dss | Digital Signature Service : creation, extension and validation of advanced electronic signatures | Cryptography library

I have ec2 instance with ubuntu v20.04 and it has python v3.8.10 and pysftp 0.2.9.

I have generate .pem file from .ppk file using below command

puttygen sftp_server.ppk -O private-openssh -o sftp_server.pem

I am able to connect successfully to sftp server using command line-

Environment:

I am trying to bulk insert keys in db in go here is the code Key Struct

I have a Python 3 application running on CentOS Linux 7.7 executing SSH commands against remote hosts. It works properly but today I encountered an odd error executing a command against a "new" remote server (server based on RHEL 6.10):

encountered RSA key, expected OPENSSH key

Executing the same command from the system shell (using the same private key of course) works perfectly fine.

On the remote server I discovered in /var/log/secure that when SSH connection and commands are issued from the source server with Python (using Paramiko) sshd complains about unsupported public key algorithm:

userauth_pubkey: unsupported public key algorithm: rsa-sha2-512

Note that target servers with higher RHEL/CentOS like 7.x don't encounter the issue.

It seems like Paramiko picks/offers the wrong algorithm when negotiating with the remote server when on the contrary SSH shell performs the negotiation properly in the context of this "old" target server. How to get the Python program to work as expected?

Python code

I've been using ssh keys with github for a while now. Suddenly i can't push and I'm getting a Permission denied (publickey) error. Here's what I've tried so far:

• Checked the ssh key is in the correct directory (~/.ssh)
• Tried reuploading my public key to github (I get a message that the key already exists)
• Double checked that the output of ssh-add -l -E sha256 on my system agrees with the string in my ssh settings on my github account
• Followed all the steps in the "Troubleshooting ssh" section of the github docs. (Everything seems gucci)
• Banged my head against the wall for an hour

So far nothing has helped. This is my last resort. I'll greatly appreciate any and all suggestions. Here's the output of my ssh -vT git@github.com

I am hoping for a solution that will replace the ??? on Spreadsheet 2, with the emails on Spreadsheet 1 on a scheduled bases using the GAS trigger feature.

Currently I am using formulas, but they are slowing down the performance of my sheets. I don't need them fetching data more than once every 24 hours, hence why I am wanting to use GAS instead with a trigger.

• IMPORTRANGE & QUERY to import Spreadsheet #1 (ID, Email 1, Email2) to Spreadsheet #2 =QUERY(IMPORTRANGE(spreadsheet_url, A1:E), "SELECT Col1,Col4,Col5 WHERE A Col1 is not null", 1)
• Then on Spreadsheet #2 using ARRAYFORMULA & VLOOKUP to populate all the emails. =ARRAYFORMULA(VLOOKUP(Sheet1!A2:A,ImportedData!A2:C},{2,3},0)

Here are what my 2 spreadsheets look like...

I asked a similar question HERE and received an answer.

The answer was:

My problem concern the usage of an hsm with Java (openjdk 11.0.12). Hsm should be use for signature purpose, by SHA512 RSA algorithm. I could be wrong in a lot of the following sentences, I'm totally newbie with HSM & co, so I apologize in advance.

For what I've understand there are three kinds of approaches:

1- Using SUNPKCS11 provider

2- Using vendor lib (hsm is shipped with a couple of jar, in my case nCipher is shipped with nCipherKM.jar, which should be vendor provider.)

3- openssl (we have some software in c already doing this, I prefer to avoid)

The usage of vendor lib it's really easy, at least until the Get info call, which send an Unknown Parameter to HardServer, causing an unmarshable exception. This is difficult to debug, communication protocol isn't documented. Right now I've put this solution aside.

In any case I prefer the SUNPKCS11 solution, it doesn't work out of the box for me, but it was simple to debug and analyze. And should be a standard.

In this case i'm using European DSS library to interface with PKCS11Provider, making things a little simpler for me to configure and implement.

The problem occurs during SunPKCS11 (vanilla) initialization.

At some point it calls a method "P11Keystore.mapLabels()" that match, according to code and Oracle documentation, all private key handlers (CKA_PRIVATE_KEY) coming from that slot with certificate handlers (CKO_CERTIFICATE), looking for matching between cka_id, in order to build a software in memory keystore with aliases map containing the CKA_LABEL attributes. (Private key is unextractable so access is read only https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions)

In signature initialization this private key entry is used to fetch from HSM (by some key attributes that I don't have) the private key handler.

The problem is that my hsm nCipher doesn't expose any object for CKO_CERTIFICATE, so the match returns 0 result and my software keystore is empty.

When I try to extract the private key handler from keystore I obtain nothing and I cannot initialize Signature object.

My predecessor manually wrapped the private key attributes inside a local jks, and rewrote a new provider in order to load certificate from file and not from HSM/PKCS11.

I dislike this solution, I don't want my application to have configuration depending on HSM certificate.. it's HSM certificate job to handle those keys, not mine.

Instead, I wrote another provider to fetch and use directly the private key handler, from CKA_PRIVATE_KEY, using a preconfigured CKA_LABEL, bypassing the certificate match. And it works.

However I dislike this solution too, it means more maintenance costs for a standard protocol, and the jar must be signed each time, which for me is a nuisance.

I have the feeling that I am approaching the problem from the wrong side, maybe because I'm a noob in the matter.

Explanation are over, so here my questions: 1- Am I wrong to claim that CKO_CERTIFICATE is a prerequisite for SunPKCS11? 1- Could/Should HSM expose CKO_CERTIFICATE object without malevolent side effects? 2- Is this missing object a limitation of nCipher HSM or, probably, a configuration missing during installation? (It works even without so it's a java prerequisite more than an HSM missing) 3- If the CKO_CERTIFICATE cannot be installed and exposed: Is it ok to implement our own provider to obtain the workaround, or could exist a better way to get it working?

Sorry for my English, I'm not a native one. Thanks to those who have come to read up to here and who will answer.

I PDF signing problems with the latest iTextSharp 5. I know that version is already deprecated, but I must use the older one, because I need to use it in an environment, where no newer than .NET Framework v3.5 is allowed.

For singing documents, the clients may use software or hardware keys. We already used RSA signatures in our company, but now we have toimplement support for ECDsa keys too. That's why I tried to sign PDF files with iText's PrivateKeySignature class, and calling MakeSignature.SignDetached method.

When I use RSA key for signing a PDF, and try to verify signature with European Commission's DSS Demonstration App (https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation), it has no issue with the signature, only that it not accepts the certificate issuer as a trusted CA. That's fine, because I use a test key generated by an internal CA for developer use only.

But if I use ECDSA key for signing a PDF, the DSS Demonstration App says "Signature is not intact.".

The code I use for signing:

I am looking at how to make OpenVPN client work on a pod's container, I explain what I do, but you can skip all my explanation and offer your solution directly, I don't care replacing all the below with your steps if it works, I want to make my container to use a VPN (ExpressVPN for example) in a way that both external and internal networking works.

I have a docker image that is an OpenVPN Client, it works find with the command: