Related questions

OCSP/CRL support on JBoss 5 AS

2018-05-10 10:48 korayguney imported from Stackoverflow

Has "JBoss 5 AS" support for OCSP or CRL validations on incoming certificates during TLS?

I saw an attribute on server.xml file of JBoss named "ca-certificate-file" which ensures to get the revocation list from a file or URL. But it gets static values, so how can I use this attribute dynamically?

See also questions close to this topic

  • Ignore ssl certs for easy install python

    I have my lib which has setup as

    setup.py

    from setuptools import setup

setup(
    setup_requires=['pbr>=0.11.0'],
    pbr=True
)

    setup.cfg

    [metadata]
name = MyLib

[options]
zip_safe = False
include_package_data = True
install_requires =
    cython
    pyrex
    pymssql
    elementtree
    bleach
    BeautifulSoup4
    pytz
    MySQL_python
    retry
    elementtree
    Pyrex
dependency_links =
    https://pypi.mydomain.com/packages/

[files]
packages =
    MyLib
    MyLib.package1
    MyLib.package1.new1

[tool:wheel]
universal = 1

[flake8]
exclude =
    venv,
    .tox,
    .git,
    __pycache__,
    *.pyc,
    *.egg-info,
    .cache,
    .eggs,
max-line-length = 80

[tool:pytest]
testpaths=MyLib/tests
ignore=
    .tox
    .cache
    docs
    config.py
    venv

[coverage:run]
omit=
    MyLib/config.py

    I am using this MyLib in my application requirements.txt

    myapp/requirements.txt ... ... MyLib==1.2.3 ... ...

    When I installed, with /usr/local/pyenv/versions/myapp/bin/pip install -i https://pypi.mydomain.com --trusted-host pypi.mydomain.com -r /opt/school/apps/myapp/requirements.txt, it was redirecting to pypi.python.org. Then I get that easy_install is using another config as ~/.pydistutils.cfg. I added as

    ~/.pydistutils.cfg

    [easy_install]
index_url=https://pypi.mydomain.com/
find_links = https://pypi.mydomain.com/simple/
allow_hosts = pypi.mydomain.com

    Now its not redirecting to pypi.python.org but it gives error for SSL.

    /usr/local/pyenv/versions/myapp/bin/pip install -i https://pypi.mydomain.com --trusted-host pypi.mydomain.com -r /opt/school/apps/myapp/requirements.txt
Requirement already satisfied: appdirs==1.4.3 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 1))
Requirement already satisfied: beautifulsoup4 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 2))
Requirement already satisfied: bleach==2.0.0 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 3))
Requirement already satisfied: click==6.7 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 4))
Collecting MyLib==1.2.3 (from -r /opt/school/apps/myapp/requirements.txt (line 5))
  Downloading https://pypi.mydomain.com/packages/MyLib-1.2.3.tar.gz (221kB)
    100% |████████████████████████████████| 225kB 31.8MB/s
    Complete output from command python setup.py egg_info:
    Download error on https://pypi.mydomain.com/simple/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
    Download error on https://pypi.mydomain.com/pbr/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
    Couldn't find index page for 'pbr' (maybe misspelled?)
    Download error on https://pypi.mydomain.com/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
    No local packages or working download links found for pbr>=0.11.0
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/tmp/pip-build-Lsc4UJ/MyLib/setup.py", line 5, in <module>
        pbr=True
      File "/usr/local/pyenv/versions/2.7.13/lib/python2.7/distutils/core.py", line 111, in setup
        _setup_distribution = dist = klass(attrs)
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 315, in __init__
        self.fetch_build_eggs(attrs['setup_requires'])
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 361, in fetch_build_eggs
        replace_conflicting=True,
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 850, in resolve
        dist = best[req.key] = env.best_match(req, ws, installer)
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1122, in best_match
        return self.obtain(req, installer)
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1134, in obtain
        return installer(requirement)
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 429, in fetch_build_egg
        return cmd.easy_install(req)
      File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 659, in easy_install
        raise DistutilsError(msg)
    distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('pbr>=0.11.0')

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-Lsc4UJ/MyLib/
    1. Is there any way to force dependency_links not to use ~/.pydistutils.cfg ?

    If answer of 1 is NO, then how to ignore SSL for my pypi server?

  • Include intermediate chain in keystore for mutual SSL

    I've been at this way too long and have searched high and low for a solution.

    I am trying to do mutual SSL. The target is using a certificate signed by an intermediate that is valid and trusted. My side, a Java web service client using httpclient 4.3.6, is also using a certificate signed by the intermediate.

    The intermediate is in a JKS format keystore and has the full chain. My certificate is also in a JSK keystore.

    I am also running Wireshark to follow the SSL process, since the Java exceptions are very unhelpful. I can see that the Server Hello finishes (a line in Wireshark called "Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done"). A couple of packets later, there is a "Certificate, Client Key Exchange" line that seems to run ok. Two packets later, there is an alert about a handshake failure (40). When I go backward two packets to the "Certificate, Client Key Exchange" line and inspect it closely, I can see that while the key was sent off, there is a line that says "Certificates Length: 0" in the packet inspection window.

    So it appears that my certificate is not even being sent? I saw on another question here that it may be because my side doesn't see a valid path to my cert, and so doesn't bother including it? (The answer here https://stackoverflow.com/a/14876605/5136448). I do include the trust store that has my intermediate in it when using SSLContext and SSLConnectionSocketFactory.

    A colleague of mine got a successful connection using openssl when including my keystore and intermediate together, so I'm trying to add the certificate chain from the intermediate keystore to my own keystore to see if that will solve it. I have no found any successful way of doing this (openssl, keytool, Keystore Explorer), so I may not have the right idea as to properly solve this.

    To sum up, using Apache http-client 4.3.6, I need to do mutual SSL to a server where the server is trusted, but the client doesn't seem to be sending its certificate (which was signed by the same entity that signed the server's certificate).

    Should it be relevant, here is the client-side code:

    KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(new File("/path/to/test.keystore")), "abc123".toCharArray());

KeyStore trustStore = KeyStore.getInstance("PKCS12");
trustStore.load(new FileInputStream(new File("/path/to/test.truststore")), "123abc".toCharArray());

SSLContext sslContext = SSLContexts
.custom()
.loadKeyMaterial(keystore, "abc123".toCharArray(), null)
.loadTrustMaterial(trustStore, null)
.build();

SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"},
null,
SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);


CloseableHttpClient httpclient1 = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
  • Implementing X509TrustManager

    I'm currently trying to transfer data over the internet via SSL/TLS in java and I want both parties to authenticate themselves. I have implemented the KeyManager myself to load the key pair and present the other party the appropriate certificate.

    Now, I'm trying to check the certificate and I'm doing that by implementing my own TrustManager (both parties hold the cert of the other party, everything is self-signed). However, getAcceptedIssuers doesn't work like I want it to, because even when I return none the connection still gets established without problem.

    Why doesn't the certificate get refused?

    protected static class SelectingTrustManager implements X509TrustManager{
    final X509TrustManager delegate;

    private String[] trustedAliases;
    private final KeyStore keystore;

    public SelectingTrustManager(X509TrustManager delegate, KeyStore keystore, String[] trustedAliases) {
        this.trustedAliases = trustedAliases;
        this.keystore = keystore;
        this.delegate = delegate;
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException{
        delegate.checkClientTrusted(chain, authType);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{
        delegate.checkServerTrusted(chain, authType);
    }

    public X509Certificate[] getAcceptedIssuers(){
        return new X509Certificate[0];
    }

}
  • How to get OCSP responses through openssl apis in cms signed data

    I've been developing some logic to get certificates and its revocation list in cms signed data. The format of certificates is X509v3 and revocation list is OCSP responses.

    According to RFC 5652: "Online Certificate Status Protocol (OCSP) Responses can be supported using the OtherRevocationInfoFormat."

    So I #include <openssl/cms.h> and get x509v3 certificates through:

    STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);

    (See: https://www.openssl.org/docs/man1.1.0/crypto/CMS_get1_certs.html)

    But, I do not know how to get OCSP responses via openssl in C++. There is only:

    STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);

    But that gets a revocation info list as crls, not OCSP response.

    I found that in the cms_lcl.h, revocation info is included in CMS_RevocationInfoChoice as an union type:

    struct CMS_RevocationInfoChoice_st {
    int type;
    union {
        X509_CRL *crl;
        CMS_OtherRevocationInfoFormat *other;
    } d;
};

    But, I can't find the way to get it. Do I need to import other libraries?

  • How to create PADES using offline signature and OCSP response

    I'm stumped trying to figure out Esig DSS java suite just from docs and source. (eu.europa.esig.dss.* tree)

    We connect to Swedish BankID to sign PDF's and simple plain texts. Response is a SOAP XML with fields for the signature and an OCSP response.

    The end goal is to combine these two parts into a single object "a valid signature" that can be embedded in a PDF (using DSS and PDFbox).

    The contents of the BankID Soap fields seems to have the right format for DSS tools:

    The signature can be loaded with

    DSSDocument sigDoc = new InMemoryDocument(xmlSignature)
SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(sigDoc);
// ...
AdvancedSignature advancedSignature = documentValidator.getSignatures().get(0);

    and the OCSP response can be read with

    ExternalResourcesOCSPSource source = new ExternalResourcesOCSPSource(ocspBytes);
BasicOCSPResp basicOCSPResp = source.getContainedOCSPResponses().get(0);

    I can print out various info from the objects, find embedded certificates etc, so the format seems legit.

    Question: How do I get a valid OCSPToken from the ExternalResourcesOCSPSource?

    I keep running in circles trying to combining the two into a single AdvancedSignature (if that's what I can use to embed into a PDF).

  • AWS OCSP Stapling

    After creating an OCSP server via Python3.6 + Lambda + Serverless + DynamoDB + S3 and OpenSSL it has become necessary to support OpenSSL --version of 1.1 which supports the multiple -cert options, thus reducing overhead and network requests.

    With print('Openssl version in lambda:', ssl.OPENSSL_VERSION) I can see that the installed version is: OpenSSL 1.0.0-fips 29 Mar 2010. How feasible it is to upgrade the version on AWS Lambda?

    Also can OCSP Stapling disussed here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-custom-ocsp-stapling be used in the set up above to reduce network requests and load?