@emboss
emboss / gist:2902696
Created June 9, 2012 21:44
Save RSA public keys in the pre-1.9.3 PKCS#1 format
require 'openssl'
require 'base64'
rsa = OpenSSL::PKey::RSA.new(2048)
modulus = rsa.n
exponent = rsa.e
# PKCS#1 RSAPublicKey is just SEQUENCE { modulus INTEGER, publicExponent INTEGER },
# without the AlgorithmIdentifier wrapper that the X.509 SubjectPublicKeyInfo format adds
ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
pub_key = OpenSSL::ASN1::Sequence.new(ary)
# DER-encode the structure and Base64 it (the body of a "RSA PUBLIC KEY" PEM block)
base64 = Base64.encode64(pub_key.to_der)
emboss / gist:2791400
Created May 26, 2012 00:25
Simple TLS server with client renegotiation disabled
require 'openssl'
require 'socket'
KEY = OpenSSL::PKey::RSA.new <<-_end_of_pem_
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDLwsSw1ECnPtT+PkOgHhcGA71nwC2/nL85VBGnRqDxOqjVh7Cx
aKPERYHsk4BPCkE3brtThPWc9kjHEQQ7uf9Y1rbCz0layNqHyywQEVLFmp1cpIt/
Q3geLv8ZD9pihowKJDyMDiN6ArYUmZczvW4976MU3+l54E6lF/JfFEU5hwIDAQAB
AoGBAKSl/MQarye1yOysqX6P8fDFQt68VvtXkNmlSiKOGuzyho0M+UVSFcs6k1L0
maDE25AMZUiGzuWHyaU55d7RXDgeskDMakD1v6ZejYtxJkSXbETOTLDwUWTn618T
emboss / pbkdf2.rb
Created October 20, 2011 04:34
Using PBKDF2 with HMAC-SHA256 for storing passwords
require 'openssl'
p = "password"
# according to PKCS#5, the salt should be at least 8 bytes. Public information, can be stored along with the pwd.
s = OpenSSL::Random.random_bytes(16)
c = 20000 # varies depending on how fast the system is, tweak until it takes "long enough"
digest = OpenSSL::Digest::SHA256.new
# should be >= the output size of the underlying hash function, but ">" doesn't improve security (says PKCS#5)
dk_len = digest.digest_length
# store the result (together with the salt and iteration count) for new passwords
value = OpenSSL::PKCS5.pbkdf2_hmac(p, s, c, dk_len, digest)
emboss / gist:1470287
Created December 13, 2011 02:57
Encode pre-1.9.3 RSA public keys using X.509 format
require 'openssl'
require 'base64'
rsa = OpenSSL::PKey::RSA.new(2048)
modulus = rsa.n
exponent = rsa.e
oid = OpenSSL::ASN1::ObjectId.new("rsaEncryption")
alg_id = OpenSSL::ASN1::Sequence.new([oid, OpenSSL::ASN1::Null.new(nil)])
ary = [OpenSSL::ASN1::Integer.new(modulus), OpenSSL::ASN1::Integer.new(exponent)]
emboss / JS crypto libraries
Created November 4, 2013 00:52
JavaScript crypto libraries
sjcl (http://crypto.stanford.edu/sjcl/)
crypto-js (https://code.google.com/p/crypto-js/)
jsCrypto (https://code.google.com/p/jscryptolib/)
triplesec (https://github.com/keybase/triplesec)
polycrypt (https://github.com/polycrypt)
emboss / gist:6694336
Created September 25, 2013 02:13
The new Krypt::Asn1 implementation written purely in Ruby: Parsing performance compared to OpenSSL::ASN1.
The new Krypt::Asn1 implementation, written entirely in Ruby
vs.
OpenSSL::ASN1/OpenSSL::X509, both written in native C/Java code.
$ ruby --version
ruby 2.1.0dev (2013-09-25 trunk 43039) [x86_64-linux]
$ ruby -Ilib tmp/bm_asn1_parse.rb
emboss / TestPolicyFiles.java
Last active December 10, 2015 17:58
Test program to detect the need for "Unlimited Strength Policy Files"
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
public class TestPolicyFiles {
public static void main(String[] args) {
try {
KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(256);
emboss / secureinstall.md
Created September 4, 2012 18:46
Secure Installation or the notion of a "Trusted Path"

Secure installation of OpenSSL FIPS module.

While looking into the "FIPS mode" of OpenSSL recently, I found this. What puzzled me was the footnote about "secure installation", and the details from section 6.6 of the OpenSSL FIPS User Guide. To count as a valid installation that fulfills all of the requirements, users are required to verify the integrity of the OpenSSL FIPS sources with an independently acquired FIPS 140-2-validated cryptographic module. The programmer in us immediately shouts "Infinite recursion!", and what at first seems like an overly academic troll by the CMVP turns out to be a delicate issue, not novel at all, but with far-reaching consequences for the status of any "validated" piece of software in general, or as the OpenSSL FIPS User Guide puts it:

>Note this last point is downright mind-boggling: it amounts to an assertion that essentially all installations of v

emboss / gist:3253173
Created August 4, 2012 00:58
Compute EC public key from private key and generator
require 'openssl'
group = OpenSSL::PKey::EC::Group.new('prime256v1')
generator = group.generator # the generator point G of the curve
ec = OpenSSL::PKey::EC.new
ec.group = group
ec.generate_key # generate a key pair
priv = ec.private_key # this is a random number, an OpenSSL::BN
emboss / gist:2662872
Created May 11, 2012 22:38
Compute integer cubic root via Newton-Raphson
class Integer
  # Newton-Raphson: the cubic root of n is equivalent to finding x in x**3 - n = 0
  # => x_(k+1) = x_k - f(x_k) / f'(x_k)
  # => x_(k+1) = x_k - (x_k**3 - n) / (3 * x_k**2)
  # => x_(k+1) = (2*x_k**3 + n) / (3*x_k**2)
  # => x_(k+1) = 2*x_k/3 + n/(3*x_k**2)
  # returns an integer cubic root and a boolean indicating whether the root is exact
  def icbrt
    iter = lambda { |x, n| 2 * x / 3 + n / (3 * x * x) }
    x = self