smime = OpenSSL::PKCS7.read_smime(File.read('encrypted_smime.p7m'))
p_key = OpenSSL::PKey::RSA.new(File.read('pr_key.pem'))
cert = OpenSSL::X509::Certificate.new(File.read('cert.pem'))
smime.decrypt(p_key, cert)
In the decrypt line above, I am getting the error OpenSSL::PKCS7::PKCS7Error: decrypt error.
I am not sure why this error is causing, as I am able to decrypt the smime using openssl command line tool properly. Also I have verified that the cert I am using is signed using the same private key that I am using in p_key.
Following is the command which is getting me the expected output -
openssl smime -decrypt -in encrypted_smime.p7m -inkey pr_key.pem -out decrypt_smime.pem
What is the problem, and how do I fix it?
Related
I have a private/public key that was generated by Putty in the following format:
SSH2 PUBLIC KEY rsa-key
However, I am trying to get it to work with Docebo API using the JWT Grant Type, which requires a different format (according to this post).
How would I convert my key(s) to work with that format? Is there a way within Putty?
I figured out the steps to take to get the proper format of key using OpenSSL:
openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer
openssl x509 -in publickey.cer -out publickey.pem
We run this command via Gem.
openssl pkcs8 -inform DER -in file_init.key -passin pass:secret -out file_key.pem
All works fine on shell, we wanna convert this line to openssl with ruby, we tried:
key_file = OpenSSL::PKey::RSA.new File.read('file_init'), 'secret'
puts key_file.to_pem_pkcs8
But we get:
`initialize': Neither PUB key nor PRIV key: nested asn1 error (OpenSSL::PKey::RSAError)
Any advice?
Ruby's openssl implementation doesn't handle pkcs8 encrypted der key-file.
There is a workaround (converting the der to PEM by base64 encoding the der + adding correct headers) here:
Load PKCS#8 binary key into Ruby
I am looking for ruby code to mimic below openssl smime encryption. I looked up other related topics but mostly were around signing. In snippet below cert.pem is a PEM-encoded X.509 certificate containing the PEM public key. token.txt file is the file to be encrypted.
openssl smime -encrypt -out encrypted.p7m -in token.txt cert.pem
Figured it.
token_plain_text = File.read("/path/to/token.txt")
cert = X509::Certificate.new("/path/to/cert.pem")
encrypted_object = OpenSSL::PKCS7.encrypt([cert], token_plain_text)
Got the encrypted string by outputting above object to string.
encrypted_str = encrypted_object.to_str
I have this files:
AddTrustExternalCARoot.crt
STAR_mydomain_com.crt
TrustedSecureCertificateAuthority5.crt
USERTrustRSAAddTrustCA.crt
domain.key
domain.key is passphrase protected and it was generated during creation of CSR files (files that were required to get .crt files from certificate provider. I tried:
heroku certs:update certs/STAR_mydomain_com.crt certs/domain.key
But I get following error:
! No valid, non-passphrase-protected keys given.
How I can generate valid crt/key for heroku? (I tried all other crt files with domain key but they are not valid domain certificates.
domain.key was generated with following command:
openssl genrsa -des3 -out domain.key 2048
Here's how to remove a passphrase from a private key:
openssl rsa -in certs/domain.key -out certs/domain-nopassphrase.key
You'll need to enter the current passphrase on the private key. If prompted for a passphrase on the new key, do not enter one (just press enter).
You can then update your SSL endpoint using your cert + this new key:
heroku certs:update certs/*.crt certs/domain-nopassphrase.key
I am using notnoop APNS 0.2.3, was struggling with the certs, and now I am struggling with SSL.
There is no documentation on how to prepare a p12 file for the library, so I found this article to guide me.
service = APNS.newService()
.withCert(mycertPath, myP12password)
.withSandboxDestination()
.build();
service.start();
service.testConnection();
service.push(listOfTokens,payload);
The start method fails with the following dump
09:46:16,657 INFO ~ Failed to send message Message(Token=00; Payload=)... trying again after delay
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
at java.io.OutputStream.write(OutputStream.java:58)
at com.notnoop.apns.internal.ApnsConnectionImpl.sendMessage(ApnsConnectionImpl.java:240)
at com.notnoop.apns.internal.ApnsConnectionImpl.sendMessage(ApnsConnectionImpl.java:230)
at com.notnoop.apns.internal.ApnsConnectionImpl.testConnection(ApnsConnectionImpl.java:294)
at com.notnoop.apns.internal.ApnsServiceImpl.testConnection(ApnsServiceImpl.java:57)
Did I screw up the p12 file? Is there something else I am missing here?
[UPDATE 1]
I am trying the following script to create and test the p12 file command line, and am also getting a connection error, so there is something I likely messed up in the certificates.
[UPDATE 2]
I altered the script to create p12 files... incase others can benefit from this.
#!/bin/sh
bold=`tput bold`
normal=`tput sgr0`
# CONVERT CERT TO PEM
echo "${bold}CONVERTING${normal} APNS..."
openssl x509 -in aps_development.cer -inform der -out aps_development.pem
openssl x509 -in aps_production.cer -inform der -out aps_production.pem
# CONVERT PRIVATE KEY P12 INTO PEM
echo "${bold}CONVERTING ${normal} private key..."
openssl pkcs12 -nocerts -out my_private.pem -in my_private.p12
# COMBINE CERTS INTO SINGLE P12
echo "${bold}COMBINING ${normal} development..."
#cat aps_development.pem my_private.pem > my_development.pem
openssl pkcs12 -export -in aps_development.pem -inkey my_private.pem -out my_development.p12
# COMBINE CERTS INTO SINGLE P12
echo "${bold}COMBINING ${normal} production..."
#cat aps_production.pem my_private.pem > my_production.pem
openssl pkcs12 -export -in aps_production.pem -inkey my_private.pem -out my_production.p12
echo "${bold}TESTING${normal}..."
# TEST IT
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert aps_development.pem -key my_private.pem
issue was a certificate problem and a misunderstanding that "AdHoc" only works with production push servers.