EldoS | Feel safer!

How remove Public Key to sign just with Secret Key TElX509Certificate

#28803
Posted: 03/17/2014 11:39:47
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

Hello
I am trying to remove only the public key part of a certificate stored in a SBX509.TElX509Certificate object.
I need to sign a document using only the secret key part, but with all the other properties.
But when I used KeyMaterial.ClearPublic, the PrivateKeyExists property changed to False as well.
My Code:

MyJustPrivateCert:= TElX509Certificate.Create(nil);

OriginalFullCert.Clone(MyJustPrivateCert, true); //clone the original full private and public key certificate to the new one with all properties
//here MyJustPrivateCert.PrivateKeyExists is True

MyJustPrivateCert.KeyMaterial.ClearPublic; // I guess removes only the public key
//after that MyJustPrivateCert.PrivateKeyExists is False

I need to remove only the public key part of the TElX509Certificate object, leaving the SecretKey part and all other properties.
Thanks for the help.
#28804
Posted: 03/17/2014 11:51:43
by Eugene Mayevski (EldoS Corp.)

What you are trying to do doesn't make any sense because data is signed using the private key. Can you please explain why you think that you need to remove the public part?


Sincerely yours
Eugene Mayevski
#28805
Posted: 03/17/2014 12:08:15
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

I'm trying to sign an Electronic Invoice for the Costa Rican Government.
The standard defined for that is to separate the original certificate into 2 parts, the public and the private, and use ONLY the private part to sign.

I'm loading the full certificate into the SBX509.TElX509Certificate object and trying to remove the public part to leave only the private part to sign. I already know that only the private part is used by the component to sign, but if I use the whole certificate, the validation for the standard fails.

I need to separate both parts and leave a SBX509.TElX509Certificate with only the private key to sign with.

Other developers use tools such as OpenSSL to split the certificate, but I need to do it with the SBX509.TElX509Certificate object.

Thanks.
#28806
Posted: 03/17/2014 12:13:14
by Eugene Mayevski (EldoS Corp.)

The requirement makes no sense really, but ... what protocol/standard exactly should be used for signing?


Sincerely yours
Eugene Mayevski
#28807
Posted: 03/17/2014 12:18:05
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

The standard defined is:
1. Take the .pfx certificate and split it into 2 parts, public and private (some developers use OpenSSL to do that)

2. Take the resulting .key part (private key only) and use it to sign the Electronic Invoice.

I am loading the whole .pfx into the SBX509.TElX509Certificate object; I need to split it and use only the private part to sign.
#28808
Posted: 03/17/2014 12:20:22
by Eugene Mayevski (EldoS Corp.)

"I need to sign" is not enough to understand what algorithm should be used for signing. In most standard algorithms the requirement to use only the private part is nonsense. So we need to understand how they want you to sign the data.


Sincerely yours
Eugene Mayevski
#28809
Posted: 03/17/2014 12:25:03
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

PKCS#7
It makes no sense, but it is the way the government defined it.
Is it possible to split the certificate and leave only the private key part to sign, using the SBX509.TElX509Certificate object?
#28810
Posted: 03/17/2014 12:37:27
by Eugene Mayevski (EldoS Corp.)

For PKCS#7 it's neither possible nor does it make sense. MAYBE they meant that the certificate must not be included in the signature, but I can only guess.


Sincerely yours
Eugene Mayevski
#28811
Posted: 03/17/2014 12:47:01
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

They mean that the original certificate must be split into private and public key parts (as OpenSSL does). After that, only the resulting private key part must be used to sign the document using PKCS#7.
#28812
Posted: 03/17/2014 15:29:02
by Juan Carlos Morales (Basic support level)
Joined: 03/17/2014
Posts: 6

The main questions are:
1. Is there any way to do this kind of certificate split with the SBX509.TElX509Certificate object?

2. Why, when I use KeyMaterial.ClearPublic, does PrivateKeyExists go to False, if I am just clearing the public one?

Thanks.
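The following is an added example, not code from the thread or from SecureBlackbox: it reproduces with OpenSSL the two-step "split the .pfx, sign with the .key" procedure described in the thread and the reading Eugene Mayevski suggests (a PKCS#7 signature that omits the signer certificate). The key, certificate, password and invoice content are constructed for the demo; the example also shows that an RSA private key already contains the public key, which is why the public part cannot be cleanly "removed" from RSA key material (whether that is the reason for the ClearPublic behaviour in SecureBlackbox is not stated in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: "split" a .pfx with OpenSSL and produce a
# PKCS#7 (S/MIME) signature that carries no certificate. All names constructed.
set -eu
WORK="$(mktemp -d)"
PASS="pass:demo-password"   # constructed .pfx password

# Step 0: constructed test material, a self-signed RSA cert packed into a .pfx.
make_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$WORK/full.key" -out "$WORK/full.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/full.key" -in "$WORK/full.crt" \
    -out "$WORK/full.pfx" -passout "$PASS"
}

# Step 1: the "split" from the thread: private part -> .key, public part -> .crt.
split_pfx() {
  openssl pkcs12 -in "$WORK/full.pfx" -nocerts -nodes -passin "$PASS" \
    -out "$WORK/private.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/full.pfx" -clcerts -nokeys -passin "$PASS" \
    -out "$WORK/public.crt" 2>/dev/null
}

# Step 2: detached PKCS#7 signature made with the private key. -nocerts keeps the
# certificate OUT of the signature (Eugene's reading of the requirement); the
# signer cert is still needed locally to fill SignerInfo's issuer and serial.
sign_pkcs7() {
  printf '<invoice id="1"/>' > "$WORK/invoice.xml"   # constructed content
  openssl smime -sign -binary -nocerts -in "$WORK/invoice.xml" \
    -signer "$WORK/public.crt" -inkey "$WORK/private.key" \
    -outform DER -out "$WORK/invoice.p7s"
}

# Step 3: the relying party verifies with the certificate supplied out of band.
verify_pkcs7() {
  if openssl smime -verify -binary -inform DER -in "$WORK/invoice.p7s" \
       -content "$WORK/invoice.xml" -certfile "$WORK/public.crt" -noverify \
       -out /dev/null 2>/dev/null; then echo ok; else echo fail; fi
}

# Why the public key cannot really be "removed": it is recoverable from the
# private key alone and matches the key in the certificate byte for byte.
public_from_private_matches() {
  a="$(openssl rsa -in "$WORK/private.key" -pubout 2>/dev/null)"
  b="$(openssl x509 -in "$WORK/public.crt" -pubkey -noout)"
  [ "$a" = "$b" ] && echo same || echo different
}

run_demo() { make_pfx; split_pfx; sign_pkcs7; verify_pkcs7; public_from_private_matches; }
```

Running `run_demo` prints `ok` (the certificate-less signature verifies once the certificate is provided separately) and `same`.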