I am implementing something similar to : https://login.microsoftonline.com/common/discovery/v2.0/keys
Spring boot JWT application which generate and validate JWT token.
I will generate many public/private keys (I do not want to generate all tokens with one key. One keys pair will be generate token with shorter life time, second will generate longer...)
I will create endpoint /keys with public keys. The question is : How to connect proper public key with private key in my application to validate it?
And the second one : How to generate keys like above (with fields like kty":"RSA","use":"sig", kid...) Is there any pattern to do it?
How to generate keys like above (with fields like "kty": "RSA", "use": "sig", "kid"...) Is there any pattern to do it?
It's a standard called JSON Web Key (JWK), defined in the RFC 7517, which defines a data structure that represents a cryptographic key in JSON.
In Java, you can use Nimbus JOSE + JWT, which supports JWK with RSA keys.
How to connect proper public key with private key in my application to validate it?
You can use the kid header claim in your token: It's is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.
Once a signed JWT is a JWS, consider the definition from the RFC 7515:
4.1.4. "kid" (Key ID) Header Parameter
The kid (key ID) Header Parameter is a hint indicating which key
was used to secure the JWS. This parameter allows originators to
explicitly signal a change of key to recipients. The structure of the
kid value is unspecified. Its value MUST be a case-sensitive
string. Use of this Header Parameter is OPTIONAL.
When used with a JWK, the kid value is used to match a JWK kid
parameter value.
Related
In my request body I have property field names with "_" So I used #JsonProperty and mapped to camelCase names.
But the problem is I need to authenticate the request based on the hashed string value coming in header. This the initial request hash sha512 with a key.
But in my case since I used #JsonProperty, a field for which initial name is currency_received is deserialized to currencyReceived
#JsonProperty("currency_received")
private CurrencyReceived currencyReceived;
And I try to get the hashed value of request using
String reqObj = gson.toJson(req);
String hashVal = HashGeneratorUtils.generateHmacSHA512(reqObj, pvt_key);
the hashVal will never be same as the value coming in header hashed with original request.
So, what is the ideal way to solve this problem.
I'm trying to update a field of my user DTO, but every time I update by doing userService.save(user), my login credentials become invalid in the database, because when I first get the user I get the encrypted password in the password field of my DTO, and when I save the user again I'm re-encrypting the encrypted password making the password different than before.
How can I go about fixing this? Should I decrypt the password when I first query the database in my user service? Is that safe?
Edit : found out you can't decode the password (I'm using BCryptPasswordEncoder) anyways. Is there a way to update all my fields without affecting the password?
Have you tried to update only the column without saving the entire entity?
There is an example of how to create such a query in the Spring Data JPA documentation:
https://docs.spring.io/spring-data/jpa/docs/2.1.1.RELEASE/reference/html/#jpa.modifying-queries
Addition:
If there is a way to save only the password without re-encrypting it? If so, you could perhaps try to:
- Obtain the encrypted password.
- Update the user entity (resulting in the encrypted password being encrypted a second time).
- Overwrite only the password in the user with the encrypted password obtained in step 1.
You should use entity listeners.
Look here https://www.concretepage.com/java/jpa/jpa-entitylisteners-example-with-callbacks-prepersist-postpersist-postload-preupdate-postupdate-preremove-postremove
Create entity listener class, implement preUpdate method.
You should inject applicationContext into class. You can find bean "passwordEncoder". Spring use it to encode password.
In pre update method you get your raw password, create encoded version like
passwordEncoder.encode(password) and set it back to the entity.
I'am writing a software for the data-synchronization of a custom software and sugarCRM. Therefore I need an updateOrCreate() function. My Problem is, that the custom software uses other uuid´s than sugarCRM so i can´t look for the uuid to check on update or create.So I want to save the custom-uuid in a custom field of sugarCRM.
But i have no idea how to do that over the REST-API of sugarCRM.
By the way I wrote a java-application.
Thank you for help!
As far as I'm aware there is no update-or-create API (see https://your-sugarsite/rest/v10/help), howewer if you just want to use the API (rather than customize it) you could sync data like this:
1) Fetch all ids of records that have a custom uuid by using the POST /rest/v10/<module>/filter endpoint and a payload similar to:
{
offset: 0,
max_num: 1000,
fields: ["id", "custom_uuid_c"],
filter: [{"custom_uuid_c": {"$not_empty": ""}}],
]
}
or if you just need a specific custom uuid at a time:
{
offset: 0,
max_num: 1000,
fields: ["id"],
filter: [{"custom_uuid_c": {"$equals": "example-custom-uuid"}}],
]
}
The response will look something like this:
{
next_offset: -1,
records: [
{"id": "example-sugar-uuid", "custom_uuid_c": "example-custom-uuid"},
...
],
}
Notes:
Make sure to evaluate next_offset as even with a high max_num you may not get all records at once because of server limits. As long as next_offset isn't -1 you should use its value as offset in a new request to get the remaining records.
You can supply all field names you need to sync in the fields array, so that you get that information early and can check whether or not an update is required at all (maybe data is still up-to-date?)
Sugar also always include certain fields in the response, no matter if they were requested or not. (E.g. id and date_modified). I did not include them all in the response snippets for the sake of simplicity.
2)
Based on the information received in the previous step you know which sugar ID belongs to which custom UUID and you can detect/prepare data for updates.
If you need to sync all and retrieve the complete list first, I suggest you create a lookup table custom-uuid => sugar-id, so that you do not have to loop through the data array and compare fields when looking for a specific number.Don't forget to consider the possibility of a custom-uuid being present in one than more Sugar-record at a time, unless you enforce them being unique on the server/database side.
3)
Now that you have all the information you need you can update and create records as needed:
Update existing record: PUT /rest/v10/<module>/<record_id>
Create missing record: POST /rest/v10/<module>
If want to send a lot of creates and/or updates in a single request, have a look at the POST /rest/v10/bulk API - if your version of Sugar has it.
Final notes:
The filter operators definition on /rest/v10/help seems incomplete, for more info you can check the filter docs
I'm working with the low-level datastore API. I've created an entity like this:
Entity entity = new Entity("Error");
entity.setProperty("description", "foo");
In the datastore viewer, I ses this:
Key Write Ops ID/Name description
----------------------------------------------
ahN0c... 4 259 foo
So the ID/Name field will be generated for me automatically since I'm not supplying anything in the Entity constructor. It generates an "ID" instead of a "Name", which is a number rather than an opaque string (like the "Key" value).
Is there a way to have the datastore generate a random "Name" instead of an "ID" for the Entity's "ID/Name" field?
I ask because if I share this ID with third parties, they could start to figure out roughly how many Error instances I have in my system. I'd rather give them an opaque string for the lookup ID, similar to what's in the auto-generated "Key" field. But I don't see a way to do this.
Thanks
For a similar task I used UUID to create a random string.
String uuid = UUID.randomUUID().toString();
You can use com.google.appengine.api.datastore.KeyFactory, combining the answer from #Devolus, it would look like
final Key key = KeyFactory.createKey("Error", UUID.randomUUID().toString());
final Entity e = new Entity(key);
You could even pass around the String representation of your Entitie's key via KeyFactory.keyToString(key) , may be after an encrypting depending on your security needs.
We have requirement to get the "public key of an x509 certificate" in out project. We are using x509Certificate.getPublicKey() API to get the byte[] and then calculating the hexadecimal form of it. For example public key in hexadecimal form of a certificate calculated in java is following
30820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001
But when we double click the certificate and see value of public key in details tab, it is following:
3082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001
What we have found is that the value calculated by JAVA api has extra 44 characters in the begining and the from the 45th character the data is same as value calculated by windows.
can any body please help me to identify how to calculated the public key of a certificate which same as calculated by windows.
Thank You.
In a X509 certificate the public key is encoded into an ASN.1 structure called SubjectPublicKeyInfo which looks like this:
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
The algorithm field identifies the kind of key (RSA, DSA, Diffie Hellman...) and the bit string contains the public key data encoded into a structure which depends on the key type.
In your case the first byte[] contains all data of the SubjectPublicKeyInfo including the top level SEQUENCE tag, the length and the algorithm field and the subjectPublicKey field.
The second byte[] only contains the second field (i.e the BIT STRING). In your example this is a RSA public key encoded with this structure:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER } -- e