
I'm trying to encrypt a file using an X509 certificate. I'm trying with OpenSSL, using the following command:

 

openssl rsautl -encrypt -pubin -inkey receiver.crt -in my_infile.txt -out my_outfile.txt

 

However, I can't seem to get this to work - it keeps coming up with "Unable to load public key". Can anyone point me in the right direction to get this done? I'm sick of looking at visited links on Google trying to find a solution.

 

Thanks in advance.


Where did you get the cert? You don't seem to have any path specified in your command. Can you PM the cert, and I will encrypt a text file for you showing example commands, etc.

What version of openssl are you using - is this on Linux/Windows - what flavor?

Example on Ubuntu 14.04.2:

 

user@ubuntu:~$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

 

Do you have a CA set up? Or did someone send you this x509?

Thanks for the response. The cert has been issued by the US IRS - the link for which is https://www.ides-support.com/Downloads/encryption-service_services_irs_gov.crt

 

I'm running the OPENSSL on Windows - version 1.0.2a. I've managed to get this done before, but can't figure out for the life of me how to do it again. Of course, this time round I'm taking detailed notes.

 

All help appreciated.

You sure that is the crt you're using for encryption? I grabbed that crt with wget and then looked at its details:

 

[pre]
user@ubuntu:~/myCA$ openssl x509 -in gov.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1355950258 (0x50d228b2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=© 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
        Validity
            Not Before: Oct 16 18:44:59 2014 GMT
            Not After : Dec 17 02:12:19 2018 GMT
        Subject: C=US, ST=District of Columbia, L=Washington, O=United States Department of Treasury - IRS, CN=encryption-service.services.irs.gov
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e2:17:21:32:1e:7e:ee:13:ab:c1:46:1b:cc:f5:
                    c8:bf:e8:11:53:1c:89:52:d4:c8:71:7a:33:85:5f:
                    41:5f:f1:72:f9:dd:21:60:ba:cf:34:bc:07:37:d6:
                    be:60:f2:10:88:b5:b3:98:43:69:d9:57:08:31:ae:
                    77:ca:07:be:5c:30:5d:e5:22:85:ed:7c:db:2d:d9:
                    73:74:9d:44:47:ee:a5:94:1c:61:b6:d8:67:1f:9b:
                    11:bf:34:1d:c2:76:b0:02:b4:17:0c:2f:70:c5:ae:
                    52:54:8f:49:40:ee:84:e1:26:bb:83:bc:26:88:9d:
                    49:ba:58:cc:1a:ab:8e:0b:ac:e5:38:2e:46:67:43:
                    f6:5c:1e:55:b1:c2:6e:8e:98:a9:c5:1d:02:5c:68:
                    8d:43:6f:99:ea:02:ce:70:6b:24:39:44:7a:3e:73:
                    a6:0d:01:e6:d7:17:d6:1b:ad:b9:6a:ca:64:f0:68:
                    24:2b:9d:04:1b:0b:fe:8e:df:c9:cc:cb:58:06:60:
                    0c:3c:01:83:1e:3a:12:88:67:2b:8c:9a:8c:36:ed:
                    da:b5:7d:a2:f0:ec:39:d3:20:89:e4:d7:c1:e5:4f:
                    bb:53:b1:db:1f:93:a5:1b:b7:6f:01:8e:14:3e:e3:
                    df:3a:9d:2d:9f:2d:0e:df:fa:ab:89:3c:4f:54:84:
                    d3:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.entrust.net/level1k.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114028.10.1.5
                  CPS: http://www.entrust.net/rpa
                Policy: 2.23.140.1.2.2
            Authority Information Access:
                OCSP - URI:http://ocsp.entrust.net
                CA Issuers - URI:http://aia.entrust.net/l1k-chain256.cer
            X509v3 Subject Alternative Name:
                DNS:encryption-service.services.irs.gov
            X509v3 Authority Key Identifier:
                keyid:82:A2:70:74:DD:BC:53:3F:CF:7B:D4:F7:CD:7F:A7:60:C6:0A:4C:BF
            X509v3 Subject Key Identifier:
                C3:92:3E:9C:84:E4:63:50:CA:8A:FE:A2:27:67:BC:2C:7E:DB:5F:05
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         52:5d:9e:13:6c:f0:ce:91:b8:ca:40:59:05:b7:4a:0d:0f:e2:
         e3:88:1e:b8:50:92:56:ec:68:e2:bc:67:3a:ba:7e:7e:8c:af:
         e3:16:24:5b:89:95:e0:be:f8:94:f6:8b:39:d5:dc:7d:eb:e9:
         8d:62:be:04:6b:3e:1d:4a:2e:3c:4c:6e:8b:58:a6:0c:0c:2c:
         4f:4b:36:c4:45:5a:c2:33:fd:80:54:0d:19:a0:07:64:6e:11:
         8b:c6:d5:1e:bc:d2:16:13:37:d9:4e:96:a0:23:23:a1:7f:e5:
         39:34:b1:76:c1:56:7e:ac:21:39:2d:46:f9:f6:02:59:62:a5:
         af:f1:23:a1:27:af:ea:8e:0e:a8:15:a9:6a:a9:c4:76:b1:4f:
         c5:24:d2:11:0f:e1:de:ba:b4:24:26:b9:8b:a8:9c:7d:d9:2e:
         7d:18:76:90:e2:5d:49:34:3a:8b:0c:13:bf:16:36:36:34:f7:
         9d:68:e4:44:d8:71:9e:3e:af:78:ad:0d:f0:d8:f7:f2:91:40:
         da:33:1a:d7:62:ba:28:57:6a:95:68:19:65:e2:a4:65:3a:08:
         8a:f8:4a:df:20:b4:08:b4:69:bc:4c:ec:71:e9:f6:66:5f:cc:
         10:4f:05:04:65:f1:34:12:2f:8e:c1:bd:b5:d9:5a:de:ff:e8:
         b5:c1:04:8f
user@ubuntu:~/myCA$
[/pre]

 

Looks like it's supposed to be used as client auth.

      X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

So you're trying to encrypt a file with it to send where? From what the extensions are on that key...

 

http://tools.ietf.org/html/rfc5280

The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. For example, this bit shall be set when an RSA public key is to be used for encrypting a symmetric content-decryption key or an asymmetric private key.

The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher. Note that the use of this bit is extremely uncommon; almost all applications use key transport or key agreement to establish a symmetric key.

That key is not really meant to encrypt a file with and send it to them.

Thanks for the responses - managed to get it using:

 

openssl smime -encrypt -binary -aes-256-cbc -in my_infile.txt -out my_ourfile.txt receiver.crt

 

Sometimes a break away from the screen helps! Plus bouncing off you guys :-)

That is not really what the crt is meant for...

From looking at the extensions on that crt, it does not look to be intended for smime...

http://tools.ietf.org/html/rfc3850

4.4.4. Extended Key Usage Extension

The extended key usage extension also serves to limit the technical purposes for which a public key listed in a valid certificate may be used. The set of technical purposes for the certificate therefore are the intersection of the uses indicated in the key usage and extended key usage extensions.

For example, if the certificate contains a key usage extension indicating digital signature and an extended key usage extension which includes the email protection OID, then the certificate may be used for signing but not encrypting S/MIME messages. If the certificate contains a key usage extension indicating digital signature, but no extended key usage extension then the certificate may also be used to sign but not encrypt S/MIME messages.

If the extended key usage extension is present in the certificate then interpersonal message S/MIME receiving agents MUST check that it contains either the emailProtection or the anyExtendedKeyUsage OID as defined in [KEYM]. S/MIME uses other than interpersonal messaging MAY require the explicit presence of the extended key usage extension or other OIDs to be present in the extension or both.

From looking at that cert, it's meant for client auth, and not really meant as a means of sending encrypted messages via smime. While it has the digital signature ext, it makes no mention of other email related use, and clearly states the client auth ext. So while you could use it to sign an email, clearly it should not be used for encryption from my looking at it.
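Added example, not part of any post in this thread: a shell check that applies the two RFC passages quoted above to the extension lines of `openssl x509 -text -noout` output. The helper names `ext_value` and `cert_allows` and the use labels `rsa-direct` and `smime-encrypt` are hypothetical, and treating a missing Key Usage extension as unrestricted is an assumption the quoted passages do not cover.

```shell
# Reads `openssl x509 -text -noout` output on stdin and applies the quoted rules:
#   rsa-direct    : Key Usage must list "Data Encipherment" (RFC 5280)
#   smime-encrypt : Key Usage must list "Key Encipherment", and an Extended
#                   Key Usage extension, if present, must list "E-mail
#                   Protection" or "Any Extended Key Usage" (RFC 3850 4.4.4)
# Assumption: a missing Key Usage extension is treated as unrestricted.

# Print the line that follows the "X509v3 <name>:" header, left-trimmed.
ext_value() {
    awk -v name="$1" '
        want { sub(/^[ \t]+/, ""); print; want = 0; next }
        index($0, "X509v3 " name ":") { want = 1 }'
}

# Returns 0 = permitted, 1 = not permitted, 2 = unknown use.
cert_allows() {
    text=$(cat)
    ku=$(printf '%s\n' "$text" | ext_value "Key Usage")
    eku=$(printf '%s\n' "$text" | ext_value "Extended Key Usage")
    case $1 in
    rsa-direct)
        need="Data Encipherment" ;;
    smime-encrypt)
        need="Key Encipherment"
        case $eku in
            ""|*"E-mail Protection"*|*"Any Extended Key Usage"*) ;;
            *) return 1 ;;
        esac ;;
    *)  echo "unknown use: $1" >&2; return 2 ;;
    esac
    case $ku in
        ""|*"$need"*) return 0 ;;
    esac
    return 1
}

# Extension lines copied from the certificate dump posted in the thread.
THREAD_CERT='            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

for use in rsa-direct smime-encrypt; do
    if printf '%s\n' "$THREAD_CERT" | cert_allows "$use"; then
        echo "$use: permitted"
    else
        echo "$use: not permitted by the certificate extensions"
    fi
done
```

Against a real file the input would come from `openssl x509 -in receiver.crt -noout -text | cert_allows smime-encrypt`; OpenSSL's own purpose checks for the same certificate are printed by `openssl x509 -purpose -noout -in receiver.crt`.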
