How to Use OpenSSL to Generate X.509 Certificate Request

In this tutorial, let’s learn how to use OpenSSL to generate an X.509 certificate request.

A certificate signing request (CSR) is a message sent from an applicant to a certificate authority, which usually includes:

  1. Country Name (2 letter code) [US]
  2. State or Province Name (full name) [BC]
  3. Locality Name (e.g., city) [Vancouver]
  4. Organization Name (e.g., company) [My Company Ltd]
  5. Organizational Unit Name (e.g., section)
  6. Common Name (e.g., your name or your server’s hostname)
  7. Email Address

Implementation Steps:

  1. Generate RSA key
  2. Set version
  3. Set subject
  4. Set public key
  5. Sign the request with the private key
  6. Free

Code & Result:

#include <stdio.h>
#include <stdbool.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

bool gen_X509Req(void)
{
    int             ret = 0;
    RSA             *r = NULL;
    BIGNUM          *bne = NULL;

    long            nVersion = 0;       // PKCS#10 v1 is encoded as the integer 0 (RFC 2986)
    int             bits = 2048;
    unsigned long   e = RSA_F4;         // public exponent 65537

    X509_REQ        *x509_req = NULL;
    X509_NAME       *x509_name = NULL;
    EVP_PKEY        *pKey = NULL;
    BIO             *out = NULL;

    const char      *szCountry = "CA";
    const char      *szProvince = "BC";
    const char      *szCity = "Vancouver";
    const char      *szOrganization = "Dynamsoft";
    const char      *szCommon = "localhost";

    const char      *szPath = "x509Req.pem";

    // 1. generate rsa key
    bne = BN_new();
    ret = BN_set_word(bne, e);
    if (ret != 1) {
        goto free_all;
    }

    r = RSA_new();
    ret = RSA_generate_key_ex(r, bits, bne, NULL);
    if (ret != 1) {
        goto free_all;
    }

    // 2. set version of x509 req
    x509_req = X509_REQ_new();
    ret = X509_REQ_set_version(x509_req, nVersion);
    if (ret != 1) {
        goto free_all;
    }

    // 3. set subject of x509 req (modern CAs also expect a subjectAltName extension,
    //    added with X509_REQ_add_extensions, because browsers match host names against
    //    SAN rather than CN)
    x509_name = X509_REQ_get_subject_name(x509_req);

    ret = X509_NAME_add_entry_by_txt(x509_name, "C", MBSTRING_ASC, (const unsigned char*)szCountry, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "ST", MBSTRING_ASC, (const unsigned char*)szProvince, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "L", MBSTRING_ASC, (const unsigned char*)szCity, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "O", MBSTRING_ASC, (const unsigned char*)szOrganization, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "CN", MBSTRING_ASC, (const unsigned char*)szCommon, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    // 4. set public key of x509 req
    pKey = EVP_PKEY_new();
    ret = EVP_PKEY_assign_RSA(pKey, r);  // on success pKey owns r and frees it in EVP_PKEY_free
    if (ret != 1) {
        goto free_all;
    }
    r = NULL;

    ret = X509_REQ_set_pubkey(x509_req, pKey);
    if (ret != 1) {
        goto free_all;
    }

    // 5. sign the request with the private key (proof of possession). SHA-256 is used
    //    because SHA-1 signatures are rejected by CAs and browsers.
    ret = X509_REQ_sign(x509_req, pKey, EVP_sha256());  // returns the signature length, 0 on error
    if (ret <= 0) {
        goto free_all;
    }

    out = BIO_new_file(szPath, "w");
    if (out == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = PEM_write_bio_X509_REQ(out, x509_req);

    // 6. free
free_all:
    X509_REQ_free(x509_req);
    BIO_free_all(out);

    EVP_PKEY_free(pKey);
    RSA_free(r);    // only non-NULL if we failed before handing r to pKey
    BN_free(bne);

    return (ret == 1);
}

int main(void)
{
    return gen_X509Req() ? 0 : 1;
}
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Feel free to download the sample code and run it in Visual Studio.

How to Use OpenSSL to Generate RSA Keys in C/C++

RSA is a well-known public-key cryptosystem used to secure data transmission. This tutorial introduces how to use OpenSSL to generate an RSA public/private key pair on Windows.

  1. Download and install OpenSSL https://www.openssl.org/community/binaries.html.
  2. Find libeay32.lib, ssleay32.lib and libeay32.dll.
  3. The following sample code will generate a public key “public.pem” and a private key “private.pem”.
#include <stdio.h>
#include <stdbool.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>

bool generate_key(void)
{
    int             ret = 0;
    RSA             *r = NULL;
    BIGNUM          *bne = NULL;
    BIO             *bp_public = NULL, *bp_private = NULL;

    int             bits = 2048;
    unsigned long   e = RSA_F4;     // public exponent 65537

    // 1. generate rsa key
    bne = BN_new();
    ret = BN_set_word(bne, e);
    if (ret != 1) {
        goto free_all;
    }

    r = RSA_new();
    ret = RSA_generate_key_ex(r, bits, bne, NULL);
    if (ret != 1) {
        goto free_all;
    }

    // 2. save public key (PKCS#1 "RSA PUBLIC KEY" form; PEM_write_bio_RSA_PUBKEY writes
    //    the SubjectPublicKeyInfo "PUBLIC KEY" form that most other tools expect)
    bp_public = BIO_new_file("public.pem", "w+");
    if (bp_public == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = PEM_write_bio_RSAPublicKey(bp_public, r);
    if (ret != 1) {
        goto free_all;
    }

    // 3. save private key. The NULL cipher and passphrase arguments write it in the clear,
    //    so restrict the file permissions of private.pem, or pass EVP_aes_256_cbc() and a
    //    passphrase to store it encrypted.
    bp_private = BIO_new_file("private.pem", "w+");
    if (bp_private == NULL) {
        ret = 0;
        goto free_all;
    }
    ret = PEM_write_bio_RSAPrivateKey(bp_private, r, NULL, NULL, 0, NULL, NULL);

    // 4. free
free_all:
    BIO_free_all(bp_public);
    BIO_free_all(bp_private);
    RSA_free(r);
    BN_free(bne);

    return (ret == 1);
}

int main(void)
{
    return generate_key() ? 0 : 1;
}

Feel free to download the sample code and run it in Visual Studio.

Secure Image Scanning, Processing and Uploading in Web App

Introduction

Security is always an important factor when choosing a document imaging API. It directly relates to:

  • Whether the control is safe and friendly enough for end users to download and install.
  • Whether the control will access local data and communicate with others silently.
  • Whether it is secure to upload the image data over the network.

In this article, I’ll share with you how Dynamsoft’s Dynamic Web TWAIN scanner control handles these security concerns.

About Dynamic Web TWAIN

Dynamic Web TWAIN is an image acquisition API optimized for web applications. The component allows you to scan documents/images from scanners and other TWAIN compliant devices. Extension features including image processing and uploading are also supported.

Security Features

1. Safe to Download

Dynamic Web TWAIN ActiveX is digitally signed by VeriSign. By signing the component digitally, a dialog box with the publisher’s legal name will appear when a customer first installs the scanning component. The user can choose whether they want to install the component during the download and install process.

Install DWT on the client side

If the control is altered after the publisher has signed it, the digital signature will be broken and the user will be informed. This makes it impossible for the signed control to be infected by a virus or maliciously tampered with by hackers. With Dynamic Web TWAIN, there are 2 levels of signatures:

First, the library files “DynamicWebTwainCtrl.dll” and “DynamicWebTwainCtrlTrial.dll” are digitally signed. This ensures that Dynamic Web TWAIN itself won’t be tampered with.

Secondly, the cabinet files “DynamicWebTWAIN.cab” and “DynamicWebTWAINx64.cab” are digitally signed. These files contain the library files and additional files with the extension “INF” (which are used when the control is being installed on the client machine). This signature makes sure that the files downloaded on the client machines are the correct & unchanged ones.

2. Marked safe for initialization and scripting

Dynamic Web TWAIN is marked safe for initialization and scripting as you can see in the below screenshot. With these marks, Dynamsoft guarantees there is no security breach when you use Dynamic Web TWAIN.

DWT marked safe for initialization and scripting

3. Non-disclosure of any personal info.

Dynamic Web TWAIN is a component meant to add scanner support to web applications. For end users, the documents they scan are usually private and important. Any unintentional disclosure of the info cannot be tolerated. When documents are scanned, they’re stored in the buffer of Dynamic Web TWAIN which is part of the physical memory allocated for the web browser on the client machines. Without the permission from the user, the data won’t go anywhere. All interfaces of Dynamic Web TWAIN are secure; it does nothing unless commanded by the current user.

4. Minimal communication with the outside world.

Users with high security requirements are concerned about any information that would be sent to the outside world without their knowledge. They can rest assured when using Dynamic Web TWAIN, because the only communication it has with the outside world is verifying the certificate that was used for the digital signature. The certificate is from VeriSign, and the verification process is considered 100% secure.

If the user does not even want the verification, the certificate can be removed. But this is not recommended, as discussed in point 1.

5. Secure data transmission over the network.

a. Support for SSL

You can use SSL to encrypt your posted data to further ensure secure data transmission. This is necessary for many web applications that require data upload/download.

b. Authentication

Dynamic Web TWAIN supports authentication methods including Windows, Forms and Basic Authentication, which gives software developers the most flexibility in setting access permissions. Cookies and sessions are also supported by the component.

c. Compatible with Protected Mode and Data Execution Prevention (DEP)

Since Windows 2008, Microsoft has turned Protected Mode and DEP on by default to protect against viruses and other attacks. Dynamic Web TWAIN is fully compatible with Protected Mode and DEP.

Case Study — Lockheed Martin

All the above features are the reasons why Lockheed Martin chose us for their Intranet Quorum system (check out the case study in PDF format). Intranet Quorum®, or IQ, is Lockheed Martin’s web based out-of-the-box enterprise contact management and workflow system for government offices. It is widely used by leading federal agencies, the United States Congress, and numerous state and local government organizations.

If you are interested in the SDK, the trial version is available for you.
Dynamic Web TWAIN 30-Day Free Trial Download

You can also see it in action:
Dynamic Web TWAIN Online Demo

Why a Dedicated VM for Your TFS Hosting Service

More and more people are inclined to choose hosting services: they are convenient, secure, cost-effective, and so on. Usually, a hosting company provides two kinds of plans for customers with different requirements: a Shared Plan and a Managed Plan. The primary difference between them is that the Managed Plan gives users a dedicated virtual machine.

So why choose the Managed Plan, even though it costs more? Taking Dynamsoft’s TFS Hosting service as an example, I’ll give 5 reasons:

TFS Plan

1. More Intense Monitoring

Besides the 24*7 network and security monitoring from the world-class Primus data center, our administrators monitor your server 24*7 to ensure you get the maximum security and performance.

  • 24*7 tracking of your hosting environment
  • Monitoring of your server and its CPU/memory usage
  • Tracking and elimination of unexpected traffic increases

2. More secure and independent

Instead of sharing one SQL Server with other hosting users, you get your own instance of VM and SQL Server. By isolating your database from others, the dedicated VM environment decreases the impact from other hosting users to the minimum.

3. Flexible

Urban Turtle and Build Server are optional add-ons provided by Dynamsoft’s hosting services, both for the shared and managed plans. Besides these two add-ons, you are allowed to install additional software/add-ons onto your virtual machine. To keep a secure environment, remote access is disabled to avoid any malicious data.

In the meantime, based on the ongoing proactive server monitoring, Dynamsoft provides the maximum available memory in the most flexible way. Security and other software upgrades and patches can be applied according to your requirements.

4. More Resources

Since teams with more than 5 members are more inclined to choose the Managed Plan, we designed the plan to help customers focus on their own tasks, with no worries about the performance and resource questions that can arise as teams expand and the projects under version control grow. You can expand the physical memory beyond the default 4 GB, and the maximum storage capacity can also be increased to fully meet your requirements.

5. More support

One of the main differences that makes the dedicated hosting service stand out is that the Managed Plan offers more support. As a customer-oriented company, Dynamsoft provides different support channels, including email, online chat, phone, forum, knowledge base and the ticket system, as the standard ones to help customers in different time zones. On top of those, Managed Plan users get best-practice suggestions and consultation from our R&D team, based on 8 years of experience developing our own version control and issue tracking tools.
(Our team developed SourceAnywhere for VSS as the fastest internet and cross-platform VSS solution; then SourceAnywhere, a SQL Server-based version control tool; and then SCM Anywhere, which combines version control and issue tracking.)

If you are interested in the Managed Plan of Dynamsoft TFS Hosted, check out the following page for detailed information. A 5-day free trial is available.

Dynamsoft TFS hosted Managed Plan

Version Control: Manage and Protect Your Source Code

Source code is the most treasured asset for us developers. While we expect a version control tool to better manage our projects and documents and save us time, we also require it to be secure.

Dynamsoft SourceAnywhere, a SQL Server-based version control tool designed for both central and distributed teams, protects your data on every level, ranging from the unique database encryption, file content permission, to neat access permissions and data protections over the network.

Version Control Security

I.        Content Level

a) Database Encryption

This is a unique and important security feature provided by Dynamsoft’s version control tools. It encrypts your database on the file content level, and users are not able to view the file unless they have the permission. Under the unlikely worst scenario, even if your database is copied without your permission, no one can read a single file in your repository unless they know your passphrase.

b) Cache File Encryption

To speed up the performance for distributed teams, the team introduced the cache mechanism to SourceAnywhere. Cache file encryption is provided to protect these temporary files.

c) Microsoft SQL Server as the back-end to store your databases

Compared with the file-system mechanism, Microsoft SQL Server is a robust and mature tool to store the data, especially when you have large projects to manage. The security features provided by SQL Server give a great protection to your data. The features include database authentications, access permissions, database backup and more.

II.        Safe data transmission over the network.

SourceAnywhere supports Secure Sockets Layer (SSL) and Blowfish to secure your data.

Version Control SSL and Blowfish

III.        Access Level

a) Permissions

SourceAnywhere allows you to manage the access permissions on 2 levels: Repository Level and Project Level.

Version Control Access Permissions

b) Password Policy.

Password complexity and expiration settings go a long way toward preventing break-ins and unexpected access. The user lock-out feature in SourceAnywhere gives you another security lock. For example, you enable the “Lock Out” option and allow 3 unsuccessful login attempts. It is almost impossible for a hacker to guess a password that mixes numbers and letters of varying length within 3 attempts.

Version Control Password Policy

c) Windows Authentication

On top of the password policy, the Built-in and Windows Integrated authentications are also available in SourceAnywhere.

Version Control Authentication

If you’d like to check out the security features of SourceAnywhere by yourself, the 30-day free trial is available:

SourceAnywhere 30-Day Free Trial Download