Encrypt key material Command not working. How to fix it? - amazon-kms

openssl rsautl -encrypt \
-in PlaintextKeyMaterial.bin \
-oaep \
-inkey PublicKey.bin \
-keyform DER \
-pubin \
-out EncryptedKeyMaterial.bin
This command is not working in my Windows 7 cmd terminal.
It is showing the following errors:
-in not recognized as an internal or external command, operable
program or batch file.
and then following the same statement for all -oaep, -inkey, etc.

In batch files, appending lines is done with the caret ^ character, not with backslashes.

Related

How do I execute a command in cmder using powershell?

As part of an onboarding process I write a .ps1 script that installs every necessary program, sets up the dev environments, ...
Also I create SSH keys, therefore I have to use openSSL. The command openssl genrsa 4096 | openssl pkcs8 -topk8 -inform PEM -out key.p8 works fine using cmder (and the pub key as well).
But:
The onboarding script is a .ps1 script. Inside this script I install the CMDER (which is used later on in VS Code). I can't create the openssl key using PowerShell. Is there a way to open the CMDER window in the .ps1 script?
So far the Start-Process C:\cmder\cmder.exe -ArgumentList "\task 'openssl genrsa 4096 | openssl pkcs8 -topk8 -inform PEM -out key.p8'" creates an error. Either the command is not recognized or I use the wrong parameter for executing a command (see this link to the CMDER gitlab project: https://github.com/cmderdev/cmder#cmderexe-command-line-arguments).

Password file for sqoop

I have to execute a psql command and then a sqoop command using shell, and for that I need to give a password. Is there any option where I can place the password and give it to both commands?
First off, you should never store plain text passwords in files.
Store the password in an encrypted file and then decrypt and use it when required.
Encrypt the password:
openssl des3 -salt -in file.txt -out file.des3
Decrypt the password:
dec_pwd=$(openssl des3 -d -salt -in file.des3)
Here use the dec_pwd variable to pass it in sqoop and postgres commands.
NOTE: Please overwrite the variable dec_pwd later on, so that it cannot be used anywhere else, for security reasons.

Is there a way to verify a signed digest within Postgres?

The following command was run and the content of content_file, signature_file and id_rsa.pub (or pem) are inserted into a Postgres database.
openssl dgst -sign id_rsa content_file > signature_file
Is there any way to verify that the signature corresponds with the content/public key within Postgres?
I have looked at the pgcrypto functions however the only relevant function seems to be pgp_pub_decrypt which requires the secret key.
Basically I am looking to perform the following in Postgres:
openssl dgst -verify .\id_rsa.pem -signature .\signature_file .\content_file
As per Craig's suggestion, I ended up using plpythonu to solve this.
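CREATE OR REPLACE FUNCTION api.verify(
    p_data text,
    p_signature text,
    p_publickey text
)
RETURNS boolean AS
$$
    try:
        import rsa
        # p_publickey is the PEM text written by "openssl rsa -RSAPublicKey_out"
        pubkey = rsa.PublicKey.load_pkcs1(p_publickey)
        # p_signature is the hex string written by "openssl dgst -hex -sign"
        signature = bytearray.fromhex(p_signature)
        verified = rsa.verify(p_data, signature, pubkey)
        return verified
    except:
        # Any parsing or verification failure is reported as "not verified"
        return False
$$ LANGUAGE plpythonu VOLATILE
SECURITY DEFINER;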
With my lack of python knowledge, the hardest part of this was actually setting up the required python packages (Docker environment in my case). Here is the relevant excerpt from the Dockerfile:
FROM postgres:9.6
# Install necessary python packages to work with postgres
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        "postgresql-plpython-$PG_MAJOR" \
    && apt-get install -y python-pip python-dev
# Install python rsa module for signature verification
RUN pip install rsa
The function worked given the following parameters:
# Generate private key. Provide secure passphrase when prompted.
openssl genrsa -aes256 -out private.pem 4096
# Export public key
openssl rsa -in private.pem -RSAPublicKey_out -out public.pem
# Sign data. Provide secure passphrase when prompted.
# Remove first line (RSA-SHA256(data.txt)=) when passing into database verify function.
openssl dgst -hex -sign private.pem data.txt > signature.txt
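The check that the function above delegates to rsa.verify, written out as an added example (not code from the answer): an RSA PKCS#1 v1.5 / SHA-256 verification that needs only the public key and accepts the `openssl dgst -hex -sign` output with or without its `RSA-SHA256(data.txt)=` prefix. It assumes Python 3.8+ and takes the modulus and exponent as integers instead of parsing a PEM file; the demo key and the `sign_for_demo` helper are constructed for illustration only.

```python
import hashlib
import hmac

# DER-encoded DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 || DigestInfo || SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def parse_openssl_hex(text: str) -> bytes:
    """Accept bare hex or 'RSA-SHA256(data.txt)= <hex>' from `openssl dgst -hex`."""
    return bytes.fromhex(text.split("=")[-1].strip())

def verify(message: bytes, signature_text: str, n: int, e: int) -> bool:
    """Verify with the public key (n, e) only; bad input yields False."""
    k = (n.bit_length() + 7) // 8
    try:
        sig = parse_openssl_hex(signature_text)
    except ValueError:
        return False
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    # Rebuild the expected block and compare it whole instead of parsing padding.
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, k))

# Constructed demo key: product of two Mersenne primes. NOT a safe key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, only to produce a sample

def sign_for_demo(message: bytes) -> str:
    """Produce a sample signature in the same text form openssl writes."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return "RSA-SHA256(data.txt)= " + pow(m, D, N).to_bytes(k, "big").hex()

if __name__ == "__main__":
    sig = sign_for_demo(b"hello\n")
    print(verify(b"hello\n", sig, N, E), verify(b"tampered\n", sig, N, E))
```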

Github peer not authenticated when I issue g8 command

I am using red hat linux. I am trying to run this command:
g8 typesafehub/play-scala
And I am getting this response:
Exception fetching from github peer not authenticated
But when I check the connection using
openssl s_client -connect github.com:443
I get this:
Verify return code: 0 (ok)
Which means that I am able to connect with github. Why doesn't this command work?
g8 typesafehub/play-scala
I also ran into this issue on an RHEL 5 VM image where I am using openjdk 6. It was the other note to look at TrustManager that clued me in on a fix. I tweak the invocation to add a trust setting for github; in my situation it resolves the peer authentication issue.
First grab the github certificate using openssl and keytool to make it accessible to java.
echo "" | openssl s_client -connect www.github.com:443 \
-showcerts 2>/dev/null | openssl x509 -out github.cert
keytool -import -alias github \
-file github.cert -storepass g8g8g8 \
-keystore $HOME/g8.truststore
Now to rewrite the invocation with a script I call "G8":
g8 \
  -Djavax.net.ssl.trustStore=$HOME/g8.truststore \
  -Djavax.net.ssl.trustStorePassword=g8g8g8 \
  "$@"
Now try executing G8 -v typesafehub/akka-scala-sbt and I see things are much happier now. I imagine setting a systemwide default truststore may be better but I haven't figured that one out yet.
If it really is an authentication issue, check your ~/.g8/config file for authentication purpose, but you shouldn't need it for anonymous access.
Note that, according to issue 32 of giter8, it can also depend on the Java you are using.
For instance:
Sorry, that preview release of openjdk 7 is not fit for general use. (There's also giter8 issue #27 specific to openjdk on mac.) I have tested openjdk 7~b147-2.0-0ubuntu0.11.10.1 with giter8 and that worked fine, so when there is a final release available for mac you should be able to use it.
For now, please try with jdk 6 and reopen if you are still having trouble.
Another JDK (openjdk) might end up using the wrong TrustManager, as described in "Avoiding the "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" with HttpClient"
I had the same issue as B Evans (thanks for this!), but in Windows, so here is the equivalent code in case someone else has this issue and doesn't know how to do it from windows cmd. I also had to get openssl from http://www.openssl.org/related/binaries.html
openssl s_client -connect www.github.com:443 -showcerts > out.txt
openssl x509 -out github.cert < out.txt
keytool -import -alias github -file github.cert ^
  -storepass g8g8g8 -keystore C:\tmp\g8.truststore
Then add the same to JAVA_OPTS (I also had to deal with our corporate firewall and hence proxy as well...)
SET JAVA_OPTS=-Dhttp.proxyHost=our.proxy.com -Dhttp.proxyPort=8080 ^
 -Dhttps.proxyHost=our.proxy.com -Dhttps.proxyPort=8080 ^
 -Djavax.net.ssl.trustStore=C:\tmp\g8.truststore ^
 -Djavax.net.ssl.trustStorePassword=g8g8g8

Syntax error for makecert.exe tool

Did I miss anything during this?
I am running this command from the command prompt in Windows 7 to create a certificate but it is showing a syntax error.
Command I ran:
makecert.exe "c:\1\Test.cer" -a sha1 -n "CN=AppGuid" -sr LocalMachine -ss My -sky signature -pe -len 2048
Output I got:
Usage: MakeCert [ basic|extended options] [outputCertificateFile]
Basic Options
-sk
-ss
-sr
.
.
.
Did I miss anything during this?
Well, as you can see from the format it says MakeCert [basic] [output file].
The last item in your command is not the output file, so there's one thing wrong. As for the rest, I would assume that "C:\1\test.cer" is not an option, so that is probably wrong too.