This has been extremely confusing to me. I have a process where I generate a public/private key pair using PHP. This is the code where I do that:
$config = array(
"digest_alg" => "sha512",
"private_key_bits" => 4096,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
);
// Create the private and public key
$res = openssl_pkey_new($config);
And here is an example of the generated output:
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1ufdaaaDQuWPuBlw8Vce
WeGwdL3KhrC/YzgWi8oP72bQ2ZzgxzNcXHdmWGfXax4EBlWwIPBbTSNboi6urieb
bPNIS/ei/AjGBKO/yJ2iDkfnxmy6xBxwpunqeq2TjEDDNXb2Y0g896gIjfwN8FZk
olLspoFks5ipAxdYLNlWR5stgxWeEXC2gpAPLaP00d3Xg/Qhsm2fUBvlJHQReiS1
Mwyajg0EV72U3YpP0OK19z0YLBFRhaUbnE+Mx6TSnB9XqaWe4GKsBNSO06Lz4N9j
k7Sg16DXpueKHo8pDZwuN2qbIG3fGc3ibNMR2U6lux218BGTIgGdvoAar1E3cOF1
VmLI3aDS/EVejzDs3gkG1rxcrbCFajnWe5Yl1J+nXefFBedr2FLx6ChSPZFV1x3P
DUmR1hb/NDsLHwnj7qQqqhtgfPdFql4EjGFGUvYgid1K0u/8B6Vqk0k9JKU5nrN5
d1e3H7qJm/kbBoHNsI/0gbuUyRKTIpxU5b9ex51WpA80FBMC/Ao6DeWLNu59W134
YGu5kfI1qFI0w5xUsA3IU91Ak2tHYEzzjnIz0rVMoJezLbtxcv26e5gMDjuQN//d
UM/Qe6Akck382yYgdrivgUjxB3A/IWP5IhKaLZazAWxgrc6EPvcbQFgzU/T5EbHI
dt279SgTgQ+OlotfvnKNmL0CAwEAAQ== -----END PUBLIC KEY-----
And private key:
-----BEGIN RSA PRIVATE KEY----- MIIJKQIBAAKCAgEA1ufdaaaDQuWPuBlw8VceWeGwdL3KhrC/YzgWi8oP72bQ2Zzg
xzNcXHdmWGfXax4EBlWwIPBbTSNboi6uriebbPNIS/ei/AjGBKO/yJ2iDkfnxmy6
xBxwpunqeq2TjEDDNXb2Y0g896gIjfwN8FZkolLspoFks5ipAxdYLNlWR5stgxWe
EXC2gpAPLaP00d3Xg/Qhsm2fUBvlJHQReiS1Mwyajg0EV72U3YpP0OK19z0YLBFR
haUbnE+Mx6TSnB9XqaWe4GKsBNSO06Lz4N9jk7Sg16DXpueKHo8pDZwuN2qbIG3f
Gc3ibNMR2U6lux218BGTIgGdvoAar1E3cOF1VmLI3aDS/EVejzDs3gkG1rxcrbCF
ajnWe5Yl1J+nXefFBedr2FLx6ChSPZFV1x3PDUmR1hb/NDsLHwnj7qQqqhtgfPdF
ql4EjGFGUvYgid1K0u/8B6Vqk0k9JKU5nrN5d1e3H7qJm/kbBoHNsI/0gbuUyRKT
IpxU5b9ex51WpA80FBMC/Ao6DeWLNu59W134YGu5kfI1qFI0w5xUsA3IU91Ak2tH
YEzzjnIz0rVMoJezLbtxcv26e5gMDjuQN//dUM/Qe6Akck382yYgdrivgUjxB3A/
IWP5IhKaLZazAWxgrc6EPvcbQFgzU/T5EbHIdt279SgTgQ+OlotfvnKNmL0CAwEA
AQKCAgBzYwMq2tDXdlJ4UpClxFTzhY4s4EqBjxzztQXGALQVomq4rNazngwVSbaV
+Qtc5Dzc+d0bknIzNKzao53+vB1jnixPPaMxF7TagOFUYe7FJC56B58v9OU3eZkA TXpPb+ZgKoOYQw0ZHAub0J3bUUevMD8IF6luFKWKl1osmnUM9XC2VUENtCsKZzb/
Fm040ZgJrWb6WomThaa+r+NCZbs0sau6YZrXUV9ApCa+zTtOiGsWHiZbT49Hmh7I
guLiGKIE4HwxlkkuPsKBN5kiQE9C21UQ8bdYUjGCvvMX76eQ8ZhhDR0gyb6tF5cZ
ynSJxyYMxCLvu1ZrFnU9dKoD3coVn0lBeWZH17zVkGWIV6XmQ4aSM2wB2Qobvv0T
U8M/R1dqObCxCycJEB0LHhB4bAC98g5W2B8hL46ENn/YnUqxzLzWucVfwI/e59N2
kJm5FxHrE4empTT/Zfyn+/A36vDEHafb4yHDX2gQTHW7US47DaXMbkKME37oBqAz
oy2p1XNMAWq+yg/XznloHBZ5HQ3nThG4kD93AnXNCKVUYc0gy8ROqEwoFYWAGs9a
ircv4SwCVDm2LM1uYMB95L39yg5i038ndW0sfDn8FBw4YIik//+KezHL/1Yr0fRF
0gPFYcLtXFLYqbsPqg1wq7VOCtZ1+NhgzsAgWDULfFJhViFzAQKCAQEA/YMAJgqs
QLzNMAwpvCXqU1JShf9B3qc0J8LHO1mdy1qCCh873aFVJNppgX7j6PvXkuOotRWE
/Em+0dyqJxrd8B1ifEA3MbON3WGEYZR5BIgBvxW9vFlbKzKhOwjWBX9zIVok2WMg
TPoMPAxs0x0fJGKzBkVvg5pjolyLdhIr1j79nn8z7EIgoJ2ZhQiOZPBmGR/MIt1Y
dBroWa/8cSEy4SLqfifsoqx8AaN9lQwJXJck2/bZ2Ft47jtXOxhL2NfqY3eMvRlt
nPwC1hTTbGw1zFvqGTEK76W9zdD+nwkrC38lLDH01dBcDeRbJ8NbwfSVbH4d1Y+Z
wbG3ygUozOisLQKCAQEA2QPb44wYCuI06eUI8i8h8gqEpj6lzWBss4259CFg7rVK
9tuQS5VlazJ8l11+gjIX7E+mtwwo1oSzyf9qsIvNgwLS2CwdIxCn+Ldka4NLTfUP
BQ3KtFbS8O8z0dijdzulTAOv+zZw9GtcisvjVaN3sIlJQ91LkfDfQQE6pQgi4E7a
ajjf6mloDtInbSId0X2DcirokjQ0CH65QLScvrgL8DwU6kAhGAjQQxy79AkbDhdh
1R5jq2IhUdoJdvBSwvieT+46XsZxX3He0ObZ086eVQBcuxoGYesSQvsfQ/RIH1f7
AXrKbnDbsookpfA7+WXuivMZICn9EbOFJNYEqboo0QKCAQEA4bX3NeeewezXi4Xo
yrm/TfwnuWIxVXntN9F17WO22E13Jmf0tzljQ3KrKT6+0LsZjpDfrorAYpeOK++a
F0MWgyjGfPX3rmq9TnP6l57HuL8XPviue7nbMDTd1F/jnfWBnhpSYLKfGaovpm8x
nS16grzVxCmiRbv6JZ7cFH3NRe3DhZCfvCSMRDTNcOLTVQ+s94WWDRyiGo2yfdfw
nRD/6e9adIQ7bgLATf0wXLngw+1WRfocr0OSAhoXamgRb7md2H2icuLm8zR1mgHk
083sgEz9uvwtTn105oDDkvlot822XQkFgjEHJN9CQb7wPVn0iCopifFW5lvC1T2O
vBIU6QKCAQEAziF2OZsWMzBOJmSgrLnMOoV3Hhmfj4apeZuDJ7qUweh9/iDr3H9Z
SAs6gOQTiENgqdu2dWQdXjXKOHJdurfwSyLhduff/TCS/BHmVqDtZG0DCT/ibI2T
67qptAdcraKADcXq4GkDvYZE7qlflDajN5IPf2CxqTvsM2ihdaRWzEzZ9c90EMpy
RrGjNWwUeqoHsufC5Sykx/TmrelggV98J4JKM38acCPe/gBLHy+O/UGEcdRdw6qA
D6lVGB6J3hwc87tKwj8n7QrSJAdCnIdDqWWgry+3JEcOn4S8W+Wqo+sDxpIFugWF
CP9idCPOM8R4Yo8qLHz1nlyweR64ayciIQKCAQAuWLYvCBWJ5RjsG+m6RSisf/QS
uoPN+D1midgGrBBUC6NSSPusr8ACBWgPng4wJiR9uRgpN1FMpo/SKKyiIwFieWKu
m/kKPWkfZjVpwA84kSY7yx4LtQlRIDdF2+nTtLhYr4NfJ3i3yFMOPASkv2hx3X4D
2tlTmrR+Ug9fhS6O2YpjQVJDBLm21R98oT1BWKI7+X2hx6c8AQ25t5+9M6Kf6vtv
WHvk3ws6P9mHnHeGPufA+iP782mrNM5wnrj6qt1aMldV1g4c+oQW1kr29o9A0N37
qZnIn3kCiMldMyQlk0ITJ34Tt60dvpElF1Jh0JurfQI9IAGOCCP7Ciz4rZX5 -----END
RSA PRIVATE KEY-----
So I save these two files to my server where I am storing my keys. When my app runs, it receives the appropriate public/private keys just like this, in this format, in text format. Here is my question: How do I use these existing keys, based upon the algorithm (SHA512, 4096 bits) in a function to both encrypt and decrypt NSStrings? To my understanding, I have to do some work with the keys before I can use them with iOS - strip headers, convert to base64, eg?
In short, I am looking to create two functions. One that can decrypt and one that can decrypt - both should take the certificates in text format above (or converted to something else) as well as the text to be encrypted and return the encrypted/decrypted version.
You aren't using SHA512 for the encryption/decryption, that value is used if you are then going to create a certificate or certificate request tied to this keypair.
Here is a breakdown on the parameters you used:
"digest_alg" => "sha512"
For the digest in a certificate.
"private_key_bits" => 4096,
"private_key_type" => OPENSSL_KEYTYPE_RSA,
This means you generated an RSA-4096 key pair. So make sure to encrypt/decrypt using RSA-4096.
While this library doesn't address my original needs, it's security is more than enough for my requirements. It easily adds encrypting/decrypting across multiple languages as well.
https://github.com/RNCryptor/RNCryptor
Related
I'm super fresh in Rails and today I discovered RSA 2048 key. To generate such a key I used ruby-jwe gem. Creating such a key and testing it is trivial, rails console based on docs:
> key = OpenSSL::PKey::RSA.generate(2048)
=> #<OpenSSL::PKey::RSA:0x0000000113d6e368 oid=rsaEncryption>
> puts key
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArXPkbAkge5WBhMZsWqgu2wbk0h81uhRUJHZsixtnb+fc2j04
E93e9cTHT/EBQDMO5yR26ctK+t0kAJ7CIivcqscnD3wBm7R07Nux93MwzjBRO+Pb
YqQquES+2csLAHuCK0k/ME2Do1UxOMtTbO3FKpJWRaSaDYUL2UrIc2UPTfpPuGkd
XbPHpATLwkhp0/oq2Vrja87gJynxKjFMsepAF+pMa8k37THS3uaJjZdLsVVpPJHe
JAbnIR3EW6veflYOzd5lJQOota9Dg5EKNEeIZrZKyOktPojLd2ebD9vQI0dbidFP
nunfCvBtXjcL4Ua8eJzwMYUUrttLPVR71L7SmwIDAQABAoIBAQCev3vm+O92zF2O
9L/EtTq1EXkpapEUrnhYKt6q7jjcLbxvLSp+3EisbR3x52S6qkBQgoom7f3A3daO
jr6k4boDv2PbgyZBqIZ/JY+bJx0bCRPAGYn3nMLQhXKbCH8YQPHgxhgEEF2ThmwX
S9gd0PvsO6Sj9sNb7lHq3Mva+TpppVRlx+gA+pk8yeJtJ4rjdcJwzNDZVosrQRgb
0CBNVKe6VO3Xa71ilLnpM295xUYs733FMMvu5gi6Vsq7rFrODH5AElvsOYFt2Kp+
m0ehDjRM+wx+FZSfi6R39b8XxK7yL8Qa7r0YRLFEOkdyZw74LW0YO1/+vzlbCcD8
ZUS1ULoxAoGBAOVonyQ5x0HRO6YkSf4LIWm3Ecl4rGNMHcdP/MPfMYaq5Xv51iFg
m3Wk3RFCgvB20PzM4LquPnEKrcZZk5pR9OVcKcNK7yDKEWiObLGmEbc4G9IcSBYu
/0l9trZRcNF2NcrVKYAqx6AiriUyUPDTGQorMWyszCe3ok4jvAtP04E5AoGBAMGO
2y2ye1AJQgdzXXCSwV25ofVvqk+bY47iojAaFUE0UdRzh8/xJUoaHoiwrBbCmI6c
ls3nmkqcrV7Kw4oyb0DspKyURUpORpXvHLsTtuxTavdg4DpmO3VaLVpdKvec783S
GwIhzxKUeJtNED8bOEnep4RP0KjfZNAFQdzCB/ZzAoGBAJPdpYXx/+76cBocldy7
S+QZ7csQjvzJ2P/ZHLEbsY59pMEOPejxngJsK1mupztbOkVXwRpSqUive2a34h27
6b/Ucc7BA/T8ic/8zS6MPir8bWI2fHhf/oheEWDeiXtZWD7Oupsz98vNzrWHAwjW
5/LX+Fl133lSMblv6wrXfxpxAoGBAMDVni8svgXC83GQ0eqxisvhgSWQllCxMsLL
r2HU2pAXm97ZKtlUGh51Xy43NXuHa43JG8UPlHv5FBB4Wc9457X7DSSSo2WgDlqZ
2jnXLkrL4KmMblhAOcR0jvKUF5aRV6fqRtYc8LxGBtJSOHlmmPGfTa1YBz33Mey9
EBzrghtZAoGAf9rGx08UFdxbXbqZMTuG3Nd8o0gBGQSi8aSRKDozg2cAMGFa22Gk
raiU9uVHaFCXtB30ioQtPnDqMNItFUDMeE1N73FNNNVwIgllUUbVUZjKZfLrRp0Z
p4SDTcHLDIWIBrA+J5k8EXdldnskZcVWGSgITdIl42AdWngcCGWExCI=
-----END RSA PRIVATE KEY-----
=> nil
But now I want to add this key to the Rail env secrets (I'm using Rails 7 so multi environment credentials) to fetch this as Rails.application.credentials.rsa_key.
I thought all I need to do would be copy/paste that key into e.g. development.yml.enc like below:
`EDITOR=vim rails credentials:edit --environment development`
rsa_key: '-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArXPkbAkge5WBhMZsWqgu2wbk0h81uhRUJHZsixtnb+fc2j04
E93e9cTHT/EBQDMO5yR26ctK+t0kAJ7CIivcqscnD3wBm7R07Nux93MwzjBRO+Pb
YqQquES+2csLAHuCK0k/ME2Do1UxOMtTbO3FKpJWRaSaDYUL2UrIc2UPTfpPuGkd
XbPHpATLwkhp0/oq2Vrja87gJynxKjFMsepAF+pMa8k37THS3uaJjZdLsVVpPJHe
JAbnIR3EW6veflYOzd5lJQOota9Dg5EKNEeIZrZKyOktPojLd2ebD9vQI0dbidFP
nunfCvBtXjcL4Ua8eJzwMYUUrttLPVR71L7SmwIDAQABAoIBAQCev3vm+O92zF2O
9L/EtTq1EXkpapEUrnhYKt6q7jjcLbxvLSp+3EisbR3x52S6qkBQgoom7f3A3daO
jr6k4boDv2PbgyZBqIZ/JY+bJx0bCRPAGYn3nMLQhXKbCH8YQPHgxhgEEF2ThmwX
S9gd0PvsO6Sj9sNb7lHq3Mva+TpppVRlx+gA+pk8yeJtJ4rjdcJwzNDZVosrQRgb
0CBNVKe6VO3Xa71ilLnpM295xUYs733FMMvu5gi6Vsq7rFrODH5AElvsOYFt2Kp+
m0ehDjRM+wx+FZSfi6R39b8XxK7yL8Qa7r0YRLFEOkdyZw74LW0YO1/+vzlbCcD8
ZUS1ULoxAoGBAOVonyQ5x0HRO6YkSf4LIWm3Ecl4rGNMHcdP/MPfMYaq5Xv51iFg
m3Wk3RFCgvB20PzM4LquPnEKrcZZk5pR9OVcKcNK7yDKEWiObLGmEbc4G9IcSBYu
/0l9trZRcNF2NcrVKYAqx6AiriUyUPDTGQorMWyszCe3ok4jvAtP04E5AoGBAMGO
2y2ye1AJQgdzXXCSwV25ofVvqk+bY47iojAaFUE0UdRzh8/xJUoaHoiwrBbCmI6c
ls3nmkqcrV7Kw4oyb0DspKyURUpORpXvHLsTtuxTavdg4DpmO3VaLVpdKvec783S
GwIhzxKUeJtNED8bOEnep4RP0KjfZNAFQdzCB/ZzAoGBAJPdpYXx/+76cBocldy7
S+QZ7csQjvzJ2P/ZHLEbsY59pMEOPejxngJsK1mupztbOkVXwRpSqUive2a34h27
6b/Ucc7BA/T8ic/8zS6MPir8bWI2fHhf/oheEWDeiXtZWD7Oupsz98vNzrWHAwjW
5/LX+Fl133lSMblv6wrXfxpxAoGBAMDVni8svgXC83GQ0eqxisvhgSWQllCxMsLL
r2HU2pAXm97ZKtlUGh51Xy43NXuHa43JG8UPlHv5FBB4Wc9457X7DSSSo2WgDlqZ
2jnXLkrL4KmMblhAOcR0jvKUF5aRV6fqRtYc8LxGBtJSOHlmmPGfTa1YBz33Mey9
EBzrghtZAoGAf9rGx08UFdxbXbqZMTuG3Nd8o0gBGQSi8aSRKDozg2cAMGFa22Gk
raiU9uVHaFCXtB30ioQtPnDqMNItFUDMeE1N73FNNNVwIgllUUbVUZjKZfLrRp0Z
p4SDTcHLDIWIBrA+J5k8EXdldnskZcVWGSgITdIl42AdWngcCGWExCI=
-----END RSA PRIVATE KEY-----'
But turn out those two are not the same because after some test I'm getting an error:
> encrypted = JWE.encrypt(payload, key)
=> "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.miYseR0y6hAFFzb8KzwbUKxp3deqP7Q2uMM2A1ylOVKH4wHIsbPu3WJxqX_C75jplt4HwTN32ERLwqUrl_KMUn-5wuVgBi1CkUiuh83DDms0u-xx9eaLvYnlMWGtH_T_D8Ffbe2BT--6DWpmP_...
> plaintext = JWE.decrypt(encrypted, Rails.application.credentials.rsa_key)
`decrypt': undefined method `private_decrypt' for "-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEArXPkbAkge5WBhMZsWqgu2wbk0h81uhRUJHZsixtnb+fc2j04 E93e9cTHT/EBQDMO5yR26ctK+t0kAJ7CIivcqscnD3wBm7R07Nux93MwzjBRO+Pb (...)
Why such storage is impossible?
It is because you are passing a string to JWE.decrypt instead of a key (an instance of OpenSSL::PKey::RSA).
Refer to the following code:
require 'openssl'
require 'jwe'
key = OpenSSL::PKey::RSA.generate(2048)
encrypted = JWE.encrypt("hello there", key)
key_string = key.to_s
# What you are doing:
# plaintext = JWE.decrypt(encrypted, key_string)
# What you need to do:
plaintext = JWE.decrypt(encrypted, OpenSSL::PKey::RSA.new(key_string))
p plaintext
You can take the string you are storing with Rails credentials and instantiate a new OpenSSL::PKey::RSA from it.
It is important to store your key correctly in the YAML. Make sure that it includes the "-----BEGIN " line. Also use the pipe and indentation to ensure the newlines are preserved, like so:
rsa_key: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAwX91sW499nMLbDEdk4RFlxatc/WbDMeDNH01cboqKoUHK32r
aqfmDLGGgDdBZpIO+1w7un+9Vg/uP6UsYqFsct2o60rCFZh4QXOXfhUwlfwEUlus
4AqYZQtSvztiDNq1pDd3lrwdLVWbYQIyvI/gSK1hBFbb8tOZ8j18SYLucqjo8GWQ
DqC+rkHMHQtVWRmwVjVFA1MFj5AEfhaVNOYxnlQeKs07Iny0NGZV7vWcj+fx4zRr
Xxi2OHKmVHldzUhCwcjWNGzI8ORYo3ko1+KhVy091BV2ovKTixG7w6ZyX8rYt+ob
ZTgCJKjia/RpOjt/b5QvfDDLmRRZZUSOwB625QIDAQABAoIBABW8HPrAsNoZgxt0
iudykKSPig0/9doiIQVI2TN8n1bmWW9TrukMkgUz/bEyQ7jjSCaI7jadOaXMpUzl
30325ukiJ+LCI3nshfmII+ioNaxrQgsEPC9wUTzsYC+V2oYqHQQkrNy0JazddFYZ
upw+pwlS3FZx8UPd6+lvaaISQHmFeH0FFIyGLcnyvuzaLqHVy9+3fpr3F1hp2qPg
H04QDTjkpG0XK+vNDXx4NrVndVOQ3GM94vPNmF60E+j+7YeV0LzAdhGrQQ3zjBic
BsDg5ZoYFOdqL3nluza58Vb0n7ZZrGeMh7sTthjEMI5Px//XcvBN2bJQLIaBP/My
QIPjdwECgYEAzosh60KFBk6RtRWK4ZjNiTlbCUQuDEThJidXtTnOmYP3e1u1rkZP
kPJ5eu1H4dsmDppmBM4p368Y8U9Di2mQO3zo+Q32Kl6On6aExuvgqfFG7wS6GGtP
+JUvI7cl19Tn2BZEisAx7nYtCYPMRtXNXZaHPTbcw/XDgEuEgDXBAoECgYEA79Sl
2PCHGJxRWTQmWWzs9wSIFRhWOPcuHDs2LveM0AGtCxNEGObsQQZLrqD/M0oTsuh3
8SPXKtJu2L/og9THi2EAPwEInd50dmeotzrE3dIqthxdO3lESkzV/Er14NeWjphC
dmKoG31NHXvw5mZ3Y+C1Ya+W376EoV/rki2numUCgYB6GCsb3D2wpb9icXKgu2g8
xyf2iVRDMnB50mX5nktv2l/wjx0OAUhFoeCH9z432AleNo06J/j+3o37D+UYw3Vc
hRFfMI6lKzJaU+BHiuZK73MEFiJADye+BcpQ7ZI0TQokZb1s3AJoOXmUF1IpSXfV
7AbT+9tzB5PjAkE4XQ5UgQKBgQCRVuj6wyjbvT9/M59Z6izgtZpSTmFSPFlxOmDn
rZVkKN/ZKl/GR4s9DLeoqGB/kJDHhyHIvNOUW9pY+FPMMJKM4MfpZpL2OO2TI9aW
08KiOs8vdZj6hc7gyBeVwUeobn4LBDKi077UiebFy2p99fK8UF0bSfHAvhBaS2rT
N1/CEQKBgQDGpl0oYWNkzkU9iTg1ncSHmzJLuk08ooHIEoS0AtyCRe5PLk0AX/f2
DsrgrFWwXmTlt9L49hG1E+hc6Zst3t+y+GR9sDjXVnIBkwNtDWs+8cZSwwxS+fxq
A4uqx0/DrZ/Dx7Yukf74vOjghZpott/Q77MUVsHy28N9IAt3iL+V3w==
-----END RSA PRIVATE KEY-----
Now you can use this in a Rails console like this:
key = OpenSSL::PKey::RSA.new(Rails.application.credentials.rsa_key)
encrypted = JWE.encrypt("hello there", key)
plaintext = JWE.decrypt(encrypted, key)
p plaintext # => "hello there"
I write an iOS app to communicate with an existing server. The server generates RSA key pair(public key and private key), and sends public key to the client.
The client(the iOS app) have to encrypt with ONLY the public key, and sends the encrypted data to server.
So, I need a Objective-C function to do RSA encryption.
Input:
Plain text: hello world!
The public key:
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEChqe80lJLTTkJD3X3Lyd7Fj+
zuOhDZkjuLNPog3YR20e5JcrdqI9IFzNbACY/GQVhbnbvBqYgyql8DfPCGXpn0+X
NSxELIUw9Vh32QuhGNr3/TBpechrVeVpFPLwyaYNEk1CawgHCeQqf5uaqiaoBDOT
qeox88Lc1ld7MsfggQIDAQAB
-----END PUBLIC KEY-----
Process:
+ (NSString *)encryptString:(NSString *)str publicKey:(NSString *)pubKey;
Output:
uwGuSdCgDxAAN3M5THMrNcec3Fm/Kn+uUk7ty1s70oH0FNTAWz/7FMnEjWZYOtHe37G3D4DjqiWijyUCbRFaz43oVDUfkenj70NWm3tPZcpH8nsWYevc9a1M9GbnNF2jRlami8LLUTZiogypSVUuhcJvBZBOfea9cOonX6BG+vw=
Question:
How to implement this function?
+ (NSString *)encryptString:(NSString *)str publicKey:(NSString *)pubKey;
I have had digg for a long time, on SO and google and Apple's document. I found out Apple need a .der file to do encryption, not only the public key.
I will answer my qustion:
1. create SecKeyRef with public key string
I am helped by this post: http://blog.flirble.org/2011/01/05/rsa-public-key-openssl-ios/#its-all-in-the-format
It led to my code: https://github.com/ideawu/Objective-C-RSA/blob/master/RSA.m#L34
2. use the SecKeyRef to encrypt input data
Use Apple's SecKeyEncrypt(https://developer.apple.com/library/ios/documentation/Security/Reference/certifkeytrustservices/index.html)
3. the full code on github
https://github.com/ideawu/Objective-C-RSA
If you are using your public and private keys then use SecKeyRef
to generate both keys else use keys provided by backend guys to communicate with server.
These are some third party sdks that can help for this purpose, i've used one of them that helped me a lot to encrypt and decrypt.
[1]: https://github.com/Kitura/Swift-JWT [2]: https://github.com/TakeScoop/SwiftyRSA [3]: https://github.com/soyersoyer/SwCrypt [4]: https://github.com/Kitura/BlueRSA
For further info visit below Apple link for official documentation
https://developer.apple.com/documentation/security
I've been searching but I cant find anything about this... only EC Diffie-Hellman with symmetric cryptography, which is exactly what I do not want :(
Imagine this:
generate a random private key, k
then calculate a "public key" with ECC, d=kG
The algorithm I'm looking for is this: any message cyphered with the public key will "only" be decyphered by the owner of the private key.
Does this exists? Has anything like this been developed yet?
You could try ecc (pip install ecc)
from ecc.Key.Key import Key
# Create keypair
k=Key.generate(521)
# Encode public key
pub=k.encode()
# Encode private key
priv=k.encode(include_private=True)
# Decode public key
pubK=Key.decode(pub)
# Decode private key
privK=Key.decode(priv)
# Encrypt message
msg=pubK.encrypt("Test")
# Decrypt message
print privK.decrypt(msg)
Actually, El Gamal scheme, being based on Diffie–Hellman key exchange, presumes an asymmetric encryption algorithm, with private and public keys, so you should consider this. Computing the public key in this scheme will be as difficult as computing the discrete logarithm in the group.
I'm trying to do some public-key-related things in Erlang, and they require me to track public keys. According to this page, I should be able to import PEM format keys by using file:read_file/1 and public_key:decode_pem/1. The thing is, when I try to import a GPG public key, I don't get a result.
I've got a file called inaimathi.pubkeywith the following content:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQINBE9NBIQBEADMSzN6b0FaPP0rGiLDWKfH4ehN66Z0SAIynXm6lBHjmO69pNsm
iIe4p1X9aXhr7EgEZKdbqevfXW7NuA/oL7Rbt+tzBT5nS2cYSHoZhUC/onVhJxUb
drCR9NsBDZc1wZs+b95K3vWW91wMPYs4tn71DeeNgUVCcZOGofWltI7+etTVVIyG
zMEW4lOiEwBgLee+5u3XyGsBbyhtWnbp8ZMewiXjo14w0UCMEQxvf55NjggAO/vR
C+Czz5FQ7m9AnZwqIZJfaAw+aM81lmcXRZenGZ/H25H6WLq2DrVXnRjEyUvK+juj
K6rTHcot6K4Cgvo3P47uZcze92c4KaI22jTePRB1qov8ygAQw8BPsaZ+cA3AQ2Zv
4hjIyx2Qovs+vb1xWhk9Mgqyt0ToMZ6HNn386ICxaeYR8XY/rhf9ej0PJOS5c9Nx
reeTdrYXeco27kp/x+nDSWzqy0MrSAAD19xCK1w8Eiwc9MmjAAX1yarQzUy/ICey
eY6SaBfdK7x7A1ecUSu7mS7LmGFWB49Tx5u3ENXw9rU2hKbmGbbQsc+xCx5s7ZM1
q0aATJsUO4fsNe+4/9cBXCSP+4P6irX1EfliqaySt0LEr0WYhIgNgYq8PB7yx4Cv
0mOMv8lXBMYZs8NTrMJl2XHfi3egu8Ti14VChCklnWe95sZvKrk9/3BYxwARAQAB
tCtMZW8gWm92aWMgKEluYWltYXRoaSkgPGxlby56b3ZpY0BnbWFpbC5jb20+iQI4
BBMBAgAiBQJPTQSEAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDlo9AP
+vpofbYuD/9luGWbbw0ia5EfsDArk+iAs55HdmgjtVrcEqASR92bSbXxUylvM41T
Gd4nrM7Ri9XVgUSj6ZMnvPJihk08dkjWtoz83JQFdyJ9u7vIqs0LU4awrbNQ8l7P
M3fVKOme/vwQQ7kyIWkIYB0bl+CDRnldYGyBbV0lzh25/eVnhE8AsDltHJjhwe17
GVQPQfk/4B9SY0bTuAojZCUpMtI4cSBaI4v+xojewFt9B53oxW/KrLOvCVYUE9m2
TiJrtWcQjYqrlY9Ku203LzIZWbsFt9NEM6I26ewL3Iqn687fLgdkXZ2TuomJEcY+
5UxPIZfdiXqNG/nFLSII3v9kWA/f6ysXn7NTFx594+5KUqwjPke9ZFxi7gmyuRtK
KQyz1P+fRpkHqdP+OdNASDZ66CUaOqJrea6N+HpGIdBgRVfaYezl0wy9QfPe/PV7
ewYlP/nEpXDNpnr4cOvvD52VeoW9oiZEt0UFZ5iWEVepZlJ9uNq1QKkKDGHjBA/n
Mgd/Mc/Bg6sTfs6gtKfiX5MoPhZd/WDonAZyimJMY23Dw31TuIjmEmO1MuNNxj6c
Q2qWCVsQED6GgkPSRMwZ4+6Dh8DsLrt5xQp68I204XnT+ppgkXY/f4ALseRlOXeQ
9TeqeMcq7lO9DVULHLfXELw5/ijN08BBToZBIaBPKKoGhEdWBl9P3bkCDQRPTQSE
ARAAt9MpaK5TzTOzO/IenaHpfu0EoI4ZQSiWD4ZujvyuMEscdPQ4wDRMVwh66FAW
jeRE4O/m1q4rt/qDKqa0VCSGmap9gj7iLZ9+Fu5n3jyentzmoe22ATO7jOITGbW2
+0D56U3jCRRoSsY8ZSqECBLhsKbc7WIBX8yVxvpHYaqTOwM2+CIqDda5vgKeNxzk
cVDgUBnYj1nNpklGCs3494IVQ8aLVo5nOm8J0vY/n/YK5sAf6RlK+MEXCEyMVoiG
V4wo4fGLJXkhky5yL9vW+vmkUslw7mbAFRIC2KLg0CxXaGychsScpDlpmHkcxmsl
riGbEaKe0kMOM4KkXdopoGB66T0sEftL+hJmrAVe3H4iyldh/d5Hf1ez670m4ZZ6
gNdRCv3WJ72mZv4pqFH94NUksHvPrmot0B23ne6y/MqxYLIweIjJkD1ePxqpffMq
Ktkq9ooH7SB2GAMihCWiY/orSi6bt670Y9P3pzrwolErCWxieX8dg3H04z5nA7J3
6mqxQXLQvY6lXZYANOEKmm1qyoDgeBJoJdYUFbHrb83xcxQUqp8zikKneQ0rJfVG
dj38smSNAMqOeQQwZlmKFVwmIu4ozqszgZ2oqWS7q2NJgg64dnQlA60VMebQ0e8d
MMqy41VJ1FF8PCT1GGMsL+H4vdoZ+/wF2bhMQISWqFSVa5EAEQEAAYkCHwQYAQIA
CQUCT00EhAIbDAAKCRDlo9AP+vpofVp4D/9WqB4h9T5kGLBvuGUebjSqBuv6XfUd
q8vrvrMbSiLTLj2Gk58FjXdTPKCAuTkTtiYjMIXR0cF30uGRccM/tOMSp0xQYVT6
ueBhDZHaWaAEr2408j7/+tVg5CaLO/dVVfxpHIJ+8Bf1YmRRMpDm94i8X5j4rxPv
GNaOa6CgqWGlXsqFUw19OqXI5pK+hBH/GEpVPawr8/JLauc24ovt76gLGXDHrmKV
aeryKzy3TWikj3cq8Mdj2mKqNwkn1uu89j3xvxbq6gxX7lGX8pCLS2W6a7PYDaXf
no1/C31//Shn26LD9YfzRhcA/B/uXtEST3eShM5uS2sm+oOpxpiRaBv477K2TLpn
zh82VgwRTDkelpYJG8R8eBXwbBik+WSeIprZ8IrMfzZNs7xwn+z9isB0P3+VObWj
tBYKdMoF1mu40O1I7hsWV9UpJjRw2WrI8WpZMQTInXcaDWomWRgVhQjVhenYf6u2
nVoN3MM47hR7OR6KtcQ59lwlBeLcK9ImFuXjPK1GG9LtHzkKVOTI6p51S6Ug5MPu
7BuJxpxwDiohhVizBk3oZWInpNiXomk7Q6XwQ65mFTB11bX+wn0JIWO7BUWxK+dH
E+8YuCe53OAvNU0BFT8MAe/vB9kMl4N3p/3bJPuzmP4lnAGrLwzBZPkiQTNq8aj8
5NsttvIOclBY5A==
=Zqph
-----END PGP PUBLIC KEY BLOCK-----
which seems to be in the correct format, but the result I get is
1> {ok, GpgBin} = file:read("inaimathi.pubkey").
{ok,<<"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v1.4.11 (GNU/Linux)\n\nmQINBE9NBIQBEADMSzN6b0FaPP0rGiLDWKf"...>>}
2> public_key:pem_decode(GpgBin).
[]
Based on the documentation, I'd expect this to return an RSAEntry which I could then decode into a public key. Is there something special I need to do to import public keys through this mechanism? Are GPG keys actually valid PEM files? Am I missing something else?
ASCII-armored and PEM are very similar. You just need to change the BEGIN/END markers, strip the PGP headers and checksums (the checksum is the last line =Zqph), and add the PEM header. So, you have to change the inaimathi.pubkey to this file:
-----BEGIN RSA PUBLIC KEY-----
mQINBE9NBIQBEADMSzN6b0FaPP0rGiLDWKfH4ehN66Z0SAIynXm6lBHjmO69pNsm
iIe4p1X9aXhr7EgEZKdbqevfXW7NuA/oL7Rbt+tzBT5nS2cYSHoZhUC/onVhJxUb
drCR9NsBDZc1wZs+b95K3vWW91wMPYs4tn71DeeNgUVCcZOGofWltI7+etTVVIyG
zMEW4lOiEwBgLee+5u3XyGsBbyhtWnbp8ZMewiXjo14w0UCMEQxvf55NjggAO/vR
C+Czz5FQ7m9AnZwqIZJfaAw+aM81lmcXRZenGZ/H25H6WLq2DrVXnRjEyUvK+juj
K6rTHcot6K4Cgvo3P47uZcze92c4KaI22jTePRB1qov8ygAQw8BPsaZ+cA3AQ2Zv
4hjIyx2Qovs+vb1xWhk9Mgqyt0ToMZ6HNn386ICxaeYR8XY/rhf9ej0PJOS5c9Nx
reeTdrYXeco27kp/x+nDSWzqy0MrSAAD19xCK1w8Eiwc9MmjAAX1yarQzUy/ICey
eY6SaBfdK7x7A1ecUSu7mS7LmGFWB49Tx5u3ENXw9rU2hKbmGbbQsc+xCx5s7ZM1
q0aATJsUO4fsNe+4/9cBXCSP+4P6irX1EfliqaySt0LEr0WYhIgNgYq8PB7yx4Cv
0mOMv8lXBMYZs8NTrMJl2XHfi3egu8Ti14VChCklnWe95sZvKrk9/3BYxwARAQAB
tCtMZW8gWm92aWMgKEluYWltYXRoaSkgPGxlby56b3ZpY0BnbWFpbC5jb20+iQI4
BBMBAgAiBQJPTQSEAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDlo9AP
+vpofbYuD/9luGWbbw0ia5EfsDArk+iAs55HdmgjtVrcEqASR92bSbXxUylvM41T
Gd4nrM7Ri9XVgUSj6ZMnvPJihk08dkjWtoz83JQFdyJ9u7vIqs0LU4awrbNQ8l7P
M3fVKOme/vwQQ7kyIWkIYB0bl+CDRnldYGyBbV0lzh25/eVnhE8AsDltHJjhwe17
GVQPQfk/4B9SY0bTuAojZCUpMtI4cSBaI4v+xojewFt9B53oxW/KrLOvCVYUE9m2
TiJrtWcQjYqrlY9Ku203LzIZWbsFt9NEM6I26ewL3Iqn687fLgdkXZ2TuomJEcY+
5UxPIZfdiXqNG/nFLSII3v9kWA/f6ysXn7NTFx594+5KUqwjPke9ZFxi7gmyuRtK
KQyz1P+fRpkHqdP+OdNASDZ66CUaOqJrea6N+HpGIdBgRVfaYezl0wy9QfPe/PV7
ewYlP/nEpXDNpnr4cOvvD52VeoW9oiZEt0UFZ5iWEVepZlJ9uNq1QKkKDGHjBA/n
Mgd/Mc/Bg6sTfs6gtKfiX5MoPhZd/WDonAZyimJMY23Dw31TuIjmEmO1MuNNxj6c
Q2qWCVsQED6GgkPSRMwZ4+6Dh8DsLrt5xQp68I204XnT+ppgkXY/f4ALseRlOXeQ
9TeqeMcq7lO9DVULHLfXELw5/ijN08BBToZBIaBPKKoGhEdWBl9P3bkCDQRPTQSE
ARAAt9MpaK5TzTOzO/IenaHpfu0EoI4ZQSiWD4ZujvyuMEscdPQ4wDRMVwh66FAW
jeRE4O/m1q4rt/qDKqa0VCSGmap9gj7iLZ9+Fu5n3jyentzmoe22ATO7jOITGbW2
+0D56U3jCRRoSsY8ZSqECBLhsKbc7WIBX8yVxvpHYaqTOwM2+CIqDda5vgKeNxzk
cVDgUBnYj1nNpklGCs3494IVQ8aLVo5nOm8J0vY/n/YK5sAf6RlK+MEXCEyMVoiG
V4wo4fGLJXkhky5yL9vW+vmkUslw7mbAFRIC2KLg0CxXaGychsScpDlpmHkcxmsl
riGbEaKe0kMOM4KkXdopoGB66T0sEftL+hJmrAVe3H4iyldh/d5Hf1ez670m4ZZ6
gNdRCv3WJ72mZv4pqFH94NUksHvPrmot0B23ne6y/MqxYLIweIjJkD1ePxqpffMq
Ktkq9ooH7SB2GAMihCWiY/orSi6bt670Y9P3pzrwolErCWxieX8dg3H04z5nA7J3
6mqxQXLQvY6lXZYANOEKmm1qyoDgeBJoJdYUFbHrb83xcxQUqp8zikKneQ0rJfVG
dj38smSNAMqOeQQwZlmKFVwmIu4ozqszgZ2oqWS7q2NJgg64dnQlA60VMebQ0e8d
MMqy41VJ1FF8PCT1GGMsL+H4vdoZ+/wF2bhMQISWqFSVa5EAEQEAAYkCHwQYAQIA
CQUCT00EhAIbDAAKCRDlo9AP+vpofVp4D/9WqB4h9T5kGLBvuGUebjSqBuv6XfUd
q8vrvrMbSiLTLj2Gk58FjXdTPKCAuTkTtiYjMIXR0cF30uGRccM/tOMSp0xQYVT6
ueBhDZHaWaAEr2408j7/+tVg5CaLO/dVVfxpHIJ+8Bf1YmRRMpDm94i8X5j4rxPv
GNaOa6CgqWGlXsqFUw19OqXI5pK+hBH/GEpVPawr8/JLauc24ovt76gLGXDHrmKV
aeryKzy3TWikj3cq8Mdj2mKqNwkn1uu89j3xvxbq6gxX7lGX8pCLS2W6a7PYDaXf
no1/C31//Shn26LD9YfzRhcA/B/uXtEST3eShM5uS2sm+oOpxpiRaBv477K2TLpn
zh82VgwRTDkelpYJG8R8eBXwbBik+WSeIprZ8IrMfzZNs7xwn+z9isB0P3+VObWj
tBYKdMoF1mu40O1I7hsWV9UpJjRw2WrI8WpZMQTInXcaDWomWRgVhQjVhenYf6u2
nVoN3MM47hR7OR6KtcQ59lwlBeLcK9ImFuXjPK1GG9LtHzkKVOTI6p51S6Ug5MPu
7BuJxpxwDiohhVizBk3oZWInpNiXomk7Q6XwQ65mFTB11bX+wn0JIWO7BUWxK+dH
E+8YuCe53OAvNU0BFT8MAe/vB9kMl4N3p/3bJPuzmP4lnAGrLwzBZPkiQTNq8aj8
5NsttvIOclBY5A==
-----END RSA PUBLIC KEY-----
AIR allows to inject code using Loader.LoadBytes()
this allows to download remote plugins as swf files which will have full access to everything that the AIR application has access to. This imposes a security risk, so it would be desirable to digitally sign the swf's.
What's the best way to do this and to verify the code signature?
I know the as3corelib has some encryption functionality and also for X.509 certificate - but I didn't find a ressource explaining how to use it. Also, maybe there's some 'official' way to codesign SWF's?
One robust method is using public key encryption, which goes something like this:
You will need an asymmetric encryption algorithm (eg, RSA), and a hash algorithm (eg, SHA, MD5).
Generate a public-private key pair.
Generate and checksum of the data using the hash algorithm.
Encrypt the checksum with the private key using the encryption algorithm. This becomes the "signature".
Send the data to the client along with the signature.
Decrypt the signature on the client with the public key to obtain the original checksum.
Generate a checksum from the data on the client.
Compare the checksums. If they match, then you know that the data came from you without alterations. If they do not match then you know the data was altered after it was sent from you, or it came from someone else.
See http://en.wikipedia.org/wiki/Public-key_cryptography
An attacker can bypass this security if they are able to intercept the connection and modify the original client SWF file and either change the public key, or remove the security mechanism entirely. Use TLS or SSL to prevent attackers intercepting the data.
An x.509 certificate is little more than a public key bundled with some meta-data. The standard also specifies a mechanism for validating the certificate, by relying on a certificate authority (CA) (see http://en.wikipedia.org/wiki/X.509).
The AS3Crypto library provides (amongst other things), an implementation of RSA, MD5, and an x.509 parser (see http://code.google.com/p/as3crypto/).
Here is some code. The signing process entails computing the hash of the data, then signing it with the private key to produce a signature, eg:
var rsa:RSAKey;
var md5:MD5;
var data:ByteArray = getSWFBytes();
var signature:ByteArray = new ByteArray();
var originalHash:ByteArray;
// read private key
rsa = PEM.readRSAPrivateKey(private_key);
// create the checksum of the original data
md5 = new MD5();
originalHash = md5.hash(original);
// encrypt the data using the private key
rsa.sign(data, signature, original.length);
The data and signature are sent to the client. The client decrypts the signature using the public key stored in the cert and compare it to the computed hash of the data, eg:
var rsa:RSAKey;
var md5:MD5;
var data:ByteArray = getSWFBytes();
var signature:ByteArray = new ByteArray();
var decryptedHash:ByteArray = new ByteArray();
var clientHash:ByteArray;
// load the certificate
var cert:X509Certificate = new X509Certificate(public_cert);
// get the public key from the cert
rsa = cert.getPublicKey();
// decrypt the signature with the public key
rsa.verify(signature, decryptedHash, encrypted.length);
// create a hash of the data
md5 = new MD5();
clientHash = md5.hash(data);
// compare the hashes
// isEqual compares the bytes in the input byte arrays, it returns true only of all bytes in both arrays match
if (isEqual(clientHash, decryptedHash))
trace("signature valid");
else
trace("signature invalid")
You can check if the certificate is signed like this:
var store:X509CertificateCollection = new MozillaRootCertificates();
var cert:X509Certificate = new X509Certificate(public_cert);
var isValid:Boolean = cert.isSigned(store, store);
You can load the raw SWF bytes like this:
var loader:URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.BINARY;
loader.addEventListener(Event.COMPLETE, completeHandler);
loader.load(new URLRequest(url_of_swf_to_load));
Example x.509 private key (usually created when you apply for a certificate):
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDoKlLzpJeLcoPYQQYPa0diM4zpZ+0rKeRxhx9ssq91DzwAeSmM
7wT03WLiLZkqPt2MS3uNo75zK5RtmjHqF6Ojfs2tbSdlCK5tpisvOAssuq0o5vIz
g/MhS2PIijnBtVB9XFSTXxhveKeIq1VgdB2wHW95+zhBF+Z1hsYcNRRFFwIDAQAB
AoGAI8wK2EhjmXvBuoFkJtJ6wjiCnKaKmiIueBbGkKMIjLsZnFUSRAnCsOLF0WwI
dswUqwIkfdVmkymADFo/IgIdF9hLGNLRskIPKGZWEUC8d5ZJnRg+nuzi2c2msN5u
/BvCCgL5/shBhO5KvrPbU/Fbs/k4saCDQZ2EO4HpueRZWGkCQQD6hC0pTfyW4yQT
Qr/dY7FhOwdOh/8ewGyXBa9ruOuZqTR23Ya20O8NuF22+NqW9AZl7uioiTZyZkOV
jqAckelrAkEA7T9QVdK+QcaQSznrZPJpXlSIDLSBRWjaPKBoypnNTF3y3JkUQE0L
iA0c2oUc8D+LCgx9vA0Ai0IzwzrIec+iBQJAJb5YV4rKbalXPBeodKCajv2nwis3
QtjXA4H1xhMcXBBkOSxzKYQdIEIQzIp91JR7ikwOfaX+sAm8UQImGWfadQJAMAb4
KVePQluDDGd+OqJEKF9uZzwHS1jNjSZf8FuwTrxaFMQ8cEPoiLM22xnFYPFMIU2k
CnSLXqWZOvVkbhxVTQJAL3xIc5AUbhsEp7ZeeJrkPRv5rCObmLw0+wIaERtMX83b
PNM0TpzY6EXk+geTCqudAipYF/A7qn38wpOh+PuuVg==
-----END RSA PRIVATE KEY-----
Example cert:
-----BEGIN CERTIFICATE-----
MIID4zCCA0ygAwIBAgIJAL7k5X3sCvniMA0GCSqGSIb3DQEBBQUAMIGoMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
FDASBgNVBAoTC2h1cmxhbnQuY29tMRcwFQYDVQQLEw5hczMgY3J5cHRvIGxpYjEY
MBYGA1UEAxMPSGVucmkgVG9yZ2VtYW5lMSgwJgYJKoZIhvcNAQkBFhloZW5yaV90
b3JnZW1hbmVAeWFob28uY29tMB4XDTA3MTEwNTA1MjUyOVoXDTA4MTEwNDA1MjUy
OVowgagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQH
EwhTYW4gSm9zZTEUMBIGA1UEChMLaHVybGFudC5jb20xFzAVBgNVBAsTDmFzMyBj
cnlwdG8gbGliMRgwFgYDVQQDEw9IZW5yaSBUb3JnZW1hbmUxKDAmBgkqhkiG9w0B
CQEWGWhlbnJpX3RvcmdlbWFuZUB5YWhvby5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAOgqUvOkl4tyg9hBBg9rR2IzjOln7Ssp5HGHH2yyr3UPPAB5KYzv
BPTdYuItmSo+3YxLe42jvnMrlG2aMeoXo6N+za1tJ2UIrm2mKy84Cyy6rSjm8jOD
8yFLY8iKOcG1UH1cVJNfGG94p4irVWB0HbAdb3n7OEEX5nWGxhw1FEUXAgMBAAGj
ggERMIIBDTAdBgNVHQ4EFgQU/XyNp2QghYm3MWOU5YoUoFWcTKMwgd0GA1UdIwSB
1TCB0oAU/XyNp2QghYm3MWOU5YoUoFWcTKOhga6kgaswgagxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEUMBIGA1UE
ChMLaHVybGFudC5jb20xFzAVBgNVBAsTDmFzMyBjcnlwdG8gbGliMRgwFgYDVQQD
Ew9IZW5yaSBUb3JnZW1hbmUxKDAmBgkqhkiG9w0BCQEWGWhlbnJpX3RvcmdlbWFu
ZUB5YWhvby5jb22CCQC+5OV97Ar54jAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
BQUAA4GBABsXUJjiRAz+FeiVq4JMSBWeiiGcXTw+8sNv8SfWaWx3su+AgooKlBn3
nsGKf3BEDdmJCOSgY0+A5Pce9SRoAMhabHKwoLEogrtp2p8vRj2OTMjWBW7ylrxj
FvUpFdc8qFaqTtgH6+JiIYllGFlcsSV+6d9fDPaFDZEHjz5GweWJ
-----END CERTIFICATE-----
Both examples were taken from as3crypto.