Develop Reference

Parse a JWT Token issued by a Java application, inside a python script

I have a Java Spring boot API that a user logs in and is issued a JWT token ( i cant change this code). I have a new python API that needs to parse the JWT to verify its been authenticated.
Java Code
import io.jsonwebtoken.Jwts;
private String secretKey = "CFB86D5E4DC4C11C6AFA9E5DF5AD9"
String jwt = Jwts.builder()
.setSubject(userByUsername.getUsername())
.setIssuedAt(now)
.setNotBefore(now)
.setIssuer("my-authenticator")
.setExpiration(new Date(System.currentTimeMillis() + (1000L * tokenMaxAge)))
.signWith(SignatureAlgorithm.HS256, secretKey)
.compact();
Inside my python code i have
import jwt
token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTY3NDUwMzE2NSwibmJmIjoxNjc0NTAzMTY1LCJpc3MiOiJ0ZXN0IiwiZXhwIjoxNjc0NTA2NzY1fQ.wPc98PTVmZKKUEBmuKZG3Z_fXrC7QLLpLE9BXHR3Sw4"
key = 'CFB86D5E4DC4C11C6AFA9E5DF5AD9'
jwt_options = {
'verify_signature': True,
'verify_exp': False,
'verify_nbf': False,
'verify_iat': True,
'verify_aud': False
}
parts = jwt.decode(token, key, algorithms="HS256", options=jwt_options)
print(parts)
If I set verify_signature = False everything works and i can parse the jwt. But I need to have this set to true. If I go to jwt.io the signature shows up as verified
I've tried playing around with encoding/decoding the string but Im not sure what I'm missing
I have tried decoding and encoding the key but havn't had success. The secret is the same in the java application and python application
ex1. key = b'CFB86D5E4DC4C11C6AFA9E5DF5AD9'
ex2. key = str(base64.urlsafe_b64decode(CFB86D5E4DC4C11C6AFA9E5DF5AD9), 'utf-8')
ex3. key = base64.urlsafe_b64decode(CFB86D5E4DC4C11C6AFA9E5DF5AD9)
ex4. key = base64.b64decode('CFB86D5E4DC4C11C6AFA9E5DF5AD9') # this gives binascii.Error: Invalid base64-encoded string: number of data characters (29) cannot be 1 more than a multiple of 4
Solution:
So I was able to solve my question but im not sure why it worked. The first consisted of setting my secret to a 256 character string ex. 73357638792F423F4428472B4B6250655368566D597133743677397A24432646 The next step was to encode it to UTF-8 and then b64encode it so:
jwt_options = {
'verify_signature': True,
'verify_exp': False,
'verify_nbf': False,
'verify_iat': True,
'verify_aud': False
}
signature_key = config.config.signature_key
signature_key = b64decode(signature_key.encode("utf-8"))
parts = jwt.decode(self.token, signature_key, algorithms=["HS256"], options=jwt_options)

Cannot sign data using private key, getting algorithm not supported by the key in swift

I have generated the private key in swift using the following code:
let publicKeyAttr: [NSObject: NSObject] = [
kSecAttrIsPermanent:true as NSObject,
kSecAttrApplicationTag:"com.xeoscript.app.RsaFromScrach.public2".data(using: String.Encoding.utf8)! as NSObject] // added this value
let privateKeyAttr: [NSObject: NSObject] = [
kSecAttrIsPermanent:true as NSObject,
kSecAttrApplicationTag:"com.xeoscript.app.RsaFromScrach.private2".data(using: String.Encoding.utf8)! as NSObject] // added this
var keyPairAttr = [NSObject: NSObject]()
keyPairAttr[kSecAttrKeyType] = kSecAttrKeyTypeRSA
keyPairAttr[kSecAttrKeySizeInBits] = 2048 as NSObject
keyPairAttr[kSecPublicKeyAttrs] = publicKeyAttr as NSObject
keyPairAttr[kSecPrivateKeyAttrs] = privateKeyAttr as NSObject
statusCode = SecKeyGeneratePair(keyPairAttr as CFDictionary, &publicKey, &privateKey)
And then I am using the private key to sign a piece of data, using the SecKeyAlgorithm.rsaEncryptionPKCS1 algorithm.
The code to sign is as follows:
public func sign(privateKey myPrivateKey: SecKey, value: String, base64EncodingOptions: Data.Base64EncodingOptions = []) throws -> String?
{
enum LoginErrors: Error {
case badUsername
case badPassword
}
guard #available(iOS 10.0, watchOS 3.0, tvOS 10.0, *) else {
return "Not available"
}
let data = value.data(using: .utf8)!
var error: Unmanaged<CFError>?
guard let signedData = SecKeyCreateSignature(myPrivateKey,
SecKeyAlgorithm.rsaEncryptionPKCS1,
data as CFData,
&error) as Data? else
{
return nil
}
return "(signedData.base64EncodedString())"
}
I am getting this exception:
[0] (null) "NSDescription" : "algid:encrypt:RSA:PKCS1: algorithm not supported by the key <SecKeyRef algorithm id: 1, key type: RSAPrivateKey, version: 4, block size: 2048 bits, addr: 0x280a0e5a0>"

SecKeyAlgorithm.rsaEncryptionPKCS1 is incorrect, this is attempting to use the RSA private key for hybrid encryption.
Instead pass something appropriate such as rsaSignatureDigestPKCS1v15SHA256, rsaSignatureDigestPSSSHA256 or one of the other options shown here.
Note, rsaSignatureDigestPKCS1v15SHA256 is deterministic.
Additionally, I would suggest using elliptic curve signature, RSA in 2020, however tempting, is the wrong choice.
There are so many gorgeous libs that support ECC now I wouldn't be using SecKit.

How to create bitcoin wallet from mnemonics using bitcoinj (walletappkit) in android

I am creating a wallet from mnemonics,for ethereum i have used web3j library for generating mnemonics,address and its private key and now for bitcoin i want to use the same generated mnemonics to generate bitcoin address and its private key for bitcoin i am using Bitcoinj library but not able to get its address and key.
I also tried Walletappkit but its generating address without getting mnemonics so is there any way of using mnemonics in Walletappkit so i can get bitcoin address and sync the bitcoin chain for transactions.
Also is there any way of using walletappkit without syncing and gets bitcoin detail like its balance and transaction info.
Below is the code how I created ethereum wallet and its mnemonic key using web3j and bitcoinj.
val wallet = WalletUtils.generateBip39Wallet("", File(path))
val mnemonics = wallet.mnemonic
// bitcoinj
var seed = DeterministicSeed(wallet.mnemonic, null, "", 1409478661L)
val chain = DeterministicKeyChain.builder().seed(seed).build()
val keyPath = HDUtils.parsePath("M/44H/60H/0H/0/0")
val key = chain.getKeyByPath(keyPath, true)
val privKey = key.privKey
// Web3j
val credentials = Credentials.create(privKey.toString(16))
val eth_address = credentials.address

I'm not sure if I correctly understand what you want to do, but if you want to restore/create a Bitcoinj wallet from a mnemonic seed, then there's an official example for this here:
// Here we restore our wallet from a seed with no passphrase. Also have a look at the BackupToMnemonicSeed.java example that shows how to backup a wallet by creating a mnemonic sentence.
String seedCode = "yard impulse luxury drive today throw farm pepper survey wreck glass federal";
String passphrase = "";
Long creationtime = 1409478661L;
DeterministicSeed seed = new DeterministicSeed(seedCode, null, passphrase, creationtime);
// The wallet class provides a easy fromSeed() function that loads a new wallet from a given seed.
Wallet wallet = Wallet.fromSeed(params, seed, Script.ScriptType.P2PKH);

you can use bitcore.js for generating mnemonics. I am sharing the link of npm package please have a look.
var Mnemonic = require('bitcore-mnemonic');
var code = new Mnemonic(Mnemonic.Words.SPANISH);
code.toString();
var xpriv = code.toHDPrivateKey();

Programmatically enable versioning on AWS S3

I am having trouble programmatically enabling versioning of an existing bucket using AWS SDK iOS v2.1.1. The error is -[NSNull _fastCharacterContents]: unrecognized selector sent to instance .... My snippet of code that creates the error results from executing the putBucketVersioning method:
AWSS3VersioningConfiguration *conf = [AWSS3VersioningConfiguration new];
conf.status = AWSS3BucketVersioningStatusEnabled;
AWSS3PutBucketVersioningRequest *versionRequest = [AWSS3PutBucketVersioningRequest new];
versionRequest.bucket = createBucketReq.bucket;
versionRequest.versioningConfiguration = conf;
[[[AWSS3 S3ForKey:key] putBucketVersioning:versionRequest] continueWithBlock:^id(BFTask *task) {
return task;
}
I am probably missing an argument in how I create the AWSS3PutBucketVersioningRequest request, but I cant find any examples or documentation that will point me in the right direction. Any suggestions in Java, Cocoa, or Swift are very welcome. Cheers, Trond
UPDATE:
Based on comments I am including the full method and the error output after having enabled AWSLogging verbose.
-(BFTask*) enableVersioningOfBucket:(NSString*)bucket region:(NSInteger) region {
[self setupCredentialsForRegion:region];
NSString *key = [NSString stringWithFormat:#"regionkey%li",region];
AWSS3VersioningConfiguration *conf = [AWSS3VersioningConfiguration new];
conf.status = AWSS3BucketVersioningStatusEnabled;
AWSS3PutBucketVersioningRequest *versionRequest = [AWSS3PutBucketVersioningRequest new];
versionRequest.bucket = bucket;
versionRequest.versioningConfiguration = conf;
NSLog(#"Config %#",versionRequest);
return [[[AWSS3 S3ForKey:key] putBucketVersioning:versionRequest] continueWithBlock:^id(BFTask *task) {
NSLog(#"Put bucket versioning %# - %#", task, task.result);
return task;
}];
}
Log message:
2015-06-06 12:09:41.822 connectS3[50137:6337899] Config <AWSS3PutBucketVersioningRequest: 0x600000082350> {
bucket = testbucket;
versioningConfiguration = "<AWSS3VersioningConfiguration: 0x600000024bc0> {\n MFADelete = 0;\n status = 1;\n}";}
2015-06-06 12:09:41.832 connectS3[50137:6337899] -[NSNull _fastCharacterContents]: unrecognized selector sent to instance 0x7fff7724c210
Update 2
The image below shows the stack trace as the error message has just appeared when I use a break-point and step into each method call.
Update 3
I setup my credentials as described below. This works fine for all of my other methods connecting with S3 except for enabling versioning.
AWSStaticCredentialsProvider *credentialsProvider = [[AWSStaticCredentialsProvider alloc ]
initWithAccessKey:keychainStore[ACCESS_KEY_ID]
secretKey:keychainStore[SECRET_KEY]];
AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:region
credentialsProvider:credentialsProvider];
/* One credential configuration for each region **/
NSString *key = [NSString stringWithFormat:#"regionkey%li",region];
[AWSS3 registerS3WithConfiguration:configuration forKey:key];
/* Default credentialsProvider **/
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
Thanks for your help!

I can confirm it is a bug in current AWS Mobile SDK. we will fix it in future release. Thanks for the reporting.
For a workaround, you can add the following line to your AWSS3VersioningConfiguration code:
AWSS3VersioningConfiguration *conf = [AWSS3VersioningConfiguration new];
conf.status = AWSS3BucketVersioningStatusEnabled;
conf.MFADelete = AWSS3MFADeleteDisabled; // <------ Add this line
...

Is there a way to use commutative encryption in php?

I have used the encrypt and decrypt functions from this answer to implement message passing using Three-pass protocol with the Blowfish cipher.
And I tried using commutative ecryption/decryption. That is,
$tmp = encrypt($input, $key1);
$tmp = encrypt($tmp, $key2);
$tmp = decrypt($tmp, $key1);
$dec2 = decrypt($tmp, $key2);
But it does not work. I used a single key instead of 2 different keys and it works(has to!).
So there's no problem in the way I'm using these functions, but I simply cant get it working with two keys.
Am I doing something wrong? Is this not possible, or is there another way?
Or, is there a way I could do it in Java?
Edit: For those who don't understand the procedure, Three-pass protocol is a way to send encrypted messages without having to send the keys. So the procedure is
Sender encrypts with key1 and sends
Receiver encrypts with key2 and sends back
Sender decrypts with key1 and sends back
Receiver decrypts with key2 to get the original message
You can see that keys are not exchanged, but the message is sent only in encrypted form. That's the whole point.

Using the XOR function provided by a user in this thread
Encrypt/decrypt with XOR in PHP
function xor_this($string,$key) {
// Our plaintext/ciphertext
$text =$string;
// Our output text
$outText = '';
// Iterate through each character
for($i=0;$i<strlen($text);)
{
for($j=0;($j<strlen($key) && $i<strlen($text));$j++,$i++)
{
$outText .= $text{$i} ^ $key{$j};
//echo 'i='.$i.', '.'j='.$j.', '.$outText{$i}.'<br />'; //for debugging
}
}
return $outText;
}
//The sender chooses a private encryption key s and a corresponding decryption key t. The sender encrypts the message m with the key s and sends the encrypted message E(s,m) to the receiver.
//The receiver chooses a private encryption key r and a corresponding decryption key q and super-encrypts the first message E(s,m) with the key r and sends the doubly encrypted message E(r,E(s,m)) back to the sender.
//The sender decrypts the second message with the key t. Because of the commutativity property described above D(t,E(r,E(s,m)))=E(r,m) which is the message encrypted with only the receiver's private key. The sender sends this to the receiver.
$senderkey=base64_encode('chicken');
$receiverkey=base64_encode('ardvark');
$itemwewanttoshare='hello darling';
echo'$itemwewanttoshare: '.$itemwewanttoshare.'<BR>';
$packet1=xor_this($itemwewanttoshare,$senderkey);
echo'$packet1: '.$packet1.'<BR>';
$packet2=xor_this($packet1,$receiverkey);
echo'$packet2: '.$packet2.'<BR>';
$packet3=xor_this($packet2,$senderkey);
echo'$packet3: '.$packet3.'<BR>';
$packet4=xor_this($packet3,$receiverkey);
echo'$packet4: '.$packet4.'<BR>';
You get this
$itemwewanttoshare: hello darling
$packet1: 1W6 TS>
$packet2: hNwRVtq|ing
$packet3: 1=&M"TS>
$packet4: hello darling
EDIT addition
I base64'd the key for simplicity. Use a key with more variation and the results will be more complicated.
use mcrypt_create_iv(40) to create your keys and you end up with something like this
$senderkey='<²#H[Ô\´(µÑ/KÀ®"熺¥ç|Ëvr%O›eu$nºbe';
$receiverkey='Øh\5PÀKO[ù¬òZH‰•Ê¬h/¥nëk¾ðéíPÄ"Uü';
which will change the output to
$itemwewanttoshare: hello darling
$packet1: T§ÞO'{§õ.®ÝF¥
$packet2: —?¶+¦6®½– þ
$packet3: «ý0Zpe¢ò"!<
$packet4: hello darling
Edit 2
Duskwuff brings up a good point. $itemwewanttoshare should be created by the system(program) and not be a user created item. This method could be used to establish a shared encryption key that both send and receiver could use to encrypt further communication. Sender would generate the key, and then that would be the itemwewanttoshare , thus allowing both sides to know the encryption key without passing it directly.

The WikiPedia article gives a hint at what can be used:
Sometimes the encryption function and decryption function are the same.
This is the case for stream ciphers like RC4 which create a long stream of pseudo-random data and simply XOR it with the data. XOR is commutative and it is easy to implement it in PHP:
$cipher = "arcfour";
$k1 = mcrypt_create_iv(256); // random
$k2 = mcrypt_create_iv(256); // random
$data = "some string";
$mode = "stream";
echo "key size: ".mcrypt_get_key_size($cipher, $mode)."\n"; // 256
echo "iv size: ".mcrypt_get_iv_size($cipher, $mode)."\n"; // 0
// Three-pass protocol property: D(d,E(k,E(e,m))) = E(k,m)
$c1 = mcrypt_encrypt($cipher, $k1, $data , $mode, "");
$c2 = mcrypt_encrypt($cipher, $k2, $data , $mode, "");
$c2 = mcrypt_encrypt($cipher, $k1, $c2 , $mode, "");
$c2 = mcrypt_decrypt($cipher, $k2, $c2 , $mode, "");
echo $c1 == $c2;
Block ciphers in CTR mode are also useable in the same way. This is an example of AES in CTR mode:
$cipher = "rijndael-128";
$k1 = mcrypt_create_iv(16); // random
$k2 = mcrypt_create_iv(16); // random
$iv1 = mcrypt_create_iv(16); // random
$iv2 = mcrypt_create_iv(16); // random
$data = "some string";
$mode = "ctr";
echo "key size: ".mcrypt_get_key_size($cipher, $mode)."\n";
echo "iv size: ".mcrypt_get_iv_size($cipher, $mode)."\n";
$c1 = mcrypt_encrypt($cipher, $k1, $data , $mode, $iv1);
$c2 = mcrypt_encrypt($cipher, $k2, $data , $mode, $iv2);
$c2 = mcrypt_encrypt($cipher, $k1, $c2 , $mode, $iv1);
$c2 = mcrypt_decrypt($cipher, $k2, $c2 , $mode, $iv2);
echo $c1 == $c2;