PKCS11 error while using USB Token vs SmartCard - token

I am trying to use a SafeNet eToken 5300 (manufacturerID: Gemalto; model: ID Prime MD) for client certificate authentication in the openconnect VPN client. The connection fails.
When the SmartCard (manufacturerID: SafeNet, Inc.; model: eToken) inserted into an Alcor Micro AU9540 reader is used, the connection is established successfully.
Debugging the issue, I found that the error comes from the PKCS11 module:
[2022-08-10 11:55:47] Returned: 0 CKR_OK
[2022-08-10 11:55:47] gnutls[2]: p11: Initializing module: opensc-pkcs11.module.ORIG
[2022-08-10 11:55:47] P:37956; T:0x139638815061248 11:55:47.201 [opensc-pkcs11] pkcs11-global.c:402:C_GetInfo: C_GetInfo()
[2022-08-10 11:55:47] gnutls[2]: p11: module opensc-pkcs11.module.ORIG is already loaded.
[2022-08-10 11:55:47] gnutls[3]: ASSERT: ../../lib/pkcs11.c[auto_load]:951
[2022-08-10 11:55:47] gnutls[2]: Cannot load PKCS #11 module: opensc-pkcs11.module.ORIG
[2022-08-10 11:55:47] gnutls[2]: p11: Initializing module: softhsm2
[2022-08-10 11:55:47] gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
[2022-08-10 11:55:47] gnutls[2]: p11: No login requested.
[2022-08-10 11:55:47] Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;object=EFF270AEC07D70DA;type=private
[2022-08-10 11:55:47] PIN required for Pavel
[2022-08-10 11:55:48] Enter PIN:
[2022-08-10 11:55:54] gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:54] gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
[2022-08-10 11:55:54] gnutls[2]: p11: No login requested.
[2022-08-10 11:55:54] Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;object=EFF270AEC07D70DA;type=private
[2022-08-10 11:55:54] gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:56] gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
[2022-08-10 11:55:56] Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;type=private
[2022-08-10 11:55:56] gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:56] Using PKCS#11 key pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;type=private
[2022-08-10 11:55:56] gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:416
[2022-08-10 11:56:27] gnutls[3]: ASSERT: ../../lib/privkey.c[privkey_sign_and_hash_data]:1300
[2022-08-10 11:56:27] Error signing test data with private key: PKCS #11 error.
[2022-08-10 11:56:27] Loading certificate failed. Aborting. <-------- Here is the problem
[2022-08-10 11:56:27] Failed to complete authentication
Both the USB Token and the SmartCard have the same certificates/key installed, from the same p12 file.
They were first initialized and then the p12 file was applied.
Using pkcs11-dump, I found that the only difference between the USB Token and the SmartCard is the value of the CKA_SIGN_RECOVER attribute of the Private Key:
CKA_SIGN_RECOVER: TRUE - for SmartCard
CKA_SIGN_RECOVER: FALSE - for USB Token
Since the CKA_MODIFIABLE attribute is TRUE for both tokens, I am looking for a way to change the CKA_SIGN_RECOVER value on the USB Token (according to the documents, it is possible). Then I will re-attempt the connection with openconnect.
Any ideas?
Thank you in advance for your help.
Regards,
Pavel
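The attribute check and change the post asks about, as an added example that is not part of the original question and not OpenSC's or openconnect's own code: a Python script that drives the PKCS#11 module directly through ctypes, locates the private key by the CKA_ID carried in the pkcs11: URI from the log, reads CKA_SIGN, CKA_SIGN_RECOVER and CKA_MODIFIABLE, and, when asked, writes CKA_SIGN_RECOVER with C_SetAttributeValue and reads it back. CKA_SIGN is read too because gnutls signs with C_Sign, which is governed by CKA_SIGN rather than CKA_SIGN_RECOVER, so a key that reports CKA_SIGN FALSE would fail in the same place regardless of CKA_SIGN_RECOVER. Assumptions, none of them from the post: Linux with a 64-bit CK_ULONG, a module that exports the C_* entry points as plain symbols (opensc-pkcs11.so does), a single inserted token (the first slot reporting a token is used), and the module path and URI given on the command line.

```python
"""Read and optionally set CKA_SIGN_RECOVER on a PKCS#11 private key through ctypes. Assumed, not
from the post: Linux, 64-bit CK_ULONG, one inserted token, a module exporting C_* symbols."""
import ctypes
import getpass
import sys
from urllib.parse import unquote_to_bytes

CK_ULONG, CK_BBOOL, P, VOID = ctypes.c_ulong, ctypes.c_ubyte, ctypes.POINTER, ctypes.c_void_p
CKR_OK, CKU_USER, CKF_RW_SESSION, CKF_SERIAL_SESSION = 0, 1, 0x2, 0x4  # PKCS#11 v2.x header values
CKO_PRIVATE_KEY, CKA_CLASS, CKA_ID = 0x3, 0x0, 0x102
CKA_SIGN, CKA_SIGN_RECOVER, CKA_MODIFIABLE = 0x108, 0x109, 0x170
FLAG_NAMES = {CKA_SIGN: "CKA_SIGN", CKA_SIGN_RECOVER: "CKA_SIGN_RECOVER", CKA_MODIFIABLE: "CKA_MODIFIABLE"}
class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", CK_ULONG), ("pValue", VOID), ("ulValueLen", CK_ULONG)]
PROTOTYPES = {  # argtypes per entry point; each one returns CK_RV, a CK_ULONG
    "C_Initialize": [VOID], "C_Finalize": [VOID],
    "C_GetSlotList": [CK_BBOOL, P(CK_ULONG), P(CK_ULONG)],
    "C_OpenSession": [CK_ULONG, CK_ULONG, VOID, VOID, P(CK_ULONG)],
    "C_Login": [CK_ULONG, CK_ULONG, ctypes.c_char_p, CK_ULONG],
    "C_FindObjectsInit": [CK_ULONG, P(CK_ATTRIBUTE), CK_ULONG],
    "C_FindObjects": [CK_ULONG, P(CK_ULONG), CK_ULONG, P(CK_ULONG)],
    "C_FindObjectsFinal": [CK_ULONG],
    "C_GetAttributeValue": [CK_ULONG, CK_ULONG, P(CK_ATTRIBUTE), CK_ULONG],
    "C_SetAttributeValue": [CK_ULONG, CK_ULONG, P(CK_ATTRIBUTE), CK_ULONG],
}

def id_from_pkcs11_uri(uri):
    """CKA_ID bytes from the percent-encoded id= attribute of a pkcs11: URI (RFC 7512)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    for part in uri[len("pkcs11:"):].split("?", 1)[0].split(";"):
        key, _, value = part.partition("=")
        if key == "id":
            return unquote_to_bytes(value)
    raise ValueError("pkcs11: URI has no id attribute")

def make_template(attrs):
    """CK_ATTRIBUTE array from {type: bool | int | bytes}, plus the value buffers it points into."""
    arr, buffers = (CK_ATTRIBUTE * len(attrs))(), []
    for i, (typ, val) in enumerate(attrs.items()):
        if isinstance(val, bool):      # CK_BBOOL; tested before int because bool is an int
            buf = CK_BBOOL(1 if val else 0)
        elif isinstance(val, int):     # CK_ULONG-sized values such as CKA_CLASS
            buf = CK_ULONG(val)
        else:                          # raw bytes such as CKA_ID, no NUL terminator
            buf = ctypes.create_string_buffer(bytes(val), len(val))
        buffers.append(buf)            # caller keeps this list alive while the module reads arr
        arr[i].type, arr[i].pValue, arr[i].ulValueLen = typ, ctypes.addressof(buf), ctypes.sizeof(buf)
    return arr, buffers

def template_values(arr):
    """Raw bytes of every attribute in a template, keyed by attribute type."""
    return {a.type: ctypes.string_at(a.pValue, a.ulValueLen) for a in arr}

def check(rv, what):
    if rv != CKR_OK:
        raise RuntimeError("%s failed: CKR 0x%08x" % (what, rv))

def find_private_key(lib, session, key_id):
    tmpl, _keep = make_template({CKA_CLASS: CKO_PRIVATE_KEY, CKA_ID: key_id})
    check(lib.C_FindObjectsInit(session, tmpl, len(tmpl)), "C_FindObjectsInit")
    obj, found = CK_ULONG(), CK_ULONG()
    check(lib.C_FindObjects(session, ctypes.byref(obj), 1, ctypes.byref(found)), "C_FindObjects")
    check(lib.C_FindObjectsFinal(session), "C_FindObjectsFinal")
    if found.value != 1:
        raise RuntimeError("no private key with that CKA_ID is visible in this session")
    return obj.value

def read_flags(lib, session, obj):
    """{name: bool} for CKA_SIGN, CKA_SIGN_RECOVER and CKA_MODIFIABLE of one key."""
    tmpl, _keep = make_template({t: False for t in FLAG_NAMES})
    check(lib.C_GetAttributeValue(session, obj, tmpl, len(tmpl)), "C_GetAttributeValue")
    return {FLAG_NAMES[t]: v == b"\x01" for t, v in template_values(tmpl).items()}

def main(argv):
    if len(argv) < 3:
        sys.exit("usage: %s MODULE.so PKCS11_URI [true|false]" % argv[0])
    lib = ctypes.CDLL(argv[1])
    for name, argtypes in PROTOTYPES.items():
        getattr(lib, name).argtypes, getattr(lib, name).restype = argtypes, CK_ULONG
    check(lib.C_Initialize(None), "C_Initialize")
    try:
        slots, count, session = (CK_ULONG * 16)(), CK_ULONG(16), CK_ULONG()
        check(lib.C_GetSlotList(1, slots, ctypes.byref(count)), "C_GetSlotList")  # tokenPresent=1
        if count.value == 0:
            raise RuntimeError("no token present")
        check(lib.C_OpenSession(slots[0], CKF_SERIAL_SESSION | CKF_RW_SESSION, None, None,
                                ctypes.byref(session)), "C_OpenSession")
        pin = getpass.getpass("User PIN: ").encode()  # prompted, so it never appears in ps output
        check(lib.C_Login(session.value, CKU_USER, pin, len(pin)), "C_Login")
        obj = find_private_key(lib, session.value, id_from_pkcs11_uri(argv[2]))
        flags = read_flags(lib, session.value, obj)
        print("before:", flags)
        if len(argv) > 3:  # write the requested value, then read it back from the token
            if not flags["CKA_MODIFIABLE"]:
                sys.exit("key is not CKA_MODIFIABLE; the token would reject C_SetAttributeValue")
            tmpl, _keep = make_template({CKA_SIGN_RECOVER: argv[3].lower() == "true"})
            check(lib.C_SetAttributeValue(session.value, obj, tmpl, 1), "C_SetAttributeValue")
            print("after: ", read_flags(lib, session.value, obj))
    finally:
        lib.C_Finalize(None)  # also closes the session

if __name__ == "__main__":
    main(sys.argv)
```

Run it first without the trailing true/false to see the three flags as the token reports them, then with `true` to attempt the change. The script prints the CKR code if the module declines the write: CKA_MODIFIABLE TRUE only says the object as a whole may be modified, and a module is free to answer CKR_ATTRIBUTE_READ_ONLY (0x10) for usage bits it derives from the on-card key object rather than stores as free attributes, in which case the bit can only be set when the key is created or imported.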

Related

SSL: CERTIFICATE_VERIFY_FAILED 1091

I am trying to read Excel files into Pandas from the following URL:
url = 'https://www.anac.gob.ar/anac/web/uploads/estadisticas/series-hist-ricas-anac.xlsx'
pd.read_excel(url)
I get the error:
#URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1091)>
How can I do it?

Invalid grant on SAML2 Bearer Assertion profile for OAuth within WSO2 API Manager

I have problems getting "SAML2 Bearer Assertion profile for OAuth" to work within WSO2 API Manager (port 9445).
My setup:
I created an application (app1) in API manager tenant domain (wso2.com) and generated keys.
When I log into IS as admin of wso2.com tenant domain I see a service provider is created for my application (app1).
I configured the SP of app1 and created the IDP as explained in documentation.
I could generate SAML assertion by SAML2AssertionCreator.
When I try to generate an access token using the assertion generated with the command below, I get:
{"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid"}
SAML Assertion
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TestSP</saml:Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ISNhVVsEbeRLN2MQdob0qs1QEXc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XrMqLJO6z8BERlmrysn9aV9m1GPte3hOUqxNUhr8eTMtho2zjYE5fJkbT+pf8oHxXUaozefs5G+o
N0tWQc9pqXxuYtk6Lk/EimMzF2xEgrtEzZqksVebJagz9UeOr1mfubZpSGcfdWMHSJdkOuAmsW0E
rqIc1RZDh+95aoh3VmE=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE
CAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxv
Y2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UE
AwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTou
sMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5
HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQID
AQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44i
QlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJR
O4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2017-06-13T08:10:36.500Z" Recipient="https://localhost:9445/oauth2/token"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
<saml:AudienceRestriction>
<saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2017-06-13T08:05:36.601Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="C">
<saml:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">:
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
Command: java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9445/oauth2/token https://localhost:9445/oauth2/token .../wso2/wso2is-5.1.0/repository/resources/security/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
Token command:
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP of the APIM server>:9445/oauth2/token
Logs
[2017-06-13 12:56:17,036] DEBUG - OAuth2Service Access Token request received for Client ID 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka, User ID null, Scope : [PRODUCTION] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer
[2017-06-13 12:56:17,036] DEBUG - AbstractClientAuthHandler Can authenticate with client ID and Secret. Client ID: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,039] DEBUG - AbstractClientAuthHandler Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client validation set to : null
[2017-06-13 12:56:17,043] DEBUG - OAuth2Util Client credentials were available in the cache for client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,045] DEBUG - OAuth2Util Successfully authenticated the client with client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,055] DEBUG - SAML2BearerGrantHandler SAML Assertion Audience Restriction validation failed against the Audience : https://192.168.0.4:9445/oauth2/token of Identity Provider : IS in tenant : carbon.super
[2017-06-13 12:56:17,055] DEBUG - AccessTokenIssuer Invalid Grant provided by the client Id: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,060] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=PRODUCTION
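The audience check that the last SAML2BearerGrantHandler line reports as failing, as an added example that is not part of the original post and not WSO2's code: a stand-alone Python validator for the conditions RFC 7522 section 3 requires a token endpoint to enforce on a SAML bearer assertion (validity window, AudienceRestriction, a bearer SubjectConfirmation whose Recipient is the token endpoint and whose NotOnOrAfter has not passed). The assertion inside it is constructed for the example from the structure in the post, without the signature; signature verification is a separate step that this code does not perform. Checked against the audience the assertion names (https://localhost:9445/oauth2/token) it passes; checked against the audience the log says the IdP entry expects (https://192.168.0.4:9445/oauth2/token) it reports the same audience failure as the server.

```python
"""RFC 7522 condition checks on a SAML 2.0 bearer assertion (no signature verification here).
The assertion text is constructed for this example from the post's structure, not captured live."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

EXAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
  <saml:Issuer>TestSP</saml:Issuer>
  <saml:Subject>
    <saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-06-13T08:10:36.500Z"
        Recipient="https://localhost:9445/oauth2/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(text):
    """SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported SAML timestamp: %r" % text)

def validate_bearer_assertion(xml_text, expected_audience, token_endpoint, now, skew=timedelta(0)):
    """Return the list of RFC 7522 condition failures; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions element"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append("assertion not yet valid (NotBefore=%s)" % not_before)
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        problems.append("assertion expired (NotOnOrAfter=%s)" % not_on_or_after)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:   # exact string match, scheme and host included
        problems.append("audience restriction failed: token endpoint expects %s, assertion names %s"
                        % (expected_audience, audiences))
    bearer = [c for c in root.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no SubjectConfirmation with the bearer method")
    else:
        data = bearer[0].find("saml:SubjectConfirmationData", NS)
        recipient = data.get("Recipient") if data is not None else None
        if recipient != token_endpoint:
            problems.append("Recipient %r does not match token endpoint %r" % (recipient, token_endpoint))
        scd_expiry = data.get("NotOnOrAfter") if data is not None else None
        if scd_expiry is None:
            problems.append("SubjectConfirmationData lacks NotOnOrAfter")
        elif now - skew >= parse_saml_time(scd_expiry):
            problems.append("subject confirmation expired (NotOnOrAfter=%s)" % scd_expiry)
    return problems

def demo():
    """The assertion above checked with the audience it names, with the audience from the
    WSO2 log, and after its validity window has closed."""
    in_window = datetime(2017, 6, 13, 8, 7, 0, tzinfo=timezone.utc)
    localhost = "https://localhost:9445/oauth2/token"
    by_ip = "https://192.168.0.4:9445/oauth2/token"
    return {
        "matching": validate_bearer_assertion(EXAMPLE_ASSERTION, localhost, localhost, in_window),
        "audience_mismatch": validate_bearer_assertion(EXAMPLE_ASSERTION, by_ip, localhost, in_window),
        "expired": validate_bearer_assertion(EXAMPLE_ASSERTION, localhost, localhost,
                                             in_window + timedelta(minutes=10)),
    }

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The comparison is a plain string match, which is what the log shows the server doing: the assertion was minted with https://localhost:9445/oauth2/token as both audience and recipient (the third and fourth arguments to SAML2AssertionCreator), while the identity provider entry named IS compares against https://192.168.0.4:9445/oauth2/token. The two must be the same string, host form included, for the grant to be accepted.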

Certificate pinning failing in iOS

We are developing an application using IBM MobileFirst Platform Foundation v7.1. Currently we are in the UAT phase. The app supports both Android and iOS.
We implemented certificate pinning for our application. The MobileFirst Server is maintained by the network team, which provided me with a public certificate with the "cer" extension (com.uat.myapp.cer). I included this public certificate in my project under the certificate folder and wrote the certificate pinning code in the main.js file.
The Android application is working fine and the SSL handshake with the MobileFirst Server succeeds. The application is working properly.
The iOS application, though, is not able to connect to the MobileFirst Server and fails with the following error:
"An SSL error has occurred and a secure connection to the server cannot be made."
I converted the .cer certificate to a .der certificate (com.uat.myapp.der) using the following portal: https://www.sslshopper.com/ssl-converter.html and placed it in the application, but I still ended up with the same error.
Please find the error logs below for more information:
-[WLAFHTTPRequestOperationManagerWrapper requestFailed:error:] in WLAFHTTPRequestOperationManagerWrapper.m:390 :: Response Error : An SSL error has occurred and a secure connection to the server cannot be made. 2016-12-26 19:38:49.301 MyApp[1419:26347] [DEBUG] [WORKLIGHT]
+[WLClient sharedInstance] in WLClient.m:165 :: IBMMobilieFirstFoundation.framework version = 7.1-2016/05/28 17:08:17
-[WLRequest requestFailed:error:] in WLRequest.m:509 :: Status code='0' error='An SSL error has occurred and a secure connection to the server cannot be made.' response='(null)'
2016-12-26 19:38:49.302 MyApp[1419:26347] [DEBUG] [WL_REQUEST]
-[WLRequest requestFailed:error:] in WLRequest.m:512 :: Response Header: (null) Response Data: (null)
2016-12-26 19:38:49.302 MyApp[1419:26347] [DEBUG] [WL_AUTH]
-[WLAuthorizationManager failRegistratioWithResponse:] in WLAuthorizationManager.m:866 :: Response does not contain a valid certificate and client Id. device registration failed
2016-12-26 19:38:49.306 MyApp[1419:26347] [DEBUG] [CERTIFICATE_MANAGER] +[WLCertManager removeKey:] in WLCertManager.m:262 :: Key was successfully removed.
My hunch is that the domain specified in the certificate does not match the actual server host or IP used by the application.
Use keytool to verify that the certificate indeed contains the required host/IP values.
In your application, make sure that it indeed attempts to connect to the same server host/IP.

IBM MobileFirst 7.1 - /authorization/v1/clients/instance - 404 Not Found

I have developed a MobileFirst 7.1 Hybrid application in Eclipse with an iPad environment.
This iPad environment is configured with a custom security test that has the following realms:
<customSecurityTest name="myIpadTest">
<test isInternalUserID="true" realm="wl_anonymousUserRealm" />
<test realm="wl_deviceNoProvisioningRealm" isInternalUserID="true" />
</customSecurityTest>
In the application-descriptor.xml
<ipad bundleId="com.xxx.xxx.xxx" securityTest="myIpadTest" version="1.0">
....
</ipad>
This application, when installed on a real device, works properly with my Eclipse environment and my Staging MobileFirst Server. The Staging MobileFirst Server has an Nginx HTTP server in front of it without SSL.
But when I deploy the same application to the Production MobileFirst Server, the device fails to register with the error logs below. This production server also has an nginx in front of it that acts as a reverse proxy to the MobileFirst server and is configured with SSL with a valid CA-issued certificate, TLSv1.2 with a SHA256 cipher.
2016-08-24 14:57:33.087 MyApp[2388:1849431] [DEBUG] [WL_REQUEST] -[WLRequest sendRequest:path:withOptions:] in WLRequest.m:244 :: Sending request (https://xxx.xxx.xxx.com:443/myapp/authorization/v1/clients/instance) with headers:
{
"Accept-Language" = en;
"User-Agent" = "MyApp/1.0 (iPad; iOS 9.3.2; Scale/2.00)/WLNativeAPI/7.1.0.0";
"X-Requested-With" = XMLHttpRequest;
"x-wl-app-version" = "1.0";
"x-wl-device-id" = "1293712973921739217398217893721";
"x-wl-platform-version" = "7.1.0.0";
}
You can see the request body in the Analytics platform logs.
2016-08-24 14:57:33.094 MyApp[2388:1849431] [DEBUG] [WL_AFHTTPRequestOperationManagerWrapper_PACKAGE] -[WLAFHTTPRequestOperationManagerWrapper start] in WLAFHTTPRequestOperationManagerWrapper.m:356 :: Starting the request with URL https://xxx.xxx.xxx.xxx.com:443/myapp/authorization/v1/clients/instance
2016-08-24 14:57:33.095 MyApp[2388:1849431] [DEBUG] [WL_REQUEST] __42-[WLRequest sendRequest:path:withOptions:]_block_invoke in WLRequest.m:254 :: waiting for response... (Thread=<NSThread: 0x13cd16140>{number = 1, name = main})
2016-08-24 14:57:33.096 MyApp[2388:1849431] THREAD WARNING: ['WLAuthorizationManagerPlugin'] took '86.991943' ms. Plugin should use a background thread.
08-24 14:57:33.455 INFO App Sending no login credential event with cause 0 [ UserCredentialReportThread_0, SendNoLoginCredentialEvent, /Users/iosbuild/TAGS/TAG_VC_3_3_4_0004/Products/Client/ClientLib/AppLogic.cpp:15304 ]
2016-08-24 14:57:33.455 MyApp[2388:1849664] Received event=202002
2016-08-24 14:57:33.456 MyApp[2388:1849664] Sending Data to JS key callStatus, value 202002
2016-08-24 14:57:33.456 MyApp[2388:1849664] Unknown event 202002
2016-08-24 14:57:34.409 MyApp[2388:1849431] [DEBUG] [WL_AFHTTPRequestOperationManagerWrapper_PACKAGE] -[WLAFHTTPRequestOperationManagerWrapper requestFailed:error:] in WLAFHTTPRequestOperationManagerWrapper.m:388 :: Request Failed
2016-08-24 14:57:34.412 MyApp[2388:1849431] [DEBUG] [WL_AFHTTPRequestOperationManagerWrapper_PACKAGE] -[WLAFHTTPRequestOperationManagerWrapper requestFailed:error:] in WLAFHTTPRequestOperationManagerWrapper.m:389 :: Response Status Code : 404
2016-08-24 14:57:34.415 MyApp[2388:1849431] [DEBUG] [WL_AFHTTPRequestOperationManagerWrapper_PACKAGE] -[WLAFHTTPRequestOperationManagerWrapper requestFailed:error:] in WLAFHTTPRequestOperationManagerWrapper.m:390 :: Response Error : Request failed: not found (404)
2016-08-24 14:57:34.420 MyApp[2388:1849431] [DEBUG] [WORKLIGHT] +[WLClient sharedInstance] in WLClient.m:165 :: IBMMobilieFirstFoundation.framework version = 7.1-2016/05/13 10:26:34
2016-08-24 14:57:34.421 MyApp[2388:1849431] [ERROR] [WL_REQUEST] -[WLRequest requestFailed:error:] in WLRequest.m:509 :: Status code='404' error='Request
I thought the issue was caused by the reverse proxy, so I decided to install the desktopbrowser version in production, but I don't have any 404 issues with the desktopbrowser. The certificate is also trusted by the browser.
Looking forward to your help, guys. Thanks in advance.

Urban Airship : Push Notification with Phonegap not working

Can you please tell me what I am missing?
I am using PhoneGap to develop a hybrid app.
My config.xml looks like this:
<preference name=“com.urbanairship.developmentappkey” value=“*******RhKiHsW9pASskA ” />
<preference name=“com.urbanairship.developmentappsecret” value=“****2QDjOZJM1g ” />
<preference name=“com.urbanairship.inproduction” value=“No” />
When I build the app using Xcode, the following info is logged in the console:
1.278017ms
2014-06-26 20:09:57.793 Mercer Select[745:60b] [W] -[UAConfig validate] [Line 152] Development App Key is not valid.
2014-06-26 20:09:57.794 Mercer Select[745:60b] [W] -[UAConfig validate] [Line 156] Development App Secret is not valid.
2014-06-26 20:09:57.795 Mercer Select[745:60b] [W] -[UAConfig validate] [Line 160] Production App Key is not valid.
2014-06-26 20:09:57.796 Mercer Select[745:60b] [W] -[UAConfig validate] [Line 164] Production App Secret is not valid.
2014-06-26 20:09:57.797 Mercer Select[745:60b] [E] -[UAConfig validate] [Line 168] Current App Key (***RhKiHsW9pASskA ) is not valid.
2014-06-26 20:09:57.798 Mercer Select[745:60b] [E] -[UAConfig validate] [Line 173] Current App Secret (****2Q_DjOZJM1g ) is not valid.
2014-06-26 20:09:57.799 Mercer Select[745:60b] [E] +[UAirship executeUnsafeTakeOff:] [Line 141] The AirshipConfig.plist file is missing and no application credentials were specified at runtime.
My JS code looks like this (I am writing the code below inside the device.ready event):
document.addEventListener("urbanairship.registration", function (event) {
alert("Inside");
if (event.error) {
alert('there was an error registering for push notifications');
} else {
alert("Registered with ID: " + event.pushID);
}
}, false);
document.addEventListener("urbanairship.push", function (event) {
alert("Incoming push: " + event.message);
}, false);
