PeculiarVentures / fortify

Fortify enables web applications to use smart cards, local certificate stores and do certificate enrollment. This is the desktop application repository.
https://fortifyapp.com

Getting Error while importing certificate #330

Closed nitzien closed 3 years ago

nitzien commented 4 years ago

I get the following error when importing a PEM certificate. Tried with multiple certificates, including a self-signed certificate.

Chrome error: image

Firefox error: image

Thanks, Nitin

rmhrisk commented 4 years ago

Can you give us more information?

A copy of the certificate in question?

Console logs from your browser?

Make and model of the device you're trying to import to?

The fortify logs while performing this action?

nitzien commented 4 years ago

Console logs from chrome browser on Ubuntu 18.04

{type: "ERROR", data: DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encod…, action: "import_item", @@redux-saga/SAGA_ACTION: true}action: "import_item"data: DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
    at Object.prepareCertToImport (https://tools.fortifyapp.com/assets/js/main.cfa1a3f5.chunk.js:1:115606)
    at https://tools.fortifyapp.com/assets/js/main.cfa1a3f5.chunk.js:1:258064
    at c (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:42995)
    at Generator._invoke (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:42748)
    at Generator.forEach.e.<computed> [as next] (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:43352)
    at b (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:14618)
    at K (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:14406)
    at https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:11046
    at h (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:7519)
    at N.<computed> (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:11026)code: 5message: "Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded."name: "InvalidCharacterError"stack: (...)get stack: ƒ ()set stack: ƒ ()__proto__: DOMExceptiontype: "ERROR"@@redux-saga/SAGA_ACTION: true__proto__: Object

ERROR MESSAGE: DOMException: Failed to execute 'atob' on 'Window': The string to be decoded is not correctly encoded.
    at Object.prepareCertToImport (https://tools.fortifyapp.com/assets/js/main.cfa1a3f5.chunk.js:1:115606)
    at https://tools.fortifyapp.com/assets/js/main.cfa1a3f5.chunk.js:1:258064
    at c (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:42995)
    at Generator._invoke (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:42748)
    at Generator.forEach.e.<computed> [as next] (https://tools.fortifyapp.com/assets/js/vendors~main.e70bccc7.chunk.js:1:43352)
    at b (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:14618)
    at K (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:14406)
    at https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:11046
    at h (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:7519)
    at N.<computed> (https://tools.fortifyapp.com/assets/js/npm.redux-saga.38b36b35.chunk.js:1:11026)

nitzien commented 4 years ago

Not seeing any logs in fortify.log. Possibly because the failure is happening in browser JavaScript while importing the certificate itself.

nitzien commented 4 years ago

A sample self-signed certificate


nitzien commented 4 years ago

Also tried with unencrypted private key.

rmhrisk commented 4 years ago

@donskov please take a look, it seems tools.fortifyapp.com has a regression

nitzien commented 4 years ago

Is there an easy hack where I can copy paste cert / key content in ~/.fortify folder somewhere to make it work for now?

Just for development work.

rmhrisk commented 4 years ago

This is only an issue in tools.fortify.com and shouldn't impact any API calls.

rmhrisk commented 4 years ago

@nitzien are you trying to import both a private key and certificate in the formats specified?

nitzien commented 4 years ago

It is a PEM private key and certificate as mentioned above.

rmhrisk commented 4 years ago

This UI is for importing a certificate and not keys and certificates.

nitzien commented 4 years ago

How does one import a signing certificate which will be combination of public certificate and private key?

rmhrisk commented 4 years ago

You can write code to do an import of a key with fortify, but this tool is a certificate import tool, not a private key import tool.

You would normally generate a key on the client, create a CSR, get a cert with that CSR, then install the certificate which is why we didn't create a tool to import private keys in this fashion.
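As an added example (not code from the Fortify project or from anyone in this thread), a defensive stand-in for the `prepareCertToImport` step named in the stack trace above: it decodes only CERTIFICATE blocks from a pasted PEM bundle and validates the base64 body itself, so a private key pasted alongside, a header line or a stray non-base64 character yields a readable error rather than a bare atob InvalidCharacterError. The function names are hypothetical and the sample bundle is constructed, not a real certificate.

```javascript
// Hypothetical stand-in for the failing prepareCertToImport step (added example).
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// Browser atob, with a Buffer fallback so the example also runs under Node.
const b64decode = typeof atob === "function"
  ? atob
  : (s) => Buffer.from(s, "base64").toString("binary");

function parsePemBundle(text) {
  // Whitespace inside the body is dropped, so a bundle whose newlines were
  // collapsed to spaces (as in the paste in this issue) still parses.
  return Array.from(text.matchAll(PEM_BLOCK), (m) => ({
    label: m[1],
    body: m[2].replace(/\s+/g, ""),
  }));
}

function decodeBase64Strict(body) {
  // Standard alphabet, length a multiple of 4, at most two '=' at the end;
  // atob would throw InvalidCharacterError on anything else, so check first.
  if (body.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(body)) {
    throw new Error("PEM body is not valid base64");
  }
  return Uint8Array.from(b64decode(body), (c) => c.charCodeAt(0));
}

function prepareCertForImport(text) {
  const blocks = parsePemBundle(text);
  const certs = blocks.filter((b) => b.label === "CERTIFICATE");
  if (certs.length === 0) {
    const seen = blocks.map((b) => b.label).join(", ") || "none";
    throw new Error(`no CERTIFICATE block found (blocks seen: ${seen})`);
  }
  // This tool imports certificates only: count, but never decode, any key
  // material pasted alongside so the caller can tell the user it was ignored.
  const ignoredPrivateKeys = blocks.filter((b) => /PRIVATE KEY$/.test(b.label)).length;
  const der = decodeBase64Strict(certs[0].body);
  if (der[0] !== 0x30) throw new Error("decoded bytes are not a DER SEQUENCE");
  return { der, ignoredPrivateKeys };
}

// Constructed sample: the CERTIFICATE body is a tiny DER SEQUENCE { INTEGER 5 },
// not a real certificate; the key body is a placeholder.
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----", "MAMCAQU=", "-----END CERTIFICATE-----",
  "-----BEGIN ENCRYPTED PRIVATE KEY-----", "AAAA", "-----END ENCRYPTED PRIVATE KEY-----",
].join("\n");

console.log(prepareCertForImport(SAMPLE_BUNDLE));
```

A whole PEM paste handed straight to atob fails on the first '-' of the BEGIN line, since '-' is outside the base64 alphabet; this version decodes only the certificate body and reports a pasted private key instead of trying to import it.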

nitzien commented 4 years ago

Thanks a lot.

So if we have certificate for which key was not generated on machine where signing will be done, we will need to write code for it?

rmhrisk commented 4 years ago

Or convince us to add the capability into Fortify; right now it just looks like bad security practice.

nitzien commented 4 years ago

In theory, I completely agree with you that it would be bad security practice to share or transfer keys. But in reality, SSL as well as signature certificates (and keys) are shared within a company. It will not be possible to get a different certificate for every machine.

Maybe it should be done, but through a local UI rather than through tools.fortify.com.

rmhrisk commented 4 years ago

Passing clear text keys, or even password-protected keys (which are trivially grindable), around leaves "key turds" in swap files, email, filesystems, shared clipboards, and many other locations. There may be cases in which handling keys in this fashion is unavoidable but it is far from good practice.

If you explain the use case I may be able to provide some guidance that can lessen the impact of the business requirement.

nitzien commented 4 years ago

Keys in PEM as well as PFX can be password protected. The one above is an encrypted private key. No doubt they can be cracked with brute force. :)

rmhrisk commented 4 years ago

Yes, they can be, but PFX, for example, can be encrypted to an asymmetric key pair, which cannot be. If you give me more information I can possibly help you do this in a secure way.

nitzien commented 4 years ago

I am working on a project where we need to sign PDFs. Similar to setasign, but this will be on Ruby on Rails instead of PHP. Users will mostly have a USB token to sign. But possibly they may also have a signature in a PFX or PEM file.

rmhrisk commented 4 years ago

What platforms does your solution need to work on and where/how will the users be getting these certificates?

nitzien commented 4 years ago

Client machines will be Windows. I am currently using Ubuntu though. Clients will buy these certificates online. USBs are physically delivered, and if files, they will be downloadable.

nitzien commented 4 years ago

I see here. https://www.e-mudhra.com/portal/Subscriber/Login.aspx

rmhrisk commented 4 years ago

If client machines are going to be Windows, why not just use the Windows enrollment flows and, if appropriate, the CA's existing enrollment capabilities?

rmhrisk commented 4 years ago

I am familiar with http://e-mudhra.com, please tell Vijay hi.

If you're creating a certificate enrollment flow for e-mudhra using Fortify, then the right thing to do is an enrollment where you generate the key on the machine and install the resulting certificate; this leaves the protection of the key up to the OS/browser.

If you are trying to use certificates purchased from another CA, letting that process be independent of the signing workflow seems appropriate. For example, in our document signing solution where we use Fortify, we support dynamically enrolled certs in the browser (you would probably be doing server-side keys/signing instead), signing with certificates in the OS/browser store (such as those in CAPI/NSS) -- done via Fortify, and signing with USB smart cards -- again done using Fortify.

If you are doing the signing flow, then I strongly recommend you look at the web component we recently released as it handles the use cases for you - https://fortifyapp.com/developers

I should also add we will be creating a web component for certificate enrollment in the coming weeks also.

nitzien commented 4 years ago

Thanks a lot. Will check out web component.

donskov commented 3 years ago

Web component for certificate enrollment created - https://fortifyapp.com/docs/webcomponents/fortify-enrollment/readme. @nitzien Try to use it.

nitzien commented 3 years ago

Thanks. Is this available in 1.5.0?

Will try this out.