SystemAdmin

Pinned topic Verifying LTPAToken

2010-04-09T10:01:18Z
Hi,
I need to implement SSO between some applications developed on Tomcat, others on WebSphere 6.1 and Domino 8. The ones on Domino and WebSphere are already in SSO thanks to the LTPA token.
I need to build the LTPAToken so WebSphere and Domino will trust my Tomcat applications. Before writing the code to create the cookie I decided to write the code to verify it.
I found some code on Google to decrypt the token and read the user, but I can't find how to manage the signature for verifying and creating the LTPAToken.
Following the procedures in the WebSphere documentation I can export the keys needed.
These keys are from my trial version of WAS6.1:

#IBM WebSphere Application Server key file
#Wed Apr 07 16:04:48 CEST 2010
com.ibm.websphere.CreationDate=Wed Apr 07 16\:04\:48 CEST 2010
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=wEHjgaBvQLxcFAjiB4QPnj/tM+8BxrLo2rJcV++RBz4\=
com.ibm.websphere.CreationHost=VMWare_VPN_Dego
com.ibm.websphere.ltpa.PrivateKey=clIBChBgx0+6abOhOErfLfjjCvNwEt/if22g7eltoNSzNWsn0vouXm56SBMnDmage+BmHPZqEzr05SOp7w89AgQmsE8Qr/m+ssCepLyl977UqnN64o1eKssAjv+eU+pyCmwjzDl3iyint4wVE8w5d2/8EHwIEdU6lpg6wu10n1HuUVgS6nxkBeW/4lL/4U3f+3dPkHPiBfjCHPu1OW4aXbRwWlOn6ONLtL5DhMSGNXfJnNwS6Fzs+nzu2372R4cbiaxeVIy9ZnNXVzBMJprH8AMLItEcGyTtUHNexyoZc7s/MlULD784qdCJqSUUdXGUtyuJwdeiXLYwQc1m3MaNIVC/kKxYskHdu9WC31A3Y4o\=
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.PublicKey=AK5OD7rzkjkpc7a8GLdWO//8YG1YO27ygRpRMK1Nt/tfjkNITbVcZlda9Ly+JMGFPpLPBGgypwJqsqsgJY2QM8nBcXvYszUby4cSCqQggn34viYJU/s4RVucwS9SdZcDzdK/r7NNUI30gM3HqmMbfeP1jF/hjFm2uI67rM1ksWRtAQAB

Using the DESede/ECB/PKCS5Padding algorithm I can decrypt the cookie and read the user data, the expiration date and the signature.
The second step is to verify the signature, so the process is:


import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.RSAPublicKeySpec;

// Create userdata for user wsadmin
String userDataStr = "u:user\\:defaultWIMFileBasedRealm/uid=wsadmin,o=defaultWIMFileBasedRealm";
// Convert userdata to a UTF-8 byte array
byte[] userdata = userDataStr.getBytes("UTF8");
// Digest the bytes through the SHA algorithm
byte[] data = MessageDigest.getInstance("SHA").digest(userdata);
// Verifying (publicKeyByteArray and base64DecodedSignature are defined elsewhere, not shown in the post)
byte[][] rsaPublicKey = publicKeyByteArray.getRawKey();
boolean verified = false;
BigInteger n = new BigInteger(rsaPublicKey[0]);
BigInteger e = new BigInteger(rsaPublicKey[1]);
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
RSAPublicKeySpec publicKeySpec = new RSAPublicKeySpec(n, e);
PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
Signature rsaSignature = Signature.getInstance("SHA1withRSA");
rsaSignature.initVerify(publicKey);
rsaSignature.update(data, 0, data.length);
verified = rsaSignature.verify(base64DecodedSignature);

The variable verified is always false. Can someone help me understand if I messed something up?
Thanks
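
The decrypt-and-split step described in the post above, as an added example (not the poster's code and not IBM's). It assumes the cookie is Base64 and that the decrypted text is three '%'-separated fields: user data, expiry in milliseconds, and a Base64 signature. The class name, key, expiry and signature bytes are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class LtpaTokenFields {
    // The three fields the post reads after decryption (record syntax needs Java 16+).
    record Fields(String userData, long expiresMillis, byte[] signature) {}

    // Run the cipher named in the post over raw bytes, in either direction.
    static byte[] desede(int mode, byte[] key24, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key24, "DESede"));
        return c.doFinal(in);
    }

    // Assumed layout: userData%expiry%Base64(signature). Split from the right so
    // that a '%' inside the user data cannot shift the expiry or signature fields.
    static Fields parse(byte[] plain) {
        String s = new String(plain, StandardCharsets.UTF_8);
        int sigSep = s.lastIndexOf('%');
        int expSep = s.lastIndexOf('%', sigSep - 1);
        if (expSep < 0) throw new IllegalArgumentException("expected three %-separated fields");
        return new Fields(s.substring(0, expSep),
                Long.parseLong(s.substring(expSep + 1, sigSep)),
                Base64.getDecoder().decode(s.substring(sigSep + 1)));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[24];                 // constructed demo key, not the exported one
        for (int i = 0; i < key.length; i++) key[i] = (byte) (i + 1);
        byte[] fakeSig = {1, 2, 3, 4};             // constructed placeholder, not a real signature
        String body = "u:user\\:defaultWIMFileBasedRealm/uid=wsadmin,o=defaultWIMFileBasedRealm";
        String plain = body + "%1270650288000%" + Base64.getEncoder().encodeToString(fakeSig);
        String cookie = Base64.getEncoder().encodeToString(
                desede(Cipher.ENCRYPT_MODE, key, plain.getBytes(StandardCharsets.UTF_8)));

        Fields f = parse(desede(Cipher.DECRYPT_MODE, key, Base64.getDecoder().decode(cookie)));
        // ECB decryption succeeding proves nothing about authenticity: treat every
        // field as untrusted until the signature verifies and the expiry is in the future.
        System.out.println("user data : " + f.userData());
        System.out.println("expired   : " + (f.expiresMillis() < System.currentTimeMillis()));
        System.out.println("sig bytes : " + f.signature().length);
    }
}
```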
  • The_Crazy

    Re: Verifying LTPAToken

    ‏2014-01-10T14:49:06Z  

    Hey Admin, I'm looking into verifying the signature too but I don't know the format of the public key. Do you have the details for the format of the public key?

    Do you have the implementation of the below function getRawKey()?

    
    
    
    byte[][] rsaPublicKey = publicKeyByteArray.getRawKey();