{"id":522,"date":"2006-08-12T01:34:53","date_gmt":"2006-08-12T09:34:53","guid":{"rendered":"\/?p=522"},"modified":"2006-08-12T02:01:45","modified_gmt":"2006-08-12T10:01:45","slug":"william-tay-on-converting-public-key-pair-formats","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=522","title":{"rendered":"William Tay on converting public key pair formats"},"content":{"rendered":"

William Tay<\/a> has a very interesting technical blog and has solved the riddle of how to take a public key pair that he produced in a Microsoft environoment, and export it to PEM so it can by used by PHP.  I didn't have this particular problem, because I created my site's key using OpenSSL in the first place.  However, I've spent many hours with the OpenSSL utility trying – so far unsuccessfully – to go the other way (PEM to pfx).  It shouldn't matter which platform you create your key on – if you have a mix of platforms you want to be able to take the key in both directions.  Anyway, for those who have William's problem, here's how he dealt with it:<\/p>\n

I believe some hardcore Windows CardSpace<\/a> fanatics out there may have tried out Kim Cameron's IdentityBlog<\/a> Cardspace demo on php<\/a>. The tutorials can code samples can be found via his blog here<\/a>. As of this time, I dont think he has updated it to work with the WinFX July CTP drop.<\/p>\n

If you had played with those php samples, you will realize that nothing much has changed for the WinFX July CTP drop, we are still using the same version of WS-Trust<\/a> and WS-Security Specifications<\/a> specifications. While WS-Security has been pretty much baked, as the advanced WS-* specifications reach a better level of maturity and acceptance, it won't change as frequently anymore.<\/p>\n

The only change to take note is the OBJECT element in the html page. The way claims are presented on a html page is now space-delimited and not comma-delimited as it was before.<\/p>\n

I have been showing the php demos in my presentations around the Asia-Pacific circuits for some time now. One of the questions I frequently get asked is how do we get the RSA private key of the https site (Relying party<\/em>) we are using to authenticate our users. While Kim has shown some briefs snippets of his php code here<\/a> (It is fairly obvious why the entire Private Key cannot be disclosed here),<\/p>\n

\/\/ Cardspace_demoprocessing.php
\n\/\/ Put your own PEM private key here and
\n\/\/ use the right password (for the demo
\n\/\/ we don't use MySql to store this stufffunction get_settings($key)
\n{
\n    if ($key == “infocard_key”) {<\/p>\n

$retVal = “—–BEGIN RSA PRIVATE KEY—–
\nProc-Type: 4,ENCRYPTED
\nDEK-Info: DES-EDE3-CBC,9266952B733BFBE0<\/em><\/strong><\/p>\n

Z4WmpirV4dXvYjNmfSN99Iu4iYzUWa4\/CPZG0NParYSVHMOhb4lsS6iISjgniGG9
\nzhA862KDwsYUjgoyAIXfJAd5Z3hXiyJYdkygF\/DUgeQFcwQjsWmkguq27EDHW6nS
\n.
\n.
\n.
\n3GkQxPLzTMFZYm7haU3WH+QYnNxz2bG0esUmB\/YECXDCqFTbrUm\/DUPd4YiI2HiL
\n+j40vRpPzY6ngd1QNOfd5jkin7sjW1YlsEsRPV8OzEJvNmBZF274Cw==<\/em><\/strong>
\n—–END RSA PRIVATE KEY—–<\/em><\/strong>“;<\/p>\n

    }
\n    else if ($key == “infocard_opener”){
\n        $retVal = “xY8O< |aBB\";\n    }\n    else {\n        $retVal = NULL;\n    }\n    return($retVal);\n}\nhe did not show how he got that RSA Key.\n\nThere are, of course, a few ways to get that key. But since we are on the subject of Open-source and php being the flavour of the day, I thought why not show the readers how to get it using another popular utility out there called “OpenSSL<\/a>“. I am using version 0.9.8b the OpenSSL binaries\/executables.<\/p>\n

Once that is all downloaded, installed and setup – I used this command to retreive the RSA Private Key into a PEM file:<\/p>\n

Openssl pkcs12 -in Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx -out cert.pem -nodes<\/strong><\/p>\n

You will, of course, replace the “Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx<\/strong>” with your own site's SSL digital certificate. The -nodes<\/strong> flag just tells the output not to have a passphase lock on the resulting PEM file. Of course, you can if you want to if you are afraid of others being able to view your site's Private Key from the php code file. The output cert.pem will contain the output:<\/p>\n

Bag Attributes
\n    1.3.6.1.4.1.311.17.2:
\n    localKeyID: 01 00 00 00
\n    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
\n    friendlyName: 1a9c651d1153bf0e58ac3ff34c9fce1f_615cbd1c-54d4-4ea0-b0d4-5c14115c3abb
\nKey Attributes
\n    X509v3 Key Usage: 10
\n—–BEGIN RSA PRIVATE KEY—–
\nMIICXgIBAAKBgQDElLoxJcOzWT0jHT6uvdDHpDBnZLa4AE\/gznjcKuSIT880MAmL
\nADVIoDP\/0MPDucexjWCtJ33msRCmi2TOQ86dPhyc\/kfrmpTnjG+Kwi7tR5x07rAM
\n…
\nXLj+knD7VxrZvE\/CBJP5PgjuvqfcbiSGf4R8dVB\/nVm6tw==
\n—–END RSA PRIVATE KEY—–<\/em>
\nBag Attributes
\n    localKeyID: 01 00 00 00
\n    friendlyName: Default Web Site
\nsubject=\/C=SG\/ST=Singapore\/L=Singapore\/O=Softwaremaker.NET Pte Ltd\/OU=Software Development and Architecture Research Unit\/CN=swmvm2k3
\nissuer=\/CN=Softwaremaker.NET Pte Ltd
\n—–BEGIN CERTIFICATE—–
\nMIIE1DCCA7ygAwIBAgIKYVFrDgABAAAACDANBgkqhkiG9w0BAQUFADAkMSIwIAYD
\nVQQDExlTb2Z0d2FyZW1ha2VyLk5FVCBQdGUgTHRkMB4XDTA2MDYzMDAyMjkyNFoX
\n…
\nGl+c093\/wY1RT9FhAyK0vpP\/H9rFzyrCZbuyL69tWkTI1DGTuZHW5g==
\n—–END CERTIFICATE—–
\nOnce you got the above output, you just have to replace the “—–BEGIN RSA PRIVATE KEY—–…”<\/em><\/strong> until the “—–END RSA PRIVATE KEY—–“<\/em><\/strong> with your own in the php code file (Cardspace_demoprocessing.php).<\/p>\n

Hope this helps someone out there.<\/p><\/blockquote>\n

Yeah.  It's true that I was unclear, when writing my demo PHP code, how to best store and retrieve secret keys in a LAMP environment.  In Windows, I would use the system-provided routines for protecting and accessing secret keys, but I don't know the equivalents one would use in LAMP.<\/p>\n

I ended up just storing my keys in mySql (the code William shows above is a simplification to make the issues as easy to understand as possible) – but I'd appreciate hearing from someone who knows the proper way to do this.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

What is the proper way to store secret keys in a LAMP environment?<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/522"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=522"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/522\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}