We Keep Coding

PBIVIZ not recognizing certificate

I've been updating my development environment with the latest pbiviz stuff
I did a:
npm i -g powerbi-visuals-tools
and:
pbiviz --install-cert
in Windows terminal/powershell
Then I opened a project in Visual Code and using terminal did a:
pbiviz package
info Building visual...
info Installing API: ~3.8.0...
Certificate is invalid!
warn Local valid certificate not found.
info Checking global instance of pbiviz certificate...
warn Global instance of valid pbiviz certificate not found.
info Generating a new certificate...
info Certificate generated. Location is C:\Users\mike\AppData\Roaming\npm\node_modules\powerbi-visuals-tools\certs\PowerBICustomVisualTest_public.pfx. Passphrase is '4492518445773821'
info Start preparing plugin template
info Finish preparing plugin template
error error:0308010C:digital envelope routines::unsupported
C:\Users\mike\AppData\Roaming\npm\node_modules\powerbi-visuals-tools\node_modules\powerbi-visuals-webpack-plugin\index.js:185
throw new Error("Failed to generate visualPlugin.ts");
^
Error: Failed to generate visualPlugin.ts
at C:\Users\mike\AppData\Roaming\npm\node_modules\powerbi-visuals-tools\node_modules\powerbi-visuals-webpack-plugin\index.js:185:12
at async PowerBICustomVisualsWebpackPlugin._beforeCompile (C:\Users\mike\AppData\Roaming\npm\node_modules\powerbi-visuals-tools\node_modules\powerbi-visuals-webpack-plugin\index.js:177:4)
Node.js v17.0.0
I've tried uninstalling, reatarting and various incantations, but it doesn't want to go.
Is my certificate really invalid? How do I check it? Are there any diagnostics I can run?
Any and all advice gladly accepted
I just updated to pbiviz -V
3.4.1
same problem

After a debug session we found an error in powerbi-visuals-tools#3.4.1 where the check for certificate in certificatetoosl.js uses the text date of the certificate expiry date, whihc in my case is dd/mm/yyyy which fails because this expects and ISO 8601, but will work with mm/dd/yyyy
[![debug image][1]][1]
This is the code:
// For Windows OS:
if (os.platform() === "win32") {
if (!fs.existsSync(pfxPath) || !passphrase) {
return false;
}
let certStr = await exec(`certutil -p ${passphrase} -dump "${pfxPath}"`);
let certStrSplitted = certStr.split('\r\n');
let regex = /(?<=: ).*/;
endDateStr = regex.exec(certStrSplitted[6]);
}
// For Linux and Mac/darwin OS:
else if (os.platform() === "linux" || os.platform() === "darwin") {
if (!fs.existsSync(certPath)) {
return false;
}
endDateStr = await exec(`openssl x509 -enddate -noout -in ${certPath} | cut -d = -f 2`);
}
let endDate = new Date(Date.parse(endDateStr));
verifyCertDate = (endDate - new Date()) > certSafePeriod;
if (verifyCertDate) {
ConsoleWriter.info(`Certificate is valid.`);
} else {
ConsoleWriter.warn(`Certificate is invalid!`);
removeCertFiles(certPath, keyPath, pfxPath);
}
We don't have a full solution but there will be workarounds until the package is fixed. Deleting all the modules and reinstalling seemed to fix the visualPlugin.ts problem as well.
[1]: https://i.stack.imgur.com/XVrsQ.png

Indy TLS Server "No shared cipher" using ECDH Keys

Hoping someone out there can help me with this one. Simple TIdHTTPServer with OpenSSL support used to decode TLS traffic from a client using ECDH-based keys.
Server key created with the following command:
openssl ecparam -name secp256k1 -genkey -noout -out key.pem
Server debug logs:
23:33:14.878 SSL status: "before/accept initialization"
23:33:14.886 SSL status: "SSLv3 read client hello C"
23:33:14.886 SSL status: "error"
23:33:14.887 Connection from: 192.168.12.1:23727 Closed
23:33:14.887 EXCEPTION: Error accepting connection with SSL.
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
From this question, it seems like I need to call SSL_CTX_set_ecdh_auto(ctx,1)
SSL Server Initialization:
ServerIOHandler = new TIdServerIOHandlerSSLOpenSSL();
ServerIOHandler->SSLOptions->CertFile = CertPath;
ServerIOHandler->SSLOptions->KeyFile = KeyPath;
ServerIOHandler->SSLOptions->RootCertFile = RootCertPath;
ServerIOHandler->SSLOptions->Method = sslvTLSv1_2;
ServerIOHandler->SSLOptions->Mode = sslmServer;
//ServerIOHandler->SSLOptions->CipherList = "";
ServerIOHandler->SSLOptions->VerifyDepth = 1;
ServerIOHandler->OnGetPassword = OnGetServerPassword;
ServerIOHandler->OnStatusInfo = SSL_Status;
TLSServer->Bindings->Add();
TLSServer->Bindings->Items[0]->IP = TLSServerInfo.AdapterIP;
TLSServer->Bindings->Items[0]->Port = TLSServerInfo.LocalPort;
TLSServer->DefaultPort = TLSServerInfo.LocalPort;
TLSServer->IOHandler = ServerIOHandler;
try {
PanelServer->Active = true;
}
catch (Exception &Ex) {
Msg = String(L"SSL Server Bound Exception: ") + Ex.Message;
}
I have followed these instructions to add SSL_CTX_set_ecdh_auto() to my IdSSLOpenSSLHeaders.pas file, but if I try to add an entry to call SSL_CTX_set_ecdh_auto() from my code, I get a "Call to undefined function 'SSL_CTX_set_ecdh_auto'" error.
I am running Indy 10.6.2.

How to install SSL certificate in Vapor web framework?

I want to install SSL(Comodo wildcard certificate, ex: "*.test.com")
in Vapor Web framework, the "servers.json" I got is:
{
"default": {
"port": "$PORT:443",
"host": "api.test.com",
"securityLayer": "tls",
"tls": {
"certificates": "chain",
"certificateFile": "/path/ssl-bundle.crt",
"chainFile": "/path/ssl-bundle.crt",
"privateKeyFile": "/path/key.pem",
"signature": "signedFile",
"caCertificateFile": "/path/AddTrustExternalCARoot.crt"
}
}
}
I already make sure that "public/private" key matches already using openssl command. And about the certificateFile part like "ssl-bundle.crt", I also tried "*.test.com.crt" with the "key.pem" as well(still pass the validation using openssl, the only difference is one is test.com's certificate, the other is bundle certificate, combined by correct orders already.). Besides, all certs and key's format are correct as well. And I also make sure the cert/key files location is correct so that the Vapor can find these files. But I still can't launch the server correctly, and always display the error.
I try to locate the exact location in xcode, but I can only see it fails in this method: "tls_accept_fds()", which is in tls_server.c of CLibreSSL library.
Also, I saw the error message the xcode displayed to me:
After use debug mode to trace, I can only know that it seems the program throws the error in "SSL_set_rfd()" or "SSL_set_rfd()", but I don't know exactly. The xcode only shows this to me, and I can't find any other error messages in the debug console. As result, so far I can only make sure that the error should be in this block:
int
tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
{
struct tls *conn_ctx = NULL;
// I pass this block
if ((ctx->flags & TLS_SERVER) == 0) {
tls_set_errorx(ctx, "not a server context");
goto err;
}
// I pass this block
if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
tls_set_errorx(ctx, "connection context failure");
goto err;
}
// I pass this block
if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
tls_set_errorx(ctx, "ssl failure");
goto err;
}
// I pass this block
if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
tls_set_errorx(ctx, "ssl application data failure");
goto err;
}
// The error occurs here, in SSL_set_rfd or SSL_set_wfd, it will then go to err part: "*cctx = NULL;", not even go into the if block.
if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
tls_set_errorx(ctx, "ssl file descriptor failure");
goto err;
}
*cctx = conn_ctx;
return (0);
err:
tls_free(conn_ctx);
*cctx = NULL;
return (-1);
}
So, the above is all the info I got right now, and I can't find the solution on the internet for several days already...
Could anyone give me any hint about how to install SSL in Vapor web framework? I can correctly install the SSL in Apache, Nginx, Tomcat, etc already. But never success in Vapor, it seems like C library issue, but I don't know the real reason why it fails, thank you very much for any possible help.

The bug has been found and fixed here: https://github.com/vapor/tls/pull/27

Issues with TLS connection in Golang

I have the following certificate hierarchy:
Root-->CA-->3 leaf certificates
The entire chain has both serverAuth and clientAuth as extended key usages explicitly defined.
In my go code, I create a tls.Config object like so:
func parseCert(certFile, keyFile string) (cert tls.Certificate, err error) {
certPEMBlock , err := ioutil.ReadFile(certFile)
if err != nil {
return
}
var certDERBlock *pem.Block
for {
certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)
if certDERBlock == nil {
break
}
if certDERBlock.Type == "CERTIFICATE" {
cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
}
}
// Need to flip the array because openssl gives it to us in the opposite format than golang tls expects.
cpy := make([][]byte, len(cert.Certificate))
copy(cpy, cert.Certificate)
var j = 0
for i := len(cpy)-1; i >=0; i-- {
cert.Certificate[j] = cert.Certificate[i]
j++
}
keyData, err := ioutil.ReadFile(keyFile)
if err != nil {
return
}
block, _ := pem.Decode(keyData)
if err != nil {
return
}
ecdsaKey, err := x509.ParseECPrivateKey(block.Bytes)
if err != nil {
return
}
cert.PrivateKey = ecdsaKey
return
}
// configure and create a tls.Config instance using the provided cert, key, and ca cert files.
func configureTLS(certFile, keyFile, caCertFile string) (tlsConfig *tls.Config, err error) {
c, err := parseCert(certFile, keyFile)
if err != nil {
return
}
ciphers := []uint16 {
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
}
certPool := x509.NewCertPool()
buf, err := ioutil.ReadFile(caCertFile)
if nil != err {
log.Println("failed to load ca cert")
log.Fatal(seelog.Errorf("failed to load ca cert.\n%s", err))
}
if !certPool.AppendCertsFromPEM(buf) {
log.Fatalln("Failed to parse truststore")
}
tlsConfig = &tls.Config {
CipherSuites: ciphers,
ClientAuth: tls.RequireAndVerifyClientCert,
PreferServerCipherSuites: true,
RootCAs: certPool,
ClientCAs: certPool,
Certificates: []tls.Certificate{c},
}
return
}
certFile is the certificate chain file and keyFile is the private key file. caCertFile is the truststore and consists of just the root certificate
So basically, here is what I expect to have inside of my tls.Config object that comes out of this function:
RootCAs: Just the root certificate from caCertFile
ClientCAs: Again, just the root certificate from caCertFile, same as RootCAs
Certificates: A single certificate chain, containing all of the certificates in certFile, ordered to be leaf first.
Now, I have 3 pieces here. A server, a relay, and a client. The client connects directly to the relay, which in turn forwards the request to the server. All three pieces use the same configuration code, of course using different certs/keys. The caCertFile is the same between all 3 pieces.
Now, if I stand up the server and the relay and connect to the relay from my browser, all goes well, so I can assume that the connection between relay and server is fine. The issue comes about when I try to connect my client to the relay. When I do so, the TLS handshake fails and the following error is returned:
x509: certificate signed by unknown authority
On the relay side of things, I get the following error:
http: TLS handshake error from : remote error: bad certificate
I am really at a loss here. I obviously have something setup incorrectly, but I am not sure what. It's really weird that it works from the browser (meaning that the config is correct from relay to server), but it doesn't work with the same config from my client.
Update:
So if I add InsecureSkipVerify: true to my tls.Config object on both the relay and the client, the errors change to:
on the client: remote error: bad certificate
and on the relay: http: TLS handshake error from : tls: client didn't provide a certificate
So it looks like the client is rejecting the certificate on from the server (the relay) due to it being invalid for some reason and thus never sending its certificate to the server (the relay).
I really wish go had better logging. I can't even hook into this process to see what, exactly, is going on.

When you say
Need to flip the array because openssl gives it to us in the opposite format than golang tls expects.
I have used certificates generated by openssl and had no problem opening them with:
tls.LoadX509KeyPair(cert, key)
Anyway, the error message bad certificate is due to the server not managing to match the client-provided certificate against its RootCAs. I have also had this problem in Go using self-signed certificats and the only work-around I've found is to install the caCertFile into the machines system certs, and use x509.SystemCertPool() instead of x509.NewCertPool().
Maybe someone else will have another solution?

Beside what beldin0 suggested.
I have tried another way to do this.
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(crt)
client := &http.Client{
//some config
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: caCertPool,
},
},
}
Here, the variable "crt" is the content in your certificate.
Basically, you just add it into your code(or read as a config file).
Then everything would be fine.

Which PEM file should I provide when uploading to S3 using HTTP PUT

I'm trying to put a file in S3 using a presigned signature my Java web server provides
http://docs.amazonwebservices.com/AmazonS3/latest/dev/PresignedUrlUploadObjectDotNetSDK.html
I need my uploading client (currently my windows 7 using C++) to have a handshake with amazon servers and I don't know how to do it.
When I tried to send the request with a "default context" (naively) it printed a "self signed certificate in certificate chain" error and asked me to accept or not the certificate.
Then I tried to figure out how to add a certificate and found this code:
POCO C++ - NET SSL - how to POST HTTPS request
The problem is that I'm not sure which pem file is needed here.
I tried providing the pem files I've downloaded from x.509 in Amazon Web Services Console but it raised an SSL exception: SSL3_GET_SERVER_CERTIFICATE
My Code:
URI uri("https://BUCKET.s3.amazonaws.com/nosigfile?Expires=1959682330&AWSAccessKeyId=ACCESSKEY&Signature=DgOifWPmQi%2BASAIDaIOGXla10%2Fw%3D");
const Poco::Net::Context::Ptr context( new Poco::Net::Context( Poco::Net::Context::CLIENT_USE, "", "", "cert(x509).pem") );
Poco::Net::HTTPSClientSession session(uri.getHost(), uri.getPort(), context );
HTTPRequest req(HTTPRequest::HTTP_PUT, uri.getPathAndQuery(), HTTPMessage::HTTP_1_1);
req.setContentLength(contentLength);
session.sendRequest(req) << streamToSend;
Thanks

Poco includes certificates in the project.
You will need any.pem, rootcert.pem, yourappname.xml which you can find in the poco test suite for the SSL side.
./poco-1.4.1p1-all/NetSSL_OpenSSL/testsuite/{any.pem,rootcert.pem,testsuite.xml}
Once you include the two pem files, your xml, which is used during the initializeSSL phase you will not get the warning for self-signed certificates.
class MySSLApp: public Poco::Util::Application
{
public:
MySSLApp()
{
Poco::Net::initializeSSL();
Poco::Net::HTTPStreamFactory::registerFactory();
Poco::Net::HTTPSStreamFactory::registerFactory();
}
~MySSLApp()
{
Poco::Net::uninitializeSSL();
}
protected:
void initialize(Poco::Util::Application& self)
{
loadConfiguration(); // load default configuration files, if present
Poco::Util::Application::initialize(self);
}
void myUpload(...) {
...
FilePartSource* pFPS = new FilePartSource(szFilename);
std::string szHost = "BUCKET.s3.amazonaws.com";
std::string szPath = "/";
int nRespCode = 201;
try{
HTTPClientSession s(szHost);
HTTPRequest request(HTTPRequest::HTTP_POST, szPath, HTTPMessage::HTTP_1_1);
HTMLForm pocoForm(HTMLForm::ENCODING_MULTIPART);
pocoForm.set("AWSAccessKeyId", ACCESSKEY);
pocoForm.set("acl", "public-read");
pocoForm.set("success_action_status", toString(nRespCode));
pocoForm.set("Content-Type", m_szContentType);
pocoForm.set("key", m_szPath + "/" + m_szDestFileName);
pocoForm.set("policy", m_szPolicy);
pocoForm.set("signature", m_szSignature);
pocoForm.addPart("file", pFPS);
pocoForm.prepareSubmit(request);
std::ostringstream oszMessage;
pocoForm.write(oszMessage);
std::string szMessage = oszMessage.str();
//AWS requires a ContentLength set EVEN though it is chunked!
request.setContentLength((int) szMessage.length());
s.sendRequest(request) << szMessage;
//or:
//pocoForm.write(s.sendRequest(request));
HTTPResponse response;
std::istream& rs = s.receiveResponse(response);
int code = response.getStatus();
if (code != nRespCode) {
stringstream s;
s << "HTTP Error " << code;
throw Poco::IOException(s.str());
}
} catch (Exception& exc) {
std::cout << exc.displayText() << endl;
return;
}
return;
}
}
The xml file will look something like this:
<AppConfig>
<openSSL>
<server>
<privateKeyFile>${application.configDir}any.pem</privateKeyFile>
<caConfig>${application.configDir}rootcert.pem</caConfig>
<verificationMode>none</verificationMode>
<verificationDepth>9</verificationDepth>
<loadDefaultCAFile>true</loadDefaultCAFile>
<cypherList>ALL:!ADH:!LOW:!EXP:!MD5:#STRENGTH</cypherList>
<privateKeyPassphraseHandler>
<name>KeyFileHandler</name>
<options>
<password>secret</password>
</options>
</privateKeyPassphraseHandler>
<invalidCertificateHandler>
<name>AcceptCertificateHandler</name>
<options>
</options>
</invalidCertificateHandler>
</server>
<client>
<privateKeyFile>${application.configDir}any.pem</privateKeyFile>
<caConfig>${application.configDir}rootcert.pem</caConfig>
<verificationMode>relaxed</verificationMode>
<verificationDepth>9</verificationDepth>
<loadDefaultCAFile>true</loadDefaultCAFile>
<cypherList>ALL:!ADH:!LOW:!EXP:!MD5:#STRENGTH</cypherList>
<privateKeyPassphraseHandler>
<name>KeyFileHandler</name>
<options>
<password>secret</password>
</options>
</privateKeyPassphraseHandler>
<invalidCertificateHandler>
<name>AcceptCertificateHandler</name>
<options>
</options>
</invalidCertificateHandler>
</client>
</openSSL>
</AppConfig>