In my current assignment I work a lot with security issues. Recently I've had some work involving cryptography. As I have no experience with this from the past it was kinda hard getting started, but this book really gave me a good introduction on the subject.
It walks you through the basics of the history, block ciphers, stream ciphers and public key cryptography. It also has some chapter about the problem with public keys and Public Key Infrastructure. On some of the parts it goes a little deeper but mostly its a on the surface of things. It gives really good real world examples and is in a small format so you can bring it on the buss or the train.
Bottom line. Great book. Cheap book. Buy it if you want to get an intro to cryptography.
A blog where i gather my experiences as a consultant working with Java and security
Thursday, June 25, 2015
Protecting against CSRF
CSRF is a quite common and dangerous attack that many websites are not protected against. The attack can be used to perform actions on website with a logged in user.
To do the attack the attacker need to no what should be sent in a POST request and to URL to post, to perform an action. An action being for example. Creating a new user account.
Lets say the following is posted from a form to create a new account.
Name Value
name Carl
telephone 54865123
password 123456
The password is an example of commonly used passwords =)
The form is posted to a to the path http://www.mysite.com/users/createAccount
The attack can be done as follows.
Some of you might think that this wont work because your site has a login. But it the victim is logged in when the link is clicked the form will be posted using the authenticated session. Thus bypassing all login.
So you can see this is a problem. With a little knowledge of the internals of the site, an attacker can make a victim make whatever actions. And because the action is done with the victims session it can be hard to track the attack.
The way to protect against this is by putting a hidden input in the form, containing an unpredictable value stored at the server. For example a random number. Every session should have a unique value. The best is to let every request have unique value
Because the attacker can't know the value in the response, all you need to do on the server is to control that the value you get in the post request is the same as the one stored on the server.
For more information, tools and tips have a look at OWASPs page for CSRF http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
I would also recommend the OWASP top 10 publication. Witch describes the top 10 security threats to web applications and how to protect against them.
To do the attack the attacker need to no what should be sent in a POST request and to URL to post, to perform an action. An action being for example. Creating a new user account.
Lets say the following is posted from a form to create a new account.
Name Value
name Carl
telephone 54865123
password 123456
The password is an example of commonly used passwords =)
The form is posted to a to the path http://www.mysite.com/users/createAccount
The attack can be done as follows.
- The attacker creates a page on his website like this.
- The a link to a page is then be sent to the victims email. When the victim clicks, the form is posted and the action is excecuted.
<html> <head> <title>My evil page</title> </head> <body onload="javascript:postForm()"> <script language="JavaScript"> function postForm() { document.form.submit(); } </script> <form method="POST" name="form" action="http://www.mysite.com/users/createAccount"> <input type="text" name="name " value="Carl"/> <input type="text" name="telephone" value="54865123"/> <input type="password" name="password" value="password"/> </form> </body> </html>
Some of you might think that this wont work because your site has a login. But it the victim is logged in when the link is clicked the form will be posted using the authenticated session. Thus bypassing all login.
So you can see this is a problem. With a little knowledge of the internals of the site, an attacker can make a victim make whatever actions. And because the action is done with the victims session it can be hard to track the attack.
The way to protect against this is by putting a hidden input in the form, containing an unpredictable value stored at the server. For example a random number. Every session should have a unique value. The best is to let every request have unique value
<input type="hidden" name="CSRFToken" value="<?= $token ?>"/>
Because the attacker can't know the value in the response, all you need to do on the server is to control that the value you get in the post request is the same as the one stored on the server.
For more information, tools and tips have a look at OWASPs page for CSRF http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
I would also recommend the OWASP top 10 publication. Witch describes the top 10 security threats to web applications and how to protect against them.
Adding Java formated code to your blogger blog
[Update]
This one is much better
http://heisencoder.net/2009/01/adding-syntax-highlighting-to-blogger.html
For all you new on blogger, as I was, here is a simple recipe on how to use syntax highlighting or code formating in your blog post.
In blogger goto the tab Design -> Edit HTML
To then add java formated code to a blog use the following tag
Here is an example. The following...
... will render as
If anyone has another solution, maybe a tip on how to get the clipboard util up in the right to work, please comment this post and tell me.
http://heisencoder.net/2009/01/adding-syntax-highlighting-to-blogger.html
For all you new on blogger, as I was, here is a simple recipe on how to use syntax highlighting or code formating in your blog post.
In blogger goto the tab Design -> Edit HTML
Add the following in end of <head>
<link href='http://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'/> <link href='http://alexgorbatchev.com/pub/sh/current/styles/shThemeDefault.css' rel='stylesheet' type='text/css'/> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCpp.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCSharp.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushCss.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushJava.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushJScript.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPhp.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPython.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushRuby.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushSql.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushVb.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'></script> <script src='http://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js' type='text/javascript'></script> <script language='javascript'> SyntaxHighlighter.config.bloggerMode = true; SyntaxHighlighter.config.clipboardSwf = 'http://alexgorbatchev.com/pub/sh/current/scripts/clipboard.swf'; SyntaxHighlighter.all(); </script>
To then add java formated code to a blog use the following tag
Here is an example. The following...
... will render as
int x = 4; int y = 3; int sum = x + y; // 7
If anyone has another solution, maybe a tip on how to get the clipboard util up in the right to work, please comment this post and tell me.
Implicit CSRF protection of ajax requests
Protecting form against CSRF is easy but what about ajax requests, here something more must be done.
It pretty straight forward to just add the token to the data every time you make a ajax request, but what if you have a framework on top making the ajax request by it self. With frameworks using JQuery, in my case primefaces, this can be solved quite easy.
Primefaces uses the JQuery.ajax method when making ajax requests for many of its components, for example autocomplete. The easies way to do this would then offcourse be to change the underlaying function. Thanks to the way JQuery is built the core methods is very easy to override.
To override a core method in JQuery you just assign the function a new function... =/ like this.
The assign function should take the same arguments as the original function. In this case a key/value pair.
Now you just have to put something in the function to append the CSRF token. In my case:
For further reading I recommend the OWASP top 10 publication. Which describes the top 10 security threats to web applications and how to protect against them.
It pretty straight forward to just add the token to the data every time you make a ajax request, but what if you have a framework on top making the ajax request by it self. With frameworks using JQuery, in my case primefaces, this can be solved quite easy.
Primefaces uses the JQuery.ajax method when making ajax requests for many of its components, for example autocomplete. The easies way to do this would then offcourse be to change the underlaying function. Thanks to the way JQuery is built the core methods is very easy to override.
To override a core method in JQuery you just assign the function a new function... =/ like this.
JQuery.ajax = function(settings) { ... }
The assign function should take the same arguments as the original function. In this case a key/value pair.
Now you just have to put something in the function to append the CSRF token. In my case:
//IPR Ergogroup AS jQuery.ajax = function(settings) { if (!settings.dataType) settings.dataType = 'html'; if (typeof (settings.data) == typeof ('')) { settings.data += '$CSRFToken=' + CSRFToken; } else { settings.data['CSRFToken'] = CSRFToken; } orginalMethod(settings); }To be able to invoke the original method after doing my stuff I save it to a variable berofe overiding it.
For further reading I recommend the OWASP top 10 publication. Which describes the top 10 security threats to web applications and how to protect against them.
Todays useful linux commands
Some useful commands I use now and then.
What files at taking all my space?
du / -h | grep ^[0-9\\.]*G
Showing all folders/files with a size of 1G and up
What logs changed the last minutes?
find / -mmin 5 | grep log
Showing all files changed in the last five minutes. Greps on log
What files at taking all my space?
du / -h | grep ^[0-9\\.]*G
Showing all folders/files with a size of 1G and up
What logs changed the last minutes?
find / -mmin 5 | grep log
Showing all files changed in the last five minutes. Greps on log
Monitoring heap space on local JMVs in Java 5
In the last couple of days I have been helping a colleague with a problem. The problem is that they have a couple of java processes running on a server. These processes go out of memory every no and then and it is important that they can get a notice when this is about to happen.
So to the whole process for calculating used heap space on the machine would look something like this
Note that all java processes must use the -Dcom.sun.management.jmxremote for the JMX to be enabled.
First I had a look at some monitoring applications.
- jConsole - Had no email functions. It looks like you could install a MBean with mail funtions but I think that has to be done from inside each process and I'm not allowed to change the code.
- Nagios - Is a big infrastructure monitoring utility which have a JMX pluging, but it seemed to overkill.
- Munin - Appears to have some notification ability, but seems hard to set up.
The solution was to write my own little notification and monitoring program. Often not the best solution but I also saw some value in learning more about JMX monitoring.
I think everybody can agree, it better to fix the memory problem then to just restart the servers when they are running out of memory, but no time for that right now.
Enough of problem, now to the solution =)
To get the memory used by the processes, I needed to summarize the memory used y each process.
As I were going to monitor all the JVMs running om the machine I have to somehow connect to the JMX of every process.
I first stumbled on to the Attach API in java 6 which have a lot of functionality for listing and working with the VMs on the machine. Problem is I was going to build the program for java 5. So I soon dropped this.
Second I tried to find out how jConsole lists the VMs in its startup dialog. Finally I found the class sun.jvmstat.monitor.MonitoredHost used by the jvmstat program. As Oracle states it's not recommended to use sun.* classes because they are not guaranteed to work in future releases and all platforms. http://www.oracle.com/technetwork/java/faq-sun-packages-142232.html. But because this is a simple utility meant for use on one server I decided to use them anyway.
So I could use the method activeVms to get a list of all process ID of the active vms.
MonitoredHost.getMonitoredHost("localhost").activeVms();
But how to connect to the JMX of a process only using a PID. Google gave me very many unhelpful suggestions about the Attach API. But finally I found another helpful class in the sun.* classes. sun.management.ConnectorAddressLink
Using the method importFrom I got the JMX address for the JVM process and the hard part was over.
ConnectorAddressLink.importFrom(pid);
Then it was just the simple task of getting the max and used heapspace from the Memory MX Bean.
jmxConnector = JMXConnectorFactory.connect(serviceUrl, null); MBeanServerConnection con = jmxConnector.getMBeanServerConnection(); MemoryMXBean memBean = ManagementFactory.newPlatformMXBeanProxy(con, ManagementFactory.MEMORY_MXBEAN_NAME, MemoryMXBean.class); memBean.getHeapMemoryUsage().getUsed(); memBean.getHeapMemoryUsage().getMax();
So to the whole process for calculating used heap space on the machine would look something like this
long usedHeapSpace = 0; for (Object OPid : MonitoredHost.getMonitoredHost("localhost").activeVms()) { int dpid = Integer.parseInt(OPid.toString()); String address = ConnectorAddressLink.importFrom(dpid); JMXServiceURL serviceUrl = new JMXServiceURL(address); JMXConnector jmxConnector = JMXConnectorFactory.connect(serviceUrl, null); MBeanServerConnection con = jmxConnector.getMBeanServerConnection(); MemoryMXBean memBean = ManagementFactory.newPlatformMXBeanProxy(con , ManagementFactory.MEMORY_MXBEAN_NAME , MemoryMXBean.class); usedHeapSpace += memBean.getHeapMemoryUsage().getUsed(); jmxConnector.close(); }
Note that all java processes must use the -Dcom.sun.management.jmxremote for the JMX to be enabled.
If there are processes without this flag the resulting calculation will be incorrect.
So to summarize, bad lessons learned, there is a lot of fun stuff in sun.* classes =)
Syncing Active Directory with OpenAM datastore using LSC
Lately I have been tasked to set up an OpenAM server that should authenticate user against an existing AD server.
I have found three usual approaches to this problem.
The problem with the first one is that it require some changes to the AD which I am not allowed to implement.
The second one works fine if all you want to do is authenticate the user, as far as I've seen there aren’t any good ways to get more information about the user for example email address and phone number. The module can be configured to populate the default user store in OpenAM with user attributes from AD, but this will only happen on the first login. If the user changes email or phone number in the future the changes won't be reflected in OpenAM.
I ended up using both AD authentication module and synchronization. The authentication module for authentication directly against AD and synchronization for getting the attributes. For synchronization I used LSC.
In the next section I will describe the LSC configuration. This is not a beginners guide to LCS so if you are new to it, I recommend you checking out some of the tutorials here http://lsc-project.org/wiki/documentation/2.0/start
LSC configuration
In my OpenAM configuration different groups have different authorization so I want to sync both users and groups.
This is accomplished by defining two tasks.
Syncing users
First the properties for the srcService
Short description. The filterAll attribute is used to pick out all users of interest. In this case I'm specifying objectType users and they should have an sAMAccountName. I have also placed all the users to be synced in a group called OpenAMUsers as the users to be synced is only a subset of the user base.
The name to look at when matching users is the sAMAccountName and is specified in pivotAttrs. The filterId is a bit tricky In order to understand how to define this, I recommend reading http://lsc-project.org/user-guide/#matching-up-entries. The attr is the attributes I would like to read from the source.
The dstService
On the destination(OpenAM) all users lies under ou=People so base dn is ou=People.
FilterId sepecifies user of interest in the destination. The attrs in this case is the attributes I would like to update.
In OpenAM the users are by default identified with the uid attribute. I thought it wise to keep this so the DN is concatenated with the account name and the user base dn.
Sync options specify how to update the info in destination.
Pretty much straight forward, the uid is set to sAMAccountName, this is set to only update at creation time. This is the attribute to match users and it is not changed.
The objectClass is updated at creation time with the classes users use in OpenAM. This is needed for OpenAM to recognize the users.
For some reason the OpenAM data store schema demands SN to be set, so if it is not set in AD it is set to noSN.
User status is set to Active.
All attributes specified in the attrs settings with the same name in source and destination is automatically updated if nothing else is configured in sync options. In this case givenName, mail, cn.
Syncing groups
As with the users, to make it easier to find the groups I want to sync, I have added the groups to a group, OpenAMGroups. As you can see in the filterAll property, only the groups in OpenAMGroups are synced.
The expression in the filterId becomes a lot easier to understand if the identifying attributes have the same name at source and destination. Again have a look at http://lsc-project.org/user-guide/#matching-up-entries for more information on filterId.
The attributes cn, uniqueMember and objectClass. UniqueMember is OpenAMs attribute for members and the object class needs to be set in order for the groups to be recognized by OpenAM.
New DN is concatenated.
The delimiter is set to be $ as semicolon is used in the more complex javascript expression below.
Object class is set to standard values.
Here is the best part, it shows some of the power in LSC.
What we need to do here is to take all the member attribute entries and change the dn before syncing.
Every property value can be a javascript expression so we simply get the attributes, run them through a loop, do some string manipulation and return the new list.
This is the configuration I used. It works fine on OpenAM 10.0.0 and Windows Server 2008 R2.
If there are any questions or problems, feel free to post a comment.
I have found three usual approaches to this problem.
- Use the AD as a OpenAM user store
- The AD authentication module can be used to authenticate user against AD.
- Use some kind tool could be used to synchronize AD and OpenAM user store.
The problem with the first one is that it require some changes to the AD which I am not allowed to implement.
The second one works fine if all you want to do is authenticate the user, as far as I've seen there aren’t any good ways to get more information about the user for example email address and phone number. The module can be configured to populate the default user store in OpenAM with user attributes from AD, but this will only happen on the first login. If the user changes email or phone number in the future the changes won't be reflected in OpenAM.
I ended up using both AD authentication module and synchronization. The authentication module for authentication directly against AD and synchronization for getting the attributes. For synchronization I used LSC.
In the next section I will describe the LSC configuration. This is not a beginners guide to LCS so if you are new to it, I recommend you checking out some of the tutorials here http://lsc-project.org/wiki/documentation/2.0/start
LSC configuration
In my OpenAM configuration different groups have different authorization so I want to sync both users and groups.
This is accomplished by defining two tasks.
lsc.tasks = ADuser, ADgroup
Syncing users
First the properties for the srcService
lsc.tasks.ADuser.srcService = org.lsc.jndi.SimpleJndiSrcService lsc.tasks.ADuser.srcService.baseDn = cn=Users # Filter to list all entries to synchronize lsc.tasks.ADuser.srcService.filterAll = (&(sAMAccountName=*)(objectClass=user)(memberOf=CN=OpenAMUsers,CN=Users,DC=capra,DC=no)) # Attributes to read from all entries used to match objects between source and destination lsc.tasks.ADuser.srcService.pivotAttrs = sAMAccountName # Filter to read one entry to synchronize, based on pivotAttrs above # This filter may contain one or several pivotAttrs defined above, like "{attributeName}" lsc.tasks.ADuser.srcService.filterId = (&(objectClass=user)(|(sAMAccountName={sAMAccountName})(sAMAccountName={uid}))) # Attributes to read from each entry used to read and write data lsc.tasks.ADuser.srcService.attrs = mail cn sAMAccountName sn givenName
Short description. The filterAll attribute is used to pick out all users of interest. In this case I'm specifying objectType users and they should have an sAMAccountName. I have also placed all the users to be synced in a group called OpenAMUsers as the users to be synced is only a subset of the user base.
The name to look at when matching users is the sAMAccountName and is specified in pivotAttrs. The filterId is a bit tricky In order to understand how to define this, I recommend reading http://lsc-project.org/user-guide/#matching-up-entries. The attr is the attributes I would like to read from the source.
The dstService
lsc.tasks.ADuser.dstService = org.lsc.jndi.SimpleJndiDstService lsc.tasks.ADuser.dstService.baseDn = ou=People # Filter to list all entries to synchronize lsc.tasks.ADuser.dstService.filterAll = (&(uid=*)(objectClass=inetOrgPerson)) # Attributes to read from all entries used to match objects between source and destination lsc.tasks.ADuser.dstService.pivotAttrs = uid # Filter to read one entry to synchronize, based on pivotAttrs above # This filter may contain one or several pivotAttrs defined above, like "{attributeName}" lsc.tasks.ADuser.dstService.filterId = (&(objectClass=inetOrgPerson)(|(uid={sAMAccountName})(uid={uid}))) # Attributes to read from each entry used to read and write data lsc.tasks.ADuser.dstService.attrs = mail cn uid objectClass sn givenName inetUserStatus
On the destination(OpenAM) all users lies under ou=People so base dn is ou=People.
FilterId sepecifies user of interest in the destination. The attrs in this case is the attributes I would like to update.
lsc.tasks.ADuser.dn = "uid=" + srcBean.getAttributeValueById("sAMAccountName") + ",ou=People"
In OpenAM the users are by default identified with the uid attribute. I thought it wise to keep this so the DN is concatenated with the account name and the user base dn.
Sync options specify how to update the info in destination.
# syncoption for the uid attribute: At creation the uid is set to sAMAccountName from src lsc.syncoptions.ADuser.uid.action = K lsc.syncoptions.ADuser.uid.objectClass.create_value = srcBean.getAttributeValueById("sAMAccountName") #Insert objectClass lsc.syncoptions.ADuser.objectClass.action = K lsc.syncoptions.ADuser.objectClass.create_value = "iplanet-am-auth-configuration-service";"sunIdentityServerLibertyPPService";"sunAMAuthAccountLockout";"sunFederationManagerDataStore";"iplanet-am-managed-person";"iPlanetPreferences";"sunFMSAML2NameIdentifier";"person";"inetorgperson";"organizationalperson";"inetuser";"iplanet-am-user-service";"top" #Set defualt sn lsc.syncoptions.ADuser.sn.action = F lsc.syncoptions.ADuser.sn.default_value = "noSN" #Setting active user lsc.syncoptions.ADuser.inetUserStatus.action = K lsc.syncoptions.ADuser.inetUserStatus.default_value = "Active"
Pretty much straight forward, the uid is set to sAMAccountName, this is set to only update at creation time. This is the attribute to match users and it is not changed.
The objectClass is updated at creation time with the classes users use in OpenAM. This is needed for OpenAM to recognize the users.
For some reason the OpenAM data store schema demands SN to be set, so if it is not set in AD it is set to noSN.
User status is set to Active.
All attributes specified in the attrs settings with the same name in source and destination is automatically updated if nothing else is configured in sync options. In this case givenName, mail, cn.
Syncing groups
# Base DN for searches in the directory lsc.tasks.ADgroup.srcService.baseDn = cn=Users # Filter to list all entries to synchronize lsc.tasks.ADgroup.srcService.filterAll = (&(cn=*)(objectClass=group)(memberOf=CN=OpenAMGroups,CN=Users,DC=capra,DC=no)) # Attributes to read from all entries used to match objects between source and destination lsc.tasks.ADgroup.srcService.pivotAttrs = cn # Filter to read one entry to synchronize, based on pivotAttrs above # This filter may contain one or several pivotAttrs defined above, like "{attributeName}" lsc.tasks.ADgroup.srcService.filterId = (&(objectClass=group)(cn={cn})) # Attributes to read from each entry used to read and write data lsc.tasks.ADgroup.srcService.attrs = cn member
As with the users, to make it easier to find the groups I want to sync, I have added the groups to a group, OpenAMGroups. As you can see in the filterAll property, only the groups in OpenAMGroups are synced.
The expression in the filterId becomes a lot easier to understand if the identifying attributes have the same name at source and destination. Again have a look at http://lsc-project.org/user-guide/#matching-up-entries for more information on filterId.
# Base DN for searches in the directory lsc.tasks.ADgroup.dstService.baseDn = ou=groups # Filter to list all entries to synchronize lsc.tasks.ADgroup.dstService.filterAll = (cn=*) # Attributes to read from all entries used to match objects between source and destination lsc.tasks.ADgroup.dstService.pivotAttrs = cn # Filter to read one entry to synchronize, based on pivotAttrs above # This filter may contain one or several pivotAttrs defined above, like "{attributeName}" lsc.tasks.ADgroup.dstService.filterId = (cn={cn}) # Attributes to read from each entry used to read and write data lsc.tasks.ADgroup.dstService.attrs = cn uniqueMember objectClass
The attributes cn, uniqueMember and objectClass. UniqueMember is OpenAMs attribute for members and the object class needs to be set in order for the groups to be recognized by OpenAM.
lsc.tasks.ADgroup.dn = "cn=" + srcBean.getAttributeValueById("cn") + ",ou=groups"
New DN is concatenated.
# Set default delimiter for multiple values for an attribute. # This is normally a semi-colon (;) but can be problematic when writing complex JavaScript lsc.syncoptions.ADgroup.default.delimiter = $
The delimiter is set to be $ as semicolon is used in the more complex javascript expression below.
#Insert objectClass lsc.syncoptions.ADgroup.objectClass.action = K lsc.syncoptions.ADgroup.objectClass.create_value = "groupofuniquenames";"top"
Object class is set to standard values.
#members syncing lsc.syncoptions.ADgroup.uniqueMember.action = F lsc.syncoptions.ADgroup.uniqueMember.force_value = var uniqueMember = new Array();\ var members = srcBean.getAttributeValuesById("member").toArray();\ for (var i = 0; i < members.length; i++) {\ var member = members[i];\ member.replace(",CN=Users,DC=capra,DC=no", ",ou=people,dc=opensso,dc=java,dc=net").replace("CN", "uid");\ uniqueMember.push(member);\ }\ members
Here is the best part, it shows some of the power in LSC.
What we need to do here is to take all the member attribute entries and change the dn before syncing.
Every property value can be a javascript expression so we simply get the attributes, run them through a loop, do some string manipulation and return the new list.
This is the configuration I used. It works fine on OpenAM 10.0.0 and Windows Server 2008 R2.
If there are any questions or problems, feel free to post a comment.
Genereate .p7b file from multiple .cer files
A p7b file can contain many CA certificates. This can for example be the case when creating a bundle of CA certificates. As was the case for me.
In a project I'm working on we want to bundle all the trused CA certificates in one file. The file for this purpose was p7b.
We used openssl to do it.
The first thing that needs to be done is to convert the .cer files to PEM.
openssl x509 -in myCA1.cer -inform DER -outform pem -out myCA1.pem
openssl x509 -in myCA2.cer -inform DER -outform pem -out myCA2.pem
And then we bundle the PEM files
openssl crl2pkcs7 -nocrl -certfile myCA1.pem -certfile myCA1.pem -outform PEM -out bundle.p7b
To add another PEM fil just add another -certfile argument.
In a project I'm working on we want to bundle all the trused CA certificates in one file. The file for this purpose was p7b.
We used openssl to do it.
The first thing that needs to be done is to convert the .cer files to PEM.
openssl x509 -in myCA1.cer -inform DER -outform pem -out myCA1.pem
openssl x509 -in myCA2.cer -inform DER -outform pem -out myCA2.pem
And then we bundle the PEM files
openssl crl2pkcs7 -nocrl -certfile myCA1.pem -certfile myCA1.pem -outform PEM -out bundle.p7b
To add another PEM fil just add another -certfile argument.
Creating your own CA with OpenSSL and CA.pl
I have recently had an issue where I need to create test certificates for use in unit test.
The files I’m signing needs to be signed by a certificate that is signed by a CA with specific public key.
For this purpose I figure the easiest way to accomplish this is to
Create a CA of my own
Create a certificate for the unit tests
Sign the certificate with using the CA
I will show how I did this using OpenSSL and the CA.pl script that comes with the OpenSSL installation.
Create new CA
CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
.............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-ca
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ff:65:cb:b3:87:ab:ce:4b
Validity
Not Before: Aug 23 08:40:46 2013 GMT
Not After : Aug 22 08:40:46 2016 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = test-ca
X509v3 extensions:
X509v3 Subject Key Identifier:
EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
X509v3 Authority Key Identifier:
keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 22 08:40:46 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
I use all the default options except for the common name and PEM pass phrase.
Creating the test cert
CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............................................................++++++
...........................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-cert
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
I use all the default options except for the common name and PEM pass phrase.
Sign the test cert with the CA
CA.pl -sign
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ff:65:cb:b3:87:ab:ce:4c
Validity
Not Before: Aug 23 08:47:32 2013 GMT
Not After : Aug 23 08:47:32 2014 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = test-cert
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
99:7F:AD:BE:2F:3C:C5:F4:65:8A:A0:2D:6C:07:23:88:48:25:E5:39
X509v3 Authority Key Identifier:
keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
Certificate is to be certified until Aug 23 08:47:32 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Now the newcert.pem is signed with the CA
PS. If you use the same common name for the CA and cert you will get this error.
failed to update database
TXT_DB error number 2
The files I’m signing needs to be signed by a certificate that is signed by a CA with specific public key.
For this purpose I figure the easiest way to accomplish this is to
Create a CA of my own
Create a certificate for the unit tests
Sign the certificate with using the CA
I will show how I did this using OpenSSL and the CA.pl script that comes with the OpenSSL installation.
Create new CA
CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
.............++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-ca
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ff:65:cb:b3:87:ab:ce:4b
Validity
Not Before: Aug 23 08:40:46 2013 GMT
Not After : Aug 22 08:40:46 2016 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = test-ca
X509v3 extensions:
X509v3 Subject Key Identifier:
EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
X509v3 Authority Key Identifier:
keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 22 08:40:46 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
I use all the default options except for the common name and PEM pass phrase.
Creating the test cert
CA.pl -newreq
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..............................................................++++++
...........................................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:test-cert
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
I use all the default options except for the common name and PEM pass phrase.
Sign the test cert with the CA
CA.pl -sign
Using configuration from C:\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ff:65:cb:b3:87:ab:ce:4c
Validity
Not Before: Aug 23 08:47:32 2013 GMT
Not After : Aug 23 08:47:32 2014 GMT
Subject:
countryName = AU
stateOrProvinceName = Some-State
organizationName = Internet Widgits Pty Ltd
commonName = test-cert
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
99:7F:AD:BE:2F:3C:C5:F4:65:8A:A0:2D:6C:07:23:88:48:25:E5:39
X509v3 Authority Key Identifier:
keyid:EA:DE:A5:01:11:76:9A:22:15:33:7E:72:6A:A8:FC:AD:3E:8E:23:9E
Certificate is to be certified until Aug 23 08:47:32 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Now the newcert.pem is signed with the CA
PS. If you use the same common name for the CA and cert you will get this error.
failed to update database
TXT_DB error number 2
Use sequence for toggling boolean value
I recently needed to build a postgres function that generated names, the function should return double names half of the times it was called. The function were to be run in a loop in a main function so the first idea was to use a boolean variable in the main function that was sent as a parameter to the name function. The was boolean was toggled after every loop iteration.
A better solution that I came up with is to use a sequence. These are stateful and can be access in the entire scheme.
I create a sequence that counts from 0 to 1 and then starts over. I then cast the result to char and then to boolean.
Every time the SELECT nextval('double_first_name_toggle')::char::boolean into double_first_name; is called it the result is the opposite from last time.
This is now used in the name function and no parameter needs to be sent in.
A better solution that I came up with is to use a sequence. These are stateful and can be access in the entire scheme.
I create a sequence that counts from 0 to 1 and then starts over. I then cast the result to char and then to boolean.
CREATE SEQUENCE double_first_name_toggle MINVALUE 0 MAXVALUE 1 CYCLE; SELECT nextval('double_first_name_toggle')::char::boolean into double_first_name;
Every time the SELECT nextval('double_first_name_toggle')::char::boolean into double_first_name; is called it the result is the opposite from last time.
This is now used in the name function and no parameter needs to be sent in.
Tool to test queries on Google Fusion tables
A couple of weeks ago I started a project where I needed to save big amounts of data for later statistical analysis. The first data store I looked at was Google Fusion Tabels (because it was free...). The reason I didn't go for it was that there were quota limitation that didn't allow that much data.
But another problem I found was that there is no good way to simply test out queries on a table. So I built a tool for it. So for those of you using Google Fusion Tables or thinking about it, go have a look.
The tool is here, https://rasmusson.github.io/fusion-tables-tool
Any ideas can be submitted here, https://github.com/ rasmusson/fusion-tables-tool/ issues
But another problem I found was that there is no good way to simply test out queries on a table. So I built a tool for it. So for those of you using Google Fusion Tables or thinking about it, go have a look.
The tool is here, https://rasmusson.github.io/fusion-tables-tool
Any ideas can be submitted here, https://github.com/
Further reading
This book covers, among other things, google fusion tablesUsing CDI in external JAR module
I recently had a task to create a REST API in a jar module separate from the main application. The JAR will be a dependency to the main application.
In this REST resource class I which to inject the som session scoped data about the user.
Problem is that CDI does not inspect external JAR files by default. This off cource resulted in the classic NullPointerException.
After some research found that adding an empty beans.xml to the resources/META-INF/ tells CDI to inspect the classes in the JAR for injection points.
In this REST resource class I which to inject the som session scoped data about the user.
Problem is that CDI does not inspect external JAR files by default. This off cource resulted in the classic NullPointerException.
After some research found that adding an empty beans.xml to the resources/META-INF/ tells CDI to inspect the classes in the JAR for injection points.
A simple way of doing pagination with Angular UI
In the last few days I have been developing a tool to work with Google fusion tables. In this I display results for a search query in a table with pagination. I found a lot of different ways to do this but I finally ended up with this.
The relevant part in this is row in queryResult.rows.slice(((currentPage-1)*10), ((currentPage)*10)) track by $index.
I using the currentPage variable from the Angular UI pagination component in combination with the javascript array slice method to split the result up in pages. Simple and efficient.
Here is a plunker with an example
The limitation of this being that you have to load the entire result at once. Pagination is entirely on the client side and not in the query.
{{column}} |
---|
{{cell}} |
I using the currentPage variable from the Angular UI pagination component in combination with the javascript array slice method to split the result up in pages. Simple and efficient.
Here is a plunker with an example
The limitation of this being that you have to load the entire result at once. Pagination is entirely on the client side and not in the query.
Further reading
This is the book I'm reading to learn AngularJS. Very good and very well formatted for kindle.Authenticating to Google Fusion Tables from Server
A couple of weeks ago I started a project where I needed to save big amounts of data for later statistical analysis. The first data store I looked at was Google Fusion Tabels (because it was free...). The reason I didn't go for it was that there were quota limitation that didn't allow that much data.
But before I got to the point that I discarded it wrote a working backend on Google app engine that could write to a table. Here is the code. The hard thing here was authenticating to the Fusion tables.
Working with Google APIs from Google App Engine should be very easy thanks to Google App engines support for service account, unfortunately Fusion tables API does not support this yet. So we need to use the harder way to use Application Accounts. Here is the code for authenticating and making request to Fusion tables. Please ignore bad exception handling.
private Fusiontables fusiontables = null; public void initiateFusionTablesAPI() { Collectionscopes = Collections.singleton("https://www.googleapis.com/auth/fusiontables"); String serviceAccountId = "768188911902@developer.gserviceaccount.com"; String p12FileName = "/privatekey.p12"; InputStream p12Stream = context.getResourceAsStream(p12FileName); PrivateKey serviceAccountPK = null; try { serviceAccountPK = SecurityUtils.loadPrivateKeyFromKeyStore( SecurityUtils.getPkcs12KeyStore(), p12Stream, "notasecret", "privatekey", "notasecret"); } catch (GeneralSecurityException e) { e.printStackTrace(); } GoogleCredential credential = new GoogleCredential.Builder() .setTransport(new NetHttpTransport()) .setJsonFactory(new JacksonFactory()) .setServiceAccountId(serviceAccountId) .setServiceAccountScopes(scopes) .setServiceAccountPrivateKey(serviceAccountPK) .build(); fusiontables = new Fusiontables.Builder( new NetHttpTransport(), new JacksonFactory(), credential) .setApplicationName("Bysykkel-stats") .build(); } public void storeInformation(){ String sql = "INSERT INTO ..."; try { Sqlresponse sqlresponse = fusiontables.query().sql(sql).execute(); if (sqlresponse.getRows().size() != 1) { throw new RuntimeException("Error in sql response " + sqlresponse.toPrettyString()); } } catch (Exception e) { e.printStackTrace(); } }
Further reading
This book covers, among other things, google fusion tables
Subscribe to:
Posts (Atom)