EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Subject Key Identifier is SHA1 hash over whole key or just key bits?

Also by EldoS: CallbackDisk
Create virtual disks backed by memory or custom location, expose disk images as disks and more.
#16110
Posted: 03/23/2011 10:52:00
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hello,

I am getting error 75789 ERROR_SSL_ILLEGAL_PARAMETER when I create a self-signed certificate and try to access my web application. I have a very similar self-signed certificate created with OpenSSL and when I use it instead my web application does not produce this error but shows the web pages correctly in my browser so I think the error is somewhere in the certificate. I have tried many things to try to get the self-signed certificate produced by TElX509CertificateEx.Generate to be identical to the self-signed OpenSSL certificate and have removed most possibile errors without solving the problem.

The thing I am now wondering about is whether the Subject Key Identifier and Authority Key Identifier hashes are correct. I believe these are SHA1 hashes of the public key. They are both 20 bytes long and have the same value. They seem to be produced in the FinishGeneration routine by a call to SavePublic? What I am not sure about is whether the hash is over the whole key including length, etc or just the key bits. I ask because this page

http://certificateerror.blogspot.com/2011/02/how-to-validate-subject-key-identifier.html

suggests it should only be over the key bits. I am thinking that if these hashes are wrong then I might get an error trying to browse my web application.

Maybe I am just getting in a muddle after trying so many things to solve the error.
#16112
Posted: 03/23/2011 11:16:47
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

SecureBlackbox calculates these hashed over the public key bits as it is written in http://tools.ietf.org/html/rfc5280#section-4.2.1.2, so it must be another reason for error.
#16117
Posted: 03/24/2011 03:37:27
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Thank you Vsevolod. I will continue my investigation and post details when I find the cause.
#16118
Posted: 03/24/2011 06:37:20
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

I do not understand all these commands, maybe I am going wrong somewhere, but I have tried to follow the commands on the page I linked above and I get a matching SHA1 where it says I should not.

I seem to get the Subject Key Identifier

51:A1:E7:BD:CE:5F:C8:3E:EE:8D:1B:A7:76:B0:EF:6C:8D:52:0A:24

in my self-signed certificate generated by my Delphi program (I tried to attach the file Certificate51.pem, but got the message "Incorrect file type or maximum size of the file exceeded (.pem)!". It is converted to text below.) and when I use OpenSSL to convert this PEM file to a DER file then do an SHA1 of the whole(?) public key I get

51:a1:e7:bd:ce:5f:c8:3e:ee:8d:1b:a7:76:b0:ef:6c:8d:52:0a:24

which is obviously the same. I have tried to do the same things with OpenSSL and the two SHA1 hashes are different:

CD:62:4E:44:C9:18:FD:13:2A:D6:79:4E:06:A2:B3:44:49:B5:20:05
0f:88:a1:9a:4a:1b:b8:e4:42:1a:50:9a:7f:d4:11:7b:a4:63:68:3c

I am hoping somebody can point to my mistake for me. (My copy of the Secure Black Box code is no longer the clean original - I have been changing it, but I have not meant to change the part that produces this SHA1.) Thank you.


--------------------------------------------------------------------------------
Here are the OpenSSL commands I used in a Windows command prompt:
Code
C:\OpenSSL\Test>openssl req -new -x509 -key PrivateKey51.pem -out CertOpenSSL51.pem -days 710
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:51
Locality Name (eg, city) []:51
Organization Name (eg, company) [Internet Widgits Pty Ltd]:51
Organizational Unit Name (eg, section) []:51
Common Name (eg, YOUR name) []:51
Email Address []:.

C:\OpenSSL\Test>openssl x509 -in CertOpenSSL51.pem -text -noout>CertOpenSSL51.txt
C:\OpenSSL\Test>openssl x509 -in Certificate51.pem -text -noout>Certificate51.txt

C:\OpenSSL\Test>openssl x509 -outform der -in Certificate51.pem -out Certificate51.der
C:\OpenSSL\Test>openssl x509 -outform der -in CertOpenSSL51.pem -out CertOpenSSL51.der

C:\OpenSSL\Test>openssl x509 -in Certificate51.der -inform DER -pubkey -noout|openssl rsa -pubin -outform DER|openssl dgst -c -sha1
writing RSA key
51:a1:e7:bd:ce:5f:c8:3e:ee:8d:1b:a7:76:b0:ef:6c:8d:52:0a:24

C:\OpenSSL\Test>openssl x509 -in CertOpenSSL51.der -inform DER -pubkey -noout|openssl rsa -pubin -outform DER|openssl dgst -c -sha1
writing RSA key
0f:88:a1:9a:4a:1b:b8:e4:42:1a:50:9a:7f:d4:11:7b:a4:63:68:3c


--------------------------------------------------------------------------------
This is file Certificate51.txt produced from my Delphi program certificate

Code
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:32:33:34:35:36:37:38
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=51, L=51, O=51, OU=51, CN=127.0.0.1
        Validity
            Not Before: Mar 24 00:00:00 2011 GMT
            Not After : Mar  3 00:00:00 2013 GMT
        Subject: C=US, ST=51, L=51, O=51, OU=51, CN=127.0.0.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a6:c7:1f:ee:92:14:cc:ff:2c:b4:9a:1d:51:8b:
                    ec:9f:49:95:9d:f7:dc:1e:3f:8e:1c:be:e8:ad:72:
                    81:a1:5d:e5:ee:e7:c9:8f:f6:1c:7b:a6:d1:61:88:
                    1d:81:8c:e0:3f:a0:34:56:13:b7:df:78:b6:83:b1:
                    a4:41:2b:f1:fc:87:b7:50:63:3d:c7:39:2e:bc:ee:
                    37:2a:69:55:c6:5e:29:ae:68:05:78:49:f0:23:cc:
                    cb:8c:80:11:ba:bc:20:08:97:e3:62:10:03:93:e1:
                    51:2f:a6:9d:0c:b4:96:c1:c3:46:e8:7e:5c:9c:f8:
                    9e:ca:b9:40:6f:7c:eb:c0:7a:03:60:73:2c:2f:08:
                    ea:ad:30:64:01:ee:da:bb:33:27:9a:83:a1:07:c9:
                    47:dd:60:72:12:bf:e3:a1:ab:64:d6:0e:b5:e4:59:
                    03:66:48:03:ec:a6:77:3e:95:26:ba:23:57:99:4b:
                    96:5e:5b:5a:4c:31:7f:43:6a:48:13:15:b4:fc:cb:
                    d0:cd:98:88:d2:6b:d9:f7:0b:a8:9e:3a:fe:86:c1:
                    d0:c4:da:68:0f:2d:a2:44:32:d1:8c:ba:39:0a:65:
                    fe:d9:ae:49:eb:d2:4a:6f:bc:5f:33:9a:23:f1:47:
                    48:84:28:52:e2:ce:7a:45:12:74:2f:86:2f:7c:7b:
                    e3:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                51:A1:E7:BD:CE:5F:C8:3E:EE:8D:1B:A7:76:B0:EF:6C:8D:52:0A:24
            X509v3 Authority Key Identifier:
                keyid:51:A1:E7:BD:CE:5F:C8:3E:EE:8D:1B:A7:76:B0:EF:6C:8D:52:0A:24

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        a4:c3:45:3e:8c:6d:84:4a:cd:30:dd:05:6e:a2:57:72:43:42:
        17:97:d3:ee:c7:2d:24:f8:b1:36:81:d9:9b:d2:e0:bd:1d:49:
        93:9d:fe:cb:19:7f:c0:c9:ae:2c:d7:08:8e:e0:57:48:b3:2d:
        f2:1c:8f:f4:6f:dd:02:73:14:8f:f2:dd:fd:d0:6f:06:03:a4:
        23:c8:72:05:de:fe:3f:71:32:ef:86:18:cd:c8:4f:13:a1:6a:
        e9:d8:5b:8c:e5:f0:21:93:d5:2f:5c:bc:3a:20:72:a0:49:b1:
        5f:6e:0a:11:a9:e5:1b:59:2e:3a:ff:4e:fe:d6:e1:02:f1:6b:
        10:f3:06:8d:04:24:39:21:3c:72:13:e6:8d:2a:3f:d6:28:f1:
        f1:61:8c:ef:aa:05:4f:af:e4:77:0d:8c:75:a9:c0:54:81:1f:
        a7:e6:9d:90:4a:b0:ef:82:1c:0f:cf:55:89:ee:b7:72:a9:d4:
        cb:7d:0d:5a:a3:12:78:ae:7a:d6:23:a9:fb:0d:82:da:87:65:
        16:1b:2a:62:8c:18:8b:a6:6c:e0:50:44:ff:7e:ed:72:c4:4b:
        5e:6d:ef:7f:e8:30:48:bd:4b:9b:51:de:32:10:b3:12:68:6d:
        80:b4:ea:65:3e:85:1f:6f:09:f4:33:11:89:ee:29:c6:ed:c5:
        4e:9d:8e:7c

--------------------------------------------------------------------------------
This is file CertOpenSSL51.txt produced from my OpenSSL certificate

Code
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d0:ff:75:41:9a:4e:52:e4
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=51, L=51, O=51, OU=51, CN=51
        Validity
            Not Before: Mar 24 10:11:49 2011 GMT
            Not After : Mar  3 10:11:49 2013 GMT
        Subject: C=US, ST=51, L=51, O=51, OU=51, CN=51
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:c6:b4:d0:2e:41:a6:12:6c:6c:2f:fc:b1:b1:b4:
                    e9:e3:fc:05:c2:8f:78:32:e1:fe:ed:f8:95:58:b3:
                    d5:04:88:99:8e:34:ce:a5:3c:87:0c:6d:e9:c3:a8:
                    c2:1a:1e:e7:cb:d7:00:e3:8d:de:6c:8c:35:03:9c:
                    cf:bc:dd:b9:e6:80:b7:e9:0f:22:64:86:01:7c:bb:
                    4d:a5:f8:ff:1e:81:93:84:4d:6f:7a:23:63:c2:9a:
                    8f:c1:ad:da:bc:e7:2d:ea:00:64:9d:53:dd:7f:a0:
                    43:91:2c:8b:be:56:e0:fc:fd:dd:ea:56:77:1a:80:
                    d4:55:14:4e:20:e6:08:fd:ed:7b:c9:cd:5b:b4:e1:
                    84:74:42:63:68:75:66:26:53:9d:b8:26:f6:36:cd:
                    91:91:4f:f3:8c:11:95:29:20:85:34:e3:f8:75:a2:
                    e2:62:26:48:66:da:f8:39:a7:e2:2a:cc:34:02:d6:
                    a1:d2:77:8f:13:2f:6d:f5:12:6e:21:52:9e:98:b6:
                    62:7d:30:5a:f0:66:0d:ba:a7:df:0c:9a:f1:7f:82:
                    29:48:0e:9c:eb:05:03:14:42:13:96:96:df:15:b1:
                    b5:27:f5:b7:75:96:99:f6:ec:a2:fd:43:93:72:e2:
                    f1:a5:f9:ed:60:bf:37:5a:d6:0d:fb:9d:30:42:d8:
                    de:4b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CD:62:4E:44:C9:18:FD:13:2A:D6:79:4E:06:A2:B3:44:49:B5:20:05
            X509v3 Authority Key Identifier:
                keyid:CD:62:4E:44:C9:18:FD:13:2A:D6:79:4E:06:A2:B3:44:49:B5:20:05

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        4a:d9:61:05:9b:1d:ca:67:0a:b9:68:7b:39:a8:19:27:14:25:
        5c:ae:d8:e0:93:02:39:80:ba:08:0f:7e:e2:19:8f:c0:56:cb:
        31:1a:3e:e4:56:01:5c:c8:d2:ae:9f:f0:fa:84:78:05:e4:cf:
        2c:60:6b:84:fe:0f:0c:fe:f2:e0:c1:e6:75:10:e9:bf:ef:db:
        d7:fa:be:aa:c5:dc:21:6f:53:f0:3c:fb:74:57:88:7e:0c:e7:
        44:85:2d:43:72:9a:a3:62:c9:72:d3:78:c1:98:d7:aa:36:a3:
        c0:2f:40:3f:62:97:8b:29:63:b9:aa:32:bb:1d:44:a3:c1:c3:
        e8:1b:46:cb:63:ed:9b:28:d5:62:4d:0b:fb:77:1e:c1:70:3b:
        d3:dc:26:d6:17:5b:b9:aa:d0:30:2c:00:83:67:d4:f1:2b:8f:
        3a:e3:7c:45:12:3c:59:74:28:44:35:4c:71:26:f5:a6:b6:ad:
        c4:3d:be:e7:9b:53:f4:1e:63:6d:e9:69:3e:1e:b7:4d:67:c4:
        cd:19:9e:03:a4:f1:a8:45:2a:e0:40:cb:e4:a5:e5:15:6a:d6:
        28:5d:5b:50:5d:08:ab:28:79:6e:81:a3:86:45:86:ed:50:60:
        97:6a:b7:51:ff:26:3e:f8:3e:75:82:91:6d:11:04:9d:3f:74:
        cf:b8:a0:18
#16119
Posted: 03/24/2011 08:23:38
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hello,

Another thing I have just discovered is that I can produce the same 75789 error message and browser error message by deliberately giving my program the wrong key-pair with a certificate that does work if it is with the right key-pair.

When my application starts it reads a private-public key-pair from file PrivateKey.pem and a certificate from Certificate.pem. These are meant to be for the same public key and work together. When I give the application the OpenSSL self-signed certificate file and the matching key-pair file the application works correctly, but when I take away the correct key-pair and give it another unrelated key-pair in file PrivateKey.pem then I get the same error 75789 and same browser error as I am experiencing with my Delphi generated certificate.

Maybe this helps identify the problem?
#16120
Posted: 03/24/2011 08:44:02
by Vsevolod Ievgiienko (EldoS Corp.)

Try to generate self-signed certificate using sample application located in \EldoS\SecureBlackbox\Samples\Delphi\PKIBlackbox\Certificates
#16121
Posted: 03/24/2011 10:32:58
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hi Vsevolod,

That is a good idea. I will do some comparisons against the sample application. Unfortunately it does not seem to put in extensions for the Subject Key Identifier and Authority Key Identifier. But maybe these are not needed, or I can add them to the sample. I will experiment some more.
#16128
Posted: 03/25/2011 09:50:18
by Richard Kelsall (Standard support level)
Joined: 06/25/2010
Posts: 16

Hello,

I think my original problem with error 75789 is probably that I am calling Generate incorrectly - I think I am not connecting my key-pair produced earlier in my program with the new self-signed certificate I am generating. So when my web server starts it is trying to use a private key that does not match the public certificate. I am trying to fix this, but I have got stuck on loading the key-pair correctly.

I am trying to do something like this

Code
C := TElX509CertificateEx.Create(nil);
i := C.LoadKeyFromFileAuto('PrivateKey.pem', '');


and after this i = 0 but C.PrivateKeyExists = False and so my call to Generate afterwards gives me an error about the key not existing. An example PrivateKey.pem file is shown below. I do not understand why the function says it has worked OK if it has not loaded my key. I guess I do not understand something?

When I look in the documentation to try to understand what I am meant to do it confuses me. The list of Algorithms I can use for a self-signed certificate is listed here

http://www.eldos.com/documentation/sbb/documentation/ref_howto_pki_cert_generate.html

but this list does not agree with the list here

https://www.eldos.com/documentation/sbb/documentation/ref_cl_certificateex_mtd_generate.html

Am I allowed to use SHA256 or only SHA1?

When I look here

http://www.eldos.com/documentation/sbb/documentation/ref_cl_certificateex.html

I do not see the LoadKeyFileFromFileAuto function. Am I allowed to use it?

When I compare these pages

http://www.eldos.com/documentation/sbb/documentation/ref_cl_certificateex.html
http://www.eldos.com/documentation/sbb/documentation/ref_cl_certificate.html

they have different lists of methods for example one has LoadKeyFromFile and the other does not. Which key loading function am I meant/allowed to use?

Sorry I am asking so many questions.


Code
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArNzr4XC20aDxcgCyAQnI4V/KGjw8HokGymh2+b8XpcufQrfB
S5CrsF6Tfy7Z6N/GDnUq/zXUMbyzGzFhLflas25RWXxSkADTvMeJGxr3pmHBcAcQ
0vej+2onN6VDX7lRLSjsVMdIAx7g+4oTMMeMpUzKegqgEbFAN+zPa00tsd4YcvLm
CU8FNpth2W+N0gXkSFdaNA+URaqX71el5uUmjEX74K1aLOukdZV7zG282aGDfGKn
z1LlrUvjA3wDeAwFOxMYkm+lyHf23IM+KTMhnpmFYgqvCQOY2qVsFtY6Jj8GxEgA
XRZWF0i92mxvkaIbYYw7/fpH61CsNVbLxikMsQIEAAEAAQKCAQAoLTCltQzIrB9x
37d/hkaqGxld/6H5dt+dK6p7YW6dmjXpy8uhRH6i/1hItxruhRQDSDg2GMy4wqLe
LxvnE42BJqLBqaOG1Kphtf6nzhzBDvdmkj3WyrfSN1nmFQMTvH6hgGFtUuPp1cN0
syLCs558zNxCgTWy5v+GAAQ1bDqynAo3S3KiON99PmLBmLALyW475xpVpBTojgH2
VHWZ1sfn+AX8vHTf7uQ+5QVxZJ6lSB7RzPEaR0fgHwol5dF8KX7vZi55vZ5EZnS0
i4Td4s/DcOURXs+0f+Vu0YUq0r0sipSax2O6nZj1WE0GYfM/JWWCkBJMQUHf2FX5
oZMXWeABAoGBANqD1zLtZGsr5VM7fzfWXDB5/+wOwapHvTQdpe9JrmMeC91lpdxf
gdENWCeExNmtzjLugK+kP5siHqpVT9SVqLMciN/BrlnP4u1HpPRbF1mJtDiWrtFg
47kA5Dy7E75S1mSPyXVw4mXdzJBMnjBeueyIl0ib5J1VAsbnETF+apVZAoGBAMqE
Qbe4OitrBApQkev1UZnmuPBaCW8oXZ3Ui1P0IcJgPrmPbNetnnYiKvh5geUn8nBj
MpfHK3ToGjmsSnIT84miN/jRFvGVi3j+RrwzoGR7EcuuQGtQvHsIKKW9PYJKrGEK
EwE1Us18bADv+WEQEpeWcV+LtJ9GRGLaPu9fuk8ZAoGBALd5xBPq6EpkjSWZ63QC
9V1u0shui4ZivicoTc/h2h83d1bqpp2nQ+U4gzCLdo4gNebmA/92tkGYII99Go6x
KvlZmEPo6HBY8X2yjnrukWiJC14Ih7ke1ZbdfMbRff5sp7/AS7PkmPRXjBANhTWw
FATbm8tHummwm6hPFEyujOfhAoGATMxs85Psk0yJArRdMgMdB+UEGzm5vCqtnc3d
bF/3cXP4NXxbhUr0/c2lSAckKFfGy7ICnKZOJ45ha5+Xt70zLO2UlkoMjl7svlyH
TJWzbIdzTy9shIXghDOq3nduXPuedUpRvLKRDRXzC0P16UYkFtJZeidLvt7xzh7/
oN1HlPkCgYEAs0uNyuclHOWGoz4lo9VmWMuNely/TV62Z5zgcIvhCd09MpmrP/nV
kBcBAcPyC1y8Q1JCdef0KHVlZd9sVbOuodW/M64Aoput9J4EaVbp1zs4y8K4BItK
+dg9ON9kiYhAxof1j6InmJsvD/Ty8zjDUI0R4TRIs6cbUQS+FSQa9aU=
-----END RSA PRIVATE KEY-----
#16129
Posted: 03/25/2011 10:22:14
by Vsevolod Ievgiienko (EldoS Corp.)

C.PrivateKeyExists is False because certificate does not contain a corresponding public key.

If you want to connect a key-pair produced earlier with a new certificate you should load both public and private keys to ElX509Certificate.KeyMaterial then set ElX509Certificate.PreserveKeyMaterial to 'true' and finally call Generate method.
Quote
Am I allowed to use SHA256 or only SHA1?

You can use SHA-256.
Quote
I do not see the LoadKeyFileFromFileAuto function. Am I allowed to use it?

Yes you can use it.
Also by EldoS: BizCrypto
Components for BizTalk® and SQL Server® Integration Services that let you securely store and transfer information in your business automation solutions.

Reply

Statistics

Topic viewed 5102 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!