Tuesday, 26 November 2013

Import PEM into .P12

OpenSSL> pkcs12 -export -in certFile.pem -inkey keyFile.key -out p12File.p12 -certfile intermediateCertFile.pem

-certfile bundles the intermediate certificate(s) so the .p12 carries the whole chain, and -export prompts for an export password, which is what encrypts the private key inside the resulting file.

Friday, 15 November 2013

JCE and Thales nCipher HSM

This was an education in JCE.  The task was to:
1) Get a private key onto an nCipher HSM
2) Use the key to produce a PKCS#7 detached signature for some content
3) Get the public certificate corresponding to the key so that it could be supplied to an external party to verify the signature.


Some terminology:
.pem file - a text file holding base64-encoded DER between "-----BEGIN ...-----" / "-----END ...-----" lines.  It can contain a private key, a public key certificate or a whole certificate chain (several blocks one after another).  Often used to pass public certificates / certificate chains around.

.p12 file - a PKCS#12 file that contains a private key together with its certificate (and usually the chain).  The contents are password-encrypted, so you need the password to get at the key.

Some JCE terminology

KeyStore - interface that gives you access to key material held in files like .p12s and .jks files (PEM is not a KeyStore type; a library such as BouncyCastle is needed to parse it, see below) or, via a provider, on hardware.  You load a keystore from a file, specifying its type, and can then list aliases and obtain keys and certificates; keytool drives the same interface when it generates keys into a store.

Certificate - Represents a certificate! :-)

Provider - abstraction for the implementation classes behind the JCE interfaces like KeyStore and Signature; you pick one by name when you ask for an instance.  When you want to do s

Some providers, like nCipher's, implement the interfaces so that the operations are performed on the hardware device.  Others, like the SUN and BouncyCastle providers, do the work in software, in memory.  The former is more secure because the private key used for signing never exists outside the hardware device; the application only ever holds a handle to it.

The BouncyCastle provider does its work in memory, but the library also has convenience classes that translate between formats (PEM, DER, CMS/PKCS#7).

So the trick is to use the HSM provider for all the key generation and signing, and BouncyCastle for the format changes.

See my private testSign git project for examples of signing.

To get a key into the HSM:
java -Dprotect=module -DignorePassphrase=true sun.security.tools.KeyTool -genkey -storetype nCipher.sworld -keyalg RSA -sigalg SHA1withRSA  -keystore d:/temp/neilltest.dat

Since no -alias is given, keytool uses its default alias "mykey".  SHA1withRSA only signs the self-signed certificate here, but prefer -sigalg SHA256withRSA; SHA-1 signatures are deprecated.  (sun.security.tools.KeyTool is the JDK 6/7 class name; JDK 8 moved it to sun.security.tools.keytool.Main.)

This will create the .dat file that contains a reference to the private key in the HSM (but not the key itself). The .dat file is then used as a keystore like a normal JKS file, using keytool.

You can use keytool -certreq against that keystore to generate a CSR; once a CA has signed it, import the issued certificate with keytool -importcert under the same alias.  That certificate is what an external party uses to verify signatures made with the HSM-held private key.
http://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html

If you want to list certificates in a HSM then:
keytool -list -v -providername nCipherKM -storetype nCipher.sworld -keystore neilltest.dat -storepass [whatever it is]
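As an added example (this is not the author's testSign project), here are the three steps above in JCE: open the keystore through the provider that owns the key, sign through that same provider, let BouncyCastle (bcpkix) build the detached CMS/PKCS#7 structure, and write the certificate out as PEM for the external party, who then verifies with BC alone. The provider name nCipherKM and store type nCipher.sworld are the ones used in the keytool commands above; the alias "mykey" (keytool's default), the store password, the file paths and the content are assumptions. Pass "PKCS12" and null to the constructor to run the same code against a software keystore.

```java
import java.io.FileInputStream;
import java.io.FileWriter;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;

import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Detached CMS/PKCS#7 signing where the private key never leaves the keystore's provider. */
public class DetachedSigner {

    private final String storeType;    // "nCipher.sworld" for the HSM, "PKCS12" for a software store
    private final String providerName; // "nCipherKM" for the HSM, null to let JCE choose

    public DetachedSigner(String storeType, String providerName) {
        this.storeType = storeType;
        this.providerName = providerName;
        Security.addProvider(new BouncyCastleProvider()); // BC is only used for digests and CMS formatting
    }

    /** Step 1: load the keystore via the provider that owns the key. For the HSM the .dat file is
     *  just a reference; the key object we get back is usable only through that provider. */
    public KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = providerName == null ? KeyStore.getInstance(storeType)
                                           : KeyStore.getInstance(storeType, providerName);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Step 2: detached signature ('false' = the content is not embedded in the SignedData). */
    public byte[] signDetached(KeyStore ks, String alias, char[] keyPass, byte[] content) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // The RSA operation runs inside the keystore's provider (i.e. on the HSM); digesting runs in BC.
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256withRSA");
        if (providerName != null) signerBuilder.setProvider(providerName);
        ContentSigner signer = signerBuilder.build(key);

        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(signer, cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert))); // lets the verifier find the signer

        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), false);
        return signed.getEncoded(); // DER SignedData without encapsulated content (a .p7s)
    }

    /** Step 3: the public certificate as PEM, for the external party. */
    public void writeCertificatePem(KeyStore ks, String alias, String outPath) throws Exception {
        try (JcaPEMWriter pem = new JcaPEMWriter(new FileWriter(outPath))) {
            pem.writeObject(ks.getCertificate(alias));
        }
    }

    /** What the external party does: re-attach the content, then check every SignerInfo against the cert. */
    public static boolean verifyDetached(byte[] content, byte[] signature, X509Certificate cert) throws Exception {
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(content), signature);
        if (signed.getSignerInfos().size() == 0) return false;
        for (Object o : signed.getSignerInfos().getSigners()) {
            SignerInformation si = (SignerInformation) o;
            if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert))) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: keystore created with the keytool command above; "mykey" is keytool's default alias.
        DetachedSigner hsm = new DetachedSigner("nCipher.sworld", "nCipherKM");
        char[] pass = "changeit".toCharArray();
        KeyStore ks = hsm.load("d:/temp/neilltest.dat", pass);
        byte[] content = "content to be signed".getBytes("UTF-8");
        byte[] p7s = hsm.signDetached(ks, "mykey", pass, content);
        hsm.writeCertificatePem(ks, "mykey", "d:/temp/signer.pem");
        System.out.println("verifies: " + verifyDetached(content, p7s, (X509Certificate) ks.getCertificate("mykey")));
    }
}
```

The external party needs only the .p7s bytes, the original content and signer.pem; it never needs the .dat file or any nCipher software, which is the point of separating the signing provider from the formatting library.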


Thursday, 31 October 2013

Java trust store, Mule HTTPS how to

Occasionally you need to connect to an HTTPS server from Java where the certificate protecting the host is not signed by a trusted 3rd party CA, for example a self-signed certificate.

This would be the case in Mule when you use the HTTPS connector with no trust store configuration, so it relies on the JRE's default trust store.

In order for the certificate to be trusted it has to be imported into the trust store the Java runtime is using.
 By default that is the file [jre]\lib\security\cacerts (default password "changeit").  Be aware that cacerts is replaced when the JRE is upgraded and is shared by everything running on that JRE; the cleaner option is a dedicated trust store selected with -Djavax.net.ssl.trustStore (or configured on the Mule connector itself).

There is an open source tool called InstallCert that can be used to fetch a server's certificate and import it into the trust store.  Check the certificate's fingerprint against one obtained out of band before trusting it; importing blindly just turns an untrusted connection into a silently trusted one.

I've got a copy locally in my d:\tools folder, but you can get it and compile it if you want.

Useful links about this:
http://www.dekho.com.au/help/32/default.htm?turl=Documents%2Faddingacertificateintothejavacertificatestore.htm
https://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java
http://miteff.com/install-cert
http://forums.visokio.com/discussion/1365/ssl-certificate-error-use-your-trusted-certificate
http://stackoverflow.com/questions/373295/digital-certificate-how-to-import-cer-file-in-to-truststore-file-using
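As an added example (not InstallCert itself, and not part of the original post), the same idea written against the JSSE API: handshake with the server through a trust manager that records the presented chain, print the SHA-256 fingerprint, and only import into a dedicated trust store once the fingerprint passed on the command line matches. The store file name mule-truststore.jks, its password and the choice of which certificate in the chain to trust are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Fetch the chain an HTTPS server presents and import its certificate into a trust store (the InstallCert idea). */
public class TrustStoreImporter {

    /** Records the presented chain and whether the real trust manager would have accepted it. */
    static final class CapturingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] chain;
        CertificateException failure;

        CapturingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkServerTrusted(X509Certificate[] presented, String authType) {
            chain = presented;
            try { delegate.checkServerTrusted(presented, authType); } catch (CertificateException e) { failure = e; }
        }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            throw new CertificateException("client authentication not supported");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Opens an existing trust store or starts an empty one: a dedicated store, not the JRE's cacerts. */
    public static KeyStore loadTrustStore(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(Paths.get(path))) {
            try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        } else {
            ks.load(null, pass);
        }
        return ks;
    }

    /** Handshakes with host:port and returns what was presented. No application data is sent. */
    public static CapturingTrustManager fetchChain(KeyStore trust, String host, int port) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        CapturingTrustManager tm = new CapturingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.startHandshake(); // completes even for an untrusted cert because the trust manager swallows the failure
        }
        return tm;
    }

    public static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b));
        return sb.substring(0, sb.length() - 1);
    }

    /** Usage: TrustStoreImporter host port [expected-sha256-fingerprint]. Store path and password are assumptions. */
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String expectedFp = args.length > 2 ? args[2] : null;
        String storePath = "mule-truststore.jks"; // point -Djavax.net.ssl.trustStore (or the Mule connector) at this
        char[] pass = "changeit".toCharArray();

        KeyStore trust = loadTrustStore(storePath, pass);
        CapturingTrustManager tm = fetchChain(trust, host, port);
        if (tm.failure == null) { System.out.println("Already trusted, nothing to do."); return; }

        // Trust the highest certificate the server sent: the self-signed cert itself, or the top CA cert presented.
        X509Certificate toTrust = tm.chain[tm.chain.length - 1];
        String fp = sha256Fingerprint(toTrust);
        System.out.println("Untrusted: " + toTrust.getSubjectX500Principal() + "\n  SHA-256: " + fp);
        if (expectedFp == null || !expectedFp.replace(":", "").equalsIgnoreCase(fp.replace(":", ""))) {
            System.out.println("Confirm the fingerprint with the server owner, then rerun with it as the third argument.");
            return;
        }
        trust.setCertificateEntry(host, toTrust);
        try (OutputStream out = new FileOutputStream(storePath)) { trust.store(out, pass); }
        System.out.println("Imported into " + storePath);
    }
}
```

Run it once without the fingerprint to see what the server presents, confirm that value out of band, then run again with it; the import is refused on any mismatch, so a man-in-the-middle at import time cannot plant its own certificate.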
Tuesday, 3 September 2013

Import .p12 file into .jks (assuming the .p12 has a password)

If it doesn't have a password use the previous post (below) to add one first.

Obtain the alias of the key in the .p12 file (for a Tomcat export it is typically "tomcat") using the following command:
keytool -v -list -storetype pkcs12 -keystore [MY_FILE.p12]

Next plug the source file, source alias, new .jks file name, keystore password and new alias into this command (all on one line):
keytool -importkeystore -srckeystore [MY_FILE.p12] -srcstoretype pkcs12
-srcalias [ALIAS_SRC] -destkeystore [MY_KEYSTORE.jks]
-deststoretype jks -deststorepass [PASSWORD_JKS] -destalias [ALIAS_DEST]

Add a password to a .p12 file

openssl
pkcs12 -in [file.p12] -out [file.pem] -info
pkcs12 -export -in [file.pem] -out [fileOut.p12]

The first command prompts for the (possibly empty) import password and then for a PEM pass phrase that encrypts the private key in [file.pem]; the second prompts for that pass phrase again and for the new export password.  Delete [file.pem] afterwards, since it holds the private key outside the .p12.
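As an added example (not from the original posts) covering the conversions on this page, namely PEM into .p12 (the openssl command in the first post), .p12 into .jks, and re-exporting a .p12, here is the same work done through the JCE KeyStore API with BouncyCastle (bcpkix) parsing the PEM, which is the "BC for format changes" division of labour from the nCipher post. File names follow the commands above; the alias, the passwords and BouncyCastle being on the classpath are assumptions.

```java
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

/** PEM (key + certs) -> PKCS#12 -> JKS through the KeyStore API; BouncyCastle only parses the PEM. */
public class KeyStoreConverter {

    static { Security.addProvider(new BouncyCastleProvider()); }

    /** Reads the key and certificates from the given PEM files (any order) into a fresh PKCS#12 store. */
    public static KeyStore pemToPkcs12(List<String> pemFiles, char[] pemPass, String alias, char[] p12Pass) throws Exception {
        JcaPEMKeyConverter keyConv = new JcaPEMKeyConverter().setProvider("BC");
        JcaX509CertificateConverter certConv = new JcaX509CertificateConverter().setProvider("BC");
        PrivateKey key = null;
        List<X509Certificate> certs = new ArrayList<X509Certificate>();
        for (String file : pemFiles) {
            try (PEMParser parser = new PEMParser(new FileReader(file))) {
                for (Object o = parser.readObject(); o != null; o = parser.readObject()) {
                    if (o instanceof X509CertificateHolder) {               // BEGIN CERTIFICATE
                        certs.add(certConv.getCertificate((X509CertificateHolder) o));
                    } else if (o instanceof PEMKeyPair) {                   // BEGIN RSA PRIVATE KEY, clear
                        key = keyConv.getPrivateKey(((PEMKeyPair) o).getPrivateKeyInfo());
                    } else if (o instanceof PrivateKeyInfo) {               // BEGIN PRIVATE KEY (PKCS#8, clear)
                        key = keyConv.getPrivateKey((PrivateKeyInfo) o);
                    } else if (o instanceof PEMEncryptedKeyPair) {          // Proc-Type: 4,ENCRYPTED (openssl pkcs12 -out)
                        key = keyConv.getPrivateKey(((PEMEncryptedKeyPair) o)
                                .decryptKeyPair(new JcePEMDecryptorProviderBuilder().build(pemPass)).getPrivateKeyInfo());
                    } else if (o instanceof PKCS8EncryptedPrivateKeyInfo) { // BEGIN ENCRYPTED PRIVATE KEY
                        key = keyConv.getPrivateKey(((PKCS8EncryptedPrivateKeyInfo) o)
                                .decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder().build(pemPass)));
                    }
                }
            }
        }
        if (key == null || certs.isEmpty()) throw new IllegalArgumentException("need one private key and at least one certificate");
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // empty store
        // Same password for the entry and the store: that is what keytool and openssl expect of a .p12.
        p12.setKeyEntry(alias, key, p12Pass, orderChain(certs).toArray(new Certificate[0]));
        return p12;
    }

    /** keytool -importkeystore in code: copy the entry into a JKS under a new alias and password. */
    public static KeyStore pkcs12ToJks(KeyStore p12, String srcAlias, char[] p12Pass, String destAlias, char[] jksPass) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        jks.setKeyEntry(destAlias, p12.getKey(srcAlias, p12Pass), jksPass, p12.getCertificateChain(srcAlias));
        return jks;
    }

    /** Orders leaf first, then each issuer in turn; the leaf is the cert that issued nothing else in the set. */
    static List<X509Certificate> orderChain(List<X509Certificate> certs) {
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        X509Certificate cur = null;
        for (X509Certificate c : certs) if (related(certs, c, true) == null) { cur = c; break; }
        while (cur != null && !chain.contains(cur)) { chain.add(cur); cur = related(certs, cur, false); }
        return chain;
    }

    /** issued=true: some cert issued by x; issued=false: the cert that issued x. Null if none. */
    private static X509Certificate related(List<X509Certificate> certs, X509Certificate x, boolean issued) {
        for (X509Certificate c : certs) {
            if (c == x) continue;
            if (issued ? c.getIssuerX500Principal().equals(x.getSubjectX500Principal())
                       : c.getSubjectX500Principal().equals(x.getIssuerX500Principal())) return c;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // File names as in the openssl/keytool commands above; alias and passwords are placeholders.
        char[] p12Pass = "p12secret".toCharArray(), jksPass = "jkssecret".toCharArray();
        KeyStore p12 = pemToPkcs12(Arrays.asList("certFile.pem", "keyFile.key", "intermediateCertFile.pem"), null, "tomcat", p12Pass);
        try (OutputStream out = new FileOutputStream("p12File.p12")) { p12.store(out, p12Pass); }
        KeyStore jks = pkcs12ToJks(p12, "tomcat", p12Pass, "tomcat", jksPass);
        try (OutputStream out = new FileOutputStream("MY_KEYSTORE.jks")) { jks.store(out, jksPass); }
        System.out.println("JKS aliases: " + Collections.list(jks.aliases())); // what keytool -list would show
    }
}
```

Ordering the chain matters: KeyStore.setKeyEntry expects the end-entity certificate first, and keytool and Tomcat both read it that way, so the files can be passed in any order and orderChain sorts them by issuer links.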


Friday, 16 August 2013

Debugging tests in gradle

Found this out after a bunch of hacking around.

Gradle starts tests in a separate process from the main build script process, so if you want to debug them you have to configure the test task with JVM debug args.

For example:
// Add JDWP arguments to the forked test JVM only; the build JVM itself is unaffected.
// suspend=y makes the test JVM wait until a debugger attaches on port 5005.
test.doFirst {
    jvmArgs '-Xdebug', '-Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005'
}
If you "gradle test" the build process will run and suspend on the test task.  You can then attach a remote debugger to port 5005 to see what is going on.  The Test task also has a debug property (test { debug = true }) that does the same thing on port 5005 without spelling out the JVM arguments.

Tuesday, 4 June 2013

Wrapped and Bare and JAXBElement

More web service binding stuff.

I had a WSDL that declared elements as both nillable and minOccurs="0" (so that the elements were wrapped in JAXBElement)

AND it was of doc/lit wrapped form, but had an input type that was also an output type.  This was causing the parameters to get wrapped in javax.xml.ws.Holder objects.

I managed to turn both off with the following binding file:

<jaxws:bindings wsdlLocation="[LOCATION OF WSDL]"
      xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
      xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
      xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:jxb="http://java.sun.com/xml/ns/jaxb"
      xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <!-- Bare style: operations take and return the whole request/response element, so no Holder parameters. -->
  <jaxws:enableWrapperStyle>false</jaxws:enableWrapperStyle>

  <!-- Scope the JAXB customisation to the schema that holds the WSDL's types. -->
  <jaxws:bindings node="wsdl:definitions/wsdl:types/xs:schema[@targetNamespace='[NAMESPACE OF WSDL TYPES]']">
    <jxb:globalBindings>
      <!-- Plain properties instead of JAXBElement<T> for nillable + minOccurs="0" elements.
           xjc: customisations are vendor extensions, so run wsimport with -extension. -->
      <xjc:generateElementProperty>false</xjc:generateElementProperty>
    </jxb:globalBindings>
  </jaxws:bindings>

</jaxws:bindings>

Thursday, 4 April 2013

Migrating data using oracle

http://www.oracle-base.com/articles/10g/oracle-data-pump-10g.php