Develop Reference

How to use OpenSSL command line to operate(signature, for example) after loading OpenSSL engine?

I wrote a self-defined OpenSSL engine and engine tester in ubuntu 20.4. And the OpenSSL version is 1.1.1.
The goal is to use engine in TLS session, and the first step is to use command line to sign a digest. The reference website is:
https://wiki.openssl.org/index.php/Creating_an_OpenSSL_Engine_to_use_indigenous_ECDH_ECDSA_and_HASH_Algorithms
But the tester use the engine by calling the function, like ECDSA_sign and ECDSA_verify in the code, which can't act as expected. I hope to achieve the effect like:
$ openssl dgst -engine <engine_id> -sha256 -sign -out
So what should I do? And is this practicable?
Thanks a lot!

That OpenSSL wiki page is useful for beginners to learn how OpenSSL engine works, but it is too old that a lot of APIs in the page has been deprecated, especially the ECC functions.
Yes it is practicable.
Copy your YOUR_ENGINE_NAME.so to /usr/lib/x86_64-linux-gnu/engines-1.1/, then edit /etc/openssl.cnf to tell OpenSSL command line utility to start with loading your engine:
# Insert near top of file openssl.cnf:
openssl_conf = openssl_init
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
......
......
# Insert at bottom of file openssl.cnf:
[ openssl_init ]
engines = engine_section
[ engine_section ]
YOUR_ENGINE_NAME = YOUR_ENGINE_NAME_section
[ YOUR_ENGINE_NAME_section ]
engine_id = YOUR_ENGINE_NAME
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/YOUR_ENGINE_NAME.so
default_algorithms = ALL
init = 1
You can put some printf info in your engine's init function. It will display after OpenSSL command line utility started if the engine is properly loaded:
$ openssl
engine bind start
YOUR_ENGINE init success
OpenSSL>

Host key not found error with pysftp SFTP connection [duplicate]

I am writing a program using pysftp, and it wants to verify the SSH host Key against C:\Users\JohnCalvin\.ssh\known_hosts.
Using PuTTY, the terminal program is saving it to the Registry [HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys].
How do I reconcile the difference between pysftp and PuTTY?
My code is:
import pysftp as sftp
def push_file_to_server():
s = sftp.Connection(host='138.99.99.129', username='root', password='*********')
local_path = "testme.txt"
remote_path = "/home/testme.txt"
s.put(local_path, remote_path)
s.close()
push_file_to_server()
The error response I am receiving is:
E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp\__init__.py:61:
UserWarning: Failed to load HostKeys from C:\Users\JohnCalvin\.ssh\known_hosts. You will need to explicitly load HostKeys (cnopts.hostkeys.load(filename)) or disableHostKey checking (cnopts.hostkeys = None).
warnings.warn(wmsg, UserWarning)
Traceback (most recent call last):
File "E:\OneDrive\Python\GIT\DigitalCloud\pysftp_tutorial.py", line 14, in <module>
push_file_to_server()
File "E:\OneDrive\Python\GIT\DigitalCloud\pysftp_tutorial.py", line 7, in push_file_to_server
s = sftp.Connection(host='138.99.99.129', username='root', password='********')
File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp\__init__.py", line 132, in __init__
self._tconnect['hostkey'] = self._cnopts.get_hostkey(host)
File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp\__init__.py", line 71, in get_hostkey
raise SSHException("No hostkey for host %s found." % host) paramiko.ssh_exception.SSHException: No hostkey for host 138.99.99.129 found.
Exception ignored in: <bound method Connection.__del__ of <pysftp.Connection object at 0x00000222FF3A6BE0>>
Traceback (most recent call last):
File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp\__init__.py", line 1013, in __del__
self.close()
File "E:\Program Files (x86)\Anaconda3\lib\site-packages\pysftp\__init__.py", line 784, in close
if self._sftp_live:
AttributeError: 'Connection' object has no attribute '_sftp_live'

The pysftp has some bugs regarding host key handling, as described below. It also seems that the pysftp project was abandoned. Consider using Paramiko directly instead. The pysftp is just a wrapper on top of Paramiko and it does not add anything really significant. See pysftp vs. Paramiko.
For handling of host keys in Paramiko, see:
Paramiko "Unknown Server"
If you want to keep using pysftp, do not set cnopts.hostkeys = None (as the second most upvoted answer shows), unless you do not care about security. You lose a protection against Man-in-the-middle attacks by doing so.
Use CnOpts.hostkeys (returns HostKeys) to manage trusted host keys.
cnopts = pysftp.CnOpts(knownhosts='known_hosts')
with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:
where the known_hosts contains a server public key(s)] in a format like:
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
If you do not want to use an external file, you can also use
from base64 import decodebytes
# ...
keydata = b"""AAAAB3NzaC1yc2EAAAADAQAB..."""
key = paramiko.RSAKey(data=decodebytes(keydata))
cnopts = pysftp.CnOpts()
cnopts.hostkeys.add('example.com', 'ssh-rsa', key)
with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:
Though as of pysftp 0.2.9, this approach will issue a warning, what seems like a bug:
"Failed to load HostKeys" warning while connecting to SFTP server with pysftp
An easy way to retrieve the host key in the needed format is using OpenSSH ssh-keyscan:
$ ssh-keyscan example.com
# example.com SSH-2.0-OpenSSH_5.3
example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB...
(due to a bug in pysftp, this does not work, if the server uses non-standard port – the entry starts with [example.com]:port + beware of redirecting ssh-keyscan to a file in PowerShell)
You can also make the application do the same automatically:
Use Paramiko AutoAddPolicy with pysftp
(It will automatically add host keys of new hosts to known_hosts, but for known host keys, it will not accept a changed key)
Though for an absolute security, you should not retrieve the host key remotely, as you cannot be sure, if you are not being attacked already.
See my article Where do I get SSH host key fingerprint to authorize the server?
It's for my WinSCP SFTP client, but most information there is valid in general.
If you need to verify the host key using its fingerprint only, see Python - pysftp / paramiko - Verify host key using its fingerprint.

One option is to disable the host key requirement:
import pysftp
cnopts = pysftp.CnOpts()
cnopts.hostkeys = None
with pysftp.Connection(host, username, password, cnopts=cnopts) as sftp:
sftp.put(local_path, remote_path)
You can find more info about that here:
https://stackoverflow.com/a/38355117/1060738
Important note:
By setting cnopts.hostkeys=None you'll lose the protection against Man-in-the-middle attacks by doing so. Use #martin-prikryl answer to avoid that.

Try to use the 0.2.8 version of pysftp library.
$ pip uninstall pysftp && pip install pysftp==0.2.8
And try with this:
try:
ftp = pysftp.Connection(host, username=user, password=password)
except:
print("Couldn't connect to ftp")
return False
Why this?
Basically is a bug with the 0.2.9 of pysftp
here all details
https://github.com/Yenthe666/auto_backup/issues/47

Cook book to use different ways of pysftp.CnOpts() and hostkeys options.
Source : https://pysftp.readthedocs.io/en/release_0.2.9/cookbook.html
Host Key checking is enabled by default. It will use ~/.ssh/known_hosts by default. If you wish to disable host key checking (NOT ADVISED) you will need to modify the default CnOpts and set the .hostkeys to None.
import pysftp
cnopts = pysftp.CnOpts()
cnopts.hostkeys = None
with pysftp.Connection('host', username='me', password='pass', cnopts=cnopts):
# do stuff here
To use a completely different known_hosts file, you can override CnOpts looking for ~/.ssh/known_hosts by specifying the file when instantiating.
import pysftp
cnopts = pysftp.CnOpts(knownhosts='path/to/your/knownhostsfile')
with pysftp.Connection('host', username='me', password='pass', cnopts=cnopts):
# do stuff here
If you wish to use ~/.ssh/known_hosts but add additional known host keys you can merge with update additional known_host format files by using .load method.
import pysftp
cnopts = pysftp.CnOpts()
cnopts.hostkeys.load('path/to/your/extra_knownhosts')
with pysftp.Connection('host', username='me', password='pass', cnopts=cnopts):
# do stuff here

If You try to connect by pysftp to "normal" FTP You have to set hostkey to None.
import pysftp
cnopts = pysftp.CnOpts()
cnopts.hostkeys = None
with pysftp.Connection(host='****',username='****',password='***',port=22,cnopts=cnopts) as sftp:
print('DO SOMETHING')

Connect to the server first with a Windows ssh client that uses the known_hosts file.
PuTTy stores the data in the windows registry,however OpenSSH uses the known_hosts file, and will add entries in there after you connect.
Default location for the file is %USERPROFILE%.ssh. I hope this helps

I've implemented auto_add_key in my pysftp github fork.
auto_add_key will add the key to known_hosts if auto_add_key=True
Once a key is present for a host in known_hosts this key will be checked.
Please reffer Martin Prikryl -> answer about security concerns.
Though for an absolute security, you should not retrieve the host key remotely, as you cannot be sure, if you are not being attacked already.
import pysftp as sftp
def push_file_to_server():
s = sftp.Connection(host='138.99.99.129', username='root', password='pass', auto_add_key=True)
local_path = "testme.txt"
remote_path = "/home/testme.txt"
s.put(local_path, remote_path)
s.close()
push_file_to_server()
Note: Why using context manager
import pysftp
with pysftp.Connection(host, username="whatever", password="whatever", auto_add_key=True) as sftp:
#do your stuff here
#connection closed

Hi We sort of had the same problem if I understand you well. So check what pysftp version you're using. If it's the latest one which is 0.2.9 downgrade to 0.2.8.
Check this out. https://github.com/Yenthe666/auto_backup/issues/47

FWIR, if authentication is only username & pw, add remote server ip address to known_hosts like ssh-keyscan -H 192.168.1.162 >> ~/.ssh/known_hosts for ref https://www.techrepublic.com/article/how-to-easily-add-an-ssh-fingerprint-to-your-knownhosts-file-in-linux/

Error: error:0909006C:PEM routines:get_name:no start line - node

I have cloned this repo (https://github.com/docusign/code-examples-node) and believe I have entered all required keys and codes. But, when I try to authenticate with JWT I get this error:
at Sign.sign (internal/crypto/sig.js:105:29)
at Object.sign (C:\Users\BrownJ3\Documents\repos\code-examples-node\node_modules\jwa\index.js:152:45)
at Object.jwsSign [as sign] (C:\Users\BrownJ3\Documents\repos\code-examples-node\node_modules\jws\lib\sign-stream.js:32:24)
at Object.module.exports [as sign] (C:\Users\BrownJ3\Documents\repos\code-examples-node\node_modules\docusign-esign\node_modules\jsonwebtoken\sign.js:189:16)
at generateAndSignJWTAssertion (C:\Users\BrownJ3\Documents\repos\code-examples-node\node_modules\docusign-esign\src\ApiClient.js:62:16)
at exports.requestJWTUserToken (C:\Users\BrownJ3\Documents\repos\code-examples-node\node_modules\docusign-esign\src\ApiClient.js:890:19)
at _DsJwtAuth._getToken [as getToken] (C:\Users\BrownJ3\Documents\repos\code-examples-node\lib\DSJwtAuth.js:85:33)
at log (C:\Users\BrownJ3\Documents\repos\code-examples-node\lib\DSJwtAuth.js:174:33)
at _DsJwtAuth.DsJwtAuth.login (C:\Users\BrownJ3\Documents\repos\code-examples-node\lib\DSJwtAuth.js:184:5)
at commonControllers.login (C:\Users\BrownJ3\Documents\repos\code-examples-node\lib\commonControllers.js:36:16) {
library: 'PEM routines',
function: 'get_name',
reason: 'no start line',
code: 'ERR_OSSL_PEM_NO_START_LINE```

What this typically means is that the PEM file is missing the indicator that the key portion has begun.
PEM files are structured like this:
Intitial Data to be processed
-----Begin <Type>-----
Key Information
-----End <Type>-----
The standard for these files can be found here: https://www.rfc-editor.org/rfc/rfc7468
Can you confirm if the -----Begin / End lines are present are present in the PEM file you're using? Please don't post the actual file here, if they are present in the PEM we're going to want to have you open a support case with DocuSign so we keep any necessary private data for troubleshooting private.

If using docker, I have some observations.
Try to make .env values plain text. Not string literal.
When getting the item to code, replace '\\n' with '\n'

You can validate your certificate here: https://www.sslchecker.com/certdecoder.
In my case I pasted wrongly that missed one dash:
- -----BEGIN CERTIFICATE-----
+ ----BEGIN CERTIFICATE-----
Please note the first 5 dash is critical.

If you indeed have valid structure of PEM as #Matt King DS suggested, but you still get this error, it is likely that new lines are causing error.
If you are using dotenv then from documentation:
Multiline values
If you need multiline variables, for example private keys, those are now supported (>= v15.0.0) with line breaks:
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
...
Kh9NV...
...
-----END DSA PRIVATE KEY-----"
Alternatively, you can double quote strings and use the \n character:
PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nKh9NV...\n-----END DSA PRIVATE KEY---
AWS lambda
I also encountered this error in AWS lambda. Here above approach didn't work for me. I had to have env variable in lambda without double quotes, with \n instead of new lines and in code I had to replace \n by \n, like this:
process.env.MY_PRIVATE_KEY.replace(/\\n/g, '\n')

Try to delete .nprm from -->
C:\Users{username}
then it will works fine

I solved it by just running the following lines of code. This can be run anywhere in order to turn the normal \n into actual newlines '\n'
jWtstring = 'your_JWT_string'
jWtstring.replace(/\\n/g, '\n')
After you get the newly line-entered JWT key, you can paste it to SSM or perform the next steps as you wish.

const fs = require('fs')
const https = require('https')
https.createServer(
{
key:fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem'),
}
).listen(PORT, () => {
console.log(`server is running on http://localhost:${PORT}`);
})
you need to load the file key.pem before initialize to the "key: key.pem" with readFileSync that belongs to fs module
https.createServer:- https://nodejs.org/api/https.html#httpscreateserveroptions-requestlistener
fs.readFileSync:- https://nodejs.dev/en/learn/reading-files-with-nodejs/

I have exactly the same issue, I spent around 1 week working on this and still no solution for my M1 Mac Pro.
Solved my problem by:
Search for your .npmrc file and delete it.
sudo find ~ -type f -name
'*npmrc' rm -rf /Users/<user>/.npmrc
Do some classics like: npm cache verify npm cache clear --force
Finally use the npm install
Hope it helps, at least for the future user :DD

If you have this problem with Angular CLI then ensure that your ssl key paths are valid.
Had the same problem when running :
ng serve --ssl true --ssl-cert ./ssl/server.crt --ssl-key ./ssl/server.key
and it turned out my paths were invalid.

For the angular version 14.2.8 use following commands.
ng serve --ssl "Your_project_name" --ssl-key "path_of_key" --ssl-cert "path_of_your_certificate"
Example:-if your key and certificate on a same drive C://your_key or C://your_certificate

you have to use
const key = new NodeRSA({ b: 512 });
let keypair = {
private: key.exportKey(),
public: key.exportKey("public")
};
this private key at the time of signing token with RSA

if you just using it as sandbox project you can use: (without private key)
var jwt = require('jsonwebtoken');
var token = jwt.sign({ foo: 'bar' }, 'shhhhh');
if not as sandbox, you have to generate a privteKey.
you can see it on jsonwebtoken docs:
https://www.npmjs.com/package/jsonwebtoken

Foreman Multiline ENV Variable Error

I am trying to pass the contents of my pem file as a string in my .env file using \n to translate the form in the pem file to be used in an ENV variable. The issue, however, is that I'm getting an error from this variable and I'm not sure what it means, but I saw where there was an issue closed allowing for multiline so I'm not sure why this error exists.
Here is my terminal command nf run nodemon app.js
Here is the version 1.4.1
Here is the format of my pem file set within my .env file:
CF_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n
MIIEpAIBAAKCAQEAm7NA5731034RiKsEkuBTrkoBidwFD7hsdfaiohdsfahsdfL99Iw5R4uTA\n
jpPJTOUHTJNMSNF472h42ofnlNflnriNBTPOHNJFRPNSRPFNSRpfPRNFORNFPRSNFpSNFFPNf\n
-----END RSA PRIVATE KEY-----"
This is the error message:
/Users/user/.nvm/versions/node/v4.3.2/lib/node_modules/foreman/lib/envs.js:38
case '"': return /^"([^"]*)"/.exec(val)[1];
^
TypeError: Cannot read property '1' of null
at parseValue (/Users/user/.nvm/versions/node/v4.3.2/lib/node_modules/foreman/lib/envs.js:38:46)

I don't think that it can work like that. It seems that node foreman scans the file line by line and it is trying to create key-value pairs and seems that is not aware of \n or other methods that can split the line. I don't think that you have to put it on more lines, though. Possibly you can do something like that:
CF_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAm7NA57......\n...."
and it is quite possible that will not work. Why don't you put just the filename in the env vars? Something like:
CF_PRIVATE_KEY_FILENAME="my-file-id-rsa"
and when you boot the application:
var id_rsa_contents = fs.readFileSync(__dirname + proces.env.CF_PRIVATE_KEY_FILENAME);

keytool error when creating BKS keystore: providerpath is not a legal command

I am trying to create a "bks" keystore using keytool (using terminal app on Mac OS X). I am following the instructions in:
keytool error: java.security.KeyStoreException: BKS not found
This is my usage:
keytool -genkeypair -v -alias androiddebugkey -keyalg RSA -keysize 2048 -validity 10000 -keypass android -keystore /Users/djames/dropbox/bc146keystore/debug.keystore -storepass android -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider –providerpath /Users/djames/dropbox/bc146keystore/bcprov-jdk16-146.jar -dname "CN=Android Debug, OU=Android, O=Android, L=Whitefish, S=MT, C=US"
I am getting the following error:
keytool error: java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
java.lang.RuntimeException: Usage error, ?providerpath is not a legal command
at sun.security.tools.KeyTool.parseArgs(KeyTool.java:375)
I have seen the -provider path option recommended in countless web posts (including the one above) and when I run keytool -help it confirms the syntax is legal:
keytool usage: ...
-genkeypair [-v] [-protected]
[-alias <alias>]
[-keyalg <keyalg>] [-keysize <keysize>]
[-sigalg <sigalg>] [-dname <dname>]
[-validity <valDays>] [-keypass <keypass>]
[-keystore <keystore>] [-storepass <storepass>]
[-storetype <storetype>] [-providername <name>]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
I also tried the following alternative (per http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html):
deleting the -providerpath option of the keytool command,
placing the bcprov-jdk16-146.jar inside the {$JAVA_HOME/lib/ext} folder
adding security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider to the java.security file.
But it still failed.
Any ideas on what I can do differently to succeed in creating a BKS keystore?

It's many years since, but I am attempting this too.
The answer is that you have the parameters in the wrong order. The -providerpath needs to come before the -providerclass parameter.
I hope that helps someone in future searching for a solution.

I was never able to succeed with Keytool. This is what I did to solve the problem instead: I made a copy of the default debug.keytool (a JKS type keystore) that was created by Eclipse (Indigo, SR2) automatically the first time an android program is run in Eclipse, and used Portecle (http://portecle.sourceforge.net/) to convert this to a BKS type keystore. Now this is the tricky part: If I now used the BKS version of debug.keytool in place of the original, I got an "Android packaging error" in Eclipse “java.io.IOException: Invalid keystore format” whenever I would try to run the android program. However, if I left the original JKS version of debug.keytool in the default directory where Eclipse created it, then I could use the BKS version of the debug.keytool in the Android program's /resources/raw subfolder and have Android open it and recognize it. Jim

An easy alternative is to use Portecle to generate the BKS:
Download the needed Boucycastle Provider
Replace bcprov.jar in your Portecle install directory (example: C:\Program Files (x86)\Portecle\bcprov.jar). Same naming is required.
Restart Portecle and generate your BKS truststore.
More explanations here.

I am trying to do SSL connection with certificates, so to support in Android I need to use jks / bks files as trust store.
So generated jks file tried in android SSLSocket connection, But
throws exception that jks not able to read. So I have to add
Boncycastle provider to JVM and create bks using jks file
Download the Bouncycastle provider jar file and place under below path:
C:\Program Files\Java\jre1.8.0_191\lib\ext
Update the java.security file by adding provider for the following file
C:\Program Files\Java\jre1.8.0_191\lib\security\java.security
Add the provider
security.provider.12=org.bouncycastle.jce.provider.BouncyCastleProvider
Close command prompt and open execute command to get bks file like below:
keytool -importkeystore -srckeystore <input>.jks -destkeystore <required_bks_file_name>.bks -srcstoretype JKS -deststoretype BKS -srcstorepass <jsk file password> -deststorepass <jsk file password> -provider org.bouncycastle.jce.provider.BouncyCastleProvider
Now you can bks file in your folder.
Thanks