I have written a program to sign XMl file using Digital signature API provided by Java
(ie., classes from javax.xml.crypto.dsig package). But to sign an xml document , the private key had to be provided, to create a signing context, before specifying a digest like in the below statement .
DOMSignContext dsc = new DOMSignContext(priv_key, doc.getDocumentElement());
I want to sign the xml when i store private key in a secure storage like HSM.
I have wrapper classes to access HSM in JAVA,so I can get a handle for the private key, but do not know how to use it for signing.
Can anyone guide me on how to sign XML in this way...
Signing is supported by the PKCS#11 provider that is delivered by Oracle. You may currently have a C style handle in the wrapper class, but that is not much use. The handle must be within a JCA provider to be used with the XML signing classes. And the provider must be signed by an Oracle provided code signing certificate.
To use the private key with the PKCS#11 provider, make sure that a certificate with the same ID is present in the PKCS#11 token. That way the combined private key/certificate entry will show up in the "PKCS11" KeyStore. You can use that to sign the XML data.
Related
I need to upload a key on GoogleCloud Platform, but the platform says that key needs to be Public certificates need to be in RSA_X509_PEM format. I'm kinda of stuck and don't how to upload the key. Did anyone came across the same situation and ca help googlecloud
When you want to "upload a key on a service account", that means that you have generated a private key on your side, in the correct format, and you want to send to Google the public key to let google validate validate the communication.
If you follow the documentation you have the correct openSSL command to generate a key for this use case.
I am trying to use Microsoft Outlook mail API in our web application.
Followed this tutorial https://learn.microsoft.com/en-us/outlook/rest/javascript-tutorial first, but some important thing is skipped in it.
[Skipped part]
https://learn.microsoft.com/en-us/outlook/rest/javascript-tutorial#using-the-id-token
This sample won't do all of the required validations listed in the
OpenID spec. Most notably, it won't validate the signature on the
token. Currently requesting the signing keys from Azure would require
a server-side component, so we'll skip that step for the sake of
simplicity. However, production apps should not skip this important
step!
In the example code:
// Per Azure docs (and OpenID spec), we MUST validate
// the ID token before using it. However, full validation
// of the signature currently requires a server-side component
// to fetch the public signing keys from Azure. This sample will
// skip that part (technically violating the OpenID spec) and do
// minimal validation
I have a server-side component created with Django, but I'm not sure how to fetch the public signing keys from Azure.
The actual feature I am implementing is sending email via HTML form. I chose to implement this feature on client-side due to several reasons. It's working and I'd like to make authentication secure before deployment.
Just clarify, I followed the tutorial above and use code from this repo to access Outlook API instead of Microsoft graph. The repo is introduced in the beginning of this tutorial.
Thank you in advance.
You have to find the jwks or cert endpoint in Azure by checking the well-known configuration for Azure (something like this). You'll be able to find all the active and enabled keys in the jwks endpoint in JSON format. You can parse those values inside your application and select the required key.
We are currently evaluating the WSO2 API Manager (v1.6.0) to Front our internal APIs so they can be securely exposed to thirdparty developers and partners. Our internal APIs have implemented an HMAC-SHA1 based custom authorization scheme similar to AWS, where clients construct a HMAC-SHA1 hash string using the request url, the current timestamp and a secret key assigned to that client.
I would like to configure/customize the API Manager to employ this custom scheme when routing requests to our service endpoint. This way the API Manager operates as just another client to our internal API. What is the best way to achieve this? Currently the API Manager only supports Basic Auth (When I select "Secured" in the "Endpoint Security Scheme" drop-down when setting up my API). How do I update the API Manager so it:
Supports my custom scheme - constructs the Authorization Header using our custom scheme when calling our service endpoint
Maintains the secret key used for generating the about header within it's configuration/data store
Although this is a very very old question, I'm answering so it can be useful to someone, someday.
You can do this by either writing a custom handler or custom sequence. What you have to do is,
1) Send the token in a custom header.
2) Copy that token to Authorization header by a custom handler/sequence.
Does anyone know how to add HMAC based authentication for WSO2 API Manager?
Background - We're rolling out WSO2 API Manager 1.3 in front of our publicly available web services and we need JavaScript applications (once authenticated) to be able to consume the services directly (not via a service proxy on their server to handle the OAuth authentication).
Does anyone know the easiest way to get this implemented in WSO2? We've started implementing an AbstractHandler and Authenticator but this seems overkill - someone must have done this or have some pointers on this?
Thank you very much in advance.
You can write your own handler which can implement the AbstractHandler.
Signature verification can be implemented as an API handler similar to the 'APIAuthenticationHandler'. The access token that was provided earlier can be used as the Mac Identifier. The consumer secret can be used as the Mac key, which is a shared secret between the consumer and the provider used to sign the normalized request string.
I do not know if this will help you but we needed our password hashes to be in PBKDF2. So I extended the JDBCUserStoreManager overriding only the preparePassword method. Inside it changed from MessageDigest to SecretKeyFactory for the PBKDF2WithHmacSHA1 algorithm. You can use Mac i guess?
This is possible by implementing a custom mediator and engaging it to the in-flow sequence. The API exposed by API Manager would be OAuth protected, but the actual backend would be HMAC protected. You can find more information on this in the article [1].
[1] https://wso2.com/library/article/2017/10/integrating-wso2-api-manager-with-a-hmac-secured-backend/
I've developed an API with WCF Data Services which exposes my website user's data.
The data hosted there belongs to each user and is not public, so the API is secured with API keys which are unique to each client and http header or GET parameter based authentication.
Now I am wondering if I should enable JSONP on my API. It seems that it would make mash-ups much easier, but on the other side I've seen blog postings like the following, which seem to suggest that JSONP is per se insecure:
http://robubu.com/?p=24
Am I understanding something wrong, or is JSONP indeed only meant for public API's?
Thanks,
Adrian
JSON(P) is simply data format and I think that it's wrong to talk about security of JSON. Security should be considered in context of transportation and interpretation of information that is packed in JSON.
Informations can be encrypted before they are packed in JSON format or whole JSON messages can be encrypted. Security is then based on the strength of the encryption and JSON can be used in insecure enviroment.