Is there an HTTPS Maven repository URL for spring source - java

I need an HTTPS Maven repository URL for spring source to configure in my pom.xml.
Right now I use the following HTTP URLs:
http://repository.springsource.com/maven/bundles/release
http://repository.springsource.com/maven/bundles/external

Another option to improve security is that you always verify the SHA-1 checksum after you have downloaded a dependency. Maven Central provides Spring artifacts for all released versions, as well as their corresponding SHA-1 checksums, e.g. spring-core:
spring-core-3.2.3.RELEASE.pom 230116bb23132569443ac0479c8ac7e33e9662e7
spring-core-3.2.3.RELEASE.jar accdd65db57e79e49f2af037bb76f5a55a580f00
On Ubuntu, you can use the sha1sum command:
sha1sum spring-core-3.2.3.RELEASE.jar
On Mac you can use the openssl sha1 command:
openssl sha1 spring-core-3.2.3.RELEASE.jar
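As an added example (not part of the original answer), the manual comparison above can be scripted so that a mismatch fails a build step. The helper names `sha1_of` and `verify_sha1` are hypothetical; the expected value is either the published digest itself or a `.sha1` file whose first field is the digest.

```shell
#!/bin/sh
# Added example; sha1_of and verify_sha1 are hypothetical helper names.

# Print the hex SHA-1 of FILE with whichever tool is installed.
# Reading from stdin keeps the file name out of the tool's output.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 < "$1" | awk '{print $1}'
    else
        # openssl prints "...(stdin)= <hex>"; the digest is the last field
        openssl sha1 < "$1" | awk '{print $NF}'
    fi
}

# verify_sha1 FILE EXPECTED
# EXPECTED is a 40-character hex digest, or the path of a .sha1 file whose
# first field is the digest. Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha1() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    if [ -f "$expected" ]; then
        expected=$(awk 'NR==1 {print $1}' "$expected")
    fi
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "expected value is not 40 hex digits" >&2; return 2; }
    actual=$(sha1_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
    else
        echo "MISMATCH $file (expected $expected, got $actual)" >&2
        return 1
    fi
}

# Usage: sh verify-sha1.sh spring-core-3.2.3.RELEASE.jar accdd65db57e79e49f2af037bb76f5a55a580f00
if [ "$#" -eq 2 ]; then
    verify_sha1 "$1" "$2"
fi
```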

The same links as you used, just with HTTPS:
https://repository.springsource.com/
https://repository.springsource.com/maven/bundles/release
https://repository.springsource.com/maven/bundles/external
Added after the comment
You should import the following 3 certificates into the trust store and configure Java to use it:

Related

OpenJDK11: Security provider setup

In Java 8, to set up a security provider I just needed to add the provider to the java.security file and add the provider's external library to lib/ext. Since external libraries are not allowed in later versions, how can I add a provider on JDK 11?
So far I have tried adding the provider to the java.security file in the conf/security folder.
security.provider.1=nCipherKM
I inserted the new provider at the top of the list, but when I try to call .getInstance("providerExample") I still get a NoSuchProviderException.
java.security.NoSuchProviderException: no such provider: nCipherKM
As for the lib jar itself, I do not know where I have to put it or how I can include it so that it is recognized. If I create a lib/ext folder, it says to use -classpath instead, but I also have no clue about that.
Thank you
EDIT: To complete my question, I forgot to mention that I'm using Thorntail and Maven 3.6.1 to build the project. The error I get is related to this line:
KeyStore.getInstance("ncipher.sworld", "nCipherKM");
As I said before, when I had Java 8 I only had to add the security.provider to java.security and the nCipherKM.jar to the $JAVA_HOME/lib/ext folder.

"JCE cannot authenticate the provider BC" when using sshj

I am trying to use the sshj library to create an SFTP client in an existing project of my company. However, if I create the SSHClient instance, I get the error message:
[main] INFO net.schmizz.sshj.common.SecurityUtils - Registration of Security Provider 'org.bouncycastle.jce.provider.BouncyCastleProvider' unexpectedly failed
java.lang.SecurityException: JCE cannot authenticate the provider BC
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:118)
    at javax.crypto.KeyAgreement.getInstance(KeyAgreement.java:270)
    at net.schmizz.sshj.common.SecurityUtils.registerSecurityProvider(SecurityUtils.java:88)
    at net.schmizz.sshj.common.SecurityUtils.register(SecurityUtils.java:267)
    at net.schmizz.sshj.common.SecurityUtils.isBouncyCastleRegistered(SecurityUtils.java:245)
    at net.schmizz.sshj.DefaultConfig.<init>(DefaultConfig.java:79)
    at net.schmizz.sshj.SSHClient.<init>(SSHClient.java:134)
    [... junit stacktrace ...]
Caused by: java.util.jar.JarException: Class is on the bootclasspath
    at javax.crypto.JarVerifier.verify(JarVerifier.java:286)
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:164)
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:190)
    at javax.crypto.JceSecurity.getInstance(JceSecurity.java:114)
    ... 40 more
[main] INFO net.schmizz.sshj.common.SecurityUtils - BouncyCastle not registered, using the default JCE provider
[main] INFO net.schmizz.sshj.transport.random.JCERandom - Creating new SecureRandom.
The application uses Maven to include dependencies and I added it like this:
<dependency>
    <groupId>com.hierynomus</groupId>
    <artifactId>sshj</artifactId>
    <version>0.27.0</version>
</dependency>
The sshj library includes the bouncycastle (BC) dependencies to bcpkix-jdk15on v1.60 and bcprov-jdk15on v1.60 and I've tried the following solutions:
Add the BC provider on my own, include the sshj and BC JARs directly as library and use the provided scope in maven as stated here. The provider is then added correctly but still fails with the error message from above.
Place the BC JARs in the jre/lib/ext folder.
Modify the java.security file as stated here.
Check if there is another BC version on the classpath as stated here.
However, if I create a fresh project and include sshj, everything works just fine and as expected. I compared the commands which execute my JUnit test, which creates the SSHClient, and in both projects I can find the sshj JAR and the BC JARs included in the -classpath.
I am fairly new to Maven and Spring, so I might be missing something obvious as to why everything is fine in a fresh project and not in the existing one, but I just can't figure it out.
If you need any more information, I will gladly provide it!
There are 2 classpaths in Java, the bootclasspath and the regular classpath. The bootclasspath is where java.* and javax.* are located (jre/lib/rt.jar). But because that is not loaded by the system classloader, it is not supported to drop signed/verified jars in there. You need to ensure that the BouncyCastle jars are on the regular classpath (as specified using the -classpath option in the JRE/JDK

BouncyCastle 1.51 loading in war on Wildfly 8.0

Background
I am trying to use the Bouncy Castle library to decrypt private keys in my war. I tested the code first in a standalone app and it worked fine. Now that I am testing it as a webapp in Wildfly 8.0, I am facing some issues with Bouncy Castle.
The Wildfly 8.0 I am using has the Bouncy Castle provider module installed. The BC version being used is v1.46.
The code that I have developed uses v1.51.
I have followed the steps mentioned here:
https://developer.jboss.org/thread/175395
bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC - Specifically followed instructions provided in For a specific deployment (preferred)
Already tried
Installing the JCE policy files.
Adding to the provider list.
Problem
The error I am getting is:
unable to read encrypted data: JCE cannot authenticate the provider BC
And the code which triggers the above error is as follows:
PKCS8EncryptedPrivateKeyInfo kp = (PKCS8EncryptedPrivateKeyInfo) keyPair;
InputDecryptorProvider pkcs8dec = new JceOpenSSLPKCS8DecryptorProviderBuilder()
        .setProvider(new BouncyCastleProvider())
        .build("somepass".toCharArray());
PrivateKeyInfo pko = kp.decryptPrivateKeyInfo(pkcs8dec); // <-- error here
Also, to add the details: in my pom.xml I have added the jar with compile scope, so the libs are copied into the war and get installed in WEB-INF/lib.
Any tips to fix the above problem?
I. Combining the idea of Peter (#comment) and https://developer.jboss.org/thread/175395, create "your own bc version" with a custom name:
Create a 'my.bouncycastle' module in the following manner:
Under $JBOSS_HOME/modules, create directory 'my/bouncycastle/main'. Directory 'my' might not be there. ;)
Copy bcprov-[your-version].jar into my/bouncycastle/main
Create file 'bcprov-[your-version].jar.index' in my/bouncycastle/main, which is basically the output of a jar -tf command without the ".class" lines. (pipe&edit...)
I put a blank line at the top because these .index files always seem to have one. I have attached this file as "bcprov-jdk16-1.46.jar.index".
Create a file called "module.xml", also in my/bouncycastle/main, which will point to the jar file and reference module "javax.api" as a dependency.
I have attached this file as 'module.xml'.
The module is complete.
Since I am deploying in an EAR file, I had to add a module dependency entry to my EAR's META-INF/jboss-deployment-structure.xml file, under the section, like so:
(the statement also applies to WAR files, when deployed on top-level, use the custom name as module reference)
<deployment><dependencies><module name="my.bouncycastle" slot="main" export="true"/></dependencies></deployment>
Make certain that the ear's /lib directory does NOT contain bcprov-[your-version].jar. (actually II.)
Notes:
The 'slot="main"' and 'export="true"' parameters are very important in the jboss-dependency-structure.xml file...
II. Adjust your maven dependency(ies) to:
<scope>provided</scope>
Note: Don't change the Maven dependency(ies) (group, artifact) to "my.bouncycastle", only the scope. This will ensure nice compile-time behavior in most IDEs AND will prevent your (maven-)war/jar/ear-plugin from packaging it into libs! (And it would be the correct scope for a dependency like this anyway.)

Maven error "Archetype catalog is empty" while creating Maven project for WebDriver with TestNG

I wasn't able to add the Maven artifact "ru.stqa.selenium" in Eclipse.
I downloaded the catalog file from: "https://github.com/barancev/webdriver-testng-archetype"
The steps I followed are Eclipse -> Window -> Preferences -> Maven -> Archetypes -> Add Local Catalog.
On the Local Archetype Catalog popup I have put
Catalog file location: Address of pom file from local as "D:\Software\Selenium\webdriver-testng-archetype-master\src\main\resources\archetype-resources".
Description: Some name
Now I am getting this warning message: "Archetype catalog is empty".
If I go with Add Remote catalog with remote location as "http://repo1.maven.org/maven2/archetype-catalog.xml" , it works fine.
Curious to know the reason for this strange behavior.
Effective January 15, 2020, The Central Repository no longer supports insecure communication over plain HTTP and requires that all requests to the repository are encrypted over HTTPS.
If you're receiving this error, then you need to replace all URL references to Maven Central with their canonical HTTPS counterparts:
Replace http://repo1.maven.org/maven2/ with https://repo1.maven.org/maven2/
Replace http://repo.maven.apache.org/maven2/ with https://repo.maven.apache.org/maven2/
If for any reason your environment cannot support HTTPS, you have the option of using our dedicated insecure endpoint at http://insecure.repo1.maven.org/maven2/
For further context around the move to HTTPS, please see https://blog.sonatype.com/central-repository-moving-to-https.
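As an added example (not part of the original answer or of Sonatype's notice), the two replacements listed above can be applied to a `pom.xml` or `settings.xml` and any remaining plain-HTTP repository URL reported, such as the `repository.springsource.com` URLs from the first question. The function names are hypothetical, and only the two Maven Central hosts named in the notice are rewritten.

```shell
#!/bin/sh
# Added example; fix_central_urls, list_http_urls and audit_pom are hypothetical names.

# Rewrite the two Maven Central URLs named in the notice; the original is kept as FILE.bak.
fix_central_urls() {
    sed -i.bak \
        -e 's#http://repo1\.maven\.org/maven2#https://repo1.maven.org/maven2#g' \
        -e 's#http://repo\.maven\.apache\.org/maven2#https://repo.maven.apache.org/maven2#g' \
        "$1"
}

# Print "line:url" for every <url> element that still uses http://.
# Only <url> elements are matched, so the xmlns namespace attribute is ignored.
# A project homepage <url> is reported as well and needs a manual decision.
list_http_urls() {
    grep -n -o '<url>[[:space:]]*http://[^<[:space:]]*' "$1" |
        sed 's#<url>[[:space:]]*##'
}

# audit_pom FILE: fix the Central URLs, then return 1 if any plain-HTTP <url>
# remains (each one is listed on stderr), 0 if the file is clean.
audit_pom() {
    fix_central_urls "$1" || return 2
    remaining=$(list_http_urls "$1")
    if [ -z "$remaining" ]; then
        return 0
    fi
    printf '%s\n' "$remaining" | while IFS= read -r hit; do
        printf 'plain HTTP: %s:%s\n' "$1" "$hit" >&2
    done
    return 1
}

# Usage: sh audit-pom.sh pom.xml ~/.m2/settings.xml
status=0
for f in "$@"; do
    audit_pom "$f" || status=1
done
```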

Deployment Rule Sets and Java 7u51

I am trying to create a deployment rule set as described here: link
I created a simple rule, to allow everything from localhost like
<rule>
    <id location="http://localhost" />
    <action permission="run" />
</rule>
After I self-signed the jar file and deployed it in Windows, when I try to run a self-signed app (jnlp) from localhost it is still blocked.
Application Blocked by Deployment Rule Set.
Can not verify self-signed Deployment Rule Set jar
Q: Can anyone tell me why it is not working? Do I have to sign the deployment jar with a verified certificate? I tried to use the deployment rules to avoid the block for my application. I don't want to lower the security or add my site to the trusted list.
Looks like the rule set jar has to be signed with a verified cert:
The rule set defined in the ruleset.xml file must be packaged in a signed JAR file named DeploymentRuleSet.jar. The JAR file must be signed with a valid certificate from a trusted certificate authority.
(from http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/deployment_rules.html#package)
This article seems to offer an alternative, which involves importing the self-signed cert on all target machines:
https://blogs.oracle.com/java-platform-group/entry/self_signed_certificates_for_a
HTH
I have just been through this process and I was successful. I followed this blog post to make my own ruleset and it worked like a charm, but with one trick: in the command to sign the jar, the NA must be replaced by the certificate password, or you must omit the storepass parameter so it will ask for the password interactively.
I think you should check:
You imported your cert as a signing CA so the jar signature can be verified (see the blog post).
Your ruleset follows the specification strictly. I had to remove some comments I added to the ruleset as it failed.
Remove the http:// from the location
