I want to extract CN from Kafka keystore.jks. This issue How to extract CN from X509Certificate in Java? can help you to extract CN from X509certificate, but it doesn't say how to extract from JKS and I spent a lot of time to get the right solution for my own question. I assume that my solution can help somebody to get the right answer faster. You should read keystore then convert to the X509 and take advantage of cryptacular lib (CertUtil.subjectCN). My code in Scala demonstrates this below.
That's my Scala code for extracting CN from JKS cert:
import org.cryptacular.util.CertUtil
import java.io.FileInputStream
import java.security.KeyStore
import java.security.cert.X509Certificate
....
val keystore = KeyStore.getInstance("JKS")
val keystoreLocation = new FileInputStream("your_path_to_the_certificate")
keystore.load(keystoreLocation, "your_password".toCharArray)
val aliases = keystore.aliases()
while (aliases.hasMoreElements) {
val alias = aliases.nextElement
logger.info("alias name: " + alias)
val certificate = keystore.getCertificate(alias).asInstanceOf[X509Certificate]
val CN = CertUtil.subjectCN(certificate)
logger.info("Common Name: " + CN)
}
Related
I have generated a private-public key pair using the web3j library.
ECKeyPair ecKeyPair = Keys.createEcKeyPair();
BigInteger publicKey = ecKeyPair.getPublicKey();
This returns an uncompressed form of the public key. I wanted to convert the same to a compressed format to generate the wallet using the below website.
https://lab.miguelmota.com/ethereum-public-key-to-address/example/
I know we can create the wallet directly using the Keypair, but I need this to work on the above website when I paste the public key.
I am using web3j version 5.0.0, and there is no built-in method to compress the public key.
Are there any other libraries or methods we can use to achieve the same
Try this for compressed public key - info from here
DeterministicSeed seed = new DeterministicSeed("some seed code here", null, "", 1409478661L);
DeterministicKeyChain chain = DeterministicKeyChain.builder().seed(seed).build();
DeterministicKey addrKey = chain.getKeyByPath(HDUtils.parsePath("M/44H/60H/0H/0/0"), true);
System.out.println("Address: " + Keys.getAddress(Sign.publicKeyFromPrivate(addrKey.getPrivKey()))); // mapper();
System.out.println("Uncompressed public key: " + Sign.publicKeyFromPrivate(addrKey.getPrivKey()).toString(16));
System.out.println("Compressed key: " + addrKey.getPublicKeyAsHex());
-- Output --
Address: 97f2582fec180600268ebae9a0052e676d876c27
Uncompressed public key: 37efe8e46dc39bee0f099871de99fe68a931730c02ef2918f832f30572b3f1a54f8d52fcaea129e31ac836063e2c432aac815cb86664165d1a226fe51a851d47
Compressed key: 0337efe8e46dc39bee0f099871de99fe68a931730c02ef2918f832f30572b3f1a5
Dependencies are as follows:
import org.bitcoinj.crypto.DeterministicKey;
import org.bitcoinj.crypto.HDUtils;
import org.bitcoinj.wallet.DeterministicKeyChain;
import org.bitcoinj.wallet.DeterministicSeed;
import org.bitcoinj.wallet.UnreadableWalletException;
import org.mapstruct.AfterMapping;
import org.web3j.crypto.ECKeyPair;
import org.web3j.crypto.Keys;
import org.web3j.crypto.Sign;
<dependency>
<groupId>org.web3j</groupId>
<artifactId>crypto</artifactId>
<version>3.3.1-android</version>
</dependency>
<dependency>
<groupId>org.bitcoinj</groupId>
<artifactId>bitcoinj-core</artifactId>
<version>0.16.2</version>
</dependency>
It is possible to generate a valid legacy bitcoin key pair with the following code which is using bitcoinj master branch:
import org.bitcoinj.core.Address;
import org.bitcoinj.core.DumpedPrivateKey;
import org.bitcoinj.core.ECKey;
import org.bitcoinj.core.NetworkParameters;
public class GeneratePrivateKeyBulk {
public static void main(String[] args) {
ECKey key = new ECKey();
Address pubAddress = new Address(NetworkParameters.prodNet(), key.getPubKeyHash());
DumpedPrivateKey privKey = key.getPrivateKeyEncoded(NetworkParameters.prodNet());
System.out.println("Public address: " + pubAddress.toBase58() + "; Private key: " + privKey.toBase58());
}
}
This creates a usable legacy base58 encoded public address and private key e.g. like 1ERzRYYdbibaQt2kuNfgH8spuoqQxYkwQb, L3AuZ2vNt11ac2xSi6AYwzXyftqSVPcSuHNdTsSuRfknXvoRtWzF correspondingly.
The question is how can I do the same operation to obtain a segwit key pair?
I looked at the bitcoinj docs but could not find any API for generating addresses directly as segwit.
By looking at the tests and the segwit pull request I found that the following code (appended to the code above) would produce a segwit address (i.e. one that starts with 3, e.g. 31uLnxKteEYa2u1vgWyVPkTpVfUGduCV82)
Script script = ScriptBuilder.createP2SHOutputScript(1, Collections.singletonList(key));
Address segwitAddress = Address.fromP2SHScript(NetworkParameters.prodNet(), script);
System.out.println("Segwit address: " + segwitAddress.toBase58());
My understanding is that the code above is supposed to be used in a multisig scenario, therefore I am not sure if this is the correct way to derive a segwit address from a single private key. Is this the correct/reliable/safe code for generating a paper segwit wallet?
Also, is there a way to add BIP38 password protection to the private key using bitcoinj? The class BIP38PrivateKey only has methods for decrypting a BIP38 key from an existing base58 representation, but no methods for BIP38 password encryption.
I am trying to read AWS parameters from the parameter store using java, i have created the parameters using a custom encryption key. I dont see a sample code in the internet where its using a custom KMS key , the below is the code i currently have which is working (here we are usingthe default KMS key).
AWSSimpleSystemsManagement client= AWSSimpleSystemsManagementClientBuilder.defaultClient();
GetParametersRequest request= new GetParametersRequest();
request.withNames("test.username","test.password")
.setWithDecryption(true);
This will give the results with default KMS key
Does anyone know how to handle this if we have a custom KMS key
just in case, if somebody looking for this (with Default encryption Key)
protected Parameter getParameterFromSSMByName(String parameterKey)
{
AWSCredentialsProvider credentials = InstanceProfileCredentialsProvider.getInstance();
AWSSimpleSystemsManagement simpleSystemsManagementClient = (AWSSimpleSystemsManagement)((AWSSimpleSystemsManagementClientBuilder)((AWSSimpleSystemsManagementClientBuilder)AWSSimpleSystemsManagementClientBuilder.standard().withCredentials(credentials)).withRegion("us-east-1")).build();
GetParameterRequest parameterRequest = new GetParameterRequest();
parameterRequest.withName(parameterKey).setWithDecryption(Boolean.valueOf(true));
GetParameterResult parameterResult = simpleSystemsManagementClient.getParameter(parameterRequest);
return parameterResult.getParameter();
}
Here is #Extreme's answer as a class with imports and a bit of cleanup:
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.InstanceProfileCredentialsProvider;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagement;
import com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClientBuilder;
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterRequest;
import com.amazonaws.services.simplesystemsmanagement.model.GetParameterResult;
public class AWSSsmHelper
{
private AWSCredentialsProvider credentials = InstanceProfileCredentialsProvider.getInstance();
private AWSSimpleSystemsManagement simpleSystemsManagementClient =
AWSSimpleSystemsManagementClientBuilder.standard().withCredentials(credentials)).withRegion("us-east-1")).build();
public String getParameterFromSSMByName(String parameterKey) {
GetParameterRequest parameterRequest = new GetParameterRequest();
parameterRequest.withName(parameterKey).setWithDecryption(Boolean.valueOf(true));
GetParameterResult parameterResult = simpleSystemsManagementClient.getParameter(parameterRequest);
return parameterResult.getParameter().getValue();
}
}
For GetParameters API, there's no difference between use default KMS key or custom KMS key. It always works like your code. Just make sure the permission for the credential includes the custom key.
The difference only at PutParameter API, when using a default KMS key, you don't need to specify it, when using a custom KMS key, you set its KeyId to the custom key. The KeyId can be one of following examples:
Key ARN Example arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Alias ARN Example - arn:aws:kms:us-east-1:123456789012:alias/MyAliasName
Globally Unique Key ID Example - 12345678-1234-1234-1234-123456789012
Alias Name Example - alias/MyAliasName
The authorization schema of my REST API includes a HTTP header like this:
"Authorization: MyAuth: JWT_VALUE:207112ade53c795df43ce38e5251b41ded1791aa"
JWT_VALUE is a standard Json Web Token that also contains the encrypted API key as a custom claim. The second part after the colon is a signature generated by the client like this:
<script src='lib/hmac-sha1.js' type='text/javascript'></script>
...
var token = ...
var signature = CryptoJS.HmacSHA1(token + httpMethod + requestUrl + requestBody), apiKey);
headers["Authorization"] = "MyAuth " + token + ":" + signature;
The problem is that I'm unable to generate the same signature on the server; here is my Scala code:
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import org.apache.commons.codec.binary.Base64
...
val data = token + request.method + request.uri + request.body.asInstanceOf[AnyContent].asJson.getOrElse("")
val secret = ... // extract api key from token and decrypt it with app secret key
val singed = sign(data, secret)
if (signed != request.signature) {
// error
...
}
...
def sign(data: String, secret: String): String = {
val mac = Mac.getInstance("HmacSHA1")
mac.init(new SecretKeySpec(secret.getBytes("UTF-8"), "HmacSHA1"))
Base64.encodeBase64String(mac.doFinal(data))
}
Here is an example of what I get in my debugging sessions:
Incoming request signed by the server =========> um/TemuwSzboWD1D4kLRnFD6Sxk=
Signature generated by the client =============> 1c0567113a6bcc9f3715b83182d62e11aff52cec
As you can see the signature generated by the server with javax.crypto.Mac is shorter than the one generated by the client with CryptoJs.
As stated by Pavel, the problem was I used an HEX representation on the client and a BASE64 representation on the server. To fix the problem I just modified the client like this:
<script src='lib/hmac-sha1.js' type='text/javascript'></script>
<script src='lib/enc-base64-min.js' type='text/javascript'></script>
...
var token = ...
var signature = CryptoJS.HmacSHA1(token + httpMethod + requestUrl + requestBody), apiKey).toString(CryptoJS.enc.Base64);
headers["Authorization"] = "MyAuth " + token + ":" + signature;
;
Many thanks to Pavel.
Can't seem to create a functional way to insert a user from Java for Devise. Currently there are these fields:
"_id",
"access_level",
"confirmation_sent_at",
"confirmation_token",
"confirmed_at",
"email",
"encrypted_password",
"sign_in_count"
I am able to insert a document that counts as a user. The problem is that when I go to:
http://www.mysite.com:3000/users/confirmation?confirmation_token=TOKENHERE
I get a message saying that it's invalid.
EDIT 1:
When I resend confirmation instructions for this user (WHICH GENERATES A NEW TOKEN), the user can be logged into. This confirms my doubts about the token being the problem. How can I port Devise's token generator to Java?
EDIT 2:
When I register on site, it says I should check for a confirmation link. However, if I go into the Mongo shell, manually take out the confirmation token and paste it to site.com/users/confirmation?confirmation_token= then it doesn't work! However, if I actually use the confirmation link I was sent, it works. How can I make a VALID token, all from Java. Please help!
For this quoestion you should refer to this stackoverflow answer and to the Rails API of protect_from_forgery.
The short answer is to disable forgery protection in your controller, but this makes your application vulnerable to CSRF attacks:
skip_before_action :verify_authenticity_token
The better way would be to authenticate with a JSON or XML request as these requests are not protected by CSRF protection. You can find a solution for devise here.
Edit
Monkey patch devise to save unencoded confirmation token. In your config/initializers/devise.rb
module Devise
module Models
module Confirmable
def generate_confirmation_token
raw, enc = Devise.token_generator.generate(self.class, :confirmation_token)
#raw_confirmation_token = raw
self.my_unencoded_column = raw # Patch
self.confirmation_token = enc
self.confirmation_sent_at = Time.now.utc
end
end
end
end
In case anyone else finds themselves trying to get a java or scala app to coexist with a rails app, I hacked up the following. Its in scala but uses java apis so should be easy to read. As far as I can tell it replicates Devise's behavior, and if I hit the confirmation link in the rails app with the raw token rails/devise generates the same encoded string.
import java.security.spec.KeySpec
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec
import javax.crypto.Mac
import javax.xml.bind.DatatypeConverter
import java.util.Base64
// copy functionality from Rails Devise
object TokenGenerator {
// sample values 9exithzwZ8P9meqdVs3K => 54364224169895883e87c8412be5874039b470e26e762cb3ddc37c0bdcf014f5
// 5zNMi6egbyPoDUy2t3NY => 75bd5d53aa36d3fc61ac186b4c6e2be8353e6b39536d3cf846719284e05474ca
private val deviseSecret = sys.env("DEVISE_SECRET")
private val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
val encoder = Base64.getUrlEncoder()
case class TokenInfo(raw: String, encoded: String)
def createConfirmationToken: TokenInfo = {
// copy behavior from rails world. Don't know why it does this
val replacements = Map('l' -> "s", 'I' -> "x", 'O' -> "y", '0' -> "z")
// make a raw key of 20 chars, doesn't seem to matter what they are, just need url valid set
val bytes = new Array[Byte](16)
scala.util.Random.nextBytes(bytes)
val raw = encoder.encodeToString(bytes).take(20).foldLeft(""){(acc, x) => acc ++ replacements.get(x).getOrElse(x.toString)}
TokenInfo(raw, digestForConfirmationToken(raw))
}
private def generateKey(salt: String): Array[Byte] = {
val iter = 65536
val keySize = 512
val spec = new PBEKeySpec(deviseSecret.toCharArray, salt.getBytes("UTF-8"), iter, keySize)
val sk = factory.generateSecret(spec)
val skspec = new SecretKeySpec(sk.getEncoded, "AES")
skspec.getEncoded
}
def sha256HexDigest(s: String, key: Array[Byte]): String = {
val mac = Mac.getInstance("HmacSHA256")
val keySpec = new SecretKeySpec(key, "RAW")
mac.init(keySpec)
val result: Array[Byte] = mac.doFinal(s.getBytes())
DatatypeConverter.printHexBinary(result).toLowerCase
}
private def getDigest(raw: String, salt: String) = sha256HexDigest(raw, generateKey(salt))
// devise uses salt "Devise #{column}", in this case its confirmation_token
def digestForConfirmationToken(raw: String) = getDigest(raw, "Devise confirmation_token")
}