Hi, I am trying a simple SFTP transfer, but I'm getting an error while establishing the connection. I am using the maverick-legacy-client-all jar available at
https://www.sshtools.com/en/products/java-ssh-client. This code was working fine with release 1.6.9 but it failed when I updated it to 1.6.17.
I also tried going through their jar changes doc; there were a few notes relating to my exception (DiffieHellmanGroupExchange algorithm related changes) but I failed to understand them clearly.
public void connect() throws SshException, IOException,
        SftpStatusException, ChannelOpenException {
    SshConnector con = SshConnector.createInstance();
    con.setKnownHosts(new SftpHostKeyVerification());
    // Tries SSH2 first and falls back to SSH1 if it's not available
    con.setSupportedVersions(SshConnector.SSH1 | SshConnector.SSH2);
    /* Error coming here, in con.connect */
    this.ssh = con.connect(new SocketTransport(this.host, DEFAULT_SSH_PORT),
            this.userName);
    PasswordAuthentication pwd = new PasswordAuthentication();
    pwd.setPassword(this.passwod);
    int isLoggedIn = this.ssh.authenticate(pwd);
    if (SshAuthentication.COMPLETE == isLoggedIn) {
        this.client = new SftpClient(this.ssh);
    } else {
        throw new IOException("[Authentication failure] login status: "
                + isLoggedIn);
    }
}
Exception Log:
com.maverick.ssh.SshException: com.maverick.ssh.SshException
at com.maverick.ssh.components.jce.client.DiffieHellmanGroupExchangeSha1.performClientExchange(DiffieHellmanGroupExchangeSha1.java:315)
at com.maverick.ssh2.TransportProtocol.performKeyExchange(TransportProtocol.java:1424)
at com.maverick.ssh2.TransportProtocol.processMessage(TransportProtocol.java:1835)
at com.maverick.ssh2.TransportProtocol.startTransportProtocol(TransportProtocol.java:348)
at com.maverick.ssh2.Ssh2Client.connect(Ssh2Client.java:146)
at com.maverick.ssh.SshConnector.connect(SshConnector.java:649)
at com.maverick.ssh.SshConnector.connect(SshConnector.java:471)
at com.tekelec.ems.util.SftpImpl.connect(SftpImpl.java:73)
at com.tekelec.ems.eagle.measurement.WriterThread.run(WriterThread.java:93)
Caused by: com.maverick.ssh.SshException: Failed to generate DH value: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive) [java.security.InvalidAlgorithmParameterException]
at com.maverick.ssh.components.jce.client.DiffieHellmanGroupExchangeSha1.performClientExchange(DiffieHellmanGroupExchangeSha1.java:250)
... 8 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:120)
at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:658)
at java.security.KeyPairGenerator.initialize(KeyPairGenerator.java:400)
at com.maverick.ssh.components.jce.client.DiffieHellmanGroupExchangeSha1.performClientExchange(DiffieHellmanGroupExchangeSha1.java:240)
... 8 more
This is because the default key exchange algorithm was changed to a more secure algorithm between those versions, and you have not included all of the 3rd-party dependencies that are provided in the lib folder of the Maverick Legacy Client distribution. This folder contains the BouncyCastle JCE provider which, if added to the class path, will resolve this issue.
The problem you are facing is that without the BouncyCastle JCE provider, or a suitable JCE provider that supports large Diffie-Hellman primes, you will not be able to generate a large prime for the updated, more secure key exchange method.
I believe this is a very serious condition occurring to many coders.
Also, I would like to thank Lee David here for the advice. I was able to handle this situation by adding the Bouncy Castle JCE 3rd-party jar available in the Maverick lib folder.
Before this I was trying to edit my java.security file as suggested in another post, but this was a much easier way; also, these Bouncy Castle jars come bundled in the Maverick official release, so no worries on that part too.
I am trying to access the list of Subscribers in my GCP Project using my Java code and a few libraries provided by GCP. This code works fine in my 64-bit Windows environment but does not work in a 32-bit Windows environment.
I have seen in a few documents that netty is not supported on 32-bit machines and we can build our own binaries if required.
https://netty.io/wiki/forked-tomcat-native.html#how-to-build
CredentialsProvider credentialsProvider =
        FixedCredentialsProvider.create(
                ServiceAccountCredentials.fromStream(new FileInputStream(JSONPath)));
try (SubscriptionAdminClient subscriptionAdminClient =
        SubscriptionAdminClient.create(SubscriptionAdminSettings.newBuilder()
                .setCredentialsProvider(credentialsProvider).build())) {
    ListSubscriptionsRequest listSubscriptionsRequest =
            ListSubscriptionsRequest.newBuilder()
                    .setProject(ProjectName.of(ProjectId).toString())
                    .build();
    SubscriptionAdminClient.ListSubscriptionsPagedResponse response =
            subscriptionAdminClient.listSubscriptions(listSubscriptionsRequest);
    logger.log(Level.SEVERE, "response List: " + response.toString());
    Iterable<Subscription> subscriptions = response.iterateAll();
    for (Subscription subscription : subscriptions) {
        if (subscription.getName().equals(SubscriptionId)) {
            return true;
        }
    }
    return false; // no subscription with that name in the project
}
[20:02:30:384]|[06-17-2019]|[io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts]|[INFO]|[36]: netty-tcnative unavailable (this may be normal)|
java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty_tcnative_windows_x86_32, netty_tcnative_x86_32, netty_tcnative]
at io.grpc.netty.shaded.io.netty.util.internal.NativeLibraryLoader.loadFirstAvailable(NativeLibraryLoader.java:104)
at io.grpc.netty.shaded.io.netty.handler.ssl.OpenSsl.loadTcNative(OpenSsl.java:526)
at io.grpc.netty.shaded.io.netty.handler.ssl.OpenSsl.(OpenSsl.java:93)
at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.defaultSslProvider(GrpcSslContexts.java:244)
at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.configure(GrpcSslContexts.java:171)
at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.forClient(GrpcSslContexts.java:120)
at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder.buildTransportFactory(NettyChannelBuilder.java:385)
at io.grpc.internal.AbstractManagedChannelImplBuilder.build(AbstractManagedChannelImplBuilder.java:435)
at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.createSingleChannel(InstantiatingGrpcChannelProvider.java:254)
at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.createChannel(InstantiatingGrpcChannelProvider.java:165)
at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.getTransportChannel(InstantiatingGrpcChannelProvider.java:157)
at com.google.api.gax.rpc.ClientContext.create(ClientContext.java:157)
at com.google.cloud.pubsub.v1.stub.GrpcSubscriberStub.create(GrpcSubscriberStub.java:260)
at com.google.cloud.pubsub.v1.stub.SubscriberStubSettings.createStub(SubscriberStubSettings.java:241)
at com.google.cloud.pubsub.v1.SubscriptionAdminClient.(SubscriptionAdminClient.java:177)
at com.google.cloud.pubsub.v1.SubscriptionAdminClient.create(SubscriptionAdminClient.java:158)
The grpc-java SECURITY.md describes your options:
Use Java 9+, which supports ALPN without needing tcnative
For 32-bit Windows specifically, you can use Conscrypt
The documentation also describes how to use Conscrypt, namely to add a dependency on conscrypt-openjdk-uber and to register it as the default security provider:
import org.conscrypt.Conscrypt;
import java.security.Security;
...
// Somewhere in main()
Security.insertProviderAt(Conscrypt.newProvider(), 1);
You answered your own question... netty-tcnative-* does not support 32bit platforms so you will need to compile it yourself and include it in your class-path.
I'm trying to get a jdbc hsqldb instance encrypted using threefish-512 from bouncycastle. Hsqldb supports configuring this via the connection url: http://hsqldb.org/doc/guide/dbproperties-chapt.html#dpc_crypt_props. I'm familiar with the essentials of cryptography and such but have never worked with JCE, bouncycastle, etc.
I first added crypt_type=Threefish-512;crypt_key=de7e... to my connection string. This threw exceptions about unknown providers and algorithms. Specifying crypt_provider=org.bouncycastle.jce.provider.BouncyCastleProvider did not fix this.
I then added Security.addProvider(new BouncyCastleProvider()); to my code before the jdbc initialization and now crypt_type=Threefish-512;crypt_key=de7e... (without crypt_provider) seems to work mostly. It throws a new exception though:
Illegal key size or default parameters
My crypt_key is 128 hex chars, so it's a 512 bit key. I doubt the key is the problem here. Debugging the Cipher class shows the key is indeed parsed to an array of 64 bytes.
Do I need to do some sort of configuration on bouncycastle/threefish after adding it as a provider? Simple information about this subject seems to be pretty sparse around the internet; there's no quick start to bouncycastle's threefish, no other mentions of this problem, nor anything else that I could find.
Spring Boot project, hsqldb 2.4.0, bouncycastle 1.59 from maven org.bouncycastle:bcprov-jdk15on. Everything already works (db connection and such); I'm just trying to add encryption of the db on top of it. Normally, all you need to do for that is add the crypt_* parameters to the connection string and hsqldb will handle the rest.
public static void main(String[] args) {
    Security.addProvider(new BouncyCastleProvider());
    ConfigurableApplicationContext app = SpringApplication.run(App.class, args);
}
application.properties
spring.datasource.url=jdbc:hsqldb:${app.db.path};create=${spring.datasource.initialize};hsqldb.tx=mvlocks;hsqldb.tx_level=serializable;crypt_type=Threefish-512;crypt_key=de7e...
Am I missing something like this?
BouncyCastleProvider provider = new BouncyCastleProvider();
provider.setParameter("foo", "bar");
Security.addProvider(provider);
Sigh. Silly US lawmakers and their shenanigans. I was using java 8u151, which still has the restricted crypto policy. Updating to u161 solved the problem.
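The root cause above is the JRE's jurisdiction policy, not HSQLDB or Bouncy Castle. The following added example (my own code, not from the question, HSQLDB or Bouncy Castle) asks the policy for the maximum permitted key length before any JDBC URL is built, so a restricted JRE is reported with a clear message instead of "Illegal key size", and then proves the provider registration with a Threefish-512 encrypt/decrypt round trip. It assumes org.bouncycastle:bcprov-jdk15on is on the classpath; the key and message are constructed for the demo.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example, not code from the question or from HSQLDB/Bouncy Castle.
public class ThreefishPolicyCheck {

    static final String TRANSFORM = "Threefish-512/CBC/PKCS7Padding";

    /** True when the JRE policy permits keys of at least keyBits for the algorithm. */
    static boolean keySizeAllowed(String algorithm, int keyBits) throws NoSuchAlgorithmException {
        // getMaxAllowedKeyLength consults the jurisdiction policy, not the provider:
        // a "limited" policy answers 128 for ciphers it does not list explicitly,
        // the unlimited policy answers Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength(algorithm) >= keyBits;
    }

    /** Registers Bouncy Castle once; repeated addProvider calls are ignored anyway. */
    static void ensureBouncyCastle() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** Encrypts then decrypts plaintext with a 64-byte (512-bit) key; returns the decrypted bytes. */
    static byte[] roundTrip(byte[] key, byte[] plaintext) throws Exception {
        ensureBouncyCastle();
        SecretKeySpec keySpec = new SecretKeySpec(key, "Threefish-512");
        byte[] iv = new byte[64];                  // Threefish-512 has a 512-bit block, so a 64-byte IV
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(TRANSFORM, BouncyCastleProvider.PROVIDER_NAME);
        enc.init(Cipher.ENCRYPT_MODE, keySpec, new IvParameterSpec(iv));
        byte[] ciphertext = enc.doFinal(plaintext);
        Cipher dec = Cipher.getInstance(TRANSFORM, BouncyCastleProvider.PROVIDER_NAME);
        dec.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));
        return dec.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        if (!keySizeAllowed("Threefish-512", 512)) {
            System.err.println("Restricted crypto policy: max key length for Threefish-512 is "
                    + Cipher.getMaxAllowedKeyLength("Threefish-512")
                    + " bits. Upgrade the JRE (8u161 or later) or install the unlimited policy files.");
            return;
        }
        byte[] key = new byte[64];                 // constructed demo key, not a real crypt_key
        new SecureRandom().nextBytes(key);
        byte[] msg = "hsqldb encryption smoke test".getBytes("UTF-8");
        System.out.println("Threefish-512 round trip ok: " + Arrays.equals(msg, roundTrip(key, msg)));
    }
}
```

Running this at startup, before SpringApplication.run, turns the late JDBC failure into an explicit policy check; the same getMaxAllowedKeyLength call answers the question for AES-256 on the same JRE.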
I have a JCEKS keystore to hold my AES keys.
This has been working in the dev environment and in the GAE runtime for a while.
Last night I deployed an update (nothing to do with the crypto cases) and now loading the keystore throws an IOException: com.sun.crypto.provider.SealedObjectForKeyProtector and subsequently none of my crypto works (as you'd expect given I can't get to the keys).
I've Googled the exception - one lead looked promising:
Convert a key of JCEKS of a provider into another store for another provider
... which suggests that a keystore created with one provider cannot be read with another provider, but that doesn't seem to be the case here as it was working yesterday! Also https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Administration_and_Configuration_Guide/sect-Password_Vaults_for_Sensitive_Strings.html suggests incompatible providers.
I rolled back my app to the previous (working) version, but I get the same error.
Has GAE changed its default provider? Should I explicitly declare the required provider in my code?
Thanks
Steve
Update 20/05/2015 - root cause identified
The problem was the IOException thrown by ks.load() below:
final KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE_JCEKS);
try {
    InputStream is = this.getClass().getClassLoader().getResourceAsStream("squirrol.keystore");
    ks.load(is, getKeystorePassword().toCharArray()); // IOException thrown here
    ...
} catch (NoSuchAlgorithmException | CertificateException | IOException e) {
    StringWriter sw = new StringWriter();
    e.printStackTrace(new PrintWriter(sw));
    throw new KeyStoreException("Failed to load KeyStore: " + e.getLocalizedMessage());
}
The stack trace output leads off with:
at com.sun.crypto.provider.JceKeyStore.engineLoad(JceKeyStore.java:844)
Googling the class name has found the source (possibly not the actual source, but the line number in the stack trace aligns). Line 844 suggests this IOException is thrown as the result of a ClassNotFoundException with the message being the name of the class that wasn't found - in this case com.sun.crypto.provider.SealedObjectForKeyProtector:
http://www.docjar.com/html/api/com/sun/crypto/provider/JceKeyStore.java.html
So, root cause is that the Google App Engine runtime v1.9.21 cannot load the keystore because it cannot load the class com.sun.crypto.provider.SealedObjectForKeyProtector which Google admit is a whitelisting issue.
Temporary resolution
As the result of a support ticket, Google have reverted my runtime back to 1.9.20 which doesn't have this problem. I'm awaiting a fix that allows me to get back onto automated engine updates.
Update 04/06/15 - Resolved
Google will have a fix in the v1.9.22 runtime.
Update 11/06/15 - Not Resolved after all
The problem persists in the v1.9.22 runtime :(
Update 30/06/15 - Really resolved & proven
Google fixed it in the v1.9.23 runtime. Answer updated to reflect.
This is confirmed fixed in the GAE runtime 1.9.23 (not 1.9.22 - it missed the cut).
The problem was with the runtime whitelisting, which omitted one or more classes needed to load the JCEKS keystore.
This problem only affects the GAE runtimes 1.9.21 & 1.9.22. Note this is the server engine version, not the SDK version. You can check the server version in the console.
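The diagnosis above hinges on one detail of JceKeyStore.engineLoad: a ClassNotFoundException is re-thrown as an IOException whose message is the missing class name, so it looks like a corrupt file or bad password at first glance. The following added example (my own code, not from the question or from Google) builds a JCEKS store holding one AES key in memory, reloads it, and on failure separates the three cases: wrong password, a named provider class the runtime cannot load, and everything else. Password and alias are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not code from the question or from Google App Engine.
public class JceksLoadDiagnostic {

    static final char[] PASSWORD = "constructed-demo-password".toCharArray(); // constructed
    static final String ALIAS = "aes-key";                                   // constructed

    /** Creates a JCEKS keystore with a fresh AES-128 key and returns its serialized bytes. */
    static byte[] buildKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                              // initialise an empty store
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(PASSWORD));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, PASSWORD);
        return out.toByteArray();
    }

    /** Loads the store and returns the key algorithm, or a diagnosis string when loading fails. */
    static String loadAndDiagnose(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try {
            ks.load(new ByteArrayInputStream(bytes), password);
        } catch (IOException e) {
            // A wrong password surfaces as an IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return "wrong keystore password";
            }
            // JceKeyStore.engineLoad wraps ClassNotFoundException in an IOException whose
            // message is the missing class name (the GAE 1.9.21/1.9.22 whitelist case).
            String msg = e.getMessage();
            if (msg != null && msg.startsWith("com.sun.crypto.provider.")) {
                try {
                    Class.forName(msg);
                    return "IOException names " + msg + " but the class loads; store may be corrupt";
                } catch (ClassNotFoundException cnfe) {
                    return "runtime cannot load " + msg + " (provider class not available here)";
                }
            }
            throw e;                                      // genuinely unexpected: let it propagate
        }
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(password));
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey().getAlgorithm();
    }

    public static void main(String[] args) throws Exception {
        byte[] store = buildKeystore();
        System.out.println("correct password: " + loadAndDiagnose(store, PASSWORD));
        System.out.println("wrong password  : " + loadAndDiagnose(store, "not-the-password".toCharArray()));
    }
}
```

Deploying this as a startup self-check makes a runtime regression like the one described above visible in the first log line rather than as a generic "Failed to load KeyStore" deep in the request path.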
I am trying to connect to a DB2 database using Java. Below are the driver and connection string details I am using:
Class.forName("com.ibm.db2.jcc.DB2Driver");
DB2DataSource db2ds = new DB2DataSource();
db2ds.setServerName("servername");
db2ds.setPortNumber(portnumber);
db2ds.setDatabaseName(databasename);
db2ds.setUser(username);
db2ds.setPassword(password);
db2ds.setSecurityMechanism(DB2BaseDataSource.ENCRYPTED_USER_AND_DATA_SECURITY);
db2ds.setDriverType(4);
sourceConnection=db2ds.getConnection();
For this connection I have added the below jars:
1)db2jcc.jar
2)db2jcc_license_cu.jar
But I am getting the below error:
com.ibm.db2.jcc.a.SqlException: java.security.InvalidAlgorithmParameterException is caught when initializing EncryptionManager 'Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)'
at com.ibm.db2.jcc.a.x.<init>(x.java:89)
at com.ibm.db2.jcc.b.b.lc(b.java:2353)
at com.ibm.db2.jcc.b.b.A(b.java:1190)
at com.ibm.db2.jcc.b.b.b(b.java:759)
at com.ibm.db2.jcc.b.b.a(b.java:725)
at com.ibm.db2.jcc.b.b.a(b.java:430)
at com.ibm.db2.jcc.b.b.<init>(b.java:374)
at com.ibm.db2.jcc.DB2DataSource.getSimpleConnection(DB2DataSource.java:87)
at com.ibm.db2.jcc.DB2DataSource.getConnection(DB2DataSource.java:65)
at com.ibm.db2.jcc.DB2DataSource.getConnection(DB2DataSource.java:47)
at TestDB2.main(TestDB2.java:73)
I have tried different security mechanisms but I am still getting the same error. The below options I have tried for the security mechanism:
1) ENCRYPTED_USER_AND_DATA_SECURITY
2) CLEAR_TEXT_PASSWORD_SECURITY
3) ENCRYPTED_PASSWORD_SECURITY
4) ENCRYPTED_USER_AND_PASSWORD_SECURITY
5) ENCRYPTED_USER_PASSWORD_AND_DATA_SECURITY
And I am using JDK 1.6.0 for developing the code.
Please guide on what needs to be done for successful connection.
Thanks in advance.
You will have to use a SecurityProvider. BouncyCastleProvider can be a good option for you. All you have to do is, as the first step in the getConnection() method, use the line below:
Security.addProvider(new BouncyCastleProvider());
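Both this DB2 answer and the Maverick SSH answer earlier on the page trace the same message, "Prime size must be multiple of 64, and can only range from 512 to 1024", to the JRE's own DH implementation refusing the prime size the peer proposes. The following added example (my own code, not from either question, the Maverick library or the IBM driver) probes the default provider with a 2048-bit group before any connection is opened and registers Bouncy Castle only when the default provider fails. It assumes bcprov is on the classpath and uses the published RFC 3526 group 14 prime as the test group; the group is a standard constant, not something taken from the page.

```java
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.Security;

import javax.crypto.spec.DHParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example, not code from the questions, Maverick or the DB2 JCC driver.
public class DhPrimeSizeProbe {

    // RFC 3526 group 14 (2048-bit MODP), the kind of group a modern SSH server offers
    // in diffie-hellman-group-exchange; the generator is 2.
    static final BigInteger P_2048 = new BigInteger(
            "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
          + "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
          + "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
          + "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
          + "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
          + "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
          + "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
          + "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16);
    static final DHParameterSpec GROUP_14 = new DHParameterSpec(P_2048, BigInteger.valueOf(2));

    /** True if the named provider (null = default lookup) can build a DH key pair for the group. */
    static boolean canGenerate(String provider, DHParameterSpec spec) throws Exception {
        KeyPairGenerator kpg = provider == null
                ? KeyPairGenerator.getInstance("DH")
                : KeyPairGenerator.getInstance("DH", provider);
        try {
            kpg.initialize(spec);          // SunJCE on JDK 6/7 rejects primes above 1024 bits here
            kpg.generateKeyPair();
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.err.println((provider == null ? "default" : provider) + " provider: " + e.getMessage());
            return false;
        } catch (InvalidParameterException e) {
            System.err.println((provider == null ? "default" : provider) + " provider: " + e.getMessage());
            return false;
        }
    }

    /**
     * Returns the name of a provider that handles the group, inserting Bouncy Castle at
     * position 1 only when the default provider fails the probe. Position 1 matters when the
     * library asks for "DH" without naming a provider; plain addProvider() appends and is
     * enough only for libraries that request "BC" explicitly.
     */
    static String ensureLargeDhSupport(DHParameterSpec spec) throws Exception {
        if (canGenerate(null, spec)) {
            return KeyPairGenerator.getInstance("DH").getProvider().getName();
        }
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.insertProviderAt(new BouncyCastleProvider(), 1);
        }
        if (!canGenerate(BouncyCastleProvider.PROVIDER_NAME, spec)) {
            throw new IllegalStateException("no provider supports "
                    + spec.getP().bitLength() + "-bit DH on this JRE");
        }
        return BouncyCastleProvider.PROVIDER_NAME;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("2048-bit DH served by provider: " + ensureLargeDhSupport(GROUP_14));
    }
}
```

Call ensureLargeDhSupport once at application start, before SshConnector.connect or DB2DataSource.getConnection; the probe is cheap and the log line it prints names the provider that will actually perform the key exchange.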
I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two factor authentication with.
The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication.
Minimal impact to the end user is desirable, but I'd like to avoid having the admins need to go through a VPN connection.
Does anyone know of any products that provide Java APIs that could be directly integrated into the existing application or other products that will provide a minimal impact? I've already spoken with RSA SecurID, but their system wouldn't integrate directly and would require an infrastructure change. Any other ideas/experience is greatly appreciated.
For posterity, I've just posted my simple Java two factor authentication utility class to Github. With it, you can do something like the following:
TwoFactorAuthUtil twoFactorAuthUtil = new TwoFactorAuthUtil();
// To generate a secret use:
// String base32Secret = generateBase32Secret();
String base32Secret = "NY4A5CPJZ46LXZCP";
// now we can store this in the database associated with the account
// this is the name of the key which can be displayed by the authenticator program
String keyId = "user#j256.com";
System.out.println("Image url = " + twoFactorAuthUtil.qrImageUrl(keyId, base32Secret));
// we can display this image to the user to let them load it into their auth program
// we can use the code here and compare it against user input
String code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
// this little loop is here to show how the number changes over time
while (true) {
    long diff = TwoFactorAuthUtil.TIME_STEP_SECONDS
            - ((System.currentTimeMillis() / 1000) % TwoFactorAuthUtil.TIME_STEP_SECONDS);
    code = twoFactorAuthUtil.generateCurrentNumber(base32Secret);
    System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
    Thread.sleep(1000);
}
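The utility above hides what a TOTP code actually is. The following added example (my own code, not the j256 utility or any other project on this page) implements RFC 6238 directly: base32 decoding of the shared secret, HMAC-SHA1 over the 30-second time counter, dynamic truncation, and a verifier that accepts one step either side for clock drift and compares in constant time. It checks itself against the RFC 6238 Appendix B vector and then uses the sample secret from the answer above; the names TotpExample, hotp, totp and verify are mine.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not code from the answer or from the j256 two-factor utility.
public class TotpExample {

    static final int TIME_STEP_SECONDS = 30;
    static final int DIGITS = 6;
    static final String HMAC = "HmacSHA1";
    private static final String BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    /** Decodes an RFC 4648 base32 string (case-insensitive, '=' padding and spaces ignored). */
    static byte[] base32Decode(String s) {
        String clean = s.toUpperCase().replace("=", "").replace(" ", "");
        ByteBuffer out = ByteBuffer.allocate(clean.length() * 5 / 8);
        int buffer = 0, bitsLeft = 0;
        for (char c : clean.toCharArray()) {
            int val = BASE32.indexOf(c);
            if (val < 0) throw new IllegalArgumentException("invalid base32 character: " + c);
            buffer = (buffer << 5) | val;
            bitsLeft += 5;
            if (bitsLeft >= 8) {
                out.put((byte) (buffer >> (bitsLeft - 8)));
                bitsLeft -= 8;
                buffer &= (1 << bitsLeft) - 1;   // keep only the bits not yet emitted
            }
        }
        return out.array();
    }

    /** RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits. */
    static String hotp(byte[] key, long counter, int digits) throws Exception {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(new SecretKeySpec(key, HMAC));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = hash[hash.length - 1] & 0x0F;
        int binary = ((hash[offset] & 0x7F) << 24) | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8) | (hash[offset + 3] & 0xFF);
        int otp = binary % (int) Math.pow(10, digits);
        return String.format("%0" + digits + "d", otp);
    }

    /** RFC 6238 TOTP: HOTP with the counter set to unixSeconds / TIME_STEP_SECONDS. */
    static String totp(String base32Secret, long unixSeconds, int digits) throws Exception {
        return hotp(base32Decode(base32Secret), unixSeconds / TIME_STEP_SECONDS, digits);
    }

    /** Accepts the current step and one step either side; every comparison is constant-time. */
    static boolean verify(String base32Secret, String candidate, long unixSeconds) throws Exception {
        byte[] key = base32Decode(base32Secret);
        long step = unixSeconds / TIME_STEP_SECONDS;
        boolean ok = false;
        for (long s = step - 1; s <= step + 1; s++) {
            byte[] expected = hotp(key, s, DIGITS).getBytes("US-ASCII");
            ok |= MessageDigest.isEqual(expected, candidate.getBytes("US-ASCII"));
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 Appendix B vector: ASCII secret "12345678901234567890" (base32 below),
        // time 59 seconds, 8 digits, SHA-1 -> 94287082
        String rfcSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
        String code = totp(rfcSecret, 59L, 8);
        System.out.println("RFC 6238 vector: " + code + ("94287082".equals(code) ? " (match)" : " (MISMATCH)"));

        long now = System.currentTimeMillis() / 1000;
        String secret = "NY4A5CPJZ46LXZCP";              // sample secret from the answer above
        String current = totp(secret, now, DIGITS);
        System.out.println("current code: " + current + ", verifies: " + verify(secret, current, now));
    }
}
```

Two things a production verifier needs beyond this block: remember the last accepted step per account so a code cannot be replayed inside its window, and rate-limit attempts, since a six-digit code with a three-step window is only about one chance in 333,000 per guess.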
If you want two-factor authentication via a TLS client certificate, there are a few hardware cryptographic tokens out there. Java can load a PKCS#11 store out of the box, although some configuration may be required. How much of it is admin configuration vs. application configuration depends on the application (and sometimes on how 'locked' the terminal is w.r.t. inserting a USB token or having a card reader).
There may be alternative solutions, such as One-Time Password tokens (which don't rely on certificates, but on unique passwords instead). This seems less heavy for the users. I must admit I've never tried it, but this project might be interesting: http://directory.apache.org/triplesec/ (There are also hardware OTP keyrings, usually by the same vendors who do RSA cards/USB tokens).
We have API packages for Java (and php, ruby, python, and C#): http://www.wikidsystems.com/downloads/network-clients for the WiKID Strong Authentication system. These packages are LGPL, so you can also use them in commercial products. They work with both our open-source community version and the commercial Enterprise version.
HTH,
Nick
If you are able to use Spring Security we have a plugin which offers two factor authentication (physical and soft tokens) - www.cloudseal.com