.NET 5 and 6 let us import RSA public keys in PEM format by using RSA.ImportFromPem. Somewhat surprisingly, there’s no corresponding ExportToPem method that would let us export RSA keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap. .NET Core 3.0 and later Although .NET Core 3.0 and newer versions don’t provide an RSA.ExportToPem method, they do provide 2 other useful methods: RSA.ExportRSAPublicKey, which exports a public key as a D...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with some extension methods and a little help from CryptoAPI, we can fill that gap. .NET Core 3.1 and below Although .NET Core 3.1 and older versions don’t support RSA.ImportFromPem, they do support 2 other useful methods: RSA.ImportRSAPublicKey, which imports a public key from a DER-encoded PKCS#1 RSAPublicKey structur...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. With workload identity federation, we can do things like authenticating to Google Cloud by using an AWS EC2 instance profile or by using an Azure managed identity. But there are also some things to watch out for. To use workload identity federation securely, we must configure it in a way that protects us from threats like: Spoofing: A bad actor might attempt...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
One of the most common uses of PEM files is storing or exchanging public keys. But there is more than one way to store a public key in a PEM file. PKCS#1 RSAPublicKey The oldest and arguably most simple PEM-based file format for public keys is RSAPublicKey. We can recognize RSAPublicKey files by their BEGIN RSA PUBLIC KEY header: -----BEGIN RSA PUBLIC KEY----- MIIBigKCAYEAq3DnhgYgLVJknvDA3clATozPtjI7yauqD4/ZuqgZn4KzzzkQ4BzJ ar4jRygpzbghlFn0Luk1mdVKzPUgYj0VkbRlHyYfcahbgOHixOOnXkKXrtZW7yWG jXPqy...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
One of the more confusing aspects of dealing with public key cryptography is that there are so many different file formats: .key, .pem, .cer, .crt, .p8e, .p8 are just some of the file extensions we commonly encounter, and with PEM, DER, BER, PKCS#1, PKCS#8, there is no shortage of acronyms defining these file formats. So how are they all related? To make sense of this alphabet soup, let’s unpack how some of these standards and formats relate to one another. ASN.1 Let’s start with the Abstract...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
When a web application needs to access an OAuth-secured API, it can use the OAuth authorization code flow (aka 3-legged OAuth or 3LO) to obtain access tokens and access the API on the user’s behalf. That’s great for scenarios where an end user is involved, but rarely applicable for unattended applications such as Windows services. When an unattended application needs to obtain OAuth credentials for itself, we have to use the client credentials flow and let the application provide some sor...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Kubernetes offers two distinct ways for clients that run within your cluster, or that otherwise have a relationship to your cluster's control plane to authenticate to the API server. A service account provides an identity for processes that run in a Pod, and maps to a ServiceAccount object. When you authenticate to the API server, you identify yourself as a particular user. Kubernetes recognises the concept of a user, however, Kubernetes itself does not have a User API.| Kubernetes