Digital Signature Instruction Collections

Description: All about Digital Signature Instruction

Author: Eko Junaidi Salam

Generate CA Root Key

• Generate 4096bit RSA Key for Root CA

openssl genrsa -aes256 -out my_ca.enc.key 4096

• Generate RSA Key and CSR for CA

openssl req -new -newkey rsa:4096 -keyout cakey.pem -out careq.pem -config openssl.cnf

• Create and self-sign Root CA Certificate from RSA Key

openssl req -x509 -new -nodes -key my_ca.enc.key -sha256 -days 1024 -out myCA.crt

• Create and self-sign V3 Root CA from CSR file

openssl ca -out cacert.pem -days 2652 -keyfile cakey.pem -selfsign -config openssl.cnf -extensions v3_ca -in careq.pem

• Create and Sign end client CSR using Root CA from CSR file

openssl ca -in serverreq.pem -days 1200 -cert cacert.pem -keyfile cakey.pem -out servercrt.pem -extensions usr_cert -config openssl.cnf

• Generate Certificate for client CSR using Root CA

openssl x509 -req -in my_request.csr -CA myCA.crt -CAkey my_ca.enc.key -CAcreateserial -out my_request.crt -days 730 -sha256

• Generate PKCS12 with chain

openssl pkcs12 -export -in my_request.crt -inkey my_key.enc.key -name "Eko Junaidi Salam" -chain -CAfile myCA.crt -out my_req_with_chain.pfx

• Generate PKCS12 with no chain

openssl pkcs12 -export -in my_request.crt -inkey my_key.enc.key -name "Eko Junaidi Salam" -certfile myCA.crt -out my_req_with_chain.pfx

• Generate Key and self-sign Certificate

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout my.key -out my.crt

• Verify end point certificate with CA

openssl verify -CAfile cacert.pem servercrt.pem

• Revoke Certificate

openssl ca -revoke tescert.crt -config openssl.cnf

• Generate Certificate Revocation List (CRL)

openssl ca -gencrl -config openssl.cnf -out crl.pem

• Verify certificate based on CA and CRL

openssl verify -crl_check -CAfile cacert.pem -CRLfile crl.pem servercrt.pem

• Verify ocsp validation

openssl ocsp -CAfile cacert.pem -issuer issuer.pem -cert yourcert.crt -url http://ocsp.example.com/ -resp_text -noverify

Generate RSA Key

• Generate 2048bit RSA Key

openssl genrsa -aes256 -out my_key.enc.key 2048

• Generate Public Key from RSA Key

openssl rsa -in my_key.enc.key -pubout -outform pem -out my.pub.pem

• Generate CSR from RSA Key

openssl req -new -days 730 -key my_key.enc.key -text -out my_request.csr

• Check CSR content from CSR file

openssl req -in my_request.csr -noout -text

• Generate X509 default PEM Format

openssl x509 -req -days 730 -in my_request.csr -signkey my_key.enc.key -out my_cert.crt

• Generate X509 default PEM Format using V3 Extension and SHA256 Digest

openssl x509 -req -days 730 -in my_request.csr -signkey my_key.enc.key -out my_cert.crt -sha256 -extfile v3.ext

• Extract Public Key from X509 Certificate

openssl x509 -pubkey -noout -in my_cert.crt > my_pub.pem

• Generate SSH Public Key from RSA Key

ssh-keygen -y -f my_key.enc.key > my_ssh.pub

• Generate random key for encryption using aes-256-cbc

openssl rand -base64 32 -out key.b64

• Encrypt the key using public key recipient

openssl rsautl -encrypt -inkey my.pub.pem -pubin -in key.b64 -out key.b64.enc

• Encrypt the file using our key

openssl enc -aes-256-cbc -salt -in SECRET_FILE -out SECRET_FILE.enc -pass file:./key.b64

• Send and Decrypt The encrypted key.b64.enc using private key recipient and your SECRET_FILE.enc using the decrypted key

openssl rsautl -decrypt -inkey my_key.enc.key -in key.b64.enc -out key.b64

openssl enc -d -aes-256-cbc -in SECRET_FILE.enc -out SECRET_FILE -pass file:./key.b64

Using Free Time Stamp Authority

Source from Free TSA

• Download CA and tsa cert

wget https://freetsa.org/files/tsa.crt
wget https://freetsa.org/files/cacert.pem

• Create a tsq (TimeStampRequest) file, which contains a hash of the file you want to sign.

openssl ts -query -data signed.pdf -no_nonce -sha512 -cert -out signed.tsq

• Send the TimeStampRequest to freeTSA.org and receive a tsr (TimeStampResponse) file.

curl -H "Content-Type: application/timestamp-query" --data-binary '@signed.tsq' https://freetsa.org/tsr > signed.tsr

• With the public Certificates you can verify the TimeStampRequest.

openssl ts -verify -in signed.tsr -queryfile signed.tsq -CAfile cacert.pem -untrusted tsa.crt

• URL Screenshooter from TSA

curl --data "screenshot=https://www.fsf.org/&delay=n" https://freetsa.org/screenshot.php > screenshot.pdf

Generate ECDSA Key

• Generate Encrypted EC key

openssl ecparam -genkey -name secp256k1 | openssl ec -aes256 -out my_ec.enc.key

• Generate Public Key from EC Key

openssl ec -in my_ec.enc.key -pubout -out my_ecpub.pem

• Generate CSR from EC Key

openssl req -new -sha256 -key my_ec.enc.key -days 730 -text -out my_ec.csr

• Generate derive key as shared secret from recipient EC Public Key

openssl pkeyutl -derive -inkey my_ec.enc.key -peerkey bob_ecpub.pem | openssl dgst -sha256 -r | sed 's/ \*stdin//g' > pass.hash

• Encrypt data using shared secret from derive key

openssl enc -aes256 -base64 -k pass.hash -e -in hello.txt -out hello.txt.enc

• Decrypt data using shared secret from derive key

openssl enc -aes256 -base64 -k pass.hash -d -in hello.txt.enc -out hello.txt

My Certificate OpenSSH

• Create SSH Public Key from OpenSSL Key

ssh-keygen -y -f my_key.enc.key > my-ssh.pub

• Show Fingerprint of SSH Public Key

ssh-keygen -lv -E md5 -f my_ssh.pub

My Certificate X509

• Generate CSR from Certificate

openssl x509 -x509toreq -in .\my_cert.crt -signkey .\my_key.enc.key -out .\my_request.csr

• Renew expired certificate

openssl x509 -req -days 365 -in .\my_request.csr -signkey .\my_key.enc.key -out .\my_cert_renew.crt

• Get unencrypted key from encrypted private key

openssl rsa -in .\my_key.enc.key -out hasil.key

• Generate PKCS12 from Certificate

openssl pkcs12 -export -in .\my_cert_renew.crt -inkey .\my_key.enc.key -out .\my_cert_renew.p12

• Extract Private Key (PEM) from PKCS12

openssl pkcs12 -in .\my_cert_renew.p12 -nocerts -out .\my_cert.pem

• Extract Private Key from PEM file using DES3 encrypted

openssl rsa -in .\my_cert.pem -des3 -out .\my_key.enc.key

• Extract Client Certificate from PKCS12

openssl pkcs12 -in .\my_cert_renew.p12 -nokeys -clcerts -out .\my_cert.crt

• Extract CA Certificate from PKCS12

openssl pkcs12 -in .\my_cert_renew.p12 -nokeys -cacerts -out .\my_cert.crt

• Create Public Key from RSA Private Key

openssl rsa -in .\my_key.enc.key -pubout -out my_key.pub

• Sign a digest with RSA Private Key

openssl dgst -sha256 -sign .\my_key.enc.key -out .\README.md.sig .\README.md

• Verify a Signed Digest using Public Key

openssl dgst -sha256 -verify .\my_key.pub -signature .\README.md.sig .\README.md

• Sign/Verify data using X509 with RSA-PSS mode

# Create digest from the message
openssl dgst -sha256 -binary -out msg.bin msg.txt
# Create signed message using private key
openssl pkeyutl -sign -inkey me.key -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_mgf1_md:sha256 -pkeyopt rsa_pss_saltlen:digest -out msg.sig -in msg.bin
# Verified signed message using X509 Certificate
openssl pkeyutl -verify -inkey me.crt -certin -pkeyopt digest:sha256 -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_mgf1_md:sha256 -sigfile msg.sig -in msg.bin

• Encrypt/Decrypt data using X509 with RSA-OAEP

# Encrypt using X509
openssl pkeyutl -encrypt -inkey me.crt -certin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out msg.enc -in msg.txt
# Decrypt using Private Key
openssl pkeyutl -decrypt -inkey me.key -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -out msg.dec -in msg.enc

• Encrypt/Decrypt data using X509 with RSA-OAEP and piv pkcs11

# Compile libp11 library to get pkcs11.dll/so file from this github link
# https://github.com/OpenSC/libp11.git

# Set the OPENSSL_CONF to engine.cnf
# https://raw.githubusercontent.com/ekojs/digital_signature/master/engine.cnf

# Check pkcs11 engine in openssl
openssl engine pkcs11 -c
# Your output if it's available :
# (pkcs11) pkcs11 engine
#  [RSA, rsaEncryption, id-ecPublicKey]

# Encrypt
openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey 3 -passin file:pin.piv -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in msg.txt -out msg.enc
# Decrypt
openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey 3 -passin file:pin.piv -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in msg.enc -out msg.dec

• AES-KWP as RFC 5649 compliant Using patched openssl-1.1.0l or openssl-3.0.x latest release

# The -id-aes256-wrap-pad cipher is the RFC 3394 compliant wrapping mechanism that coincides with CKM_RSA_AES_KEY_WRAP. The -iv values are set by RFC 5649 (an extension to RFC 3394)
# see rfc 5649 https://tools.ietf.org/html/rfc5649
openssl rand -out rand.bin 32
openssl enc -id-aes256-wrap-pad -iv A65959A6 -K $(hexdump -v -e '/1 "%02x"' < rand.bin) -in my.p8 -out wrap.bin

• Unwrap data using AES-KWP RFC 5649

openssl enc -d -id-aes256-wrap-pad -iv A65959A6 -K $(hexdump -v -e '/1 "%02x"' < rand.bin) -in wrap.bin -out my.p8.der

My Certificate gpg (GnuPG) 1.4.20

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Read : https://futureboy.us/pgp.html

• Generate GPG Public & Private Key

gpg -i --gen-key

• Change key

gpg -i -edit-key user_id

• Change cipher algorithms

gpg --cipher-algo name -ca your_file

• Using Stronger Algorithms

gpg -i --edit-key user_id 
help
showpref
setpref AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH CAST5 3DES SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 ZLIB BZIP2 ZIP Uncompressed
save

• Backup Secret Key and Subkey

gpg --export-secret-key -a -o key.asc
gpg --export-secret-subkeys -a -o subkey.asc

• Backup Public Key

gpg -o pub.gpg -a --export eko_junaidisalam@live.com

• Encrypt using symmetric cipher

gpg --cipher-algo aes256 -ca filename

• Decrypt a file

gpg filename

• Sign and armored a file

gpg -o hasil.asc -sa filename

• Verify a signed armored file

gpg --verify hasil.asc

• Create revocation certificate

gpg -o my_revocation_cert --gen-revoke key_id

• Separate Master Keypair to Laptop Keypair

mkdir /tmp/gpg
sudo mount -t tmpfs -o size=1M tmpfs /tmp/gpg
gpg --export-secret-subkeys key_id > /tmp/gpg/subkeys
gpg --delete-secret-key key_id
gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rm -rf /tmp/gpg

gpg -K

# You should see like this 'sec#  2048R/C774674E 2016-03-10' not 'sec  2048R/C774674E 2016-03-10', it means you're successfully separate subkey from the keypair located in your keyring.

• Show photo in gpg

# You must set photo-viewer "eog %i" in your gpg.conf file

gpg --list-options show-photos --fingerprint ekojs

• Sign someone key

gpg -u yourkey --sign-key --ask-cert-level someone@email.com

Check corresponding RSA Private Key & Public Key

• For RSA & X509

openssl rsa -in .\my_key.enc.key -modulus -noout | openssl md5
openssl x509 -in .\my_cert.crt -modulus -noout | openssl md5

• For RSA & SSH Pub Key

ssh-keygen -y -f my_key.enc.key
cat my_ssh.pub

• Check pub fingerprint

ssh-keygen -lv -E md5 -f my_ssh.pub
openssl x509 -noout -fingerprint -md5 -in .\my_cert.crt

• For Pub & priv Key OpenPGP, you can check it in keyid values.

gpg --list-packets pub_key.asc | head
gpg --list-packets priv_key.asc | head

Check IMAP via SSL uses port 993

openssl s_client -showcerts -connect mail.example.com:993

Check POP3 via SSL uses port 995

openssl s_client -showcerts -connect mail.example.com:995

Check SMTP via SSL uses port 465

openssl s_client -showcerts -connect mail.example.com:465

Check SMTP via TLS/StartTLS uses port 587

openssl s_client -starttls smtp -showcerts -connect mail.example.com:587

Configure OCSP Stapling

some reading : Configure OCSP Stapling

• Retrieve CA Bundle

wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null
wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem> /dev/null

• Config OCSP

# Outside vhost
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

# Inside vhost
SSLCACertificateFile /etc/ssl/ca-certs.pem
SSLUseStapling on

# Check
apachectl configtest

• Testing OCSP Stapling

echo QUIT | openssl s_client -connect ocsp.digicert.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Create certificate using lets encrypt

some reading : Generate wildcard ssl using lets encrypt

apt install letsencrypt
certbot certonly --manual --preferred-challenges=dns --email your-email@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com

Generate Certificate using Keytool from Java

• Create self-sign Certificate

keytool -genkeypair -storepass 123456 -storetype pkcs12 -alias test -validity 365 -v -keyalg RSA -keysize 2048 -keystore keystore.p12 

• Check detail keystore content

keytool -keystore keystore.p12 -list -v

• Import another PKCS12 to keystore

keytool -importkeystore -srcstoretype pkcs12 -srckeystore cert.p12 -destkeystore keystore.p12 -srcalias 1 -destalias youralias

Create Perfect Keypair in OpenPGP

• Generate key RSA-RSA 4096 bits keysize
• Add photo to the key
• Add subkey to complete flag i.e : SC, S, E
• Use Stronger Algorithms
• Creating Revocation Certificate if your master keypair gets lost or stolen. This file is only way to tell everyone to ignore the stolen key.
• Separate Master keypair to laptop keypair

Passphrase for all key is 12345

Note:

Please feel free to add useful instruction to this repo. Silahkan bebas untuk menambahkan perintah-perintah yang berguna dalam Digital Signature pada repo ini.