.net – Encrypt RSA PRIVATE KEY as OpenSSL using C#

I want to encrypt the RSA PRIVATE KEY given by the piece of code:

var privateKey = cert.GetRSAPrivateKey().ExportRSAPrivateKey()

This is giving the RSA PRIVATE KEY after decrypting using openssl with command:

rsa -text -in private.key -passin pass:passphrase

Now I want a private key as in the command:

OpenSSL> pkcs12 -in src_test_resources_bokkzbv.p12 -nocerts -passin pass:yEzgzmKPkAgj6p17sHnM-des
MAC verified OK
Bag Attributes
    friendlyName: name
    localKeyID: <some random hex>
Key Attributes: <No Attributes>
Enter PEM pass phrase: passphrase
Verifying - Enter PEM pass phrase: passphrase

Is there a way to do this in C# (.Net Core 3.1).
Someone please help with this.

openssl – Windows: CertUtil “Error => Pending OCSP response download”

I am trying to debug why Windows does not accept the responses from my OCSP responder as valid. I am using the command
CertUtil -downloadOcsp .certs .ocsp_responses downloadonce
A single p7b certificate is in the certs directory. I read the log of my openssl 1.1.1f OCSP responder in real-time, and I can see that
the connection is made. And the output from certutil looks like it downloads the response. But certutil reports an error, and no ocsp response is saved in .ocsp_responses

The output from certutil is:

==== Downloaded OCSP Responses ====
7/5/2021 2:56 PM 44.368s :: Error => Pending OCSP response download — <8958F37AF76E2151B548E950719789A1FA705F0A> <saratoga.candy-land.name> <ca-sub.candyland.org> <saratoga.candy-land.name_exchange_20210630145440_exchange.p7b>

Total: 1 Downloaded: 0 Warnings: 0 Pending: 1 Errors: 0 Maximum Thread Count: 2

CertUtil: -downloadOcsp command completed successfully.

I get the same behavior on Windows 10 Pro, and Windows Server 2019. The OCSP responder is openssl 1.1.1f

What might the problem be, and How can I correct it?

openssl – Extract RSA Public Key from public Certificate

I have public certificate with 2048 bit RSA public key for encrypt data.
I need use openssl to extract this public key.
Certyficate is PEM .cer file, and extracted key should be PEM too.

I use command to extract Public key

openssl x509 -pubkey -noout -in cert.cer  > pubkey.pem

And output is:

—–BEGIN PUBLIC KEY—– MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr5qMxLWtgkId2oRUfnPf
6MX+UouBQKOzyfG0J9LW9yya8Nr+ilPTSPp+hSBL/TD1ijUZ2RClyegnrojOKHS7
kp1ZFDQJwmKSW660NKeLbyu2fbcJFBuDmSVK8XwRsUaIpf4eixqx5wAZg8q64kJ9
R9e07WPqrC2+8p2F/7zlKsZ263CWZ/xE0M6I4RiKSA24iaiGVrppnIrX1oX2v/dq
UNaQL3uIgH1WWtf4apnDA7MVei2Iz2NjFzLJ569wxzO92XBUrcEkqA7Xx0or6xij
h0oFKxsygNqHzK3qf56McRi/xy1VFrGQsiZL1u4+cdIAu5/tWaecLFl0UOBBbYxz
9QIDAQAB
—–END PUBLIC KEY—–

And I try to convert it to RSA Public key with PKCS#1 padding and AN1 encoding

openssl x509 -inform PEM -in cert.cer -outform PEM -pubkey -nocert -out pubkeyRSA.pem

And output is

—–BEGIN RSA PUBLIC KEY—– MIIBCgKCAQEAr5qMxLWtgkId2oRUfnPf6MX+UouBQKOzyfG0J9LW9yya8Nr+ilPT
SPp+hSBL/TD1ijUZ2RClyegnrojOKHS7kp1ZFDQJwmKSW660NKeLbyu2fbcJFBuD
mSVK8XwRsUaIpf4eixqx5wAZg8q64kJ9R9e07WPqrC2+8p2F/7zlKsZ263CWZ/xE
0M6I4RiKSA24iaiGVrppnIrX1oX2v/dqUNaQL3uIgH1WWtf4apnDA7MVei2Iz2Nj
FzLJ569wxzO92XBUrcEkqA7Xx0or6xijh0oFKxsygNqHzK3qf56McRi/xy1VFrGQ
siZL1u4+cdIAu5/tWaecLFl0UOBBbYxz9QIDAQAB
—–END RSA PUBLIC KEY—–

After decode it with Base64 and used to encrypt data, server show me an error, that encrypted key is wrong. Also, trying to load this keys to LockBox library for Delphi programs, it throws an exception “Wrong asymetric key”

The certificate is:

—–BEGIN CERTIFICATE—– MIIFGTCCBAGgAwIBAgITYwABPJqEcB3zrmJ2agABAAE8mjANBgkqhkiG9w0BAQwF
ADBdMRIwEAYKCZImiZPyLGQBGRYCcGwxEzARBgoJkiaJk/IsZAEZFgNnb3YxEjAQ
BgoJkiaJk/IsZAEZFgJtZjEeMBwGA1UEAxMVUmVzb3J0IEZpbmFuc293IEkxIENB
MB4XDTIwMDcyMzExMjgyM1oXDTIyMDcyMzExMjgyM1owgZExCzAJBgNVBAYTAlBM
MRQwEgYDVQQIEwttYXpvd2llY2tpZTERMA8GA1UEBxMIV2Fyc3phd2ExHzAdBgNV
BAoMFk1pbmlzdGVyc3R3byBGaW5hbnPDs3cxHDAaBgNVBAsTE0FwbGlrYWNqZSBL
cnl0eWN6bmUxGjAYBgNVBAMTEWV0dy10c3QubWYuZ292LnBsMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr5qMxLWtgkId2oRUfnPf6MX+UouBQKOzyfG0
J9LW9yya8Nr+ilPTSPp+hSBL/TD1ijUZ2RClyegnrojOKHS7kp1ZFDQJwmKSW660
NKeLbyu2fbcJFBuDmSVK8XwRsUaIpf4eixqx5wAZg8q64kJ9R9e07WPqrC2+8p2F
/7zlKsZ263CWZ/xE0M6I4RiKSA24iaiGVrppnIrX1oX2v/dqUNaQL3uIgH1WWtf4
apnDA7MVei2Iz2NjFzLJ569wxzO92XBUrcEkqA7Xx0or6xijh0oFKxsygNqHzK3q
f56McRi/xy1VFrGQsiZL1u4+cdIAu5/tWaecLFl0UOBBbYxz9QIDAQABo4IBmzCC
AZcwDgYDVR0PAQH/BAQDAgWgMD4GCSsGAQQBgjcVBwQxMC8GJysGAQQBgjcVCIS3
mFWE7NgBhrmTDYO18X6DrtM2gUKEotdOhMuPDgIBZAIBDDAdBgNVHQ4EFgQUnFcp
uSFJZYUBUkIplCvJERbNN98wHwYDVR0jBBgwFoAUfR+t1nzLSol4VWy6EPLtM9Yx
us0wRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL3BraS5tZi5nb3YucGwvY2RwL3Jl
c29ydF9maW5hbnNvd19pMV9jYSgxKS5jcmwwdQYIKwYBBQUHAQEEaTBnMD4GCCsG
AQUFBzAChjJodHRwOi8vcGtpLm1mLmdvdi5wbC9haWEvcmVzb3J0X2ZpbmFuc293
X2kxX2NhLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL3BraS5tZi5nb3YucGwvb2Nz
cDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwJwYJKwYBBAGCNxUKBBow
GDAKBggrBgEFBQcDATAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQwFAAOCAQEAHatd
TuoQDgaydiNDZFPvbvnqO0wmD/sH54LkXnf49hXHcGQRjhBc7xsSDbKzxHEORJ08
wNWWJa0H8cbKCLytBq49FQnENYoi5sgMetM5XGqGSYHwFLTFyAf8A9af8rpqfAEY
HwmL6iIjz6NmSD52i3owOaMCop4pyC+UU5CZDqBrYd10JY4bWRm5NPdjIga0+mDm
hQYEkoW/AEQQam+VmyLsJFGtBl/kr5+EFIUFw8X2tFAubNTuxQsveLo91Q0lHtSt
BMBJ7MYnJeFCGDeuPM65nJtCxexDfWfWSTZvGrdJSUooD5iFSZodCkReP7ZLiQmB
dPB1oIhW3y/VUem3+A== —–END CERTIFICATE—–

Is it correctly trying to extract this key from the certificate?

openssl – Can mutual TLS work with a self-signed client certificate?

Is it conceptually possible to allow in the server a specific self signed client certificate for mutual TLS?

If possible but not recommended. Why?

I have a client to who I have to provide a server that does mutual TLS auth. But they say they wont sign our server certificate nor will they let us sign their client certificate. How should I approach this?

crl – OpenSSL and connection time

Does anyone know about the search mechanism used in OpenSSL w.r.t verifying a serial number against a CRL file?
I understand that in the case of Base-CRL approach, the file size will grow over time and also it depends upon the number of revocations and length/size of the serial number.

Any idea as to whether OpenSSL makes use of binary search or linear search for CRL checking? Due to the environmental constraints, I’m not able to perform some tests to understand the time taken for a CRL check with different CRL file sizes and so looking for an answer here.

Getting different results with a Bitcoin address generator c++ openssl

I’m making a bitcoin address generator from a private key in C++, I followed several examples on the net and I don’t get the same result after the public key is hashed with sha256 and ripemd160

Example: https://programmer.help/blogs/how-bitcoin-addresses-are-generated.html

Private Key: ccea9c5a20e2b78c2e0fbdd8ae2d2b67e6b1894ccb7a55fc1de08bd53994ea64

Public Key: 04d061e9c5891f579fd548cfd22ff29f5c642714cc7e7a9215f0071ef5a5723f691757b28e31be71f09f24673eed52348e58d53bcfd26f4d96ec6bf1489eab429d

Correct Hash:
Ripemd: 2b6f3b9e337cedbb7c40839523fb1100709c12f7

Resulting Hash:
Ripemd: 6d0933c13cad83f9f67657e1f87e8acccc2b98e6

#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <string>
#include <cstring>
#include <iomanip>
#include <sstream>
#include <crtdbg.h>
#include <locale>
#include <algorithm>
#include <openssl/ec.h>
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
#include <openssl/sha.h>
#include <openssl/ripemd.h>

using namespace std;


string inputSHA256;
string outputSHA256;

char inputRipemd(41);
char outputRipemd(41);




string sha256(const string str)
{
    unsigned char hash(SHA256_DIGEST_LENGTH);
    SHA256_CTX sha256;
    SHA256_Init(&sha256);
    SHA256_Update(&sha256, str.c_str(), str.size());
    SHA256_Final(hash, &sha256);
    stringstream ss;
    for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
    {
        ss << hex << setw(2) << setfill('0') << (int)hash(i);
    }
    return ss.str();
}


void ripemd160(char *string, char outputBuffer(41))
{
    unsigned char hash(RIPEMD160_DIGEST_LENGTH);
    RIPEMD160_CTX ripemd160;
    RIPEMD160_Init(&ripemd160);
    RIPEMD160_Update(&ripemd160, string, strlen(string));
    RIPEMD160_Final(hash, &ripemd160);
    for (int i = 0; i < RIPEMD160_DIGEST_LENGTH; i++)
    {
        sprintf_s(outputBuffer + (i * 2), sizeof(outputBuffer + (i * 2)), "%02x", hash(i));
    }
    outputBuffer(40) = 0;
}

int main()
{
    EC_KEY *eckey = NULL;
    EC_POINT *pub_key = NULL;
    const EC_GROUP *group = NULL;
    BIGNUM start;
    BIGNUM *res;
    BN_CTX *ctx;


    // Elliptic Curve
    BN_init(&start);
    ctx = BN_CTX_new(); // ctx is an optional buffer to save time from allocating and deallocating memory whenever required

    res = &start;
    BN_hex2bn(&res,   "ccea9c5a20e2b78c2e0fbdd8ae2d2b67e6b1894ccb7a55fc1de08bd53994ea64");

    eckey = EC_KEY_new_by_curve_name(NID_secp256k1);
    group = EC_KEY_get0_group(eckey);
    pub_key = EC_POINT_new(group);

    EC_KEY_set_private_key(eckey, res);

    /* pub_key is a new uninitialized `EC_POINT*`.  priv_key res is a `BIGNUM*`. */
    if (!EC_POINT_mul(group, pub_key, res, NULL, NULL, ctx))
        printf("Error at EC_POINT_mul.n");

    EC_KEY_set_public_key(eckey, pub_key);



    char *cc = EC_POINT_point2hex(group, pub_key, POINT_CONVERSION_UNCOMPRESSED, ctx);
    char *c = cc;

    BN_CTX_free(ctx);


    string bytes(cc);
    string bytesLower = "";


    // To Lower Case
    std::locale loc;

    for (auto elem : bytes){
        bytesLower += tolower(elem, loc);
    }

    cout << "Public Key: " << bytesLower << endl;



    // Sha256
    inputSHA256 = bytesLower;
    outputSHA256 = sha256(inputSHA256);

    cout << "SHA256: " << outputSHA256 << endl;

    //transform(outputSHA256.begin(), outputSHA256.end(), outputSHA256.begin(), ::toupper);

    // Ripemd
    strcpy(inputRipemd, outputSHA256.c_str());
    ripemd160(inputRipemd, outputRipemd);

    string ripemd(outputRipemd);

    cout << "Ripemd: " << ripemd << endl;
    
    string tc = "00";
    tc += ripemd;

    // Checksum
    string outputSHA256Checksum = sha256(sha256(tc));

    for (int i = 0; i < 8; i++) {
        tc += outputSHA256(i);
    }

    cout << "Address HEX: " << tc << endl;


    return 0;
}

openssl won’t verify certs beyond intermediate CA, error 20 even when using CApath or CAfile

Ultimately, I am trying to configure an ocsp server on ubuntu 20.4, but I cannot even verify any certs issued by my intermediate CA yet.

I have configured a ca-root called ca-root.mydomain.org. I also have configured a intermediate ca called ca-sub.mydomain.org. Finally, there is my future ocsp server, ocsp-server.mydomain.org.

First, I make a self-signed cert ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain pem file “sub-chain.pem”. It contains the sub-ca cert, then the ca-root cert, in that order.

Next, I then copy both ca_root_cert_file and ca_sub_cert_file to a “$CA_ROOTS_HASHES_DIR” directory, and copy all the root certs in /etc/ssl/certs there as well. I run the openssl utility c_rehash -v "$CA_ROOTS_HASHES_DIR". I expect I can now use this as the argument for the -CApaths parameter of openssl verify.

Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain pem file “ocsp_signer_chain.pem”. It contains the ocsp-server cert, the sub-ca cert, then the ca-root cert, in that order. I don’t expect to need this ocsp_signer_chain.pem, but I have it.

I can use openssl verify to verify ca_sub_cert_file:

`openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"`
OK
Chain:
depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted)
depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = deft@mydomain.org

But I can’t verify ocsp-server_cert_file. I always get error 20 at 0 depth lookup: unable to get local issuer certificate.
I’ve tried CAfile with sub-chain.pem vs. ocsp_signer_chain.pem vs. -CApath "$CA_ROOTS_HASHES_DIR".
I’ve tried with and without -untrusted "$ca_sub_cert_file"

openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted  "$ca_sub_cert_file" "$ocsp-server_cert_file"`
C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed

What am I doing wrong? I’ve been searching for days, but the answers I’ve found all end with using CApath or CAfile

I’m surprised that even when verifying ca_sub_cert_file, openssl reports “ca-sub.mydomain.org (untrusted)” I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/

ssh – Why Getting error curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hostname:8065

I tried to use cURL command in Ubuntu terminal. The command is

curl -X POST  https://hostname:8065/finance/1.0/go 
-H "accept: application/json" 
-H "Content-Type: application/jwt" 
-H "x-v: 1.0" 
--cert asa.pem --key asa.key 
-d eyJ0eX -k

When I try above curl command I got an error.

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to hostname:8065

How can I fix this problem