corrected hints and improved error handling base64 (#781)

René Zubcevic 2020-04-14 16:13:25 +02:00 committed by GitHub
parent b8abc99faf
commit 0638cae6e5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 6 deletions


@ -16,7 +16,6 @@ import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAKeyGenParameterSpec; import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Base64; import java.util.Base64;
import java.util.Random;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
@ -74,12 +73,15 @@ public class CryptoUtil {
PublicKey publicKey) { PublicKey publicKey) {
log.debug("start verifyMessage"); log.debug("start verifyMessage");
//get raw signature from base64 encrypted string in header
byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
boolean result = false; boolean result = false;
try { try {
base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "")
.replace(" ", "");
//get raw signature from base64 encrypted string in header
byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
//Initiate signature verification //Initiate signature verification
Signature instance = Signature.getInstance("SHA256withRSA"); Signature instance = Signature.getInstance("SHA256withRSA");
instance.initVerify(publicKey); instance.initVerify(publicKey);
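Review bot: Moving `Base64.getDecoder().decode(base64EncSignature)` inside the `try` only produces a clean failed verification if the catch clause also covers the unchecked `IllegalArgumentException` that the decoder throws on malformed input. That clause is outside this hunk, as are the start and end of `verifyMessage`, so this needs checking; a catch limited to the checked JCA exceptions would still let a bad header value propagate. A null `base64EncSignature` would fail at the first `.replace(...)` with a `NullPointerException`, so a guard before the `try`, presumably `if (base64EncSignature == null) { return false; }`, would make that path explicit. The stripping handles only CR, LF and space; `base64EncSignature.replaceAll("\\s", "")` would also cover tabs. The carried-over comment says "base64 encrypted string", but Base64 is an encoding, so `//decode the base64-encoded signature from the header` would be more accurate.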


@ -12,8 +12,8 @@ crypto-hashing.hints.2=Find a online hash database or just google on the hash it
crypto-signing.hints.1=Use openssl to get the public key from the private key. Apparently both private and public key information are stored. crypto-signing.hints.1=Use openssl to get the public key from the private key. Apparently both private and public key information are stored.
crypto-signing.hints.2=Use the private key to sign the "modulus" value of the public key. crypto-signing.hints.2=Use the private key to sign the "modulus" value of the public key.
crypto-signing.hints.3=Actually the "modulus" of the public key is the same as the private key. You could use openssl -in test.key -pubout > test.pub and then openssl -in test.pub -pubin -modulus or other components. crypto-signing.hints.3=Actually the "modulus" of the public key is the same as the private key. You could use openssl rsa -in test.key -pubout > test.pub and then openssl rsa -in test.pub -pubin -modulus -noout or other components.
crypto-signing.hints.4=Make sure that you do not take hidden characters into account. You might want to use echo -n "00AE89..." | openssl dgst -sign ... crypto-signing.hints.4=Make sure that you do not take hidden characters into account. You might want to use echo -n "00AE89..." | openssl dgst -sign somekey -sha256 ... and do not forget to base64 encode the outcome
crypto-signing.notok=The signature does not match the data (modulus) crypto-signing.notok=The signature does not match the data (modulus)