I'm implementing Windows 8.1 MDM and using BouncyCastle for the WSTEP stage of the device enrolment part. For this I need to override the CommonName of the signed certificate from 'UTF8' encoding to 'PRINTABLE_STRING' encoding.
By default BouncyCastle provides UTF8; is there a way to change this?
Answering my own question:
When I used new X500Principal("CN=someCN") instead of an X500Name object while creating the X509v3CertificateBuilder, the created certificate's Common Name was in PRINTABLE_STRING encoding. Sample code looks like below:
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;

// caCert: the issuing CA's X509Certificate; jcaRequest: the JcaPKCS10CertificationRequest from the WSTEP payload
long now = System.currentTimeMillis();
Date notBefore = new Date(now - 1000L * 60 * 60 * 24 * 3);    // back-dated three days
Date notAfter  = new Date(now + 1000L * 60 * 60 * 24 * 300);  // valid for 300 days
BigInteger serial = BigInteger.valueOf(new SecureRandom().nextInt(Integer.MAX_VALUE));

X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
        caCert, serial, notBefore, notAfter,
        new X500Principal("CN=someCN"),   // subject built via X500Principal: CN is DER-encoded as PrintableString
        jcaRequest.getPublicKey());
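The difference between the two subject constructors is only visible at the DER level: the CN value is tagged 0x0C (UTF8String) in one case and 0x13 (PrintableString) in the other. The following Python is an added illustration, not code from the post or from BouncyCastle: it encodes CN=someCN both ways, walks a DER Name to report which string type its commonName uses, and enforces the PrintableString alphabet. That last check matters because PrintableString cannot carry characters such as '@', '_' or '*', so an encoder asked for PrintableString with such a CN either fails or silently falls back to UTF8String (the JDK's X500Principal does the latter). The OID and tag values are from X.680/RFC 5280; the hex byte strings in the test are computed by hand from those rules.

```python
"""Encode CN=<value> as a DER X.500 Name with either UTF8String or PrintableString,
and inspect which string type an existing DER Name uses for its commonName."""
import re

OID_COMMON_NAME = bytes.fromhex("550403")          # id-at-commonName, 2.5.4.3
TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8STRING, TAG_PRINTABLESTRING = 0x0C, 0x13
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
                0x16: "IA5String", 0x1E: "BMPString"}
# X.680 PrintableString alphabet. '@', '_' and '*' are deliberately absent.
PRINTABLE_RE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")


def can_be_printable_string(value: str) -> bool:
    return bool(PRINTABLE_RE.match(value))


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_cn_name(common_name: str, printable: bool) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AVA; AVA ::= SEQUENCE { type OID, value }."""
    if printable and not can_be_printable_string(common_name):
        raise ValueError(f"{common_name!r} is not representable as PrintableString")
    tag = TAG_PRINTABLESTRING if printable else TAG_UTF8STRING
    ava = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_COMMON_NAME) + tlv(tag, common_name.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_SET, ava))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position just after this TLV); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cn_string_type(name_der: bytes):
    """Walk a DER Name and return (string type name, decoded value) of its commonName, or None."""
    tag, rdns, _ = _read_tlv(name_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a Name: outer tag is not SEQUENCE")
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)           # one RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, ava, p = _read_tlv(rdn, p)             # AttributeTypeAndValue (SEQUENCE)
            _, oid, q = _read_tlv(ava, 0)
            vtag, value, _ = _read_tlv(ava, q)
            if oid == OID_COMMON_NAME:
                return STRING_TYPES.get(vtag, f"tag 0x{vtag:02x}"), value.decode("utf-8")
    return None
```

To check a certificate BouncyCastle actually produced, dump its DER with `openssl asn1parse -in cert.pem` and look for `PRINTABLESTRING :someCN` versus `UTF8STRING :someCN` under the subject; the walker above gives the same answer for the raw subject bytes.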
I was trying to simulate the /protocol/openid-connect/token Keycloak endpoint using JMeter. Even though I have correlated the code parameter and am passing it properly, there is something called code_verifier and it is not found in any of the previous requests. Providing the sample request and response for your reference. Can someone help me here if I have to take any additional steps to overcome the issue in the response attached?
Request:
POST https://{HOST}/auth/realms/{Appname}/protocol/openid-connect/token
POST data:
code=f99e9da5-cfcf-4069-aaec-b53mee00af54.e46a981h-5291-4862-b6fd-abc7f2d222f2.87488f77-3b05-47b0-afd7-8a8c80b384e7%0AContent-Length%3A+0%0ADate%3A+Wed%2C+29+Dec+2021+18%3A30%3A26+GMT%0A&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fwebclient-performance.appname.ad%2F&client_id=premium-web-client&code_verifier=YTlYTmoxZ2tXbzM1M0xkVkRfZXg0M280TUhDZXVMYVdIY2hoVzRqTE5ESXkw
Cookie Data:
AUTH_SESSION_ID=e46a61f9-5291-4862-b6fd-eff7f2d222f2.d306f6737649; KEYCLOAK_LOCALE=en; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiZDBmYTc0Ni02Y2NmLTRiMjktYTBmZC1kOWMxMWNmY2RlM2UifQ.eyJleHAiOjE2NDA4ODkwMjYsImlhdCI6MTY0MDgwMjYyNiwianRpIjoiZWFjZDczNDctNDYyNC00Mjk0LWE4NjYtYzRiYmM1MjNiMDlhIiwiaXNzIjoiaHR0cHM6Ly8xNzIuMjYuMjMzLjE0NDoyODA4MC9hdXRoL3JlYWxtcy9uZXh0Z2VuLXNvbmV0Iiwic3ViIjoiOTE4MDcyNDktZWZlYi00ZWZlLWEwY2EtMGRlMTYxZWIzNTU5IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3RhdGUiOiJlNDZhNjFmOS01MjkxLTQ4NjItYjZmZC1lZmY3ZjJkMjIyZjIiLCJzdGF0ZV9jaGVja2VyIjoiU3VmS2tOLXE0UTNDVUhvM2xFblhHZ3NFSWdWSS0wektFR2JKRENzZHpiYyJ9.4XA6eGrUB8HhhLTfNlhY9twiX3oJLQhlFlYDY3zYa6Q; KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiABCmYTc0Ni02Y2NmLTRiMjktYTBmZC1kOWMxMWNmY2RlM2UifQ.eyJleHAiOjE2NDA4ODkwMjYsImlhdCI6MTY0MDgwMjYyNiwianRpIjoiZWFjZDczNDctNDYyNC00Mjk0LWE4NjYtYzRiYmM1MjNiMDlhIiwiaXNzIjoiaHR0cHM6Ly8xNzIuMjYuMjMzLjE0NDoyODA4MC9hdXRoL3JlYWxtcy9uZXh0Z2VuLXNvbmV0Iiwic3ViIjoiOTE4MDcyNDktZWZlYi00ZWZlLWEwY2EtMGRlMTYxZWIzNTU5IiwidHlwIjoiU2VyaWFsaXplZC1JRCIsInNlc3Npb25fc3phdGUiOiJlNDZhNjFmOS01MjkxAAA4NjItYjZmZC1lZmY3ZjJkMjIyZjIiLCJzdGF0ZV9jaGVja2VyIjoiU3VmS2tOLXE0UTNDVUhvM2xFblhHZ3NFSWdWSS0wektFR2JKRENzZHpiYyJ9.4XA8bGrUB8HhhLTfNlhY9twiX3oJLQhlFlYDY3zYa6Q; KEYCLOAK_SESSION=appname/91807249-efeb-4abc-a0ca-0de161eb8741/e46a61f9-2147-4862-b6fd-eff7f2d222f2; KEYCLOAK_SESSION_LEGACY=name/85211234-efeb-4efe-a0ca-0de161eb1877/e46a78f9-5291-4862-b6fd-eff7f2d899f2
Response:
{"error":"invalid_grant","error_description":"User session not found"}
This code_verifier parameter needs to be generated, not correlated.
See the algorithm description in RFC 7636:
4. Protocol
4.1. Client Creates a Code Verifier
The client first creates a code verifier, "code_verifier", for each
OAuth 2.0 [RFC6749] Authorization Request, in the following manner:
code_verifier = high-entropy cryptographic random STRING using the
unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Section 2.3 of [RFC3986], with a minimum length of 43 characters
and a maximum length of 128 characters.
ABNF for "code_verifier" is as follows.
code-verifier = 43*128unreserved
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
ALPHA = %x41-5A / %x61-7A
DIGIT = %x30-39
NOTE: The code verifier SHOULD have enough entropy to make it
impractical to guess the value. It is RECOMMENDED that the output of
a suitable random number generator be used to create a 32-octet
sequence. The octet sequence is then base64url-encoded to produce a
43-octet URL safe string to use as the code verifier.
A sample implementation is available in the Create Code Verifier section of the Auth0 manual:
// JSR223 (Groovy) PreProcessor; java.util.Base64 ships with Java 8+, no extra dependency needed
import java.security.SecureRandom;
import java.util.Base64;

SecureRandom sr = new SecureRandom();
byte[] code = new byte[32];                 // 32 random octets, as RFC 7636 recommends
sr.nextBytes(code);
// base64url without padding turns 32 octets into a 43-character URL-safe verifier
String verifier = Base64.getUrlEncoder().withoutPadding().encodeToString(code);
You can add the following line to store the generated value in a JMeter variable:
vars.put("code_verifier", verifier);
and use ${code_verifier} in your HTTP Request sampler instead of the hard-coded value. In the above snippet, vars stands for the JMeterVariables class instance; see the Top 8 JMeter Java Classes You Should Be Using with Groovy article for more details if needed.
The code can be run from, e.g., a JSR223 PreProcessor.
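The verifier is only half of PKCE: the authorization request that produces the code must carry code_challenge = BASE64URL(SHA256(code_verifier)) with code_challenge_method=S256, and the token request must then present the very same verifier, which the server rehashes and compares against the challenge it stored with the code. In JMeter terms, the PreProcessor therefore has to run before the /auth request, not just before /token, and the same ${code_verifier} variable must be reused across both. The Python below is an added example (not from the answer, not Keycloak code) showing both legs and the server-side check; client_id, redirect_uri and the authorization code are placeholders, and the fixed verifier/challenge pair in the test is the vector from RFC 7636 Appendix B.

```python
"""PKCE (RFC 7636) as seen by the client and by the authorization server."""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")   # ABNF: code-verifier = 43*128unreserved


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = 32) -> str:
    """RFC 7636 4.1: 32 CSPRNG octets, base64url without padding -> 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_octets))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_query(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Leg 1, the browser redirect to .../protocol/openid-connect/auth: only the challenge travels."""
    return urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    })


def token_form(client_id: str, redirect_uri: str, code: str, verifier: str) -> str:
    """Leg 2, the POST body for .../protocol/openid-connect/token: the verifier from leg 1 is revealed."""
    return urlencode({
        "grant_type": "authorization_code", "client_id": client_id,
        "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier,
    })


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint for the code being redeemed."""
    if not VERIFIER_RE.match(presented_verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)   # constant-time comparison


def demo_round_trip() -> bool:
    """Same verifier on both legs is accepted; a freshly generated one for leg 2 is rejected."""
    verifier = make_code_verifier()
    stored = code_challenge_s256(verifier)          # the AS stores this alongside the issued code
    return (server_verify(stored, "S256", verifier)
            and not server_verify(stored, "S256", make_code_verifier()))
```

The rejection branch in demo_round_trip is exactly what a load test hits when a new verifier is generated (or the wrong variable referenced) between the authorization request and the token POST.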
I've installed the decimal-ext extension and the php-decimal/laravel Composer package. I'm using it to compare large decimal numbers. On my laptop everything works correctly, but on my staging server the following error is thrown:
Return value of Decimal\Decimal::compareTo() must be of the type int, none returned
and here is the code:
(new Decimal($value))->compareTo($maxNumber) == -1;
As I said I'm not getting this error on my laptop.
Laravel: 5.8
PHP: 7.4.3
Server: Ubuntu 18.04
I spent some time on this but figured it out. The decimal-ext extension was not loaded in the server's php.ini file. PHP didn't throw an exception about a missing extension but about the wrong return type, because the class Decimal was actually loaded (it was installed via Composer). I could instantiate an instance, but the implementation was missing:
/**
* Ordering
*
* This method is equivalent to the `<=>` operator.
*
* @param mixed $other
*
* @return int 0 if this decimal is considered equal to $other,
* -1 if this decimal should be placed before $other,
* 1 if this decimal should be placed after $other.
*/
public function compareTo($other): int {}
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 C:\xamp\htdocs\okta\simplesamlphp\www\module.php:180 (N/A)
Caused by: Exception: Failed to parse XML string.
Backtrace:
7 C:\xamp\htdocs\okta\simplesamlphp\lib\SimpleSAML\Metadata\SAMLParser.php:333 (SimpleSAML_Metadata_SAMLParser::parseDescriptorsString)
6 C:\xamp\htdocs\okta\simplesamlphp\saml-autoconfig.php:54 (require)
5 C:\xamp\htdocs\okta\simplesamlphp\config\authsources.php:2 (require)
4 C:\xamp\htdocs\okta\simplesamlphp\lib\SimpleSAML\Configuration.php:114 (SimpleSAML_Configuration::loadFromFile)
3 C:\xamp\htdocs\okta\simplesamlphp\lib\SimpleSAML\Configuration.php:178 (SimpleSAML_Configuration::getConfig)
2 C:\xamp\htdocs\okta\simplesamlphp\lib\SimpleSAML\Auth\Source.php:330 (SimpleSAML_Auth_Source::getById)
1 C:\xamp\htdocs\okta\simplesamlphp\modules\saml\www\sp\saml2-acs.php:12 (require)
0 C:\xamp\htdocs\okta\simplesamlphp\www\module.php:137 (N/A)
saml-autoconfig.php
<?php
/* -*- coding: utf-8 -*-
* Copyright 2015 Okta, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* metadata_url_for contains PER APPLICATION configuration settings.
* Each SAML service that you support will have different values here.
*
* NOTE:
* This is implemented as an array for DEMONSTRATION PURPOSES ONLY.
* On a production system, this information should be stored as appropriate,
* With each key below mapping to your concept of "customer company",
* "group", "organization", "team", etc.
* This should also be stored in your production datastore.
*/
$metadata_url_for = array(
/* WARNING WARNING WARNING
* You MUST remove the testing IdP (idp.oktadev.com) from a production system,
* as the testing IdP will allow ANYBODY to log in as ANY USER!
* WARNING WARNING WARNING
* For testing with http://saml.oktadev.com use the line below:
*/
// 'test' => 'http://idp.oktadev.com/metadata',
'example' => 'https://dev-540405.oktapreview.com/app/weblogpkdev930725_weblog_1/exk8fuhzpynnGw54Q0h7/sso/saml',
);
foreach($metadata_url_for as $idp_name => $metadata_url) {
/*
* Fetch SAML metadata from the URL.
* NOTE:
* SAML metadata changes very rarely. On a production system,
* this data should be cached as appropriate for your production system.
*/
$metadata_xml = file_get_contents($metadata_url);
if ($metadata_xml === false) {
// A failed fetch would otherwise surface later as "Failed to parse XML string".
throw new Exception('Could not fetch IdP metadata from ' . $metadata_url);
}
/*
* Parse the SAML metadata using SimpleSAMLphp's parser.
* See also: modules/metaedit/www/edit.php:34
*/
SimpleSAML_Utilities::validateXMLDocument($metadata_xml, 'saml-meta');
$entities = SimpleSAML_Metadata_SAMLParser::parseDescriptorsString($metadata_xml);
$entity = array_pop($entities);
$idp = $entity->getMetadata20IdP();
$entity_id = $idp['entityid'];
/*
* Remove HTTP-POST endpoints from metadata,
* since we only want to make HTTP-GET AuthN requests.
*/
// array_filter instead of unset() inside a sizeof()-bounded for loop: unsetting shrinks
// the count mid-loop, so a trailing HTTP-POST endpoint could survive the original loop.
$idp['SingleSignOnService'] = array_values(array_filter(
$idp['SingleSignOnService'],
function($endpoint) {
return $endpoint['Binding'] != 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
}
));
/*
* Don't sign AuthN requests.
*/
if(isset($idp['sign.authnrequest'])) {
unset($idp['sign.authnrequest']);
}
/*
* Set up the "$config" and "$metadata" variables as used by SimpleSAMLphp.
*/
$config[$idp_name] = array(
'saml:SP',
'entityID' => null,
'idp' => $entity_id,
// NOTE: This is how you configure RelayState on the server side.
// 'RelayState' => "",
);
$metadata[$entity_id] = $idp;
}
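"Failed to parse XML string" is raised by parseDescriptorsString when what file_get_contents returned is not SAML metadata at all. A common cause with Okta is pointing $metadata_url_for at the app's SSO endpoint (the posted URL ends in /sso/saml), which answers with an HTML sign-in page, whereas the metadata document is served from the same path with /metadata appended. The Python below is an added example, not SimpleSAMLphp or Okta code, that performs the same fetch-result validation and binding filtering as saml-autoconfig.php but fails with a message naming the real problem. The sample metadata and HTML page are constructed inline (entity ID and hostnames invented) so it runs offline.

```python
"""Validate fetched IdP metadata before handing it to a SAML library, then keep only
the SingleSignOnService bindings we intend to use (the HTTP-POST filter from saml-autoconfig.php)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the shape of an Okta app's IdP metadata, with invented identifiers.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.test/app/exkEXAMPLEID/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: what comes back when the URL is a login page rather than the metadata URL.
SAMPLE_HTML_PAGE = "<!DOCTYPE html><html><head><title>Sign In</title></head><body>...</body></html>"


class MetadataError(ValueError):
    """Raised with a specific reason instead of a generic 'Failed to parse XML string'."""


def parse_idp_metadata(xml_text: str, drop_bindings=(HTTP_POST,)) -> dict:
    # The stdlib parser does not fetch external entities, but it is not hardened against
    # entity-expansion attacks; for metadata pulled from the network prefer defusedxml.
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"response is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise MetadataError(f"expected md:EntityDescriptor, got <{root.tag}>: wrong URL?")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("EntityDescriptor carries no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not IdP metadata")
    endpoints = [
        {"Binding": sso.get("Binding"), "Location": sso.get("Location")}
        for sso in idp.findall("md:SingleSignOnService", NS)
        if sso.get("Binding") not in drop_bindings
    ]
    if not endpoints:
        raise MetadataError("no usable SingleSignOnService endpoint left after filtering")
    return {"entityid": entity_id, "SingleSignOnService": endpoints}


def is_idp_metadata(xml_text: str) -> bool:
    """True only if the text would be accepted by parse_idp_metadata."""
    try:
        parse_idp_metadata(xml_text)
        return True
    except MetadataError:
        return False
```

Running is_idp_metadata over the bytes file_get_contents returned, before calling the SimpleSAMLphp parser, turns the opaque backtrace at the top of this thread into a one-line diagnosis.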
It seems like there is an error in the configuration you have done in SimpleSAMLphp. Can you please provide the configuration you have done inside the saml-autoconfig.php file as well as in config.php?
I'm trying to understand this Login example.
There is a procedure called "checkWithServerIfSessionIdIsStillLegal".
I am wondering how the server can validate whether a session is still valid, because the session id is always different when the user closes the browser.
Can someone explain to me how this works?
By setting the session id as a cookie in onModuleLoad (when the user logs in) and checking it again when the user accesses the login page.
String sessionID = result.getSessionId();
final long DURATION = 1000 * 60 * 60 * 24 * 1;   // one day, in milliseconds
Date expires = new Date(System.currentTimeMillis() + DURATION);
// Cookies.setCookie(name, value, expires, domain, path, secure): an expiry date makes the
// cookie persistent, so the same session id is still there after the browser is closed
Cookies.setCookie("sid", sessionID, expires, null, "/", false);
Here is the complete implementation of checkWithServerIfSessionIdIsStillLegal(), which you are referring to.
Take a look at the following link.
Cannot use same cookie for multiple GWT applications
This might solve your problem.
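What the client-side check relies on is that the server keeps its own record for every session id it issued, so "still legal" means: known, not expired, not revoked. The Python below is an added example of that server half (it is not the GWT sample's code); the one-day lifetime mirrors DURATION in the snippet above, while the 30-minute idle timeout, the in-memory store and the cookie attributes are my own assumptions. The cookie helper also shows the flags a practitioner would want on a session cookie: the GWT call above passes secure=false and GWT's Cookies API cannot set HttpOnly, so a server-set Set-Cookie header is the better place to issue it.

```python
"""Server side of checkWithServerIfSessionIdIsStillLegal: an opaque session id in a cookie
is only meaningful while the server still holds a live record for it."""
import secrets
import time
from email.utils import formatdate

SESSION_TTL = 24 * 60 * 60      # absolute lifetime; same one day as DURATION in the GWT snippet
IDLE_TIMEOUT = 30 * 60          # assumption: additionally expire sessions unused for 30 minutes


class SessionStore:
    def __init__(self):
        self._sessions = {}     # sid -> record; a real deployment uses a DB/Redis, not a dict

    def create(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG; never derived from user data
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now, "revoked": False}
        return sid

    def is_still_legal(self, sid: str, now: float) -> bool:
        rec = self._sessions.get(sid)
        if rec is None or rec["revoked"]:
            return False
        if now - rec["created"] > SESSION_TTL or now - rec["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)       # lazy expiry on lookup
            return False
        rec["last_seen"] = now                  # sliding idle window
        return True

    def revoke(self, sid: str) -> None:
        """Logout or password change: the cookie may survive in the browser, the session does not."""
        if sid in self._sessions:
            self._sessions[sid]["revoked"] = True


def set_cookie_header(sid: str, now: float, secure: bool = True) -> str:
    """Server-side equivalent of Cookies.setCookie("sid", sid, expires, null, "/", false),
    with HttpOnly and SameSite added and Secure on by default."""
    expires = formatdate(now + SESSION_TTL, usegmt=True)
    parts = [f"sid={sid}", f"Expires={expires}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def demo_scenarios() -> dict:
    """Constructed timeline: fresh, unknown, idle-expired, revoked and absolutely expired sessions."""
    store, t0 = SessionStore(), 1_700_000_000.0
    sid = store.create("alice", t0)
    results = {"fresh": store.is_still_legal(sid, t0 + 60),
               "unknown": store.is_still_legal("bogus-sid", t0 + 60),
               "idle_expired": store.is_still_legal(sid, t0 + 60 + IDLE_TIMEOUT + 1)}
    revoked = store.create("bob", t0)
    store.revoke(revoked)
    results["revoked"] = store.is_still_legal(revoked, t0 + 1)
    old = store.create("carol", t0)
    results["absolute_expired"] = store.is_still_legal(old, t0 + SESSION_TTL + 1)
    return results


if __name__ == "__main__":
    print(demo_scenarios())
    print(set_cookie_header(SessionStore().create("alice", time.time()), time.time()))
```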
I want to use WatiN to verify the error message in a JavaScript alert box. Is this possible? Thanks.
See Trev's Blog and here as well.
using WatiN.Core;
using WatiN.Core.DialogHandlers;

using (IE ie = new IE("http://hostname/pagename.htm"))
{
    AlertDialogHandler alertDialogHandler = new AlertDialogHandler();
    using (new UseDialogOnce(ie.DialogWatcher, alertDialogHandler))
    {
        // Trigger the alert here with a "NoWait" call (e.g. ClickNoWait); a blocking
        // call would never return while the modal alert is open, so the code could
        // not go on to the next line.
        alertDialogHandler.WaitUntilExists();
        string message = alertDialogHandler.Message;   // the alert text to verify
        alertDialogHandler.OKButton.Click();
        ie.WaitForComplete();
    }
}