Two Private keys on Weblogic - web-services

How to access two private keys on Web logic server or via Java code.
Any pointers would help.
Below is the piece of code, but it throws key is tampered or password is wrong.
Similar code works if i pass the the truststore or keystore location as direct location like .trustStoreFile("C:\Test\XYZTrust.jks")
If i change the code like below it throws
/* Get the JKS contents */
final KeyStore keyStore = KeyStore.getInstance("JKS");
try (final InputStream is = new FileInputStream(fullPathOfKeyStore())) {
keyStore.load(is, JKS_PASSWORD);
}
final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
.getDefaultAlgorithm());
kmf.init(keyStore, KEY_PASSWORD);
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory
.getDefaultAlgorithm());
tmf.init(keyStore);
/*
* Creates a socket factory for HttpsURLConnection using JKS
* contents
*/
final SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom());
final SSLSocketFactory socketFactory = sc.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
Error :- Keystore was tampered with, or password was incorrect
Note:- Password and keystore are 1000 % correct.

You can find your Keystore using Admin-console.
Got to Environment -> Servers -> AdminServer.
You should see something like this:
In the field "Custom identity Keystore"is the path to your Keystore file,
and in the field "Custom Trust Keystore" is the path to your Trust key.
In case you don't have the correct Password you can use the following link to decrypt them.
http://techtapas.blogspot.de/2011/05/how-to-decrypt-weblogic-passwords-with.html?m=1
If you are using default passwords then most of the chances that this is one of those:
https://itguykelly.wordpress.com/2010/05/20/default-weblogic-keystore-passwordpassphrase/

Related

Can I decrypt password using the private key generated in Django backend in Flutter?

I am making a password manager app where I am using asymmetric encryption to store passwords. I have created a Django backend for the app where I have stored the user's public key in the User model. During registration, I am storing the public key in the database and sending the user their private key to the Flutter app.
I am using the following function to encrypt the password and store it in the password store model:
def encrypt(data, key):
key = serialization.load_pem_public_key(
key.encode(),
backend=default_backend()
)
data = key.encrypt(
data.encode(),
padding.OAEP(
mgf=padding.MGF1(algorithm=hashes.SHA256()),
algorithm=hashes.SHA256(),
label=None
)
)
return data
Now, I want to know if I can decrypt passwords or any other string data in Flutter using the private key that is generated in the Django backend. If yes, how can I do it?
Also, I don't want to pass the decrypted password from the backend to the Flutter app. I want the client-side to handle it. For this, I am storing the private key in the user's device using shared preferences in Flutter:
SharedPreferences.getInstance().then((prefs) {
prefs.setString("privateKey", widget.privateKey);
});
Can anyone help me with this?
I tried using the decryptByPrivateKey function below to decrypt a password on the client side in my Flutter app using a private key generated on my Django backend:
dynamic decryptByPrivateKey(String content) async {
final prefs = await SharedPreferences.getInstance();
final private = prefs.getString('privateKey')!;
RSAKeyParser parser = RSAKeyParser();
RSAPrivateKey privateKey = parser.parse(private) as RSAPrivateKey;
AsymmetricBlockCipher cipher = PKCS1Encoding(RSAEngine());
cipher..init(false, PrivateKeyParameter<RSAPrivateKey>(privateKey));
return utf8.decode(cipher.process(Encrypted.fromBase64(content).bytes));
}
However, I got the following error related to the content parameter, and I'm not sure how to resolve it:
FormatException: Invalid character (at character 2) b'\rV\x86ldn\x171*^c\xabsAc;\xead\xea\x05C\x996o\x0e#\xe2\xed\x1c\xa21\x80d... ^
Also, I am generating and sending the private key to the client as shown in the code snippet below:
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
public_key = private_key.public_key()
public_key = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
private_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption()
)
private_key = private_key.decode('utf-8')
public_key = public_key.decode('utf-8')
I am hoping to be able to decrypt the password on the client side using the private key without passing the decrypted password from the backend. Can anyone help me with this issue?"

How can I save private key with passphase using phpseclib?

I am trying to create self-signed certificates without using openssl or any command line application in PHP. Is it possible? I have found a library on the internet named phpseclib. But I am not sure if it is possible to produce certificates in .crt format. My objective is to sign pdfs with those self-signed certificates for which the certificates must be in .crt format. The private key must have a passphrase. how do I save the private key with a passphrase?? I am using the code below
// create private key / x.509 cert for stunnel / website
$CAPrivKey = RSA::createKey();
$CAPubKey = $CAPrivKey->getPublicKey();
$CASubject = new X509;
$CASubject->setDNProp('id-at-organizationName', 'phpseclib CA cert');
$CASubject->setPublicKey($CAPubKey);
$CAIssuer = new X509;
$CAIssuer->setPrivateKey($CAPrivKey);
$CAIssuer->setDN($CASubject->getDN());
$x509 = new X509;
// $x509->makeCA();
$result = $x509->sign($CAIssuer, $CASubject);
file_put_contents("2.key", $CAPrivKey);
$cert = $x509->saveX509($result);
file_put_contents("2.crt", $cert);

How can I find my personal endpoint in AWS IoT?

I'm trying to write a Java app that behaves as a Thing, publishing data in AWS. The Documentation has this code sample:
String clientEndpoint = "<prefix>.iot.<region>.amazonaws.com"; // replace <prefix> and <region> with your own
String clientId = "<unique client id>"; // replace with your own client ID. Use unique client IDs for concurrent connections.
String certificateFile = "<certificate file>"; // X.509 based certificate file
String privateKeyFile = "<private key file>"; // PKCS#1 or PKCS#8 PEM encoded private key file
// SampleUtil.java and its dependency PrivateKeyReader.java can be copied from the sample source code.
// Alternatively, you could load key store directly from a file - see the example included in this README.
KeyStorePasswordPair pair = SampleUtil.getKeyStorePasswordPair(certificateFile, privateKeyFile);
AWSIotMqttClient client = new AWSIotMqttClient(clientEndpoint, clientId, pair.keyStore, pair.keyPassword);
// optional parameters can be set before connect()
client.connect();
I know what clientId is and how to find my ID, but I cannot understand the in clientEndpoint.
It's not the account's personal endpoint, but the Thing's endpoint.
Go to IoT Core -> Manage -> Things, select your thing -> Interact.
Its the URL under the HTTPS part. It should be in the form xxxxxxxxxxxxxxxxx.iot.region.amazonaws.com, where the x's should contain mainly lowercase letters, and maybe some numbers.
Call the DescribeEndpoint API.
In Java, this would be:
AWSIot awsIotClient = AWSIotClientBuilder.defaultClient();
DescribeEndpointRequest request = new DescribeEndpointRequest().withEndpointType("iot:Data");
DescribeEndpointResult result = awsIotClient.describeEndpoint(request);
String endpoint = result.getEndpointAddress();

Java Cant find Trusted Certificate (JKS)

I need to consume a service using CXF and I am facing the following issue.
Even though I had my Java key store (JKS) workig o SOAP UI, for example, when I use it on my java program it always give me the message
sun.security.validator.ValidatorException: No trusted certificate found
I have checked the JKS file and the certificate is in there, so when I put it on the SOAPUI project, it is recognized and the service successful called, with no problems. I am using as base the code provided by the cxf web site (http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/ClientNonSpring.java?view=log) , as follow:
public static void setupTLS(Object port) throws FileNotFoundException, IOException, GeneralSecurityException
{
final String keyStoreLoc = "d:/certs/mykeystore.jks";
HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
TLSClientParameters tlsCP = new TLSClientParameters();
final String keyPassword ="password";
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(keyStoreLoc), keyPassword.toCharArray());
KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
tlsCP.setKeyManagers(myKeyManagers);
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(keyStoreLoc), keyPassword.toCharArray());
TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
tlsCP.setTrustManagers(myTrustStoreKeyManagers);
httpConduit.setTlsClientParameters(tlsCP);
}
private static TrustManager[] getTrustManagers(KeyStore trustStore)
throws NoSuchAlgorithmException, KeyStoreException
{
String alg = KeyManagerFactory.getDefaultAlgorithm();
TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
fac.init(trustStore);
return fac.getTrustManagers();
}
private static KeyManager[] getKeyManagers(KeyStore keyStore, String keyPassword)
throws GeneralSecurityException, IOException
{
String alg = KeyManagerFactory.getDefaultAlgorithm();
char[] keyPass = keyPassword != null ? keyPassword.toCharArray() : null;
KeyManagerFactory fac = KeyManagerFactory.getInstance(alg);
fac.init(keyStore, keyPass);
return fac.getKeyManagers();
}
When debugging, I can see that the certs are loaded and the keystore and keystrustmanagers are populated accordingly, so after days trying to figure out what is happening, I am running out of ideas. So if you guys have any tip that can help,please help me out.
Thanks in advance.
After running some more tests it was clear that the certificate was the problem. I changed the jks for a valid one and now its running perfectly.
For the ones that need a solution like that, the example that I based my solution (http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/wsdl_first_https/src/main/java/demo/hw_https/client/ClientNonSpring.java?view=log) works like a charm.

How to set Issuer information (CA) to User-Certificate - using phpseclib?

I want to run my Certificate Authority with a PHP interface. As backend i want to use phpseclib. (version 1.0.2 - https://sourceforge.net/projects/phpseclib/files/phpseclib1.0.2.zip/download)
The CA root certificate is generated with openssl and the following script should create a valid Client Certificate issued by my CA. The part to the CSR looks reasonable and the CSR is valid. But the part i sign the Certificate with my CA seems to fail. I get a certificate with the user information but no issuer is given. I use the example code of website - so i have no idea what to do.
Any suggestions? Do i import the CA Certificate the wrong way?
<?php
set_include_path("../resources/library/");
include('File/X509.php');
include('Crypt/RSA.php');
//show ALL errors
error_reporting(E_ALL);
ini_set('display_errors', 1);
// Create key pair.
$rsa = new Crypt_RSA();
$key = $rsa->createKey();
$privkey = new Crypt_RSA();
$privkey->loadKey($key['privatekey']);
$pubkey = new Crypt_RSA();
$pubkey->loadKey($key['publickey']);
$pubkey->setPublicKey();
// Create certificate request.
$csr = new File_X509();
$csr->setPrivateKey($privkey);
$csr->setPublicKey($pubkey);
$csr->setDN('CN=www.example.org');
$csr->loadCSR($csr->saveCSR($csr->signCSR()));
// Set CSR attribute.
$csr->setAttribute('pkcs-9-at-unstructuredName', array('directoryString' => array('utf8String' => 'myCSR')), FILE_X509_ATTR_REPLACE);
// Set extension request.
$csr->setExtension('id-ce-keyUsage', array('encipherOnly'));
// Generate CSR.
file_put_contents('csr.pem', $output= $csr->saveCSR($csr->signCSR()));
echo $output . "\n";
// Read certificate request and validate it.
$csr = new File_X509();
$csr->loadCSR(file_get_contents('csr.pem'));
if ($csr->validateSignature() !== true) {
exit("Invalid CSR\n");
}
// Alter certificate request.
$csr->setDNProp('CN', 'www.example.org');
//~ $csr->removeExtension('id-ce-basicConstraints');
// Load the CA and its private key.
$pemcakey = file_get_contents("../../myCA/cafile/ca.key");
$cakey = new Crypt_RSA();
$cakey->setPassword('rootca'); // !!!!!!
$cakey->loadKey($pemcakey);
$pemca = file_get_contents("../../myCA/cafile/ca.crt");
$ca = new File_X509();
$ca->loadX509($pemca);
$ca->setPrivateKey($cakey);
// Sign the updated request, producing the certificate.
$x509 = new File_X509();
$cert = $x509->loadX509($x509->saveX509($x509->sign($ca, $csr)));
// Generate the certificate.
echo $x509->saveX509($cert) . "\n";
?>
Example Output first the CSR and then the generated Certificate:
-----BEGIN CERTIFICATE REQUEST-----
MIIBiTCB9QIBADAaMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5vcmcwgZ0wCwYJKoZI
hvcNAQEBA4GNADCBiQKBgQC+usAlbhb2Te1NOqIJHPmeGc0TcFa9qJUP8PQIVGip
YMbv5s2uTjmYm8VfnB9lWgchQksDnx561gSILWkcQboWS6upPk4IHGTULOn6qBM7
wnODS4aua6MQghUSx9uImyRt4DjQBn/CUEM1bdcvm4YwJy87KAipH4GvNMOxIbB4
ZQIDAQABoDQwFAYJKoZIhvcNAQkCMQcMBW15Q1NSMBwGCSqGSIb3DQEJDjEPMA0w
CwYDVR0PBAQDAgABMAsGCSqGSIb3DQEBBQOBgQBZSBz87numzJY+SWhaXpER6g7c
cllwJAM5kGl0JptVyN63q6zzc4DM+SVpB3/M5DnuVrWs8+pRifUyJRBcCbo3KYt9
OwJBMO8wCAE7mTKUS/7G3RvAnHyXr3Vp6Ce+qygcmLGlGQ3dcDPeRtHZ5Bhx/j+K
4ZSgiyvE/AO2hm3iqw==
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIBgTCCAWugAwIBAgIUClioDCnX08a7h12xkdKPSdi6Op4wDQYJKoZIhvcNAQEF
BQAwFTETMBEGA1UEAxMKTXJvdHplayBDQTAeFw0xNjA3MDQxNTE2MjBaFw0xNzA3
MDQxNTE2MjBaMDQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLm9yZzEYMBYGA1UEAwwP
d3d3LmV4YW1wbGUub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+usAl
bhb2Te1NOqIJHPmeGc0TcFa9qJUP8PQIVGipYMbv5s2uTjmYm8VfnB9lWgchQksD
nx561gSILWkcQboWS6upPk4IHGTULOn6qBM7wnODS4aua6MQghUSx9uImyRt4DjQ
Bn/CUEM1bdcvm4YwJy87KAipH4GvNMOxIbB4ZQIDAQABozAwLjALBgNVHQ8EBAMC
AAEwHwYDVR0jBBgwFoAU4AZGByEnlMiUK2anCwjvl+9P8MMwDQYJKoZIhvcNAQEF
BQADAQA=
-----END CERTIFICATE-----
I falsly had the opinion that the output certificate contains no issuer. I used https://www.sslshopper.com/certificate-decoder.html for testing/decoding.
[SOLVED]
- Using another decoder like openssl all set information + issuer are
shown.
?! In some case the decoder is messing up reading all header information ?!