Verify integrity Ceritifcate { RSACryptoServiceProvider - SHA1 - thumbprint }
Date : March 29 2020, 07:55 AM
should help you out There is no actual question here. You are right that you are unconditionally ignoring the initial value of verif. More importantly, have you considered using X509Certificate2 to do verification?: X509Certificate2 x2 = new X509Certificate2(certificatEnCours);
bool verif = x2.Verify();
|
Error: unable to verify the first certificate / How to trust all certificates?
Date : November 01 2020, 09:01 AM
this one helps. When I try to install an extension I get this error: , Had the same problem.
Adding environment variable
|
How do I verify a root DNS trust anchor?
Date : March 29 2020, 07:55 AM
it helps some times You seem to have misunderstood what's in the files IANA provides. None of them except the public root key itself is actually DNSSEC data. The Kjqmt7v.crt file, for example, is an X.509 certificate in DER format (so it's no wonder that Net::DNS::Keyset chokes on it). If you look at it (with the openssl x509 command, for example), you can see that included in its DN field is the textual representation of a DS record for the root KSK. So if you verify that certificate, you know that DS is genuine, and you can use that to verify the DNSKEY.
Another alternative available at the same URL, which is probably easier to use for most people, is a DS for the KSK in XML format, with a detached PGP signature. Verify the signature, use the data in the XML file to build a proper DS record in your favorite programming language, and then you can use that to verify the KSK DNSKEY record.
|
Parse and verify a WS Trust XML Token
Tag : .net , By : Tony Siu
Date : March 29 2020, 07:55 AM
it should still fix some issue The solution is to think of the token as it was a regular XMLDsig signed XML - the assertion node is signed and the signature's reference points back to it. The code is rather simple, what's interesting however is that the SignedXml class has to be inherited to have the signature validator that follows the AssertionID attribute (the default convention is that the signed node's id attribute is called just ID and the default validator just won't find the node that has the id attribute called differently). public class SamlSignedXml : SignedXml
{
public SamlSignedXml(XmlElement e) : base(e) { }
public override XmlElement GetIdElement(XmlDocument document, string idValue)
{
XmlNamespaceManager mgr = new XmlNamespaceManager(document.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
XmlElement assertionNode =
(XmlElement)document.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/"+
"trust:RequestedSecurityToken/saml:Assertion", mgr);
if (assertionNode.Attributes["AssertionID"] != null &&
string.Equals(assertionNode.Attributes["AssertionID"].Value, idValue, StringComparison.InvariantCultureIgnoreCase)
)
return assertionNode;
return null;
}
}
// token is the string representation of the SAML1 token
// expectedCertThumb is the expected certificate's thumbprint
protected bool ValidateToken( string token, string expectedCertThumb, out string userName )
{
userName = string.Empty;
if (string.IsNullOrEmpty(token)) return false;
var xd = new XmlDocument();
xd.PreserveWhitespace = true;
xd.LoadXml(token);
XmlNamespaceManager mgr = new XmlNamespaceManager(xd.NameTable);
mgr.AddNamespace("trust", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
mgr.AddNamespace("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
mgr.AddNamespace("saml", "urn:oasis:names:tc:SAML:1.0:assertion");
// assertion
XmlElement assertionNode = (XmlElement)xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/saml:Assertion", mgr);
// signature
XmlElement signatureNode = (XmlElement)xd.GetElementsByTagName("Signature")[0];
var signedXml = new SamlSignedXml( assertionNode );
signedXml.LoadXml(signatureNode);
X509Certificate2 certificate = null;
foreach (KeyInfoClause clause in signedXml.KeyInfo)
{
if (clause is KeyInfoX509Data)
{
if (((KeyInfoX509Data)clause).Certificates.Count > 0)
{
certificate =
(X509Certificate2)((KeyInfoX509Data)clause).Certificates[0];
}
}
}
// cert node missing
if (certificate == null) return false;
// check the signature and return the result.
var signatureValidationResult = signedXml.CheckSignature(certificate, true);
if (signatureValidationResult == false) return false;
// validate cert thumb
if ( !string.IsNullOrEmpty( expectedCertThumb ) )
{
if ( !string.Equals( expectedCertThumb, certificate.Thumbprint ) )
return false;
}
// retrieve username
// expires =
var expNode = xd.SelectSingleNode("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:Lifetime/wsu:Expires", mgr );
DateTime expireDate;
if (!DateTime.TryParse(expNode.InnerText, out expireDate)) return false; // wrong date
if (DateTime.UtcNow > expireDate) return false; // token too old
// claims
var claimNodes =
xd.SelectNodes("//trust:RequestSecurityTokenResponseCollection/trust:RequestSecurityTokenResponse/trust:RequestedSecurityToken/"+
"saml:Assertion/saml:AttributeStatement/saml:Attribute", mgr );
foreach ( XmlNode claimNode in claimNodes )
{
if ( claimNode.Attributes["AttributeName"] != null &&
claimNode.Attributes["AttributeNamespace"] != null &&
string.Equals( claimNode.Attributes["AttributeName"].Value, "name", StringComparison.InvariantCultureIgnoreCase ) &&
string.Equals( claimNode.Attributes["AttributeNamespace"].Value, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims", StringComparison.InvariantCultureIgnoreCase ) &&
claimNode.ChildNodes.Count == 1
)
{
userName = claimNode.ChildNodes[0].InnerText;
return true;
}
}
return false;
}
|
How use openssl to verify a certificate in PEM with a local trust store?
Date : March 29 2020, 07:55 AM
it should still fix some issue The overall OpenSSL documentation around this topic is rather limited and has broken links all over the place, so my approach might not the only one or best one. As far as I can see, verifying a certificate (chain) is done with the following steps, unrolled in reverse order because I think that gives a better understanding. For the resulting code, see the end of this answer. All code has error checking omitted for the sake of brevity. Also, the loading of Certificate Revocation Lists (CRLs) is not explained, I think that is beyond the scope of your question. The actual verification function store_ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(store_ctx, store, cert, intermediates)
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
X509_LOOKUP_add_dir(lookup, "/etc/ssl/certs", X509_FILETYPE_PEM);
bio_in = BIO_new_file(certFileName, "r");
result = PEM_read_bio_X509(bio_in, NULL, NULL, NULL);
BIO_free(bio_in);
intermediates = sk_X509_new_null();
for (filename in certFilenames) do {
icert = readCert(filename);
sk_X509_push(intermediates, icert);
}
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
const char *trustedCertsPath = "/etc/ssl/certs";
int main(
int argc,
char **argv)
{
X509 *cert = NULL;
X509 *icert = NULL;
STACK_OF(X509) *intermediates = NULL;
X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
X509_STORE_CTX *store_ctx = NULL;
BIO *bio_in = NULL;
int currentArg = 1;
int result = 0;
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
X509_LOOKUP_add_dir(lookup, trustedCertsPath, X509_FILETYPE_PEM);
/* Certificate to be checked */
bio_in = BIO_new_file(argv[currentArg++], "r");
cert = PEM_read_bio_X509(bio_in, NULL, NULL, NULL);
BIO_free(bio_in);
/* Stack of untrusted intermediate certificates */
intermediates = sk_X509_new_null();
while (currentArg < argc) {
bio_in = BIO_new_file(argv[currentArg++], "r");
icert = PEM_read_bio_X509(bio_in, NULL, NULL, NULL);
BIO_free(bio_in);
sk_X509_push(intermediates, icert);
}
store_ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(store_ctx, store, cert, intermediates);
result = X509_verify_cert(store_ctx);
printf("Result from X509_verify_cert is %d\n", result);
sk_X509_pop_free(intermediates, X509_free);
X509_STORE_CTX_cleanup(store_ctx);
X509_STORE_CTX_free(store_ctx);
X509_STORE_free(store);
}
$ gcc main.c $(pkg-config openssl --libs) -o verify -Wall
$ ./verify \*.google.com.pem Google\ Internet\ Authority\ G3.pem
Result from X509_verify_cert is 1
|
Boards Message :
Related QUESTIONS :