Creating certificate to sign GDB on Mac OS X from bash - macos

I am trying to install gdb on Mac OS X by following link1 and link2. This process is done in four steps:
installing gdb using brew install gdb
creating a certificate
sign gdb using codesign -s [cert-name] [your-gdb-location]
How can I automate step 2 in a bash script?

This is my final code (based on here, here and here):
cat > myconfig.cnf << EOF
[ req ]
prompt = no
distinguished_name = my dn
[ my dn ]
# The bare minimum is probably a commonName
commonName = VENTOS
countryName = XX
localityName = Fun Land
organizationName = MyCo LLC LTD INC (d.b.a. OurCo)
organizationalUnitName = SSL Dept.
stateOrProvinceName = YY
emailAddress = ssl-admin#example.com
name = John Doe
surname = Doe
givenName = John
initials = JXD
dnQualifier = some
[ my server exts ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
echo "generating the private key ..."
openssl genrsa -des3 -passout pass:foobar -out server.key 2048
echo ""
echo "generating the CSR (certificate signing request) ..."
openssl req -new -passin pass:foobar -passout pass:foobar -key server.key -out server.csr -config myconfig.cnf -extensions 'my server exts'
echo ""
echo "generating the self-signed certificate ..."
openssl x509 -req -passin pass:foobar -days 6666 -in server.csr -signkey server.key -out server.crt -extfile myconfig.cnf -extensions 'my server exts'
echo ""
echo "convert crt + RSA private key into a PKCS12 (PFX) file ..."
openssl pkcs12 -export -passin pass:foobar -passout pass:foobar -in server.crt -inkey server.key -out server.pfx
echo ""
echo "importing the certificate ..."
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
Now you can see the certificate listed in System keychains:
To sign gdb
sudo codesign -s VENTOS "$(which gdb)"

Related

How do I change the permissions of a file created in a script without using sudo?

I've got the following docker-compose file that creates a Cassandra cluster with SSL enabled. I have to mount the keystore and truststore files with a volume.
version: "3.3"
services:
cassandra-one:
image: bitnami/cassandra:3.11
ports:
- "9042:9042"
environment:
MAX_HEAP_SIZE: "400M"
MIN_HEAP_SIZE: "400M"
HEAP_NEWSIZE: "48M"
CASSANDRA_ENABLE_SCRIPTED_USER_DEFINED_FUNCTIONS: "true"
CASSANDRA_ENABLE_USER_DEFINED_FUNCTIONS: "true"
CASSANDRA_KEYSTORE_PASSWORD: "password"
CASSANDRA_TRUSTSTORE_PASSWORD: "password"
CASSANDRA_CLIENT_ENCRYPTION: "true"
volumes:
- ./keystore.p12:/bitnami/cassandra/secrets/keystore
- ./truststore.p12:/bitnami/cassandra/secrets/truststore
I use the following script to generate the key files needed.
#!/bin/bash
# Generate localhost_CA and localhost certs/keys
openssl genrsa -out localhost_CA.key 4096
openssl req -x509 -new -config localhost_CA.cfg -key localhost_CA.key -days 9999 -out localhost_CA.crt
openssl genrsa -out localhost.key 4096
openssl req -new -config localhost.cfg -key localhost.key -days 9999 -out localhost.csr
openssl x509 -req -in localhost.csr -CA localhost_CA.crt -CAkey localhost_CA.key -CAcreateserial -days 9999 -out localhost.crt
# generate keystore
openssl pkcs12 -export -out keystore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
keytool -importkeystore -destkeystore keystore.jks -srcstoretype PKCS12 -srckeystore keystore.p12 -deststorepass "password" -srcstorepass "password"
# generate truststore
openssl pkcs12 -export -out truststore.p12 -inkey localhost.key -in localhost.crt -passout pass:password
keytool -importkeystore -destkeystore truststore.jks -srcstoretype PKCS12 -srckeystore truststore.p12 -deststorepass "password" -srcstorepass "password"
When I run docker-compose up I get the following error:
stackoverflow-example-cassandra-one-1 | Importing keystore /bitnami/cassandra/secrets/keystore to /opt/bitnami/cassandra/tmp/keystore.p12...
stackoverflow-example-cassandra-one-1 | keytool error: java.io.FileNotFoundException: /bitnami/cassandra/secrets/keystore (Permission denied)
So I have to run the following commands to fix the error and the services to start properly. This gives the files read permissions to the docker user (1001).
sudo chown -R 1001 keystore.p12
sudo chown -R 1001 truststore.p12
How can I do this step in the script without using sudo?
Below I'll put the *.cfg files so the script for generating the keys can be used.
localhost.cfg
[req]
encrypt_key = no
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
CN = localhost
localhost_CA.cfg
[dn]
C = US
ST = CA
L = Los Angeles
O = stackoverflow.com
CN = stackoverflow.com Test CA
[ca]
default_ca = stackoverflow_CA
[Shotover_CA]
private_key = Stackoverflow_CA.key
certificate = Stackoverflow_CA.crt
new_certs_dir = certs/new/
database = certs/database
RANDFILE = certs/.rand
default_md = sha256
policy = policy_anything
email_in_dn = false
serial = certs/serial
default_days = 365
x509_extensions = v3_ca
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
basicConstraints = critical, CA:true
keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
extendedKeyUsage = serverAuth
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

Creating Root and Server certificates via openssl to enable https on web server shows Not Secure on Chrome Browser – so HTTPS is not working

We have a web service application in which we perform the following procedure to generate certificates:
1.Create a file named openssl.ini in the folder with the following content:
# OpenSSL configuration file.
#----Begin----
# Establish working directory.
dir = .
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = md5 # message digest algorithm
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
# Variable name Prompt string
#---------------------- ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = XYZ Corp
countryName_default = US
stateOrProvinceName_default = CA
localityName_default = San Francisco
emailAddress_default = support#xyz.com
organizationalUnitName_default = Business Division
commonName_default = ServerSystem1
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
#----End----
2.Run the following Openssl commands to generate the RootCA and Server certificate
md ServerCert
cd ServerCert
md newcerts private
copy ..\openssl.ini ServerCert
echo 01 > serial
copy /y nul index.txt
openssl genrsa -out private/cakey.pem 1024
openssl req -new -x509 -extensions v3_ca -key private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.ini
openssl x509 -in cacert.pem -out ServerCA.crt
openssl req -new -nodes -out req.pem -extensions v3_req -config ./openssl.ini
openssl ca -out cert.pem -extensions v3_req -config ./openssl.ini -infiles req.pem
move cert.pem tmp.pem
openssl x509 -in tmp.pem -out cert.pem
openssl rsa -in key.pem -inform PEM -out ServerKey.der -outform DER
openssl x509 -in cert.pem -inform PEM -out ServerCert.der -outform DER
At the end of the process, the 3 files that are used later are:
ServerCA.crt -> Used on Windows to trust the webserver application
ServerKey.der -> Key used by the webserver
ServerCert.der -> Certificate used by the webserver application
The web server application requires the DER files to send the certificates. But in the browser, upon running the web-service application, the browser shows “Not Secure” warning.
Upon clicking on the “Not Secure” warning, the following message is displayed.
However upon clicking on the Certificate and navigating to the tab “certification path”, the message says “This certificate is OK”.
This message is the same for Root Certificate and Server Certificate.
How to change the procedure to generate the certificates or modify the .ini file, so that the web-server application is trusted by the Browser?
Question Update:
To install the certificate in the Windows Trust store, i followed the following steps:
Typed "mmc" from command prompt(administrator)
Clicked on "File" -> "Add/Remove snap-in..."
Clicked on "Certificate" -> "Add" -> "Computer Account" -> "Next" -> "Finish"
Clicked on "Certificates" -> "Trusted Root Certification Authorities" -> "Certificates"
Right clicked on "Certificates"
Clicked on "All tasks" -> "import" -> "Next" -> "Browse" -> Selected the CRT file

Openssl CSR Creation with -subj is failing

I'm having a Scirpt and I'm trying to create a self signed Cert:
openssl ecparam -genkey -name secp384r1 -out /etc/nginx/ssl/${MYDOMAIN}.key.pem >/dev/null 2>&1
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
openssl req -x509 -days 365 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -in /etc/nginx/ssl/csr.pem -out /etc/nginx/ssl/${MYDOMAIN}.pem >/dev/null 2>&1
The creation of the CSR should be silent due to the -subj paramter, but it's not working at all with this line:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem -subj "/C=/ST=/L=/O=/OU=/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm receiving an error like this:
[INFO] Creating self-signed SSL certificates...
No value provided for Subject Attribute C, skipped
No value provided for Subject Attribute ST, skipped
No value provided for Subject Attribute L, skipped
No value provided for Subject Attribute O, skipped
No value provided for Subject Attribute OU, skipped
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
It was working in that way, before I updated Openssl to 1.1.0...
With:
openssl req -new -sha256 -key /etc/nginx/ssl/${MYDOMAIN}.key.pem -out /etc/nginx/ssl/csr.pem subj "/C=DE/ST=Berlin/L=Berlin/O=Privat/OU=Privat/CN=*.${MYDOMAIN}" >/dev/null 2>&1
I'm getting this error:
[INFO] Creating self-signed SSL certificates...
unknown option subj
req [options] outfile
where options are
[...]

Padding errors using OpenSSL for encrypt/decrypt with Keys extracted from Digital Cert

I am using some command line Open SSL commands to encrypt and decrypt data using Public and Private keys extracted from a Digital Cert. When I try to decrypt I get PKCS padding errors. Can someone tell me where I'm going wrong?
These are the command I've been using:
a) Extract Public key: openssl x509 -pubkey -noout -in xxxxx.cer > xxxxxpublickey.pem
b) Extract Private Key:openssl pkcs12 -in xxxxxx.pfx -nocerts -out xxxxxprivatekey.pem -nodes
c) Encypt a key (.bin file): openssl enc -aes-256-cbc -in kenkey.bin -out kenkey_Key -pass file:xxxxxpublickey.pem
d) Decrypt key produced in c) openssl rsautl -decrypt -hexdump -in kenkey_key -inkey xxxxxprivatekey.key -out aeskey.txt
This produces errors like this:
RSA operation error 3248:error:0407109F:rsa
routines:RSA_padding_check_PKCS1_type_2:pkcs decoding
error:.\crypto\rsa\rsa_pk1.c:273: 3248:error:04065072:rsa
routines:RSA_EAY_PRIVATE_DECRYPT:padding check
failed:.\crypto\rsa\rsa_eay.c:602:

openssl smime in ruby/rails

So, i have this application that creates a zip file with images and stuff
and i want to sign it using smime.
if i use the terminal command:
openssl smime -binary -sign -passin "pass:MYPASS" -signer ./MyCertificate.pem -inkey ./MyKey.pem -in ./manifest.in -out ./signature.out -outform DER
Formated:
openssl smime -binary -sign -passin "pass:MYPASS" \
-signer ./MyCertificate.pem -inkey ./MyKey.pem \
-in ./manifest.in -out ./signature.out -outform DER
the manifest.in is the file witch contains the text to be signed and signature.out is the output file.
i don't know a lot about signing but i believe this code is signing my file using PKCS7
how can i recreate the same result with ruby/rails?
i have tried to look in the documentation of OpenSSL but i couldn't find anything usefull for me
EDIT
if this helps someone,
this is what the documentation says
i need to build a:
A detached PKCS#7 signature of the manifest
Found a way.
like this:
require 'secure_digest'
def sign_manifest(manifest = {})
manifest_str = manifest.to_json
key4_pem = File.read Rails.root.join("lib", "keys", "key.pem")
pass_phrase = "supera"
key = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
cert = OpenSSL::X509::Certificate.new File.read Rails.root.join("lib", "keys", "certificate.pem")
sign = OpenSSL::PKCS7.sign(cert, key, manifest_str, nil, OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::NOATTR | OpenSSL::PKCS7::DETACHED).to_der
sign
end
Just to clarify my code, manifest param is a hash witch i want to sign it using this code. if i want another item, like a image, string or file i just need do read it as string

Resources