New TSslCertTools component to create and sign certificates. More minor SSL improvements. Major update of OverbyteIcsPemtool sample.
The main SSL changes have been running on my public server since December, but the new TSslCertTools component still needs more testing and is missing some minor functionality, any comments appreciated. The two main functional changes are that ICS now supports all the common SSL certificate file formats (previously just PEM) so it should no longer be necessary to mess around with the OpenSSL tools converting file formats, and now support Elliptic Curve (ECDSA) private keys and certificates, which have lower overhead than RSA keys and certificates. There is also a major change to SSL debug logging. Previously loSslInfo created vast log files with lots of BIO lines which were not related to the SSL protocol but which are really for internal ICS development. These BIO lines have now gone, and been replaced by some more useful debugging lines and full hex dumps of all SSL protocol packets. If decoded, these dumps can be used to locate SSL protocol issues when negotiation fails, which can currently be done using Wireshark externally. Unfortunately decoding these protocol packets is not trivial, there is a new event OnSslProtoMsg which receives the raw data if someone has the time to look further at this. OverbyteIcsWSocket.pas Jan 27, 2017 V8.40 TX509Base can now read and save all common X509 certificate file formats: .PEM, .CER, .CRT - Base64 encoded DER - LoadFromPemFile/SaveToPemFile .DER, .CER, .CRT - binary DER - LoadFromPEMFile/SaveToDERFile .P7B, .P7R, .SPC - PKCS#7 - LoadFromP7BFile/SaveToP7BFile .PFX, .P12 - PKCS#12 - LoadFromP12File/SaveToP12File PEM/P12 may have certificate and private key PEM/P7B/P12 may have extra intermediate certificates LoadFromFile/SaveToFile uses file extension to choose file format. Extra options for TX509Base methods to load and save files to specify if private key should be read or saved and the password. TX509Base will now encrypt private keys with a password. CheckCertAndPKey in TX509Base checks cert and pkey match. SslCertX509 in context now public not published, returns certificate and private key from the context rather than what was loaded, and may be used to set both, overriding any previous settings. Fixed bug in TX509Base.SerialNumHex to show correct serial, note most browsers display serial in hex not a numeric value. Added SerialNumHexto GetCertInfo. Fixed bug in TX509Base.SerialNum to clear SSL error for an illegal serial, to avoid handshaking later failing with 'asn1_get_uint64:too large' (mainly when logging was enabled). TX509Base.SerialNum now returns an int64 instead of integer, but only correctly with 1.1.0 and later (or use SerialNumHex instead). Added SslSecLevel to context to set security level (1.1.0 and later), defaults to sslSecLevel80bits, set sslSecLevelNone for SSLv3. Added CheckPrivateKey to context which checks loaded certificate and private key match. Added OnSslProtoMsg event which receives SSL protocol messages (in binary, need decoding) for debugging purposes. Added loSslDevel to ICS logger which replaces many loSslInfo logging lines for BIO. read and write which are really internal ICS development use to make logging more readable, added more useful loSslInfo lines. Added SslBuildCertChain to context for servers to validate correct certificates loaded OK (not sure how useful yet). Added SslGetCertChain to context for servers to get list of certificates in chain (not sure how useful yet). Added ReadOnly option to IcsSslOpenFileBio since mostly we don't want to update certificates. GetKeyInfo now support both RSA and EC keys, displays curve names. Added GetPKeyRawText to display private key raw values. Added PrivateKeyInfo to display private key type and size. Added CertPolicies, AuthorityKeyId, SubjectKeyId and CRLDistribution extended certificate properties. Added ExtendedValidation returns true for EV certificates. OpenSSL 1.1.0 and later support security levels, as follows: TSslSecLevel = ( sslSecLevelAny, // 0 - anything allowed, old compatibility sslSecLevel80bits, // 1 - default, RSA/DH keys=>1024, ECC=>160, no MD5 sslSecLevel112bits, // 2 - RSA/DH keys=>2048, ECC=>224, no RC4, no SSL3, no SHA1 certs sslSecLevel128bits, // 3 - RSA/DH keys=>3072, ECC=>256, FS forced, no TLS/1.0 sslSecLevel192bits, // 4 - RSA/DH keys=>7680, ECC=>384, no SHA1 suites, no TLS/1.1 sslSecLevel256bits); // 5 - RSA/DH keys=>15360, ECC=>512 OverbyteIcsLIBEAY.pas OverbyteIcsLogger.pas OverbyteIcsSSLEAY.pas Added more functions to get and check context certs. Added Protocol Message callback functions for handshake debugging Added Security Level functions (1.1.0 and later) Added 200 more certificate, EC key, digest, encryption and signing functions (but still over 3,000 missing, fortunately not needed often). OverbyteIcsSslX509Utils.pas Jan 27, 2017 V8.40 Angus New TSslCertTools component to create and sign certificates. Create Elliptic Curve/ECDSA private keys. Create certificate request from old certificate. Sign certificate requests as CA. Create DHParam files. Add alternate extended properties to certs, DNS and IP addresses. Added TEvpCipher and TEvpDigest (hash) types supported by OpenSSL. Display Sha1Hex in General certificate as Fingerprint. Pending - short term Saving more X509v3 extensions for requests and certs Saving intermediate certs in files Saving a CA databases of certificates created Sign buffers and files with private keys and digests Pending - long term Download free SSL certificates from Let's Encrypt using ACME protocol Create string and file encryption component from existing functions Using TSslCertTools component ============================= The main test application for the component is the OverbyteIcsPemtool sample, which illustrates use of all the methods and properties. Message digests or hashes: TEvpDigest = (Digest_md5, Digest_mdc2, Digest_sha1, Digest_sha224, Digest_sha256, Digest_sha384, Digest_sha512, Digest_ripemd160); Private key algorithm and key length in bits, bracketed comment is security level and effective bits, beware long RSA key lengths increase SSL overhead heavily: TSslPrivKeyType = ( PrivKeyRsa1024, // level 1 - 80 bits PrivKeyRsa2048, // level 2 - 112 bits PrivKeyRsa3072, // level 3 - 128 bits PrivKeyRsa4096, // level 3 - 148 bits? PrivKeyRsa7680, // level 4 - 192 bits PrivKeyRsa15360, // level 5 - 256 bits PrivKeyECsecp256, // level 3 - 128 bits PrivKeyECsecp384, // level 4 - 192 bits PrivKeyECsecp512, // level 5 - 256 bits PrivKeyECX25519); // level 3 - 128 bits Private key file encryption: TSslPrivKeyCipher = ( PrivKeyEncNone, PrivKeyEncTripleDES, PrivKeyEncIDEA, PrivKeyEncAES128, PrivKeyEncAES192, PrivKeyEncAES256, PrivKeyEncBlowfish128); Create a new private key file ----------------------------- A private key is required to create a self signed certificate or a certificate request, and needs to be installed on any SSL servers (never distribute it). 1 - Set property PrivKeyType (RSA or EC) from TSslPrivKeyType. 2 - Create keys using DoKeyPair method checking exception for any errors. 3 - PrivateKey property contains pointer to new private key. 4 - If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher. 5 - Save private key to file using PrivateKeySaveToPemFile method with optional password. 6 - Optionally save public key to file using PublicKeySaveToPemFile method. Create a new certificate request from properties ------------------------------------------------ A certificate request is needed to buy a commercial SSL certificate from a public certificate authority and most importantly specifies the host domain name of the public SSL server it will secure. 1 - Create a new private key (see above) or load an old key using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods. 2 - Specify request properties, CommonName (host domain name), Country, State, Locality, Organization, OrgUnit, KeyDigiSign, KeyKeyEnc, etc, as needed. 3 - Create request using DoCertReqProps method checking exception for any errors. 4 - X509Req property contains pointer to new request. 5 - Save request to PEM file using SaveReqToFile method. 6 - Optionally save request to string using SaveReqToText method. Create a new certificate request from old certificate ----------------------------------------------------- This is a shorter way to create a new request when renewing an existing certificate with the same private key. 1 - Load existing certificate using LoadFromFile or LoadFromText methods. 2 - Load private key for existing certificate using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods. 3 - Create request using DoCertReqOld method checking exception for any errors. 4 - X509Req property contains pointer to new request. 5 - Save request to PEM file using SaveReqToFile method. 6 - Optionally save request to string using SaveReqToText method. Create new self signed certificate from properties -------------------------------------------------- Self signed certificates are mostly used for testing SSL applications on temporary servers, prior to final deployment to a public server with a commercial SSL certificate. Can also used for internal networks. May also be used to create your own CA certificate if you want to sign your own certificates. 1 - Create a new private key (see above) or load an old key using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods. 2 - Specify certificate properties, CommonName (host domain name), Country, State, Locality, Organization, OrgUnit, KeyDigiSign, KeyKeyEnc, etc, as needed. 3 - Create certificate using DoSelfSignCert method checking exception for any errors. 4 - X509 property contains pointer to new certificate. 5 - If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher. 6 - Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. 7 - Optionally save certificate to string using SaveCertToText method. Create new CA signed certificate from certificate request --------------------------------------------------------- This is how commercial certificate authorities create SSL certificates from a request, signing it with their own CA certificate (root or intermediate) that will be trusted by Windows due to the root already being installed locally. For development, you can create your own CA root certificate and install it in the Windows certificate store of any test computers, then create certificates signed by the root and they will be trusted by Windows without needing to accept security exceptions as happens with self signed certificates. 1 - The CA certificate and CA private key need to loaded using LoadFromFile and PrivateKeyLoadFromPemFile into X509 and PrivateKey, and these properties assigned to X509CA and PrivKeyCA respectively. 2 - Load certificate request using LoadReqFromFile. 3 - Currently the subject certificate properties are taken from the request and can not be edited, extended properties are currently taken from properties, KeyDigiSign, KeyKeyEnc, etc, as needed. This needs more work for flexibility. 4 - Create certificate using DoSignCertReq method checking exception for any errors. 5 - X509 property contains pointer to new certificate. 6 - If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher. 7 - Savecertificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. 8 - Optionally save certificate to string using SaveCertToText method. Beware the private key used to create the request must be loaded into PrivateKey property before saving a private key with the certificate, otherwise the CA key may be incorrectly saved. Pending - save details of certificates created to database, to support transparency and certificate revocation lists. Currently certificates have random serial numbers, should allow sequential numbers to be allocated. Convert certificate from one file format to another --------------------------------------------------- 1 - Load existing certificate using LoadFromFile or LoadFromText methods. 2 - Optionally load private key for existing certificate using PrivateKeyLoadFromPemFile or PrivateKeyLoadFromText methods. 4 - If file to be encrypted, set property PrivKeyCipher from TSslPrivKeyCipher. 4 - Save certificate to file using SaveToFile method with the file extension specifying the format that should be used. Options include IncludePrivateKey which will save the private key into the same PEM or P12 file, and optional password. One use for this is to convert base64 DER/PEM certificates into P12/PVX format that can be easily installed into the Windows certificate store. Create New DHParams File ------------------------ DHParams contain prime numbers needed to support DH and DHE ciphers (but not ECDH and ECDHE). Ideally they should be unique per server and/or application and some applications even generate new params each day. But finding prime numbers is time consuming, the shortest 1,024 bits can take up a minute, 2,048 bits several minutes, 4,096 bits a few hours, and gave up with 8,192 bits after two days. ICS include constants sslDHParams2048 and sslDHParams4096 to save you calculating your own. 1 - Assign OnKeyProgress event handler with Application.ProcessMessages and optionally a progress indicator so the application remains responsive while calculating DHParams. 2 - Create DHParams using DoDHParams method passing new file name and number of bits, 768, 1024, 20248, 4096, 8192. 3 - Optionally save DHParams string returned by DoDHParams method. Samples/Delphi/SslInternet/OverbyteIcsPemTool.res Samples/Delphi/SslInternet/OverbyteIcsPemTool1.dfm Samples/Delphi/SslInternet/OverbyteIcsPemTool1.pas Samples/Delphi/SslInternet/OverbyteIcsPemTool2.dfm Samples/Delphi/SslInternet/OverbyteIcsPemTool2.pas Jan 27, 2017 V8.40 Angus Display multiple certificate file formats. Using new TSslCertTools component to read, create and save certificates, private keys, certificate requests, DHParams, and to sign requests as a certificate authority. This tool can now be used to convert different format certificate files between formats, by reading one format and saving as a different format. Also combining keys and certificates in a file. -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
