Signing code with Public Key

Similar Messages

• Encrypt data with public key?

  I am trying to find a class that support encryption with PublicKey.
  In the class Signature there is a method "initSign" that takes a PrivateKey as argument, but that is used for signing certificates.
  What I am looking for is to make A encrypt some data with B' public key that B can decrypt with its private key...is there any class for this scenario?

  You might want to check out these, if you haven't already:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/package-summary.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/interfaces/package-summary.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/crypto/spec/package-summary.html

• Allow privilleged users to enter into EXEC mode on login not working with public keys

  Hi,
  I have recently updated one of my Cisco ASA to v9.2(1) and noticed a function to get the perform authorization for exec shell access can do a auto-enable when logging in from ssh.
  The problem is that if I use a private/public key authentication with a user it won't do the auto-enable feature. If I login without keys and using my password, it jumps into privilleged exec mode as it should.
  Anyone else had this issue?
  Config:
  aaa authentication ssh console LOCAL
  aaa authorization exec LOCAL auto-enable
  username user password xxxxxx encrypted privilege 15
  username user attributes
   ssh authentication publickey 22:af:xxxxxx hashed
  Any answer will be highly appreciated. 
  P.S I'm totally new in this forum.

  Would you be able to open a TAC SR and once you do , Email me the SR no and i will look into this issue.
  [email protected]
  Thanks and Regards,
  Vibhor Amrodia

• Problem with public key ssh login

  Weird problem just appeared. Home computer has two accounts (A and B). I allow ssh login to both accounts via public key login (ssh-keygen). Two remote computers with accounts A' and B' on one, and A" and B" on the other.
  I can ssh into the home computer account B from account B' on one computer. I can log into the home computer account B from account B" on the other computer. I cannot ssh into the home computer account A from either A' or A", but I could last week.
  Here is what the .ssh directories look like:
  Home computer, account A:
  total 8
  drwx------ 4 userA groupA 136 Jan 30 11:51:38 2006 .
  drwxrwxr-x 25 userA groupA 850 Nov 8 20:05:58 2006 ..
  -rw-r--r-- 1 userA groupA 1216 Jan 10 13:20:20 2006 authorized_keys2
  -rw-r--r-- 1 userA groupA 447 Sep 25 15:28:42 2006 known_hosts
  Home computer, account B:
  total 16
  drwx------ 5 userB groupB 170 Oct 2 09:52:02 2006 .
  drwxr-xr-x 23 userB groupB 782 Nov 9 08:26:03 2006 ..
  -rw------- 1 userB groupB 6148 May 19 17:54:58 2006 .DS_Store
  -rw-r--r-- 1 userB groupB 1228 Jan 10 13:24:15 2006 authorized_keys2
  -rw-r--r-- 1 userB groupB 242 Oct 2 09:52:02 2006 known_hosts
  Remote computer 1, account A':
  total 16
  drwx------ 6 userA' groupA' 204 Nov 9 09:55:12 2006 .
  drwxr-xr-x 29 userA' groupA' 986 Nov 9 09:41:21 2006 ..
  -rw-r--r-- 1 userA' groupA' 41 Mar 13 12:13:17 2006 config
  -rw------- 1 userA' groupA' 736 Nov 20 13:38:54 2005 id_dsa
  -rw-r--r-- 1 userA' groupA' 607 Nov 20 13:38:54 2005 id_dsa.pub
  -rw-r--r-- 1 userA' groupA' 246 Jan 10 09:41:27 2006 known_hosts
  Remote computer 1, account B':
  total 16
  drwx------ 5 userB' groupB' 170 Nov 9 08:23:04 2006 .
  drwxr-xr-x 18 userB' groupB' 612 Nov 9 09:52:11 2006 ..
  -rw------- 1 userB' groupB' 6148 Nov 9 08:23:04 2006 .DS_Store
  -rw------- 1 userB' groupB' 668 May 25 08:51:51 2006 id_dsa
  -rw-r--r-- 1 userB' groupB' 2481 Oct 30 09:00:57 2006 known_hosts
  Remote computer 2, account A":
  total 12
  drwx------ 5 userA" groupA" 170 Jan 25 10:59:54 2006 .
  drwxr-xr-x 20 userA" groupA" 680 Nov 9 08:19:30 2006 ..
  -rw------- 1 userA" groupA" 736 Jan 10 13:14:16 2006 id_dsa
  -rw-r--r-- 1 userA" groupA" 609 Jan 10 13:14:16 2006 id_dsa.pub
  -rw-r--r-- 1 userA" groupA" 3376 Oct 31 19:48:25 2006 known_hosts
  Remote computer 2, account B":
  total 12
  drwx------ 5 userB" groupB" 170 Jan 25 11:41:48 2006 .
  drwx------ 22 userB" groupB" 748 Nov 9 10:33:00 2006 ..
  -rw------- 1 userB" groupB" 736 Jan 10 13:11:50 2006 id_dsa
  -rw-r--r-- 1 userB" groupB" 615 Jan 10 13:11:50 2006 id_dsa.pub
  -rw-r--r-- 1 userB" groupB" 2947 Nov 7 10:18:27 2006 known_hosts
  I had copied the A' id_dsa.pub from remote computer 1 to the home computer account A authorized_keys2, then I copied the A" id_dsa.pub from remote computer 2 and had appended it to the home computer account A authorized_keys2. I had done a similar thing with accounts B', B", and B on their respective computers.
  All worked great for many months, until today, when ssh connections from A' or A" into A give me the dreaded
  Permission denied,gssapi-keyex,gssapi-with-mic) error message. Pretty certain that it was as recent as earlier this week I made the A'-->A ssh connection and all was well. Meanwhile, ssh connections from B' or B" into B still work fine.
  As near as I can tell, file ownerships and permissions look okay. While ssh'ed into B from B' I even did a
  cat /Users/userA/.ssh/authorized_keys2
  and then in another Terminal window, local to the remote computer, I did a
  cat /Users/userA/.ssh/id_dsa.pub
  In the terminal windows, each key wraps over about five-and-a-half lines, and I spotchecked like the last half-dozen characters, on each Terminal window line, of remote computer 1, account A' id_dsa.pub and the first pub key entry in authorized_keys2 in home computer account A. They all match.
  I even keep a clone backup of my hard drive, and the date/timestamp of /etc/sshd_config hasn't changed (although, I'm a bit mystified why it is dated as recently as it is -- Sep 29 2006 -- don't remember doing anything to it)
  So, I'm really confused, and not sure what to try or where to look next.
  2001 Quicksilver G4 (M8360LL/A)   Mac OS X (10.4.8)  

  Hi j.v.,
  Home computer, account A:
  total 8
  drwx------ 4 userA groupA 136 Jan 30 11:51:38 2006 .
  drwxrwxr-x 25 userA groupA 850 Nov 8 20:05:58 2006 ..
  The parent directory ".." of the directory ".ssh", i.e. home directory of account A, is group-writeble. SSH considers this as "insecure". You should make it writable only by the owner.
  A@Home$ cd (cd to the home directory)
  A@Home$ chmod g-w .
  HTH
  PowerMac G4   Mac OS X (10.4.7)  

• How encrypt msg with Public Key ?

  I want to encrypt my Session Key with the public key of the recipient but how can I do ?
  I know how to encrypt with the Secret Key but not with the Public Key.
  Thanks for response
  Nicolas

  It depends on the cryptosystem of which the public key you are having.
  If it is of RSA then you have to get the cipher of RSA and pass the session key bytes as input to it.

• How to setup an ikev2 VPN with public key authentica​tion with your BB10 device

  This setup will allow you to run a VPN between your BB10.2 (and probably BB10.1) device and a debian linux computer (I am running the testing stream).  You will need to tweak this config (and possibly install strongswan server on your LAN's gateway) to get access to network resources, or access the internet via the VPN.  I have created this setup with the intention of accessing files/services on the debian computer only.
  1.  Install strongswan on your debian machine(I have v4.6.4 installed, I think the current testing version is v5.1.  If you install v5+, some lines in the config may be obsolete), and install any other extra packages you are prompted to install: 
  apt-get install strongswan strongswan-ikev1 strongswan-ikev2 strongswan-starter openssl ipsec-tools
  2.  Generate certificates on your debian server in any, starting with a certificate authority.  Edit the C= O= CN= fields to whatever you want:
  ipsec pki --gen --outform pem > caKey.pem
  ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=Certificate-Auth" --san="Certificate-Auth" --ca --outform pem > caCert.pem
  Generate a server keypair (again, editing the same fields as I indicated above.  The CN= field should be lan ip address of your strongswan server.  I would also put this as the address in --san=, or you can specify your hostname(if you have one, i.e. mydomainname.com):
  ipsec pki --gen --outform pem > serverKey.pem
  ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=192.168.1.100" --san="192.168.1.100" --flag serverAuth --outform pem > serverCert.pem
  Generate a keypair for your BB10 device (choose a CN=, and use it in the --san field @your server lan ip or hostname:
  ipsec pki --gen --outform pem > userKey.pem
  ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=bb10" --san "[email protected]"  --flag serverAuth --outform pem > userCert.pem
  3.  After generating your keys, package the client keys for your BB10 device(you will be asked to create a password): openssl pkcs12 -export -in userCert.pem -inkey userKey.pem -out bb10.pfx
  Copy the bb10.pfx file, and serverCert.pem to your BB10 device and import the certificates into the certificate store(Open Settings --> Security and Privacy --> Certificates --> Import)
  4. Move the certificates into the appropriate folders on your debian server: 
  mv caKey.pem /etc/ipsec.d/private
  mv caCert.pem /etc/ipsec.d/cacerts
  mv serverKey.pem /etc/ipsec.d/private
  mv serverCert.pem /etc/ipsec.d/certs
  5. Enable ip forwarding on your debian machine:
  edit /etc/sysctl.conf - change the following value as follows:
  net.ipv4.ip_forward=1
  Close the file and save changes.  To enable changes, type:  sysctl -p /etc/sysctl.conf
  6.  Edit config files:
            ipsec.secrets:
  : RSA serverKey.pem
          ipsec.conf:
  config setup
          strictcrlpolicy=no
          uniqueids=yes
  conn %default
          ikelifetime=60m
          keylife=20m
          rekeymargin=3m
          keyingtries=1
          keyexchange=ikev2
          leftfirewall=yes
          dpddelay=30
          dpdtimeout=120
          dpdaction=clear
  conn bb10
          mobike=yes
          ike=aes256-sha1-sha1-modp1024!
          esp=aes256-sha1!
          left=%defaultroute
          leftid="C=CA, O=none, CN=192.168.1.100"
          leftcert=serverCert.pem
          right=%any
          rightsourceip=10.10.0.1
          rightid="C=CA, O=none, CN=bb10"
          rightauth=pubkey
          leftauth=pubkey
          pfs=yes
          auto=add
  7. Start the ipsec service on your debian machine: service ipsec stop; service ipsec start
  8. Set up the VPN connection on your blackberry: Settings -->Network Connections --> VPN --> Add.
  a) Profile Name:  Give your VPN a name
  b) Server Address:  Enter your server's address
  c) Gateway Type: Generic IKEv2 VPN Server
  d) Authentication Type: PKI
  e) Authentication ID Type:  Identity Certificate Distinguished Name
  f) Client Certificate: The client certificate you imported should show up in the dropdown
  g) Gateway Auth Type: PKI
  h) Gateway Auth ID Type: Identity Certificate Distinguished Name
  i) Gateway CA Certificate:  Find the certificate authority you imported.  If you used the same name as I did above when creating the certificate, if will be called "Certificate-Auth".
  j) Perfect forward secrecy : ON
  k) Change IKE Lifetime to 3600
  l) Change IPSEC lifetime to 1200
  You can leave everything else on default settings.  Save your VPN profile.
  9. Connect to your VPN.  You should now be able to ping both ways between your blackberry and debian host.  Using the above configuration, your blackberry device will have the ip address of 10.10.0.1.

  There have been numerous bb10 updates (now 10.2.1.2977) since I first posted this mini how-to-I am not sure if it was the bb10 updates, or updates to strongswan (now v5.2.0) or my linux kernel (v3.15.3), though I am now able to use stronger hash and elliptic curve key exchange.  I am using sha384 in my example, though have also got it working with sha512.  Give it a try:
  Simply use the same process I detailed before, though change the following lines in ipsec.conf:
  ike=aes256-sha1-sha1-modp1024!
  esp=aes256-sha1!
  to
  ike=aes256-sha384-ecp521
  esp=aes256-sha384-ecp521
  Be sure to restart strongswan after you change these lines in the config.
  After this is done, change 'Automatically determine algorithm' to off in the VPN profile settings of your VPN connection profile on your blackberry.  I'm not sure why it doesn't work automatically.  State the following in this section:
  IKE DH Group:  21
  IKE CIpher: AES (256-bit key)
  IKE Hash: SHA384
  IKE PRF: HMAC-SHA384
  IPSec DH Group: 21
  IPSec Cipher: AES (256-bit key)
  IPSec Hash: SHA384

• Encrypting a vote with a servers public key...HELP!

  Hey, I really need some help( online voting application)....what I want to do it allow a voter to be able to submit a ballot(vote) via servlets, they encrypt the ballot with the servers public key and then the ballot is stored in a database, where at another time the administrator may decrypt the ballot(s) using the servers private key. I have already sorted the voters authentication(MD5), and at the moment the servlet submits the ballot in an unencrypted form....so I just need a little help from here. I enclose my code and I would be truly grateful of someone could give me a hand.
  import java.io.*;
  import javax.servlet.*;
  import javax.servlet.http.*;
  import java.sql.* ;
  public class CastVote extends HttpServlet{
  public void doPost(HttpServletRequest request, HttpServletResponse response)
  throws ServletException,IOException{
  try {
  String jmulligan= request.getParameter("jmulligan");
  String pkelly=request.getParameter("pkelly");
  String mjones=request.getParameter("mjones");
  response.setContentType("text/html");
  PrintWriter out=response.getWriter();
  Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
  Connection con = DriverManager.getConnection ("jdbc:odbc:evoting");
  Statement stmt = con.createStatement();
  stmt.executeUpdate(
  "INSERT INTO Ballot (JMulligan, PKelly, MJones)"
  + "VALUES ('"+jmulligan+"','"+pkelly+"','"+mjones+"') ");
  stmt.close();
  out.println("<HTML>\n"+
  "<HEAD><TITLE>EVoting</TITLE></HEAD>\n"+
  "<BODY BGCOLOR=\"127734\">\n"+
  "<H1>Your Ballot has been entered as follows</H1>\n"+
  "<H1>J Mulligan got "+ jmulligan +"</H1>\n"+
  "<H1> M Jones got "+ mjones +"</H1>\n"+
  "<H1> P Kelly got "+ pkelly +"</H1>\n"+
  "</BODY></HTML>");
  catch( Exception e ) {
  System.out.println(e.getMessage());
  e.printStackTrace();
  thanks
  Jacinta
  PS I have ssl configured, with a self signed cert.

  Hey!
  I am also in the middle of doing an en=voting application as part of my thesis! Its interesting to see the way other people do the voting. Well, my experience so far is that I cannot get public/private key encryption to work. I have posted many topics on this forum regarding it and the reason it wont work is that the ballot that I am trying to enctypt is too large for the ballot object . I used the RSA algoithm and it wasn't able to handle my large object. So instead I have just used a symmetric algorithm and that works fine. I think its the DES algorithm. The only problem with this is that you are using the same key to encrypt and decrypt the ballot. I dont think this is secure. It has been reccomended to me that I use this symmetric algorithm as it is, but that I then use public/private key to encrypt the symmetric key! I still have a problem with this because if the key is still encrypted with public key, the user must have acces to the private key to decrypt the symmetric key to decryt the ballot. See where I'm going?
  I would love to know of an asymmetric algorithm that can encrypt large objects. That would solve the whole security issue. I will post a replyhere if I find out the answer.
  By the way, how is your project going?
  All the best,
  Chris Moltisanti

• Message Digest with symmetric key

  Hi,
  I am new to Java Cryptography.
  My requirement is i want to digest a message using RSA generated 128 bit key and i am not able to find any functions to generate Symmetric key and also to digest a message with key. Can any one please tell me how to do. Any help would be appreciated. This is very urgent requirement.
  Thanks in advance.
  Cheers,
  Sreedhar Gupta

  RSA use a key pair :
  you can sign with the private key
  and you verify signature with public key.
  for this use class : java.security.Signature
  To have a "message digest" with a symmetric key
  use the class : javax.crypto.MAC

• Identifying Public keys??

  How to identify the public keys if there are many public keys at the client side???
  plz do let me know how to find the wanted public keys...
  asap
  thnx in advnce
  Subhash

  No a person A (other than yourself) creates a key pair. Person A submits
  his/her public key to get a certificate through a certificate request
  protocol. Once that certificate is returned to person A he/she can
  distribute his/her public key to anyone he/she wishes through whatever
  mechanisms he/she wishes. (aka email, floppy, whatever..)
  If you trust the CA who provided the certificate then it is likely you
  will trust the public key associated with it as being from person A. If
  so you can then encrypt messages to person A using his/her publickey/certificate.
  You can use keytool to take an X509 encoded public key/certificate and add
  it to your keystore locally. Once it is in your keystore you can access
  it at will for whatever operations you chose to do including encryption
  or signature verification.
  This all assumes you start out with the public certificate of the CA for
  which signed your friends public key (otherwise known as certifying) already
  on your machine. Java comes with a set of CA certificates of the most common
  CAs including verisign etc..
  If you are the CA then keep a copy of the certificate in your keystore
  and then send it to person A. Now you can get the cert from your local
  keystore anytime you need to encrypt data to be sent to person A.
  Person A should NEVER provide anyone access to his/her private key. That
  defeats the whole process. In fact person A should encrypt his/her private
  key so that should it somehow wind up exposed it is difficult for the key
  itself to be retrieved. This is typically done with PBE...

• Remote login via ssh and public keys

  I'm not exactly a UNIX expert, but I need to be able to remote login to my PowerBook. The problem with enabling ssh is that as soon as I'm on campus, all kinds of nefarious hosts try brute force attempts to crack my password. I've heard that public/private key logins are the answer, and I've managed to get the public key in the right place on my PowerBook (the private key resides on my iPhone, from which I'll be logging in). But I have two questions:
  1) How do I disable logins via user/password?
  2) When I use my private key, I'm asked to enter the password for the key -- ssh isn't properly storing that password. I've checked permissions, but how can I get ssh to store that password, as it should?

  1) In Sharing > Remote Login, do I still need an account listed to be able to use ssh logins with a public key? I ask because currently (i.e. password authentication enabled), when no accounts are listed, login via public key doesn't work. In other words, an account has to be listed for public key logins to work.
  Yes you still need an account name to login to that computer. However you don't need to specify an account in the sharing preferences. You can lock down the security further by limiting which user accounts can login via ssh.
  by default if you don't specify a username when you login it will use the username of the device your logging in from. So to use an alternative login name you would use
  ssh [email protected]
  whereas john can be anyname or your choosing.
  Put another way: if turn off password authentication for ssh in sshd_config, how should Sharing > Remote Login be configured?
  If you turn off password authentication you still need to allow your user account to login via ssh in the sharing preferences or you can allow all.
  2) According to that MacOS X Hints article:
  "Leopard has now a built-in support for SSH authentication with public keys.
  OSX has been able to use ssh public key authentication since day 1 of the beta release of osx. It is not new to leopared it has been around for years.
  Just open Terminal and ssh to your public-key-enabled server. A Keychain window appears, proposing you to enter the pass phrase, and then remembering it in your keychain. "
  I have not used this functionality as I don't use any passwords for ssh logins.
  They're talking about the password associated with the key. But on second thought, that password is being saved on the client, not the server, right?
  I am sure this is the case.

• How Sign Message with Certificate (public key)?

  Hi, I need to to send Sign xml message by Certificate file (public key) and read sign message
  so how can i do it ??
  and i should have 2 public key ?? or what ??
  please help :)
  Thanks

  ejp has answered your question, but it seems you did not understand. This forum is not a good place to learn about public key cryptography and message encryption. You should already understand these fundamentals before asking questions here. This forum is about how to implement these crypto operations in the Java programming language. If you are cheap or poor, you can try googling for the more information; wikipedia is good starting point also. If you can afford it, I recommend you buy Practical Cryptography_ by Schneier.

• Import a signed public key into a keystore

  Hai all,
  When I followed the steps listed at the end of the email, to create a cert request using keytool (from jdk 1.3.0), make it signed by a CA and import the signed public key into a keystore,
  I got the following error when I did step 9: keytool error: java.security.cert.CertificateException: IOException: data is not sufficient
  Could you please give me a help? Thanks in advance. ---
  1.Generate the CA key
  $ openssl genrsa -rand -des -out ca.key 1024
  2.Create a self signed certificate
  $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  3.Setup the OpenSSL CA tools
  $ mkdir demoCA $ mkdir demoCA/newcerts $ touch demoCA/index.txt
  $ cp ca.crt demoCA/ $ echo "01" > demoCA/serial
  4.Create a new key store for the client application
  $ keytool -keystore testkeys -genkey - alias client
  5.Export the client's public key
  $ keytool -keystore testkeys -certreq -alias client -file client.crs
  6.Sign the client's key with our CA key
  $ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem -keyfile ca.key
  7.Convert to DER format
  $ openssl x509 -in client.crs.pem -out client.crs.der -outform DER
  8.Import CA certificate into client's key store
  $ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt
  9.Import signed key into client's key store
  $ keytool -keystore testkeys -alias client -import -file client.crs.der
  (The above steps are available at <http://www.ddj.com/articles/2001/0102/0102a/0102a.htm>)
  I have created CA and Server certificates using openssl and client certificate request using keytool and it is signed by our CA.
  I am using openssl server (C++) and JSSE client (JAVA)...
  to communicate these two what certificates i need to put in the client keystore (created using keytool).
  I have imported CA into keytool ,but i am unable to import client cert into keystore.
  Please tell me some way to sort out this problem...
  Prasad.

  The following script using openssl and keytool (JDK1.3)
  works. Be sure to have the following in
  your extension directory (/opt/java1.3/jre/lib/ext):
  jcert.jar
  jnet.jar
  jsse.jar
  sunrsasign.jar
  Pierre
  #!/bin/ksh
  rm -f Keystore Config
  rm -rf certs
  mkdir certs
  touch certs/index
  echo "01" > certs/serial
  chmod 600 certs/*
  netstat > /tmp/.rnd
  echo "Creating config file for openssl"
  cat > Config <<EOCNF
  [ ca ]
  default_ca = CA_default
  [ CA_default ]
  dir = certs
  database = \$dir/index
  serial = \$dir/serial
  default_days = 365 # Duration to certify for
  default_crl_days= 30 # Time before next CRL
  default_md = SHA1 # Message digest to use.
  preserve = no # Keep passed DN ordering?
  policy = policy_anything
  [ policy_anything ]
  countryName = optional
  stateOrProvinceName = optional
  localityName = optional
  organizationName = optional
  organizationalUnitName = optional
  commonName = supplied
  emailAddress = optional
  [ req ]
  default_bits = 1024
  default_keyfile = privkey.pem
  distinguished_name = req_distinguished_name
  attributes = req_attributes
  [ req_distinguished_name ]
  countryName = Country Name (2 letter code)
  countryName_default = US
  countryName_value = US
  countryName_min = 2
  countryName_max = 2
  stateOrProvinceName = State or Province Name (full name)
  stateOrProvinceName_default = CA
  stateOrProvinceName_value = CA
  localityName = Locality Name (eg, city)
  localityName_default = Loc
  localityName_value = Loc
  0.organizationName = Organization Name (eg, company)
  0.organizationName_default = Org
  0.organizationName_value = Org
  organizationalUnitName = Organizational Unit Name (eg, section)
  organizationalUnitName_default = OrgUnit
  organizationalUnitName_value = OrgUni
  commonName = Common Name (eg, YOUR name)
  commonName_default = CN
  commonName_value = CN
  commonName_max = 64
  emailAddress = Email Address
  emailAddress_default = [email protected]
  emailAddress_value = [email protected]
  emailAddress_max = 40
  [ req_attributes ]
  EOCNF
  echo "Creating DSA params"
  openssl dsaparam -outform PEM -out DSAPARAM -rand /tmp/.rnd 1024
  echo "Creating CA key pair and cert request"
  openssl req -config Config -nodes -newkey DSA:DSAPARAM -keyout certs/caprivkey.pem -out certs/req.pem
  echo "Signing own CA cert"
  openssl x509 -req -in certs/req.pem -signkey certs/caprivkey.pem -out certs/cacert.pem
  echo "Generating client key pair and cert in keystore"
  keytool -genkey -alias myalias -keyalg DSA -keysize 1024 -keypass password -storepass password -keystore Keystore -dname "CN=Common Name, OU=Org Unit, O=Org, L=Locality, S=State, C=Country" -validity 365
  echo "Generating cert request"
  keytool -certreq -alias myalias -keypass password -storepass password -keystore Keystore -file certs/CertReq.csr
  echo "Signing client cert"
  openssl ca -config Config -policy policy_anything -batch -in certs/CertReq.csr -keyfile certs/caprivkey.pem -days 365 -cert certs/cacert.pem -outdir certs -out certs/public.pem -md SHA1
  echo "Importing CA cert into keystore"
  keytool -import -alias CA -keystore Keystore -storepass password -noprompt -file certs/cacert.pem
  # Clean the certificate file, contains extra stuff from openssl
  sed "/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/!d" \
       certs/public.pem > certs/tmp-public.pem
  cp certs/tmp-public.pem certs/public.pem
  rm certs/tmp-public.pem
  echo "Importing client cert into keystore"
  keytool -import -alias myalias -keystore Keystore -storepass password -noprompt -file certs/public.pem

• Problem with Copied Code finding Public Method

  Hi Guys,
  I'm an old R/2 programmer trying to get my head around OO coding.
  I have copied, in it's entirety, the SAP example program SAPTLIST_TREE_CONTROL_DEMO, as I'm trying to create a Tree based access to reports (don't ask, the user just wants it!).
  I've copied and activate all the standard include programs as follows:
  *& Modulpool         ZMM_COCKPIT_DISPLAY                               *
  INCLUDE ZMMC_COCKPIT_DISPLAY_TOP.
  INCLUDE ZMMC_COCKPIT_DISPLAY_CL1.
  INCLUDE ZMMC_COCKPIT_DISPLAY_O01.
  INCLUDE ZMMC_COCKPIT_DISPLAY_I01.
  INCLUDE ZMMC_COCKPIT_DISPLAY_F01.
  All the programs syntax check successfully, except ZMMC_COCKPIT_DISPLAY_F01 which displays the error message <i>'Method "HANDLE_NODE_DOUBLE_CLICK" is unknown or PROTECTED or PRIVATE'</i>, yet this does not prevent the include program from activating.
  The Section of code that is failing is:
  assign event handlers in the application class to each desired event
    SET HANDLER G_APPLICATION->HANDLE_NODE_DOUBLE_CLICK FOR G_TREE.
    SET HANDLER G_APPLICATION->HANDLE_ITEM_DOUBLE_CLICK FOR G_TREE.
    SET HANDLER G_APPLICATION->HANDLE_EXPAND_NO_CHILDREN FOR G_TREE.
    SET HANDLER G_APPLICATION->HANDLE_LINK_CLICK FOR G_TREE.
    SET HANDLER G_APPLICATION->HANDLE_BUTTON_CLICK FOR G_TREE.
    SET HANDLER G_APPLICATION->HANDLE_CHECKBOX_CHANGE FOR G_TREE.,
  When double clicking on the HANDLE_NODE_DOUBLE_CLICK, the SAP then goes to the following code in the ZMMC_COCKPIT_DISPLAY_CL1 program:
  CLASS LCL_APPLICATION DEFINITION.
    PUBLIC SECTION.
     METHODS:
       HANDLE_NODE_DOUBLE_CLICK
         FOR EVENT NODE_DOUBLE_CLICK
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY,
       HANDLE_EXPAND_NO_CHILDREN
         FOR EVENT EXPAND_NO_CHILDREN
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY,
       HANDLE_ITEM_DOUBLE_CLICK
         FOR EVENT ITEM_DOUBLE_CLICK
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY ITEM_NAME,
       HANDLE_BUTTON_CLICK
         FOR EVENT BUTTON_CLICK
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY ITEM_NAME,
       HANDLE_LINK_CLICK
         FOR EVENT LINK_CLICK
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY ITEM_NAME,
       HANDLE_CHECKBOX_CHANGE
         FOR EVENT CHECKBOX_CHANGE
         OF CL_GUI_LIST_TREE
         IMPORTING NODE_KEY ITEM_NAME CHECKED.
  ENDCLASS.
  CLASS LCL_APPLICATION IMPLEMENTATION.
    METHOD  HANDLE_NODE_DOUBLE_CLICK.
      " this method handles the node double click event of the tree
      " control instance
      " show the key of the double clicked node in a dynpro field
      G_EVENT = 'NODE_DOUBLE_CLICK'.
      G_NODE_KEY = NODE_KEY.
    ENDMETHOD.
  Lastly, the class definition, implementation and other required objects are defined in the ZMMC_COCKPIT_DISPLAY_TOP program as:
  *& Include  ZMMC_COCKPIT_DISPLAY_TOP                                   *
  REPORT SAPTLIST_TREE_CONTROL_DEMO MESSAGE-ID TREE_CONTROL_MSG.
    Screen Element Components   *********************
    CLASS LCL_APPLICATION DEFINITION DEFERRED.
    CLASS CL_GUI_CFW DEFINITION LOAD.
  CAUTION: MTREEITM is the name of the item structure which must
  be defined by the programmer. DO NOT USE MTREEITM!
    TYPES: ITEM_TABLE_TYPE LIKE STANDARD TABLE OF ZMMC_TREEITM
           WITH DEFAULT KEY.
    DATA: G_APPLICATION TYPE REF TO LCL_APPLICATION,
          G_CUSTOM_CONTAINER TYPE REF TO CL_GUI_CUSTOM_CONTAINER,
          G_TREE TYPE REF TO CL_GUI_LIST_TREE,
          G_OK_CODE TYPE SY-UCOMM.
  (NB:  ZMMC_TREEITM is a copy of the structure MTREEITM).
  All the programs are active, and have no syntax errors.
  Any ideas on how to make the error message vanish?  I don't know, but it must be resolved because it is causing the program to abend at runtime, claiming that the HANDLE_NODE_DOUBLE_CLICK cannot pass value 'NULL' to G_TREE.
  Thanks in advance.
  Stephen

  Hello Stephen
  I have made the following changes in the module pool (double-clicking on node executes a report (PFCG_MASS_TRANSPORT):
  <b>Include  TLIST_TREE_CONTROL_DEMOTOP:</b>
  * Fields on Dynpro 100
    DATA: G_EVENT(30),
          G_NODE_KEY TYPE TV_NODEKEY,
          G_ITEM_NAME TYPE TV_ITMNAME.
  * Collect nodes and items in globally accessible itabs
    DATA:
      gt_nodes    TYPE TREEV_NTAB,       " added
      gt_items    type ITEM_TABLE_TYPE.  " added
  *** INCLUDE TLIST_TREE_CONTROL_DEMOTOP
  <b>
    METHOD handle_expand_no_children.:</b>
  * Items of node with key 'New3'
        CLEAR item.
        item-node_key = 'New3'.
        item-item_name = '1'.
        item-class = cl_gui_list_tree=>item_class_text.
        item-length = 11.
        item-usebgcolor = 'X'. "
  *      ITEM-TEXT = 'SAPTROX1'.            " deleted
        item-text = 'PFCG_MASS_TRANSPORT'.  " added
      CALL METHOD g_tree->add_nodes_and_items
        EXPORTING
          node_table                     = node_table
          item_table                     = item_table
          item_table_structure_name      = 'MTREEITM'
        EXCEPTIONS
          failed                         = 1
          cntl_system_error              = 3
          error_in_tables                = 4
          dp_error                       = 5
          table_structure_name_not_found = 6.
      IF sy-subrc <> 0.
        MESSAGE a000.
      ENDIF.
      APPEND LINES OF node_table TO gt_nodes.  " added
      APPEND LINES OF item_table TO gt_items.   " added
    ENDMETHOD.                    "HANDLE_EXPAND_NO_CHILDREN
  <b>Form  CREATE_AND_INIT_TREE:</b>
  * add some nodes to the tree control
  * NOTE: the tree control does not store data at the backend. If an
  * application wants to access tree data later, it must store the
  * tree data itself.
    PERFORM build_node_and_item_table USING node_table item_table.
    CALL METHOD g_tree->add_nodes_and_items
      EXPORTING
        node_table                     = node_table
        item_table                     = item_table
        item_table_structure_name      = 'MTREEITM'
      EXCEPTIONS
        failed                         = 1
        cntl_system_error              = 3
        error_in_tables                = 4
        dp_error                       = 5
        table_structure_name_not_found = 6.
    IF sy-subrc <> 0.
      MESSAGE a000.
    ENDIF.
    APPEND LINES OF node_table TO gt_nodes.  " added
    APPEND LINES OF item_table TO gt_items.   " added
  ENDFORM.                               " CREATE_AND_INIT_TREE
  <b>METHOD  handle_node_double_click.:</b>
    METHOD  handle_node_double_click.
      " this method handles the node double click event of the tree
      " control instance
      BREAK-POINT.
      " show the key of the double clicked node in a dynpro field
      g_event = 'NODE_DOUBLE_CLICK'.
      g_node_key = node_key.
      DATA:
        ls_node    TYPE treev_node,
        ls_item    TYPE mtreeitm.
      READ TABLE gt_items INTO ls_item
           WITH KEY node_key  = node_key
                    item_name = '1'.
      IF ( syst-subrc = 0     AND
           ls_item-text IS NOT INITIAL ).
        SUBMIT (ls_item-text) VIA SELECTION-SCREEN
          AND RETURN.  " report !!!
      ENDIF.
    ENDMETHOD.                    "HANDLE_NODE_DOUBLE_CLICK
  I am not sure if I am correct but it appears that class CL_GUI_LIST_TREE does not provide any method to get hold of the node or item details. Thus, I collect them in my global itabs.
  Regards
    Uwe

• Can't read load RSA public key with JDK 1.4.2_08?

  We have been using Bouncy Castle's provider to provide RSA encryption and decryption of a login name and password for several years ... with JDKs in the 1.4.2 series up through 1.4.2_07.
  Recently, however, Sun released JDK 1.4.2_08, and suddenly any of our Java Web Start client applications are unable to successfully load the public key that we use to encrypt their login name and password before shipping it to the server for authentication with the 1.4.2_08 JRE. But, if we revert back to 1.4.2_07, everything works again.
  This public key itself has been in use for several years and the same code to read the public key has been in use for a long time ... including multiple versions of the BouncyCastle provider and all versions of the JDK up through 1.4.2_07. But suddenly things appear to break with JDK 1.4.2_08.
  This smells like a problem with JDK 1.4.2_08 so I thought that I'd check on this forum to see if any other Bouncy Castle users have experienced this problem. Is there anything further that I can do to check this out? Has any Bouncy Castle user successfully loaded a RSA public key from a byte stream with JDK 1.4.2_08? Or have people using other providers seen any problems reading similar public keys with JDK 1.4.2_08?
  The code that is failing on the client side is:
  try {
     encKey = new byte[this.publicKeyInputStream.available()];
     this.publicKeyInputStream.read(encKey);
     spec = new X509EncodedKeySpec(encKey);
     keyFactory = KeyFactory.getInstance("RSA",  "org.bouncycastle.jce.provide.BouncyCastleProvider");
     myPublicKey = keyFactory.generatePublic(spec);
     return myPublicKey;
  catch (Exception e) {
     e.printStackTrace();
  }The stack trace that I'm getting includes ...
  java.security.spec.InvalidKeySpecException: java.lang.IllegalArgumentException: invalid info structure in RSA public key
     at org.bouncycastle.jce.provider.JDKKeyFactory$RSA.engineGeneratePublic(JDKKeyFactory.java:330)
     at java.security.KeyFactory.generatePublic(Unknown Source)
     at org.opencoral.util.Encryption.loadPublicKey(SourceFile:450)
     at org.opencoral.util.Encryption.<init>(SourceFile:119)
     at org.opencoral.main.Coral.<init>(SourceFile:338)
     at org.opencoral.main.Coral.main(SourceFile:1919)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at com.sun.javaws.Launcher.executeApplication(Unknown Source)
     at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
     at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
     at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
     at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
     at com.sun.javaws.Launcher.run(Unknown Source)
     at java.lang.Thread.run(Unknown Source)While it clearly indicates that it thinks that there is an "invalid info structure in RSA public key", I believe that nothing has changed in the structure of our key ... and this same key still works properly if I revert to JDK 1.4.2_07.
  Any thoughts or insights?
  Thanks,
  John Shott

  I'm facing the same Exception here,
  With JDK 1.5 (SUNJce) i'm getting --
  Exception in thread "main" java.security.spec.InvalidKeySpecException: java.secu
  rity.InvalidKeyException: Invalid RSA public key
  at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(Unknown Source)
  With BouncyCastle i'm getting --
  Exception in thread "main" java.security.spec.InvalidKeySpecException: java.lang
  .IllegalArgumentException: invalid info structure in RSA public key
  at org.bouncycastle.jce.provider.JDKKeyFactory$RSA.engineGeneratePublic(
  JDKKeyFactory.java:345)
  Any Solution?

• Acrobat 9 Pro / Files with public+private key security

  Hi,
  I'm working at a Software Company. We want to create the Help Documents for our Software in PDF.
  We want to take care, that those PDF documents cannot be opened without our Software.
  My idea is to certificate the PDFs with a public key and the private key is hidden in our program.
  I tested a lot and read the manual, but it doesn't work.
  Thanx for some hints.
  Greetings,
  Sven
  Sorry for the lousy English, I'm from Germany.

  You might be able to write some JavaScript to solve the problem, but even in that case you need to be aware that the security of PDFs are not all that secure, particularly if one uses a 3rd party reader. Apparently several of them ignore the PDF security settings and open the PDF anyway. I do not know if that would occur if the PDF were encrypted in some way.
  So much for giving a spin on the topic. Good luck.