Trusted Timestamps - understanding the format (rfc3161) - trusted-timestamp

[edit: I've written a blogpost that explains everything in detail: look here]
Hi!
I'm desperately trying to build a service for trusted timestamps based on rfc3161. I've decided to use the free trusted timestamp service at zeitstempel.dfn.de.
My question is how I shall contact this service in order to receive a valid response. Regarding the request format, the RFC tells:
    TimeStampReq ::= SEQUENCE {
        version         INTEGER { v1(1) },
        messageImprint  MessageImprint,
            --a hash algorithm OID and the hash value of the data to be
            --time-stamped
        reqPolicy       TSAPolicyId OPTIONAL,
        nonce           INTEGER OPTIONAL,
        certReq         BOOLEAN DEFAULT FALSE,
        extensions      [0] IMPLICIT Extensions OPTIONAL }

where

    MessageImprint ::= SEQUENCE {
        hashAlgorithm   AlgorithmIdentifier,
        hashedMessage   OCTET STRING }
I've found a client which helped me a bit.
Nevertheless, I still don't know how I should construct the request for the timestamp service.
Regards!

I'm glad that you find our software helpful. But you refer to our old service. Please visit www.ntp.org.pl - you'll find there the latest version of timestamping client and a lot of other useful free software related to time topic.
I'm not sure what you want to do. Maybe if you give a few more details, I'd be able to help you better. Anyway, I'll give you some hints, where to find some precious information.
First of all, you should look at the OpenSSL project:
http://www.openssl.org/docs/apps/ts.html#
There is an example of how to create a TSRequest. The request is stored in a file, so you can read its content. Later, you can send the request to the server using this:
http://www.openssl.org/docs/apps/tsget.html#
Another trick you can do is to install some sniffer (for example Wireshark - www.wireshark.org/ ), start our client from www.ntp.org.pl , send a request, then find the proper packet in Wireshark to see what it contains.
Feel free to ask, if you have some additional questions. Please, give some more information about your service.
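
Added example (not part of the original thread, and not the code of the client or of OpenSSL mentioned above): a hand-rolled DER encoder that builds the TimeStampReq quoted in the question for a SHA-256 imprint, leaving reqPolicy and extensions out. The function names are this example's own; per RFC 3161 the resulting bytes go in the body of an HTTP POST with Content-Type application/timestamp-query.

```python
import hashlib
import secrets

# Content bytes of the OID 2.16.840.1.101.3.4.2.1 (id-sha256)
SHA256_OID = bytes.fromhex("608648016503040201")


def der_len(n):
    """DER definite length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Non-negative INTEGER; sizing by bit_length // 8 + 1 keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_timestamp_req(data, nonce=None, cert_req=True):
    """Encode TimeStampReq (version, messageImprint, nonce, certReq) for SHA-256."""
    digest = hashlib.sha256(data).digest()
    alg_id = tlv(0x30, tlv(0x06, SHA256_OID) + tlv(0x05, b""))  # OID + NULL parameters
    imprint = tlv(0x30, alg_id + tlv(0x04, digest))             # MessageImprint
    body = der_int(1) + imprint                                  # version v1(1)
    if nonce is not None:
        body += der_int(nonce)          # lets the client match reply to request
    if cert_req:
        body += tlv(0x01, b"\xff")      # TRUE; the FALSE default is omitted in DER
    return tlv(0x30, body)


if __name__ == "__main__":
    # Constructed sample input; a real caller passes the document's bytes.
    req = build_timestamp_req(b"constructed sample document", nonce=secrets.randbits(64))
    print(len(req), req.hex())
```

The nonce and certReq fields are optional in the structure; sending a fresh nonce and checking that the reply echoes it ties a response to this particular request.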

Related

Chilkat - Encode into PKCS7 the following elements : XML Signed Document + Signature certificate itself encoded X509

We are trying to automate certain processes with Chilkat.
In particular we are trying to generate a PKCS7 document that contains the following features:
A signed xml document. This signing is done via smartcard and the
output must include the signature. For this point, we are using the
crypt2 object with :
EncodingMode, HashAlgorithm and charset attributes
SetSigningCert, OpaqueSignStringENC methods
We need also to include the signer's digital signature certificate in X.509 ASN encoding.
This second point is where we are having some problems.
We have obtained a valid signed document according to the 2 points through the createp7m method for manual testing but the point of our program is to automate the process in memory. Therefore, we are trying to use the OpaqueSignStringENC("original xml to sign") but we believe the point (2) is not being taken into account.
I don't know if anyone has encountered a similar problem. I just recently started working with encryption, certificates...sorry if I am explaining myself incorrectly.
Thanks everyone for your help and time

How to connect Adobe Captivate XApi course with YetAnalytics or LRS (Learning record system)?

I am trying to connect my Adobe Captivate XApi course to the LRS (YetAnalytics). I have very little information as to what I should add in this code of tc-config.js in the course files:
    // Pre-configured LRSes that should receive data, added to what is included
    // in the URL and/or passed to the constructor function.
    //
    // An array of objects where each object may have the following properties:
    //
    // endpoint: (including trailing slash '/')
    // auth:
    // allowFail: (boolean, default true)
    // version: (string, defaults to high version supported by TinCanJS)
    //
    TC_RECORD_STORES = [
        {
            endpoint : "",
            auth : "",
            allowFail: ,
            version: "",
        }
    ];
Generally you should avoid using that functionality. That code is leveraged by an underlying library in Captivate (Rustici Driver) for packages with a tincan.xml file. That package will be launched with an LRS endpoint and authentication credential which is where it will send the statements that it generates. Generally it is a much better idea to send all statements to that configured LRS and then figure out a way to get those statements either forwarded from or pulled from that LRS into your additional LRS(s).
This is for two main reasons. First, by using this functionality you have to hard code a credential into the package, which makes it insecure and indistinguishable during requests; this is generally just bad. Second, there is little to no error handling around calls that leverage this functionality, so if you set allowFail to false, exceptions will go uncaptured and the content will likely behave in strange ways (or break completely); if you set allowFail to true, then you will have no recourse when a call fails and you potentially will not know that you've lost data.
(Unfortunately, I know this because I implemented the functionality originally a very long time ago before fully understanding all of the ramifications.)
But just so I've answered your actual question, if you wish to not heed my advice, then the values that should go there will be passed through to the constructor for a TinCan.LRS object which is documented here: http://rusticisoftware.github.io/TinCanJS/doc/api/latest/classes/TinCan.LRS.html
The auth being the most tricky, it should be a value that is a full Authorization header value as needed to connect to the LRS, very often a Basic Auth header.

Does OPENAM support SHA-256 encryption

As per my knowledge and research which I have done over the internet, it seems that currently OPENAM does not support SHA-256 encryption. I am using SAML authentication in my project, and currently using an old openfed jar which does not support the SHA 256 encryption. I went through the latest jar also and found that openam does not support it.
FYI ..
Following is the snippet of QuerySignatureUtil.java :
    final String querySigAlg;
    final String alg = privateKey.getAlgorithm();
    switch (alg) {
        case "RSA":
            //Defaulting to RSA-SHA1 for the sake of interoperability
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_RSA,
                    XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1);
            break;
        case "DSA":
            //Defaulting to SHA1WithDSA as JDK7 does not support SHA256WithDSA
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_DSA,
                    XMLSignature.ALGO_ID_SIGNATURE_DSA);
            break;
        case "EC":
            querySigAlg = SystemPropertiesManager.get(SAML2Constants.QUERY_SIGNATURE_ALGORITHM_EC,
                    XMLSignature.ALGO_ID_SIGNATURE_ECDSA_SHA512);
            break;
        default:
            SAML2Utils.debug.error(classMethod + "Private Key algorithm not supported: " + alg);
            throw new SAML2Exception(SAML2Utils.bundle.getString("algorithmNotSupported"));
    }
While going through the internet I have found the ticket https://bugster.forgerock.org/jira/browse/OPENAM-8627
But it seems that it was done only for .NET fedlet.
Can someone
Well firstly, SHA-256 is not an encryption algorithm.
Digital signatures can use SHA256 as digest algorithm, yes. As you can see in the source of the QuerySignatureUtil, the actual algorithm is now configurable and can take lots of different values. The configuration retrieval is done with the SystemPropertiesManager calls in your snippet, and the config can come from two places:
For fedlet: the properties should be defined in FederationConfig.properties.
For the OpenAM server, the settings can be found under the Common Federation Configuration in the Global settings.
If you want to take a look at the digital signature implementation, then there are two classes of interest:
FMSigProvider: this class deals with proper XML signatures, all the digital signatures will be part of the XML document as per xmldsig spec.
QuerySignatureUtil: this class mainly deals with querystring signing, which has different set of rules than regular XML signatures. In this case the signature will not be part of the signed XML document, instead the signature will be put on the query string. The SAML binding spec that describes the HTTP-Redirect binding discusses this in more details.
If you want to control the DigestMethod value within the digital signature, then you need to have a look at OPENAM-7778, that was implemented in 13.5.0.
If you want to encrypt SAML messages using 256 bit encryption algorithms, then you will need to install the JCE jurisdiction files, after that, you should be able to configure http://www.w3.org/2001/04/xmlenc#aes256-cbc as XML encryption algorithm.

Convert FedEx beta webservice to live

I'm trying to convert a beta web-service to live. After removing the word beta from the web-service [i.e. in web.config: endpoint address="https://wsbeta.fedex.com:443/web-services/rate"], this web service is not fetching the value. Any suggestions as to why this is happening, or am I missing any procedure? Any guidance/suggestions on this.
To move a system from testing to production, it is not only necessary to remove the word beta from the testing URL address:
From:
"https://wsbeta.fedex.com:443/web-services/rate";
To:
"https://ws.fedex.com:443/web-services/rate";
(when doing this change make sure you are replacing ALL occurrences of wsbeta. to ws. in your solution.)
But also you need to change the MeterNumber, include the Password and Key. When you sign up for the Production Key you will get all this information on the email and also you'll get the Key as soon as you sign up (you won't get that key on the email so be careful and write down that information).
With those pieces of information you should be good to go. If you are getting an exception that's a different story, let us know what exception you are getting.

Access file system through query string or params

I have been given a task of reproducing the issue/testing the unauthorized access to file system through request.param and query string.
For instance, I have something like this: request.querystring("blah");
How could somebody pass "../../../b1/b2" in the query string and access file system.
This may be related to cross site scripting.
Need help..at least provide resources. Thanks in advance.
Wish I could provide a definitive answer, but can at least steer you in some direction. Not sure how confident you are that request.querystring() was indeed responsible, but some possibilities are:
Directory Traversal/Path Traversal:
Overview: http://en.wikipedia.org/wiki/Directory_traversal
Testing For: http://www.owasp.org/index.php/Testing_for_Path_Traversal
Remote File Inclusion:
Overview: http://en.wikipedia.org/wiki/Remote_file_inclusion
Tutorial: http://www.offensivecomputing.net/?q=node/624 (KnightLighter's Tutorial)
Hope this moves you in the right direction.
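
Added example (not from the original answer): the directory traversal case from the question, with the unchecked join beside a check that canonicalises the path and rejects anything that resolves outside the base folder. It is written in Python rather than the ASP of the question; the function names and the temporary base folder are this example's own.

```python
import os
import tempfile


def naive_resolve(base_dir, name):
    """Risky pattern: the request value is joined to the base and used as-is."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_resolve(base_dir, name):
    """Canonicalise (symlinks included), then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath compares whole components, so /srv/docs_private does not
    # pass as "inside" /srv/docs the way a startswith() check would let it.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{name!r} resolves outside {base!r}")
    return target


def is_allowed(base_dir, name):
    """True when the request value stays inside base_dir after canonicalisation."""
    try:
        safe_resolve(base_dir, name)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    base = tempfile.mkdtemp()           # constructed stand-in for the served folder
    for value in ["report.txt", "../../../b1/b2", "/b1/b2"]:
        print(f"{value!r:20} naive -> {naive_resolve(base, value)}  "
              f"allowed: {is_allowed(base, value)}")
```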
