Spring Boot cipher BadPaddingException: Decryption error - spring-boot

I am following an article here, where it described how to use a cipher to encrypt spring boot application properties.
So based on the instruction, I downloaded and placed the JCE Java Cryptography Extension (JCE) files.
Then I created a keystore,
keytool -genkeypair -alias mytestkey -keyalg RSA
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US"
-keypass changeme -keystore server.jks -storepass letmein
-validity 365
After that, I copied the server.jks file in the Spring project resource folder and add the following properties to the bootstrap.properties file located under resource folder as well.
The content of the bootstrap.properties file looks as below:
encrypt.key-store.location: classpath:/server.jks
encrypt.key-store.password=letmein
encrypt.key-store.alias=mytestkey
encrypt.key-store.secret=changeme
Now when I run the application, I can easily encrypt or decrypt by making POST call to "http://localhost/encrypt" and "http://localhost/decrypt" endpoints.
And I can encrypt or decrypt successfully in the code using the TextEncryptor as well.
However when I encrypt some value and add the encrypted value to the application.properties, as shown below:
messageinfo={cipher}AQBt2RnIRqX1UrHGfvcJpQhfurqbxjGEgeHh....
When I run the application again I get
java.lang.IllegalStateException: Cannot decrypt: key=messageinfo
javax.crypto.BadPaddingException: Decryption error
I am not sure, how I can resolve this issue, any help appreciated.

I have managed to find the issue, it was issue related to Java environment, I had multiple Java SDK installed on my box, My JAVA_HOME (and PATH) was pointing to Java 11 SDK, so when I used the keytool to generate key, it was using Java 11.
However in my Spring Studio, it was pointing to Java 8 SDK, so when I ran the project it used the Java 8 to read and decrypt.
So After:
Uninstalled Java 11
Changed the JAVA_HOME (and PATH) to point to Java 8 SDK
Regenerated key using keytool
It started working fine.

Related

How to establish SSL connection from Spring Boot client to Redis Server

Having my redis server with self_signed certificate (in certificate_base64 format) running on IBM cloud. wanted to connect to redis (server) through SSL from Spring Boot application (client).
Tried decrypting the base64 and saved it as .cer file and stored that certification in C:\Program Files\Java\jre1.8.0_341\lib\security\cacerts using the command line keytool -keystore "JRE_CA_CERT_PATH" -import -alias servername -file ".cer FILE"
but it was not as expected, still got unable to find valid certification path to requested target
I'm super new to this topic, any thoughts here would be helpful :-)

Quarkus HTTPS restful service

Is there any example/tutorial to build and configure TLS-secured restful service using quarkus.io?
Unfortunately I can not find one neither at quarkus documentation, no here.
Thanks mr. Guillaume Smet, I found the solution. Here is "from zero to hello in 5 minutes with Quarkus and SSL guide". This is done by quarkus undertow plugin. Also you will need text editor, jdk 1.8+ and maven installed.
Frist, create the project.
mkdir restls
cd restls
mvn io.quarkus:quarkus-maven-plugin:create -DprojectGroupId=org.acme -DprojectArtifactId=restls -DclassName="org.acme.HelloResource" -Dpath="/hello" -Dextensions="undertow"
Open your application config file src/main/resources/application.properties with any editor and add lines:
quarkus.http.port=80
quarkus.http.ssl-port=443
quarkus.http.ssl.certificate.key-store-file=keystore.jks
Create keystore containing self-signed certificate (answer all questions and specify password namelly "password"):
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 365 -keysize 2048
The file keystore.jks must be in the src/main/resources/ folder.
Build the project:
mvnw clean package quarkus:build
Now try it out:
java -jar target/restls-1.0-SNAPSHOT-runner.jar
Navigate to https://localhost/hello and allow your browser to trust certificate. That's all.
You can override options in invocation time like this:
java -Dquarkus.http.ssl.certificate.key-store-file=/path-to-keystore/keystore-name.jks -jar target/restls-1.0-SNAPSHOT-runner.jar
Finally, here is the concerning options list:
quarkus.http.ssl.certificate.file -- The file path to a server certificate or certificate chain in PEM format.
quarkus.http.ssl.certificate.key-file -- The file path to the corresponding certificate private key file in PEM format.
quarkus.http.ssl.certificate.key-store-file -- An optional key store which holds the certificate information instead of specifying separate files.
quarkus.http.ssl.certificate.key-store-file-type -- An optional parameter to specify type of the key store file. If not given, the type is automatically detected based on the file name.
You can specifiy either certificate + key files in PEM format or keystore.
It is indeed supported by our Undertow extension but, unfortunately, not documented.
You can define things like the following:
quarkus.http.ssl.certificate.file=...
quarkus.http.ssl.certificate.key-file=...
...
in your application.properties.
The config entry point is ServerSslConfig (see https://github.com/quarkusio/quarkus/blob/master/core/runtime/src/main/java/io/quarkus/runtime/configuration/ssl/ServerSslConfig.java#L41). You then add the nested properties with dots and transform camel-case to dashes.
If you want to build a native executable, there's a good chance you will have to add quarkus.ssl.native=true too.
If you have feedback or if you want to contribute a guide for that, feel free to join us on Zulip or open issues/PRs on GitHub.

Solr Https Secure Certificate Password

By default setting up Solr on Https requires storing the certificate password as plain text in "bin\solr.in.cmd" (using windows to host solr)
And the certificate password is exposed in the portal.
How can I configure Solr with a Https certificate keeping the certificate password safe?
I want to use a private certifcate so the client trusts the certificate by default, rather than a self signed one.
I'm connecting via SolrNet from C#, currently without authentiation, but in the future can look at Basic Authentication which is supported in the provider which wraps SolrNet.
Seems like a basic thing which I would have thought should be supported? Can't find any article/documention on this.
Anyone solved this already?
Nearest I've found is:
Setting SOLR SSL properties
http://lucene.472066.n3.nabble.com/Prevent-the-SSL-Keystore-and-Truststore-password-from-showing-up-in-the-Solr-Admin-and-Linux-process-td4257422.html
Some suggestion of using jetty-https.xml and encrypt the configuration there.
Looking for a more complete answer.
update
I've come across the following Solr tickets:
https://issues.apache.org/jira/browse/SOLR-10307
https://issues.apache.org/jira/browse/SOLR-8897
Where support for loading the certificate passwords from environment variables has been added in Solr 7.0 and 6.7 (which hasn't been released yet).
I don't think using environment variables is much better, but some progress.
There is also a link to using Hadoop credential provider, but I'm not using Hadoop, so not applicable for me.
In the comments of the tickets, it mentions that someone tried the Jetty Password Utility, and Solr UI loaded over HTTPS. However the Collection API was erroring not being able to understand the password format.
So I'm still left without a way of configuring a certificate password for Solr, in a way I feel is secure.
For me the certificate password is not stored on the SOLR portal
see my setup
SSL
cd /path/to/solr/server/etc/
The following command will create a keystore file named solr-ssl.keystore.jks in the current directory
keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:#ipsolr,IP:127.0.0.1 -dname "CN=localhost, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx"
Convert the certificate and key to PEM format for use with Curl
keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Next convert the PKCS12 format keystore into PEM format using the openssl
openssl pkcs12 -in solr-ssl.keystore.p12 -out solr-ssl.pem
After go to your $JAVA_HOME (into jre/lib/security)
curl --cacert /pah/to/solr/server/etc/solr-ssl.pem https://localhost:8983/solr/
Set Common SSL-Related System Properties
vi /etc/default/solr.in.sh
SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=secret
SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=secret
SOLR_SSL_NEED_CLIENT_AUTH=false
SOLR_SSL_WANT_CLIENT_AUTH=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
Restart solr
service solr restart
For authentication
create security.json on SOLR_HOME (/var/solr/data/ for me)
Owner : root
See example of security.json to configure has you hope
After securing, add into solr.in.sh
SOLR_AUTH_TYPE="basic"
SOLR_AUTHENTICATION_OPTS="-Dbasicauth=solr:xxx"
it allows to have an answer on solr status service because with authentication it is not accessible
For me it's work and i don't see the certificate password on solr UI

How to configure Spring Boot 2 WebFlux to use SSL?

All I get is javax.net.ssl.SSLHandshakeException: no cipher suites in common.
This is how to reproduce the behavior:
go to http://start.spring.io and add "Reactive Web" as dependency for Spring 2.0.1
unpack the archive
run keytool -genkeypair -keystore demo/src/main/resources/keystore.jks
Choose a password
Hit return as long as [Unknown] is the default, enter Yes when asked if CN=Unknown, OU=Unknown, ... is correct.
Use the same password for the key as for the keystore
add the following to application.properties
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=<my-secure-pwd>
build and run the application
run curl https://localhost:8080
This is my first time adding SSL to a Spring Boot application and I think that something must be wrong - but I've no idea what. Maybe anyone of you could provide some help? Thanks!
Ok, turns out that you need to set the key algorithm to RSA in order to make this work.
keytool -genkeypair -keyalg RSA -keystore src/main/resources/keystore.jks

How can I set up Jenkins CI to use https on Windows?

We've recently set up a Jenkins CI server on Windows. Now in order to use Active Directory authentication I'd like to require https (SSL/TLS) for access. Given this setup, what is the recommended way to do this?
Go to your %JENKINS_HOME% and modify the jenkins.xml. Where you see --httpPort=8080 change it to --httpPort=-1 --httpsPort=8080 you can make the ports anything you want of course, but in my testing (a while ago, it may have changed) if you don't keep --httpPort=<something> then Jenkins will always use 8080. So if you simply change --httpPort=8080 to --httpsPort=8080, port 8080 will still use http.
Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
Run:
keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048
Answer the questions remembering that First and last name is the website URL and should be lowercase. Example:
build.jenkins-ci.org
State or province cannot be abbreviated.
Run:
keytool -certreq -Keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048
Send Jenkins.csr to your cert provider and request a PKCS#7 cert which has a .p7b extension and starts with:
-----BEGIN PKCS #7 SIGNED DATA-----
Note: Trial certs are not normally available in .p7b format but you may be able to combine the .cer files using this tool which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]
Change the arguments node in Jenkins.xml to the following prespectivly.
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>
Troubleshooting:
If Jenkins doesn't start read the last lines from Jenkins.err.log.
If Jenkins didn't start because of an issue with Jenkins.xml, replace the – (weird Windows hyphen) characters with an actual - (ASCII hyphen).
If Jenkins starts but the cert still reads as bad, make sure the [Name of website] is the actual URL without the https: example: https://build.jenkins-ci.org would be build.jenkins-ci.org.
If that isn't the issue inspect the .jks file using KeyStore Explorer. The "Certificate Hierarchy" should show that each cert is nested in another; This is to illustrate the cert chain. If it shows the certs next to each other then it's not correct.
If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.
Step1: Create both public and private Certificate on your jenkin name (convert them into keysore file if its not)
Step2: Import the public certificate into your browser certificate mananger (import into all tabs)
Step3: Host your jenkin using JKS file which contain both public and private key.
For steps refer "Enable HTTPS in jenkins?"

Resources