Eric Winfly (posted July 14):
I use TSslCertTools for generating a key pair and certificate CSR, but I have a problem with the Subject variable: I can't find a way to specify GN= and SN=, because I only see the general variables, like this:

TSslCertTools *Tool = new TSslCertTools(NULL);
Tool->CommonName = "Common Name";
Tool->Organization = "Org";
Tool->OrgUnit = "Org Unit";
Tool->Locality = "Montreal";
Tool->State = "QC";
Tool->Country = "CA";

I have searched all the source code for an Extended option or a Subject line to specify my own data, but found nothing?
Angus Robertson (posted July 15):
You should look at the OverbyteIcsPemtool sample; the 'New Certificate Properties' tab has settings for all the subject items, basic and extended usage, key usage, etc. However, these settings are primarily for server and computer certificates. If you need givenName and surName, I assume you are getting personal certificates from somewhere?
Angus
Eric Winfly (posted July 15):
I only see GetNameEntryByNid(TRUE, NID_givenName) in ListCertDetail, but I see nothing about the opposite, e.g. a SetNameEntryByNid(TRUE, NID_givenName, String) example? I found no edit box or other related component in the PemTool sample. Can you copy some code for setting the givenName and surName? This is the only thing I need for my cert request. And yes, the calling server returns me the signed certificate, but it asks for these 2 subject items.
Thanks, Eric
Kas Ob. (posted July 15):
52 minutes ago, Eric Winfly said:
"I only see GetNameEntryByNid(TRUE, NID_givenName) in ListCertDetail, but I see nothing about the opposite, e.g. a SetNameEntryByNid(TRUE, NID_givenName, String) example?"

I highly recommend using OIDs instead of NIDs: they are documented, there are many internet resources and databases that populate them, and, most important, you can find the needed entry by its OID from any certificate or CSR. On this page there are a few lines on how to convert an OID in its text syntax into an OBJ: https://docs.openssl.org/1.0.2/man3/OBJ_nid2obj/#examples . Then use the OBJ instead of the NID, as there are equivalent APIs for each of them.

Also an important note here: "Set" might not act as "Add", and I can't find details about this, but if there is an Add then it should be used, rather than depending on Set.

Translated from C++, this code might work; I say might, as I didn't test it, just translated it:

// Create an ASN1_OBJECT for the givenName OID 2.5.4.42 (no_name = 1: accept only the dotted numeric form)
objGivenName := OBJ_txt2obj(PAnsiChar(AnsiString('2.5.4.42')), 1);
if objGivenName = nil then
  raise Exception.Create('Failed to create ASN1_OBJECT for givenName(2.5.4.42)');
try
  // Append a new RDN (loc = -1, set = 0) holding the ASCII string 'John'; the call returns 1 on success
  if X509_NAME_add_entry_by_OBJ(name, objGivenName, MBSTRING_ASC, PBYTE(AnsiString('John')), -1, -1, 0) <> 1 then
    raise Exception.Create('X509_NAME_add_entry_by_OBJ failed for givenName(2.5.4.42)');
finally
  ASN1_OBJECT_free(objGivenName);
end;

Now, as a suggestion for Angus: it might be useful to add generic functions for this. This will be future proof, allowing any non-essential entries or exotic objects to be added or enumerated; in other words, it allows customization in its purest way.

It could use NID, text and OID: implement it once, and it can be used whenever a request like this pops up. Then the solution is easy: find the OID (or text) for the entry, then add it or read it using the custom entry access.

givenName = 2.5.4.42
surname = 2.5.4.4
https://oid-base.com/cgi-bin/display?oid=2.5.4.4&submit=Display&action=display
https://oid-base.com/cgi-bin/display?oid=2.5.4.42&submit=Display&action=display

Using NIDs is also nice, but only if the NID is already known and declared in the OpenSSL Pascal headers, so it will be limited.
Angus Robertson (posted July 15):
The PemTool sample does not have edit boxes for surname or given name, because you are the first to request them. Most personal certificates are issued for email addresses, not people. I'd like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them:

AddNameEntryByTxt(SubjName, 'GN', MyGN);
AddNameEntryByTxt(SubjName, 'SN', MySN);

I will do this in the next week or so.
Angus
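Kas Ob.'s OID-based call and Angus's AddNameEntryByTxt lines both add the two attributes from inside ICS. The following is an added example, not code from this thread or from ICS: it builds a CSR with the same subject using only the openssl command-line tool, then reads the subject back and checks the CSR's own signature. It assumes openssl (1.1 or later) is on the PATH; the key, the minimal config file and the subject values are constructed for the example. The GN and SN short names are OpenSSL's names for the OIDs Kas Ob. listed (2.5.4.42 givenName and 2.5.4.4 surname), and -subj also accepts the numeric form, e.g. /2.5.4.42=Eric/2.5.4.4=Winfly.

```shell
#!/bin/sh
# Added example (not ICS code): a CSR whose subject carries GN (givenName, 2.5.4.42)
# and SN (surname, 2.5.4.4), built and inspected with the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/req.cnf"

# Minimal config so 'openssl req' does not depend on a system openssl.cnf.
# The [dn] entry is a placeholder; -subj below replaces the whole subject.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# P-256 key pair (the key type that shows up later in the thread).
make_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem" 2>/dev/null
}

# Build the CSR. -subj takes /SHORTNAME=value/...; GN and SN are the same short
# names the thread's AddNameEntryByTxt(SubjName, 'GN', ...) calls pass to OpenSSL.
make_csr() {
    openssl req -config "$CONF" -new -key "$WORK/key.pem" -sha256 \
        -subj "/C=CA/ST=QC/L=Montreal/O=Org/OU=Org Unit/CN=Common Name/GN=Eric/SN=Winfly" \
        -out "$WORK/req.csr" 2>/dev/null
}

# Print the CSR subject in RFC 2253 form, e.g. subject=SN=Winfly,GN=Eric,CN=Common Name,...
csr_subject() {
    openssl req -config "$CONF" -in "$WORK/req.csr" -noout -subject -nameopt RFC2253
}

# Return 0 if the subject contains the given attribute=value pair (constructed check).
csr_has_attr() {
    csr_subject | grep -q -- "$1"
}

# Check the CSR's self-signature: proves it was signed by the key whose public
# half it carries, which is what a CA checks before issuing.
csr_verify() {
    openssl req -config "$CONF" -in "$WORK/req.csr" -noout -verify >/dev/null 2>&1
}

make_key
make_csr
csr_subject
```

Reading the subject back with -nameopt RFC2253 is the CLI equivalent of the thread's GetNameEntryByNid check: if GN=Eric and SN=Winfly are not in that line, the attributes never made it into the request, whatever the generating code reported.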
Eric Winfly (posted July 15):
3 hours ago, Angus Robertson said:
"The PemTool sample does not have edit boxes for surname or given name, because you are the first to request them. Most personal certificates are issued for email addresses, not people. I'd like to see an example with names. You should be able to add a couple of lines in TSslCertTools.DoCertReqProps, plus the properties to add them:
AddNameEntryByTxt(SubjName, 'GN', MyGN);
AddNameEntryByTxt(SubjName, 'SN', MySN);
I will do this in the next week or so. Angus"

Hi, I added it to the source and built the package; it works fine now, thanks! As for the use of names (GN, SN): I work on a project for the Quebec government, and they ask me to put some parameters in this before signing my cert. I don't think it's a standard 😛
Angus Robertson (posted July 15):
Do those new names end up in the certificate itself, or are they only used for validation? If in the certificate, could you please email a PEM, so I can check we report it correctly.
Angus
Eric Winfly (posted July 15):
Only used by them to validate the user who tries to connect to the server, before they return the real certificate.
Eric Winfly (posted July 22):
Does the SslTool have a method for saving a cert to the Windows store? I see many methods have code for TMsCertTools, but I'm not sure if I have access to it with the C++ package, or if I need to define the MSCRYPT_Tool variable? How can I easily load my cert with its pkey and store it in the Windows store?
Angus Robertson (posted July 22):
I assume from your earlier message you are using C++, not Delphi. Our support for C++ is very limited, since I have zero knowledge of it. Earlier testing gave C++ errors I've been unable to fix when trying to build the OverbyteIcsMsSslUtils unit needed for access to the Windows store, so there are defines to prevent it being built for C++ and allow the rest of the units to work. To attempt to build the unit, you'll need to remove some defines from the bottom of the OverbyteIcsDefs.inc unit and fix the C++ errors. Please let me know if you fix it.

BTW, your new Distinguished Name properties are now in SVN, with a couple of other new ones.
Angus
Eric Winfly (posted July 22):
Without trying to repair this unit, can I store my cert in the Windows store (add, delete)? Thanks for the addition!
Angus Robertson (posted July 23):
ICS cannot access the Windows Certificate Store without the OverbyteIcsMsSslUtils unit, and it will not build for C++ without changes. But any ICS passworded PKCS12 file can be installed manually into the Windows store using Microsoft utilities.
Angus
Eric Winfly (posted Wednesday at 03:22 PM):
Everything works fine. Now I need to sign data with my public key, but the function tells me no RSA key found?

TSslCertTools *Tool = new TSslCertTools(NULL);
String DataEnc;
Tool->LoadFromPemFile("Certificat.pem");
DataEnc = String(StrEncRsa(Tool->X509PublicKey, Data, true));
return (DataEnc);

Can somebody help, or do I need to create a new post?
Kas Ob. (posted Wednesday at 03:32 PM):
Until Angus answers you, and if we are still talking about the CSR: you sign with your private key, not your public key. Fact: RSA can only sign with a private key; in this case you must use the same key that is included in the CSR itself.
Kas Ob. (posted Wednesday at 03:34 PM):
Just now, Kas Ob. said:
"Fact: RSA can only sign with a private key; in this case you must use the same key that is included in the CSR itself."

Bad wording 😭 Fact: RSA can only sign with a private key; in this case you must use the same key whose public key is included in the CSR itself.
Angus Robertson (posted Wednesday at 03:39 PM):
You encode with a private key and decode with a public key. StrEncRsa is not an ICS function I'm aware of. Signing does not encode data; it generates a signature digest of that data to check it's not corrupted. The ICS Jose unit contains many signing-related functions, ditto the Jose sample.
Angus
Eric Winfly (posted Wednesday at 03:53 PM):
I'm not an expert on certificates and signing. To explain my situation: I created a CSR, then I sent it over to the server (government) and it returned my certificate, which I wrote to a PEM file (it contains the certificate and the private key). Now I communicate with the server using this cert in my comms with RESTClient; sounds good! Now I need to send a JSON request and add some signed data to its structure, but I found no other way to do this than with StrEncRsa. Can someone help me find the right way? (The sample project from the government is built in C#, and it uses the Microsoft SignData function.)
Eric Winfly (posted Wednesday at 03:58 PM, edited):
For information, I found my public key, but it's an ECDSA public key; is that the problem?

Quote:
Issued to (CN): 5678912340, (O): RBC, (OU): 5678912340TQ0001
Issuer (CN): CNFR - Autorite de certification subordonnee pour MW - 2023
Expires: 2030-08-13T15:24:15, Signature: ecdsa-with-SHA256
Valid From: 2025-08-13T15:24:15, Serial Number: 05f780a119555c06d2b1c88e5b5ec43b5a5222fd
Fingerprint (sha256): f9d8ac2ec3ac81bf1b11f9f0e0f9df57be14abbb885d24ce629015808a0baa11
Public Key: ECDSA Key Encryption prime256v1 256 bits, 256 security bits
-----BEGIN CERTIFICATE-----
MIICKzCCAdGgAwIBAgIUBfeAoRlVXAbSsciOW17EOypSIv0wCgYIKoZIzj0EAwIw
RjFEMEIGA1UEAxM7Q05GUiAtIEF1dG9yaXRlIGRlIGNlcnRpZmljYXRpb24gc3Vi
b3Jkb25uZWUgcG91ciBNVyAtIDIwMjMwHhcNMjUwODEzMTUyNDE1WhcNMzAwODEz
MTUyNDE1WjCBkTEVMBMGA1UEBBMMQ2VydGlmaWNhdCBBMQ8wDQYDVQQqEwZFUjAw
MDExDzANBgNVBAcTBi0wNTowMDELMAkGA1UEBhMCQ0ExDDAKBgNVBAoTA1JCQzEL
MBkGA1UECBMCUUMxGTAXBgNVBAsTEDU2Nzg5MTIzNDBUUTAwMDExEzARBgNVBAMT
CjU2Nzg5MTIzNDAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQj49oXOj5v5The
RzNVckQK3qfjvzFVA0i4TuNO1WZq40gJohtawaD6jplqqP60sfLlfjWAsH3tpe5f
XQyUcl4zo1EwTzATBgNVHSUEDDAKBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBsAw
CQYDVR0TBAIwADAdBgNVHQ4EFgQU15e99wCNpWd1TcB6VYoWfuC7zJIwCgYIKoZI
zj0EAwIDSAAwRQIhAKYfBrZamniK282q6q0Wr7AyXqOl4CmEFFHAASK0B1sjAiBv
ULMalTKS5dU8rBgEkiVMl844Z5e603vHGQS9M9VHhw==
-----END CERTIFICATE-----

Edited Wednesday at 04:07 PM by Eric Winfly
Kas Ob. (posted Wednesday at 04:05 PM):
7 minutes ago, Eric Winfly said:
"For information, I found my public key, but it's an ECDSA public key; is that the problem?"

Delete that! Never post your private key.
Eric Winfly (posted Wednesday at 04:09 PM):
2 minutes ago, Kas Ob. said:
"Delete that! Never post your private key."

It's only a test certificate, and the private key is not used for real (also, I changed some letters in this sample 🙂
Kas Ob. (posted Wednesday at 04:14 PM):
4 minutes ago, Eric Winfly said:
"It's only a test certificate, and the private key is not used for real (also, I changed some letters in this sample 🙂"

You gave me a heart attack! I am sorry, I don't read French 🙂
Kas Ob. (posted Wednesday at 04:19 PM):
17 minutes ago, Eric Winfly said:
"Expires: 2030-08-13T15:24:15, Signature: ecdsa-with-SHA256
Valid From: 2025-08-13T15:24:15, Serial Number: 05f780a119555c06d2b1c88e5b5ec43b5a5222fd"

This is wrong.

24 minutes ago, Eric Winfly said:
"Can someone help me find the right way?"

I believe ICS has everything you need; switching between RSA and ECDSA signing should be viable and easy, so check the ICS demos.
Angus Robertson (posted Wednesday at 04:43 PM):
As I said before, run the Jose sample. It allows you to create key pairs in several formats, then sign and check data in several ways, using various Jose formats. It does not do any encryption, which is rare for REST requests since they are encrypted with SSL/TLS.
Angus
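The signing points made by Kas Ob. and Angus above (you sign with the private key whose public half is in the CSR or certificate; a signature is a separate digest value, the data itself is not encoded; the same flow applies to an ECDSA P-256 key like the one in the certificate posted earlier) can be seen end to end with the openssl command-line tool. This is an added example, not code from this thread or from ICS; it assumes openssl is on the PATH, and the key pair and the JSON payload are constructed for the example.

```shell
#!/bin/sh
# Added example (not ICS code): sign a JSON payload with an ECDSA P-256 private key
# (ecdsa-with-SHA256, as in the thread's certificate) and verify it with the public key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample payload standing in for the REST request body.
printf '%s' '{"id":"5678912340","amount":"12.50"}' > "$WORK/data.json"

# Private key, plus the public key extracted from it (what a verifier would take
# from the certificate).
make_keys() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# Sign with the PRIVATE key. The output is a DER-encoded ECDSA signature over
# SHA-256(data); printed base64 so it can be carried as a JSON string field.
# The payload file is untouched: signing adds a value, it does not transform the data.
sign_data() {
    openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$WORK/data.sig" "$WORK/data.json"
    openssl base64 -A -in "$WORK/data.sig"
}

# Verify with the PUBLIC key. $1 is the payload file to check; exit 0 means the
# signature matches that exact payload ("Verified OK").
verify_data() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/data.sig" "$1" >/dev/null 2>&1
}

# Trying to sign with the public key is refused: there is no private key in it.
# Returns 0 when openssl rejects the attempt, which is the expected outcome.
sign_with_pubkey_fails() {
    ! openssl dgst -sha256 -sign "$WORK/pub.pem" "$WORK/data.json" >/dev/null 2>&1
}

# Change one character of the payload and verify again; returns 0 when the
# verifier rejects the altered data, showing what the signature protects.
tampered_is_rejected() {
    printf '%s' '{"id":"5678912340","amount":"92.50"}' > "$WORK/tampered.json"
    ! verify_data "$WORK/tampered.json"
}

make_keys
SIG_B64="$(sign_data)"
echo "signature (base64): $SIG_B64"
```

Switching the key to RSA changes nothing in the calling sequence: openssl dgst picks the signature algorithm from the key type, which is why the ICS demos can offer RSA and ECDSA signing side by side. The server in the thread only needs the public key (from the issued certificate) to run the -verify side.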