Digitially Sign Key with Lockbox - delphi

I have to digitally sign a string using the SHA-1 algorithm with RSA using PKCS#1 padding. I have downloaded Turbo Power Lockbox to use with the Delphi programming language.
In a previous question I have learned how to convert private key from PEM format to DER format (which if I understand correctly is ASN.1 format and is used with Lockbox).
I am getting a "division by zero" error in the following code on the SignString:
uses LbRSA,lbAsym,LbDSA;
procedure TForm1.Button1Click(sender: TObject);
var
mPrivateKey: TLbRSAKey;
mLbRSASSA : TLbRSASSA;
begin
mPrivateKey := TLbRSAKey.Create(aks1024);
mPrivateKey.LoadFromFile('C:\temp\myrsakey.der');
mLbRSASSA := TLbRSASSA.create(nil);
mLbRSASSA.HashMethod := hmSHA1;
mLbRSASSA.PrivateKey.Assign(mprivateKey);
mLbRSASSA.SignString('sign this message');
Here is how I generated c:\temp\myrsakey.der:
c:\openssl\bin\openssl req -x509 -nodes -days 365 -newkey rsa:1024 -sha1 -subj "/C=US/ST=CA/L=Mountain View/CN=www.mycompany.com" -keyout myrsakey.pem -out c:\temp\myrsacert.pem
Use following to convert from PEM to DER:
c:\openssl\bin\openssl rsa -inform PEM -outform DER -in c:\temp\myrsakey.pem -out c:\temp\myrsakey.der
Any ideas why I am getting the division by zero error?

The private key you are generating with OpenSSL is in a different format to what Lockbox requires.
I haven't worked out what the required incantation is that you need for OpenSSL to generate a Lockbox compatible key (even if OpenSSL is able to) but judging by your previous question you already have a key/certificate so my first idea of using Lockbox to generate the key is probably no use:
mLbRSASSA := TLbRSASSA.create(nil);
mLbRSASSA.KeySize := aks1024;
mLbRSASSA.GenerateKeyPair;
mLbRSASSA.PrivateKey.StoreToFile(mykeyname);
However, perhaps a better suggestion is that you could avoid Lockbox altogether. I've stopped using Lockbox and now use the OpenSSL library/dll directly for signing etc using the work by Marco Ferrante:
http://www.disi.unige.it/person/FerranteM/delphiopenssl/
There are good examples on there and it all starts to make sense once you combine it with a reading of the OpenSSL docs.

Related

Is there a chance to deal with unknown format of private key & certificate?

I'm working on a Delphi project where I will sign an invoice. I tested some OpenSSL Delphi ports and I had success in signing and verifying data. The problem is that I can't read either the key or the certificate files. I think there is a problem with key and certificate formats.
Private key (private-key.pem)
MHQCAQEEIP0tXvA0mhzTBgjZaAGt+V3tWIr79nG/gs56jKFJb6gboAcGBSuBBAAKoUQDQgAE+39UxFUCaF5p51RTvwXL+YODEpITlTdI27S72pSPJEAjQs2jBb1sLS/xg8/y5555+d19KoLmLo6gMrxvINXaHw==
Certificate (cert.pem)
MIID6zCCA5CgAwIBAgITbwAAgLTUs0JsZqZVAQABAACAtDAKBggqhkjOPQQDAjBjMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNnb3YxFzAVBgoJkiaJk/IsZAEZFgdleHRnYXp0MRwwGgYDVQQDExNUU1pFSU5WT0lDRS1TdWJDQS0xMB4XDTIyMTAwNjEyNTcyNloXDTI0MTAwNTEyNTcyNlowTjELMAkGA1UEBhMCU0ExEzARBgNVBAoTCjM5OTk5OTk5OTkxDDAKBgNVBAsTA1RTVDEcMBoGA1UEAxMTVFNULTM5OTk5OTk5OTkwMDAwMzBWMBAGByqGSM49AgEGBSuBBAAKA0IABGGDDKDmhWAITDv7LXqLX2cmr6+qddUkpcLCvWs5rC2O29W/hS4ajAK4Qdnahym6MaijX75Cg3j4aao7ouYXJ9GjggI5MIICNTCBmgYDVR0RBIGSMIGPpIGMMIGJMTswOQYDVQQEDDIxLVRTVHwyLVRTVHwzLTA3MzBlZThlLTA4OWQtNDQ1OS1hMzg3LWIxMTg5NGJmMTQyOTEfMB0GCgmSJomT8ixkAQEMDzM5OTk5OTk5OTkwMDAwMzENMAsGA1UEDAwEMTEwMDEMMAoGA1UEGgwDVFNUMQwwCgYDVQQPDANUU1QwHQYDVR0OBBYEFDuWYlOzWpFN3no1WtyNktQdrA8JMB8GA1UdIwQYMBaAFHZgjPsGoKxnVzWdz5qspyuZNbUvME4GA1UdHwRHMEUwQ6BBoD+GPWh0dHA6Ly90c3RjcmwuemF0Y2EuZ292LnNhL0NlcnRFbnJvbGwvVFNaRUlOVk9JQ0UtU3ViQ0EtMS5jcmwwga0GCCsGAQUFBwEBBIGgMIGdMG4GCCsGAQUFBzABhmJodHRwOi8vdHN0Y3JsLnphdGNhLmdvdi5zYS9DZXJ0RW5yb2xsL1RTWkVpbnZvaWNlU0NBMS5leHRnYXp0Lmdvdi5sb2NhbF9UU1pFSU5WT0lDRS1TdWJDQS0xKDEpLmNydDArBggrBgEFBQcwAYYfaHR0cDovL3RzdGNybC56YXRjYS5nb3Yuc2Evb2NzcDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMDMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwMwCgYIKoZIzj0EAwIDSQAwRgIhAOZ8oJnliPhdWvCiokPmStz2niL+1Rbw6y9asAh229z7AiEA0r6l1qnq6vzRjVvr9Hnbtq/9Aki0R4rF64EFNY4XACM=
Code to read private key
bp := BIO_new_file(PAnsiChar(PrivKeyFile), 'r');
if CheckError() then Exit;
try
FPrivateKeyData := PEM_read_bio_PrivateKey(bp, nil, nil, PAnsiChar(FCertPassword));
if CheckError() then Exit;
finally
BIO_free(bp);
end;
Code to read certificate
bp := BIO_new_file(PAnsiChar(certFile), 'r');
if CheckError then Exit;
try
_x509 := PEM_read_bio_X509(bp, nil, nil, PAnsiChar(FCertPassword));
if CheckError then Exit;
finally
BIO_free(bp);
end;
Error Message in both cases
error:0906D06C:PEM routines:PEM_read_bio:no start line
If files format is not accepted by OpenSSL, is there any way to convert files format so I can use them with OpenSSL library?
PEM IS NOT JUST BASE64. Your files names say .pem and you try to read them with routines that handle PEM, but they aren't PEM. PEM is base64 (of certain data types) with linebreaks and with header/trailer lines -- these are not optional; see rfc7468.
Your previous Q had these correct and only the 'type' in the header/trailer wrong.
Add header/trailer lines and linebreaks as follows (edit: corrected privatekey type) and your files will work with your code:
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIP0tXvA0mhzTBgjZaAGt+V3tWIr79nG/gs56jKFJb6gboAcGBSuBBAAK
oUQDQgAE+39UxFUCaF5p51RTvwXL+YODEpITlTdI27S72pSPJEAjQs2jBb1sLS/x
g8/y5555+d19KoLmLo6gMrxvINXaHw==
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID6zCCA5CgAwIBAgITbwAAgLTUs0JsZqZVAQABAACAtDAKBggqhkjOPQQDAjBj
MRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNnb3YxFzAV
BgoJkiaJk/IsZAEZFgdleHRnYXp0MRwwGgYDVQQDExNUU1pFSU5WT0lDRS1TdWJD
QS0xMB4XDTIyMTAwNjEyNTcyNloXDTI0MTAwNTEyNTcyNlowTjELMAkGA1UEBhMC
U0ExEzARBgNVBAoTCjM5OTk5OTk5OTkxDDAKBgNVBAsTA1RTVDEcMBoGA1UEAxMT
VFNULTM5OTk5OTk5OTkwMDAwMzBWMBAGByqGSM49AgEGBSuBBAAKA0IABGGDDKDm
hWAITDv7LXqLX2cmr6+qddUkpcLCvWs5rC2O29W/hS4ajAK4Qdnahym6MaijX75C
g3j4aao7ouYXJ9GjggI5MIICNTCBmgYDVR0RBIGSMIGPpIGMMIGJMTswOQYDVQQE
DDIxLVRTVHwyLVRTVHwzLTA3MzBlZThlLTA4OWQtNDQ1OS1hMzg3LWIxMTg5NGJm
MTQyOTEfMB0GCgmSJomT8ixkAQEMDzM5OTk5OTk5OTkwMDAwMzENMAsGA1UEDAwE
MTEwMDEMMAoGA1UEGgwDVFNUMQwwCgYDVQQPDANUU1QwHQYDVR0OBBYEFDuWYlOz
WpFN3no1WtyNktQdrA8JMB8GA1UdIwQYMBaAFHZgjPsGoKxnVzWdz5qspyuZNbUv
ME4GA1UdHwRHMEUwQ6BBoD+GPWh0dHA6Ly90c3RjcmwuemF0Y2EuZ292LnNhL0Nl
cnRFbnJvbGwvVFNaRUlOVk9JQ0UtU3ViQ0EtMS5jcmwwga0GCCsGAQUFBwEBBIGg
MIGdMG4GCCsGAQUFBzABhmJodHRwOi8vdHN0Y3JsLnphdGNhLmdvdi5zYS9DZXJ0
RW5yb2xsL1RTWkVpbnZvaWNlU0NBMS5leHRnYXp0Lmdvdi5sb2NhbF9UU1pFSU5W
T0lDRS1TdWJDQS0xKDEpLmNydDArBggrBgEFBQcwAYYfaHR0cDovL3RzdGNybC56
YXRjYS5nb3Yuc2Evb2NzcDAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB
BQUHAwIGCCsGAQUFBwMDMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwIwCgYI
KwYBBQUHAwMwCgYIKoZIzj0EAwIDSQAwRgIhAOZ8oJnliPhdWvCiokPmStz2niL+
1Rbw6y9asAh229z7AiEA0r6l1qnq6vzRjVvr9Hnbtq/9Aki0R4rF64EFNY4XACM=
-----END CERTIFICATE-----
Alternatively, you can decode the base64 to binary and then use the routines that parse binary rather than PEM, for this case d2i_ECPrivateKey and d2i_x509.
Note this privatekey is not encrypted, so you don't actually need the password (it is ignored).
Meta: I'm not sure this is really programming or development, but I needed formatting so I answered. If Q is closed, I will delete if requested.

How to get X509Certificate field in Swift

I’m trying to Sign a XML document in iOS. I already created a digestValue and a SignatureValue using a pfx file, but I cannot generate the X509Certificate field inside KeyInfo field. I know I only need the pfx file to generate this, but how could I do it in iOS?
Thank you.
I got it.
I had to import OpenSSL lib to my project as a pod:
pod 'OpenSSL-Universal', '~> 1.0'
Then I created an Objective-C file to use the C functions of OpenSSL, and use the following functions to get the PEM value:
d2i_PKCS12: read certificate
PKCS12_parse: parse the certificate to X509 object.
PEM_write_bio_X509: parse the X509 data to a BIO object.
BIO_get_mem_ptr: parse the BIO data to a MEM data
Then I allocated a NSString using the mem->data, and there is the Certificate PEM value.
For more details about the functions, I followed this documentation:
https://www.openssl.org/docs/man1.0.2/crypto/

Computing byte range digest

I'm building an app that lets user digitally sign a PDF. I'm using plugPDF SDK. It has no built in support for generating byte range digest so I have to do it myself. PlugPDF generates the PDF content from which I generate signed hash in Terminal:
openssl dgst -hex -sha256 -sign privateKey.pem -out encrypted.out invoice.content
From this hash I generate the PKCS#7 object:
openssl cms -in encrypted.out -sign -signer signer.pem -outform der -out cert.p7b
Then I inject it into the PDF using the plugPDF SDK. When I open it in Adobe Acrobat the PDF is signed but the signature is invalid. It says: “The Document has been altered or corrupted since the Signature was applied.”
I assume the problem is wrong hash value but I have no idea how else to generate it.
Here's an example tutorial: https://plugpdf.com/how-to-sign-pdf-document-with-pki-certificate-on-ios/
The byte range digest for PDFs typically exclude the area of the PDF where the signature will be injected, so that the digest value should be the same before and after adding the signature. If they are not the same, then the assumption is that the file has been in some way modified since being signed.
It doesn't look like openssl's dgst command allows you to specify discontinuous byte ranges.

Rails can't read certificate information from environment due to nested asn1 error

I've got some certificate files, namely a .key file which says:
-----BEGIN RSA PRIVATE KEY-----
IEpAIBAAKCAQEAwAwxt4edIh3UuK8r5
....blablabla..................
QSNoquaasdsaKDybrezemVqCxsQjg==
-----END RSA PRIVATE KEY-----
So it's a RSA Private Key.
I used to load them from files like so:
#private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file))
But since I am using Heroku, I intend to have my certificates saved as their values in environment variables.
So I've pasted them in my .env file
COMPANY_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKC.....\n-----END RSA PRIVATE KEY-----"
Yeah, I switched the \n for explicits \\n based on Multi-line config variables in Heroku. So now my code looks like this:
#private_key = OpenSSL::PKey::RSA.new(ENV['COMPANY_KEY'])
And if I run it from the console I get the object built. But if I try to run it from the web server (Puma 3.4.0 over Rails 4.2.6, Ruby 2.2.3) it fails miserably saying: Neither PUB key nor PRIV key:: nested asn1 error when trying to run that same line.
If I use the debug console I get that the read file looks like
"Line 1\\nLine3\\nLinea3" and so on...
I'm pretty sure that it has something to do with the file format, but I'm all out of ideas and maybe you could help if you had a problem like mine.
I finally found a way to do it... mixing it all up!
So the file, for example company.key looks like
-----BEGIN PRIVATE RSA KEY ----
Mumbojumbomummbojumbo
-----END RSA PRIVATE KEY----
So I switched it to a one liner, making explicit \n in the string (so its a real \n)
COMPANY_KEY=""-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA+ztKEj\n-----END RSA PRIVATE KEY-----\n"
Don't forget the last \n in the file.
Now, the last part, in the place where I used to do
#private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file))
Now I do
#private_key = OpenSSL::PKey::RSA.new(ENV['COMPANY_KEY'].gsub("\\n", "\n"))
And now works like a charm! No public certificates, every piece of info in environment variables.
Save yourself some trouble and store only the certificate or key body in the environment variable. No need to put in newline characters.
SECRET = <<-SECRET
-----BEGIN PRIVATE KEY-----
#{ENV['SECRET_KEY']}
-----END PRIVATE KEY-----
SECRET
CERTIFICATE = <<-CERT
-----BEGIN CERTIFICATE-----
#{ENV['CERT']}
-----END CERTIFICATE-----
CERT
I switched the \n for explicits \\n based on Multi-line config variables in Heroku.
...
If I use the debug console I get that the read file looks like "Line 1\\nLine3\\nLinea3" ...
You problem should be here. The post you are linking is not suggesting to double escape your new lines, it is suggesting to wrap your multi-line text into "double quotes". In bash, it would allow to enter multi-line text at the terminal. The post also suggests to do it an in much easier way:
heroku config:add MASISA_KEY ="$(cat your_private_key.pem)"

Ruby-Saml Certificate issue

I am not sure if I am doing something wrong here but I've been stuck on this issue for quite some time. I am using the Ruby-saml gem (https://github.com/onelogin/ruby-saml) and I am not sure if my settings.certificate is valid. I used OpenSSL to generate the public/private key pair. Here is my public key:
$ cat cert.pem
-----BEGIN CERTIFICATE-----
MIIE3zCCA8egAwIBAgIJANtTrhsq7mkmMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkl0aGFjYTEbMBkG
A1UEChMSQ29ybmVsbCBVbml2ZXJzaXR5MQ4wDAYDVQQLEwVEeXNvbjEjMCEGA1UE
AxMaY3VtaW5vcnMuZHlzb24uY29ybmVsbC5lZHUxIDAeBgkqhkiG9w0BCQEWEW5t
YzUyQGNvcm5lbGwuZWR1MB4XDTE2MDQxMjE4MTUzOVoXDTI2MDQxMDE4MTUzOVow
gaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGSXRo
YWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkxDjAMBgNVBAsTBUR5c29u
MSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxsLmVkdTEgMB4GCSqGSIb3
DQEJARYRbm1jNTJAY29ybmVsbC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCnVjE8GIJe19Ba+361+c7ATDhBrzpGQoe+IDrDWw8B68HayaAvC8Pq
WdNQNQ3SfHOdb+Vv0eywxHG7wRVVrJ+f8fLqmHBHfthzRG1JnGhReUXb/+wfkUEw
DFZPEnEcj6rBcSbX5nsLVvupMXw43XB7ev/NX1SLsRU4trS25YMOozxjL+SfcKsW
IQPgqD3usIArwS6b3UQ+ftuVfmWqKEqoUq25tUXoAporFkJyVqXZqe4g/Q+WqbX4
cD9e1u7q8OlbSeVXUyPwRsNXzn1n+8tUbCc2k8+glEW5UJk7DY0AP95ry0ZcpfLr
kgaOTqvbkUWCaZH1FP04SYG5Csw/8IDtAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQU
q3ybbMNZOEXWgJ7/K0mSMx3VeTMwgdoGA1UdIwSB0jCBz4AUq3ybbMNZOEXWgJ7/
K0mSMx3VeTOhgaukgagwgaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9y
azEPMA0GA1UEBxMGSXRoYWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkx
DjAMBgNVBAsTBUR5c29uMSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxs
LmVkdTEgMB4GCSqGSIb3DQEJARYRbm1jNTJAY29ybmVsbC5lZHWCCQDbU64bKu5p
JjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBA8QEvcxLnjZURGb5/
a4JUVwU6noFdZpmI9FgBi7d3nKs+BNxL/1Het6Kk19T1kPlyDdG96asG6fbRH24G
cJOoDvVpx6lxMu85gFpJVv/vtDmnlpiBoDH+v2I7O4ENhve76B7Z5XtT5FsjEdy4
RAn1iczxq391vFNQJl0kCz2Khdv5CS3t6qNS42sPcRk9mjbnN0wz6jHxG5BfCVdk
dXxoLuJVLzT7/sbBkT2SLkwQkPiYitb3LFoNFu+Sk8y+L4cVaeoA5XoEjmIbtkgD
oLCrILf6t18C/R2AD0/huq2pFtxd/rng/yGMniTBc6aGDsv06RXo/5r7DsO0feXV
cRzc
-----END CERTIFICATE-----
In Rails I tried multiple different way to get this to work:
settings.certificate = "-----BEGIN CERTIFICATE-----
MIIE3zCCA8egAwIBAgIJANtTrhsq7mkmMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYD
VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkl0aGFjYTEbMBkG
A1UEChMSQ29ybmVsbCBVbml2ZXJzaXR5MQ4wDAYDVQQLEwVEeXNvbjEjMCEGA1UE
AxMaY3VtaW5vcnMuZHlzb24uY29ybmVsbC5lZHUxIDAeBgkqhkiG9w0BCQEWEW5t
YzUyQGNvcm5lbGwuZWR1MB4XDTE2MDQxMjE4MTUzOVoXDTI2MDQxMDE4MTUzOVow
gaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGSXRo
YWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkxDjAMBgNVBAsTBUR5c29u
MSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxsLmVkdTEgMB4GCSqGSIb3
DQEJARYRbm1jNTJAY29ybmVsbC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQCnVjE8GIJe19Ba+361+c7ATDhBrzpGQoe+IDrDWw8B68HayaAvC8Pq
WdNQNQ3SfHOdb+Vv0eywxHG7wRVVrJ+f8fLqmHBHfthzRG1JnGhReUXb/+wfkUEw
DFZPEnEcj6rBcSbX5nsLVvupMXw43XB7ev/NX1SLsRU4trS25YMOozxjL+SfcKsW
IQPgqD3usIArwS6b3UQ+ftuVfmWqKEqoUq25tUXoAporFkJyVqXZqe4g/Q+WqbX4
cD9e1u7q8OlbSeVXUyPwRsNXzn1n+8tUbCc2k8+glEW5UJk7DY0AP95ry0ZcpfLr
kgaOTqvbkUWCaZH1FP04SYG5Csw/8IDtAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQU
q3ybbMNZOEXWgJ7/K0mSMx3VeTMwgdoGA1UdIwSB0jCBz4AUq3ybbMNZOEXWgJ7/
K0mSMx3VeTOhgaukgagwgaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9y
azEPMA0GA1UEBxMGSXRoYWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkx
DjAMBgNVBAsTBUR5c29uMSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxs
LmVkdTEgMB4GCSqGSIb3DQEJARYRbm1jNTJAY29ybmVsbC5lZHWCCQDbU64bKu5p
JjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBA8QEvcxLnjZURGb5/
a4JUVwU6noFdZpmI9FgBi7d3nKs+BNxL/1Het6Kk19T1kPlyDdG96asG6fbRH24G
cJOoDvVpx6lxMu85gFpJVv/vtDmnlpiBoDH+v2I7O4ENhve76B7Z5XtT5FsjEdy4
RAn1iczxq391vFNQJl0kCz2Khdv5CS3t6qNS42sPcRk9mjbnN0wz6jHxG5BfCVdk
dXxoLuJVLzT7/sbBkT2SLkwQkPiYitb3LFoNFu+Sk8y+L4cVaeoA5XoEjmIbtkgD
oLCrILf6t18C/R2AD0/huq2pFtxd/rng/yGMniTBc6aGDsv06RXo/5r7DsO0feXV
cRzc
-----END CERTIFICATE-----"
I've also tried to just have Rails read the cert.pem file directly:
settings.certificate = OpenSSL::X509::Certificate.new(File.read("#{Rails.root}/cert.pem")).to_s
The issue is (which I am not sure is an issue), my key is a long inline string in the XML file (metadata for the SP)
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIE3zCCA8egAwIBAgIJANtTrhsq7mkmMA0GCSqGSIb3DQEBBQUAMIGlMQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxDzANBgNVBAcTBkl0aGFjYTEbMBkGA1UEChMSQ29ybmVsbCBVbml2ZXJzaXR5MQ4wDAYDVQQLEwVEeXNvbjEjMCEGA1UEAxMaY3VtaW5vcnMuZHlzb24uY29ybmVsbC5lZHUxIDAeBgkqhkiG9w0BCQEWEW5tYzUyQGNvcm5lbGwuZWR1MB4XDTE2MDQxMjE4MTUzOVoXDTI2MDQxMDE4MTUzOVowgaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGSXRoYWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkxDjAMBgNVBAsTBUR5c29uMSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxsLmVkdTEgMB4GCSqGSIb3DQEJARYRbm1jNTJAY29ybmVsbC5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnVjE8GIJe19Ba+361+c7ATDhBrzpGQoe+IDrDWw8B68HayaAvC8PqWdNQNQ3SfHOdb+Vv0eywxHG7wRVVrJ+f8fLqmHBHfthzRG1JnGhReUXb/+wfkUEwDFZPEnEcj6rBcSbX5nsLVvupMXw43XB7ev/NX1SLsRU4trS25YMOozxjL+SfcKsWIQPgqD3usIArwS6b3UQ+ftuVfmWqKEqoUq25tUXoAporFkJyVqXZqe4g/Q+WqbX4cD9e1u7q8OlbSeVXUyPwRsNXzn1n+8tUbCc2k8+glEW5UJk7DY0AP95ry0ZcpfLrkgaOTqvbkUWCaZH1FP04SYG5Csw/8IDtAgMBAAGjggEOMIIBCjAdBgNVHQ4EFgQUq3ybbMNZOEXWgJ7/K0mSMx3VeTMwgdoGA1UdIwSB0jCBz4AUq3ybbMNZOEXWgJ7/K0mSMx3VeTOhgaukgagwgaUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGSXRoYWNhMRswGQYDVQQKExJDb3JuZWxsIFVuaXZlcnNpdHkxDjAMBgNVBAsTBUR5c29uMSMwIQYDVQQDExpjdW1pbm9ycy5keXNvbi5jb3JuZWxsLmVkdTEgMB4GCSqGSIb3DQEJARYRbm1jNTJAY29ybmVsbC5lZHWCCQDbU64bKu5pJjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBA8QEvcxLnjZURGb5/a4JUVwU6noFdZpmI9FgBi7d3nKs+BNxL/1Het6Kk19T1kPlyDdG96asG6fbRH24GcJOoDvVpx6lxMu85gFpJVv/vtDmnlpiBoDH+v2I7O4ENhve76B7Z5XtT5FsjEdy4RAn1iczxq391vFNQJl0kCz2Khdv5CS3t6qNS42sPcRk9mjbnN0wz6jHxG5BfCVdkdXxoLuJVLzT7/sbBkT2SLkwQkPiYitb3LFoNFu+Sk8y+L4cVaeoA5XoEjmIbtkgDoLCrILf6t18C/R2AD0/huq2pFtxd/rng/yGMniTBc6aGDsv06RXo/5r7DsO0feXVcRzc
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
The IdP people said it was not valid when they tried to use it, he gave me an example of theirs and theirs was split across many lines unlike mine which is just a long string with no space:
https://shibidp.cit.cornell.edu/idp/shibboleth
Am I doing something wrong here? All I did was take the output from cat and pasted it to my SAML Settings.
looks like your X509 doesn't have any line breaks. That might be your problem.

Resources