Quantcast

Problem with generating self-signed x509 certificate in FIPS mode

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Problem with generating self-signed x509 certificate in FIPS mode

Hamlet Hakobyan

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem with generating self-signed x509 certificate in FIPS mode

Hamlet Hakobyan
Hi,

May be I should be more specific. The problem is in creating of FipsSecureRandom, I haven't managed, how to create the one.

Thanks

On Apr 1, 2017 3:59 PM, Hamlet Hakobyan <[hidden email]> wrote:

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.


Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Problem with generating self-signed x509 certificate in FIPS mode

David Hook-3

It's covered in chapter 13 of the user guide.

SecureRandom.getInstance(“DEFAULT”, “BCFIPS”);

will also return an acceptable SecureRandom.

Regards,

David

On 03/04/17 17:52, Hamlet Hakobyan wrote:
Hi,

May be I should be more specific. The problem is in creating of FipsSecureRandom, I haven't managed, how to create the one.

Thanks

On Apr 1, 2017 3:59 PM, Hamlet Hakobyan [hidden email] wrote:

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Fw: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode

Hamlet Hakobyan

Thank you for response.


My primary goal is to generate a x509 certificate and store it in the pfx.

I want to describe the approach I've being used to be sure that I'm on the right way.

Firstly, I've generated pair of RSA keys:

            var parameters = new FipsRsa.KeyGenerationParameters(BigInteger.ValueOf(65537), bitLength).For(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var gen = CryptoServicesRegistrar.CreateGenerator(parameters);
            var subjectKeyPair = gen.GenerateKeyPair();
A question related to the snippet. Is it neccessary that the public exponent to be equal 0x10001 ?
Then, I've created the X509CertificateGenerator and configured it apropriately. 
Then I've added AuthorityKeyIdentifier  extention to the certificate.
            var authorityKeyIdentifier = new AuthorityKeyIdentifier(new GeneralNames(new GeneralName(subjectDn)), serialNumber);
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
Then, I've generated X509Certificate passing signature factory configured like this:
            var service = CryptoServicesRegistrar.CreateService(subjectKeyPair.PrivateKey);
            var factory = service.CreateSignatureFactory(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var cert = certGen.Generate(new PkixSignatureFactory(factory));
Now, the tricky part. To create pfx I need to build SafeBag.
            var publicBag = new Pkcs12SafeBagBuilder(cert).Build();
            var privateBag = new Pkcs12SafeBagBuilder(subjectKeyPair.PrivateKey, cipher).Build();
but to have a safe bug with private key the builder demands an ICipherBuilder<AlgorithIdentifier> . The only builder which builds the encriptor
with this interface I've found was the 
            var cipher = new PkixPbeEncryptorBuilder(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc)
                .WithSecureRandom(random)
                .WithIterationCount(1024)
                .WithSalt(BigInteger.ProbablePrime(256, random).ToByteArrayUnsigned())
                .Build(password);
But this encryptpr is not FIPS aproved. The lib suggests to use OpenSSL builder, but I haven't found the one which builds ICipherBuilder<AlgorithIdentifier> 
The same situation is with Pkcs12PfxPduBuilder. It demands ICipherBuilder<AlgorithIdentifier> as well when I want to add encrypted data
and needs IMacFactory<Pkcs12MacAlgDescriptor> on build the store. The IMacFactory<Pkcs12MacAlgDescriptor> is not FIPS aproved as well.
            var pfxPdu = pkcs12PfxPduBuilder.AddData(publicBag).AddEncryptedData(cipher, privateBag).Build(macFactory);

Could you suggest an success approach to achieve my goal?
Thanks in advance.




From: David Hook <[hidden email]>
Sent: Monday, April 3, 2017 3:04 PM
To: [hidden email]; [hidden email]
Subject: Re: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode
 

It's covered in chapter 13 of the user guide.

SecureRandom.getInstance(“DEFAULT”, “BCFIPS”);

will also return an acceptable SecureRandom.

Regards,

David

On 03/04/17 17:52, Hamlet Hakobyan wrote:
Hi,

May be I should be more specific. The problem is in creating of FipsSecureRandom, I haven't managed, how to create the one.

Thanks

On Apr 1, 2017 3:59 PM, Hamlet Hakobyan [hidden email] wrote:

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Fw: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode

Hamlet Hakobyan


Hey people,

any thoughts?

Thanks in advance.


From: Hamlet Hakobyan <[hidden email]>
Sent: Monday, April 3, 2017 5:59 PM
To: [hidden email]
Subject: Fw: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode
 

Thank you for response.


My primary goal is to generate a x509 certificate and store it in the pfx.

I want to describe the approach I've being used to be sure that I'm on the right way.

Firstly, I've generated pair of RSA keys:

            var parameters = new FipsRsa.KeyGenerationParameters(BigInteger.ValueOf(65537), bitLength).For(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var gen = CryptoServicesRegistrar.CreateGenerator(parameters);
            var subjectKeyPair = gen.GenerateKeyPair();
A question related to the snippet. Is it neccessary that the public exponent to be equal 0x10001 ?
Then, I've created the X509CertificateGenerator and configured it apropriately. 
Then I've added AuthorityKeyIdentifier  extention to the certificate.
            var authorityKeyIdentifier = new AuthorityKeyIdentifier(new GeneralNames(new GeneralName(subjectDn)), serialNumber);
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
Then, I've generated X509Certificate passing signature factory configured like this:
            var service = CryptoServicesRegistrar.CreateService(subjectKeyPair.PrivateKey);
            var factory = service.CreateSignatureFactory(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var cert = certGen.Generate(new PkixSignatureFactory(factory));
Now, the tricky part. To create pfx I need to build SafeBag.
            var publicBag = new Pkcs12SafeBagBuilder(cert).Build();
            var privateBag = new Pkcs12SafeBagBuilder(subjectKeyPair.PrivateKey, cipher).Build();
but to have a safe bug with private key the builder demands an ICipherBuilder<AlgorithIdentifier> . The only builder which builds the encriptor
with this interface I've found was the 
            var cipher = new PkixPbeEncryptorBuilder(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc)
                .WithSecureRandom(random)
                .WithIterationCount(1024)
                .WithSalt(BigInteger.ProbablePrime(256, random).ToByteArrayUnsigned())
                .Build(password);
But this encryptpr is not FIPS aproved. The lib suggests to use OpenSSL builder, but I haven't found the one which builds ICipherBuilder<AlgorithIdentifier> 
The same situation is with Pkcs12PfxPduBuilder. It demands ICipherBuilder<AlgorithIdentifier> as well when I want to add encrypted data
and needs IMacFactory<Pkcs12MacAlgDescriptor> on build the store. The IMacFactory<Pkcs12MacAlgDescriptor> is not FIPS aproved as well.
            var pfxPdu = pkcs12PfxPduBuilder.AddData(publicBag).AddEncryptedData(cipher, privateBag).Build(macFactory);

Could you suggest an success approach to achieve my goal?
Thanks in advance.




From: David Hook <[hidden email]>
Sent: Monday, April 3, 2017 3:04 PM
To: [hidden email]; [hidden email]
Subject: Re: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode
 

It's covered in chapter 13 of the user guide.

SecureRandom.getInstance(“DEFAULT”, “BCFIPS”);

will also return an acceptable SecureRandom.

Regards,

David

On 03/04/17 17:52, Hamlet Hakobyan wrote:
Hi,

May be I should be more specific. The problem is in creating of FipsSecureRandom, I haven't managed, how to create the one.

Thanks

On Apr 1, 2017 3:59 PM, Hamlet Hakobyan [hidden email] wrote:

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Fw: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode

David Hook-3

I hate to be the bearer of bad news, but the real problem is that PKCS#12 is not FIPS compliant. You might want to use something else for protecting the private key.

If you have any further questions on this one, please direct them to [hidden email]. This list concentrates on the Java APIs.

Thanks,

David

On 05/04/17 19:26, Hamlet Hakobyan wrote:


Hey people,

any thoughts?

Thanks in advance.


From: Hamlet Hakobyan [hidden email]
Sent: Monday, April 3, 2017 5:59 PM
To: [hidden email]
Subject: Fw: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode
 

Thank you for response.


My primary goal is to generate a x509 certificate and store it in the pfx.

I want to describe the approach I've being used to be sure that I'm on the right way.

Firstly, I've generated pair of RSA keys:

            var parameters = new FipsRsa.KeyGenerationParameters(BigInteger.ValueOf(65537), bitLength).For(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var gen = CryptoServicesRegistrar.CreateGenerator(parameters);
            var subjectKeyPair = gen.GenerateKeyPair();
A question related to the snippet. Is it neccessary that the public exponent to be equal 0x10001 ?
Then, I've created the X509CertificateGenerator and configured it apropriately. 
Then I've added AuthorityKeyIdentifier  extention to the certificate.
            var authorityKeyIdentifier = new AuthorityKeyIdentifier(new GeneralNames(new GeneralName(subjectDn)), serialNumber);
            certGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyIdentifier);
Then, I've generated X509Certificate passing signature factory configured like this:
            var service = CryptoServicesRegistrar.CreateService(subjectKeyPair.PrivateKey);
            var factory = service.CreateSignatureFactory(FipsRsa.Pkcs1v15.WithDigest(FipsShs.Sha1));
            var cert = certGen.Generate(new PkixSignatureFactory(factory));
Now, the tricky part. To create pfx I need to build SafeBag.
            var publicBag = new Pkcs12SafeBagBuilder(cert).Build();
            var privateBag = new Pkcs12SafeBagBuilder(subjectKeyPair.PrivateKey, cipher).Build();
but to have a safe bug with private key the builder demands an ICipherBuilder<AlgorithIdentifier> . The only builder which builds the encriptor
with this interface I've found was the 
            var cipher = new PkixPbeEncryptorBuilder(PkcsObjectIdentifiers.PbeWithShaAnd3KeyTripleDesCbc)
                .WithSecureRandom(random)
                .WithIterationCount(1024)
                .WithSalt(BigInteger.ProbablePrime(256, random).ToByteArrayUnsigned())
                .Build(password);
But this encryptpr is not FIPS aproved. The lib suggests to use OpenSSL builder, but I haven't found the one which builds ICipherBuilder<AlgorithIdentifier> 
The same situation is with Pkcs12PfxPduBuilder. It demands ICipherBuilder<AlgorithIdentifier> as well when I want to add encrypted data
and needs IMacFactory<Pkcs12MacAlgDescriptor> on build the store. The IMacFactory<Pkcs12MacAlgDescriptor> is not FIPS aproved as well.
            var pfxPdu = pkcs12PfxPduBuilder.AddData(publicBag).AddEncryptedData(cipher, privateBag).Build(macFactory);

Could you suggest an success approach to achieve my goal?
Thanks in advance.




From: David Hook [hidden email]
Sent: Monday, April 3, 2017 3:04 PM
To: [hidden email]; [hidden email]
Subject: Re: [dev-crypto] Problem with generating self-signed x509 certificate in FIPS mode
 

It's covered in chapter 13 of the user guide.

SecureRandom.getInstance(“DEFAULT”, “BCFIPS”);

will also return an acceptable SecureRandom.

Regards,

David

On 03/04/17 17:52, Hamlet Hakobyan wrote:
Hi,

May be I should be more specific. The problem is in creating of FipsSecureRandom, I haven't managed, how to create the one.

Thanks

On Apr 1, 2017 3:59 PM, Hamlet Hakobyan [hidden email] wrote:

Hi,


I haven't managed to generate self-signed x509 certificate in FIPS approved mode.

Could someone be able to guide me throughout the process?


Thanks in adcance.




Loading...