Sunday, March 21, 2010

Troubleshooting tftp-proxy in OpenBSD pf

Finally figured out an OpenBSD firewall configuration in which internal hosts can access TFTP servers on the Internet. In the OpenBSD pf firewall, you need to configure tftp-proxy. A Google search returns a lot of complaints about tftp-proxy not working and not a single success story. I now believe there is a typo in the official manual.

The OpenBSD FAQ page on tftp-proxy gives the following rule to redirect outgoing TFTP traffic from the internal network to the tftp-proxy listening on the firewall itself.

rdr pass log on $int_if proto udp from $int_if to port tftp -> 127.0.0.1 port 6969
However, according to "pfctl -g -s nat | grep tftp", my pf expands the rule above to the following.
rdr pass log on xl0 inet proto udp from 192.168.2.1 to any port = tftp -> 127.0.0.1 port 6969
It is clear that the expanded rule will not redirect traffic from all of the internal hosts, only traffic originating from the firewall's own internal address. The rule needs to be changed to
rdr pass log on $int_if proto udp from $int_net to any port tftp -> 127.0.0.1 port 6969
which expands to
rdr pass log on xl0 inet proto udp from 192.168.2.0/24 to any port = tftp -> 127.0.0.1 port 6969
The latter covers the whole internal network instead of just the one host 192.168.2.1. The reason for the expansion is that pf treats an interface name used as an address (here $int_if in the from clause) as the address assigned to that interface, not as the network behind it; the pf.conf syntax for the attached network is $int_if:network, which expands to the same 192.168.2.0/24 as the $int_net macro above. After reloading the ruleset, "pfctl -g -s nat | grep tftp" should show the /24, not a single host; if it still shows a host address, the from clause is still naming the interface.
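The complete set of pieces that has to line up, as an added example and not a copy of the FAQ or of the original post: a pf.conf fragment in the pre-4.7 syntax the post uses (translation rules before filter rules), with the broken and corrected redirect side by side. The macro values xl0 and 192.168.2.0/24 are assumed to match the expansions shown above, and the inetd.conf line is the standard way tftp-proxy(8) is started; both are assumptions of this example rather than something the post states.

```conf
# /etc/pf.conf (OpenBSD 4.6-era syntax, assumed values for the macros)
int_if  = "xl0"
int_net = "192.168.2.0/24"      # same network as $int_if:network

# --- translation section: must come before any filter rules ---
# tftp-proxy adds its own rdr rules for the server's reply traffic here
rdr-anchor "tftp-proxy/*"

# Broken: an interface name in the from clause expands to the interface
# address (192.168.2.1), so only the firewall itself gets proxied.
# rdr pass log on $int_if proto udp from $int_if to any port tftp -> 127.0.0.1 port 6969

# Fixed: match every host on the internal network.
rdr pass log on $int_if proto udp from $int_net to any port tftp -> 127.0.0.1 port 6969

# --- filter section ---
# tftp-proxy adds pass rules for the proxied data transfer in this anchor
anchor "tftp-proxy/*"

# /etc/inetd.conf needs the proxy listening where the rdr rule points
# (one line, per tftp-proxy(8)):
# 127.0.0.1:6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy
```

Check the result with "pfctl -nf /etc/pf.conf" for syntax, then "pfctl -g -s nat | grep tftp" for the expanded from address, and "pfctl -a 'tftp-proxy/*' -s rules" while a transfer is running to see the rules the proxy inserts. The commented-out line is kept only to show what to look for in the expansion; "rdr pass" already passes the redirected packet, so no separate pass in rule on $int_if is needed for it.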

Thursday, February 25, 2010

Importing S/MIME certificate into Java

Although it is now possible to import a certificate in .p12 format into Java, not just any S/MIME certificate will work to sign jars.

Thawte used to give out free S/MIME certificates, and when imported into Java, those certificates could sign Java code. I recently tried to import a Comodo S/MIME certificate into a Java keystore and sign a jar. While I managed to export my S/MIME certificate from Firefox in .p12 format and import the .p12 keystore into a Java keystore, signing with this certificate generated the warning "The signer certificate's ExtendedKeyUsage extension doesn't allow code signing." That warning is jarsigner's check that, when a certificate carries an ExtendedKeyUsage extension at all, the extension lists codeSigning (id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3) or anyExtendedKeyUsage; a typical S/MIME certificate lists only emailProtection. Web Start also failed to validate the signed jar, throwing an exception from com.sun.deploy.security.CertUtils at the following code, which examines the Netscape certificate type bits rather than the ExtendedKeyUsage extension:

// Require either all of bits 5,6,7 are false or
// that at least bit 7 be true
if ((getNetscapeCertTypeBit(cert, NSCT_SSL_CA) != false ||
getNetscapeCertTypeBit(cert, NSCT_S_MIME_CA) != false ||
getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA) != false) &&
getNetscapeCertTypeBit(cert, NSCT_OBJECT_SIGNING_CA) == false)
{
Trace.msgSecurityPrintln("trustdecider.check.basicconstraints.bitvalue");
return false;
}
To get my S/MIME certificate into Java, I used the Firefox certificate backup as .p12, then the following command to find the alias of my certificate inside the .p12 keystore:
keytool -list -keystore comodo-nsushkin\@openfinance.com-exp20120930.p12 -storetype PKCS12
Once I found the alias "nicholas sushkin's the usertrust network id #3", I imported my S/MIME private key and certificate from the .p12 file into my JKS keystore under the alias "nsushkin" using the following command:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore java-certs.keystore -srckeystore comodo-nsushkin\@openfinance.com-exp20120930.p12 -srcstoretype PKCS12 -alias "nicholas sushkin's the usertrust network id #3" -destalias nsushkin
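The import itself succeeds whatever the certificate says, so the useful check is to look at the ExtendedKeyUsage before bothering keytool and jarsigner. The script below is an added example, not code from the original post or from Sun, Comodo or Thawte: it reproduces the keytool steps with openssl, which shows the .p12 friendlyName that keytool -list reports as the alias, extracts the certificate, and decides from its ExtendedKeyUsage whether jarsigner would accept it. The two PKCS#12 files are constructed self-signed test certificates (one S/MIME style with emailProtection, one with codeSigning), the password changeit and the alias names are assumptions of this example, and the mktemp directory is removed on exit.

```shell
#!/bin/sh
# Added example, not from the original post or from Comodo/Thawte/Sun:
# reproduce the keytool workflow with openssl and check, before importing,
# whether a .p12 certificate's ExtendedKeyUsage permits code signing.
# The two certificates below are constructed self-signed test certs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_p12 NAME EKU: self-signed cert with the given extendedKeyUsage,
# bundled with its key into NAME.p12 (friendlyName "NAME id", password
# "changeit", both assumed), i.e. the shape of a Firefox certificate backup.
# Prints the path of the .p12 file.
make_p12() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $1
[ext]
extendedKeyUsage = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
    -name "$1 id" -passout pass:changeit -out "$WORK/$1.p12" 2>/dev/null
  echo "$WORK/$1.p12"
}

# p12_cert FILE: PEM of the end-entity certificate inside FILE (no keys).
p12_cert() {
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null
}

# p12_alias FILE: the friendlyName, which keytool -list reports as the alias.
p12_alias() {
  p12_cert "$1" | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_eku FILE: the Extended Key Usage line of the certificate (empty if none).
p12_eku() {
  p12_cert "$1" | openssl x509 -noout -text |
    sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# p12_allows_code_signing FILE: exit 0 when jarsigner would accept the cert,
# i.e. no EKU extension at all, or one listing Code Signing or
# Any Extended Key Usage; exit 1 for an S/MIME-only (E-mail Protection) cert.
p12_allows_code_signing() {
  eku=$(p12_eku "$1")
  if [ -z "$eku" ]; then
    return 0
  fi
  case "$eku" in
    *"Code Signing"*|*"Any Extended Key Usage"*) return 0 ;;
  esac
  return 1
}

# Usage: the S/MIME-only cert is rejected, the code-signing cert is accepted.
SMIME=$(make_p12 smime emailProtection)
CODE=$(make_p12 codesign codeSigning)
for f in "$SMIME" "$CODE"; do
  if p12_allows_code_signing "$f"; then verdict=ok; else verdict=REJECTED; fi
  printf '%s: alias="%s" eku="%s" -> %s\n' \
    "$(basename "$f")" "$(p12_alias "$f")" "$(p12_eku "$f")" "$verdict"
done
```

The friendlyName printed by p12_alias is the string to pass to keytool -importkeystore -alias; the EKU check is the same rule jarsigner applies, so a certificate that fails it here will produce the "doesn't allow code signing" warning after import. The Netscape certificate type bits that the CertUtils snippet above inspects are a separate extension (nsCertType) and would need a second check; the script does not cover them.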