Using ColdFusion to sign data for single sign-on

Question

Using ColdFusion to sign data for single sign-on

I apologize in advance for the length of this post. I don’t know enough about this problem to correctly determine what a specific problem really is! But, in any case, we made calls against our Membership API to request information about our members (affiliation dates, membership types, etc.), Using the steps and recommendations provided by @Leigh here and they work great! Thanks again, Lee, our members are very happy that we were able to do this!

Now I want to configure single sign-on for our members, allowing them to log in to our page, and then go to their member profile already registered on this site. According to the API documentation , I need to do the following:

"Use your signature certificate to sign the portal username for logging in."

I am completely stuck on this. I have been given a private XML key (generated by their .NET application) in the form

<RSAKeyValue><Modulus>{stuff}</Modulus><Exponent>{stuff}</Exponent><P>... etc etc

I understand that I cannot work with this format directly and must convert it to PEM or similar. Using OpenSSL, I think I did it, and now I have a file in the format "----- START A PRIVATE KEY ----- {stuff} ----- END PRIVATE KEY -----."

Using the Leigh solution gives me a signature, but this does not match the example provided in the API docs. I think this is due to the fact that he uses HmacSHA1, while they note that “the signature in the header uses HMAC SHA1, while the signature for creating security tokens uses the public / private key pair and RSA-SHA1. The same method cannot be used to generate both. " I tried to change

 <cfset key = key.init(jKey,"HmacSHA1") />

to

 <cfset key = key.init(jKey,"RSA-SHA1") />

and got the "RSA-SHA1 algorithm is unavailable."

I tried copying and pasting some other suggested solutions, but none of them work. One example (obtained from 12Robots.com ):

 <!--- Create a Java Cipher object and get a mode ---> <cfset cipher = createObject('java', 'javax.crypto.Cipher').getInstance("RSA") /> <!--- The mode tells the Cipher whether is will be encrypting or decrypting ---> <cfset encMode = cipher.ENCRYPT_MODE /> <cfset encryptedValue = "" /> <!--- Return variable ---> <!--- Initialize the Cipher with the mode and the key ---> <cfset cipher.init(encMode, key) /> <!--- Convert the string to bytes ---> <cfset stringBytes = stringToSign.getBytes("UTF8") /> <!--- Perform encryption ---> <cfset encryptedValue = cipher.doFinal(stringBytes, 0, len(inputString)) /> <cfdump var="#encryptedValue#">

The "key" in this case is the PEM text that I mentioned earlier, and "stringToSign" is the username. The error I get is: "Either there are no methods with the specified method name and argument types, or the init method is overloaded with argument types that ColdFusion cannot decrypt reliably. ColdFusion detected 0 methods that match the arguments provided. If it is a Java object and you confirmed, that the method exists, use the javacast function to reduce ambiguity. "

One more thing I tried:

 <cfset rsaPrivateKey = toBase64(key, "utf-8")> <cfset jKey = JavaCast("string", rsaPrivateKey)> <cfset jMsg = JavaCast("string", stringToSign).getBytes("ASCII")> <cfset key = createObject("java", "java.security.PrivateKey")> <cfset keySpec = createObject("java", "java.security.spec.PKCS8EncodedKeySpec")> <cfset keyFactory = createObject("java", "java.security.KeyFactory")> <cfset b64dec = createObject("java", "sun.misc.BASE64Decoder")> <cfset sig = createObject("java", "java.security.Signature")> <cfset byteClass = createObject("java", "java.lang.Class")> <cfset byteArray = createObject("java", "java.lang.reflect.Array")> <cfset byteClass = byteClass.forName(JavaCast("string", "java.lang.Byte"))> <cfset keyBytes = byteArray.newInstance(byteClass, JavaCast("int", "1024"))> <cfset keyBytes = b64dec.decodeBuffer(jKey)> <cfset sig = sig.getInstance("SHA1withRSA", "SunJSSE")> <cfset sig.initSign(keyFactory.getInstance("RSA").generatePrivate(keySpec.init(keyBytes)))> <cfset sig.update(jMsg)> <cfset signBytes = sig.sign()> <cfset finalSig = ToBase64(signBytes)> <cfdump var="#finalSig#">

Which gives me "java.security.InvalidKeyException: invalid key format." BTW, if I set rsaPrivateKey to "key", I get another error, "java.security.InvalidKeyException: IOException: DerInputStream.getLength (): lengthTag = 127, too big." I'm glad I get different error messages; at least something happens !:-)

Again, I don't know what these Java functions do. And of course, I don’t understand why something similar in a straightforward way turned out to be so complicated! But my suspicion is that I either incorrectly stored the PEM secret key or incorrectly read from the database (or both), and this is what contributes to the failure of these various solutions. But I do not know, suffice it to say if this is so.

I would welcome any insights or suggestions that could help me! If anyone needs more information, I will be happy to provide this. Thank you all in advance!

+7

coldfusion cryptography encryption private-key single-sign-on

daltec Nov 22 '16 at 3:13

source share

1 answer

Leigh · Accepted Answer · 2016-11-22T15:16:00+0000

I understand that I cannot work with this format directly and must convert it to PEM or similar

Nothing wrong with that, but it's technically not required. Key information can be loaded either from a PEM OR file directly from XML .

Option 1: Download the key from XML:

Parse the sample XML string into an object. Then remove the module and the private exponent (i.e. the <D> Element). Use the module and metric to create RSAPrivateKeySpec and load the RSA private key:

 xmlKeyString = "<RSAKeyValue><Modulus>........</D></RSAKeyValue>"; xmlDoc = xmlParse(xmlKeyString); modBytes = binaryDecode(xmlDoc.RSAKeyValue.Modulus.xmlText, "base64"); dBytes = binaryDecode(xmlDoc.RSAKeyValue.D.xmlText, "base64"); modulus = createObject("java","java.math.BigInteger").init(1, modBytes); exponent = createObject("java","java.math.BigInteger").init(1, dBytes); keySpec = createObject("java", "java.security.spec.RSAPrivateKeySpec").init(modulus, exponent); keyFactory = createObject("java", "java.security.KeyFactory").getInstance("RSA"); privateKey = keyFactory.generatePrivate(keySpec);

Option 2: Download the key from the PEM file:

Read the PEM file in a variable. Remove title / trailer i.e. "--- BEGIN / END RSA PRIVATE KEY -----". Then decode the contents of base64 and load the private key using KeyFactory :

 rawKey = replace( pemContent, "-----BEGIN RSA PRIVATE KEY-----", "" ); rawKey = replace( rawKey, "-----END RSA PRIVATE KEY-----", "" ); keyBytes = rawKey.trim().binaryDecode("base64"); keySpec = createObject("java", "java.security.spec.PKCS8EncodedKeySpec"); keyFactory = createObject("java", "java.security.KeyFactory").getInstance("RSA"); privateKey = keyFactory.generatePrivate(keySpec.init(keyBytes));

After you have downloaded the private key, you can use the Signature object to execute the SHA1 hash and generate a signature using the RSA key:

 stringToSign = " test@membersuite.com "; signer = createObject("java", "java.security.Signature").getInstance("SHA1withRSA");; signer.initSign(privateKey); signer.update( stringToSign.getBytes("us-ASCII")); signedBytes = binaryEncode(signer.sign(), "base64"); writeDump(signedBytes);

Result (using XML example):

 jTDKoH+INi19kGWn7WRk/PZegLv/9fPUOluaM57x8y1tkuwxOiyX86gxsZ7gU/OsStIT9Q5SVSG5NoaL3B+AxjuLY8b7XBMfTXHv2vidrDkkTTBW0D2LsrkZ3xzmvvPqqfA3tF2HXUYF+zoiTsr3bQdA32CJ+lDNkf+QjV3ZEoc=

NB: Whatever method you choose, properly securing private keys is VERY important. After you have a sample, be sure to read how best to store and protect private keys.

Using ColdFusion to sign data for single sign-on

More articles: