
OpenSSL & MS Cryptography Service Provider
PKI Certificates with MS Crypto API & OpenSSL

Max Kleiner, 2017


Start with OpenSSL
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short, this is how it works:
http://www.softwareschule.ch/download/maxbox_starter47.pdf
Encryption with a private/public key pair ensures that data encrypted with one key can only be decrypted with the other key. The trick of a key pair is to keep one key secret (the private key) and to distribute the other key (the public key) to everybody.
Install OpenSSL
Nowadays, you do not have to worry too much about installing OpenSSL: most distributions use package management applications (see next).

maXbox Delphi System

www.softwareschule.ch/maxbox.htm
https://www.openssl.org/

The directory for all OpenSSL certificates is /var/ssl/.


OpenSSL by default looks for its configuration file in /usr/lib/ssl/openssl.cnf, so always pass -config /etc/openssl.cnf to commands such as openssl ca or openssl req.
THE COMMAND TOOL
OpenSSL includes a command line utility, openssl.exe, that can be used to perform a variety of cryptographic functions, like generating your machine certificate in [/CERT].
The libraries have no noteworthy dependencies: just copy both DLL files, libeay32.dll and ssleay32.dll, into your application directory.

Get the SSL binary download package:

https://indy.fulgan.com/SSL/openssl-1.0.2l-i386-win32.zip
Create the Certification Authority
To create a certification authority, use the following command after correctly editing openssl.cnf and opening openssl.exe of OpenSSL v1.0.2l:
CA.pl newca

The utility will ask you to select a certificate file to act as your CA certificate, or you are prompted to create one. Follow the steps to create one as an exercise.

Create a Root Certification Authority (self-signed)
First set a constant for the OpenSSL path:
Const
  OpenSSLPath = '..\pki2017\openssl-1.0.2l-i386-win32\';

2. Create the Root CA (private key pair; -des3 encrypts the key file with a passphrase)

ExecuteShell(OpenSSLPath+'openssl.exe',
  'genrsa -des3 -out '+OpenSSLPath+'./certs/CA_pvkmX42.pem 2048');

3. Check the key pair

rsa -in .\certs\CA_pvkmX42.pem -check
We sign with the private key to make a certificate for our CA
4. We generate CA_crt by signing with the CA private key, which makes the self-signed certificate of the CA
ExecuteShell(OpenSSLPath+'openssl.exe',
  'req -new -x509 -days 900 -key '+OpenSSLPath+'./certs/CA_pvkmX42.pem -out '+
  OpenSSLPath+'./certs/CA_crt.pem -config '+OpenSSLPath+'./openssl.cnf');

5. Check the certificate (CA_crt.pem is an X.509 certificate, not an RSA key, so inspect it with x509 instead of rsa -check)

x509 -in .\certs\CA_crt.pem -noout -text
Create a Host Cert key pair
Second, we need the host private key

6. Create the Host (private key pair)

ExecuteShell(OpenSSLPath+'openssl.exe',
  'genrsa -des3 -out '+OpenSSLPath+'./certs/host_pvkmX42.pem 2048');

7. Check the key

rsa -in .\certs\host_pvkmX42.pem -check

Create a Host Cert Request
From the host private key we generate a certificate signing request (CSR); the CA (machine certificate) signs that request in the next step.
8. Create the Host csr (certificate signing request)
ExecuteShell(OpenSSLPath+'openssl.exe',
  'req -new -key '+OpenSSLPath+'./certs/host_pvkmX42.pem -out '+
  OpenSSLPath+'./certs/host_csr.pem -config '+OpenSSLPath+'./openssl.cnf');

Enter a Common Name (CN), the main usage of the certificate: for instance www.max.org if you want to secure the website www.max.org, or max@max.org if you want to use it to secure e-mails.
Sign and create the Host Cert
We let the CA sign the host certificate request (machine certificate); the output is the wanted host_crt.pem
9. Create the Host Cert as a web certificate

ExecuteShell(OpenSSLPath+'openssl.exe',
  'ca -out '+OpenSSLPath+'./certs/host_crt.pem -in '+OpenSSLPath+'./certs/host_csr.pem -cert '+
  OpenSSLPath+'./certs/CA_crt.pem -keyfile '+OpenSSLPath+'./certs/CA_pvkmX42.pem -config '+
  OpenSSLPath+'./openssl.cnf');

Verify CA and Host Cert
10. We verify the certificate chain (the file to verify is the host certificate host_crt.pem, not the private key)

ExecuteShell(OpenSSLPath+'openssl.exe',
  'verify -verbose -CAfile certs/CA_crt.pem -CApath certs certs/host_crt.pem');

Or
writeln(getDosOutput('openssl.exe verify -verbose -CAfile certs/CA_crt.pem -CApath certs certs/host_crt.pem',
  OpenSSLPath));

Convert to PKCS#12
Convert a PEM certificate file and its private key to PKCS#12 (.pfx/.p12); you get a single file that you can import into the Windows certificate store by double-clicking it. The -certfile option adds the CA certificate so that the chain travels with the bundle.

ExecuteShell('cmd.exe', '/k '+OpenSSLPath+'openssl.exe '+
  'pkcs12 -export -out '+OpenSSLPath+'./certs/CERT_PFX.pfx -inkey '+
  OpenSSLPath+'./certs/host_pvkmX42.pem -in '+OpenSSLPath+'./certs/host_crt.pem -certfile '+
  OpenSSLPath+'./certs/CA_crt.pem');

THE TEST OVERVIEW
OpenSSL precompiled binaries for Win32 test (hash the downloaded files):
sr:= loadfromfile(OpenSSLExe+'\openssl.exe');
writeln('openssl.exe sha256: '+getSHA256(sr));
sleep(500);
writeln('openssl.exe sha1: '+SHA1(OpenSSLExe+'\openssl.exe'));

sr:= loadfromfile(OpenSSLExe+'\ssleay32.dll');
writeln('ssleay32.dll sha256: '+getSHA256(sr));

sr:= loadfromfile(OpenSSLExe+'\libeay32.dll');
writeln('libeay32.dll sha256: '+getSHA256(sr));
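The test above only prints the digests of the three binaries. As an added example, not from the deck or the maXbox project, the following POSIX shell script turns that into a pin check: each file's SHA-256 is computed with openssl dgst and compared with an expected value, and the check fails on the first mismatch or missing file. It assumes openssl on PATH; the digests in the pin table are placeholders, because the page publishes no values for the openssl-1.0.2l-i386-win32.zip files.

```shell
#!/bin/sh
# Added example, not from the maXbox deck: verify downloaded OpenSSL binaries
# against pinned SHA-256 digests before copying them next to the application.
# Uses "openssl dgst" so it works without sha256sum; pins below are placeholders.
set -eu

file_sha256() {
  # Print the lowercase hex SHA-256 of a file ("-r" prints "<hex> *<file>").
  openssl dgst -sha256 -r "$1" | awk '{print $1}'
}

check_pinned() {
  # $1 = file, $2 = expected hex digest. Exit status 0 on match, 1 on mismatch.
  actual="$(file_sha256 "$1")"
  if [ "$actual" = "$2" ]; then
    echo "OK   $1"
    return 0
  fi
  echo "FAIL $1: expected $2, got $actual" >&2
  return 1
}

# Constructed pin table for the files the deck copies into the application
# directory. The page gives no digests for openssl-1.0.2l-i386-win32.zip, so
# these are placeholders: fill them in from the distributor's published list.
PINS='openssl.exe  <fill-in-sha256-from-distributor>
ssleay32.dll <fill-in-sha256-from-distributor>
libeay32.dll <fill-in-sha256-from-distributor>'

check_all() {
  # $1 = directory holding the binaries. Fails (exit 1) on the first mismatch
  # or missing file, so a tampered or truncated download is never used.
  dir="$1"
  printf '%s\n' "$PINS" | while read -r name digest; do
    [ -f "$dir/$name" ] || { echo "MISSING $dir/$name" >&2; exit 1; }
    check_pinned "$dir/$name" "$digest" || exit 1
  done
}

# Usage: sh pin_check.sh /path/to/openssl-dir   (after filling in the pin table)
if [ $# -eq 1 ]; then
  check_all "$1"
fi
```

The comparison is done on the whole hex string, so a pin copied with a trailing space or in upper case fails closed rather than silently passing; normalise the published values before pasting them in.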

Process Overview
// we generate the private key pair of the CA:
1. openssl genrsa -des3 -out ./MyDemo/certs/CA_pvk.pem 2048
// we generate CA_crt: sign with the private key to make the certificate of the CA
2. openssl req -new -x509 -days 365 -key ./MyDemo/certs/CA_pvk.pem -out ./MyDemo/certs/CA_crt.pem -config ./openssl.cnf

// we need the host private key
3. openssl genrsa -des3 -out ./MyDemo/crl/host_pvk.pem 2048
// we create the host certificate request and let the CA (machine certificate) sign it
4. openssl req -new -key ./MyDemo/crl/host_pvk.pem -out ./MyDemo/crl/host_csr.pem -config ./openssl.cnf
5. openssl ca -out ./MyDemo/crl/host_crt.pem -in ./MyDemo/crl/host_csr.pem -cert ./MyDemo/certs/CA_crt.pem -keyfile ./MyDemo/certs/CA_pvk.pem -config ./openssl.cnf
// we verify the certificate chain
6. openssl verify -verbose -CAfile ./MyDemo/certs/CA_crt.pem -CApath ./MyDemo ./MyDemo/crl/host_crt.pem
the result is: ./MyDemo/crl/host_crt.pem: OK
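The step-by-step maXbox script earlier in the deck and this Process Overview describe the same procedure. As an added example that is not from the deck or from maXbox, here it is as one POSIX shell script, including a minimal openssl.cnf (the deck edits the stock file but never shows the CA section that openssl ca depends on) and the PKCS#12 export from the earlier slide. Assumptions: openssl 1.1.0 or later on PATH; -des3 replaced by -aes256; the CA name, the host name www.max.org and the passphrases are constructed demo values; and a final check with -no-CAfile/-no-CApath is added to show that the same host certificate is rejected when the issuing CA is not in the trust set.

```shell
#!/bin/sh
# Added example, not from the maXbox deck: deck steps 1-6 plus the PKCS#12 export
# as one POSIX shell script. Assumes openssl >= 1.1.0 on PATH; file names follow
# the Process Overview; passphrases and names are constructed demo values.
set -eu

CA_PASS="${CA_PASS:-demo-ca-pass}"        # constructed, replace in real use
HOST_PASS="${HOST_PASS:-demo-host-pass}"  # constructed, replace in real use

write_config() {
  # Minimal openssl.cnf with what "openssl ca" needs: database, serial, CA
  # key/cert locations, a DN policy, and the extensions for each certificate type.
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca             = demo_ca

[ demo_ca ]
dir                    = $1
database               = \$dir/index.txt
new_certs_dir          = \$dir/newcerts
serial                 = \$dir/serial
certificate            = \$dir/certs/CA_crt.pem
private_key            = \$dir/certs/CA_pvk.pem
default_md             = sha256
default_days           = 365
policy                 = policy_cn_only
x509_extensions        = host_ext

[ policy_cn_only ]
commonName             = supplied

[ req ]
distinguished_name     = req_dn
prompt                 = no

[ req_dn ]

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ host_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.max.org
authorityKeyIdentifier = keyid
EOF
}

build_pki() {
  # $1 = working directory. Creates CA key + cert, host key, CSR, signed host
  # cert and the .pfx bundle (deck steps 1-5 and the PKCS#12 slide).
  d="$1"
  mkdir -p "$d/certs" "$d/newcerts"
  : > "$d/index.txt"        # empty issued-certificate database
  echo 1000 > "$d/serial"   # next serial number (hex)
  write_config "$d"
  # 1. CA private key, encrypted at rest (the deck uses -des3; AES-256 here)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$d/certs/CA_pvk.pem" 2048
  # 2. self-signed CA certificate carrying CA:TRUE and keyCertSign
  openssl req -new -x509 -days 365 -key "$d/certs/CA_pvk.pem" -passin "pass:$CA_PASS" \
    -subj "/CN=Demo Root CA" -extensions ca_ext -config "$d/openssl.cnf" \
    -out "$d/certs/CA_crt.pem"
  # 3. host private key
  openssl genrsa -aes256 -passout "pass:$HOST_PASS" -out "$d/certs/host_pvk.pem" 2048
  # 4. certificate signing request; the CN is the site name
  openssl req -new -key "$d/certs/host_pvk.pem" -passin "pass:$HOST_PASS" \
    -subj "/CN=www.max.org" -config "$d/openssl.cnf" -out "$d/certs/host_csr.pem"
  # 5. the CA signs the request (-batch skips the interactive confirmation)
  openssl ca -batch -notext -config "$d/openssl.cnf" \
    -cert "$d/certs/CA_crt.pem" -keyfile "$d/certs/CA_pvk.pem" -passin "pass:$CA_PASS" \
    -in "$d/certs/host_csr.pem" -out "$d/certs/host_crt.pem"
  # PKCS#12 bundle of host key + host cert + CA cert for import into a Windows store
  openssl pkcs12 -export -inkey "$d/certs/host_pvk.pem" -passin "pass:$HOST_PASS" \
    -in "$d/certs/host_crt.pem" -certfile "$d/certs/CA_crt.pem" \
    -passout "pass:$HOST_PASS" -out "$d/certs/CERT_PFX.pfx"
}

verify_chain() {
  # Deck step 6: exit 0 only if host_crt.pem chains to CA_crt.pem.
  openssl verify -CAfile "$1/certs/CA_crt.pem" "$1/certs/host_crt.pem"
}

verify_untrusted() {
  # Without the CA in the trust set the same certificate must be rejected:
  # returns 0 if openssl refuses it, 1 if it wrongly accepts it.
  if openssl verify -no-CAfile -no-CApath "$1/certs/host_crt.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

main() {
  d="$(mktemp -d)"
  build_pki "$d"
  verify_chain "$d"    # prints ".../host_crt.pem: OK"
  verify_untrusted "$d" || { echo "certificate accepted without its CA" >&2; exit 1; }
  openssl x509 -in "$d/certs/host_crt.pem" -noout -subject -ext subjectAltName
}
main
```

Two details are worth noting against the deck's version: openssl ca will not run without the index.txt, serial and new_certs_dir entries the configuration supplies, and the host certificate gets a subjectAltName because current browsers ignore the CN for host name matching.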
MS Crypto API
We do this with a tool from MS called makecert. Most certificates in common use are based on the X.509 v3 certificate standard. First I open the shell with the MS SDK:
C:\maXbox\EKON_BASTA\EKON19\Windows Kits\10\bin\x64>
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin> makecert -n "CN=maXboxCertAuth" -cy authority -a sha1 -sv "maXboxPrivateKey3.pvk" -r "maXboxCertAuth3.cer"
Succeeded
(-a sha1 selects SHA-1 as the signature hash; SHA-1 is deprecated for signing, and newer SDK versions of makecert accept -a sha256.)
Sign Key for Digital Signing
Ref: maxbox_digital_signature_report.pdf

Next we create the second certificate, with the purpose of signing all the files we want. In our case, you remember, we want to sign an executable:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>makecert -n "CN=maXbox3signer" -ic maxboxcertauth3.cer -iv maXboxprivatekey3.pvk -a sha1 -sky exchange -pe -sv maxbox3signerprivatekey.pvk maxboxsigner.cer
Succeeded
COMMONLY USED PFX:

You need both the public and private keys for an official SSL certificate to function. So, if you need to transfer your SSL certificates from one server to another, you need to export them as a .pfx file. Now we generate that as well with the shell:

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin>pvk2pfx -pvk "maXboxPrivateKey3.pvk" -spc maXboxCertAuth3.cer -pfx maXboxCertAuth3.pfx -pi password

Sign an executable
So it's time to make the last step, namely to sign our executable with another shell tool called signtool:
C:\maXbox\EKON_BASTA\EKON19\Windows Kits\10\bin\x64>signtool sign /f "maxboxsigner.pfx" /p "password" /tr http://tsa.starfieldtech.com /td SHA256 C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maxbox44.exe
Done Adding Additional Store
Successfully signed: C:\maxbox\maxbox3\work2015\maxbox3digisign_certificates\maXbox44.exe
Certificate Store
Next I want to stress the chain of certificates (blockchain is one of the next big things).
http://www.softwareschule.ch/download/maxbox_starter54.pdf
A certificate authority itself has a certificate with which it digitally signs all the certificates it issues. My machine (and pretty much everyone's) has a store of the certificates (see first picture) of these different certificate authorities.
The computer then knows that if it sees any certificate that has been signed by one of these trusted certificate authorities' certificates, then the machine should trust that certificate.
Regex Test EXAMPLE: Mail Finder
procedure delphiRegexMailfinder;
var
  TestString: string;
  PR: TPerlRegEx;
begin
  // Initialize a test string to include some email addresses. This
  // would normally be your eMail.
  TestString:= '<one@server.domain.xy>, another@otherserver.xyz';
  PR:= TPerlRegEx.Create;
  try
    PR.RegEx:= '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b';
    PR.Options:= PR.Options + [preCaseLess];
    PR.Compile;
    PR.Subject:= TestString; // <-- tell PR where to look for matches
    if PR.Match then begin
      WriteLn(PR.MatchedText); // Extract first address
      while PR.MatchAgain do
        WriteLn(PR.MatchedText); // Extract subsequent addresses
    end;
  finally
    PR.Free;
  end;
  //Readln;
end;

EXAMPLE: HTTP RegEx
% cat get russian rouble rate - datafile

// russTemplate is the rate-matching regular expression constant defined elsewhere in the script
procedure getHttpREGEX(Sender: TObject);
var
  http1: TIDHTTP;
  htret: string;
begin
  http1:= TIDHTTP.Create(self);
  try
    htret:= http1.Get('http://win.www.citycat.ru/finance/finmarket/_CBR/');
    //writeln(htret);
    with TRegExpr.Create do try
      Expression:= russTemplate;
      if Exec(htret) then begin
        //if output success
        writeln(Format('Russian rouble rate at %s.%s.%s: %s',
          [Match[2], Match[1], Match[3], Match[4]]));
      end;
      //writeln(dump)
    finally Free;
    end;
  finally
    http1.Free; // release the HTTP client even if the request raises
  end;
  //text2html
  //writeln('deco: '+#13+#10+DecorateURLs(htret,[durlAddr, durlPath]))
end;
EXAMPLE: Extract Phones (city code 812)

% cat grep-delphi-maXbox_datafile

procedure ExtractPhones(const AText: string; APhones: TStrings);
begin
  with TRegExpr.Create do try
    Expression := '(\+\d*)?(\((\d+)\)*)?(\d+(-\d*)*)';
    if Exec(AText) then
      repeat
        if Match[3] = '812' then // group 3 is the bracketed city code
          APhones.Add(Match[4]);
      until not ExecNext;
  finally Free;
  end;
end;

writeln('Formula Gauss : '+floatToStr(maXcalc('1/SQRT(2*PI*3^2)*EXP((-0.0014^2)/(2*3^2))')));
Regex Atoms
An atom specifies what text is to be matched and where
it is to be found.

Example: Classes

SUMMARY
OpenSSL Certificates
MS Crypto API Certificates



Regex Test Examples

Certificate Store

https://maxbox4.wordpress.com/
