PKCS11 ECDSA parameters in go module pkcs11 - go

I would like to know how to pass the correct argument values for ECDSA template using go module miekg/pkcs11: this is so far what i got:
privateKeyTemplate := []*pkcs11.Attribute{
pkcs11.NewAttribute(pkcs11.CKA_TOKEN, tokenPersistent),
pkcs11.NewAttribute(pkcs11.CKA_ECDSA_PARAMS, []byte{{/*how to use secp256k1?*/}),
pkcs11.NewAttribute(pkcs11.CKA_SIGN, true),
pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true),
pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, true),
}
Can someone please help me with this?
thanks
EDIT:
the byte array provided by Alexander is correct, however please note that my original question was also misleading. One SHOULD NOT put the ECDSA_PARAMS in the private key template, but ONLY on the public key template.

Check this line (3189) in OpenSC project:
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_EC_PARAMS, gost.param_oid.value, gost.param_oid.len);
and this one (3199):
FILL_ATTR(privkey_templ[n_privkey_attr], CKA_GOSTR3410_PARAMS, gost.param_oid.value, gost.param_oid.len);
Using my experience with GOST keys I suggest that here must be an encoded OID. In your case it can look like this:
[]byte{ 06, 04, 01, 02, 03, 04 }

Related

Creating JWT signing method for AWS key in Go

I generated an ECC_NIST_P521 spec key, which uses the ECDSA_SHA_512 signing algorithm. I'm trying to create a jwt.SigningMethod with this in mind, but I'm not sure which values to use for the fields. This is what I have so far:
signingMethod := jwt.SigningMethodECDSA {
Name: "ECC_NIST_P521",
Hash: crypto.SHA512,
}
Specifically, I'm not sure if the name is correct and I don't know what to use for the KeySize and CurveBits fields. Any help would be appreciated.
You need to specify Hash, CurveBits and KeySize. The value of Name is ignored:
signingMethod := jwt.SigningMethodECDSA{
Name: "ECC_NIST_P521",
Hash: crypto.SHA512,
CurveBits: 521,
KeySize: 66,
}
521 bits - the size of curve field.
66 - number of bytes that fit a compact representation of a point on the curve.
Full example to sign and verify signature: https://go.dev/play/p/bEnLN2PJv4a

How to sign cert with an arbitrary or deprecated extension

For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped.
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().Unix()*1000),
Subject: pkix.Name{CommonName: "edgeproxy", Organization: []string{"edgeproxy"}},
NotBefore: now,
NotAfter: now.Add(caMaxAge),
ExtraExtensions: []pkix.Extension{
{
Id: asn1.ObjectIdentifier{}, //what goes here
Critical: false,
[]byte("sslCA"),
},
},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth,x509.ExtKeyUsageClientAuth,x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageMicrosoftCommercialCodeSigning, x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto} ,
KeyUsage: x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
IsCA: true,
BasicConstraintsValid: true,
}
In python I would do this but don't know how to port this into go (which is what I'm doing at the end of the day):
OpenSSL.crypto.X509Extension(
b"nsCertType",
False,
b"sslCA"
),
Go sources at https://golang.org/src/encoding/asn1/asn1.go define:
// An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.
type ObjectIdentifier []int
So the object identifier (OID for short) is an array of integers. The asn1 module has methods to parse them, like parseObjectIdentifier.
This is the structure you need to put after the Id: attribute.
But now you need to find out the OID you want.
While difficult to read, OpenSSL source code can show you OIDs of many things in the X.400/X.500/X.509 worlds, or at least those known by OpenSSL.
If you go to https://github.com/openssl/openssl/blob/1aec7716c1c5fccf605a46252a46ea468e684454/crypto/objects/obj_dat.h
and searching on nsCertType you get:
{"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},
so is defined previously, and if you jump at its 407th item you see:
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01, /* [ 407] OBJ_netscape_cert_type */
and doing a final search on OBJ_netscape_cert_type in same file gives:
71, /* OBJ_netscape_cert_type 2 16 840 1 113730 1 1 */
which means the corresponding OID is 2.16.840.1.113730.1.1
Or you can decode the above list of integers that describe this OID (see How does ASN.1 encode an object identifier? for details).
first 0x60 is 9610 so 2*40 + 16, which means the OID starts with 2.16.
then each other one is in "base128" form: if most significant bit is 1 combine the 7 least significant bits together of all following numbers until one has 0 as most significant bit
0x86 is 100001102 so has to go with 0x48 aka 010010002 so it is in fact 000011010010002 or 84010
0x01 is less than 128 so it is itself, 1
0x86 is still 100001102 but has to be paired with both 0xF8 (111110002) and 0x42 (010000102 and we stop here since first bit is 0) so 0000110111100010000102 altogether or 11373010
and the two last 0x01 are themselves, 1.
so we do get again 2.16.840.1.113730.1.1
You can double check it at some online OID browser like here:
http://oid-info.com/cgi-bin/display?oid=2.16.840.1.113730.1.1&action=display
that gives the following description for it:
Netscape certificate type (a Rec. ITU-T X.509 v3 certificate extension
used to identify whether the certificate subject is a Secure Sockets
Layer (SSL) client, an SSL server or a Certificate Authority (CA))
You can then even browse various arcs, like the netscape one, or others, to find out other OIDs.
You also get the full ASN.1 notation:
{joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) cert-ext(1) cert-type(1)}

momentjs keep getting the following error moment.js:Deprecation warning: value provided is not in a recognized RFC2822 or ISO

I am trying to integrate maddhatter laravel-fullcalendar into a laravel app, I have the calendar working on most browsers but it fails on Internet Exprorer, when I do an inspect I get the deprecation warning.
My array looks like this:
$('#calendar-wean15RN').fullCalendar({
"header":{
"left":"prev,next today",
"center":"title",
"right":"month,agendaWeek,agendaDay"
},
"eventLimit":true,
"defaultDate":"Apr 2017",
"eventColor":"#3c8dbc !important",
"eventBackgroundColor":"#3c8dbc !important",
"eventBorderColor":"#3c8dbc",
"eventTextColor":"#fff !important",
"events":[{
"id":"1557",
"title":"xxx \nHrs worked:6.00",
"allDay":"true",
"start":"2017-04-03T09:00:00+00:00",
"end":"2017-04-03T15:00:00+00:00",
"url":"\/timesheet\/1557\/edit"
}]
}
Not sure what I am doing wrong.
The full error looks like this
Deprecation warning: value provided is not in a recognized RFC2822 or ISO format. moment construction falls back to js Date(), which is not reliable across all browsers and versions. Non RFC2822/ISO date formats are discouraged and will be removed in an upcoming major release. Please refer to http://momentjs.com/guides/#/warnings/js-date/ for more info.
Arguments:
[0] _isAMomentObject: true, _isUTC: true, _useUTC: true, _l: undefined, _i: Apr 2017, _f: undefined, _strict: undefined, _locale: [object Object]
Error
at Function.createFromInputFallback (js/moment.js:314:94)
at configFromString (js/moment.js:2172:11)
at configFromInput (js/moment.js:2541:9)
at prepareConfig (js/moment.js:2524:9)
at createFromConfig (js/moment.js:2491:40)
at createLocalOrUTC (js/moment.js:2578:12)
at Function.createUTC [as utc] (js/moment.js:81:12)
at makeMoment (js/fullcalendar.js:1197:21)
at FC.moment.parseZone (js/fullcalendar.js:1154:9)
at constructor.moment (js/fullcalendar.js:11795:30)
warn # moment.js:287
Change "defaultDate":"Apr 2017" to "defaultDate":moment("Apr 2017", "MMM YYYY").
FullCalendar docs state the defaultDate 's type is Moment.
As the warning says: value provided ("Apr 2017") is not in a recognized RFC2822 or ISO format; so you have to use moment(String, String) parsing function.
As it says here:
https://fullcalendar.io/docs/current_date/defaultDate/
defaultDate should also be an ISO8601 date string.
$('#calendar-wean15RN').fullCalendar(
{"header":{"left":"prev,next today","center":"title","right":"month,agendaWeek,agendaDay"},"eventLimit":true,"defaultDate":"2017-04-03T09:00:00+00:00","eventColor":"#3c8dbc !important","eventBackgroundColor":"#3c8dbc !important","eventBorderColor":"#3c8dbc","eventTextColor":"#fff !important","events":[{"id":"1557","title":"xxx \nHrs worked:6.00","allDay":"true","start":"2017-04-03T09:00:00+00:00","end":"2017-04-03T15:00:00+00:00","url":"\/timesheet\/1557\/edit"}]
}

Parsing a certificate string in go

I'm using ssldump to extract the certificate in a communication. When i parse the result I obtain a string in go defined as:
var string certStr
certStr = "30 82 06 9f...."
How can I parse it to a X509 certificate?
UPDATED
I have tried to parse it directly:
certSlc := []byte(certStr)
cert,err := x509.ParseCertificates(certSlc)
But the result was:
Error:asn1: structure error: tags don't match (16 vs {class:0 tag:19 length:48 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false}
Should I do another kind of conversion? maybe is the string incomplete or has got wrong type of cert?
I found the error. The problem was in the source.
As I was explaining, my cert string was "30 82 06 09...". This source must be decoded with:
hex.DecodeString(certStr)
The problem is that hex decoding doesn't work with this format. The error I obtained was:
encoding/hex: invalid byte: U+0020 ' '
So, removing whitespaces and carriage returns in the original string is the solution to make it work.
After decoding in a byte slice the X509 certificate can be created with no problem.

Search command output for string minitest

I'm trying to create a minitest for chef (minitest::spec) and I'm a little lost at how to accomplish what I want in ruby.
What I want to do is have the code run the 'date' command and then check if the output contains 'UTC'.
I have this so far, but I don't know how to check the output for 'true':
it "uses the correct timezone" do
timezone_check = shell_out("date")
timezone_check.to_s.include?('UTC')
end
I tried to use .must_output, but I don't know how to incorporate it. Is this even the best way to accomplish what I want?
Any input is appreciated!
Thanks.
EDIT: I have now tried this:
it "uses the correct timezone" do
date_input = `date`
proc { puts date_input.to_s }.must_output /UTC/
end
but it results in this:
Failure:
test_0002_uses_the_correct_timezone(recipe::base::default) [/var/chef/minitest/base/default_test.rb:18]:
In stdout.
--- expected
+++ actual
## -1 +1,2 ##
-/UTC/
+"Fri Apr 19 17:50:27 UTC 2013
+"
Testing shell_out requires you to test against stdout
it "uses the correct timezone" do
timezone_check = shell_out("date")
timezone_check.stdout.must_match /UTC/
end
For more examples check out Cookbook Integration Testing
Wrap it in a proc and try using must_output. The test would probably look like:
it "uses the correct timezone" do
proc { timezone_check = shell_out("date") }.should_output /UTC/
end
Not entirely sure from the documentation that the should_output method will accept a pattern, but if you can write the test such that you know precisely the entire output expected, then you can simply test against the full expected string. E.g.
it "uses the correct timezone" do
proc { timezone_check = shell_out("date") }.should_output("Fri Apr 19 12:33:13 CDT 2013")
end

Resources