GCS Signed URL client ID and sample code understanding - google-app-engine

I am trying to implement signed URL in my code. I was trying to understand and debug the below code provided by google.
https://cloud.google.com/storage/docs/access-control#signing-code-python
Below is what my client id from Developers console looks like
zzzzzzzzzzzz-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.apps.googleusercontent.com
Is this the client ID which the code expects? When I give this as the keytext in the code, it throws "RSA key format is not supported". Any inputs greatly appreciated; I am new to this.

The complete example shows what to do basically: https://github.com/GoogleCloudPlatform/storage-signedurls-python
In cloud console, API > credentials > new credentials > service account key > key type > p12. This downloads a .p12 key
Convert key to PEM:
openssl pkcs12 -in /path/to/key.p12 -nodes -nocerts > /path/to/key.pem
Will be prompted for password: notasecret
The name of the downloaded private key is the key's thumbprint. When inspecting the key on your computer, or using the key in your application, you need to provide the password notasecret. Note that while the password for all Google-issued private keys is the same (notasecret), each key is cryptographically unique.
Write RSA key:
openssl rsa -in /path/to/key.pem -inform PEM -out /path/to/key.der -outform DER
It's your key.der you'll want to supply as your key
with open('key.der', 'rb') as k:
    key = k.read()
then
import Crypto.PublicKey.RSA as RSA
...
...
private_key = RSA.importKey(key)
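To make the signing step concrete, here is an added example (not code from the question, from Google's sample, or from the storage-signedurls-python repository) that builds the V2 signed URL around whatever RSA key object you end up with. It assembles the string-to-sign in the layout Google documents (verb, Content-MD5, Content-Type, expiration, canonicalized x-goog-* headers, resource), signs it through an injected callable, and assembles the query string. The stand-in signer in the demo, the bucket and object names, and the service-account address are constructed; `rsa_sha256_signer` assumes the `cryptography` package is installed when it is called, and the percent-encoding of the object name is this example's choice.

```python
import base64
import time
import urllib.parse
from typing import Callable, Dict, Optional


def build_string_to_sign(method: str, expires: int, bucket: str, object_name: str,
                         content_md5: str = "", content_type: str = "",
                         ext_headers: Optional[Dict[str, str]] = None) -> str:
    """Assemble the GCS V2 string-to-sign in the layout Google documents:

        HTTP_Verb \\n Content_MD5 \\n Content_Type \\n Expiration \\n
        Canonicalized_Extension_Headers Canonicalized_Resource

    Extension headers are the x-goog-* request headers, lowercased, sorted,
    each followed by a newline.  The resource is /bucket/object; percent-
    encoding the object name while keeping '/' literal is this example's choice.
    """
    ext_headers = ext_headers or {}
    canonical_headers = "".join(
        f"{name.lower()}:{ext_headers[name].strip()}\n"
        for name in sorted(ext_headers, key=str.lower)
    )
    resource = f"/{bucket}/{urllib.parse.quote(object_name, safe='/')}"
    return f"{method}\n{content_md5}\n{content_type}\n{expires}\n{canonical_headers}{resource}"


def build_signed_url(sign: Callable[[bytes], bytes], client_email: str, bucket: str,
                     object_name: str, method: str = "GET", ttl_seconds: int = 3600,
                     now: Optional[int] = None, **sts_kwargs) -> str:
    """Sign the string-to-sign and assemble the URL.

    `sign` returns the raw RSA-SHA256 signature bytes.  `client_email` is the
    service account's e-mail address, which is what GoogleAccessId carries;
    the OAuth client ID from the Developers console is neither a key nor an
    access id, which is why feeding it to RSA.importKey fails.
    """
    expires = (int(time.time()) if now is None else now) + ttl_seconds
    string_to_sign = build_string_to_sign(method, expires, bucket, object_name, **sts_kwargs)
    signature = base64.b64encode(sign(string_to_sign.encode("utf-8"))).decode("ascii")
    query = urllib.parse.urlencode({
        "GoogleAccessId": client_email,
        "Expires": str(expires),
        "Signature": signature,  # urlencode escapes the '+', '/' and '=' of base64
    })
    return (f"https://storage.googleapis.com/{bucket}/"
            f"{urllib.parse.quote(object_name, safe='/')}?{query}")


def signed_url_params(url: str) -> Dict[str, str]:
    """Decode a signed URL back into its path and query fields, e.g. to check
    that Expires has not already passed before handing the URL out."""
    parts = urllib.parse.urlsplit(url)
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    fields["path"] = urllib.parse.unquote(parts.path)
    return fields


def rsa_sha256_signer(pem_private_key: bytes) -> Callable[[bytes], bytes]:
    """Real signer built on the `cryptography` package (assumed installed when
    this is called).  With the page's pycrypto import the equivalent is
    PKCS1_v1_5.new(RSA.importKey(key)).sign(SHA256.new(data))."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem_private_key, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Demo with a constructed stand-in signer so it runs without a service-account
    # key; swap in rsa_sha256_signer(open("key.pem", "rb").read()) for real use.
    fake_sign = lambda data: b"\x00\xffsig"
    url = build_signed_url(fake_sign, "my-sa@example.iam.gserviceaccount.com",
                           "my-bucket", "reports/2015 q1.pdf", now=1500000000, ttl_seconds=60)
    print(url)
    print(signed_url_params(url))
```

The signer is passed in rather than hard-wired so the URL construction can be checked on its own; a wrong GoogleAccessId or a stale Expires shows up in `signed_url_params` long before Google rejects the request.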

You may want to consider using gcloud-python for Google Cloud Storage, which among other things provides an easy way for signing a URL.

Related

Decrypt JSEncrypt-encrypted message in Bash [duplicate]

Please advice me on this issue.
It looks like JSEncrypt adds some random padding to the RSA-encrypted string, and thus I cannot decrypt it with openssl.
My JS code looks like this:
const rsaEncrypt = new window.JSEncrypt();
rsaEncrypt.setKey(
`-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----`);
const rsaDecrypt = new window.JSEncrypt();
rsaDecrypt.setKey(
`-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----`
);
const encryptedKey = rsaEncrypt.encrypt(key);
console.log(rsaDecrypt.decrypt(encryptedKey));
And the command I use to decrypt is this (this is the command I use currently, but I've tried a million different commands and none worked!):
openssl rsautl -in "$ENCRYPTED_FILE" -out "decrypted.txt" -inkey "private-key.pem"
I've been trying to solve this for 3 days purely, so any advice would be very very appreciated! I'm also open to using a different library that is compatible to be used with openssl.
Please help! Thanks in advance!

Login with Apple id returns "invalid_request Invalid web redirect url."

I'm trying to integrate Login with Apple id in my NextJS project. For authentication, I chose package next-auth. So, in the documentation for next-auth, it requires the following data:
import Providers from 'next-auth/providers'
...
providers: [
  Providers.Apple({
    clientId: process.env.APPLE_ID,
    clientSecret: {
      teamId: process.env.APPLE_TEAM_ID,
      privateKey: process.env.APPLE_PRIVATE_KEY,
      keyId: process.env.APPLE_KEY_ID,
    }
  })
]
...
I used this link to create the credentials for my account.
For the clientId I used an identifier for my ServicesID; right now it looks like com.test.client. For the teamId I used a string that was in the top right corner. For the privateKey I used the key that I generated in my account and downloaded. I removed the parts where it says -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and made sure the key stays on one line. The keyId I got from my account.
I store all the values in the .env variable. I double-checked and the problem is not with the .env variable.
When I try to log in with Apple id It redirects me to this error page:
Here's the list of my URLs from the ServicesID page:
Domains and Subdomains:
test.com
www.test.com
Return URLs
https://test.com
I guess the problem is with my redirect URL, but I don't understand what it is.

How to specify SAML encryption certificate in ruby-saml?

The ruby-saml gem supports adding certificate and private-key info to the Service Provider's metadata, but as far as I can tell, that configures only the signing certificate, not the encryption one. Here's what I do:
settings.certificate = "---- BEGIN CERTIFICATE----..."
settings.private_key = "-----BEGIN PRIVATE KEY----..."
which results in the following XML section added to Service Provider's metadata:
<md:KeyDescriptor use='signing'>
  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:X509Data>
      <ds:X509Certificate>
        CERTIFICATE IS HERE GSDk3tShjl4yhShj4Hr....
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
But how do I configure ruby-saml to add a similar section for use='encryption' in addition to use='signing'?
If I understood correctly, you are not able to send the SAMLResponse in encrypted form. If that is the case, when you are building the SAML response, send one more parameter:
saml_response = encode_response(:encryption => encryption_opts)

# Encryption options handed to encode_response: the SP's certificate wraps the
# session key (key transport), which in turn encrypts the assertion body.
def encryption_opts
  {
    cert: saml_request.service_provider.cert,
    block_encryption: 'aes256-cbc',
    key_transport: 'rsa-oaep-mgf1p'
  }
end

Add SSL certificate from Godaddy to Google App Engine

I'm trying to add an SSL certificate that I created on Godaddy to my Google App Engine account on a Mac.
Using Keychain, I created a new 2048-bit RSA private-public key pair, and with it created a CertificateSigningRequest.certSigningRequest. I then used this certificate signing request to create the new SSL certificate on Godaddy. They then let me download a zip file with two .crt files in it (734b34####.crt and gd_bundle-g2-g1.crt).
And then trying to add it to GAE, I get this screen:
Can anyone tell me what to enter as "PEM encoded X.509 public key certificate" and what as "Unencrypted PEM encoded RSA private key"?
I tried exporting from Keychain all different relevant keys and certificates in all kinds of format (p12, cer, and converting them to pem), even without passwords on them.
For some reason, whenever I export & convert the private key, its beginning looks like this:
Bag Attributes
friendlyName: *.mydomain.com
localKeyID: 10 93 42 BE 45...
subject=/OU=Domain Control Validated/CN=*.mydomain.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
After not finding any guide to do it on a Mac, and trying different options for hours, here's what I did:
Concat the two .crt provided by Godaddy into one: cat 734b34####.crt gd_bundle-g2-g1.crt > godaddy.crt.
Use godaddy.crt for the first certificate ("PEM encoded X.509 public key certificate").
In Keychain, export (without a password) the private key that was used for the certificate signing request in p12 format, let's call it private.p12:
Convert the p12 private key: openssl pkcs12 -in private.p12 -out private.pem -nodes -clcerts. The password is just empty.
[EDIT] - then convert the private.pem file to RSA type: openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM
Copy the contents of the created file: pbcopy < private_unencrypted.pem.
Paste (what we've just copied) into the second text area ("Unencrypted PEM encoded RSA private key").
Edit the pasted text, so that all of the text starting from Bag Attributes until -----BEGIN RSA PRIVATE KEY----- (excluding) is deleted. The result is a long string that starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.
You should now be able to click the Upload button at the bottom.
Phew!
Would love to see if anyone had a more elegant / official way to do it.
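The hand edit in the steps above (delete everything from Bag Attributes up to -----BEGIN RSA PRIVATE KEY-----, and keep the two .crt files concatenated) can be done, and checked, by splitting the openssl output into its PEM blocks. The following is an added example, not code from the answer or from Google, and it runs on constructed sample text: the certificate bodies and key bodies below are placeholders, not real key material. Beyond this answer's case it also reports the two ways a key can still be password-protected after export, and the "nothing PEM-shaped here" case that the first question on this page ran into by feeding a client ID where a key was expected.

```python
import re
from typing import Dict, List, Optional

# One PEM block: BEGIN line, optional headers plus base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed stand-in for `openssl pkcs12 -in private.p12 -out - -nodes -clcerts`
# output on a Mac export: Bag Attributes, then the certificate, then the key.
# Bodies are placeholders, not real certificates or keys.
SAMPLE_P12_EXPORT = """Bag Attributes
    friendlyName: *.example.com
    localKeyID: 01 02 03 04 05
subject=/OU=Domain Control Validated/CN=*.example.com
issuer=/C=US/O=Example CA
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDLEAFCERTIFICATE
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: *.example.com
    localKeyID: 01 02 03 04 05
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIECONSTRUCTEDPRIVATEKEYBODY
-----END RSA PRIVATE KEY-----
"""

# Constructed stand-in for a CA bundle file with two intermediate certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDINTERMEDIATEONE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDINTERMEDIATETWO
-----END CERTIFICATE-----
"""

# Constructed traditional PEM key that is still password-protected.
SAMPLE_ENCRYPTED_EXPORT = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

CONSTRUCTEDENCRYPTEDBODY
-----END RSA PRIVATE KEY-----
"""


def split_pem(text: str) -> Dict[str, List[str]]:
    """Return {label: [block, ...]} for every PEM block in `text`.

    Bag Attributes, subject=/issuer= lines and anything else outside a
    BEGIN/END pair (what the answer deletes by hand) are dropped."""
    blocks: Dict[str, List[str]] = {}
    for match in _PEM_BLOCK.finditer(text):
        blocks.setdefault(match.group("label"), []).append(match.group(0) + "\n")
    return blocks


def key_problem(text: str) -> Optional[str]:
    """None if `text` holds a usable unencrypted private key, else why not."""
    blocks = split_pem(text)
    if "ENCRYPTED PRIVATE KEY" in blocks:
        return "PKCS#8 key is password-protected; re-export with `openssl pkcs12 -nodes`"
    for label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        if label in blocks:
            if "Proc-Type: 4,ENCRYPTED" in blocks[label][0]:
                return "traditional PEM key is password-protected; strip it with `openssl rsa -in ... -out ...`"
            return None
    return "no PEM private key block found (a client ID string or a .der file is not PEM text)"


def unencrypted_private_key(text: str) -> str:
    """The private key block alone, as GAE's 'Unencrypted PEM encoded RSA private
    key' field expects it; raises ValueError with the reason otherwise."""
    problem = key_problem(text)
    if problem:
        raise ValueError(problem)
    blocks = split_pem(text)
    return (blocks.get("RSA PRIVATE KEY") or blocks["PRIVATE KEY"])[0]


def certificate_chain(*texts: str) -> str:
    """All CERTIFICATE blocks from the given texts in order, leaf first, which
    is what `cat 734b34####.crt gd_bundle-g2-g1.crt > godaddy.crt` produces."""
    return "".join(block for text in texts for block in split_pem(text).get("CERTIFICATE", []))


if __name__ == "__main__":
    print(certificate_chain(SAMPLE_P12_EXPORT, SAMPLE_BUNDLE))
    print(unencrypted_private_key(SAMPLE_P12_EXPORT))
    print(key_problem(SAMPLE_ENCRYPTED_EXPORT))
```

Run against the real `private.pem` and the two GoDaddy files, `certificate_chain` yields the first text area's contents and `unencrypted_private_key` the second's; `key_problem` names the missing step if an export is still encrypted.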

SSL Cipher help in C

I am trying to use SSL on top of TCP/IP to send an HTTPS request to a site using C. I have no access to curl or other standard libraries. Pretend like I can't load any libraries at all.
I need to set an SSL Profile Cipher. When I successfully use curl on my linux box to talk with the server I see: SSL Connection using ECDHE-RSA-AES128-SHA
If my options for setting the cipher are:
SSL_kRSA (RSA Key Exchange)
SSL_kEDH (tmp DH key no DH cert)
SSL_aRSA (Authenticate with RSA)
SSL_aDSS (Authenticate with DSS)
SSL_DES (DES)
SSL_3DES (3DES)
SSL_RC4 (RC4)
SSL_RC2 (RC2)
SSL_AES (AES)
SSL_MD5 (MD5)
SSL_SHA1 (SHA1)
SSL_SHA256 (SHA256)
SSL_SHA384 (SHA384)
SSL_RSA ([SSL_kRSA|SSL_aRSA] RSA)
SSL_DSS ([SSL_aDSS] Authenticate with DSS)
I can set multiple things by something like:
SSL_RSA | SSL_AES
Protocol is TLSv1.2
What should my cipher look like?
"Pretend like I can't load any libraries at all." If that is true, you will need to implement the cipher itself plus the SSL handling layer ^_^.
Assuming you are using OpenSSL and have TCP established with socket_fd, you need to create an SSL_CTX with SSL_CTX_new(SSLv23_client_method()). Normally, to set the cipher list, you use SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL:@STRENGTH"); see http://openssl.org/docs/apps/ciphers.html for all available options, where you may specify a particular cipher.
Then create an SSL session with SSL_new(ctx) and SSL_set_fd(ssl, socket_fd); after that use SSL_connect(...) and SSL_read(...)/SSL_write(...) to communicate with the server.
After all is done, SSL_shutdown(...), SSL_free(...) and SSL_CTX_free(...).