I'm following this guide to update Github's dependabot secrets using their newly released API.
There's a part that says I need to encrypt my secret value using a public key
...
const key = "base64-encoded-public-key";
const value = "plain-text-secret";
// Convert the message and key to Uint8Array's (Buffer implements that interface)
const messageBytes = Buffer.from(value);
const keyBytes = Buffer.from(key, 'base64');
...
My question is, where does this public key come from? I don't recall setting up any keys when configuring dependabot for my repo.
Looking through the dependabot API docs I realized there's also an endpoint to get your repository's public key which gives you the public key to be used. I missed it initially.
Related
I'm new to JWT. I've noticed that a lot of people place the private and public keys in separate files, and then load the content of the files when creating the JWT.
For example:
const fs = require('fs');
const jwt = require('jsonwebtoken');
const privateKEY = fs.readFileSync('./private.key', 'utf8');
const publicKEY = fs.readFileSync('./public.key', 'utf8');
let token = jwt.sign(payload, privateKEY, signOptions);
I don't know if I'm misunderstanding the concept of something but doesn't that make every key the same? And what is the point of having keys if they're all the same? Let's say I'm creating a server that stores a user's login information and assigns a private and public key to each user. That would mean that ever key-pair would have to be unique right? I obviously want the keys to be generated automatically for each user. What is the correct way to create an unique key-pair for a user when using JWT?
On the command line I generated a new key pair using the github-api-signature package's generateKeyPair function, providing a name and email of my GitHub account and a random passphrase.
I took the public part of the generated key pair and put it in my GitHub account on the keys page.
I took the private key and provided it to the snippet of code below.
The request to create the commit returns successfully as does the programmatic creation of the PR, but when I visit the commits page of the PR there is a box saying 'Unverified' with the message "The signature in this commit could not be verified. Someone may be trying to trick you."
I compared the GPG key ID it provides me on this page with those listed in my GitHub keys page and it matches, so why does it show my commit as unverified?
Example code:
const privateKey = '[GENERATED PRIVATE KEY]';
const passphrase = '[RANDOM PASSPHRASE FROM EARLIER]';
const author = {
name: '[NAME THAT MATCHES GITHUB]',
email: '[EMAIL THAT MATCHES GITHUB]',
date: new Date().toISOString(),
};
const commitPayload: CommitPayload = {
message: commitMessage,
author,
committer: { ...author },
tree: tree.data.sha,
parents: [branch.data.object.sha],
};
const signature = await githubApiSignature.createSignature(
commitPayload,
privateKey,
passphrase,
);
const result = await got(
`[GITHUB API URL]/repos/[USERNAME]/[REPO_NAME]/git/commits`,
{
protocol: 'https:',
method: 'POST',
body: {
...commitPayload,
signature,
},
json: true
},
);
This was caused by a trailing \n in the commit message which was trimmed by the library I was using to generate the signature but not by me before POSTing to GitHub.
Further information on how I debugged this, should it help anyone else further down the line:
Originally I tried using the openpgp library directly following the guide for creating and verifying detached signatures, and faced the same validity issue.
Knowing that the signature was verified locally I knew that I must be sending something to the GitHub API incorrectly. The Git Commits API provides some useful feedback in the verification block of the response:
verification: {
verified: boolean
reason: string
signature: string
payload: string
}
...as well as a little further information in the documentation page on what each of the reasons mean.
Further investigation of the payload (including simplifying all my values) led me to find that the message was at fault.
I realized there are many iterations of this questions. But I can't seem to understand the answer correctly.
We have secured our rabbitmq and rest endpoints with a oauth2 spring server similar to this post. But it doesn't have all of the features we need and want. So we would like to use Keycloak. I have been successful with securing the rest endpoint by just going to the new version of spring security 5.1 and specifing the security.oauth2.resource.jwk.key-set-uri and setting the necessary dependencies and configuration.
While trying to secure the RabbitMQ, I have been running into problems checking the bearer token from the message header because the keycloak jwks endpoint isn't returning the true RSA public key.
RabbitMQ uses the CustomMessageListenerContainer to get the token from the message header and uses the DefaultTokenServices to check the token.
From my understanding, the endpoint that responds with the key is https://keycloak-server/auth/realms/my-realm/protocol/openid-connect/certs
Doing a HttpGet on this endpoint, I get a response that looks like the following
{
"keys": [{
"kid": "7JUbcl_96GNk2zNh4MAORuEz3YBuprXilmTXjm0gmRE",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"n": "nE9gEtzZvV_XisnAY8Hung399hwBM_eykZ9J57euboEsKra8JvDmE6w7SSrk-aTVjdNpjdzOyrFd4V7tFqev1vVJu8MJGIyQlbPv07MTsgYE5EPM4DxdQ7H6_f3vQjq0hznkFvC-hyCqUhxPTXM5NgvH86OekL2C170xnd50RLWw8FbrprP2oRjgBnXMAif1Dd8kwbKKgf5m3Ou0yTVGfsCRG1_LSj6gIEFglxNHvGz0RejoQql0rGMxcW3MzCvc-inF3FCafQTrG5eWHqp5xXEeMHz0JosQ7BcT8MVp9lHT_utiazhQ1uKZEb4uoYOyy6mDDkx-wExpZkOx76bk_Yu-N25ljY18hNllnV_8gVMkX46_vcc-eN3DRZGNJ-Asd_sZrjbXbAvBbKwVxZeOTaXiUdvl8O0G5xX2xPnS_WA_1U4b_V1t28WtnX4bqGlOejW2kkjLvNrpfQ5fnvLjkl9I2B16Mbh9nS0LJD0RR-AkBsv3rKEnMyEkW9UsfgYKLFKuH32x_CXi9uyvNDas_q8WS3QvYwAGEMRO_4uICDAqupCVb1Jcs9dvd1w-tUfj5MQOXB-srnQYf5DbFENTNM1PK390dIjdLJh4k2efCJ21I1kYw2Qr9lHI4X2peTinViaoOykykJiol6LMujUcfqaZ1qPKDy_UnpAwGg9NyFU",
"e": "AQAB"
}
]
}
From my understanding, the field with key "n" is supposed to be an RSA256 key. Adding it to a RSAVerifier eventually gets an error of "Caused by: org.springframework.security.jwt.codec.InvalidBase64CharacterException: Bad Base64 input character decimal 95 in array position 2."
However, if I login to keycloak admin page and go into the realm settings-> keys and click the public key, a popup shows the public key minus the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" headers and footers. Hard coding this enables everything to work.
Is the key encoded?
I've tried doing a Base64Utils.decodeFromUrlSafeString and a Base64Utils.decodeFromString. The first returning something smaller and doesn't lool like the key and the later creating an Illegal argument exception Illegal base64 character 5f.
Update:
The n being returned is the modulous and e is the public exponent of the public key. But how does one get the actual key string?
The keys are also directly on https://keycloak-server/auth/realms/my-realm, in a format directly exploitable with your code:
{
"realm": "my-realm",
"public_key": "MIIBI...",
"token-service": "https://keycloak-server/auth/realms/my-realm/protocol/openid-connect",
"account-service": "https://keycloak-server/auth/realms/my-realm/account",
"tokens-not-before": 0
}
I'll found it also on:
open admin console
choose realm
choose Realm Settings
open tab 'Keys'
open tab 'active'
in the column 'Public keys' press 'Public Key
a popup with the public key appears.
There is toIntegerBytes before base64 encode, so it is not just base64 decode. Try:
BigInteger modulus = new BigInteger(1, Base64.decodeBase64("n-value-here"));
BigInteger exponent = new BigInteger(1, Base64.decodeBase64("e-value-here"));
JWKS endpoints are designed to have their keys changed over time (in a process called key rotation), so retrieving the public key as per the accepted answer is not a good idea. What you should opt for instead is to use a JWKS client. I use node-jwks-rsa, but the same creators also have a java implementation (jwks-rsa-java).
Using windows CryptoAPI, is it possible to get public RSA key from a private key which was imported (not generated)?
If I use CryptGenKey, I can call CryptExportPublicKeyInfo and CryptImportPublicKeyInfo to obtain the public key handle. However, when I try to do the same thing with private key decoded from PEM and imported using:
CryptImportKey(hCSP, pKeyBuf, cbKeyBuf, 0, CRYPT_EXPORTABLE, &hPrivKey)
import of the private key succeeds and I have a valid handle but the subsequent call to CryptExportPublicKeyInfo fails with "Key does not exist" error. It looks like there's another call missing between CryptImportKey and CryptExportPublicKeyInfo, but I can not find that API call.
The problem with exporting/importing the public key was because private key was generated using AT_SIGNATURE, instead of AT_EXCHANGE. See the explanation and the example code
I have a public key and an encrypted string. I could encrypt with the publickey successfully.But when i try to decrypt using the publickey it fails. I mean when i pass the publickey toseckeyDecrypt it fails.
I have Googled and found out that, by default kSecAttrCanDecrypt is false for public keys.So When i import the public key, i have added this particular line ,
[publicKeyAttr setObject:(id)kCFBooleanTrue forKey:(id)kSecAttrCanDecrypt];
But there is no improvement it still fails. Please somebody help.
EDIT:
Apple's Certificate,Key and Trust Services Says,
kSecAttrCanEncrypt Default false for private keys, true for public keys.
kSecAttrCanDecrypt Default true for private keys, false for public keys.
Which means, the values can be changed right?. My server does not sign(Convert as a digest) the content. They just encrypt using the private key which is to be decrypted at my(in iphone) end. Is that possible?.
The point of asymmetric cryptography is that you encrypt with the public key and decrypt with the private key.
EDIT: If you're signing and verifying, you should use the associated APIs. For example, you can check this capability with kSecAttrCanSign and kSecAttrCanVerify.