Why a URL is required for timestamping when signing code - code-signing

Why is a URL required for timestamping when signing code? Why doesn't it use the system time?

Your system time might be incorrect (either accidentally or deliberately). Using an external timestamp service removes your local system clock from the operation.

Related

Spring SAML sample app fails with Ping Federation

Hi Guys,
I have been trying to integrate the Spring sample app, downloaded from https://github.com/spring-projects/spring-security-saml, with Ping Federate. I have used this sample app to integrate with so many other IdPs and it worked fine without any hassles. But Ping Federate seems to be a bit complicated. This is what I did so far:
1. Create a connection in Ping using my SP metadata.
2. Export the Ping metadata.
3. Configure it in my SP (securityContext.xml).
4. Start the server.
I get various errors in various scenarios. The one which I am currently testing
has the following error on server restart:
org.opensaml.saml2.metadata.provider.MetadataProviderException: No IDP was configured, please update included metadata with at least one IDP
On investigating the logs, I see the root cause to be
Caused by: java.lang.NullPointerException
at org.opensaml.saml2.common.SAML2Helper.getEarliestExpiration(SAML2Helper.java:112)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.processCachedMetadata(AbstractReloadingMetadataProvider.java:328)
at org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider.refresh(AbstractReloadingMetadataProvider.java:258)
However, everything works fine if I disable metadataTrustCheck in securityContext.xml using the property
<property name="metadataTrustCheck" value="false"/>
Can someone please help? I have been trying to solve this for the past week. Unfortunately there is no good enough documentation from Ping for the (latest) version I am using.
Update:
Application works fine if,
Metadata trust check is disabled at SP and PF metadata is signed
Metadata trust check is enabled at SP and PF metadata is unsigned
However, I am getting above NullPointerException if
Metadata trust check is enabled at SP and PF metadata is signed
A while ago, we had exactly the same NullPointerException with IDP metadata (using opensaml 2.6.4). As written above, setting metadataTrustCheck="false" on the ExtendedMetadataDelegate did solve the problem, but was not the desired solution.
Alternatively, one could have removed the <Signature> block from the metadata, which is equally as bad.
Solution:
Besides adding the (self-signed) certificate, it was necessary to add the next certificate in the chain to the keystore as well.
For the interested reader:
Despite this error, the application continued to start and claimed "Reloading metadata was finished".
However, there's a TimerTask which regularly checks whether metadata providers were changed, i.e., whether a new one was registered. Supposedly, this happens only at startup time.
Regardless, every 10 seconds (by default) a refresh is triggered internally, which leads to the calculation of the expiration time. If the metadata is not loaded for any reason, e.g., because of a validation error, then this leads to the mentioned NullPointerException in getEarliestExpiration().
If you're using a file-based MetadataProvider you might want to customize the CachingMetadataManager and set refreshCheckInterval="-1" to disable this TimerTask.
PS: Maybe there are other reasons like a typo in the entityID, an overdue validUntil, expired certificates,... you name it. Anything, which causes the metadata not to be loaded will likely result in this issue. Another indicator is the following exception:
Caused by: org.opensaml.saml2.metadata.provider.MetadataProviderException: Metadata for issuer <ENTITY_ID> wasn't found
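An added Java example of the keystore fix described under "Solution" above. It is not code from the answer or from spring-security-saml: it imports a PEM bundle holding the IdP's metadata signing certificate and the next certificate(s) in its chain into the SP keystore, and refuses to proceed while any issuer is still missing, which is exactly the gap that made the trust check fail. The keystore name, password and PEM file name are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Import an IdP metadata signing certificate together with the next certificate(s) in its chain. */
public final class ImportIdpChain {

    public static List<String> importChain(String keystorePath, char[] storePass, String pemBundlePath)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }

        // generateCertificates() reads every BEGIN/END CERTIFICATE block in the bundle,
        // so the signing cert and its issuer(s) are parsed in one pass.
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemBundlePath)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }

        // Refuse a bundle that still leaves a gap: the metadata trust check would fail just as before.
        List<String> missing = missingIssuers(ks, certs);
        if (!missing.isEmpty()) {
            throw new IllegalStateException("issuer certificate(s) not in bundle or keystore: " + missing);
        }

        List<String> aliases = new ArrayList<>();
        for (X509Certificate x : certs) {
            x.checkValidity();                 // an expired cert also stops the metadata from loading
            String alias = aliasFor(x);
            if (ks.containsAlias(alias)) {
                ks.deleteEntry(alias);         // replace a stale copy instead of silently keeping it
            }
            ks.setCertificateEntry(alias, x);
            aliases.add(alias);
        }
        try (FileOutputStream out = new FileOutputStream(keystorePath)) {
            ks.store(out, storePass);
        }
        return aliases;
    }

    /** Issuer DNs of non-self-signed certs that neither the bundle nor the keystore can satisfy. */
    static List<String> missingIssuers(KeyStore ks, List<X509Certificate> certs) throws Exception {
        List<X500Principal> known = new ArrayList<>();
        for (X509Certificate c : certs) {
            known.add(c.getSubjectX500Principal());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                known.add(((X509Certificate) c).getSubjectX500Principal());
            }
        }
        List<String> missing = new ArrayList<>();
        for (X509Certificate c : certs) {
            X500Principal issuer = c.getIssuerX500Principal();
            boolean selfSigned = issuer.equals(c.getSubjectX500Principal());
            if (!selfSigned && !known.contains(issuer)) {
                missing.add(issuer.getName());
            }
        }
        return missing;
    }

    /** Alias from subject DN plus serial number, so a cert and its issuer never overwrite each other. */
    static String aliasFor(X509Certificate x) {
        String raw = x.getSubjectX500Principal().getName() + "-" + x.getSerialNumber().toString(16);
        return raw.toLowerCase().replaceAll("[^a-z0-9]+", "-");
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: the SP keystore and its password, and a PEM bundle exported from the IdP.
        List<String> added = importChain("samlKeystore.jks", "changeit".toCharArray(), "ping-idp-chain.pem");
        System.out.println("imported: " + added);
    }
}
```

With the chain in place, metadataTrustCheck can stay enabled. As I understand the library's ExtendedMetadataDelegate, the alias of the signing certificate can be listed in its metadataTrustedKeys set to restrict which keystore entries act as trust anchors; when that set is left empty, every certificate in the keystore is treated as trusted, which is a wider trust boundary than most SPs want.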

Calculate file checksum in FTP server using Apache FtpClient

I am using the FtpClient of Apache Commons Net to upload videos to an FTP server. To check whether the file has really been successfully transferred, I want to calculate the checksum of the remote file, but unfortunately I found there is no related API I could use.
My question is: Is there a need to calculate the file checksum on the FTP server? If the answer is yes, how do I get the checksum with FtpClient?
If the answer is no, how does FtpClient know that the file has really been successfully and completely transferred?
With FTP, I'd recommend verifying the upload, if possible.
The problem is that there's no widespread standard API for calculating a checksum with FTP.
There are many proposals for a checksum calculation command for FTP. None has been accepted yet.
The latest proposal is:
https://datatracker.ietf.org/doc/html/draft-bryan-ftpext-hash-02
As a consequence, different FTP servers support different checksum commands, with different syntax: HASH, XSHA1, XSHA256, XSHA512, XMD5, MD5, XCRC, to name some. You need to check what, if anything, your FTP server supports.
You can test that with WinSCP. WinSCP supports all the previously mentioned commands. Test its checksum calculation function or checksum scripting command. If they work, enable logging and check what command and what syntax WinSCP uses against your server.
> 2015-04-28 09:19:16.558 XSHA1 /test/file.dat
< 2015-04-28 09:19:22.778 213 a98faefdb2c36ca352a2d9b01668aec6b641cf4b
Then execute the command using Apache Commons Net sendCommand method:
int code = ftpClient.sendCommand("XSHA1", "filename");
if (FTPReply.isPositiveCompletion(code))
{
    // The reply looks like "213 a98faefdb2c36ca352a2d9b01668aec6b641cf4b"; the hash is the last token
    String[] reply = ftpClient.getReplyStrings();
}
(I'm the author of WinSCP)
If your server does not support any of the checksum commands, you do not have many options:
Download the file back and check it locally.
When using encryption (TLS/SSL), chances of the file being corrupted during transfer are significantly lower. The receiving party (server in this case) would otherwise fail to decrypt the data. So if you are sure that the file transfer completed (no decryption errors and the size of the uploaded file is the same as size of the original local file), you can be pretty sure that the uploaded file is correct.
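The two strategies from this answer (ask the server for a hash, otherwise download the file back) worked through in one Java class with Apache Commons Net. This is an added example, not code from the answer or from the Commons Net project. It assumes Java 17 or later (for HexFormat); the host, credentials and paths are placeholders, and the XSHA1 command with its "213 <hash>" reply shape is taken from the WinSCP log above and must be matched to whatever your server actually supports.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.util.HexFormat;
import org.apache.commons.net.ftp.FTP;
import org.apache.commons.net.ftp.FTPClient;
import org.apache.commons.net.ftp.FTPReply;

/** Upload a file and prove that the remote copy matches the local one. */
public final class FtpUploadVerifier {

    /** Hash command and algorithm pair. XSHA1 is what the WinSCP log shows; other servers want
     *  XMD5, XSHA256, HASH, ... each with its own reply layout. Adjust both to your server. */
    private static final String HASH_COMMAND = "XSHA1";
    private static final String HASH_ALGORITHM = "SHA-1";

    public static boolean uploadAndVerify(FTPClient ftp, Path localFile, String remotePath) throws Exception {
        ftp.setFileType(FTP.BINARY_FILE_TYPE);   // ASCII mode would rewrite line endings and break the hash
        try (InputStream in = Files.newInputStream(localFile)) {
            if (!ftp.storeFile(remotePath, in)) {
                return false;                     // STOR refused or aborted; see ftp.getReplyString()
            }
        }
        String localHash = hexDigest(Files.newInputStream(localFile));

        // Strategy 1: server-side hash, if the server implements the command at all.
        int code = ftp.sendCommand(HASH_COMMAND, remotePath);
        if (FTPReply.isPositiveCompletion(code)) {
            String remoteHash = parseHashReply(ftp.getReplyString());
            return localHash.equalsIgnoreCase(remoteHash);
        }
        // 500/502 means "command not understood"; any other failure is still worth the fallback.

        // Strategy 2: round-trip. Pull the uploaded bytes back and hash them as they stream in,
        // so the file never has to be written to local disk a second time.
        MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
        try (OutputStream sink = new DigestOutputStream(OutputStream.nullOutputStream(), md)) {
            if (!ftp.retrieveFile(remotePath, sink)) {
                return false;
            }
        }
        return localHash.equalsIgnoreCase(HexFormat.of().formatHex(md.digest()));
    }

    /** "213 a98faefd..." -> "a98faefd...". Some servers (HASH) put algorithm and byte range before
     *  the digest, so the last token is taken and checked for a plausible hex length (MD5 .. SHA-512). */
    static String parseHashReply(String reply) {
        String[] parts = reply.trim().split("\\s+");
        String hash = parts[parts.length - 1];
        if (!hash.matches("[0-9a-fA-F]{32,128}")) {
            throw new IllegalStateException("unexpected hash reply: " + reply);
        }
        return hash;
    }

    static String hexDigest(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
        try (in) {
            byte[] buf = new byte[64 * 1024];
            for (int n; (n = in.read(buf)) > 0; ) {
                md.update(buf, 0, n);
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    public static void main(String[] args) throws Exception {
        FTPClient ftp = new FTPClient();
        ftp.connect("ftp.example.test");                              // placeholder host
        try {
            if (!FTPReply.isPositiveCompletion(ftp.getReplyCode()) || !ftp.login("user", "secret")) {
                throw new IllegalStateException("connect/login failed: " + ftp.getReplyString());
            }
            ftp.enterLocalPassiveMode();
            boolean ok = uploadAndVerify(ftp, Path.of("video.mp4"), "/incoming/video.mp4");
            System.out.println(ok ? "upload verified" : "MISMATCH: re-upload required");
        } finally {
            ftp.logout();
            ftp.disconnect();
        }
    }
}
```

Both strategies detect truncation and corruption in transit; neither defends against a server that lies about the hash or alters the file afterwards, since the server computes (or serves) the bytes being checked. If that is part of your threat model, sign the file before upload and verify the signature wherever the file is consumed.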
Just an addition on how I implemented this. When dealing with standard FTP servers without any additional modules loaded for checksum checking, all I did was create a list of MD5 CRC hashes of each file in an SFV file. Say it's called uploads.sfv (in the same format as an SFV generator would produce). This allows you to do further checksum checks.
Examples of server-side checksum checking support:
PZS-ng for cuftpd, glftpd
mod_digest for ProFTPD
Of course, as @MartinPrikryl highlighted, none of these are standardized.
That's a long shot, but if the server supports php, you can exploit that.
Save the following as a php file (say, check.php), in the same folder as your name_of_file.txt file:
<?php
echo md5_file('name_of_file.txt');
?>
Then, visit the page check.php, and you should get the md5 hash of your file.
Related questions:
FTP: copy, check integrity and delete
How to perform checksums during a SFTP file transfer for data integrity?
https://serverfault.com/q/98597/401691

Moving Windows 7 encrypted file

I am testing Windows 7 file encryption. A test file was encrypted (I see a green colored file name). That file was shared across the network and it can still be opened from another station. The green colored file name is also viewable from the other computer. What am I doing wrong? I admit that I don't know the encryption concept yet.
If I moved that file to shared folder of other computers, message appeared asking "Confirm encryption loss". How can I copy that file with encryption?
I know Truecrypt software but I am testing with Windows Encryption.
The NTFS file encryption is using your password hash to encrypt the file.
If you connect to the file from another computer you need to supply the user's password, which means the remote computer has the key to decrypt the file.
If you copy the file from the share to the local computer, Windows will save the key in the remote computer.
The whole idea of filesystem encryption is that another user cannot use your encrypted files, nor can someone who gets hold of your hard drive. But if you're logged in, all the running applications that have been executed by you or have access to your token (for example, the SYSTEM user) can access the file without ever knowing it is encrypted on the disk.
Be careful of encryption! Some encryption systems for Windows will automatically encrypt your files/folders for you. This is common in gov't/corporate computers. If you do NOT have this set, and then another user on your computer who DOES have this set accesses your file/folder, the file/folder can get encrypted with that other user's token, and then you won't be able to access your own file/folder!
This actually happened to me last week. Took a whole day to figure it out, because Windows won't tell you WHO encrypted the file, just that it wasn't done with your current token. Aaargh!
(This won't happen if permissions are set to ReadOnly, but in a collaborative environment sometimes permissions aren't set that way.)

Suppress or Ignore Non-Trusted Certificate With FTPS.exe (MOVEit Freely)?

One of the FTP accounts that I use recently began requiring secure FTP connections, which broke a script that I used to upload to it using a 'standard' FTP library. I've written a little batch file that will upload the 2 files via FTPS.exe (MoveIT Freely), but I get a dialog box that pops up and requires me to click yes.
Normally this wouldn't be a problem, but I'm calling the batch file at the end of a ~10 minute long script that parses, combines, and encodes several CSV files (usually unattended). With this dialog box popping up, I have to keep an eye on it... I'm trying to get this to the point where I can run it as a scheduled task and forget about it.
There doesn't seem to be much support for this freeware unless you are also a payware customer, so I was wondering if anyone else has run into this problem and knows a flag to ignore the error (or a workaround, or another free secure FTP solution). Error is below (server names changed).
MOVEit Freely
---------------------------
Non trusted certificate
---------------------------
The certificate's CN name does not match the passed value.
Certificate issued to: funftp501
Certificate issued by: Standalone007
Do you want to proceed with the connection?
---------------------------
Yes No
---------------------------
If you are sure that you use the proper servername in your script (meaning: the
exact name that the certificate was issued to), then you could try using the
parameter '-natpasv'.
You can also use '-z' to skip warnings...
Hope this helps
I was involved in creating MOVEit Freely. You may also want to try just running the client like this:
ftps -?
...to dump the short help. But "JW" is right. The "-z to not warn about problems with certificates" option was what we created to avoid this exact situation. As long as the certificate isn't expired (I don't think we let that one go), the "-z" argument will eat all other errors.

Check username and password of Windows account

I have an installation package that installs a service process that I create. I'd like to prompt the user for the username/password of the account that the service process should run under. I'd like to verify that the username/password combination is valid before continuing with the installation. I have a C DLL that I am using for special installation behavior, but I can't figure out how to use the Windows API to verify an account's credentials. I'd like to be able to support the same account name syntax used by the service control manager.
The function you want to use is LogonUser. You can even be extra-cool and specify the LOGON32_LOGON_SERVICE flag which checks to make sure the user has the appropriate permissions to run a service.
LogonUser is the canonical way to do this, though Microsoft somewhat discourages it.
I've implemented this using the LogonUser function as you guys have mentioned (by the way, this service requires WinXP SP2 or later so I'm not worried about the privilege issue). However, this isn't quite working as I had hoped. If I call QueryServiceConfig, lpServiceStartName is in the format ".\accountname". If I pass this string as is to LogonUser, it fails. I assume the portion before the '\' represents the machine on which the user belongs?
Also, if I call ChangeServiceConfig specifying "LocalSystem" and "" for the lpServiceStartName and lpPassword parameters respectively, this works fine. However, calling LogonUser with these parameters does not work.
I'd really like to use the same syntax that the SCM uses for the account names.
