EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problem with VerifyDetached and SelfSigned Certicate

Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.
#10878
Posted: 08/25/2009 08:55:59
by Vadym Kyrychenko (Basic support level)
Joined: 10/24/2008
Posts: 9

I need to produce selfsigned certificate for create DIGITAL SIGNATURE
I Produse a pair Certificate with public key and private key.
Code here
PrivKey := TElRSAKeyMaterial.Create();
PrivKey.PEMEncode := True;
PrivKey.Passphrase := 'xxxx';
PrivKey.HashAlgorithm := SmallInt($7100 + $01);
PrivKey.Generate(1024);
StreamPrivKey := TFileStream.Create('priv.key',fmCreate or fmShareDenyWrite);
if PrivKey.SecretKey then
PrivKey.SaveSecret(StreamPrivKey);
StreamPrivKey.Free;
Cert := ElX509Certificate.Create(nil);
StreamPrivKey := TFileStream.Create('priv.key',fmOpenRead or fmShareDenyWrite);

Cert.LoadKeyFromStreamPEM(StreamPrivKey, 'xxxx');
Cert.CAAvailable := False;

Cert.IssuerRDN.Count := 6;
for i:=0 to 5 do Cert.IssuerRDN.Tags[i] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.Tags[0] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[0] := SB_CERT_OID_COUNTRY;
Cert.IssuerRDN.Values[0] := 'UKRAINE';
Cert.IssuerRDN.Tags[1] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[1] := SB_CERT_OID_STATE_OR_PROVINCE;
Cert.IssuerRDN.Values[1] := 'Kiev';
Cert.IssuerRDN.Tags[2] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[2] := SB_CERT_OID_LOCALITY;
Cert.IssuerRDN.Values[2] := 'Kiev City';
Cert.IssuerRDN.Tags[3] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[3] := SB_CERT_OID_ORGANIZATION;
Cert.IssuerRDN.Values[3] := 'Nova Poshta';
Cert.IssuerRDN.Tags[4] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[4] := SB_CERT_OID_ORGANIZATION_UNIT;
Cert.IssuerRDN.Values[4] := 'IT Department';
Cert.IssuerRDN.Tags[0] := SB_ASN1_PRINTABLESTRING;
Cert.IssuerRDN.OIDs[5] := SB_CERT_OID_COMMON_NAME;
Cert.IssuerRDN.Values[5] := 'www.novaposhta.ua';

Cert.SubjectRDN.Count := 6;
for i:=0 to 5 do Cert.SubjectRDN.Tags[i] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.Tags[0] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[0] := SB_CERT_OID_COUNTRY;
Cert.SubjectRDN.Values[0] := 'UKRAINE';
Cert.SubjectRDN.Tags[1] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[1] := SB_CERT_OID_STATE_OR_PROVINCE;
Cert.SubjectRDN.Values[1] := 'Kiev';
Cert.SubjectRDN.Tags[2] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[2] := SB_CERT_OID_LOCALITY;
Cert.SubjectRDN.Values[2] := 'Kiev City';
Cert.SubjectRDN.Tags[3] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[3] := SB_CERT_OID_ORGANIZATION;
Cert.SubjectRDN.Values[3] := 'Nova Poshta';
Cert.SubjectRDN.Tags[4] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[4] := SB_CERT_OID_ORGANIZATION_UNIT;
Cert.SubjectRDN.Values[4] := 'IT Department';
Cert.SubjectRDN.Tags[0] := SB_ASN1_PRINTABLESTRING;
Cert.SubjectRDN.OIDs[5] := SB_CERT_OID_COMMON_NAME;
Cert.SubjectRDN.Values[5] := 'www.novaposhta.ua';

with Cert.Extensions.KeyUsage do
begin
DigitalSignature := True;
NonRepudiation := True;
KeyEncipherment := True;
DataEncipherment := True;
KeyAgreement := True;
KeyCertSign := True;
CRLSign := True;
EncipherOnly := True;
DecipherOnly := True;
end;

Cert.Generate(SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION, 1024 div 32);

StreamCert := TFileStream.Create('Cert_pem.crt',fmCreate or fmShareDenyWrite);
Cert.SaveToStreamPEM(StreamCert,'');
StreamCert.Free;

StreamCert := TFileStream.Create('priv1_pem.key',fmCreate or fmShareDenyWrite);
Cert.SaveKeyToStreamPEM(StreamCert,'xxxxxx');
StreamCert.Free;


And than try to use that pair with your sample program VerifyDetached
on code line VR := Crypto.VerifyDetached(StreamInput, StreamSignature);
I get error with text - Unsupported algorithm (32767)
I changed your code and add this line - Crypto.HashAlgorithm := $7100 + $01;
But result the same - why????

What's wrong???
#10881
Posted: 08/25/2009 12:35:08
by Eugene Mayevski (EldoS Corp.)

What are you trying to verify - is it the certificate? "Detached" term is usually applied for signatures made over data, when those signatures are stored separately from the data. Detached is not applicable for certificates. With self-signed certificate you just call Certificate.Validate() method, it will check validity of the self-signed certificate.


Sincerely yours
Eugene Mayevski
#10883
Posted: 08/25/2009 13:53:29
by Vadym Kyrychenko (Basic support level)
Joined: 10/24/2008
Posts: 9

In sample with SecureBlackbox VCL you distribute example how to SIGN text file and then virify SING and original text. I want to SING text with private key (this function exists in example) and verify with certicate x509 (with public key that a pair for private key that I using before - this function exists in example too). If I produce private key and certificate x509 with public key based on private key on openssl - no problem - all work fine - example SING and example Verify work fine). But if I try create that pair with SecureBlackbox VCL - SIGN on private key - example work fine, but Verify with certificate x509 return error "Unsupported algorithm (32767) ". Code for create private key and Certicate x509 - I shown above.
May be whats wrong in my certificate x509???
#10885
Posted: 08/26/2009 01:27:06
by Ken Ivanov (EldoS Corp.)

Which private key are you using to sign the data (priv.key or priv1_pem.key)? The TElX509Certificate.Generate() method generates brand new key pair, so you will be unable to validate signatures created with priv.key using the public key contained in the certificate.
#10887
Posted: 08/26/2009 02:05:15
by Vadym Kyrychenko (Basic support level)
Joined: 10/24/2008
Posts: 9

I try to use priv1_pem.key key and certificate x509 - but Verify with certificate x509 return error "Unsupported algorithm (32767) ".
#10888
Posted: 08/26/2009 02:54:08
by Ken Ivanov (EldoS Corp.)

Can you please post the certificate (along with a private key) here so that we could take a look at it (remember to ZIP the files prior to posting)?
#10889
Posted: 08/26/2009 04:08:59
by Vadym Kyrychenko (Basic support level)
Joined: 10/24/2008
Posts: 9

I sent you full source (without exe file). You could create your self certificate and key or use my.


[ Download ]
#10891
Posted: 08/26/2009 06:55:11
by Ken Ivanov (EldoS Corp.)

The signature is created and validated successfully for us using the certificate generated using your code. What exactly build of SecureBlackbox are you using? As you are using TElX509Certificate for certificate generation (not the TElX509CertificateEx one), I assume it's not the latest one?
#10907
Posted: 08/28/2009 01:06:19
by Vadym Kyrychenko (Basic support level)
Joined: 10/24/2008
Posts: 9

Thanks - on the latest vertion work fine.
Thank you very much.
Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.

Reply

Statistics

Topic viewed 2393 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!