I need to upload a key on GoogleCloud Platform, but the platform says that key needs to be Public certificates need to be in RSA_X509_PEM format. I'm kinda of stuck and don't how to upload the key. Did anyone came across the same situation and ca help googlecloud
When you want to "upload a key on a service account", that means that you have generated a private key on your side, in the correct format, and you want to send to Google the public key to let google validate validate the communication.
If you follow the documentation you have the correct openSSL command to generate a key for this use case.
Related
I have been following this sample from AWS. I have followed the guide, downloaded the certificates, converted them into .pfx and tested them in a local code similar to the sample. The code works fine and the intended connection can be established. However, when I try to upload the certificate to Azure Key Vault, I get this error:
The specified X.509 certificate content is invalid. Error: one or more x.509 properties are invalid.
I have Googled and tested quite a few different openssl commands, and also tried to upload through PowerShell (just incase), but its always the same error. I am a bit clueless as to why this (as far as I know) official AWS example does not just work, and why I can not just export certificates from one big cloud company to another.
Does anyone have any guesses as to what is going wrong and what properties may be invalid, or how I can find out?
PS: My Azure code is getting all configurations from the Key Vault secrets (connection strings, etc). I figured it could similarly be used to store certificates that my code can retrieve and use, instead of storing the certificate file in the project. Do let me know if I have misunderstood what kind of certificates should be saved in the Key Vault.
Please check if following can be worked around:
Please note that Key Vault requires /accepts only a PEM or PFX file
along with a private key.
If you have a private key stored separately in a different format,
you need to combine the key with the certificate and key should not
be encrypted. Some certificate authorities (CAs) provide certificates
in other formats. Therefore, before you import the certificate, make
sure that it's in either PEM or PFX file format and it uses key
either (RSA) or elliptic-curve cryptography (ECC) encryption. see
creating a certificate with a ca not partnered with key-vault
Some factors to check:
Please check if the Pfx was expired or Pfx password is incorrect or
has an invalid format.
Try Re-importing the cert from a pfx file with the --password
parameter if it is password protected.
Also make sure you have access policies created create,get
,set,delete ,list for user that is trying to create and also for the
application.
And the name of the secret or certificate that you are uploading
must be unique and should not match with any other secret that was
created previously. Content-type must be application/x-pkcs12 for
pfx file.
Also check the similar case from SO reference
References:
Understand X.509 public key certificates | Microsoft Docs /About Azure Key Vault Certificates
"The parameter KeyVault Certificate has an invalid value"- Microsoft
Q&A
Getting error when uploading build in google play store console. The error is following.
Leaked GCP API Keys
Your app contains exposed Google Cloud Platform (GCP) API keys.
The culprit code is following.
Places.initialize(getApplicationContext(), BuildConfig.GOOGLE_API_KEY);
According to the documentation i am reading key from BuildConfig and also restrict the key. But still the same issue. how can i fix this issue..
I also faced the same problem. I couldn't find any proper solution for this. After lot of searching I found a solution. So I am giving a complete guide for this issue.
Many thanks to Prasenjit Banerjee for helping me.
Complete guide for use API Keys and avoid Leaked GCP API Keys security issue in Google Play Console :
First of all you need to follow API security best practices for add restrictions and securely using API keys.
Then follow Set Up an Android Studio Project for add API keys to local.properties and use them in AndroidManifest.xml & Main program.
Finally access API keys As a variable in your AndroidManifest.xml file :
<application>
.
.
.
.
<activity>
.
.
.
.
</activity>
<meta-data
android:name = "keyValue"
android:value = "${KEY}"/>
</application>
Access API keys in MainActivity.kt and type in the below code to get the KEY value from the meta-data in AndroidManifest.xml (Find solution from this article in GeeksforGeeks ) :
Note: Don't use BuildConfig class to get these API keys because this class expose those properties as variables.
class MainActivity : AppCompatActivity() {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_main)
//get the KEY value from the meta-data in AndroidManifest
val ai: ApplicationInfo = applicationContext.packageManager
.getApplicationInfo(applicationContext.packageName, PackageManager.GET_META_DATA)
val value = ai.metaData["keyValue"]
val key = value.toString()
//for testing only
Toast.makeText(applicationContext, key, Toast.LENGTH_LONG).show()
// use this key to initialize places sdk
Places.initialize(applicationContext, key)
}
}
In order to secure your API Keys in GCP you have to search for "Credentials" in the Cloud Platform Console. Create a new API Key using the Create credentials button, configured the same as the compromised API Key. The restrictions on the API Key must match, otherwise you may suffer an outage.
Push the API Key to all locations in which the old key was in use, and then delete the old key.
I would recommend you to take a look at the official documentation for handing compromised credentials in GCP for a better detail.
Other than that, you might want to consider Keyless API authentication by leveraging workload identify federation
I've had to download a key for a Google's Firebase service and yet another key for the pub/sub. How am I supposed to reference both keys with the GOOGLE_APPLICATION_CREDENTIALS key word?
Normally you only use one service account that has the required permissions.
Application Default Credentials (ADC) support one and only one service account JSON key file specified by the environment variable GOOGLE_APPLICATION_CREDENTIALS.
When writing code for Google Cloud, the SDK clients support specifying a service account as a parameter. In your example, you will need to create SDK clients using the appropriate credentials (service account JSON key file). The Firebase admin client can use one credential and the Pub/Sub client can use the other credential.
I'm having exactly the same issue. I'm trying to run two different Firestore services on one machine. Each service uses a different Firestore project. As far as I can see, to explicitly authenticate by directly accessing my JSON key file, I need to do something like this:
FirestoreClient client = Use ClientBuilderBase and its property: CredentialsPath
FirestoreDb = FirestoreDb.Create(firestoreProjectId, client);
But as ClientBuilderBase is an abstract class, I'm stumped. Anyone whose got some sample code that does this for real would be a real help.
Cheers
Keith
I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.
I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.
I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )
The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature.
For my first tests I write my own "hello world" backend, that logs the JWT.
I use http://jwt.io which manages to read my JWT without any problem. But it tells me the signature is invalid.
To make the signature valid I would need a valid public key.
I don't know where to find that key.
I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.
I tried this, and also its base64-encoded representation, in http://jwt.io but no success.
Because I was wondering where my public key is, I have also read:
How to validate a JWT from WSO2 API Manager
(and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ )
However the code provided is a bit on its own, with not even a mention of language. I assume it's node.js, but no info about libs or anything.
Here are some more precise questions:
WSO2 APIM offers only SHA256withRSA (which is a flavor of SHA2 IIUC). wso2carbon.jks cert that I found were sha1. So I'm supposing that could not have worked anyway. How can APIM generate SHA256 with SHA1 certificates?
WSO2 APIM offers only SHA256withRSA. http://jwt.io gives the choice between RS256 and HS256, one uses a key, the other a secret (public/private). I'm guessing I need to use RS256? (but again the only keys I have seem to come from SHA1 certs)
has anyone succeeded in what I'm doing? Install WSO2 APIM, generate a JWT and validate the JWT against http://jwt.io, including signature?
If I use a lib such as https://github.com/tymondesigns/jwt-auth to validate the JWT, will it work? I was told that this lib doesn't support SHA256.
in the APIM I'm in a tenancy, called sandbox. If I go to the super-tenancy carbon I see wso2carbon.jks. If I go to my own tenancy's carbon I see sandbox.jks, but it's empty, and on the deployment machine there's no corresponding file. How does that work out, does the tenancy JKS exist only when used, or is it stored in the DB and not filesystem?
how much can I show of my tokens, JWT etc on a public forum? :-) (if it helps to help me, I'm willing to share!)
Thanks for any tips!
(maybe all I need is the default public key, seeing as I'm using the default keystore!)
Answering myself in case anyone has the same issue.
Two things helped me out:
first, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
then I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:
log in as tenant admin in APIM carbon portal
navigate to configure / keystores
there was a keystore for the tenancy (called sandbox1.jks), click on public key
save the downloaded sandbox1.cert and convert it to pem using the above command
The resulting pem worked fine with jwt.io using RS256
Hope this helps others!
I have written a program to sign XMl file using Digital signature API provided by Java
(ie., classes from javax.xml.crypto.dsig package). But to sign an xml document , the private key had to be provided, to create a signing context, before specifying a digest like in the below statement .
DOMSignContext dsc = new DOMSignContext(priv_key, doc.getDocumentElement());
I want to sign the xml when i store private key in a secure storage like HSM.
I have wrapper classes to access HSM in JAVA,so I can get a handle for the private key, but do not know how to use it for signing.
Can anyone guide me on how to sign XML in this way...
Signing is supported by the PKCS#11 provider that is delivered by Oracle. You may currently have a C style handle in the wrapper class, but that is not much use. The handle must be within a JCA provider to be used with the XML signing classes. And the provider must be signed by an Oracle provided code signing certificate.
To use the private key with the PKCS#11 provider, make sure that a certificate with the same ID is present in the PKCS#11 token. That way the combined private key/certificate entry will show up in the "PKCS11" KeyStore. You can use that to sign the XML data.