I followed former answers from Webcrypto AES-CBC Decrypt: Operation Error - The operation failed for an operation-specific reason and JavaScript AES encryption and decryption (Advanced Encryption Standard)
and used:
iv = crypto.getRandomValues(new Uint8Array(16))
key = window.crypto.subtle.generateKey(
{
name: "AES-GCM",
length: 256,
},
false,
["encrypt", "decrypt"]
)
to generate the key
and
Uint8ArrayEncrypted = window.crypto.subtle.encrypt(
{name: "aes-gcm", iv: iv, tagLength: 128},
key,
Uint8ArrayVar)
to encrypt and
Uint8ArrayDecrypted = window.crypto.subtle.decrypt(
{name: "aes-gcm", iv: iv, tagLength: 128},
key,
Uint8ArrayEncrypted)
to decrypt
On Chromium 83 (Ubuntu) and Firefox 88, I successfully generate the key, the iv and encrypt.
And on Chromium, it simply also decrypts without problem.Uint8ArrayDecrypted is correct ArrayBuffer.
But FF throws the error "The operation failed for an operation-specific reason" and stop there. No Uint8ArrayDecrypted returned.
I didn't use tag, like in WebCrypto API: DOMException: The provided data is too small
Reading https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt,
I don't see it uses tag.
Does Firefox need something else specific?
Why the error message is so "generic"? Which operation or specific reason?
With an error so generic, I don't know where to look.
When I tried connect to google.com from I got this Certificate Error:
Session #3: The server (152.199.19.161) presented a certificate that did not validate, because it was issued to a different host.
SANs: *.vo.msecnd.net, *.adn.azureedge.net, *.ads2.msads.net, *.aspnetcdn.com, *.azurecomcdn.net, *.azureedge.net, *.azureedge-test.net, *.cdn.skype.com, *.cdn.skype.net, *.cmsresources.windowsphone.com, *.cmsresources.windowsphone-int.com, *.dev.skype.com, *.fms.azureedge.net, *.microsoft-sbs-domains.com, *.secure.skypeassets.com, *.secure.skypeassets.net, *.wac.azureedge.net, *.wpc.azureedge.net, *.ec.azureedge.net, *.wpc.ec.azureedge.net, *.wac.ec.azureedge.net, *.adn.ec.azureedge.net, *.fms.ec.azureedge.net, ajax.microsoft.com, cdnads.msads.net, cdn-resources.windowsphone.com, cdn-resources-beta.windowsphone.com, ecnads1.msn.com, iecvlist.microsoft.com, images-cms-pn.windowsphone-int.com, images-cms-tst.windowsphone-int.com, lumiahelptipscdn.microsoft.com, lumiahelptipscdnqa.microsoft.com, lumiahelptipsmscdn.microsoft.com, lumiahelptipsmscdnqa.microsoft.com, montage.msn.com, mscrl.microsoft.com, r20swj13mr.microsoft.com, *.streaming.mediaservices.windows.net, *.origin.mediaservices.windows.net, download.sysinternals.com, amp.azure.net, rt.ms-studiosmedia.com, gtm.ms-studiosmedia.com, *.aisvc.visualstudio.com, *.cdn.powerbi.com, dist.asp.net, embed.powerbi.com, msitembed.powerbi.com, dxtembed.powerbi.com, *.cdn.powerappscdn.net, downloads.subscriptionsint.tfsallin.net, download.my.visualstudio.com, cdn.vsassets.io, cdnppe.vsassets.io, stream.microsoft.com, datafactory.azure.com, *.cortanaanalytics.com, do.skype.com, software-download.office.microsoft.com, software-download.microsoft.com, prss.centralvalidation.com, *.gallerycdn.vsassets.io, *.gallerycdnppe.vsassets.io, global.asazure.windows.net, download.learningdownloadcenter.microsoft.com, www.videobreakdown.com, www.breakdown.me, *.gallerycdntest.vsassets.io, agavecdn.o365weve-dev.com, agavecdn.o365weve-ppe.com, agavecdn.o365weve.com, download.visualstudio.com, *.Applicationinsights.net, *.Applicationinsights.io, *.Applicationinsights.microsoft.com, *.sfbassets.com, *.sfbassets.net, download.mono-project.com, *.streaming.media-test.windows-int.net, *.origin.mediaservices.windows-int.net, *.mp.microsoft.com, download.visualstudio.microsoft.com, software-download.coem.microsoft.com, cdn.wallet.microsoft-ppe.com, cdn.wallet.microsoft.com, vi.microsoft.com, *.nuget.org, *.nugettest.org, cdn.botframework.com, *.streaming.media.azure.net, *.streaming.media.azure-test.net, natick.research.microsoft.com, quotecenter.microsoft.com, quotecenter-ppe.microsoft.com, cdn.cloudappsecurity.com, *.yammer.com, *.videoindexer.ai, .api.videoindexer.ai SUBJECT: CN=.vo.msecnd.net
I don't know why because I added Trust Root Certificate.
ES v2.4.1
SG-SSL v2.4.1.16
SG v2.4.1.6
CentOS 7.2
Im able to run Elasticsearch with Search-Guard-SSL. I generated the certs/keys via the example script from Search Guard. Here is the info on the kirk client cert that I generated
> openssl x509 -noout -subject -in kirk-signed.pem -text
subject= /C=US/L=Raleigh/O=client/OU=client/CN=kirk
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=example, O=Example Com Inc., OU=Example Com Inc. Signing CA, CN=Example Com Inc. Signing CA
Validity
Not Before: Oct 6 14:47:01 2016 GMT
Not After : Oct 6 14:47:01 2018 GMT
Subject: C=US, L=Raleigh, O=client, OU=client, CN=kirk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
If I understand correctly, I need to have the following line in my elasticsearch.yml file, correct?
# Enable SSL via Search Guard SSL plugin
# Enable HTTPS
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: pw
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: pw
# Enable SSL between ES nodes
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: pw
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: pw
searchguard.ssl.transport.enforce_hostname_verification: false
# for Search Guard
searchguard.authcz.admin_dn:
- "cn=kirk, ou=client, o=client, l=Raleigh, c=US"
searchguard.cert.oid: '1.2.3.4.5.5'
But when I run sgadmin.sh, it just times out
> /usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -cd /etc/elasticsearch/ -ks kirk-keystore.jks -ts truststore.jks -nhnv -kspass pw -tspass pw
Will connect to localhost:9300 ... done
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
ERR: Timed out while waiting for a green or yellow cluster state.
And I see these in elasticsearch.log
[2016-10-06 15:17:41,354][DEBUG][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] Node started, try to initialize it. Wait for at least yellow cluster state....
[2016-10-06 15:17:41,523][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,667][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,698][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,728][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:42,099][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:18:11,746][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:18:44,747][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:19:17,749][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
What am I missing?
I have tried the advice on several of the questions posted here, but to no avail. I have the following files: (NOTE, I generated these on the fly and they are throwaway keys)
cert file:
-----BEGIN CERTIFICATE-----
MIIE+jCCA+KgAwIBAgIJAMLMeL/HH75vMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJVUzENMAsGA1UECBMEVXRhaDEXMBUGA1UEBxMOU2FsdCBMYWtlIENpdHkx
HjAcBgNVBAoTFU5pY2hvbGFzIFRlcnJ5IGRvdGNvbTEUMBIGA1UECxMLZGV2ZWxv
cG1lbnQxFjAUBgNVBAMTDW5pY2hvbGFzdGVycnkxKTAnBgkqhkiG9w0BCQEWGm5p
Y2hvbGFzQG5pY2hvbGFzdGVycnkuY29tMB4XDTE0MTIyNTA3MTkxNFoXDTE1MTIy
NTA3MTkxNFowga4xCzAJBgNVBAYTAlVTMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQH
Ew5TYWx0IExha2UgQ2l0eTEeMBwGA1UEChMVTmljaG9sYXMgVGVycnkgZG90Y29t
MRQwEgYDVQQLEwtkZXZlbG9wbWVudDEWMBQGA1UEAxMNbmljaG9sYXN0ZXJyeTEp
MCcGCSqGSIb3DQEJARYabmljaG9sYXNAbmljaG9sYXN0ZXJyeS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRA4sMOx8cn59h8xvE1EcwudGYgGID
WixEEz+8UczLzoIovbZI//iExrwfM7edYRU/HyIufx+dvHj5bRABt5pOwgEiolDA
XtIttxpsCX23gLg/40TQY2JXRv10JgxEQ3680ypghfAEXisOiIQGrT0W+k6WpIRo
/+z4zh/UPqUmvV3ZnzG97jsFiQ0Nu8IKlByLWzoef+2MqG0GO95do3gCcBhAF3tm
v+buNVi8DgJnYTnKKD5S1+KYRSkNNioRs3zE+/W0vCA0/kLiFjSjMq3bSuGJbHmt
N/8+lodfZYh1HB6DRZoyfTynNDRHyKpPGqTvfp8U/E91kkpxusVSQFbrAgMBAAGj
ggEXMIIBEzAdBgNVHQ4EFgQUPAm5VdPIPbdedLtCEmpivYi8xfkwgeMGA1UdIwSB
2zCB2IAUPAm5VdPIPbdedLtCEmpivYi8xfmhgbSkgbEwga4xCzAJBgNVBAYTAlVT
MQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEeMBwGA1UE
ChMVTmljaG9sYXMgVGVycnkgZG90Y29tMRQwEgYDVQQLEwtkZXZlbG9wbWVudDEW
MBQGA1UEAxMNbmljaG9sYXN0ZXJyeTEpMCcGCSqGSIb3DQEJARYabmljaG9sYXNA
bmljaG9sYXN0ZXJyeS5jb22CCQDCzHi/xx++bzAMBgNVHRMEBTADAQH/MA0GCSqG
SIb3DQEBBQUAA4IBAQBIGsrZaWDwW2UWzTT2tbMEPOFVVZFZiWNazJLXFrXO1deW
1Ggaa2+h3tE+dMincQp7KPDeEOZ4VeXjrwZ1UfmJm5qOWhwJ2HnSBHay22tKO24Y
1qDF/ygMqW3yyr10MWZJaxQeUn+cgpclesS8IiTUVF61pYpjI8DrETa8Hwd8QJkC
YaB3qXOVWdbvJX3DTkYPDEqLkC0qzqibe8fWd0JFF5lDMAeCS5EgW+lu6M++dQve
u5L6Y1Xh8SvRB8SnZdy30OKNf0RrWPgNq9donv8nWgEJEYl9A/XRhWvl6ZWpQLEK
6GbCprqUIFgnWBhp0fteIMcgXZUe/oGBQ3/Yovd+
-----END CERTIFICATE-----
private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0QOLDDsfHJ+fYfMbxNRHMLnRmIBiA1osRBM/vFHMy86CKL22
SP/4hMa8HzO3nWEVPx8iLn8fnbx4+W0QAbeaTsIBIqJQwF7SLbcabAl9t4C4P+NE
0GNiV0b9dCYMREN+vNMqYIXwBF4rDoiEBq09FvpOlqSEaP/s+M4f1D6lJr1d2Z8x
ve47BYkNDbvCCpQci1s6Hn/tjKhtBjveXaN4AnAYQBd7Zr/m7jVYvA4CZ2E5yig+
UtfimEUpDTYqEbN8xPv1tLwgNP5C4hY0ozKt20rhiWx5rTf/PpaHX2WIdRweg0Wa
Mn08pzQ0R8iqTxqk736fFPxPdZJKcbrFUkBW6wIDAQABAoIBAEFpWHTFc+EjW1/u
EzywKm9nV97gHsxpxfywAXxQJUWLJVTWultyMDZtc6ZYKxiHr3yHo8zlX+GfgESf
Cyleal5HfM93+MmbYy+HZC93cO6izAbCe2C0GayyvNNCrQgYD2vMsjBu+kSDq/nq
Y1crlDjCsSGX7xBlN6ZN68wiptDOVa1aBL+H3kzHtarURVdKY1MXrscR760/o8Nh
qA/9GA1PoHQ7ApNG8oLVPS9SU4JU3PfURCQTk8otYZ4GrScpSeYp9ISi/UODlF1M
IY+B9Bfrf2Eftv8zP+eF1UbTeBmMq0boy+afZsugMqjN/FpUpxUALlRX96az+VY9
fDSuUPECgYEA9Vv8E4HBbnzPrzA6jyYNcSnkfzTcNxuYaIqTrxWSLi018u1kRa9Z
zLyKFNZRg3+RTWKAqDLKkC/oZZARlPcpx8uzV1T+zrffrnf2aK1LDHUHEmsMj7PY
2DIhghO90BPGuWPpbHjmpr51hHH6+n/LcLN0EHQ2T9wh5HZY75qup9cCgYEA2hQL
sE0+Bp2rFP2CMfl5SAhhtmjrTGg76mItMmGj/3ycZ6CxRw/5nSepau7nbCZXSK+i
Pp/EutuUNcD9ZmyP7z7In2PdWP8X8OSjd9abUn3cRPz8IjSOkbuUMKYWnweUl5Qw
IgygFDYYGjEclOuUlbIzzhp9zeOJAwY0vsxulw0CgYAeaEnzOO95++nZMkbvmq2r
yp9QzIJGKhtXSWVIG4pEQsIe2yDEKhkc8HjEYFM10sd1KbH8Jl9IQ0ev3ozvQzpg
UnRlbFkv0UXdX2ygSGm2n4JC3BVwcb97+6p/bmbltK26KBGzqcAcBhqWUXHjPZc+
3l6R83UPrJ5eq/QVrbvbfQKBgBwvNwuEEB4exnuh/++hhHEw1CAVE0P+vK+gHKNE
R0O/wR8Lf53ljKco9xZg5fvuQJ2eRWO+llhoBJGl7ZoNMdUD0j33VCYqYde6VP4p
+E0DAzLPV268SCjBi3d2H7pR6nxkpIviAdZa32aTLlR41e066MMcXWH8pDqF1M9L
8IcJAoGBAMgoNz/y5LOclcfTLsj/1eYYDDCyB0a2rDsykcYSxeUOibRSicIQnE09
VW3NHZS56gsz4LFCK0Jxq9w76u/ZnhU5FCHs0+BwzyDYnyUnZQre38hcbEcMbEoe
Scmh3qRTfoS74qJzxx/rfhqRnLQal/FR4qf8V559gmB8idZmgMwK
-----END RSA PRIVATE KEY-----
The md5s match for these and when I run the following command:
openssl pkcs12 -export -out azure2.pfx -inkey azure2.key -in azure2.crt
I get a binary encoded pkcs12 file back.
However, when i try to do an http post, i get the following error:
Uncaught exception: nested asn1 error
Any ideas?
EDIT:
I tried the following:
p12 = OpenSSL::PKCS12.new(File.read("azure2.pfx"))
p p12.certificate
p p12.ca_certs
and i get valid output.... So what gives?
So, once again, I answered my own question. I was trying to read a DER-form pkcs12. I had to convert it to PEM format.
For others who might run into this. I had this error and fixed it by removing all carriage returns from my certificate string. (eg. replace "\r\n" and "\n\r" with just "\n" or just remove all "\r"
I have a mochiweb as WebSocket server; connectivity using JavaScript from Chrome browser as ws client went smooth (open, send message, close). However, when I tried to connect from C# using websocket4Net, I always get below error from mochiweb.
=CRASH REPORT==== 30-Jan-2013::16:57:41 ===
crasher:
initial call: mochiweb_acceptor:init/3
pid: <0.228.0>
registered_name: []
exception error: no case clause matching {error,timeout}
in function mochiweb_http:websocket_init_with_origin_validated/4 (mochiweb_http.erl, line 292)
in call from mochiweb_http:headers_ws_upgrade/4 (mochiweb_http.erl, line 192)
ancestors: [cim_https,<0.166.0>]
messages: []
links: [<0.167.0>]
dictionary: []
trap_exit: false
status: running
heap_size: 1597
stack_size: 24
reductions: 1585
my C# snippet:
webSocketClient = new WebSocket("wss://localhost:8080/login");
webSocketClient.Error += new EventHandler<SuperSocket.ClientEngine.ErrorEventArgs>(webSocketClient_Error) ;
webSocketClient.AllowUnstrustedCertificate = true;
webSocketClient.Opened += new EventHandler(webSocketClient_Opened);
webSocketClient.Closed += new EventHandler(webSocketClient_Closed);
webSocketClient.MessageReceived += new EventHandler<MessageReceivedEventArgs>(webSocketClient_MessageReceived);
webSocketClient.Open();
Is there any parameter that I've missed ? Any idea on how to trace this ?
Found the issue. Apparently, Mochiweb only supports what in websocket4net is known as Hybi00 -no support for RFC 6455 yet.
Seems like now I have to patch my mochiweb.