digital-signature

Adding external PKCS1 byte array and Certificate to CMS container with Java

末鹿安然 提交于 2019-12-07 09:41:36
问题 We have client applications (Applets and Silverlight) that create a PKCS1 v2.1 digital signature. The digital signature is created as PKCS1 since the original content is not downloaded to the client, only the contents' hash is sent to the client to conserve bandwidth. We are attempting to create a PKCS7/CMS container server side, based on the information from this post: Reading certificate and loading as X509Certificate type Reading PKCS1 signature as base64 and loading as byte array

Authenticity and Integrity of HTTP Requests

让人想犯罪 __ 提交于 2019-12-07 08:02:30
问题 I have an API endpoint where external websites can submit a POST request. What would be the best method to make sure the requests are authentic and also are not tampered with, so they respect the principle of integrity ? Since the data is not valuable such as credit card information, I do not require HTTPS integration. I have had a look at both HMACs and Digital Signatures, and I believe the second option would be better, yet I am unsure if this is the way to go? Similarly, would hashing the

How to convert phpseclib's CRYPT_RSA_SIGNATURE_PKCS1 to node

旧巷老猫 提交于 2019-12-07 07:28:51
问题 How to convert PHP's $rsa->verify function to node? I used the crypto's verify function like this: const crypto = require('crypto'); const verify = crypto.createVerify('RSA-SHA256'); verify.update('some data to sign'); const public_key = getPublicKeySomehow(); const signature = getSignatureToVerify(); console.log(verify.verify(public_key, signature)); But it always return false. When I run my data and the signature through php it returns true! Any idea what I might be doing wrong? The php

BouncyCastle does not find algorithms that it provides?

为君一笑 提交于 2019-12-07 07:10:25
问题 I'm playing around with BouncyCastle 1.46 To my surprise, the catch-block in the snippet below is tripped quite often. Security.addProvider(new BouncyCastleProvider()); final Set<String> found = new HashSet<String>(); final Set<String> missing = new HashSet<String>(); final DefaultSignatureAlgorithmIdentifierFinder finder = new DefaultSignatureAlgorithmIdentifierFinder(); for (Service service : new BouncyCastleProvider().getServices()) { if ("Signature".equals(service.getType())) { final

JNLP get a permission

风格不统一 提交于 2019-12-07 04:47:06
问题 I recently stumbled across a problem when starting my application via JNLP. I now narrowed it down to a java.security.AccessControlException , which denies me to shut down my ExecuterService . So, I did some reading and found out that I'll need the permission ( modifyThread ) to successfully shut down the service. I also found out that I should use the <security> -tag (in the JNLP-file) to request it, but I'm a little confused about how. The documentation of the tag says: [...] If the all

bug? in codesign --remove-signature feature

跟風遠走 提交于 2019-12-07 01:59:36
问题 I would like to remove the digital signature from a Mac app that has been signed with codesign. There is an undocumented option to codesign, --remove-signature, which by it's name seems to be what I need. However, I can't get it to work. I realize it is undocumented, but I could really use the functionality. Maybe I'm doing something wrong? codesign -s MyIdentity foo.app works normally, signing the app codesign --remove-signature foo.app does disk activity for several seconds, then says foo

JWT Token Invalid Signature [duplicate]

寵の児 提交于 2019-12-07 01:50:53
问题 This question already has an answer here : PHP JWT Token Invalid Signature (1 answer) Closed 2 years ago . I am using JWT in my application for login authentication process. To generate the token I am using: Jwts.builder().setSubject(username).signWith(SignatureAlgorithm.HS512, MacProvider.generateKey()).compact(); Generated Token: eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJlaG91c2VAZGV2ZXJldXgub3JnIn0.5SX-aU-p_RlfC3CZa-YXnQu_YR7RsG2Xfim3LOmlqxjAZrIyZiz0fYZwViHr113ms8TNvngcJcV07U4hK-RBZQ When I decode

PDF digital signature verification fails on government document

心已入冬 提交于 2019-12-06 15:55:53
We're trying to validate the digital signature of a Dutch government agency (UWV Verzekeringsbericht) including the authenticity of the file. Adobe Acrobat Reader is able to validate this file correctly. With a small proof of concept application we're able to verify the authenticity of various kind of digitally signed PDFs: import com.itextpdf.text.pdf.AcroFields; import com.itextpdf.text.pdf.PdfReader; import com.itextpdf.text.pdf.security.PdfPKCS7; import org.bouncycastle.jce.provider.BouncyCastleProvider; import java.io.IOException; import java.security.GeneralSecurityException; import java

How do I read an embedded code signing signature in C++?

故事扮演 提交于 2019-12-06 15:32:20
I signed file with my digital signature, how can i read this signature from this file? Signature is trusted (Globalsign) . Encryption RSA/SHA1. Signed file is .exe First, you need to specify what kind of certificate you're dealing with. If you are talking about a CLI assembly, then you might be dealing with StrongName signatures, which are entirely different beasts designed to prevent name collisions in the CLR's global assembly cache. It sounds more like you want to read Authenticode signatures, which are used for both native and CLI applications. If you want to read the certificate itself,

How to validate and extract PKCS#7 file content on Windows (C#/C++)

放肆的年华 提交于 2019-12-06 15:06:48
With signtool I can create a PKCS#7 file with the following command signtool sign /p7 <output dir> /p7co 0 /tr <ts server> /td SHA256 /f <pfx file> /p <pass> /a myfile.zip I get a slightly larger file signed file with .p7 appended. I can then verify it with signtool verify /p7 myfile.zip.p7 But what is the recommended way to verify the signature with code and then extract the data? The WinVerifyTrustEx function works fine with PE files, but doesn't like P7 files. It returns 2148204800 ("No Signature was present in the subject"). signtool is not redistributable and it doesn't have an option to
订阅 digital-signature