I am currently trying to make my own game app to have a secure transmission to my server. Specifically, I am trying to build a SSL/TLS layer over CF connections. There seems a decent support of this in iOS/MacOS (https://developer.apple.com/documentation/security/secure_transport/using_the_secure_socket_layer_for_network_communication). However, the resource of learning this library is pretty scarce.
By referencing some other posts online and guessing the usage of this secure API, I have built a simple program to (1) create a CFStream to my server and read/write it (2) add SSL Context/IO to this stream and (3) successfully(!?) SSLHandsake.
My server now is just a dummy one created by OpenSSL (like: openssl s_server -key key.pem -cert cert.pem -CAfile CA.pem -accept 44330 -www).
It takes me lots of effort to achieve this step and I am actually stuck to continue the development.
The main problem of mine is the API docuemnt is not helpful. For example, I expect calling the "SSLCopyDistinguishedNames(ctx, names)" on my client will get the list of CA authorized by my server but it turns out returning nothing (e.g., size of names is 0).
Is there any good tutorial or Apple support to know API like this? or any working example? Is there any way I can dump the information on these "SecXXXRef" class, like SecTrustRef?
I have looked at other answers on StackOverflow and I didn't find what I was looking for.
I have a public RSA key in Base64 format generated by some other system.
It is in x509 format and the encryption is 512 bits strong.
I need to create a SecKeyRef in order to use an encrypt some data and send back home. (for all purposes the public key is sent from the server side)
I can't find anything on the web that helps me in this situation, all other examples and answers by-pass the problem. I can't create a PEM or DER files or use any other 'tricks', Base64 -> SecKeyRef nothing less.
I know this is a hard one so thank you all for helping.
p.s this is for a framework and not an app.
I have found this amazing GitHub project which helped me a lot!
https://github.com/ideawu/Objective-C-RSA
I hope this helps!
I am trying to extract a web site SSL certificate chain. I used Openssl as the following:
openssl s_client -connect hostname:443 -showcerts
But this gives me the first cetificate only. while I need the whole chain certificate. How can I achieve this please ?
That generally means that the server is not sending the whole chain. So openssl cannot give it to you.
The best solution usually is to get what you can from that output - and then search for the Serial, DN and similar through google or through the CA's website and fetch it from there. And with that build your own, client side, chain.
Unfortunately it is very common for websites to be mis-configured.
Sorry :)
Dw.
I'm kinda new to this topic so please be gentle ;) I'm attempting to use a 3rd-party Health API called Dossia (http://dossia.org).
I setup a test account and have received my OAuth Consumer Key and Secret, in the config there's a line which says
define('USER_SIG_METHOD','HMAC-SHA1');
My question is how do I make my server's "Signature Method" HMAC-SHA1?
This is just a non-ssl dev box with Fedora, I do have a production box with SSL on it, but I was hoping to get a sandbox post before moving it to production.
When I curl a post, I get a 404 error and the curl handle's info reads this:
[ssl_verify_result] => -8179
So I'm assuming this is the issue, I have scoured their wiki, which is found here however the only thing it says about the signature method is that they only support HMAC, do I need to include a certificate like the one on my prod box? Or am I going in completely the wrong direction?
Any advice would help me,
Thank you!
The signature Method was not the issue here, it was an issue with the record ID needed to be consistent in order to post to the right patient,
I want to do what myopenid does -- once you've logged, you can click a button that generates you an SSL certificate; the browser then downloads this certificate and stores it. When you later go back to yourid.myopenid.com, your browser can use its stored certificate for authentication so you don't ever need a password.
So my questions is what is required to get this working? How do I generate certificates? How do I validate them once they're presented back to me?
My stack is Rails on Apache using Passenger, but I'm not too particular.
These are usually referred to as client side certificates.
I've not actually used it but a modified version of restful-authentication can be found here here that looks like what your after.
I found this via Dr. Nic's post
Depends on the server, but the simplest solution I know of, using Apache:
FakeBasicAuth
"When this option is enabled, the Subject Distinguished Name (DN) of the Client X509 Certificate is translated into a HTTP Basic Authorization username. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.crt). Note that no password is obtained from the user... "
Not sure about rails, but the usual REMOTE_USER environment variable should be accessible in some way.
If you want to generate certificates, you need to cause the client to generate a key pair, and send you at least the public key. You can do this in Firefox via a Javascript call, it's crypto.generateCRMFRequest. I'm guessing there are browser-specific methods available in other browsers too. But first, you need to figure out how to issue a certificate once you get a public key.
You could script something on the server with OpenSSL, but it has built-in support for CSRs, not the CRMF format Firefox will send you. So you'd need to write some code to convert the CRMF to a CSR, which will require some sort of DER processing capability… I'm just scratching the surface here—operating a CA, even for a toy application, is not trivial.
SSO solutions like OpenId and PKI solutions do overlap, and there is an elegance in PKI. But the devil is in the details, and there are good reasons why this approach has been around a long time but has only taken off in government and military applications.
If you are interested in pursuing this, follow up with some questions specific to the platform you would want to develop your CA service on.
You can generate a certificate in the client's browser using browser-specific code. See this question
You could also generate SSL client certs server-side using OpenSSL in Ruby (see this q). (This will work in any browser without browser-specific code, but your server will have generated the client's private key, which is not ideal for crypto purists.)
Whichever method you use to generate them, you will then need to configure your webserver to require the client certificates. See the Apache docs for an example.
I've been working on a solution to this problem. I wanted to do the same thing and I know lots of other website owners want this feature, with or without a third party provider.
I created the necessary server setup and a firefox plugin to handle the certificate-based authentication. Go to mypassfree.com to grab the free firefox plugin. Email me (link on that page) for the server setup as I haven't packaged it yet with a nice installer.
Server setup is Apache2 + OpenSSL + Perl (but you could rewrite the perl scripts in any language)
Jonathan