I have an article page with AMP (on an subdomain).
Now I have made a few changes in an article.
How can I reload this cached AMP (sub-)page?
Normal Version: https://www.example.com/this-is-a-article-999
AMP-Version: https://amp.example.com/this-is-a-article-999
i do following steps:
1. I have installed openssl on my server
2. Then I generated the two keys
openssl genrsa 2048 > private-key.pem
openssl rsa -in private-key.pem -pubout >public-key.pem
3. I copied the public key to the subdomain (= AMP page) and renamed it to "apikey.pub"
So the public key is accessible over the browser:
https://amp.example.com/apikey.pub
4. Then I have created the update-cache request as follow:
get a timestamp with "date +%s"
echo -n >url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689' cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin
5. I used the public key to verify the signature:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
I get the followind Error:
==> Verification Failure (!!!)
On step 3, the placement of the public key is wrong. The correct one would be: https://amp.example.com/.well-known/amphtml/apikey.pub
The issue with the verification seems to be on step 4, as there are 2 commands being invoked on single line and generating invalid output.
The solution is to break it in 2 parts:
echo -n >url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689'
cat url.txt | openssl dgst -sha256 -sign private-key.pem >signature.bin
or to add an & between the 2 commands:
echo -n > url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689' & cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin
The full sequence becomes something like this:
openssl genrsa 2048 > private-key.pem
openssl rsa -in private-key.pem -pubout > public-key.pem
echo -n > url.txt '/update-cache/c/s/amp.example.com/this-is-a-article-999?amp_action=flush&_ts=1526997689'
cat url.txt | openssl dgst -sha256 -sign private-key.pem > signature.bin
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
and the output is the following:
openssl dgst -sha256 -signature signature.bin -verify public-key.pem url.txt
Verified OK
Another couple of things is that after generating the signature, it must be appended to the URL on the amp_url_signature parameter, using a web-safe variant of Base64.
At last, make sure to check the parameters section of the documentation and generating the URLs according to the AMP Cache URL Format.
Related
I use this command to give me the output from openssl without the (stdin)= the beginning.
openssl x509 -noout -modulus -in certfile.crt | openssl sha1 -binary | xxd -p
with output
7857b35259019acc7484201958ac7e622c227b68
If I change openssl to create a sha256 digest, xxd prints it over two lines
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -binary | xxd -p
with output
b274c19ac31cc7893dc2297804a2ca666fe168d5cd5eb4d4b6c47616bad9
8996
How can I write that output on line one?
b274c19ac31cc7893dc2297804a2ca666fe168d5cd5eb4d4b6c47616bad98996
Is it something else I have to do with xxd now that the digest is longer or is there a need to pipe it through some other command to get the combined output?
As usual there are several ways.
The first general solution which came into my mind is this:
printf "%s" $( openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -binary | xxd -p )
Of course, if the output is less than 256, you could use xxd -f -c 256 as stated by tshiono.
Another solution for this special case with openssl would be this:
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -r
or
openssl x509 -noout -modulus -in certfile.crt | openssl sha256 -hex
but both are not exactly like the output you want. The hex string is in the output, but padded before or after which can be cut off, by piping to the command cut -d" " -f 1 or cut -d" " -f 2 for the removal of the prefix or postfix.
I want to sign a file with my private key via openssl on windows but it gives me this error
dgst: Can only sign or verify one file.
error in dgst
The command that I'm using is this
OpenSSL> dgst -sha256 -sign C:\Users\admin\Downloads\2\private.key -out ava.sha256 ava.txt
A friend of mine got it working under ubuntu with those commands
openssl dgst -sign private.key -sha256 message.txt > message.sign
Is there a way to run the following shell commands only on ruby?
I searched for weeks but I'm afraid it's not very well documented. I've tried a few methods from Ruby 'openssl' but I get different results.
%x[openssl pkcs8 -inform DER -in key.key -passin pass:passcode -out key.pem]
%x[openssl x509 -inform DER -in certificate.cer -noout -serial > serial.txt]
%x[openssl dgst -sha256 -out sign.bin -sign key.pem serial.txt]
%x[openssl enc -in sign.bin -a -A -out stamp.txt]
I am trying to convert a p12 to a pem from a shell script without any user input.
I can have the password as a variable within the script.
so when I call:
openssl pkcs12 -in *.p12 -out cert.pem -nodes
The terminal prints "Enter Import Password:" and waits for input.
I tried to pipe the password in with:
echo $PASS | openssl pkcs12 -in *.p12 -out cert.pem -nodes
as well as trying to use a flag with the openssl command but can't figure out how to do this.
This one liner worked for me-
openssl pkcs12 -in certificate.p12 -password pass:<your_password> -nodes | openssl x509 -noout -enddate
I would like some help with the openssl command. I need to automate the retrieval of the subject= line in a pkcs12 certificate for a script I'm working on.
I've used openssl to view the contents of the Identity/Certificate:
openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx
But I am prompted three times for the password. I used -passin to eliminate one of the password prompts, but I am still being prompted for the PEM pass phrase and verification entry.
I need to figure out a way to pass ${password} to the other two password challenges or have the scrip issue a ctl-c. The piece of info I need is outputted to the stdout before the second password prompt.
Any help would be appreciated!
Obviously I gutted the certificate output for this post.... but you should get the idea of what I'm seeing:
bash-3.2# openssl pkcs12 -info -in /Users/[user]/Desktop/ID.pfx -passin pass:${password}
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
localKeyID: ****
friendlyName: ****
subject=****
issuer=****
-----BEGIN CERTIFICATE-----
::HASH REMOVED::
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: ****
Bag Attributes
localKeyID: ****
friendlyName: ****
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info:
::HASH REMOVED::
-----END RSA PRIVATE KEY-----
bash-3.2#
Try this:
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject
Or this for the common name (ruby to strip trailing whitespace):
$ openssl pkcs12 -in ~/cert.p12 -nodes \
-passin pass:"my password" | openssl x509 -noout -subject \
| awk -F'[=/]' '{print $6}'`.strip`
Copying answer here in order to remove this question from the "Unanswered" filter:
openssl pkcs12 -nokeys -in /Users/[User]/Desktop/ID.pfx -passin pass:${password}
You could also use -passin and -passout which would not prompt you again for manual input. Here is a sample code:
openssl pkcs12 -in seldpush_dev.p12 -passin pass:$password -passout pass:$password | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | \
openssl x509 -subject -noout
Basically, use -keyword to fetch that value. In your case, -subject.
This is a few years late; I'm not familiar with openssl, & etc; but since I see no reference to "-nokeys" I'll give what works for me.
echo -e "$password\n$passphrase\n$passphrase\n" \
| openssl pkcs12 -in /Users/[user]/Desktop/ID.pfx -passin stdin -passout stdin
from manpage
stdin read the password from standard input.