Cryptography – Nextra

Hash Functions

Generally, when verifying a hash visually, you can simply look at the first and last four characters of the string.

SHA-1

Message digest
- 160 bit
Use cases
- Authentication by comparing the checksum of passwords
- File verification by comparing the checksum of files

Public Key Certificate

SSL/TLS

Certificate sent during TLS handshake is always in binary format (DER).

Check supported SSL/TLS versions in Java

SSLContext.getDefault().getSupportedSSLParameters().getProtocols();

// Output
TLSv1.3
TLSv1.2
TLSv1.1
TLSv1
SSLv3
SSLv2Hello

Resources
- An overview of the SSL/TLS handshake - IBM Documentation (opens in a new tab)
- Qualys SSL Labs - Projects (opens in a new tab)
  
  A range of SSL related tools and resources
- SSL and TLS Deployment Best Practices (opens in a new tab)

Mutual TLS

Extended Key Usage in extension might need to be set as TLS WWW client authentication.
HTTP
- curl
  - curl -v -s -G --key "$private.pem" --cert "$cert.pem" --cacert "$CA-chain.pem" https://<endpoint-supporting-GET>
- OpenSSL
  - openssl s_client -key "$private.pem" -cert "$cert.pem" -CAfile "$CA-cert.pem" -connect <host:port>
    
    TCP connection with TLS to the specified host and port
    
    Once connection established, the client can input HTTP request manually.
Resources
- Client Certificate Authentication (Part 1) (opens in a new tab)
- Client Certificate Authentication (Part 2) (opens in a new tab)

Java

Resources
- Additional information on Oracle's JDK and JRE Cryptographic Algorithms (opens in a new tab)
- Java Security Standard Algorithm Names (opens in a new tab)

Create a PKCS#12 TrustStore containing the CA certificate

keytool -importcert -noprompt \
    -storetype PKCS12 \
    -keystore "${CA-crt.p12}" \
    -storepass $TRUSTSTORE_PASSWORD \
    -alias $CA_KEYENTRY_ALIAS \
    -file "${CA-crt.pem}"

Janik Vonrotz - Create pkcs12 key- and truststore with keytool and openssl (opens in a new tab)

Convert a JKS KeyStore to PKCS#12 KeyStore

Note: private keys cannot be exported from a JKS KeyStore directly, the KeyStore has to be converted to a PKCS#12 KeyStore first.

keytool -importkeystore \
        -srckeystore <old-keystore-path> \
        -srcstoretype jks \
        -srcstorepass <old-keystore-password> \
        -destkeystore <new-keystore-path> \
        -deststoretype pkcs12 \
        -deststorepass <new-keystore-password>

Get a certificate in a PKCS#12 KeyStore

keytool -list -v -keystore <domain.p12> -storetype PKCS12 -storepass <EXPORT_PASSWORD>

Get the alias name of a PrivateKeyEntry in the KeyStore

keytool -list -v -keystore <domain.p12> -storetype PKCS12 -storepass <EXPORT_PASSWORD> | grep Alias

Get entries in the current JRE TrustStore

Default password: changeit

keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

or
keytool -list -v -cacerts -storepass changeit (Java SE 11+)

Get the content of a certificate of a service

keytool -printcert -v -sslserver <host:port>

Get the content of a certificate of a service in PEM format

keytool -printcert -v -rfc -sslserver <host:port>

Get/Validate the content of a local certificate

keytool -printcert -v -file "$domain-crt.pem"/"$domain-crt.der"

Get the content of a CSR / Validate a CSR file

keytool -printcertreq -v -file <csr.pem>

Import a CA certificate (DER) into the JRE TrustStore

keytool -importcert -alias <entry_alias> -cacerts -storepass <truststore-password:changeit> -file <CA-crt.der>

Import a certificate (DER) into a Keystore

keytool -importcert -keystore <keystore-file> -storepass <keystore-password:changeit> -storetype <PKCS12 / JKS> -alias <unique-alias> -file "$domain-crt.der" -noprompt

Delete an entry from a Keystore

keytool -delete -alias <alias> -keystore <domain-crt.p12> -storetype <PKCS12 / JKS> -storepass <password>

Export a certificate (DER format) from a Keystore

keytool -exportcert \
  -keystore $keystore \
  -storetype $store_type \
  -storepass $keystore_password \
  -alias $alias \
  -file $target_der_file

Java cryptography libraries

Bouncy Castle (opens in a new tab)
- Bouncy Castle - Java Cryptography APIs (opens in a new tab)

OpenSSL

Generate a private key

# Use `ed25519` algorithm
openssl genpkey -algorithm ED25519 > "$private.pem"

# Use `RSA` algorithm with `2048` bits
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 > "$private.pem"

Get the public key of the given private key

Can be used to verify if a private key matches a public key

openssl pkey -in "$private.pem" -pubout -out "$public.pem"

cat "$private.pem" | openssl pkey -pubout > "$public.pem"

Generate a CA private key and CA certificate pair with supplied CA Subject

CA Subject (Distinguished Name) -> CA private key & CA certificate

openssl req -x509 -newkey rsa:2048 -noenc -days $number_of_days_to_be_valid \
-config "$CA-csr.cnf" -keyout "$CA-private.key" > "$CA-crt.pem"

Generate (Sign) a domain CSR with the domain private key

Domain Subject (X.500 Distinguished Name) + Domain private key -> Domain CSR

openssl req -new -key "$domain-private.pem" -config "$domain-csr.cnf" > "$domain-csr.pem"

# domain.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
 
[dn]
C=<ISO_COUNTRY_CODE>
ST=<STATE>
L=<CITY>
O=<ORGANIZATION_FULL_NAME>
OU=<DEPARTMENT_NAME>
emailAddress=<SERVER_ADMIN_EMAIL_ADDRESS>
CN=<FQDN>

CN should match the domain you are trying to access, e.g. localhost.

Resources
- Overview CSR-fields (opens in a new tab)

Sign a domain CSR with CA private key and create a domain certificate

Prepare a X.509 v3 Certificate Extensions file

# X.509 v3 Certificate Extensions
# Reference: https://www.openssl.org/docs/man1.1.1/man5/x509v3_config.html
# domain.v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
 
# When CN in CSR doesn't match the domain of URL, DNS names listed here will be used instead.
# When using curl to access target URL, with -v flag, you will see the following
# subjectAltName: host "localhost" matched cert's "localhost"
[alt_names]
DNS.1 = localhost
DNS.2 = cq.prototype.microservice.springboot

Create the certificate

CSR + CA private key -> domain certificate

# CA Private key pass phrase will be prompted if any
openssl x509 -req \
  -CA "$CA-crt.pem" \
  -CAkey "$CA-private.pem" \
  -extfile "$domain-v3.ext.cnf" \
  -days $days \
  -CAcreateserial \ # will generate a <CA.srl> file to be used for future signing with option -CAserial
  -in "$domain-csr.pem" \
  -out "$domain-crt.pem"

Create a PKCS#12 keystore to store private key and certificate

openssl pkcs12 \
  -export \
  -name $entry_alias \
  -inkey "$domain-private.pem" \
  -in "$domain-crt.pem" \
  -out "$keystore.p12" \
  -passout pass:$keystore_password \
  -noiter \
  -nomaciter
 
# Use either OpenSSL or Java keytool to view certificate
# OpenSSL
openssl pkcs12 -nokeys -info \
  -in "$keystore.p12" \
  -passin pass:$keystore_password
 
# Java keytool
keytool -list -v -keystore "$keystore.p12" -storetype PKCS12 -storepass $keystore_password

Export everything from a PKCS#12 Keystore

openssl pkcs12 \
  -in "$keystore.p12" \
  -out "$keystore.crt.pem" \
  -passin pass:$keystore_password

Only export client certificates from a PKCS#12 Keystore

openssl pkcs12 \
  -clcerts \
  -in "$keystore.p12" \
  -out "$keystore.crt.pem" \
  -passin pass:$keystore_password

Only export private keys from a PKCS#12 Keystore

openssl pkcs12 \
  -nocerts \
  -in "$keystore.p12" \
  -out <keystore.key.pem> \
  -passin pass:$keystore_password

Get contents of a PEM certificate file

openssl x509 -text -noout -in "$domain-crt.pem"

Get the fingerprint / thumbprint of a PEM certificate file

# SHA-1 fingerprint
openssl x509 -in "$domain-crt.pem" -noout -fingerprint -sha1

# SHA-256 fingerprint
openssl x509 -in "$domain-crt.pem" -noout -fingerprint -sha256

Get contents of a DER-encoded certificate file

openssl x509 -text -noout -inform der -in "$domain-crt.der"

Convert PEM certificate to DER

openssl x509 -outform der -in "$domain-crt.pem" -out "$domain-crt.der"

Convert DER-encoded certificate to PEM

openssl x509 -inform der -in "$domain-crt.der" -out "$domain-crt.pem"

Passphrase input options

Options
- pass:password
  
  Literals, will be recorded in shell history
- env:var
  
  The name of the environment variable storing the passphrase
- file:pathname
  
  The first line of the file located at pathname will be used as the passphrase
- fd:number
  
  Read the password from the file descriptor number. This can be used to send the data via a pipe for example.
- stdin
  
  Default option if no other option is explicitly specified
OpenSSL passphrase options (opens in a new tab)

Get the contents of a PEM private key file

Without specifying passphrase, will be prompted for passphrase from stdin

openssl rsa -text -noout -in "${private.pem}"

With passphrase

openssl rsa -text -noout -in "${private.pem}" -passin pass:$passphrase

Decrypt an encrypted private key

openssl rsa \
  -in $encrypted_key_pem \
  -passin pass:$passphrase \
  -out $decrypted_key_pem

Sign a text file and encode signature with Base64

Sign with SHA-256 algorithm

openssl dgst -sha256 -sign ${private.pem} -out ${signature.sha256} ${file-to-be-signed}

Encode the signature with Base64

openssl enc -base64 -in ${signature.sha256} -out ${signature.sha256.base64}

Verify a domain certificate against an intermediate CA certificate

openssl verify -untrusted ${intermediate-CA-crt.pem} ${domain-crt.pem}

Get all ciphers

Get all supported ciphers

openssl ciphers -v

Get supported SSL protocols

openssl ciphers -v | awk '{print $2}' | sort | uniq

Get the contents of a CSR

openssl req -in ${domain-csr.pem} -noout -text

Get the public key of a CSR

openssl req -in ${domain-csr.pem} -noout -pubkey

Can be used to compare if 2 CSRs are signed by the same private key

Connect to and disconnect from a remote SSL server automatically

echo | openssl s_client -connect $host:$port

openssl s_client -connect $host:$port < /dev/null

Get the remote site’s `root` and `intermediate` certificates

CA certificates have the same Subject and Issuer.

openssl s_client -showcerts -connect $host:$port

Get the serial number of the domain certificate

openssl s_client -connect $host:$port 2>/dev/null | openssl x509 -noout -text | grep -A 1 "Serial Number"

Example:

❯ openssl s_client -connect localhost:8443 2>/dev/null | openssl x509 -noout -text | grep -A 1 "Serial Number"
        Serial Number:
            70:7f:c8:68:b4:aa:48:4c:70:9e:8b:bd:48:fc:c0:a0:cc:80:4b:65

Get the SHA-1 fingerprint of the domain certificate

Fingerprint with :

openssl s_client -connect $host:$port 2> /dev/null | openssl x509 -noout -fingerprint

Fingerprint without :

openssl s_client -connect $host:$port 2> /dev/null | openssl x509 -noout -fingerprint | tr -d ":"

Get the SHA-1 fingerprint of the domain certificate with `sha1sum`

openssl s_client -connect $host:$port 2>/dev/null | openssl x509 -outform DER | sha1sum

Get the SHA-256 fingerprint of the domain certificate with `sha256sum`

openssl s_client -connect $host:$port 2>/dev/null | openssl x509 -outform DER | sha256sum

Get the SHA-256 fingerprint of the domain certificate