Enrollment certificate of user does not have the attribute values assigned to it when registering it using Hyperledger-fabric-sdk-java - blockchain

I want to use Access Based Control in my blockchain network and am assigning attributes to the user for this purpose. However, the enrollment certificate stored in my wallet does not have the attribute values present in it.
My code snippet for registering and enrolling the user:
RegistrationRequest registrationRequest = new RegistrationRequest("appUser1");
registrationRequest.setAffiliation("org1.department1");
registrationRequest.setEnrollmentID("appUser1");
Attribute attr = new Attribute("Type","Approver",true);
registrationRequest.addAttribute(attr);
String enrollmentSecret = caClient.register(registrationRequest, admin);
Enrollment enrollment = caClient.enroll("appUser1", enrollmentSecret);
Identity user = Identities.newX509Identity("Org1MSP", adminIdentity.getCertificate(), adminIdentity.getPrivateKey());
wallet.put("appUser1", user);
System.out.println("Successfully enrolled user \"appUser1\" and imported it into the wallet");
Decoded X.509 certificate of the generated certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:b2:b9:02:cd:de:14:6b:00:dc:16:b4:e8:95:74:7d:03:52:3e:01
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = North Carolina, O = Hyperledger, OU = Fabric, CN = fabric-ca-server
        Validity
            Not Before: Jan  5 05:34:00 2023 GMT
            Not After : Jan  5 06:37:00 2024 GMT
        Subject: OU = client, CN = admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:9f:03:45:44:0b:b1:4d:78:c9:58:fe:c1:82:d4:
                    34:04:80:a9:a5:fe:7f:27:2d:5a:a4:54:c8:c2:bb:
                    86:61:00:3d:62:33:99:02:0a:65:75:dc:ce:62:44:
                    96:fd:10:88:2f:44:fa:1d:4a:04:3d:79:33:03:ac:
                    b1:cd:82:dc:5c
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FF:71:92:2E:B8:24:37:A3:13:78:EC:D1:11:D7:54:B6:BD:D6:43:9E
            X509v3 Authority Key Identifier:
                keyid:D5:DC:30:53:0C:B2:EF:74:76:6C:44:9F:45:B8:A3:46:EB:F0:05:2A
            X509v3 Subject Alternative Name:
                DNS:localhost
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:11:c6:fa:4a:bf:bb:57:89:63:4a:56:c0:bb:cf:
         2d:49:19:9e:74:9b:ac:dc:05:d4:ed:ca:9c:9e:cf:48:be:f0:
         02:20:53:0b:ed:57:88:26:9d:a9:38:c4:70:cd:8d:07:41:cc:
         85:bf:32:dc:3b:15:41:11:fc:27:02:e4:cf:e8:cf:25
Access Based Control in the chaincode requires the attributes to be present in the certificate. Does anybody know what I am doing wrong?
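As an added example that is not the asker's code: the decoded certificate above has Subject CN = admin, and the snippet passes adminIdentity's certificate and key to Identities.newX509Identity, so the wallet ends up holding the registrar's identity rather than the newly enrolled user's. The block below builds the wallet identity from the Enrollment returned by caClient.enroll and refuses to store it unless the certificate carries the Fabric CA attribute extension, so a missing attribute is caught at enrollment time rather than at chaincode time. It assumes the same caClient, registrar User and Wallet objects as the question (fabric-ca SDK and fabric-gateway-java APIs) and that attributes are stored under OID 1.2.3.4.5.6.7.8.1, the extension Fabric's client identity (cid) library reads.

```java
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.hyperledger.fabric.gateway.Identities;
import org.hyperledger.fabric.gateway.Identity;
import org.hyperledger.fabric.gateway.Wallet;
import org.hyperledger.fabric.sdk.Enrollment;
import org.hyperledger.fabric.sdk.User;
import org.hyperledger.fabric_ca.sdk.Attribute;
import org.hyperledger.fabric_ca.sdk.HFCAClient;
import org.hyperledger.fabric_ca.sdk.RegistrationRequest;

public final class EnrollWithAttributes {

    // OID of the Fabric CA attribute extension (JSON such as {"attrs":{"Type":"Approver"}});
    // this is the extension the chaincode-side cid library reads. Assumed, see lead-in.
    static final String FABRIC_ATTRS_OID = "1.2.3.4.5.6.7.8.1";

    // Assumed inputs: the HFCAClient, registrar User and Wallet from the question.
    static Identity registerAndEnroll(HFCAClient caClient, User registrar, Wallet wallet,
                                      String userId) throws Exception {
        RegistrationRequest req = new RegistrationRequest(userId);
        req.setAffiliation("org1.department1");
        // Third argument true: the attribute is placed in the enrollment certificate.
        req.addAttribute(new Attribute("Type", "Approver", true));
        String secret = caClient.register(req, registrar);

        Enrollment enrollment = caClient.enroll(userId, secret);

        // Build the wallet identity from the enrollment, not from the registrar's identity.
        X509Certificate cert = Identities.readX509Certificate(enrollment.getCert());
        PrivateKey key = enrollment.getKey();
        Identity identity = Identities.newX509Identity("Org1MSP", cert, key);

        // Fail early if the ECert carries no attribute extension.
        if (!hasFabricAttributes(cert)) {
            throw new IllegalStateException(
                "ECert for " + userId + " (subject " + cert.getSubjectX500Principal()
                + ") has no Fabric attribute extension");
        }
        wallet.put(userId, identity);
        return identity;
    }

    // getExtensionValue returns null when the certificate lacks the extension.
    static boolean hasFabricAttributes(X509Certificate cert) {
        return cert.getExtensionValue(FABRIC_ATTRS_OID) != null;
    }
}
```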

Related

How can I save private key with passphase using phpseclib?

I am trying to create self-signed certificates without using openssl or any command line application in PHP. Is it possible? I have found a library on the internet named phpseclib, but I am not sure if it is possible to produce certificates in .crt format. My objective is to sign PDFs with those self-signed certificates, for which the certificates must be in .crt format. The private key must have a passphrase. How do I save the private key with a passphrase? I am using the code below:
<?php
// RSA::createKey() as a static call and getPublicKey() are the phpseclib 3 API
use phpseclib3\Crypt\RSA;
use phpseclib3\File\X509;

// create private key / x.509 cert for stunnel / website
$CAPrivKey = RSA::createKey();
$CAPubKey = $CAPrivKey->getPublicKey();
$CASubject = new X509;
$CASubject->setDNProp('id-at-organizationName', 'phpseclib CA cert');
$CASubject->setPublicKey($CAPubKey);
$CAIssuer = new X509;
$CAIssuer->setPrivateKey($CAPrivKey);
$CAIssuer->setDN($CASubject->getDN());
$x509 = new X509;
// $x509->makeCA();
$result = $x509->sign($CAIssuer, $CASubject);
// the key object is converted to PEM when written as a string
file_put_contents("2.key", $CAPrivKey);
$cert = $x509->saveX509($result);
file_put_contents("2.crt", $cert);

How can I find my personal endpoint in AWS IoT?

I'm trying to write a Java app that behaves as a Thing, publishing data in AWS. The Documentation has this code sample:
String clientEndpoint = "<prefix>.iot.<region>.amazonaws.com"; // replace <prefix> and <region> with your own
String clientId = "<unique client id>"; // replace with your own client ID. Use unique client IDs for concurrent connections.
String certificateFile = "<certificate file>"; // X.509 based certificate file
String privateKeyFile = "<private key file>"; // PKCS#1 or PKCS#8 PEM encoded private key file
// SampleUtil.java and its dependency PrivateKeyReader.java can be copied from the sample source code.
// Alternatively, you could load key store directly from a file - see the example included in this README.
KeyStorePasswordPair pair = SampleUtil.getKeyStorePasswordPair(certificateFile, privateKeyFile);
AWSIotMqttClient client = new AWSIotMqttClient(clientEndpoint, clientId, pair.keyStore, pair.keyPassword);
// optional parameters can be set before connect()
client.connect();
I know what clientId is and how to find my ID, but I cannot understand the <prefix> in clientEndpoint.
It's not the account's personal endpoint, but the Thing's endpoint.
Go to IoT Core -> Manage -> Things, select your thing -> Interact.
It's the URL under the HTTPS part. It should be in the form xxxxxxxxxxxxxxxxx.iot.region.amazonaws.com, where the x's should contain mainly lowercase letters, and maybe some numbers.
Call the DescribeEndpoint API.
In Java, this would be:
AWSIot awsIotClient = AWSIotClientBuilder.defaultClient();
DescribeEndpointRequest request = new DescribeEndpointRequest().withEndpointType("iot:Data");
DescribeEndpointResult result = awsIotClient.describeEndpoint(request);
String endpoint = result.getEndpointAddress();

Two Private keys on Weblogic

How do I access two private keys on a WebLogic server, or via Java code?
Any pointers would help.
Below is the piece of code, but it throws "key is tampered or password is wrong".
Similar code works if I pass the truststore or keystore location directly, like .trustStoreFile("C:\Test\XYZTrust.jks").
If I change the code like below it throws:
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/* Get the JKS contents */
final KeyStore keyStore = KeyStore.getInstance("JKS");
try (final InputStream is = new FileInputStream(fullPathOfKeyStore())) {
    // JKS_PASSWORD is the keystore (integrity) password
    keyStore.load(is, JKS_PASSWORD);
}
final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
        .getDefaultAlgorithm());
// KEY_PASSWORD is the password of the private key entry, which may differ from the keystore password
kmf.init(keyStore, KEY_PASSWORD);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory
        .getDefaultAlgorithm());
// the same keystore is used here as the trust store
tmf.init(keyStore);
/*
 * Creates a socket factory for HttpsURLConnection using JKS
 * contents
 */
final SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
final SSLSocketFactory socketFactory = sc.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
Error: Keystore was tampered with, or password was incorrect
Note: Password and keystore are 1000 % correct.
You can find your keystore using the Admin Console.
Go to Environment -> Servers -> AdminServer.
You should see something like this:
In the field "Custom Identity Keystore" is the path to your keystore file,
and in the field "Custom Trust Keystore" is the path to your trust keystore.
In case you don't have the correct password, you can use the following link to decrypt them.
http://techtapas.blogspot.de/2011/05/how-to-decrypt-weblogic-passwords-with.html?m=1
If you are using default passwords, then most likely it is one of these:
https://itguykelly.wordpress.com/2010/05/20/default-weblogic-keystore-passwordpassphrase/

How to set Issuer information (CA) to User-Certificate - using phpseclib?

I want to run my Certificate Authority with a PHP interface. As backend I want to use phpseclib (version 1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download).
The CA root certificate is generated with openssl, and the following script should create a valid client certificate issued by my CA. The part up to the CSR looks reasonable and the CSR is valid. But the part where I sign the certificate with my CA seems to fail. I get a certificate with the user information but no issuer is given. I use the example code from the website, so I have no idea what to do.
Any suggestions? Do I import the CA certificate the wrong way?
<?php
set_include_path("../resources/library/");
include('File/X509.php');
include('Crypt/RSA.php');
//show ALL errors
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Create key pair.
$rsa = new Crypt_RSA();
$key = $rsa->createKey();
$privkey = new Crypt_RSA();
$privkey->loadKey($key['privatekey']);
$pubkey = new Crypt_RSA();
$pubkey->loadKey($key['publickey']);
$pubkey->setPublicKey();
// Create certificate request.
$csr = new File_X509();
$csr->setPrivateKey($privkey);
$csr->setPublicKey($pubkey);
$csr->setDN('CN=www.example.org');
$csr->loadCSR($csr->saveCSR($csr->signCSR()));
// Set CSR attribute.
$csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);
// Set extension request.
$csr->setExtension('id-ce-keyUsage', array('encipherOnly'));
// Generate CSR.
file_put_contents('csr.pem', $output= $csr->saveCSR($csr->signCSR()));
echo $output . "\n";
// Read certificate request and validate it.
$csr = new File_X509();
$csr->loadCSR(file_get_contents('csr.pem'));
if ($csr->validateSignature() !== true) {
    exit("Invalid CSR\n");
}
// Alter certificate request.
$csr->setDNProp('CN', 'www.example.org');
//~ $csr->removeExtension('id-ce-basicConstraints');
// Load the CA and its private key.
$pemcakey = file_get_contents("../../myCA/cafile/ca.key");
$cakey = new Crypt_RSA();
$cakey->setPassword('rootca'); // !!!!!!
$cakey->loadKey($pemcakey);
$pemca = file_get_contents("../../myCA/cafile/ca.crt");
$ca = new File_X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// Sign the updated request, producing the certificate.
$x509 = new File_X509();
$cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));
// Generate the certificate.
echo $x509->saveX509($cert) . "\n";
?>
Example output, first the CSR and then the generated certificate:
I falsely had the opinion that the output certificate contains no issuer. I used https://www.sslshopper.com/certificate-decoder.html for testing/decoding.
[SOLVED]
- Using another decoder like openssl, all the set information plus the issuer is shown.
?! In some cases the decoder is messing up reading all the header information ?!

"certificate verify failed" in Ruby controller

I am a newbie and I am trying to create an app to list boat renter companies and to allow users to give reviews on them. First of all, I want to allow users to create Renters. I used omniauth for Facebook connect. It works on production but not on localhost.
When I try to add a renter, after clicking the submit button on the renter view, I get the error:
Started POST "/renters" for ::1 at 2016-02-10 11:20:00 +0100
Processing by RentersController#create as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"xxx...xxx", "renter"=>{"name"=>"bastia", "address"=>"bastia", "latitude"=>"", "longitude"=>"", "website"=>"", "email"=>"", "phone"=>"", "user_id"=>""}, "commit"=>"Valider"}
(0.3ms) BEGIN
(0.4ms) ROLLBACK
Completed 500 Internal Server Error in 34ms (ActiveRecord: 0.7ms)
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
app/controllers/renters_controller.rb:44:in `create'
Here is the renters_controller.rb:
class RentersController < ApplicationController
  before_action :set_renter, only: [:show, :edit, :update, :destroy]

  def create
    @renter = Renter.new(renter_params)
    if @renter.save
      gflash notice: "Le loueur a bien été enregistré"
      redirect_to '/'
    else
      gflash :now, notice: "Une erreur est survenue."
      render :new
    end
  end

  def renter_params
    params.require(:renter).permit(:name, :address, :website, :email, :phone, :review, :latitude, :longitude, :user_id)
  end
end
and the model renter.rb:
class Renter < ActiveRecord::Base
  geocoded_by :address
  after_validation :geocode
  reverse_geocoded_by :latitude, :longitude
  after_validation :reverse_geocode # auto-fetch address
end
Can someone help me?
To make Facebook connect work in a development environment, you must first create a test app in your Facebook Developers account:
Go to your app https://developers.facebook.com/apps/[your-id]
Click on Test Apps
Create a new one
Settings:
- App domains: localhost
- Site url: http://localhost:3000/
Then enter in your app the app id and the app secret (in your application.yml if you use Figaro), like this:
application.yml
development:
  OAUTH_FACEBOOK_ID: 'facebook-id'
  OAUTH_FACEBOOK_SECRET: 'facebook-secret'
Then you can use it in your devise.rb
devise.rb
config.omniauth :facebook, ENV['OAUTH_FACEBOOK_ID'], ENV['OAUTH_FACEBOOK_SECRET'],
  scope: 'public_profile', image_size: {height: 1600},
  info_fields: 'name, id, first_name, last_name, gender, hometown, cover, email, link' # list of permissions
It works on production but not on localhost...
When developing on localhost, you can model the public gear by creating a CA, creating a CSR for localhost, and then having your CA sign the CSR. Finally, you use your certificate with your dev web server, and you install your CA in your local trust store.
Becoming your own CA means things will "just work" in browsers and other user agents. If you try the self-signed certificate route (discussed below), then you will be OK with most user agents, but browsers will be a pain point.
For information on becoming your own CA and issuing certificates for your developer workstation, see How do you sign Certificate Signing Request with your Certification Authority?
You might also be able to create a self-signed certificate to avoid the CA and CSR stuff. In this case, you would tell Ruby to trust the self-signed certificate for localhost instead of the CA.
You should be OK with most user agents, but browsers will be a pain point because they have moved against self-signed certificates.
For creating self signed certificates, see How to create a self-signed certificate with openssl? and How can I generate a self-signed certificate with SubjectAltName using OpenSSL?
You should not do this: :use_https => false.