When launching a JNLP application with Java 8 update 351, the following error is received:
**```
ERROR: Unsigned application requesting unrestricted access to system
Unsigned resoured: xyz.jar
The release notes for update 351 include "JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned."
There is a suggested workaround of "set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them", but there is no krb5.conf file anywhere to be found (Windows 10 install).
Has anyone encountered and resolved this issue? Thank you.
Looked for krb5.conf file, could not find any.
Mike, we saw a similar error after updating to JRE351.
Our workaround is in the 'java.security' file, remove the following lines:
SHA1 usage SignedJAR & denyAfter 2019-01-01
SHA1 denyAfter 2019-01-01
Remove the block on SHA1 in the java.security file on the client system and re-download the JNLP file.
So it looks as if you'd remove these lines from examples below -
",SHA1 usage SignedJAR & denyAfter 2019-01-01"
",SHA1 denyAfter 2019-01-01"
https://www.java.com/en/configure_crypto.html
Use one of the following two methods to find out if your signed JARs may be affected by this change:
For JDK 7u301, 8u291, 11.0.11, 17 or later releases, edit the java.security file and make the following changes:
add "SHA1 usage SignedJAR & denyAfter 2019-01-01" to the jdk.certpath.disabledAlgorithms security property
add "SHA1 denyAfter 2019-01-01" to the jdk.jar.disabledAlgorithms security property
For example, if the current value of these properties is:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
then the new values would be:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Related
I generated an ECC_NIST_P521 spec key, which uses the ECDSA_SHA_512 signing algorithm. I'm trying to create a jwt.SigningMethod with this in mind, but I'm not sure which values to use for the fields. This is what I have so far:
signingMethod := jwt.SigningMethodECDSA {
Name: "ECC_NIST_P521",
Hash: crypto.SHA512,
}
Specifically, I'm not sure if the name is correct and I don't know what to use for the KeySize and CurveBits fields. Any help would be appreciated.
You need to specify Hash, CurveBits and KeySize. The value of Name is ignored:
signingMethod := jwt.SigningMethodECDSA{
Name: "ECC_NIST_P521",
Hash: crypto.SHA512,
CurveBits: 521,
KeySize: 66,
}
521 bits - the size of curve field.
66 - number of bytes that fit a compact representation of a point on the curve.
Full example to sign and verify signature: https://go.dev/play/p/bEnLN2PJv4a
For example say I want to sign a cert with an arbitrary or deprecated extension (nsCertType for example): https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
I believe I'm supposed to add the arbitrary extension as part of the certificate as per below but how / where do you discover the asn1 object identifier? I've read more documentation that I care to admit today and am still stumped.
tmpl := &x509.Certificate{
SerialNumber: big.NewInt(time.Now().Unix()*1000),
Subject: pkix.Name{CommonName: "edgeproxy", Organization: []string{"edgeproxy"}},
NotBefore: now,
NotAfter: now.Add(caMaxAge),
ExtraExtensions: []pkix.Extension{
{
Id: asn1.ObjectIdentifier{}, //what goes here
Critical: false,
[]byte("sslCA"),
},
},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth,x509.ExtKeyUsageClientAuth,x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageTimeStamping, x509.ExtKeyUsageMicrosoftCommercialCodeSigning, x509.ExtKeyUsageMicrosoftServerGatedCrypto, x509.ExtKeyUsageNetscapeServerGatedCrypto} ,
KeyUsage: x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
IsCA: true,
BasicConstraintsValid: true,
}
In python I would do this but don't know how to port this into go (which is what I'm doing at the end of the day):
OpenSSL.crypto.X509Extension(
b"nsCertType",
False,
b"sslCA"
),
Go sources at https://golang.org/src/encoding/asn1/asn1.go define:
// An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.
type ObjectIdentifier []int
So the object identifier (OID for short) is an array of integers. The asn1 module has methods to parse them, like parseObjectIdentifier.
This is the structure you need to put after the Id: attribute.
But now you need to find out the OID you want.
While difficult to read, OpenSSL source code can show you OIDs of many things in the X.400/X.500/X.509 worlds, or at least those known by OpenSSL.
If you go to https://github.com/openssl/openssl/blob/1aec7716c1c5fccf605a46252a46ea468e684454/crypto/objects/obj_dat.h
and searching on nsCertType you get:
{"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},
so is defined previously, and if you jump at its 407th item you see:
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01, /* [ 407] OBJ_netscape_cert_type */
and doing a final search on OBJ_netscape_cert_type in same file gives:
71, /* OBJ_netscape_cert_type 2 16 840 1 113730 1 1 */
which means the corresponding OID is 2.16.840.1.113730.1.1
Or you can decode the above list of integers that describe this OID (see How does ASN.1 encode an object identifier? for details).
first 0x60 is 9610 so 2*40 + 16, which means the OID starts with 2.16.
then each other one is in "base128" form: if most significant bit is 1 combine the 7 least significant bits together of all following numbers until one has 0 as most significant bit
0x86 is 100001102 so has to go with 0x48 aka 010010002 so it is in fact 000011010010002 or 84010
0x01 is less than 128 so it is itself, 1
0x86 is still 100001102 but has to be paired with both 0xF8 (111110002) and 0x42 (010000102 and we stop here since first bit is 0) so 0000110111100010000102 altogether or 11373010
and the two last 0x01 are themselves, 1.
so we do get again 2.16.840.1.113730.1.1
You can double check it at some online OID browser like here:
http://oid-info.com/cgi-bin/display?oid=2.16.840.1.113730.1.1&action=display
that gives the following description for it:
Netscape certificate type (a Rec. ITU-T X.509 v3 certificate extension
used to identify whether the certificate subject is a Secure Sockets
Layer (SSL) client, an SSL server or a Certificate Authority (CA))
You can then even browse various arcs, like the netscape one, or others, to find out other OIDs.
You also get the full ASN.1 notation:
{joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) cert-ext(1) cert-type(1)}
I need to get detailed certificate information using Ruby. I have following test certificate.
-----BEGIN CERTIFICATE-----
MIIDBzCCAe+gAwIBAgIJAPO77qM0KOtJMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
BAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xOTA4MjQxNTQxMzJaFw0yOTA4MjExNTQx
MzJaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKdG8NkRftFf+UYFGLxvpenNtmjDqXFgchf/RjdCEDfl
1lFzfM6gxojh4gq5dkYpzZeNGKtBsLEmmIaHYSZa92YBhSXh7EXbi3MCcJqo6rzn
LWXHJfKP+PGNORrDxbIhrcr/QDNnFAYG/V5G58OqqqVaMuZUwvrtXJD38ysyGud7
SQz4kYQOvX654DiMDe8JzSAY6ucvZ+VP0hBCGzY+m5flMjBxQQBJMOL2pW6Clm2S
YLh+juatyKRcyFaMBOapWHkmUJoV9eWQoXramfDzNuBeQESeuvz/OzXwGdLKlteP
V0EIzkMinEtHA8X8FS7GEjZsfUBJZysURNBVUKCpltkCAwEAAaNQME4wHQYDVR0O
BBYEFArrFXDrPnY2jY1z1G/hdpFzRY6iMB8GA1UdIwQYMBaAFArrFXDrPnY2jY1z
1G/hdpFzRY6iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFRTTMv6
Qcs822DXvqSM47+Bz4n+KrSP+L+yI8htH0SgSrgqF3fa3V9ro/B+EFh+bdp6YOw/
JwM6lRD91jqrRfI1DqwxDquK+euBPj4FFrJfg4MmqjbHb7XjLwmk3mUgmnDPP1Kr
R5hkMxQ9qbIcZY7C4uF6Y1J1am7QMBT4Bvkt0YkAWk94HxKuK+6j3YoB1CWrwyxc
oj2FQIfod3zpU8U7y9X/maXxHWYI9IUOZKJvf/KVaRJwsN687L2OASRuSkOGRzAk
/tc7fjuaRiq1/E9SLUtnGRkxgEUEzXUKrGyDrGI8Aqekx5PRts+MTxGRPRawQIOf
seHvhKKVYqMY2Q8=
-----END CERTIFICATE-----
The output that I want is following.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17562893556583557961 (0xf3bbeea33428eb49)
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = www.example.com
Validity
Not Before: Aug 24 15:41:32 2019 GMT
Not After : Aug 21 15:41:32 2029 GMT
Subject:
commonName = www.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a7:46:f0:d9:11:7e:d1:5f:f9:46:05:18:bc:6f:
a5:e9:cd:b6:68:c3:a9:71:60:72:17:ff:46:37:42:
10:37:e5:d6:51:73:7c:ce:a0:c6:88:e1:e2:0a:b9:
76:46:29:cd:97:8d:18:ab:41:b0:b1:26:98:86:87:
61:26:5a:f7:66:01:85:25:e1:ec:45:db:8b:73:02:
70:9a:a8:ea:bc:e7:2d:65:c7:25:f2:8f:f8:f1:8d:
39:1a:c3:c5:b2:21:ad:ca:ff:40:33:67:14:06:06:
fd:5e:46:e7:c3:aa:aa:a5:5a:32:e6:54:c2:fa:ed:
5c:90:f7:f3:2b:32:1a:e7:7b:49:0c:f8:91:84:0e:
bd:7e:b9:e0:38:8c:0d:ef:09:cd:20:18:ea:e7:2f:
67:e5:4f:d2:10:42:1b:36:3e:9b:97:e5:32:30:71:
41:00:49:30:e2:f6:a5:6e:82:96:6d:92:60:b8:7e:
8e:e6:ad:c8:a4:5c:c8:56:8c:04:e6:a9:58:79:26:
50:9a:15:f5:e5:90:a1:7a:da:99:f0:f3:36:e0:5e:
40:44:9e:ba:fc:ff:3b:35:f0:19:d2:ca:96:d7:8f:
57:41:08:ce:43:22:9c:4b:47:03:c5:fc:15:2e:c6:
12:36:6c:7d:40:49:67:2b:14:44:d0:55:50:a0:a9:
96:d9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0A:EB:15:70:EB:3E:76:36:8D:8D:73:D4:6F:E1:76:91:73:45:8E:A2
X509v3 Authority Key Identifier:
keyid:0A:EB:15:70:EB:3E:76:36:8D:8D:73:D4:6F:E1:76:91:73:45:8E:A2
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
54:53:4c:cb:fa:41:cb:3c:db:60:d7:be:a4:8c:e3:bf:81:cf:
89:fe:2a:b4:8f:f8:bf:b2:23:c8:6d:1f:44:a0:4a:b8:2a:17:
77:da:dd:5f:6b:a3:f0:7e:10:58:7e:6d:da:7a:60:ec:3f:27:
03:3a:95:10:fd:d6:3a:ab:45:f2:35:0e:ac:31:0e:ab:8a:f9:
eb:81:3e:3e:05:16:b2:5f:83:83:26:aa:36:c7:6f:b5:e3:2f:
09:a4:de:65:20:9a:70:cf:3f:52:ab:47:98:64:33:14:3d:a9:
b2:1c:65:8e:c2:e2:e1:7a:63:52:75:6a:6e:d0:30:14:f8:06:
f9:2d:d1:89:00:5a:4f:78:1f:12:ae:2b:ee:a3:dd:8a:01:d4:
25:ab:c3:2c:5c:a2:3d:85:40:87:e8:77:7c:e9:53:c5:3b:cb:
d5:ff:99:a5:f1:1d:66:08:f4:85:0e:64:a2:6f:7f:f2:95:69:
12:70:b0:de:bc:ec:bd:8e:01:24:6e:4a:43:86:47:30:24:fe:
d7:3b:7e:3b:9a:46:2a:b5:fc:4f:52:2d:4b:67:19:19:31:80:
45:04:cd:75:0a:ac:6c:83:ac:62:3c:02:a7:a4:c7:93:d1:b6:
cf:8c:4f:11:91:3d:16:b0:40:83:9f:b1:e1:ef:84:a2:95:62:
a3:18:d9:0f
-----BEGIN CERTIFICATE-----
MIIDBzCCAe+gAwIBAgIJAPO77qM0KOtJMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
BAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xOTA4MjQxNTQxMzJaFw0yOTA4MjExNTQx
MzJaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKdG8NkRftFf+UYFGLxvpenNtmjDqXFgchf/RjdCEDfl
1lFzfM6gxojh4gq5dkYpzZeNGKtBsLEmmIaHYSZa92YBhSXh7EXbi3MCcJqo6rzn
LWXHJfKP+PGNORrDxbIhrcr/QDNnFAYG/V5G58OqqqVaMuZUwvrtXJD38ysyGud7
SQz4kYQOvX654DiMDe8JzSAY6ucvZ+VP0hBCGzY+m5flMjBxQQBJMOL2pW6Clm2S
YLh+juatyKRcyFaMBOapWHkmUJoV9eWQoXramfDzNuBeQESeuvz/OzXwGdLKlteP
V0EIzkMinEtHA8X8FS7GEjZsfUBJZysURNBVUKCpltkCAwEAAaNQME4wHQYDVR0O
BBYEFArrFXDrPnY2jY1z1G/hdpFzRY6iMB8GA1UdIwQYMBaAFArrFXDrPnY2jY1z
1G/hdpFzRY6iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFRTTMv6
Qcs822DXvqSM47+Bz4n+KrSP+L+yI8htH0SgSrgqF3fa3V9ro/B+EFh+bdp6YOw/
JwM6lRD91jqrRfI1DqwxDquK+euBPj4FFrJfg4MmqjbHb7XjLwmk3mUgmnDPP1Kr
R5hkMxQ9qbIcZY7C4uF6Y1J1am7QMBT4Bvkt0YkAWk94HxKuK+6j3YoB1CWrwyxc
oj2FQIfod3zpU8U7y9X/maXxHWYI9IUOZKJvf/KVaRJwsN687L2OASRuSkOGRzAk
/tc7fjuaRiq1/E9SLUtnGRkxgEUEzXUKrGyDrGI8Aqekx5PRts+MTxGRPRawQIOf
seHvhKKVYqMY2Q8=
-----END CERTIFICATE-----
I need to get "Subject Public Key Info" and "modulus" data from that certificate.
I am using OpenSSL::X509::Certificate.new(certificate_date) which only provide information related to subject, issuer, expiry etc.Or I am unable to get above required information. The above information I need to use in ECDH encryption. Can somebody help on this?
ES v2.4.1
SG-SSL v2.4.1.16
SG v2.4.1.6
CentOS 7.2
Im able to run Elasticsearch with Search-Guard-SSL. I generated the certs/keys via the example script from Search Guard. Here is the info on the kirk client cert that I generated
> openssl x509 -noout -subject -in kirk-signed.pem -text
subject= /C=US/L=Raleigh/O=client/OU=client/CN=kirk
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=example, O=Example Com Inc., OU=Example Com Inc. Signing CA, CN=Example Com Inc. Signing CA
Validity
Not Before: Oct 6 14:47:01 2016 GMT
Not After : Oct 6 14:47:01 2018 GMT
Subject: C=US, L=Raleigh, O=client, OU=client, CN=kirk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
If I understand correctly, I need to have the following line in my elasticsearch.yml file, correct?
# Enable SSL via Search Guard SSL plugin
# Enable HTTPS
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: pw
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: pw
# Enable SSL between ES nodes
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: pw
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: pw
searchguard.ssl.transport.enforce_hostname_verification: false
# for Search Guard
searchguard.authcz.admin_dn:
- "cn=kirk, ou=client, o=client, l=Raleigh, c=US"
searchguard.cert.oid: '1.2.3.4.5.5'
But when I run sgadmin.sh, it just times out
> /usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -cd /etc/elasticsearch/ -ks kirk-keystore.jks -ts truststore.jks -nhnv -kspass pw -tspass pw
Will connect to localhost:9300 ... done
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
ERR: Timed out while waiting for a green or yellow cluster state.
And I see these in elasticsearch.log
[2016-10-06 15:17:41,354][DEBUG][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] Node started, try to initialize it. Wait for at least yellow cluster state....
[2016-10-06 15:17:41,523][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,667][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,698][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,728][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:42,099][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:18:11,746][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:18:44,747][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:19:17,749][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
What am I missing?
I'm trying to load a particular private key encoded in binary DER format (PKCS#8) into Ruby.
However, OpenSSL::PKey won't recognize it. I can make it work by doing some console work and transforming it into a PEM like so:
openssl pkcs8 -inform DER -in file.key -passin pass:xxxxxxxx >private_key.pem
After this, the key can correctly be read.
However, since I would like for the whole process to be done in memory instead of writing and reading files.
So my question is: Is it possible to load private keys from the binary encoded DER format into Ruby/OpenSSL?
Thank you for your time,
Fernando
Yes, you can indirectly load PKCS#8 DER-encoded private keys using Ruby OpenSSL.
OpenSSL::PKey::RSA.new will only handle PEM-formatted PKCS#8, but it is easy to read the binary DER and convert it to a PEM-formatted string and then load from the string.
For example, with these DER-encoded private keys:
$ openssl genrsa | openssl pkcs8 -topk8 -outform DER \
-nocrypt -out pkcs8.key
$ openssl genrsa | openssl pkcs8 -topk8 -outform DER \
-v2 des3 -passout pass:secret -out pkcs8_des3.key
You can do something like this:
require 'openssl'
require 'base64'
def box(tag, lines)
lines.unshift "-----BEGIN #{tag}-----"
lines.push "-----END #{tag}-----"
lines.join("\n")
end
def der_to_pem(tag, der)
box tag, Base64.strict_encode64(der).scan(/.{1,64}/)
end
pem = der_to_pem('PRIVATE KEY', File.read('pkcs8.key'))
key = OpenSSL::PKey::RSA.new(pem)
pem2 = der_to_pem('ENCRYPTED PRIVATE KEY', File.read('pkcs8_des3.key'))
key2 = OpenSSL::PKey::RSA.new(pem2, 'secret')
Read the DER bytes, Base64 them and put the PEM tags on top and bottom, and then load the key.
Certificate is capable of handling DER-encoded certificates and certificates encoded in OpenSSL's PEM format.
You could find documentation about OpenSSL implementation for Ruby here :