How to generate an X509 certificate with an EC public key and RSA signature using OpenSSL?

I’m trying to generate an X509 certificate with an EC public key but an RSA signature. I’m using OpenSSL like this:

openssl genpkey -algorithm EC -out ec256key.pem -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
openssl req -new -key ec256key.pem  -out ec256request.csr -subj "/C=AB/ST=CD/L=Test/O=someOrganization/"
openssl x509 -req -in ec256request.csr -signkey rsaKey.key -days 365 -out ec_rsa_256cert.pem

However, the resulting certificate contains the RSA public key instead of the elliptic curve public key. I also tried to set -force_pubkey ec256key.pem, which doesn’t work (unable to load Forced key). This error does not occur if I export the public key first using openssl pkey -in ec256key.pem -pubout -out ec256pk.pem but the resulting certificate again only holds the RSA public key with RSA signature.

Am I misunderstanding how signkey and force_pubkey work?
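
Added example (not part of the original question): `-signkey` self-signs, so the certificate carries the signing key's own public key, while issuing through `-CA`/`-CAkey` keeps the CSR's EC key and signs it with the RSA key. The self-signed `rsa_ca.pem` issuer certificate and its subject are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Added example. File names follow the question; rsa_ca.pem and the CA
# subject are constructed here and are not from the original post.
set -e

issue_ec_cert_rsa_signed() {
    (
        cd "$1"
        # Issuer: RSA key plus a self-signed certificate that names it.
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out rsaKey.key 2>/dev/null
        openssl req -new -x509 -key rsaKey.key -sha256 -days 365 \
            -subj "/CN=Example RSA CA" -out rsa_ca.pem
        # Subject: P-256 key and CSR, as in the question.
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -pkeyopt ec_param_enc:named_curve -out ec256key.pem
        openssl req -new -key ec256key.pem -out ec256request.csr \
            -subj "/C=AB/ST=CD/L=Test/O=someOrganization"
        # -CA/-CAkey keep the CSR's public key and sign with the RSA key.
        openssl x509 -req -in ec256request.csr -CA rsa_ca.pem \
            -CAkey rsaKey.key -CAcreateserial -sha256 -days 365 \
            -out ec_rsa_256cert.pem 2>/dev/null
    )
}

cert_pubkey_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# True when the certificate's SubjectPublicKeyInfo matches the given key.
cert_has_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo_dir=$(mktemp -d)
issue_ec_cert_rsa_signed "$demo_dir"
echo "public key: $(cert_pubkey_alg "$demo_dir/ec_rsa_256cert.pem")"
echo "signature:  $(cert_sig_alg "$demo_dir/ec_rsa_256cert.pem")"
```

Comparing the certificate's public key against `ec256key.pem` with `cert_has_key` confirms which key was actually certified, which is the check that exposes the `-signkey` result described in the question.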

private key – HD Wallet with BIP44 – workaround of deriving public keys knowing only an xpub

My goal: I don’t want to require a private key to hierarchically derive new addresses.

Sure, I can create a batch of addresses, given a private key, at first. But once I have surpassed that batch I’ll require the private key again to generate more addresses.

I want to derive addresses knowing only a public key. I know this is possible with BIP39, but understand there can be security concerns involved with this, i.e. if an attacker stumbles upon an xpub and xprv they can derive as many addresses as they want and be able to sign transactions using them.

Attempting to derive from an HD public key with BIP44 results in an exception stating a hardened path requires an HD private key. However, I have found a workaround, but I fear it is cheating and might sacrifice the benefits of path hardening in BIP44.

Here’s an example:

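// Mnemonic comes from the bitcore-mnemonic package, which also exposes `Mnemonic.bitcore`.
const Mnemonic = require('bitcore-mnemonic')

// It starts off with a `codeUser` that represents a BIP39 Mnemonic code.
const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')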

// Convert to HD private key...
const hdUserPrivateKey = codeUser.toHDPrivateKey()

// The actual xpub for `hdPublicKey` is: `xpub661MyMwAqRbcEngoXGfFNahZ5FzSDGqY8pWKTqo6vtXxK15otDNLXJmbeHV7DUjvPc7CAFhYp6hzBiTanr8rgoHPHf6NSgZAyejK5bk8MiW`
// But we won't use it...

// Instead, I can then derive a BIP44 without the `change`, `address_index` segments from `hdUserPrivateKey` and save that instead.
// Gives: `xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h`
// This is the xpub I can use to derive addresses without requiring the initial private key.

// So knowing this, I can build a HD public key given that xpub...
const hdPublicKey = Mnemonic.bitcore.HDPublicKey('xpub6CsrEMgU2f8uEGfFMvsPjKB9ekHuZiesLqSHLwCJuNFkP2uJGm7WjTo2gy95S4KEBc4etdodNQXAvn5Vsf4kupJQ1DKR4DMfcHwKdhQ3k6h')

const derivative = 0

// We can derive from it this path, but what is this path defined as? Are we back in BIP39 territory now?
const publicKey = hdPublicKey.deriveChild(`m/0/${derivative}`).publicKey

const address = new Mnemonic.bitcore.Address(publicKey)

console.log(address.toString()) // 12XyHwtmoq5w4VQ5mzcu6BQzdLqCLxUv5e

…and of course, I can increment the derivative as many times as I wish to create new addresses from the public key.

Whenever I wish to sign a transaction…

const codeUser = new Mnemonic('select scout crash enforce riot rival spring whale hollow radar rule sentence')
const hdUserPrivateKey = codeUser.toHDPrivateKey()
const derivative = 0

// BIP 44 derivation path for private key...
const privateKey = hdUserPrivateKey.deriveChild(`m/44'/0'/0'/0/${derivative}`).privateKey

Is this approach valid or am I dodging BIP44 standards?

Mnemonics but for Public addresses

Are there any implemented ways for turning addresses into human-readable word(s)? If not, why? I.e., are there any known technological issues in implementing this?


Simple OAuth2 question? Public client without end-user authentication

A simple question on which I cannot find any guidance in the RFC6749 (or related) spec.

I have an ecommerce public client (SPA & mobile), where I want to postpone as much as possible the authentication process (possibly registration too for new customers). I will only ask the customer at the end of his purchase journey to authenticate and place the order.
Meanwhile, before the authentication this public client needs to call back-end REST APIs which are OAuth2 protected.

So how can I perform correct and secure calls to the APIs?

  • system to system calls -> Client credentials grant type -> NO, because of public client (only confidential clients are allowed in this type)
  • Authorization code grant type with PKCE? -> NO, because no end-user authentication/consent

Does somebody have a similar case? How can I make this secure enough within the OAuth2 framework?

architecture – Is it a good idea to have separate instances for the public API Server and API Server used by the Web App?

I’ve built a React Web application with an Express REST API server and Firebase Auth. Also, Nginx is set up as a reverse proxy, so API calls from React to are routed to backend http://localhost:8002.

Now I want to publish part of my APIs under with an API Key scheme. I’ve modified the Express server so it can handle both auth schemes based on Authorization header (i.e. Bearer for Firebase, ApiKey for API Key).

The question is: Is it a good idea to have separate backends serving Web App and Public APIs? What benefits could it bring? Or should I direct API calls from the Web App to to keep setup simple?

Thanks in advance

public transport – How long from flight arrival to train travel at Heathrow T2

How long should I allow for, to clear Passport control and baggage reclaim?

Very difficult to predict, but it also doesn’t matter.

Assuming you are going into London, you have three options: Heathrow Express, TFL (formerly known as Heathrow Connect) and the Piccadilly Underground Line.

None of these require you to pick a departure time up front. The Heathrow Express tickets are “anytime” (on a given day) and TFL and Tube are part of London’s transit system using the Oyster Card: You scan your card when you board the train/tube and then again when you exit and the fare will be calculated on the fly and deducted from your balance on the card. This is super convenient and works for any public transport in London. I highly recommend getting one.

I also recommend taking the TFL: it’s less than half the price of the Heathrow Express, takes just 10 minutes longer and it also includes subsequent tube or bus rides in London. Both trains go every half hour. Depending on where you are going it may actually be faster, since you don’t need to ride all the way into Paddington.

While you can pre-buy a Heathrow Express ticket, there is really no need for it. There are machines everywhere and it’s hard to avoid the human ticket vendors. They are pushing hard to sell you a Heathrow Express ticket, since it’s so much more expensive.

How to stop my public comments in facebook from appearing in my friend’s newsfeed?

Lately any comment I write in different pages or public groups in Facebook appears in my friends’ newsfeed as
"X commented on Y’s post" followed by the post with my comment in it… How do I stop this?

web server – How to host a public website with my domain name on Android?

I have my own domain name,, and I want to host my own website (using this domain name) on my Android phone. My Android isn’t connected to Wi-Fi (I am using Mobile Data). I started locally hosting my website on my Android, and it was available at http://mylocalipaddress:myport. Then I went to my registrar and added an A DNS Record setting the target to my local IP Address. Now if I go to, I can view my website. But it is still only local. So I have two issues. I want to make my website public, not just local (so everyone can view my website) and I want to remove the need for putting :port at the end of the domain/website. By the way, an end note is that I tried putting my external IP Address into my DNS Record instead of my local IP Address, but this doesn’t work because there is nothing being hosted to this external IP Address. So if I could maybe host my website to my external IP Address and then put this external IP Address into my DNS Record, then that would work. But I can’t find a way to host my website to my external IP Address. I only see ways to host my website to my local IP Address (locally). Thanks in advance.😀

web crawlers – Error on public website when web scraping is called through my personal user agent

I’m brand new to coding and have finished making a simple program to web scrape some stock websites for particular data. The simplified code looks like this:

import requests
from bs4 import BeautifulSoup

headers = {'User-Agent': 'Personal_User_Agent'}

fv = f""

r_fv = requests.get(fv, headers=headers)
soup_fv = BeautifulSoup(r_fv.text, 'html.parser')
fv_ticker_title = soup_fv.find('title')

The website would not work until I created a user agent, but then it worked fine. I then created a website through python’s local host which also worked fine, and so I thought I was ready to make the website public via “python anywhere”.

However, when I went to create the public website, the program shuts down every time I go to access information through web scraping (i.e. using the user_agent). I didn’t like the idea of using my user agent for a public domain, but I couldn’t find out how other people who web scrape go about this problem when a user agent is required for a public domain. Any advice!?

encryption – When is a private and public key given to a user, and why can the private key not get hacked?

Trying to understand asymmetric encryption. To my knowledge, it deals with the key management problem by having each user have their own private key and public key. But when is this private and public key pair generated for the user? Does each user have a unique and persistent private and public key?

Also, why are hackers unable to get a private key?