Develop Reference

How to disable weak ciphers and client renegotiation in Play 2.5.x (Scala)

I am using Play 2.5.x (Scala). The default server is Netty. I can't find a way to disable some (weak) specific ciphers as well as client renegotiation.
The Play doc refers to JSSE settings:
https://www.playframework.com/documentation/2.3.x/ConfiguringHttps
How do I use these JSSE settings in a config file ? Or is there a different way to achieve this ?

As described in the documentation, create a properties file (let's call it jvm.security.properties) that looks something like the following:
jdk.tls.disabledAlgorithms=EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048
jdk.tls.rejectClientInitiatedRenegotiation=true
jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048
Then start up the JVM with that properties file:
java -Djava.security.properties=jvm.security.properties

JCE - how to find the active Cryptographic Service Provider(s)

As I see the document, there are multiple providers for JCE. How can I find out the provider(s) that are available by default?

Call Security.getProviders(), e.g.
for (Provider provider : Security.getProviders())
System.out.printf("%-11s %s%n", provider.getName(), provider.getInfo());
Output on my Oracle Java 9.0.1 on Windows:
SUN SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
SunRsaSign Sun RSA signature provider
SunEC Sun Elliptic Curve provider (EC, ECDSA, ECDH)
SunJSSE Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/DTLSv1.0/DTLSv1.2)
SunJCE SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC)
SunJGSS Sun (Kerberos v5, SPNEGO)
SunSASL Sun SASL provider(implements client mechanisms for: DIGEST-MD5, EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, CRAM-MD5, NTLM)
XMLDSig XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory; C14N 1.0, C14N 1.1, Exclusive C14N, Base64, Enveloped, XPath, XPath2, XSLT TransformServices)
SunPCSC Sun PC/SC provider
JdkLDAP JdkLDAP Provider (implements LDAP CertStore)
JdkSASL JDK SASL provider(implements client and server mechanisms for GSSAPI)
SunMSCAPI Sun's Microsoft Crypto API provider
SunPKCS11 Unconfigured and unusable PKCS11 provider
If you want to see the services each provider provides, try this:
for (Provider provider : Security.getProviders()) {
System.out.printf("%-11s %s%n", provider.getName(), provider.getInfo());
for (Service service : provider.getServices())
System.out.printf(" %s: %s%n", service.getType(), service.getAlgorithm());
}
Output
SUN SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; PKCS12, JKS & DKS keystores; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores, JavaPolicy Policy; JavaLoginConfig Configuration)
SecureRandom: DRBG
SecureRandom: SHA1PRNG
Signature: SHA1withDSA
Signature: NONEwithDSA
Signature: SHA224withDSA
Signature: SHA256withDSA
Signature: SHA1withDSAinP1363Format
Signature: NONEwithDSAinP1363Format
Signature: SHA224withDSAinP1363Format
Signature: SHA256withDSAinP1363Format
KeyPairGenerator: DSA
MessageDigest: MD2
MessageDigest: MD5
MessageDigest: SHA
MessageDigest: SHA-224
MessageDigest: SHA-256
MessageDigest: SHA-384
MessageDigest: SHA-512
MessageDigest: SHA-512/224
MessageDigest: SHA-512/256
MessageDigest: SHA3-224
MessageDigest: SHA3-256
MessageDigest: SHA3-384
MessageDigest: SHA3-512
AlgorithmParameterGenerator: DSA
AlgorithmParameters: DSA
KeyFactory: DSA
CertificateFactory: X.509
KeyStore: PKCS12
KeyStore: JKS
KeyStore: CaseExactJKS
KeyStore: DKS
Policy: JavaPolicy
Configuration: JavaLoginConfig
CertPathBuilder: PKIX
CertPathValidator: PKIX
CertStore: Collection
CertStore: com.sun.security.IndexedCollection
SunRsaSign Sun RSA signature provider
KeyFactory: RSA
KeyPairGenerator: RSA
Signature: MD2withRSA
Signature: MD5withRSA
Signature: SHA1withRSA
Signature: SHA224withRSA
Signature: SHA256withRSA
Signature: SHA384withRSA
Signature: SHA512withRSA
SunEC Sun Elliptic Curve provider (EC, ECDSA, ECDH)
KeyFactory: EC
AlgorithmParameters: EC
Signature: NONEwithECDSA
Signature: SHA1withECDSA
Signature: SHA224withECDSA
Signature: SHA256withECDSA
Signature: SHA384withECDSA
Signature: SHA512withECDSA
Signature: NONEwithECDSAinP1363Format
Signature: SHA1withECDSAinP1363Format
Signature: SHA224withECDSAinP1363Format
Signature: SHA256withECDSAinP1363Format
Signature: SHA384withECDSAinP1363Format
Signature: SHA512withECDSAinP1363Format
KeyPairGenerator: EC
KeyAgreement: ECDH
SunJSSE Sun JSSE provider(PKCS12, SunX509/PKIX key/trust factories, SSLv3/TLSv1/TLSv1.1/TLSv1.2/DTLSv1.0/DTLSv1.2)
KeyFactory: RSA
KeyPairGenerator: RSA
Signature: MD2withRSA
Signature: MD5withRSA
Signature: SHA1withRSA
Signature: MD5andSHA1withRSA
KeyManagerFactory: SunX509
KeyManagerFactory: NewSunX509
TrustManagerFactory: SunX509
TrustManagerFactory: PKIX
SSLContext: TLSv1
SSLContext: TLSv1.1
SSLContext: TLSv1.2
SSLContext: TLS
SSLContext: DTLSv1.0
SSLContext: DTLSv1.2
SSLContext: DTLS
SSLContext: Default
KeyStore: PKCS12
SunJCE SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC)
Cipher: RSA
Cipher: DES
Cipher: DESede
Cipher: DESedeWrap
Cipher: PBEWithMD5AndDES
Cipher: PBEWithMD5AndTripleDES
Cipher: PBEWithSHA1AndDESede
Cipher: PBEWithSHA1AndRC2_40
Cipher: PBEWithSHA1AndRC2_128
Cipher: PBEWithSHA1AndRC4_40
Cipher: PBEWithSHA1AndRC4_128
Cipher: PBEWithHmacSHA1AndAES_128
Cipher: PBEWithHmacSHA224AndAES_128
Cipher: PBEWithHmacSHA256AndAES_128
Cipher: PBEWithHmacSHA384AndAES_128
Cipher: PBEWithHmacSHA512AndAES_128
Cipher: PBEWithHmacSHA1AndAES_256
Cipher: PBEWithHmacSHA224AndAES_256
Cipher: PBEWithHmacSHA256AndAES_256
Cipher: PBEWithHmacSHA384AndAES_256
Cipher: PBEWithHmacSHA512AndAES_256
Cipher: Blowfish
Cipher: AES
Cipher: AES_128/ECB/NoPadding
Cipher: AES_128/CBC/NoPadding
Cipher: AES_128/OFB/NoPadding
Cipher: AES_128/CFB/NoPadding
Cipher: AES_128/GCM/NoPadding
Cipher: AES_192/ECB/NoPadding
Cipher: AES_192/CBC/NoPadding
Cipher: AES_192/OFB/NoPadding
Cipher: AES_192/CFB/NoPadding
Cipher: AES_192/GCM/NoPadding
Cipher: AES_256/ECB/NoPadding
Cipher: AES_256/CBC/NoPadding
Cipher: AES_256/OFB/NoPadding
Cipher: AES_256/CFB/NoPadding
Cipher: AES_256/GCM/NoPadding
Cipher: AESWrap
Cipher: AESWrap_128
Cipher: AESWrap_192
Cipher: AESWrap_256
Cipher: RC2
Cipher: ARCFOUR
KeyGenerator: DES
KeyGenerator: DESede
KeyGenerator: Blowfish
KeyGenerator: AES
KeyGenerator: RC2
KeyGenerator: ARCFOUR
KeyGenerator: HmacMD5
KeyGenerator: HmacSHA1
KeyGenerator: HmacSHA224
KeyGenerator: HmacSHA256
KeyGenerator: HmacSHA384
KeyGenerator: HmacSHA512
KeyPairGenerator: DiffieHellman
AlgorithmParameterGenerator: DiffieHellman
KeyAgreement: DiffieHellman
AlgorithmParameters: DiffieHellman
AlgorithmParameters: DES
AlgorithmParameters: DESede
AlgorithmParameters: PBE
AlgorithmParameters: PBEWithMD5AndDES
AlgorithmParameters: PBEWithMD5AndTripleDES
AlgorithmParameters: PBEWithSHA1AndDESede
AlgorithmParameters: PBEWithSHA1AndRC2_40
AlgorithmParameters: PBEWithSHA1AndRC2_128
AlgorithmParameters: PBEWithSHA1AndRC4_40
AlgorithmParameters: PBEWithSHA1AndRC4_128
AlgorithmParameters: PBES2
AlgorithmParameters: PBEWithHmacSHA1AndAES_128
AlgorithmParameters: PBEWithHmacSHA224AndAES_128
AlgorithmParameters: PBEWithHmacSHA256AndAES_128
AlgorithmParameters: PBEWithHmacSHA384AndAES_128
AlgorithmParameters: PBEWithHmacSHA512AndAES_128
AlgorithmParameters: PBEWithHmacSHA1AndAES_256
AlgorithmParameters: PBEWithHmacSHA224AndAES_256
AlgorithmParameters: PBEWithHmacSHA256AndAES_256
AlgorithmParameters: PBEWithHmacSHA384AndAES_256
AlgorithmParameters: PBEWithHmacSHA512AndAES_256
AlgorithmParameters: Blowfish
AlgorithmParameters: AES
AlgorithmParameters: GCM
AlgorithmParameters: RC2
AlgorithmParameters: OAEP
KeyFactory: DiffieHellman
SecretKeyFactory: DES
SecretKeyFactory: DESede
SecretKeyFactory: PBEWithMD5AndDES
SecretKeyFactory: PBEWithMD5AndTripleDES
SecretKeyFactory: PBEWithSHA1AndDESede
SecretKeyFactory: PBEWithSHA1AndRC2_40
SecretKeyFactory: PBEWithSHA1AndRC2_128
SecretKeyFactory: PBEWithSHA1AndRC4_40
SecretKeyFactory: PBEWithSHA1AndRC4_128
SecretKeyFactory: PBEWithHmacSHA1AndAES_128
SecretKeyFactory: PBEWithHmacSHA224AndAES_128
SecretKeyFactory: PBEWithHmacSHA256AndAES_128
SecretKeyFactory: PBEWithHmacSHA384AndAES_128
SecretKeyFactory: PBEWithHmacSHA512AndAES_128
SecretKeyFactory: PBEWithHmacSHA1AndAES_256
SecretKeyFactory: PBEWithHmacSHA224AndAES_256
SecretKeyFactory: PBEWithHmacSHA256AndAES_256
SecretKeyFactory: PBEWithHmacSHA384AndAES_256
SecretKeyFactory: PBEWithHmacSHA512AndAES_256
SecretKeyFactory: PBKDF2WithHmacSHA1
SecretKeyFactory: PBKDF2WithHmacSHA224
SecretKeyFactory: PBKDF2WithHmacSHA256
SecretKeyFactory: PBKDF2WithHmacSHA384
SecretKeyFactory: PBKDF2WithHmacSHA512
Mac: HmacMD5
Mac: HmacSHA1
Mac: HmacSHA224
Mac: HmacSHA256
Mac: HmacSHA384
Mac: HmacSHA512
Mac: HmacSHA512/224
Mac: HmacSHA512/256
Mac: HmacPBESHA1
Mac: PBEWithHmacSHA1
Mac: PBEWithHmacSHA224
Mac: PBEWithHmacSHA256
Mac: PBEWithHmacSHA384
Mac: PBEWithHmacSHA512
Mac: SslMacMD5
Mac: SslMacSHA1
KeyStore: JCEKS
KeyGenerator: SunTlsPrf
KeyGenerator: SunTls12Prf
KeyGenerator: SunTlsMasterSecret
KeyGenerator: SunTlsKeyMaterial
KeyGenerator: SunTlsRsaPremasterSecret
SunJGSS Sun (Kerberos v5, SPNEGO)
GssApiMechanism: 1.2.840.113554.1.2.2
GssApiMechanism: 1.3.6.1.5.5.2
SunSASL Sun SASL provider(implements client mechanisms for: DIGEST-MD5, EXTERNAL, PLAIN, CRAM-MD5, NTLM; server mechanisms for: DIGEST-MD5, CRAM-MD5, NTLM)
SaslClientFactory: DIGEST-MD5
SaslClientFactory: NTLM
SaslClientFactory: EXTERNAL
SaslClientFactory: PLAIN
SaslClientFactory: CRAM-MD5
SaslServerFactory: CRAM-MD5
SaslServerFactory: DIGEST-MD5
SaslServerFactory: NTLM
XMLDSig XMLDSig (DOM XMLSignatureFactory; DOM KeyInfoFactory; C14N 1.0, C14N 1.1, Exclusive C14N, Base64, Enveloped, XPath, XPath2, XSLT TransformServices)
XMLSignatureFactory: DOM
KeyInfoFactory: DOM
TransformService: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
TransformService: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
TransformService: http://www.w3.org/2006/12/xml-c14n11
TransformService: http://www.w3.org/2006/12/xml-c14n11#WithComments
TransformService: http://www.w3.org/2001/10/xml-exc-c14n#
TransformService: http://www.w3.org/2001/10/xml-exc-c14n#WithComments
TransformService: http://www.w3.org/2000/09/xmldsig#base64
TransformService: http://www.w3.org/2000/09/xmldsig#enveloped-signature
TransformService: http://www.w3.org/2002/06/xmldsig-filter2
TransformService: http://www.w3.org/TR/1999/REC-xpath-19991116
TransformService: http://www.w3.org/TR/1999/REC-xslt-19991116
SunPCSC Sun PC/SC provider
TerminalFactory: PC/SC
JdkLDAP JdkLDAP Provider (implements LDAP CertStore)
CertStore: LDAP
JdkSASL JDK SASL provider(implements client and server mechanisms for GSSAPI)
SaslClientFactory: GSSAPI
SaslServerFactory: GSSAPI
SunMSCAPI Sun's Microsoft Crypto API provider
SecureRandom: Windows-PRNG
KeyStore: Windows-MY
KeyStore: Windows-ROOT
Signature: NONEwithRSA
Signature: SHA1withRSA
Signature: SHA256withRSA
Signature: SHA384withRSA
Signature: SHA512withRSA
Signature: MD5withRSA
Signature: MD2withRSA
KeyPairGenerator: RSA
Cipher: RSA
Cipher: RSA/ECB/PKCS1Padding
SunPKCS11 Unconfigured and unusable PKCS11 provider

Dropwizard Client Certificate Authentication via HttpClient Key/Trust store

I am running a dropwizard server, and a client leveraging Apache HttpClient 4.5.1.
Given a single .pfx file that contains both the public and private keys, how would I structure my key/trust stores on both the server and client to accept/trust and pass the certificate for authentication purposes?
What I'm running into is the client trusts the provided server certificate, but
after the server hello that includes the certificate request per tls spec, my client is unable to find a suitable certificate to send back.
My first thought was to run the server with the keystore and truststore as the same pfx file, but java throws a null cert chain error when loading the pfx file as a trust store in the server. So I had to go through the process of creating a trust store manually.
Here are the general steps I thought would allow this entire process to succeed:
Run the server with the .pfx file, with a PKCS12 keystore type.
Extract the cert from the pfx file, and create a java trust store using the cert.
Run the server with the above clientCerts.jks file as the trust store
Run the client with a keystore set to the clientCerts.jks file
Run the client with a truststore set to the .pfx PKCS12 keystore.
These steps didn't work, and I've tried other less obvious permutations and none of them worked. Is there something blatantly wrong with the way I'm approaching this? Does anyone have any advice on actually getting it to work?
Lots of details below (including ssl debug logs)
PFX cert info:
(its a valid corporate signed cert, but I don't have the root CA as trusted anywhere, which is why I just create a trust store so I can trust the client cert).
$ openssl pkcs12 -info -in cert.pfx
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: xxx
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
xxx
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: my.domain.com
subject=/C=US/O=My Company/OU=Web Servers/CN=my.domain.com
issuer=/C=US/O=My Company
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
Java Trust store Creation:
//create pem file
openssl pkcs12 -in cert.pfx -out tempCert.crt -nokeys -clcerts
//convert to x509
openssl x509 -inform pem -in tempCert.crt -outform der -out tempx509Cert.cer
//create a java trust store
keytool -import -file tempx509Cert.cer -alias firstCA -keystore newJavaTrustStore.jks
Dropwizard Config:
applicationConnectors:
- type: https
port: 443
bindHost: localhost
keyStorePath: ./cert.pfx
keyStorePassword: pw
keyStoreType: PKCS12
trustStorePath: ./clientCerts.jks
trustStorePassword: pw
trustStoreType: JKS
supportedProtocols: [TLSv1, TLSv1.1, TLSv1.2]
excludedProtocols: [SSLv2Hello, SSLv3]
validateCerts: false
needClientAuth: true
wantClientAuth: true
HttpClient Config Values:
keyStorePath: ./clientCerts.jks
keyStorePassword: pw
keyStoreType: JKS
trustStorePath: ./cert.pfx
trustStorePassword: pw
trustStoreType: PKCS12
HttpClient Config:
public static CloseableHttpClient getSecurePooledHttpClient(
final String host,
final int port,
final boolean ssl,
final String keystorePath,
final String keystorePassword,
final String keystoreType,
final String trustStorePath,
final String trustStorePassword,
final String trustStoreType
) throws Exception {
//Setup the keystore that will hold the client certificate
KeyStore ks = KeyStore.getInstance(keystoreType);
ks.load(new FileInputStream(new File(keystorePath)),
keystorePassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, keystorePassword.toCharArray());
//Setup the Trust Store so we know what certificates
//we can trust that are hosting the service
KeyStore ts = KeyStore.getInstance((trustStoreType));
ts.load(new FileInputStream(new File(trustStorePath)),
trustStorePassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
//setup our SSL context to be TLSv1.2, then setup the key and trust manager.
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
//Register the socket factory so that it uses the ssl Context and key
// manager we created above
Registry<ConnectionSocketFactory> socketFactoryRegistry =
RegistryBuilder.<ConnectionSocketFactory>create()
.register("https", new SSLConnectionSocketFactory(sslContext,
NoopHostnameVerifier.INSTANCE))
.build();
//Define an overridden routeplanner that setups up our default host
// so all our later calls can simply be
//sub-routes.
HttpRoutePlanner routePlanner =
new DefaultRoutePlanner(DefaultSchemePortResolver.INSTANCE)
{
#Override
public HttpRoute determineRoute(
final HttpHost target,
final HttpRequest request,
final HttpContext context) throws HttpException {
return super.determineRoute(
target != null ? target : new HttpHost(host, port, ssl ? "https" : "http"),
request, context);
}
};
return BuildClientWithRoutePlanner(socketFactoryRegistry, routePlanner);
Client SSL debug:
...
*** ServerHello, TLSv1.2
RandomCookie: Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-7, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=my.domain.com, OU=Web Servers, O=My Company, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
.........
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=my.domain.com, OU=Web Servers, O=My Company, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
......
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Cert Authorities:
<CN=my.domain.com, OU=Web Servers, O=My Company, C=US>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

How do I read an sha1WithRSAEncryption public DER key in Java?

openssl x509 -inform DER -text
on my DER file gives the dump on the bottom of this question.
I try to read it with:
static PublicKey getCertKey() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
URL keyUrl = Resources.getResource(LManager.class, "iid.der");
byte[] keyBytes = Resources.toByteArray(keyUrl);
X509EncodedKeySpec spec = new X509EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA");
return kf.generatePublic(spec);
}
And I get:
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
....
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
at sun.security.x509.X509Key.decode(X509Key.java:397)
at sun.security.x509.X509Key.decode(X509Key.java:403)
at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:83)
at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
... 25 more
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a9:cb:e1:41:03:30:df:c5
Signature Algorithm: sha1WithRSAEncryption
Issuer: REDACTED
Validity
Not Before: Jun 5 14:28:02 2014 GMT
Not After : Jun 5 14:28:02 2024 GMT
Subject: REDACTED
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:87:bd:18:df:ff:49:12:b6:92:76:e3:c9:21:b4:
86:8d:f2:a9:03:37:7b:64:c3:85:63:bc:0f:67:bc:
f9:76:6a:72:4e:f9:e2:01:52:a3:df:40:6d:3d:91:
99:70:a5:6a:66:c8:ef:1b:18:1d:91:5a:a5:b1:0b:
0b:81:fd:d7:27:22:86:fa:c3:8d:b4:93:d5:98:e4:
2d:08:20:6b:43:44:d6:ae:37:79:2e:bc:65:e4:c3:
71:c4:9c:5d:04:8d:8a:f4:a5:cc:96:52:f0:72:59:
8e:0a:b3:06:55:e3:65:fb:63:b5:d2:4b:5d:e1:38:
87:0b:e8:d2:c0:f8:7f:78:fd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
25:D6:CC:08:15:CA:B6:F0:9C:59:DC:14:52:2C:EF:B5:41:76:51:38
X509v3 Authority Key Identifier:
keyid:25:D6:CC:08:15:CA:B6:F0:9C:59:DC:14:52:2C:EF:B5:41:76:51:38
DirName:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=ec2.amazonaws.com
serial:A9:CB:E1:41:03:30:DF:C5
X509v3 Basic Constraints:
CA:TRUE

First, openssl -inform DER -text is an error. The openssl program is a wrapper that runs one of a bunch of functions, identified by the first argument, which in this case must be x509, so openssl x509 -inform DER -text.
That's a clue. Your file is an X.509 certificate not (just) a public key. Certificates in general, and X.509 certificates in particular, contain a public key but that is not the same thing as being a public key.
Since your file is an X.509 certificate, use a CertificateFactory of type X.509 to read it. The pattern is similar: use a static .getInstance() method to get a factory then use .generateCertificate() to take some input, here a stream that reads the data (directly from the file, or from memory if you have it buffered), and generate a Certificate object. (Note java.security.cert.Certificate not the obsolete and deprecated java.security.Certificate -- some IDEs may not default to the good one.)
If you want to use the public key in the certificate for something like encrypting or verifying call .getPublicKey() on the Certificate. If you want to look at other information such as the subject name or extensions which are specific to X.509, cast the Certificate to X509Certificate (also in java.lang.security.cert) and use its additional methods.
Also: the certificate is signed with sha1withRSA. The publickey itself is an RSA key, and could be used for any RSA operation -- but since the cert claims this key belongs to a CA, the corresponding privatekey should be used only for signing certs and/or CRLs (controlled by KeyUsage if present, but it's not unless you've redacted it) and thus doing something with this publickey other than verifying those certs and/or CRLs is useless. And since the key is only 1024 bits, using a signing hash stronger than SHA1 would be wasted, except for the facts that RSA-1024 is already considered insecure (since early 2014) and using SHA1-RSA for certificates is considered at risk and prohibited after sometime next year.

Encryption and Decryption with X.509 public certificate

I want to encrypt my post payload with an X.509 certificate and the inherited public key. So far I have this java code to perform the encryption
private String encrypt(String str) throws Exception {
ClassPathResource classPathResource = new ClassPathResource("testcert1.crt");
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate)certificateFactory.generateCertificate(classPathResource.getInputStream());
PublicKey pk = certificate.getPublicKey();
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
cipher.init(Cipher.ENCRYPT_MODE, pk);
return Base64.encodeBase64String(cipher.doFinal(str.getBytes()));
}
which returns the base64 encoded string. From the endpoint I am always getting the result, that the certificate is not valid.
So I want to validate my encrypted string on the console using the openssl command, but failing to do so.
I can read out the certificate with: openssl x509 -in testcert1.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx
Validity
Not Before: Jul 24 11:40:39 2013 GMT
Not After : Jul 24 11:40:39 2015 GMT
Subject: C=xxx, ST=xxx, L=xxx, O=xxx, OU=xxx, CN=xxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
....
Exponent: 65537 (0x10001)
But I cannot figure out the command lines to encrypt/decrypt a text file using that certificate

You can validate your encrypted string using openssl with the following command:
echo -n 'string to encrypt' | openssl rsautl -encrypt -certin -inkey testcert1.crt | base64

As you are using asymmetric cryptography, if you encrypt using the public key of your certificate, you can only decrypt using the corresponding private key. Make sure you have that key and use it for decryption.