MS Cryptography Service Provider
PKI Certificates with MS Crypto API & OpenSSL
Create a Root CA certificate (self-signed)
First define a constant with the path to the OpenSSL binaries (the 1.0.2 series used here is out of support; the genrsa, req, ca, verify and pkcs12 commands below run unchanged on a current OpenSSL):
Const
OpenSSLPath='..\pki2017\openssl-1.0.2l-i386-win32\';
Create a Host Cert Request
We generate a certificate signing request (CSR) for the host (machine certificate). The CSR carries the host's public key and the requested subject and is signed with the host's own private key as proof of possession; the CA has not signed anything yet, that happens in step 9.
8. Create the host CSR (certificate signing request)
ExecuteShell(OpenSSLPath+'openssl.exe',
'req -new -key
'+OpenSSLPath+'./certs/host_pvkmX42.pem -out
'+OpenSSLPath+'./certs/host_csr.pem -config
'+OpenSSLPath+'./openssl.cnf')
Enter a Common Name (CN) that names the main use of the certificate: for instance www.max.org if you want to secure the website www.max.org, or max@max.org if you want to use it to secure e-mail. Note that current browsers match the host name against the subjectAltName extension and ignore the CN, so for a web certificate the DNS name also has to be placed in subjectAltName (through the extension section in openssl.cnf).
Sign and create the Host Cert
The CA signs the host request (machine certificate) with CA_pvkmX42.pem, and the output is the wanted host_crt.pem. openssl ca keeps a database (index.txt, serial, new_certs_dir) that openssl.cnf must point to and that has to exist before this step runs; without -batch it asks for confirmation, and without -passin it prompts for the CA key passphrase.
9. Create the host certificate as a web (server) certificate
ExecuteShell(OpenSSLPath+'openssl.exe',
'ca -out
'+OpenSSLPath+'./certs/host_crt.pem -in
'+OpenSSLPath+'./certs/host_csr.pem -cert
'+OpenSSLPath+'./certs/CA_crt.pem -keyfile
'+OpenSSLPath+'./certs/CA_pvkmX42.pem -config
'+OpenSSLPath+'./openssl.cnf')
Verify CA and Host Cert
10. We verify the certificate chain: the host certificate has to validate against CA_crt.pem. Pass the certificate to verify, not the private key (the original script passed host_pvkmX42.pem here, which can never verify). A successful verify only proves the signature chain and validity dates; the host name is checked only if -verify_hostname is added.
ExecuteShell(OpenSSLPath+'openssl.exe',
'verify -verbose -CAfile certs/CA_crt.pem
-CApath certs certs/host_crt.pem')
Or
writeln(getDosOutput('openssl.exe verify -verbose
-CAfile certs/CA_crt.pem -CApath certs
certs/host_crt.pem',OpenSSLPath));
Convert to PKCS#12
Convert the PEM certificate and its private key to a PKCS#12 file (.pfx/.p12), adding the CA certificate with -certfile so the chain travels with it. Double-clicking the file in Windows imports it into the certificate store. The file contains the private key, so set a strong export password and treat the file as a secret.
ExecuteShell('cmd.exe','/k
'+OpenSSLPath+'openssl.exe '+
'pkcs12 -export -out
'+OpenSSLPath+'/certs/CERT_PFX.pfx -inkey
'+OpenSSLPath+'/certs/PVK_host.pem -in
'+OpenSSLPath+'/certs/CERT_host_crt.pem -certfile
'+OpenSSLPath+'/certs/CA_crt.pem')
THE TEST OVERVIEW
OpenSSL precompiled binaries for Win32 test: compute the hashes of the downloaded binaries (OpenSSLExe holds their directory) and compare them with the checksums the distributor publishes before executing anything from that download.
sr:= loadFromFile(OpenSSLExe+'\openssl.exe');
writeln('openssl.exe sha256: '+getSHA256(sr));
sleep(500);
writeln('openssl.exe sha1: '+SHA1(OpenSSLExe+'\openssl.exe'));  // SHA-1 shown for comparison only; rely on the SHA-256 values
sr:= loadFromFile(OpenSSLExe+'\ssleay32.dll');
writeln('ssleay32.dll sha256: '+getSHA256(sr));
sr:= loadFromFile(OpenSSLExe+'\libeay32.dll');
writeln('libeay32.dll sha256: '+getSHA256(sr));
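Printing the hashes is only half of the check; the other half is comparing them with pinned values and refusing to run on a mismatch. The following POSIX shell script is an added example, not the page's maXbox script: it verifies a directory against a SHA256SUMS manifest (the sha256sum line format). The three binaries and the manifest are constructed in a scratch directory for the demo; in practice the hashes come from the distributor's published list.

```shell
#!/bin/sh
# Added example (not from the page): pin the SHA-256 of downloaded OpenSSL
# binaries in a manifest and fail closed when any file is missing or altered.
set -eu

# sha256_of FILE: print the hex digest; coreutils when present, else openssl.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# verify_manifest DIR MANIFEST: MANIFEST holds "hexdigest  filename" lines.
# Returns 0 only if every listed file exists in DIR and matches its digest.
verify_manifest() {
  dir=$1; manifest=$2; bad=0
  while read -r want name; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name"; bad=1; continue
    fi
    got=$(sha256_of "$dir/$name")
    if [ "$got" = "$want" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name"; bad=1
    fi
  done < "$manifest"
  return $bad
}

# make_fixture DIR: constructed stand-ins for openssl.exe and its two DLLs,
# plus a manifest computed from the untampered files (the "known good" state).
make_fixture() {
  dir=$1
  mkdir -p "$dir"
  printf 'fake openssl.exe\n'  > "$dir/openssl.exe"
  printf 'fake ssleay32.dll\n' > "$dir/ssleay32.dll"
  printf 'fake libeay32.dll\n' > "$dir/libeay32.dll"
  : > "$dir/SHA256SUMS"
  for f in openssl.exe ssleay32.dll libeay32.dll; do
    echo "$(sha256_of "$dir/$f")  $f" >> "$dir/SHA256SUMS"
  done
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_fixture "$work"
  verify_manifest "$work" "$work/SHA256SUMS" && echo "all binaries match"
  printf 'x' >> "$work/libeay32.dll"   # simulate a tampered or corrupt download
  verify_manifest "$work" "$work/SHA256SUMS" || echo "refusing to run: manifest mismatch"
fi
```

Run it with `sh check_openssl.sh demo`. The same manifest format works with `sha256sum -c SHA256SUMS` on systems that have coreutils; the function above exists so the check also runs where only openssl is available, and so a missing file counts as a failure rather than being skipped.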
Process Overview
// 1. generate the CA's RSA private key (2048 bit); -des3 encrypts it with a passphrase (prefer -aes256 today)
1. openssl genrsa -des3 -out ./MyDemo/certs/CA_pvk.pem 2048
// 2. create the self-signed CA certificate (valid 365 days) from that key; it is the trust anchor and signs every host certificate
2. openssl req -new -x509 -days 365 -key ./MyDemo/certs/CA_pvk.pem -out ./MyDemo/certs/CA_crt.pem -config ./openssl.cnf
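The two overview steps above and steps 8 to 11 earlier on the page are one procedure, so here is the whole chain as a single added POSIX shell example (not the page's maXbox script and not its openssl.cnf): CA key and self-signed CA certificate, host key and CSR, signing with openssl ca, chain plus host-name verification, and PKCS#12 export, all non-interactive. It assumes openssl on PATH; the subjects, the CA passphrase, the PFX password, the subjectAltName www.max.org and the minimal openssl.cnf with its CA database section (index.txt, serial, newcerts) are constructed for the demo and live in a mktemp directory.

```shell
#!/bin/sh
# Added example (not from the page): a throwaway CA, one server certificate
# issued with `openssl ca`, verification and PKCS#12 export, with no prompts.
set -eu

CA_PASS='demo-ca-passphrase'    # constructed; a real CA key gets a strong passphrase and stays offline
PFX_PASS='demo-export-password' # constructed; the PFX holds the private key, so treat it as a secret

# build_pki DIR: steps 1, 2, 8, 9 and 11 of the page, written into DIR/certs.
build_pki() {
  dir=$1
  mkdir -p "$dir/certs" "$dir/ca/newcerts"
  : > "$dir/ca/index.txt"        # database of issued certificates for `openssl ca`
  echo 1000 > "$dir/ca/serial"   # next serial number (hex)

  # Minimal stand-in for the page's ./openssl.cnf: CA database + extensions.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = $dir/ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_cn
x509_extensions = host_ext

[ policy_cn ]
commonName      = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]
# subjects are passed on the command line with -subj

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ host_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.max.org
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  cfg=$dir/openssl.cnf
  c=$dir/certs

  # 1. CA private key, encrypted (AES-256 instead of the page's legacy -des3)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$c/CA_pvk.pem" 2048 2>/dev/null
  # 2. self-signed CA certificate with CA extensions
  openssl req -new -x509 -sha256 -days 365 -key "$c/CA_pvk.pem" -passin "pass:$CA_PASS" \
    -subj '/CN=maXbox Demo Root CA' -config "$cfg" -extensions ca_ext -out "$c/CA_crt.pem"
  # host key, unencrypted so a server can load it; restrict it by file mode instead
  openssl genrsa -out "$c/host_pvk.pem" 2048 2>/dev/null
  chmod 600 "$c/host_pvk.pem"
  # 8. CSR signed with the host key itself (proof of possession, not yet CA-signed)
  openssl req -new -sha256 -key "$c/host_pvk.pem" -subj '/CN=www.max.org' -config "$cfg" -out "$c/host_csr.pem"
  # 9. the CA issues the host certificate; -batch suppresses the y/n prompts
  openssl ca -batch -config "$cfg" -cert "$c/CA_crt.pem" -keyfile "$c/CA_pvk.pem" \
    -passin "pass:$CA_PASS" -in "$c/host_csr.pem" -out "$c/host_crt.pem" -notext
  # 11. PKCS#12 with host key + host cert + CA cert (add -legacy on OpenSSL 3 for old Windows importers)
  openssl pkcs12 -export -passout "pass:$PFX_PASS" -inkey "$c/host_pvk.pem" -in "$c/host_crt.pem" \
    -certfile "$c/CA_crt.pem" -out "$c/host.pfx"
}

# 10. verify_host DIR NAME: chain validation plus host-name check against the SAN.
verify_host() {
  openssl verify -CAfile "$1/certs/CA_crt.pem" -verify_hostname "$2" "$1/certs/host_crt.pem"
}

# p12_cert_count DIR: number of certificates bundled in the PFX (host + CA = 2).
p12_cert_count() {
  openssl pkcs12 -in "$1/certs/host.pfx" -passin "pass:$PFX_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  build_pki "$work"
  verify_host "$work" www.max.org
  verify_host "$work" other.example || echo "host-name mismatch rejected, as it should be"
  echo "certificates in PFX: $(p12_cert_count "$work")"
fi
```

Run it with `sh pki_demo.sh demo`. The second verify_host call is the point the page's verify step leaves out: a certificate that chains correctly to CA_crt.pem is still refused when the name does not match the SAN. With the Win32 1.0.2l binaries the same commands work from cmd.exe once the openssl.cnf carries an equivalent [ ca ] section; that database is what makes step 9 fail with "unable to open index.txt" when it is missing.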
You need both the public and private keys for an official SSL Certificate to function. So, if you need to transfer your SSL
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx -pvk "maXboxPrivateKey3.pvk" -spc maXboxCertAuth3.cer -pfx maXboxCertAuth3.pfx -pi password
Sign an executable
So it's time for the last step: sign our executable with another shell tool, signtool. /f names the PFX, /p its password, /tr an RFC 3161 timestamp server (so the signature stays valid after the certificate expires) and /td the digest used for the timestamp:
C:\maXbox\EKON_BASTA\EKON19\Windows Kits\10\bin\x64>signtool sign /f "maxboxsigner.pfx" /p "password" /tr http://tsa.starfieldtech.com /td SHA256 C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maxbox44.exe
Done Adding Additional Store
Successfully signed: C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maXbox44.exe
Note that /td only covers the timestamp; without /fd SHA256 signtool hashes the file itself with SHA-1, so add /fd SHA256 for a SHA-2 code signature. The password on the command line also ends up in the shell history, so prefer a certificate in the store (/n or /sha1) over /p on shared machines.
Certificate Store
Next I want to stress the certificate chain (not to be confused with a block chain, one of the next big things).
http://www.softwareschule.ch/download/maxbox_starter54.pdf
A certificate authority itself has a certificate with which it digitally signs all the certificates it issues. My machine (and pretty much everyone's) has a store of the certificates (see first picture) of these different certificate authorities.
The computer then knows that if it sees any certificate signed by one of these trusted CA certificates (directly, or through an intermediate that chains up to one), it should trust that certificate. That is also why importing our self-signed CA_crt.pem into the Trusted Root store is a decision with consequences: from then on the machine trusts every certificate that CA key signs, so the CA private key has to stay encrypted and away from the machines that trust it.
Regex Test EXAMPLE: Mail Finder
procedure delphiRegexMailfinder;
begin
  // Initialize a test string to include some email addresses. This would normally be your eMail.
  TestString:= '<one@server.domain.xy>, another@otherserver.xyz';
  PR:= TPerlRegEx.Create;
EXAMPLE: HTTP RegEx[ ]
% cat get russian rouble rate - datafile
% cat grep-delphi-maXbox_datafile
Example: Classes
SUMMARY
OpenSSL Certificates
MS Crypto API Certificates
Certificate Store
https://maxbox4.wordpress.com/