Develop Reference

Unzip Password Protected File in R using WinZip

I am trying to use R to unzip password protected files from a drive without using 7-zip. My organisation doesn't have access to it, we use WinZip for everything.
I have searched far and wide here but cannot find a post that satisfies the question.
I have a file that is zipped and contains a single XML file. I need to automate the collation of this data, my thinking is unzip then read. I have found these that I can't see what I need to do:
Using unzip does not support passwords - unzip a .zip file
e.g. unzip(file.xml.zip) produces
Warning message: In unzip(zipfile = "file.xml.zip") : zip file is corrupt
And the file is not corrupt as I can manually unzip it fine afterwards.
Using 7-Zip (I can't access this) - Unzip a password protected file with Powershell
Reading without unzipping (get "error reading from the connection) - Extract files from password protected zip folder in R
read_xml(unz("file.xml", "file.xml.zip"))
produces
Error in open.connection(x, "rb") : cannot open the connection In addition: Warning message: In open.connection(x, "rb") : cannot open zip file 'file.xml'
I have tried looking at Expand-Archive in PowerShell and trying to call that through R but am not having much luck, please someone help me!
With PowerShell I use
Expand-Archive -Path 'file'
which produces:
Exception calling "ExtractToFile" with "3" argument(s): "The archive entry was compressed using an unsupported compression method."

I don't have WinZip, but since both it and unzip.exe (within Rtools-4.2) support password-encoding, then we should be able to use similar methods. (Or perhaps you can use unzip included with Rtools.)
Setup:
$ echo 'hello world' > file1.txt
$ echo -e 'a,b\n11,22' > file2.csv
$ c:/rtools42/usr/bin/zip.exe -P secretpassword files.zip file1.txt file2.txt
adding: file1.txt (stored 0%)
adding: file2.txt (stored 0%)
$ unzip -v files.zip
Archive: files.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
12 Stored 12 0% 2023-02-09 10:03 af083b2d file1.txt
10 Stored 10 0% 2023-02-09 10:03 1c1d572e file2.csv
-------- ------- --- -------
22 22 0% 2 files
$ unzip -c files.zip file1.txt
Archive: files.zip
[files.zip] file1.txt password:
Okay, now we have a password-protected zip file.
In R,
readLines(pipe("unzip -q -P secretpassword -c files.zip file1.txt"))
# [1] "hello world"
read.csv(pipe("unzip -q -P secretpassword -c files.zip file2.csv"))
# a b
# 1 11 22
WinZip does support a command-line interface, so we should be able to use it within pipe (or system or similar). It does support passwords, I believe it uses the -s argument instead of -P. I don't know if it supports extracting a file to stdout, so you might need to explore its command-line options for that, and if not then work out storing the document to a temporary directory.
Or, assuming you have Rtools installed, you can use its unzip as above without relying on WinZip.
Note:
Including the password as a command-line argument is relatively unsafe: users on the same host (if a multi-user system) can see the password in clear text by looking at the process list. I'm not certain if there's an easy way around this.

how to use openssh keys with paramiko [duplicate]

I am trying connect to server using following spinet
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ip = ['x.x.x.x']
key_file = "/Users/user/.ssh/id_rsa"
key = paramiko.RSAKey.from_private_key_file(key_file)
ssh.load_system_host_keys()
ssh.connect(ips, port=22, username='XYZ', pkey=key, timeout=11)
But I am getting an error:
not a valid RSA private key file

I faced a similar situation and ssh-keygen comes to my help. You should make a copy of id_rsa and convert it to RSA type with ssh-keygen.
To Convert "BEGIN OPENSSH PRIVATE KEY" to "BEGIN RSA PRIVATE KEY"
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

Recent versions of OpenSSH (7.8 and newer) generate keys in new OpenSSH format by default, which starts with:
-----BEGIN OPENSSH PRIVATE KEY-----
That format is fully supported by the Paramiko since version 2.7.1 (2019-12-09) only.
If you are stuck with an older version of Paramiko, you can use ssh-keygen to convert the key to the classic OpenSSH format:
ssh-keygen -p -f file -m pem -P passphrase -N passphrase
(if the key is not encrypted with a passphrase, use "" instead of passphrase)
For Windows users: Note that ssh-keygen.exe is now built-in in Windows 10. And can be downloaded from Microsoft Win32-OpenSSH project for older versions of Windows.
On Windows, you can also use PuTTYgen (from PuTTY package):
Start PuTTYgen
Load the key
Go to Conversions > Export OpenSSH key.
For RSA keys, it will use the classic format.
If you are creating a new key with ssh-keygen, just add -m PEM to generate the new key in the classic format:
ssh-keygen -m PEM
Note that you can get the error, also when you are trying to use a completely different key format, like ssh.com or PuTTY .ppk. Then you will have to convert the key in any case.
For ssh.com format, see Paramiko: "not a valid DSA private key file".
For PuTTY .ppk format, use PuTTYgen as shown above.

The paramiko.RSAKey.from_private_key_file method requires the private key file to be in "PEM" format. Examine the file you're trying to read and see if it begins with a line that says:
-----BEGIN RSA PRIVATE KEY-----
If it doesn't have that line then it's not PEM.
If it's not PEM then you'll have to find some way to create a PEM version of the private key. (EDIT: the original poster used PuTTY's puttygen utility to export the private key into a PEM-format file.)
Make sure that the new file has the same ownership and limited access permissions that the original id_rsa file has, so that nobody can steal the key by reading the file. Then, obviously, modify your paramiko call to read the key from the new PEM-format file.

I have encountered the same error while I was connected with ssh to an Ubuntu VM.
In my terminal SSH_AUTH_SOCK environment variable is not defined, and paramiko throws the not a valid RSA private key file error.
However, if I am connected in a graphical session to the same machine, the graphical terminal has got SSH_AUTH_SOCK defined, and Paramiko is happy.
As a workaround, I have copied the content of SSH_AUTH_SOCK in my SSH terminal and it works better.

As I checked, there was no issue with the path as well permissions(only read permission on the RSA file will work), so the problem was with the Paramiko version.
I updated it using the below command and it resolved the issue for me.
pip3 install paramiko update

Sign JAR without JRE but with OpenSSL?

Our system has Java and C parts. On the C side, we are signing certain data using command-line scripts calling OpenSSL commands. Now we want to sign some JARs too. We already have established PKI (what is important for this case - private keys are accessible) "on the C side" and we try to avoid duplicating/extending that to the Java side.
What would be an easy way to get the JAR signed for someone who does not want to have JRE (but has OpenSSL)? I.e. I want to create the correct MANIFEST.MF, KEY.SF and KEY.?SA for my JAR. Their format is not complicated and this seems to be doable with some scripting. Has anyone done this before?

Answering own question.
Format of MANIFEST.MF and KEY.SF is documented by Oracle. Surprisingly, exact content of the signature KEY.?SA (where "KEY" is the keystore alias of the signing key) is not detailed in the "Signature File" section.
This KEY.RSA (for RSA signatures) can be created by OpenSSL command-line tools in exactly the way jarsigner creates it. Example for RSA signature and SHA256 digest:
$ openssl smime -sign -noattr -in META-INF/TEST1.SF -outform der -out META-INF/TEST1.RSA -inkey privateKey.pem -signer cert.pem -md sha256
Similarly the signature can be produced with OpenSSL C API. Snap of C code (no error checking):
/* PKCS7_PARTIAL flag is needed to be able to change the digest from the default value */
PKCS7 *signed_data = PKCS7_sign(NULL, NULL, NULL, data,
PKCS7_NOATTR | PKCS7_DETACHED | PKCS7_PARTIAL
);
digest = EVP_get_digestbyname("sha256");
PKCS7_sign_add_signer(signed_data, signcert, pkey, digest, flags);
PKCS7_final(signed_data, NULL, 0);
Signature created in this way is identical to what jarsigner would have produced.

Centos 6.5 Samba 3 You don't have permission from user

I have an error while i want to copy my file in centos 6.5 using samba to my windows 7 folder.
This is the error message :
you need permission to perform this action
You require permission from ERP\hao to make change to this file.
[global]
workgroup = MYGROUP
server string = Samba Server Version %v
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
security = user
[erp]
comment = ERP
path = /opt/erp
public = yes
writable = yes
printable = no
browseable = no
create mask = 0777
create mode = 0777
directory mode = 0777
share modes = yes
force user = hao
force group = hao
read only = no
File that i want to copy location :
/opt/erp/mve
my samba path
/opt/erp
[hao#erp mve]$ stat -c '%a %n' *
777 7841e10a957d4bceb2205632c49543af.ygk
777 p18i13847jgnl1s91kujqlh1t9c3.ygk
[hao#erp erp]# ls -l mve/
-rwxrwxrwx. 1 hao hao 63467455 Mar 10 21:38 7841e10a957d4bceb2205632c49543af.ygk
-rwxrwxrwx. 1 hao hao 111912448 Mar 10 21:46 p18i13847jgnl1s91kujqlh1t9c3.ygk
[root#erp erp]# smbd --version
Version 3.6.9-167.el6_5
[hao#erp erp]# ls -l
drwxrwxrwx. 2 hao hao 4096 Mar 11 09:42 mve
I Can copy all files in /opt/erp except in mve folder.
Please help, how to fix this problem. Please advice. Thank you.

This worked for me on Windows 7 when using CentOS 6.5.
http://rbgeek.wordpress.com/2012/05/25/how-to-install-samba-server-on-centos-6/
Slight changes to instructions..
The workgroup will need to change based on yours specifically (set value in /etc/samba/smb.conf).
Use \\192.168.x.x\ instead of \\centos on Windows.
You'll need to create the folders /samba and /samba/share and set permissions appropriately.
If your OS doesn't have nano (per the instructions), then install that before you begin... yum install nano
Run restart commands (2 of them) at the end twice, since the shutdown won't apply. Make sure you get OK on both.

I had a similar problem and it turned out to be related to the SELinux security context.
I had to run the command chcon -t samba_share_t /<path>/<to>/<share> -R.
Now i can create and change files in the shared folder.

Openssl command line troubles

Edit: Haven't solved my problems, but I've moved on to new and more exciting problems.
Leaving this here in case anyone has and insightful that'll help someone who stumbles on to this question in the future.
Hi,
I'm attempting to send an encrypted email from php to outlook. As such, I need to generate a certificate to import into outlook. I had no problem generating a set of keys using openssl and the CA.pl script that comes with it, but when I try to run the command to generate the PKCS12 file to import into outlook it complains about a missing "demoCA" directory. It appears this directory is a part of openssl, and is referenced in the openssl config... but i have no idea where it is. I've searched the drive in many ways from grep to spotlight (on os x, though i really wasn't expecting spotlight to find anything), and can't come up with anything.
The command I was trying to run is:
$ openssl ca -cert newcert.pem -ss_cert newcert.pem
Using configuration from /sw/etc/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory trying to load CA private key
19918:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
19918:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:
I am a bit of a noob when it comes to encryption / SSL, so I might be missing something stupid (I'm sure if it, haha).

You should create a new CA by means of the script provided, which is easier than just handle all the openssl options. You can do this be means of openssl bundled with Cygwin inside Windows itself or use your favourite Unix distro. I will show you how to do it with bash scripts (but perl scripts should be the same).
$ ./CA.sh -newca
This creates demoCA directory with the CA certificate inside it. As you invoke above command you will be prompt about the fields of the CA certificate (CN, OU, etc.) and CA private key passphrase.
Now you can create certificate requests or certificates from certificate requestes.
$ ./CA.sh -newreq
This prompts for a new certificate request fields and the passphrase to encrypt the private key generated. By default the request is left in the same directory as CA.sh (newreq.pem). It is important that you use as CN (Common Name) the email address you have.
Now you only need to sign it and you have a full blown certificate.
$ ./CA.sh -sign
This will generate newcert.pem which is the signed certificate request. You have your certificate, you only need to pack the certificate and the private key inside a PFX or P12 file, that Microsoft CSP recognizes.
Then copy the contents of newreq.pem and newcert.pem into a file.
$ cat newreq.pem > keypair.pem
$ cat newcert.pem >> keypair.pem
And now generate P12 file by means of openssl shell (this time we don't have the help of any script). It will prompt you for the passphrase you used when request was generated and then the export password (to encrypt private key inside p12 file).
$ openssl pkcs12 -export -in keypair.pem -out mykeypair.p12
Enter pass phrase for keypair.pem:
Enter Export Password:
Verifying - Enter Export Password:
Et voilà. You have a PKCS#12 file that you can double click in Windows and import it to your keystore and use it as a mail signing certificate (I don't remember if default options are enough or you need to specify some additional attributes when creating the certificate so Outlook recognizes as a e-mail signing certificate). You will also need to import CA certificate as a trusted CA (copy cacert.pem to cacert.cer that is inside demoCA directory and double click it to import).