key retrieved from keyserver (keys.openpgp.org) can't be used (gpgme) - openpgp

everyone
I've generated a pair of keys associated with my email address and uploaded the public key to the keyserver: keys.openpgp.org. With the help of gpgme examples, I wrote a C++ program using Visual Studio to retrieve my public key both locally,
gpgme_set_keylist_mode(ceofcontext, GPGME_KEYLIST_MODE_LOCAL);
and remotely,
gpgme_set_keylist_mode(ceofcontext, GPGME_KEYLIST_MODE_EXTERN);
The key's fingerprint, email, algorithm and name are all correct. The problem is that the key's fields can_encrypt, can_sign and can_certify are 0 when it is retrieved from the remote keyserver. This renders the key retrieved remotely unusable.
Has anyone run into a similar issue?
Thanks,
Eric
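As an added example (not part of the original post), the same two-step flow done with the gpg command line from PowerShell: fetch the key from keys.openpgp.org, which only brings it into the local keyring, and then read the capability flags from the local listing. A key listed with GPGME_KEYLIST_MODE_EXTERN is only a description of what the server holds; gpgme_op_import_keys() is the library-level counterpart of the --recv-keys step shown here, and the capability flags are populated from the local keyring after the import. The fingerprint in the usage lines is a placeholder (assumption).

```powershell
# Added example, not code from the original post. Requires the gpg CLI on PATH.

function Import-KeyFromKeyserver {
    param(
        [Parameter(Mandatory)][string]$Fingerprint,
        [string]$Keyserver = 'hkps://keys.openpgp.org'
    )
    # Look up by fingerprint, not by email: keys.openpgp.org only serves a
    # user ID once its owner has verified the address, so an email search
    # can come back empty even though the key is there.
    & gpg --batch --keyserver $Keyserver --recv-keys $Fingerprint
    if ($LASTEXITCODE -ne 0) {
        throw "gpg --recv-keys failed with exit code $LASTEXITCODE"
    }
}

function Get-KeyCapabilities {
    param([Parameter(Mandatory)][string]$Fingerprint)
    # --with-colons is the stable machine-readable listing. Field 12 of the
    # 'pub' record holds the capability letters: e=encrypt, s=sign,
    # c=certify, a=authenticate. Lower case describes the primary key itself,
    # upper case summarises what the whole key (primary plus subkeys) can do.
    $lines = & gpg --batch --with-colons --list-keys $Fingerprint 2>$null
    $pub = $lines | Where-Object { $_ -like 'pub:*' } | Select-Object -First 1
    if (-not $pub) {
        throw "Key $Fingerprint is not in the local keyring; import it first"
    }
    $caps = ($pub -split ':')[11]
    # -match is case-insensitive, so 'e' also matches a subkey-provided 'E'.
    [pscustomobject]@{
        Fingerprint = $Fingerprint
        RawCaps     = $caps
        CanEncrypt  = [bool]($caps -match 'e')
        CanSign     = [bool]($caps -match 's')
        CanCertify  = [bool]($caps -match 'c')
    }
}

# Usage (placeholder fingerprint, assumption):
# $fpr = '0123456789ABCDEF0123456789ABCDEF01234567'
# Import-KeyFromKeyserver -Fingerprint $fpr
# Get-KeyCapabilities -Fingerprint $fpr
```

Once the key is in the local keyring the GPGME_KEYLIST_MODE_LOCAL listing in the C++ program sees the same capability bits that this script reads from the colon listing; a key that still shows no 'e'/'E' capability after import genuinely has no encryption subkey, which is a different problem from the remote listing simply not reporting capabilities.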

Related

Store and retrieve RSA private key in Windows

I have a pretty simple scenario/requirement:
Generate RSA private/public key pair through OpenSSL or any online RSA key pair generator
Save the private key to the Windows internal store (so it does not lie around as just a file somewhere)
Create a PowerShell script that looks into the store, locates the key, and uses it.
(basically, I will have a PS script to which I send a password already encrypted by a 3rd party tool, and I expect that PS script to decrypt that password using a locally stored private key and use it on the fly)
So far this has proved an unreachable goal, because:
I haven't found a way to import a .pem file with the key
a .cer file apparently does not contain the key
the only way I have found so far to import the key is conversion to a .pfx file, which can be imported, BUT
a .pfx file cannot be read as plain text; there seems to be no reasonable way from PowerShell to locate the key and read it for use in decryption
there is the PSPKI module, but it seems to accept the file and not the stored/installed certificate/key.
So does anyone have an idea how I can import a simple private key into Windows for later read-out from PowerShell for further usage?
Thank you!
Have a look at this class to load the PFX: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2?view=net-7.0
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\my.pfx", "password");
The next step is to open the store. After you have checked which one fits best (machine or user) you can use X509Store to read and write there. Do not forget the Open method. When a certificate with a private key is added, the key is stored and the file can be deleted.
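The two halves of the answer above carried through end to end, as an added example that is not the answer's own code: a one-time import of the PFX into the user's personal store with the key persisted (and not exportable), and a later lookup by thumbprint that decrypts a blob with the stored private key. The file path, password handling and OAEP padding are assumptions for the demo; the padding in particular must match whatever the third-party tool used to encrypt.

```powershell
# Added example, not code from the answer above. Windows PowerShell 5.1 or
# PowerShell 7 on Windows.
Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1

function Install-PfxToUserStore {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # PersistKeySet keeps the private key in the user's key container instead
    # of a temporary one that vanishes with the object. Leaving out
    # Exportable means the key can be used from the store but not pulled
    # back out, which is the point of not keeping the .pfx around.
    $kf    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $kf::PersistKeySet -bor $kf::UserKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $Password, $flags)
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
    } finally {
        $store.Close()
    }
    # Record the thumbprint: it is how the later script finds this key.
    return $cert.Thumbprint
}

function Unprotect-WithStoredKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][byte[]]$CipherText
    )
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate found but it has no private key; re-import the PFX" }
    # GetRSAPrivateKey works for both CAPI- and CNG-backed keys; the older
    # $cert.PrivateKey property only works for legacy CAPI keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    # Padding assumption: OAEP-SHA256. Use ::Pkcs1 if the tool used PKCS#1 v1.5.
    $plain = $rsa.Decrypt($CipherText, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# One-time setup (delete the .pfx afterwards):
# $pw    = Read-Host -AsSecureString -Prompt 'PFX password'
# $thumb = Install-PfxToUserStore -PfxPath 'C:\keys\my.pfx' -Password $pw
#
# Later, in the script that receives the encrypted password from the tool:
# $secret = Unprotect-WithStoredKey -Thumbprint $thumb `
#               -CipherText ([Convert]::FromBase64String($blobFromTool))
```

A bare private key cannot be placed in the certificate store; it has to travel with a certificate, which is why the .pem route fails. If you only have key.pem, make a self-signed certificate for it (openssl req -x509 -new -key key.pem -out cert.pem -days 365 -subj /CN=decryptor) and bundle the two with openssl pkcs12 -export -inkey key.pem -in cert.pem -out my.pfx before running the install step. The PKI module's Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My does the same import in one cmdlet if it is available.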

How to check and read my Master Key generated using DP API

The query is regarding the DP API functionality.
I am using the DPAPI Protect and Unprotect methods to encrypt my string with a secret entropy. As per the information available on the internet, a master key is generated by DPAPI initially, which is stored at AppData\Roaming\Microsoft\Protect\[SID]\"mymasterkeyfile".
On program execution, the [SID] folder is generated on my system but I am not able to find the master key file. I don't know why.
I am new to this, so I am not able to understand the issue.
Any help appreciated. Thanks.
It's a (hidden) system file so adapt your folder settings to make these visible ( probably only to admins). In the Console (as admin) use dir /A:HS [folder] to see the files, which have long random names.
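As an added example (not the answer's own code), the Protect/Unprotect round trip with extra entropy, followed by the PowerShell equivalent of the dir /A:HS check above: the master key files are hidden system files, so Get-ChildItem needs -Force to show them. The entropy value is constructed for the demo.

```powershell
# Added example, not code from the answer above.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on 5.1

function Protect-StringWithEntropy {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][byte[]]$Entropy
    )
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    # CurrentUser scope: the blob is bound to this user's DPAPI master key,
    # the entropy is an extra secret the caller must supply again to decrypt.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $Entropy, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-StringWithEntropy {
    param(
        [Parameter(Mandatory)][string]$Base64Blob,
        [Parameter(Mandatory)][byte[]]$Entropy
    )
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Base64Blob), $Entropy,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function Get-DpapiMasterKeyFiles {
    # Per-user master keys live under the caller's SID. The folder and the
    # first master key are created on the first Protect call for that user.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    if (-not (Test-Path -LiteralPath $dir)) {
        throw "No DPAPI folder for $sid yet; call Protect first"
    }
    # -Force is what makes the Hidden+System master key files show up.
    Get-ChildItem -LiteralPath $dir -Force -File |
        Select-Object Name, Length, Attributes, LastWriteTime
}

# Demo with constructed entropy. In real use the entropy must be something an
# attacker who copies both the blob and the master key files does not have.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-secret')
$blob    = Protect-StringWithEntropy -Text 'hunter2' -Entropy $entropy
Unprotect-StringWithEntropy -Base64Blob $blob -Entropy $entropy
Get-DpapiMasterKeyFiles
```

The listing shows the GUID-named master key files with Hidden and System in the Attributes column; Unprotect with the wrong entropy, or from a different user account, fails with a CryptographicException rather than returning garbage.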

How to import key from CERT_CONTEXT into HCRYPTPROV

We have Windows code which is heavily based on Crypt* API and keys stored in HCRYPTPROV (asymmetric, both public and private parts). The keys are normally imported from external source using CryptImportKey().
Note: The safety of the source providing this key is out of topic here. Let's say it is safe enough for our purposes.
Now, with development going on, we need to adopt keys coming from X.509 certificates. Currently the code loads a certificate into an HCERTSTORE through PFXImportCertStore() or obtains it from an online CA, and then the certificate itself can be accessed as a CERT_CONTEXT through CertEnumCertificatesInStore.
But I completely failed to find a way to move keys from a certificate into an HCRYPTPROV. Any ideas are extremely welcome.
Regards,
HCRYPTPROV is just a pointer. You cannot move keys there.
Have you tried to use the IntPtr property X509Certificate2.Handle yet?
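As an added example, not from either reply above: a script that shows where a stored certificate's private key actually lives, which is the binding the native side has to resolve. A CERT_CONTEXT does not carry the private key; it carries a CERT_KEY_PROV_INFO property naming a CSP and key container (or a CNG provider and key name), and CryptAcquireCertificatePrivateKey() turns that into an HCRYPTPROV for legacy CSP keys or an NCRYPT_KEY_HANDLE for CNG keys. The public half is imported into an existing HCRYPTPROV with CryptImportPublicKeyInfo() from the certificate's SubjectPublicKeyInfo. The thumbprint is a placeholder (assumption); the CSP/CNG split below is what Windows PowerShell 5.1 reports.

```powershell
# Added example, not code from the question or answers above.
function Get-CertificateKeyBinding {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
            Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in either My store" }

    $info = [ordered]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey          # CERT_KEY_PROV_INFO present?
        PublicKeyAlg  = $cert.PublicKey.Oid.FriendlyName
        PublicKeyBits = $cert.PublicKey.Key.KeySize  # what CryptImportPublicKeyInfo would import
    }

    if ($cert.HasPrivateKey) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: this provider/container pair is exactly what an
            # HCRYPTPROV is acquired with (CryptAcquireContext + CryptGetUserKey),
            # and what CryptAcquireCertificatePrivateKey returns as an HCRYPTPROV.
            $csp = $rsa.CspKeyContainerInfo
            $info.KeyStorage    = 'CAPI (CSP)'
            $info.ProviderName  = $csp.ProviderName
            $info.ProviderType  = $csp.ProviderType
            $info.ContainerName = $csp.KeyContainerName
            $info.MachineKey    = $csp.MachineKeyStore
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: there is no HCRYPTPROV for it. Native code has to work
            # with the NCRYPT_KEY_HANDLE that CryptAcquireCertificatePrivateKey
            # hands back when CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG is set.
            $info.KeyStorage    = 'CNG'
            $info.ProviderName  = $rsa.Key.Provider.Provider
            $info.ContainerName = $rsa.Key.KeyName
        }
    }
    [pscustomobject]$info
}

# Usage (placeholder thumbprint, assumption):
# Get-CertificateKeyBinding -Thumbprint '0000000000000000000000000000000000000000'
```

A certificate imported from a PFX that was created with a CNG provider will never yield an HCRYPTPROV, so code that is built purely on Crypt* handles needs either the PFX re-exported under a legacy CSP or an NCrypt code path for the private key; the public key can always be pulled into an HCRYPTPROV regardless.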

Hadoop key is not listing when I tried to access using url

I tried to enable the "HDFS encryption" feature. As part of encryption I created a key.
When I ran the command below it lists the key I created (testkey).
venkat#hdp-poc2:~$ hadoop key list
Listing keys for KeyProvider: KMSClientProvider[http://hdp-poc2.tbu.com:16000/kms/v1/]
testkey
I want to access the same key using a URL. I copied the same URL (http://hdp-poc2.tbu.com:16000/kms/v1/) into the address bar, but it gives the error:
Network Error (tcp_error)
Please help me with how to access the key using a URL.
You can find the REST API calls here:
https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
Seems like you have an incorrect URL.
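The bare /kms/v1/ root is not a resource, which is why the browser gets nothing useful; the key list and key metadata live under /kms/v1/keys/names and /kms/v1/key/<name>/_metadata as documented in the link above. As an added example (not the answer's own code), calling those two endpoints from PowerShell, plus a plain TCP reachability check, because "Network Error (tcp_error)" is the page a web proxy serves when it cannot reach the target host, not a KMS response. The host and port are the ones in the question; the user name and the assumption that KMS runs with simple (non-Kerberos) authentication are assumptions for the demo.

```powershell
# Added example, not code from the answer above.
function Get-KmsKeyNames {
    param(
        [string]$KmsBase = 'http://hdp-poc2.tbu.com:16000/kms/v1',
        [string]$User    = 'venkat'
    )
    # With hadoop.kms.authentication.type=simple the pseudo authenticator takes
    # the caller identity from the user.name query parameter. With kerberos,
    # drop it and add -UseDefaultCredentials so the request does SPNEGO.
    Invoke-RestMethod -Method Get -Uri "$KmsBase/keys/names?user.name=$User"
}

function Get-KmsKeyMetadata {
    param(
        [Parameter(Mandatory)][string]$KeyName,
        [string]$KmsBase = 'http://hdp-poc2.tbu.com:16000/kms/v1',
        [string]$User    = 'venkat'
    )
    # Metadata only: the KMS never returns key material over this endpoint.
    Invoke-RestMethod -Method Get -Uri "$KmsBase/key/$KeyName/_metadata?user.name=$User"
}

function Test-KmsReachable {
    param([string]$KmsHost = 'hdp-poc2.tbu.com', [int]$Port = 16000)
    # A proxy's tcp_error page means the proxy, not you, failed to connect.
    # Test the socket directly from the client to separate the two cases.
    $probe = Test-NetConnection -ComputerName $KmsHost -Port $Port -WarningAction SilentlyContinue
    $probe.TcpTestSucceeded
}

# Usage:
# Test-KmsReachable                      # $false => firewall/DNS/proxy, not KMS
# Get-KmsKeyNames                        # should list 'testkey'
# Get-KmsKeyMetadata -KeyName 'testkey'  # cipher, bit length, versions, ...
```

If Test-KmsReachable succeeds from the same machine whose browser shows the proxy error, add the KMS host to the browser's proxy bypass list (or unset HTTP_PROXY for the PowerShell session) and retry the keys/names URL.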

How to validate a signed DLL has been signed by me?

I have created a self-generated certificate to sign a DLL. When I load this DLL into my C++ application I am able to validate whether the code signing certificate is valid by using the WinVerifyTrust API.
But I am not able to find a way to detect that the DLL has been signed by one of my certificates. Even using the CryptQueryObject API I do not find any useful information.
Does anyone have an idea how to do this? Or is it even possible?
Thank you
CryptVerifyCertificateSignature isn't what you want?
If you sign a certificate using your private key, it can only be verified with your public key. That's how public-key cryptography works. If you can use a public key to verify the signature, then you know that the corresponding private key must have been used to sign it.
In case you need a version that also works on earlier versions of Windows than the one Bill Zeller showed you, you can use the following:
Use CryptQueryObject with CERT_QUERY_OBJECT_FILE
Use CryptMsgGetParam with CMSG_SIGNER_CERT_INFO_PARAM on the HCRYPTMSG you received from the previous call
Now use CertCompareIntegerBlob to compare your known (certificate) serial number (or numbers, in a loop) against the one in the file
If any of the known serial numbers matches, you're done. If all comparisons fail, it's not your cert.
Note: when looking at the serial number of the certificate in the file properties dialog, the bytes shown there appear in the reverse order when compared with the contents of the PCERT_INFO (CERT_INFO::SerialNumber) you get from the CryptMsgGetParam. So make sure that you store your own serial numbers reversed or reverse them before comparison.
Also note: you'll still need to have the certificate installed as trusted, in order for WinVerifyTrust (not mentioned above) to consider the code signature trusted at all. I just described the part about how to find out it's your own certificate that was used.
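The same two checks as an added PowerShell example (not code from either answer): Get-AuthenticodeSignature does what WinVerifyTrust does (untampered file, chain to a trusted root), and the signer certificate is then matched against our own, first by thumbprint and then, to mirror the serial-number method above, by issuer plus serial number with the byte order handled. The thumbprint, issuer and serial values are placeholders (assumptions).

```powershell
# Added example, not code from the answers above.
function Test-SignedByUs {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholders (assumptions): fill from your own code-signing certificates.
        [string[]]$TrustedThumbprints = @('0000000000000000000000000000000000000000'),
        [string]$OurIssuer   = 'CN=My Code Signing CA',
        [string[]]$OurSerials = @('01A2B3C4')   # as displayed in the certificate dialog
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is the WinVerifyTrust part. A self-signed signing certificate is
    # only 'Valid' once it has been installed as trusted, as the answer notes.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Ours = $false; Reason = $sig.StatusMessage }
    }
    $cert = $sig.SignerCertificate

    # Check 1: thumbprint pinning. The thumbprint hashes the whole certificate,
    # so it is unique on its own; this is the simplest robust test.
    $byThumb = $TrustedThumbprints -contains $cert.Thumbprint

    # Check 2: serial number. GetSerialNumber() returns the bytes little-endian,
    # i.e. reversed relative to the SerialNumber string and the properties
    # dialog, just like CERT_INFO::SerialNumber in the native answer. Reverse
    # before comparing. Serials are only unique per issuer, so check both.
    $raw = $cert.GetSerialNumber()
    [array]::Reverse($raw)
    $serialHex = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
    $bySerial  = ($cert.Issuer -eq $OurIssuer) -and ($OurSerials -contains $serialHex)

    [pscustomobject]@{
        Path            = $Path
        Trusted         = $true
        Ours            = ($byThumb -or $bySerial)
        MatchedBy       = if ($byThumb) { 'thumbprint' } elseif ($bySerial) { 'issuer+serial' } else { 'none' }
        Thumbprint      = $cert.Thumbprint
        SerialDisplayed = $cert.SerialNumber   # equals $serialHex after the reversal
        Issuer          = $cert.Issuer
    }
}

# Usage: pin to whatever code-signing certificates sit in the user's store.
# $mine = (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert).Thumbprint
# Test-SignedByUs -Path 'C:\app\plugin.dll' -TrustedThumbprints $mine
```

Ours is only meaningful when Trusted is also true: a file signed with a certificate that matches the thumbprint but fails Status has either been modified after signing or is chained to a root the machine does not trust, and neither should be loaded.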
