Certificate and RSACryptoServiceProvider

//===
RSACryptoServiceProvider rsa ...

Bob rsa.Encrypt(): use Alice's public key to encrypt the msg sent for the receiver Alice;

Bob rsa.Decrypt():  use Bob's private key to decrypt the received msg target for Bob from ...;


Henceforth, in order to sign the hash, have to use rsa.Decrypt() (i.e. pirvate key) !?
to verify the crypted sig , have to use rsa.Encrypt()
but they failed for hash/sig verify/creation

*** use rsa.VerifyHash() / rsa.SignHash() instead


//=== another trouble
exception: Key not valid for use in specified state.
input data to long?

常用的Windows Registry 與 路徑

//=== application programs loaded in system tray
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

• Run
• RunOnce
• RunServices
• RunServicesOnce

//=== IE temporary internet files
C:\Documents and Settings\username\Local Settings
C:\Documents and Settings\username\Local Settings\Temp
C:\Documents and Settings\username\Local Settings\Temporary Internet Files
C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Internet Explorer
C:\Documents and Settings\username\Start Menu\Programs

Vista
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\

Certificate chain and Certificate

[Q] How to get the whole certificate chain from a given X509 certificate?
[Q] How to get the CA's certificate from a given DN?
[Q] How to get the CA's certificate from a given public key?

[try]
C#,
X509Chain xChain;
X509Certificate2 cert;
...
xChain.Build(cert);
...
X509ChainElement
...

[ref]
X509Chain,
http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509chain.aspx

online certificate chain check,
http://forums.asp.net/t/1149495.aspx

//===

• certificate chain = certificate path
• DN= Distinguished Name
• CN= Common Name

//=== Digital certificate (or Certificate for short)

Digital certificates are used to authenticate an entity( a person, an organization, a company, ...) 
 by  "a chain of trust" .
 
The chain is formed topdown?,  with a root authority(RA) at the top.
To view any certificate's chain,

• trigger MMC snap-in by double-clicking a certificate,
• then click the Certificate Path tab.

//===
The root authority certificate at the top of a certificate chain is self-issued.

//===  Distinguished Name (DN) uniquely identifies an entity in an X.509 certificate.
Attribute types in  DN:

• CN:  Common Name
•  T :  Title
•  O :  Organization name
•  OU :  Organizational Unit name
•  L : Locality name
•  ST (or SP or S)  : State or Province name
•  C : Country

 //=== Digital certificate (Certificate for short)

A digital certificate contain at least the following information

• The owner's public key
• The owner's Distinguished Name  (Owner's DN)
• The Distinguished Name of the CA that is issuing the certificate (issuer's DN)
• The date from which the certificate is valid (Valid From)
• The expiry date of the certificate (Valid To)
• A version number
• A serial number (SN)

 
[ref]
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahu/rzahudistname.htm

http://java.sun.com/j2se/1.5.0/docs/guide/security/cert3.html

http://www.iona.com/support/docs/orbix2000/2.0/tls/html/OpenSSL4.html

Get CN from Certificate

[Q] How to get "CN" attribute from a certificate ?

X509Certificate2 cert;
...
cert.SubjectName.Name= "CN= ..., OU= ..."

[try] my primitive approach ...
//=== C# code snippet


public string getCN( X509Certificate2  cert)
{
string s = cert.SubjectName.Name;
string[] strArr=s.Split(new char[] { ',' });

for (int i = 0; i < strArr.Length; i++)
{
  if (strArr[i].Contains("CN"))
  {
    s = strArr[i];
    int pos = s.IndexOf('=');
    s=s.Substring(pos + 1);
    break;
   }

 }

 return s
}

asn, ber, der again

//===  BER encoding == Type(Tag) + Length + Value(Contents)
Type(Tag) : 佔掉1個byte
Length : 佔掉1~5(?)個bytes
Value(Contents): 所佔的bytes 由Length field 來決定

常用的Type :
0x03 == Bit String
0x04 == Octet String



//===  Example  of  BIT STRING with value "0101-1110-0100-1111-0111-1"
DER encoding (padding "000") :
0x 03(stands for type Bit String)  04(length in bytes)  03(3 padding bits) 5e 4f 78  
--> 0x 03 04 03 5e 4f 78


 

//=== short form / long form of  length field of BER-TLV

Short form:  the length field consists of a single byte where the bit B8 shall be set to 0 and the bits B7-B1 stands for the number of bytes in the value field. Any length from 0-127 is encoded by 1 byte.

Long form:  the length field consists of a leading byte where the bit B8 shall be set to 1 and the B7-B1 shall not be all equal(i.e 1111-1111, 1000-0000 are not allowed), B7-B1 stands for the number of subsequent bytes in the "length" field. Those subsequent bytes shall encode an integer equal to the number of bytes in the value field.
Any length within ushort  (up to 65535= 0xFFFF) can thus be encoded by 3 bytes.

Example:  if the value is  500-byte long (0x 01 F4), then the encoded length will consist of
three bytes: 82 01 F4.

Neither DER nor ISO/IEC 7816  use the indefinite lengths specified by the BER(basic encoding rules) of ASN.1





 

//===
"... DER adds the following restrictions to the rules given in Section 3:

• When the length is between 0 and 127, the short form of length must be used
• When the length is 128 or greater, the long form of length must be used, and the length must be encoded in the minimum number of octets.
• For simple string types and implicitly tagged types derived from simple string types, the primitive, definite-length method must be employed.
• For structured types, implicitly tagged types derived from structured types, and explicitly tagged types derived from anything, the constructed, definite-length method must be employed.

...
"

//=== BER encoding for BitString :

Primitive or constructed.

P/C is the primitive/constructed bit: Bit 6 of the first byte(Type byte) ,  it specifies if the value is primitive(integer, byte, bool, ..  or constructed type which holds TLV values like a SET.

If P/C bit is "on" , it indicates a constructed type.

Padding:

• The bit string is padded with zero to seven bits of "any value" to make the length of the bit string a multiple of eight.
• If the length of the bit string is a multiple of eight already, no padding is done.

 

"Primitive" encoding :

• The first "contents octet" gives the number of bits by which the length of the bit string is less than the next multiple of eight (this is called the "number of unused bits").  == the number of padded bits for Bit String
• The second and following contents octets give the value of the bit string, converted to an octet string.

  

"Constructed" encoding:
??? the contents octets give the "concatenation" of the BER encodings of consecutive substrings of the bit string, where each substring except the last has a length that is a multiple of eight bits.

Example: The BER encoding of the Bit String value "0110-1110-0101-1101-11"

 

  

DER encoding  : 03 04 06 6e 5d c0


 

padded with "100000"  : 03 04 06 6e 5d e0

   

long form of length octets : 03 81 04 06 6e 5d c0

constructed encoding: "0110111001011101" + "11"  

23 09 +
03 03 00 6e 5d +
03 02 06 c0

[ref]
http://luca.ntop.org/Teaching/Appunti/asn1.html
http://en.wikipedia.org/wiki/Basic_Encoding_Rules
http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_annex-d.aspx#AnnexD_3
https://www.opends.org/wiki/page/DefBasicEncodingRules

某大電信公司 非固定制ADSL配發固定ip時程

在打了三通客服電話 + 兩封email後
最後得到一個???答案 : "辦理移機業務 原則上需7個工作天才竣工,故需待竣工後申請之非固固定ip才能重新配發"

移機申請後 第二個工作天 工程人員就來跳線 當天網路查詢進度就已經竣工了
但是 "... 竣工後申請之非固 固定ip才能重新配發 ..."
竣工後 重新配發固定ip 又需要幾個工作天 固定ip才能真的上線使用呢???

還是沒有答案 ....



//===
Subject: xxNet客服中心回函(xxNet Customer Care Center Reply)

親愛的客戶您好: 首先感謝台端來函!


您的來函編號為{HIN5xxxxxxx}

經查詢詢台端是2010/05/xx辦理移機業務,故原則上需7個工作天才竣工,故需待竣工後申請之非固固定ip才能重新配發.

xx電信數據分公司祝您上網愉快! 若您有任何問題或者建言，請電洽0800 080 xxx客服中心或再來函與我們聯絡，我們將竭誠為您服務。
為有效處理廣告信檢舉，假使您是要檢舉廣告信請寄至spam@ms1.xxNet.net
======最新業務訊息======= 有關於ADSL+xxNet最新優惠方案台端可來函apply.xxNet@msa.xxNet.net留下您的大名及聯絡方式或來電02-2192xxxx 將有專人為您解說服務!




//===
Subject: xxNet客服中心回函(xxNet Customer Care Center Reply)

親愛的客戶您好: 首先感謝台端來函!


您的來函編號為{HINxxxxxxxxx}

有關台端的問題，煩請您來信提供ADSL附掛電話號碼(含區碼)，以利為您轉相關單位回
覆，不便之處，敬請見諒！

xx電信數據分公司祝您上網愉快! 若您有任何問題或者建言，請電洽0800 080 xxx客
服中心或再來函與我們聯絡，我們將竭誠為您服務。
為有效處理廣告信檢舉，假使您是要檢舉廣告信請寄至spam@ms1.xxNet.net
======最新業務訊息=======
有關於ADSL+xxNet最新優惠方案台端可來函apply.xxNet@msa.xxNet.net
留下您的大名及聯絡方式或來電02-21926xxxx(???) 將有專人為您解說服務!


//===
Subject: web 主旨 : 非固定制ADSL 配發固定IP時程

敬啟者您好:

客戶HN號碼：
客戶端電腦系統環境： ....
以下為客戶來信內容

本人安裝非固定制ADSL 申請配發固定IP
自從移機當日 到今天已是第五個工作天
打了三次客服電話 每次都是
資料庫還在作業 請您再等兩三天 作業完成後會以email通知您

如此不僅用戶沒辦法掌握時程
反覆電話詢問 也會造成客服人員困擾

強烈建議: 申請非固定制ADSL 配發固定IP時程 應給出上限 避免彼此困擾

ThrashBox Test Again !

//===
preview differs from the final post ?
inter-influence between post and side-bar gadget?
embedded CSS name conflict?





//=== ThrashBox is fine within "Post" but doesnot work well in side gadget

TrashBox Test

Who's who?

//=== The following example does not use thrashBox and can be applied to Blogger's gadget without misalignment

SmartCard

3H Itek