go-ora
go-ora copied to clipboard
sijms
Wallet Generated with Oracle 19 not valid
Unable to use a cwallet.sso that was generated using Oracle 19
I have been able to connect/query this DB with out TCPS (using TCP, no SSL)
When using TCPS, and attempting to pass through wallet I get
My wallet is placed in at ./ssl/cwallet.sso
urlOptions := map[string]string{
"wallet": "./ssl/",
}
The error thrown is: source of error: https://github.com/sijms/go-ora/blob/master/v2/wallet.go#L86
invalid wallet header
num3 in our scenario is equal to 53
We are using JDBC for our connection string
'jdbc:oracle:thin:@(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCPS)(HOST = hostname.com)(PORT = ####))) (CONNECT_DATA = (SERVICE_NAME = SERVICE_NAME)))'
We have validated that this wallet does work with other clients.
Wallet is passwordless
Whole code block is as follows (attempted with and without commented block):
import (
go_ora "github.com/sijms/go-ora/v2"
)
func (db Database) NewConnection(pw string) (*go_ora.Connection, error) {
return go_ora.NewConnection(buildConnectionString(db, pw))
}
func buildConnectionString(db Database, password string) string {
if db.JDBC != nil {
urlOptions := map[string]string{
"wallet": "./ssl/",
// "SSL": "enable",
// "SSL Verify": "true",
}
return go_ora.BuildJDBC(*db.Username, password, *db.JDBC, urlOptions)
}
}
We have tried with prior versions of our cwallet.sso (that are no longer used but are for previous version of OracleDB).
Those pass this header validation. But obviously fail TLS handshake because they are no longer being used on our DB Server.
You can make TCPS without passing wallet
remove the wallet from urlOptions and
make "SSL Verify": "false"
try this and tell me the results
about reading wallet generated with oracle 19 I will try to make one and investigate its reading operation with other clients
this is the steps used to create wallet reference website
> mkstore -wrl /opt/oracle/oradata/wallet -create
> mkstore -wrl /opt/oracle/oradata/wallet -createCredential "LAB=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=lab)))" lab lab
You can make TCPS without passing wallet remove the wallet from urlOptions and make
"SSL Verify": "false"try this and tell me the results
This will pass validation, that gets called when I go_ora.BuildJDBC() (which was where it was failing validation with this wallet) but when I attempt to open the connection with connection.Open(), it fails with alertHandshakeFailure (40)
can you make a wallet with your server as above and test it
do you make "SSL verify": "false"
I need your help to solve the issue for me wallet generated with oracle server v19.3 is valid and can read by client as I explain to you above I need to know why your wallet cannot be read
Our wallet was created using orapki, not with mkstore
orapki wallet create -wallet ./ -pwd <keystore.password> -auto_login
When we make "SSL verify": "false" we fail as described here when we try to open the connection. TLS fails the handshake: https://github.com/sijms/go-ora/issues/229#issuecomment-1208203697
Op = {string} "remote error"
Net = {string} ""
Source = {net.Addr} nil
Addr = {net.Addr} nil
Err = {error | tls.alert} alertHandshakeFailure (40)
I create a wallet with orapki as follow
>orapki wallet create -wallet wallet2 -pwd lab12345 -auto_login
>orapki wallet add -wallet wallet2 -dn "cn=lab.com" -keysize 1024 -self_signed -validity 3650 -pwd lab12345
I read the wallet with client ==> no error can you make this test and see the result cwallet.sso.zip
can you make this test and see the result cwallet.sso.zip
Using this wallet, yes it does pass the wallet header validation (where ours is failing), and we are able to successfully create the connection object, with the JDBC url.
Ok then the issue now is different may be the wallet that generate the error is not auto-login (i think this is the cause of error) you can also recreate your wallet using the previous steps and test it again
we'll try creating a new auto-login wallet with mkstore and I will let you know if we have any different outcome
@sijms would it be at all possible to add support for JKS truststore?
All our client needs is our root CAs to be trusted. We have a similar java application that simply needed the field Djavax.net.ssl.trustStore added to JVM properties, that pointed to a truststore that had our root CAs imported.
Could this feature be a possibility to use TCPS without having a Oracle Wallet?
Comparing the two wallets we have
Header of Wallet that does not pass validation (from our DBA):
0x00 - 0x03 A1 F8 4E 36
0x04 - 0x06 00 00 00
0x07 06
0x08 - 0x0A 00 00 00
0x0B 41
0x0C 35 (num3 != 6)
Header of Wallet that DOES pass validation (that you handed me):
0x00 - 0x03 A1 F8 4E 36
0x04 - 0x06 00 00 00
0x07 06
0x08 - 0x0A 00 00 00
0x0B - 21
0x0C 0 (num3 == 6)
I also was able to find a description of a wallet header that matched what our DBA gave us (that is failing go-ora header validation) https://github.com/tejado/ssoDecrypt#file-structure-of-11g-cwalletsso
in wallet.go
} else if num3 == 6 {
index++
rgbKey := fileData[index : index+16]
index += 16
blk, err := aes.NewCipher(rgbKey)
if err != nil {
return err
}
dec := cipher.NewCBCDecrypter(blk, []byte{192, 52, 216, 49, 28, 2, 206, 248, 81, 240, 20, 75, 129, 237, 75, 242})
w.password = make([]byte, 16)
dec.CryptBlocks(w.password, fileData[index:index+16])
index += 16
} else {
after num3 I read the aes key
but according to the link if num3 == 0x41 it will be DES key
so we are not talking about 19c Wallet but 11g wallet
I have oracle 9 but not 11g so I will try creating wallet with oracle 9 and see its format