Java dual keystore with Ops4j PAX - java

Java has a DualFormatJKS class that is managed by the JavaKeyStore SPI. It determines the type of keystore at runtime. However, the PAX SSLContextBuilder in pax-url-aether-2.6.10.jar never gets into that code. Instead, PAX goes down this path. Eventually, the method KeyStore.getInstance(String type) is executed. It throws an exception because type is "" and it is expecting "jks" or "pkcs12".
The exception is
java.security.NoSuchAlgorithmException: KeyStore not available
I can't figure out how to marry the PAX code to the Java code that reads the file to determine the type of keystore it's working with. I get lost in the TrustStoreManager class. Has anyone had a similar issue or know how to solve it?
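As an added example (not from the question or from PAX), this is the Java-side behaviour the question describes, written as a small loader: an empty type string is not passed to KeyStore.getInstance(String) but handed to KeyStore.getInstance(File, char[]) (Java 9+), which probes the file and picks the matching SPI the way DualFormatJKS does. Names and the sample usage are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.KeyStore;

/** Loads a keystore without failing on an empty type string (added example, not PAX code). */
public final class KeyStoreLoader {
    private KeyStoreLoader() {}

    public static KeyStore load(File file, char[] password, String type) throws Exception {
        if (type == null || type.trim().isEmpty()) {
            // Java 9+: asks every registered KeyStore SPI whether it recognises the file (the
            // probing DualFormatJKS performs) instead of calling KeyStore.getInstance("").
            return KeyStore.getInstance(file, password);
        }
        KeyStore ks = KeyStore.getInstance(type); // explicit "jks" or "pkcs12" from configuration
        try (InputStream in = Files.newInputStream(file.toPath())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Usage (assumed): java KeyStoreLoader truststore.p12 changeit [type] */
    public static void main(String[] args) throws Exception {
        KeyStore ks = load(new File(args[0]), args[1].toCharArray(), args.length > 2 ? args[2] : "");
        System.out.println(args[0] + " loaded as " + ks.getType() + " with " + ks.size() + " entries");
    }
}
```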

Related

Provider-independent crypto in Java?

I'm trying to write a program in Java that will digitally sign database entries prior to insertion. I would like for the program to be algorithm-independent - ideally, the user would specify the JCE provider and algorithm as arguments at runtime.
Is there a way to do this? I've been testing with the BouncyCastle provider, and the code runs fine when I dynamically register it:
Security.addProvider(new BouncyCastleProvider());
However, when I try to statically register the provider by adding the following lines to the end of my security/java.policy file, I get the error: java.security.NoSuchProviderException: no such provider: BC when I try to get an instance of a Security object using the provider.
security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
Specifically, I added those lines to /etc/java-7-openjdk/security/java.policy (which is linked to $JAVA_HOME/jre/lib/security/java.policy). This is on Ubuntu 12.04. I also tried just adding the BouncyCastleProvider as the first entry and got the same error.
Am I configuring the static registration wrong or is what I am attempting impossible?
I think you are adding the static registration into the wrong file.
Use security.policy instead of java.policy within the same folder.
See: https://www.bouncycastle.org/wiki/display/JA1/Provider+Installation
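An added example (not the asker's program, not Bouncy Castle code) of the provider-independent signing the question asks for: key algorithm, signature algorithm and provider name come from the command line, the provider is looked up with Security.getProvider() before use, and nothing in the code refers to a concrete provider class. The class name, argument layout and sample row are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

/** Signs and verifies byte[] rows with a key/signature algorithm and JCA provider chosen at runtime. */
public final class RuntimeSigner {
    private RuntimeSigner() {}
    /** provider == null means "let the JCA pick the first registered provider that supports sigAlg". */
    private static Signature signature(String sigAlg, String provider) throws GeneralSecurityException {
        return provider == null ? Signature.getInstance(sigAlg) : Signature.getInstance(sigAlg, provider);
    }
    public static KeyPair generateKeyPair(String keyAlg, int keySize, String provider) throws GeneralSecurityException {
        KeyPairGenerator kpg = provider == null
                ? KeyPairGenerator.getInstance(keyAlg) : KeyPairGenerator.getInstance(keyAlg, provider);
        kpg.initialize(keySize);
        return kpg.generateKeyPair();
    }

    public static byte[] sign(byte[] data, PrivateKey key, String sigAlg, String provider) throws GeneralSecurityException {
        Signature s = signature(sigAlg, provider);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    public static boolean verify(byte[] data, byte[] sig, PublicKey key, String sigAlg, String provider) throws GeneralSecurityException {
        Signature s = signature(sigAlg, provider);
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    /** Usage (assumed): java RuntimeSigner [keyAlg] [keySize] [sigAlg] [provider], e.g. RSA 2048 SHA256withRSA BC */
    public static void main(String[] args) throws Exception {
        String keyAlg = args.length > 0 ? args[0] : "RSA";
        int keySize = args.length > 1 ? Integer.parseInt(args[1]) : 2048;
        String sigAlg = args.length > 2 ? args[2] : "SHA256withRSA";
        String provider = args.length > 3 ? args[3] : null;
        // Fail early with a clear message instead of a NoSuchProviderException buried inside getInstance().
        if (provider != null && Security.getProvider(provider) == null) {
            throw new NoSuchProviderException(provider + " is not registered: list it in java.security "
                    + "or call Security.addProvider() before use");
        }
        KeyPair kp = generateKeyPair(keyAlg, keySize, provider);
        byte[] row = "id=42,account=ACME,amount=100.00".getBytes(StandardCharsets.UTF_8); // constructed sample row
        byte[] sig = sign(row, kp.getPrivate(), sigAlg, provider);
        System.out.println("original row verifies: " + verify(row, sig, kp.getPublic(), sigAlg, provider));
        row[row.length - 1] ^= 0x01; // flip one bit of the stored row
        System.out.println("tampered row verifies: " + verify(row, sig, kp.getPublic(), sigAlg, provider));
    }
}
```

For an EC key pass a curve size such as 256 as keySize and an algorithm such as SHA256withECDSA; the provider argument is only needed when you want to pin the implementation.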

PGP Encryption in Mule keeps failing with NullPointerException

I have been attempting to encrypt a text file with the PGP encryptor in my Mule flow and have so far been unsuccessful. I am executing against the CloudHub Mule Runtime (Dec 2013) as I intend to deploy to CloudHub.
I have used GnuPG to generate the binary public key from the .asc file provided to me by my client and put the resulting .gpg file in my src/main/resources directory. Even though it doesn't seem like I should have to I generated my own secret gpg keyring and provided that in my application as well.
When I attempt to run my flow it keeps giving me an NPE:
Root Exception stack trace:
java.lang.NullPointerException
at org.mule.module.pgp.KeyBasedEncryptionStrategy.checkKeyExpirity(KeyBasedEncryptionStrategy.java:100)
at org.mule.module.pgp.KeyBasedEncryptionStrategy.safeGetCryptInfo(KeyBasedEncryptionStrategy.java:87)
at org.mule.module.pgp.KeyBasedEncryptionStrategy.encrypt(KeyBasedEncryptionStrategy.java:54)
I'm not sure what is causing this. Any ideas?
UPDATE:
I've updated to use the latest version of AnyPoint Studio with the 3.5.1 runtime and get the same error, on line 98 this time, which is the same line of code.
UPDATE AND MY SOLUTION:
I got it to work. It was an error on my part. I had a principal in the Encryption element that was overriding the principal from the Global element. I had placed this principal in the configuration to overcome an initial error telling me it was required. Removing this principal seems to have resolved all of my problems.
ANOTHER UPDATE
I can successfully encrypt using the pub and sec keys provided in a Mule blog post; however, when attempting to use the gpg file that I exported from the public key (.asc file) that my client provided, I again get the NPE mentioned above. I have followed all the steps I can find for importing their key into my keyring and exporting it as a binary. I'm stumped.
FINAL UPDATE
So it turns out the success with the keys from the Mule blog was giving me a success that I didn't completely understand. Turns out that I was not properly setting the Principal value. I was setting the principal according to what I thought it should be for the secret keyring, when, as I found out, it is actually for the public key ring. All seems to be working now.

"javax.xml.ws.WebServiceException: is not a valid service." proxy issue?

As a premise, I am not very experienced yet, but I have tried to read and search everything I possibly could, related to this topic, and still no luck.
I was given a simple client to call a webservice but once it was fully setup (which included the use of a certificate and a couple more properties to set) I got the error mentioned in the title:
javax.xml.ws.WebServiceException: {http://http://cert.controller.portaapplicativa.ictechnology.it//}MyService is not a valid service. Valid services are:
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187)
at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:159)
at com.sun.xml.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:82)
at javax.xml.ws.Service.<init>(Service.java:56)
at package.client.wsimport.MyService..<init>(MyService.java:46)
at package.client.Client.doRicercaDEN(Client.java:55)
at package.client.Client.main(Client.java:36)
I tried generating the client again with JAX-WS:
java -classpath C:\Programmi\Java\jdk1.6.0_38\lib\tools.jar com.sun.tools.internal.ws.WsImport -verbose C:\WsdlFile.wsdl -p package.client.wsimport -s C:\tmp\ws\
And I get the same issue. I am using a local copy of the wsdl because wsimport doesn't seem to like the certificate I'm trying to set in the properties (I'm most likely doing something wrong, but I opted for the simple workaround, given I have more pressing issues).
Trying to use SoapUI to test the service, everything works fine, though I need to set the preferences for the proxy to "None".
So I tried to make sure the connection doesn't use any proxy in my client as well:
(...)
systemSettings.remove("http.proxyHost");
systemSettings.remove("http.proxyPort");
systemSettings.remove("https.proxyHost");
systemSettings.remove("https.proxyPort");
System.setProperty("http.nonProxyHosts","*");
System.setProperty("https.nonProxyHosts","*");
(BTW, before "*", which as I understand it should work as a wildcard for "every domain", I have tried specifying the specific domains as well)
Anyway, the result is always the same.
Is there something I am doing wrong, something left to try?
I doubt this is a proxy issue. If you can share the code you are using to create the Service object it might help.
As a kick start try reading the below thread Is not a valid service exception in JAX-WS
What I think is that the QName you have provided when creating the Service is not proper. To get the correct QName you might try to open the generated stub.
As it turns out, what I was missing was importing the certificate in my local truststore (or better, when I first tried doing so, I thought I was using the correct truststore, but I wasn't).
For anyone who may need it, here is an explanation of how to do that using keytool: http://javarevisited.blogspot.it/2012/03/add-list-certficates-java-keystore.html
Another option is to use specific GUI like Portecle.

How to test X509TrustManager subclass?

I subclassed javax.net.ssl.X509TrustManager so I could use a private SSL cert. Now I am trying to write a JUnit test for my class, but the test cases keep giving me a null pointer exception.
E.g. my implementation of checkClientTrusted() is an empty method. However, when I call that method with a (supposedly) valid instance of X509Certificate[] (and any sort of String for that matter), JUnit reports a NullException at that line of test code. Any suggestions as to what I am missing?
Subclassing 'X509TrustManager' just for the use of a self signed certificate (I assume that's what you mean with 'private SSL cert'?) is a bit overkill. Easier ways to use such a certificate are:
Use a keystore file (truststore) with the certificate (or the certificate of the CA with which you created your self signed certificate) and point your application to that. All you have to do is make sure the 'SSLContext' knows about your truststore. Take a look at the (really well written) article Custom SSL for advanced JSSE developers for details. Technically this is even safer than using the global JRE truststore since only your certificate will be accepted as valid.
Add the certificate (or the certificate of the CA with which you created your self signed certificate) to the global truststore of the JRE with 'keytool'. The global JRE truststore is located in '$JAVA_HOME/lib/security/cacerts'. The password of the JRE truststore is always 'changeit'. Although this way obviously makes deployment harder, since sometimes you don't control the JRE installation.
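The first option above, as an added example that is not part of the answer: the JRE's own PKIX trust manager is built from a private truststore and handed to the SSLContext, so no X509TrustManager subclass (and no empty checkClientTrusted) is needed, and isTrustedServerChain() gives a unit test something to assert on without a network. Class and method names, the command-line layout and the Java 7+ requirement are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Trusts only the certificates in a private truststore; no X509TrustManager subclass needed. */
public final class PrivateTrustStore {
    /** Returns the JRE's own PKIX X509TrustManager, backed by the given truststore instead of cacerts. */
    public static X509TrustManager trustManager(Path trustStore, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    public static SSLContext sslContext(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** Testable without a network: true only if the chain validates against the truststore. */
    public static boolean isTrustedServerChain(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            return false; // unknown issuer, expired, or not the cert in the truststore
        }
    }

    /** Usage (assumed): java PrivateTrustStore truststore.jks changeit https://host/path */
    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManager(Paths.get(args[0]), args[1].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(sslContext(tm).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()); // SSLHandshakeException if the server cert is not trusted
    }
}
```

A JUnit test can load the certificate it expects from the same truststore, wrap it in a one-element X509Certificate[] and assert isTrustedServerChain() is true, then assert false for a certificate generated outside the truststore.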
The problem was I subclassed my test class from junit.framework.TestCase, which caused my @BeforeClass setup method not to get called (and therefore the variables I instantiated there were still null). After deleting that, things are working now.

addProvider bouncycastle filenotfoundexception

I have been able to run decryption and encryption locally using the bouncycastle jars. I have generated keys; I want to put the public key in a client (Java and Android) and the private key in a web service. I have been able to encrypt and encode a message and send the encrypted message to the webservice (on a hosted service by Lunarpages), but the webservice decryption fails with a FileNotFoundException on the line
BouncyCastleProvider bc = new BouncyCastleProvider();
or
Security.addProvider(new BouncyCastleProvider());
The bcprov-ext-jdk14-146.jar and the bcprov-jdk14-146.jar are included in the web-inf lib directory.
Is there something I can do programmatically to enable this or does Lunarpages have to do something?
I couldn't even get a stacktrace to print for me, and so I thought I might attempt a different provider to see if I get a better response - the SunJCE.
access denied (java.security.SecurityPermission insertProvider.SunJCE)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
java.security.AccessController.checkPermission(AccessController.java:401)
java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1673)
java.security.Security.check(Security.java:1307)
java.security.Security.insertProviderAt(Security.java:697)
java.security.Security.addProvider(Security.java:757)
net.wpstudios.tcws.pgp.RSAEncrypt.generateKeys(RSAEncrypt.java:81)
javax.servlet.http.HttpServlet.service(HttpServlet.java:165)
javax.servlet.http.HttpServlet.service(HttpServlet.java:103)
com.caucho.server.http.FilterChainServlet.doFilter(FilterChainServlet.java:96)
com.caucho.server.http.Invocation.service(Invocation.java:315)
com.caucho.server.http.CacheInvocation.service(CacheInvocation.java:135)
com.caucho.server.http.RunnerRequest.handleRequest(RunnerRequest.java:346)
com.caucho.server.http.RunnerRequest.handleConnection(RunnerRequest.java:274)
com.caucho.server.TcpConnection.run(TcpConnection.java:139)
java.lang.Thread.run(Thread.java:534)
Does the FileNotFound exception matter? Obviously the caucho server setup is using access restrictions on adding providers. Never mind that, if you want to develop some application level encryption/decryption you can simply use the bouncy castle crypto API directly. It's not as friendly as the JCE but it is usable enough. This might not work if you want to use a library that in its turn uses the JCA/JCE framework though.
Lunarpages has to change the permissions or add providers manually (using resin.conf, it seems), but it might be hard to change them just for you, unless you are the only one using the Java application server. It never hurts to ask I suppose.
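The lightweight-API route suggested in the answer, as an added example (not the asker's RSAEncrypt class and not a Bouncy Castle sample): RSA-OAEP with SHA-256 through org.bouncycastle.crypto directly, so Security.addProvider() is never called and the insertProvider permission in the stack trace above is never checked. It assumes a bcprov jar on the classpath and Java 7+; class and method names and the sample message are assumptions, and serialising the keys for transport is outside the example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;

/** RSA-OAEP via the Bouncy Castle lightweight API: no Security.addProvider(), so no insertProvider permission. */
public final class LightweightRsa {
    public static AsymmetricCipherKeyPair generateKeyPair(int bits) {
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        // public exponent 65537, 100 rounds of primality certainty
        gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(65537), new SecureRandom(), bits, 100));
        return gen.generateKeyPair();
    }

    private static OAEPEncoding cipher(boolean forEncryption, AsymmetricKeyParameter key) {
        OAEPEncoding c = new OAEPEncoding(new RSAEngine(), new SHA256Digest());
        c.init(forEncryption, key);
        return c;
    }

    /** Encrypts one block: at most modulus bytes - 2*hashLen - 2, i.e. 190 bytes for RSA-2048 with SHA-256. */
    public static byte[] encrypt(byte[] plaintext, AsymmetricKeyParameter publicKey) throws InvalidCipherTextException {
        return cipher(true, publicKey).processBlock(plaintext, 0, plaintext.length);
    }

    public static byte[] decrypt(byte[] ciphertext, AsymmetricKeyParameter privateKey) throws InvalidCipherTextException {
        return cipher(false, privateKey).processBlock(ciphertext, 0, ciphertext.length);
    }

    public static void main(String[] args) throws Exception {
        AsymmetricCipherKeyPair kp = generateKeyPair(2048); // client gets kp.getPublic(), service keeps kp.getPrivate()
        byte[] msg = "order 1234: ship to client".getBytes(StandardCharsets.UTF_8); // constructed sample message
        byte[] ct = encrypt(msg, kp.getPublic());
        System.out.println("round trip: " + new String(decrypt(ct, kp.getPrivate()), StandardCharsets.UTF_8));
        ct[ct.length - 1] ^= 0x01; // a corrupted ciphertext must fail OAEP decoding, not return garbage
        try {
            decrypt(ct, kp.getPrivate());
            System.out.println("unexpected: tampered ciphertext decrypted");
        } catch (InvalidCipherTextException e) {
            System.out.println("tampered ciphertext rejected: " + e.getMessage());
        }
    }
}
```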
