EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate changed

#17955
Posted: 10/22/2011 10:26:25
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

Hi:

New to forum. I am using black box delphi components in program. This program has been working perfectly since 2004 using Version 3.1.49 and Delphi 5.

Also what to expect if I get newer version of black box (other than items moved to different unit files)?

Thanks and best regards


The certificate issuer changed the structure of the certificate from

CA
RA
Key

To

Key
CARoot 1 CA Root 1
CA Intermediate Cust 1 CA Root 1
CA Issuing Cust 1 Intermediate Cust 1
JACKSONA Issuing Cust 1

The three I want out are Key, CARoot1 and JACKSONA.

When I try running program now to extract the (desired) certs and key
I get the key index as 3 (should be 0) and then the operation fails with error message Invalid Signature.


#17956
Posted: 10/22/2011 11:17:07
by Eugene Mayevski (EldoS Corp.)

Thank you for the message.

Regarding changes - you can study the change list which will give you detailed information. To make a brief comparison we would need to know what you are going to compare, cause currently SecureBlackbox includes over 20 individual packages including dozens and dozens of components for all widely used security standards and application-level network protocols.

As for the second part of your question, I am afraid I understood a little from it. Please elaborate on what that all stuff is meant to be.


Sincerely yours
Eugene Mayevski
#17957
Posted: 10/22/2011 20:23:51
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

"As for the second part of your question, I am afraid I understood a little from it. Please elaborate on what that all stuff is meant to be."

Those are the identity of the various parts of the certs in the p12.



I have a p12 from Transunion used since 2004. I can extract the 3 pem files I need to run my program. Transunion has issued a new p12 that has 5 parts in it.


If I extract the 3 parts I need from the new p12 converted to pem, those work fine just like the old one.

My program (attached file to original post) which works fine with old p12 throws an invalid signature error with the new p12. I can extract the key and user cert from the p12 using openssl but when I try to get the CA, I get what I want plus the two additional certs.

Is there any way using the Eldos components to extract only the CA I want (by some identity)? The Key and the usercert extracted properly before and I assume will do so again?

Also as I stated when I run my code it indicates the Key is index 3 whereas in reality (at least in the pem) it is index 0.
#17958
Posted: 10/22/2011 21:31:29
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

Hi:

Appreciate your attention to my problem.

Need to clarify some things. Original information on cert not correct.

OldCert.p12 when printed out from pem file shows:

Four sections:

First section:
Bag Attributes: <Empty Attributes>
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA Certificate Authority
issuer= /C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA Certificate Authority
-----BEGIN CERTIFICATE-----

second section:
Bag Attributes: <Empty Attributes>
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA Registration Authority
issuer= /C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA Certificate Authority
-----BEGIN CERTIFICATE-----

third section:
Bag Attributes
friendlyName: TUNA Production Client Cert
localKeyID: 00 00 00 01
subject=/C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion Net Access Client Production
issuer= /C=US/ST=Illinois/L=Chicago/O=TransUnion, LLC/CN=TransUnion TUNA Registration Authority
-----BEGIN CERTIFICATE-----

fourth section
Bag Attributes
friendlyName: TUNA Production Client Cert
localKeyID: 00 00 00 01
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----

When I run my program it identifies the Key index as 2 (skipping the RA)

Works fine.

The NewCert.p12 printed out from pem file:

Shows 5 sections
first section:

Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
1.3.6.1.4.1.311.17.1: Microsoft Enhanced Cryptographic Provider v1.0
friendlyName: KeyVerification--58a84ef88fcdf890407b2274b6aa41bf
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----

second section:

Bag Attributes: <Empty Attributes>
subject=/CN=TransUnion CA Root 1
issuer= /CN=TransUnion CA Root 1
-----BEGIN CERTIFICATE-----


third section:

Bag Attributes: <Empty Attributes>
subject=/CN=TransUnion CA Intermediate Cust 1
issuer= /CN=TransUnion CA Root 1
-----BEGIN CERTIFICATE-----


fourth section:


Bag Attributes: <Empty Attributes>
subject=/DC=com/DC=transunion/DC=cust/CN=TransUnion CA Issuing Cust 1
issuer= /CN=TransUnion CA Intermediate Cust 1
-----BEGIN CERTIFICATE-----

fifth section:


Bag Attributes
localKeyID: 01 00 00 00
subject=/O=cts/OU=Members/OU=System ID/CN=JACKSONA
issuer= /DC=com/DC=transunion/DC=cust/CN=TransUnion CA Issuing Cust 1
-----BEGIN CERTIFICATE-----

When I run the program it says the key file is at index 3 while it should be at index 0 and then I get the invalid signature error.

I want to extract section 1 [0], section 2 [1] and section 5 [4]

I can send the actual pem files for both the certs if that will help.

I hope this clarifies the problem.

Thanks and best regards
#17959
Posted: 10/23/2011 03:29:19
by Eugene Mayevski (EldoS Corp.)

Thank you, now the question seems to be clear. You are having problems accessing a certain certificate in a PKCS#12 file due to an "invalid signature" error.

As a first step to solve the problem I would recommend installing the latest version of SecureBlackbox and your code to load the certificates.

If I understood you right, OpenSSL successfully loads this new PKCS#12 file and can convert it to PEM. If it's so, then you can also try loading certificates from PEM but note: PEM is a private (not a standard) format used by OpenSSL.

The order of certificates in the container (be it PKCS#12 or PEM file) doesn't matter for using certificates. If you need to choose the certificate in the storage, you do this by comparing its attributes such as Issuer name and serial number, or SHA1 hashes.


Sincerely yours
Eugene Mayevski
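
Picking the key, the user certificate and the root by identity instead of by index, as the reply above recommends. This is an added example, not code from the thread or from SecureBlackbox. It goes beyond the reply by working on the text that `openssl pkcs12` prints (the format quoted earlier in the thread) and by using localKeyID plus subject/issuer names; the function names and the placeholder PEM bodies are constructed for illustration.

```python
import re

# Constructed sample shaped like the NewCert.p12 dump quoted in the thread.
# The base64 bodies are placeholders, not real key or certificate data.
def make_bag(attrs, label):
    return f"{attrs}\n-----BEGIN {label}-----\nUExBQ0VIT0xERVI=\n-----END {label}-----\n"

def make_cert(subject, issuer, attrs="Bag Attributes: <Empty Attributes>"):
    return make_bag(f"{attrs}\nsubject={subject}\nissuer= {issuer}", "CERTIFICATE")

KEYID = "Bag Attributes\n    localKeyID: 01 00 00 00"
ROOT = "/CN=TransUnion CA Root 1"
INTER = "/CN=TransUnion CA Intermediate Cust 1"
ISSUING = "/DC=com/DC=transunion/DC=cust/CN=TransUnion CA Issuing Cust 1"
LEAF = "/O=cts/OU=Members/OU=System ID/CN=JACKSONA"
SAMPLE = (make_bag(KEYID + "\nKey Attributes", "RSA PRIVATE KEY")
          + make_cert(ROOT, ROOT) + make_cert(INTER, ROOT)
          + make_cert(ISSUING, INTER) + make_cert(LEAF, ISSUING, KEYID))

BLOCK = re.compile(r"(.*?)(-----BEGIN ([A-Z ]+)-----\n.*?-----END \3-----\n)", re.S)

def attr(attrs, name):
    m = re.search(rf"^\s*{name}\s*[=:]\s*(.+)$", attrs, re.M)
    return m.group(1).strip() if m else None

def parse_bags(text):
    """Split the PEM dump into bags, keeping the attributes printed above each."""
    return [{"kind": label, "pem": pem, "subject": attr(attrs, "subject"),
             "issuer": attr(attrs, "issuer"), "key_id": attr(attrs, "localKeyID")}
            for attrs, pem, label in BLOCK.findall(text)]

def select(bags):
    """Return (key, leaf, root) chosen by identity, never by position."""
    key = next(b for b in bags if b["kind"].endswith("PRIVATE KEY"))
    certs = [b for b in bags if b["kind"] == "CERTIFICATE"]
    # The user certificate is the one sharing the private key's localKeyID.
    leaf = next(c for c in certs if c["key_id"] and c["key_id"] == key["key_id"])
    by_subject = {c["subject"]: c for c in certs}
    node, seen = leaf, set()
    # Follow issuer names upward until the self-signed root is reached.
    # Name matching only locates bags; it does not verify any signature.
    while node["subject"] != node["issuer"]:
        if node["subject"] in seen or node["issuer"] not in by_subject:
            raise ValueError("chain is broken or loops at " + node["subject"])
        seen.add(node["subject"])
        node = by_subject[node["issuer"]]
    return key, leaf, node
```

Concatenating the `pem` fields of the three returned bags gives the key, user certificate and root regardless of how many intermediates the issuer adds or where they sit in the file.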
#17977
Posted: 10/24/2011 12:02:12
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

Hi:

I looked into the latest secure black box and the pricing is way out of line
with what I am looking for. This is a free project for a non-profit.

My current version is:

Version 3.1.49. Minor update

and installed in 2004.

Guess I will try modifying the code to parse out what I want.

Best regards
#18018
Posted: 10/28/2011 08:48:49
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

Hi:

I downloaded trial for D5 and installed over my old version since it was an "upgrade". When I realized no pas files I uninstalled and it removed ALL my pas files even though they had been installed in 2004.

That is really nice. It destroyed my installation.
#18019
Posted: 10/28/2011 08:57:07
by Eugene Mayevski (EldoS Corp.)

That's very strange and unexpected behavior. From my experience, any extra files being installed are kept after deinstallation. In any case, you can re-install the version. If you need access to the installer of the old version, we keep all installers since version 3, so I will be able to provide you such access.


Sincerely yours
Eugene Mayevski
#18020
Posted: 10/28/2011 11:45:29
by Robert Tulloch (Basic support level)
Joined: 10/22/2011
Posts: 6

Hi:

Thanks

My experience also. Uninstall should use install log to uninstall and not touch anything else. It left the old dcu's there so it was just not clearing the directory.

Weird. So how do I get Version 3.1.49 and Delphi 5?
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.