Recommended Posts

I'm trying to encrypt a file using a X509 certificate. I'm trying using OPENSSL - command as follows:

 

openssl rsautl -encrypt -pubin -inkey receiver.crt -in my_infile.txt -out my_outfile.txt

 

However I can't seem to get this to work - it keeps coming up with "Unable to load publick key". Can anyone point me in the right direction to get this done? I'm sick of looking at visited links on Google trying to find a solution.

 

Thanks in advance.

Link to comment
https://www.neowin.net/forum/topic/1261760-encrypt-file-using-x509-certificate/
Share on other sites

where did you get the cert, you don't seem to have any path specified in in your command.  Can you PM the cert and I will encrypt a text file for you showing example commands, etc..

 

what version of openssl are you using - this is on linux/windows - what flavor?

 

example on ubuntu 14.04.2

 

user@ubuntu:~$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

 

do you have a CA setup?  Or did someone send you this x509?

Thanks for the response. The cert has been issued by the US IRS - the link for which is https://www.ides-support.com/Downloads/encryption-service_services_irs_gov.crt

 

I'm running the OPENSSL on Windows - version 1.0.2a. I've managed to get this done before, but can't figure out for the life of me how to do it again. Of course, this time round I'm taking detailed notes.

 

All help appreciated.

you sure that is the crt your using for encryption.  I grabbed that crt with wget and then looking at its details

 

[pre]

user@ubuntu:~/myCA$ openssl x509 -in gov.crt -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1355950258 (0x50d228b2)

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=© 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K

        Validity

            Not Before: Oct 16 18:44:59 2014 GMT

            Not After : Dec 17 02:12:19 2018 GMT

        Subject: C=US, ST=District of Columbia, L=Washington, O=United States Department of Treasury - IRS, CN=encryption-service.services.irs.gov

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:e2:17:21:32:1e:7e:ee:13:ab:c1:46:1b:cc:f5:

                    c8:bf:e8:11:53:1c:89:52:d4:c8:71:7a:33:85:5f:

                    41:5f:f1:72:f9:dd:21:60:ba:cf:34:bc:07:37:d6:

                    be:60:f2:10:88:b5:b3:98:43:69:d9:57:08:31:ae:

                    77:ca:07:be:5c:30:5d:e5:22:85:ed:7c:db:2d:d9:

                    73:74:9d:44:47:ee:a5:94:1c:61:b6:d8:67:1f:9b:

                    11:bf:34:1d:c2:76:b0:02:b4:17:0c:2f:70:c5:ae:

                    52:54:8f:49:40:ee:84:e1:26:bb:83:bc:26:88:9d:

                    49:ba:58:cc:1a:ab:8e:0b:ac:e5:38:2e:46:67:43:

                    f6:5c:1e:55:b1:c2:6e:8e:98:a9:c5:1d:02:5c:68:

                    8d:43:6f:99:ea:02:ce:70:6b:24:39:44:7a:3e:73:

                    a6:0d:01:e6:d7:17:d6:1b:ad:b9:6a:ca:64:f0:68:

                    24:2b:9d:04:1b:0b:fe:8e:df:c9:cc:cb:58:06:60:

                    0c:3c:01:83:1e:3a:12:88:67:2b:8c:9a:8c:36:ed:

                    da:b5:7d:a2:f0:ec:39:d3:20:89:e4:d7:c1:e5:4f:

                    bb:53:b1:db:1f:93:a5:1b:b7:6f:01:8e:14:3e:e3:

                    df:3a:9d:2d:9f:2d:0e:df:fa:ab:89:3c:4f:54:84:

                    d3:f9

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Key Usage:

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication

            X509v3 CRL Distribution Points:

                Full Name:

                  URI:http://crl.entrust.net/level1k.crl

            X509v3 Certificate Policies:

                Policy: 2.16.840.1.114028.10.1.5

                  CPS: http://www.entrust.net/rpa

                Policy: 2.23.140.1.2.2

            Authority Information Access:

                OCSP - URI:http://ocsp.entrust.net

                CA Issuers - URI:http://aia.entrust.net/l1k-chain256.cer

            X509v3 Subject Alternative Name:

                DNS:encryption-service.services.irs.gov

            X509v3 Authority Key Identifier:

                keyid:82:A2:70:74:DD:BC:53:3F:CF:7B:D4:F7:CD:7F:A7:60:C6:0A:4C:BF

            X509v3 Subject Key Identifier:

                C3:92:3E:9C:84:E4:63:50:CA:8A:FE:A2:27:67:BC:2C:7E:DB:5F:05

            X509v3 Basic Constraints:

                CA:FALSE

    Signature Algorithm: sha256WithRSAEncryption

         52:5d:9e:13:6c:f0:ce:91:b8:ca:40:59:05:b7:4a:0d:0f:e2:

         e3:88:1e:b8:50:92:56:ec:68:e2:bc:67:3a:ba:7e:7e:8c:af:

         e3:16:24:5b:89:95:e0:be:f8:94:f6:8b:39:d5:dc:7d:eb:e9:

         8d:62:be:04:6b:3e:1d:4a:2e:3c:4c:6e:8b:58:a6:0c:0c:2c:

         4f:4b:36:c4:45:5a:c2:33:fd:80:54:0d:19:a0:07:64:6e:11:

         8b:c6:d5:1e:bc:d2:16:13:37:d9:4e:96:a0:23:23:a1:7f:e5:

         39:34:b1:76:c1:56:7e:ac:21:39:2d:46:f9:f6:02:59:62:a5:

         af:f1:23:a1:27:af:ea:8e:0e:a8:15:a9:6a:a9:c4:76:b1:4f:

         c5:24:d2:11:0f:e1:de:ba:b4:24:26:b9:8b:a8:9c:7d:d9:2e:

         7d:18:76:90:e2:5d:49:34:3a:8b:0c:13:bf:16:36:36:34:f7:

         9d:68:e4:44:d8:71:9e:3e:af:78:ad:0d:f0:d8:f7:f2:91:40:

         da:33:1a:d7:62:ba:28:57:6a:95:68:19:65:e2:a4:65:3a:08:

         8a:f8:4a:df:20:b4:08:b4:69:bc:4c:ec:71:e9:f6:66:5f:cc:

         10:4f:05:04:65:f1:34:12:2f:8e:c1:bd:b5:d9:5a:de:ff:e8:

         b5:c1:04:8f

user@ubuntu:~/myCA$

[/pre]

 

Looks like its suppose to be used as client auth.

 

      X509v3 extensions:

            X509v3 Key Usage:

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication, TLS Web Client Authentication

 

 

So your trying to encrypt a file with it to send where?  From what the extensions are on that key..

 

http://tools.ietf.org/html/rfc5280

The keyEncipherment bit is asserted when the subject public key is

used for enciphering private or secret keys, i.e., for key

transport. For example, this bit shall be set when an RSA public

key is to be used for encrypting a symmetric content-decryption

key or an asymmetric private key.

The dataEncipherment bit is asserted when the subject public key

is used for directly enciphering raw user data without the use of

an intermediate symmetric cipher. Note that the use of this bit

is extremely uncommon; almost all applications use key transport

or key agreement to establish a symmetric key.

That key is not really meant to encrypt a file with and send it too them..

Thanks for the responses - managed to get it using:

 

openssl smime -encrypt -binary -aes-256-cbc -in my_infile.txt -out my_ourfile.txt receiver.crt

 

Sometimes a break away from the screen helps! Plus bouncing off you guys :-)

that is not really what the crt is meant for...

From looking at the extensions on that crt, it does not look to be intended for smime...

http://tools.ietf.org/html/rfc3850

4.4.4. Extended Key Usage Extension

The extended key usage extension also serves to limit the technical

purposes for which a public key listed in a valid certificate may be

used. The set of technical purposes for the certificate therefore

are the intersection of the uses indicated in the key usage and

extended key usage extensions.

For example, if the certificate contains a key usage extension

indicating digital signature and an extended key usage extension

which includes the email protection OID, then the certificate may be

used for signing but not encrypting S/MIME messages. If the

certificate contains a key usage extension indicating digital

signature, but no extended key usage extension then the certificate

may also be used to sign but not encrypt S/MIME messages.

If the extended key usage extension is present in the certificate

then interpersonal message S/MIME receiving agents MUST check that it

contains either the emailProtection or the anyExtendedKeyUsage OID as

defined in [KEYM]. S/MIME uses other than interpersonal messaging

MAY require the explicit presence of the extended key usage extension

or other OIDs to be present in the extension or both.

From looking at that cert, its meant for client auth, and not really meant as means of sending encrypted messages via smime.. While it has the digital signature ext.. It makes no mention of other email related use, and clearly states the client auth ext.. So while you could use it to sign a email, clearly it should not be used for encryption from my looking at it.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • iOS 26 leaks reveal AI-powered Messages, animated Music lock screen, and CarPlay redesign by Sagar Naresh Bhavsar A lot of these are reportedly changing this year for Apple. While the "Plus" model is expected to be replaced with the iPhone 17 Air, the iOS software is also expected to undergo a major branding change. Instead of iOS 19, Apple is rumored to introduce iOS 26 at the upcoming WWDC 2025 event on June 9. Not only iOS, but the change is expected across all platforms. Meaning, from this year, it could all be streamlined: iOS 26, iPadOS 26, macOS 26, watchOS 26, and more. However, since Apple Intelligence is still in its early stages, Apple is expected to introduce a slew of new features to apps such as Music, Messages, Notes, and CarPlay. According to 9to5Mac, Apple is preparing some "low-profile enhancements" for everyday apps, based on the information from previously accurate sources. As per the report, the Messages app could get an "Automatic Translation" feature that will make use of AI (artificial intelligence) to translate both incoming and outgoing messages. Plus, the Messages app could also gain a "Polls" feature, letting group chat members vote directly within the app. Apple Music is also expected to get a new full-screen animated lock screen artwork, enhancing the Now Playing widget by bringing a maximized look to the album art on the lock screen. The Notes app could also gain the ability to export notes in Markdown, a long-requested feature that third-party apps have supported for years. Apple recently introduced CarPlay Ultra, with some amazing changes, but that is limited to a few luxury cars at the moment. The standard CarPlay is expected to get a UI overhaul with iOS 26. While details remain under wraps, the new interface is speculated to reflect the sleek, glass-like design of iOS 26. Since these are still rumors, we suggest you take them with a pinch of salt. If you are confused about which iPhones will support iOS 26, you can check out the list of supported phones here.
    • Greetings!
    • Hmm, I'll give it a go
    • Is Samsung teasing a Galaxy Z Fold7 Ultra? An official press release suggests so by Sagar Naresh Bhavsar We are inching closer to the launch of this year's premium foldables from Samsung: the Galaxy Z Fold7 and the Galaxy Z Flip7. Recently, a certification revealed that the affordable Galaxy Z Flip7 FE, could also debut alongside the other two foldables. The device is expected to take on the standard Moto Razr 2025. While we were getting excited about the trio, Samsung has put out a press release to create some hype around the upcoming foldables. Interestingly, the company has put great emphasis on the "Ultra" branding, which it usually uses for its Galaxy S-series phone and previously for Note-series phones. So, does this mean, we are getting a Galaxy Z Fold7 Ultra? Time will only tell. As for the press release, it is titled "Meet the Next Chapter of Ultra" and the first line highlights how Samsung has been listening to fans that have demanded "bigger screens, better cameras and new ways to connect and create." To churn up up the hype, Samsung added, "That’s why Galaxy’s next chapter is to provide an experience that seamlessly blends artistry and engineering to elevate everyday interactions." The GIF inside the press-release reveals what looks like the Galaxy Z Fold7 (or the Galaxy Z Fold7 Ultra, if that exists). Rumors have indicated that this year's Galaxy Z Fold7 is getting taller and wider than last year's model, thanks to a bigger display. The Z Fold7 could also feature a titanium backplate to not only reduce its thickness and make it stronger but to shed some weight as well. The company then directs the attention to its AI features such as voice controls for finding the perfect eatery or shopping place, using powerful AI-powered camera features, and so on. We will get to know more about the devices in the coming weeks. By that time, let us know your thoughts, on whether you would like an Ultra foldable or want Samsung to tweak the existing model and keep the space less-crowded.
    • A couple of friends of mine have been building Gunpla for years and got me interested, so I asked and they recommended this as a fairly good quality, very affordable, starting point. https://www.amazon.co.uk/dp/B0BGN9K1MV It was fun to build, didn't take too long, and helped me decide if I wanted to go further with the hobby, which I did.  Still only got this one built, but that's only due to time availability!
  • Recent Achievements

    • Week One Done
      Leonard grant earned a badge
      Week One Done
    • One Month Later
      portacnb1 earned a badge
      One Month Later
    • Week One Done
      portacnb1 earned a badge
      Week One Done
    • First Post
      m10d earned a badge
      First Post
    • Conversation Starter
      DarkShrunken earned a badge
      Conversation Starter
  • Popular Contributors

    1. 1
      +primortal
      260
    2. 2
      snowy owl
      158
    3. 3
      +FloatingFatMan
      145
    4. 4
      ATLien_0
      140
    5. 5
      Xenon
      131
  • Tell a friend

    Love Neowin? Tell a friend!