
[Handle-info] [SOLVED] Re: Error in handle - Unable to find signature of '0.NA/0.NA' from majority of keys



Hi!

 We just solved it: we forgot to add -Djdk.crypto.KeyAgreement.legacyKDF=true to a command-line tool. The server seems to work OK even if there's the

Error verifying root values signature: HandleException (ENCRYPTION_ERROR) Unable to find signature of '0.NA/0.NA' from majority of keys

error.

BTW, how can we update our key (adminpriv.bin) to a better algorithm, so we don't need to use -Djdk.crypto.KeyAgreement.legacyKDF=true?

On 01/09/20 13:20, Yuri Carrer wrote:
For this handle, it worked:

Start Time: Tue Sep 01 12:11:42 CEST 2020
  sending HDL-UDP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2a09:bd00:ffc9:1:100:0:0:0]:2641
  sending HDL-UDP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2001:550:100:6::4]:2641
  sending HDL-TCP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2a09:bd00:ffc9:1:100:0:0:0]:2641
  sending HDL-TCP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2001:550:100:6::4]:2641
  sending HDL-HTTP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2a09:bd00:ffc9:1:100:0:0:0]:8000
  sending HDL-HTTP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to [2001:550:100:6::4]:8000
  sending HDL-UDP request (version=2.5; oc=1; rc=0; snId=0 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168 [HS_SITE, HS_SITE.6, HS_NA_DELEGATE, HS_SERV, HS_NAMESPACE, HS_ADMIN, HS_VLIST, HS_PUBKEY, HS_SECKEY, ] [ ]) to 212.193.120.1:2641
    received HDL-UDP response: version=2.5; oc=1; rc=1; snId=0 caCrt auth noAuth expires:Wed Sep 02 00:11:42 CEST 2020 0.NA/11168

  sending HDL-UDP request (version=2.5; oc=400; rc=0; snId=0 crt caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 /) to 147.162.213.84:2641
    received HDL-UDP response: version=2.5; oc=400; rc=1; snId=1 crt caCrt auth noAuth expires:Wed Sep 02 00:11:42 CEST 2020
  sending HDL-TCP request (version=2.5; oc=100; rc=0; snId=1 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 adm 11168/11.446955) to 147.162.213.84:2641
    received HDL-TCP response: version=2.5; oc=100; rc=402; snId=1 caCrt auth noAuth expires:Wed Sep 02 00:11:42 CEST 2020
  sending HDL-TCP request (version=2.5; oc=200; rc=0; snId=1 caCrt noAuth expires:Wed Sep 02 00:11:42 CEST 2020 / HS_PUBKEY 300:0.NA/11168) to 147.162.213.84:2641
    received HDL-TCP response: version=2.5; oc=100; rc=1; snId=1 caCrt auth noAuth expires:Wed Sep 02 00:11:43 CEST 2020
==>SUCCESS[6]: create:11168/11.446955
Successes/Total Entries: 1/1
Batch File Lines: 6
Finish Time: Tue Sep 01 12:11:43 CEST 2020
This batch took 0 seconds to complete at an average speed of 1.2626262626262625 operations/second
Batch process finished

So it seems it works sometimes...

On 01/09/20 09:18, Yuri Carrer wrote:
Hi!

 Here at the University of Padova (org name is Phaidra), we have a handle server with prefix 11168/.

 Yesterday we were unable to register new handles:

"2020-08-31 18:06:05.256+0200" 75 class net.handle.server.HandleServer: error getting values: HandleException (CANNOT_CONNECT_TO_SERVER) 41.231.118.2: java.net.SocketTimeoutException: connect timed out
HandleException (CANNOT_CONNECT_TO_SERVER) 41.231.118.2: java.net.SocketTimeoutException: connect timed out
        at net.handle.hdllib.HandleResolver.sendHttpRequest(HandleResolver.java:2915)
        at net.handle.hdllib.HandleResolver.sendRequestToInterface(HandleResolver.java:2231)
        at net.handle.hdllib.HandleResolver.sendRequestToServerByProtocol(HandleResolver.java:1913)
        at net.handle.hdllib.HandleResolver.sendRequestToServerInSiteByProtocol(HandleResolver.java:1634)
        at net.handle.hdllib.HandleResolver.sendRequestToSite(HandleResolver.java:1612)
        at net.handle.hdllib.HappyEyeballsResolver.sendRequestToSiteViaProtocol(HappyEyeballsResolver.java:187)
        at net.handle.hdllib.HappyEyeballsResolver.sendRequestToSites(HappyEyeballsResolver.java:165)
        at net.handle.hdllib.HappyEyeballsResolver.sendRequestAndSetResponseOrPublicException(HappyEyeballsResolver.java:143)
        at net.handle.hdllib.HappyEyeballsResolver.run(HappyEyeballsResolver.java:82)
        at java.lang.Thread.run(Thread.java:748)
"2020-09-01 08:30:55.872+0200" 25 Shutting down server at Tue Sep 01 08:30:55 CEST 2020
"2020-09-01 08:34:44.786+0200" 25 Started new run.

This morning I tried to register a handle and I got this:

AUTHENTICATE PUBKEY:300:0.NA/11168
/usr/local/hs/admpriv.bin|<our cert pass>
CREATE 11168/test2020
100 HS_ADMIN 86400 1110 ADMIN 300:110011111111:0.NA/11168
3 URL 86400 1110 UTF8 https://phaidra.cab.unipd.it/

[...]

  sending HDL-UDP request (version=2.5; oc=400; rc=0; snId=0 crt caCrt noAuth expires:Tue Sep 01 20:19:43 CEST 2020 /) to 147.162.213.84:2641
    received HDL-UDP response: version=2.5; oc=400; rc=1; snId=134 crt caCrt auth noAuth expires:Tue Sep 01 20:19:43 CEST 2020
  sending HDL-UDP request (version=2.5; oc=400; rc=0; snId=0 crt caCrt noAuth expires:Tue Sep 01 20:19:43 CEST 2020 /) to 147.162.213.84:2641
    received HDL-UDP response: version=2.5; oc=400; rc=1; snId=135 crt caCrt auth noAuth expires:Tue Sep 01 20:19:43 CEST 2020
==>FAILURE[5]: create:11168/test2020: Error setting up session
Successes/Total Entries: 0/1
Batch File Lines: 5
Finish Time: Tue Sep 01 08:19:43 CEST 2020
This batch took 0 seconds to complete at an average speed of 2.070393374741201 operations/second
Batch process finished

And now, after a server restart, we have this in the logs:

"2020-09-01 08:34:44.787+0200" 25 HANDLE.NET Server Software version 7.2.1
Error verifying root values signature: HandleException (ENCRYPTION_ERROR) Unable to find signature of '0.NA/0.NA' from majority of keys
HandleException (ENCRYPTION_ERROR) Unable to find signature of '0.NA/0.NA' from majority of keys
        at net.handle.hdllib.SecureResolver.verifyValuesByMajority(SecureResolver.java:753)
        at net.handle.hdllib.Configuration.refreshRootInfoFromNet(Configuration.java:501)
        at net.handle.server.AbstractServer$RootInfoUpdater.run(AbstractServer.java:110)

How can we fix this problem? Thanks for any help. We are using -Djdk.crypto.KeyAgreement.legacyKDF=true (you can see it below in the command line). We are ok with the payment until 6/30/2021.

This is the handle server process:

root@phaidra:~# netstat -tulpn | grep 2641
tcp6       0      0 147.162.213.84:2641 :::* LISTEN 18713/java
udp6       0      0 147.162.213.84:2641 :::*                                18713/java

/usr/local/hs/root@phaidra:~# ps auxw | grep 18713

java -Djdk.crypto.KeyAgreement.legacyKDF=true -server -Xmx200M -cp :/root/phaidra/hs/hsj-7.2/bin/../lib/admintool.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/bcpkix-jdk15on-147.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/bcprov-ext-jdk15on-147.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/cnriutil.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/commons-codec-1.7.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/gson-2.2.2.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/handle.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/icu4j-4_2_1-idna.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/je-3.3.98.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/jython-2.2.1.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/oldadmintool.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/*/*.jar:/root/phaidra/hs/hsj-7.2/bin/../lib/amazons3/*.jar net.handle.server.Main /usr/local/hs/

Here is the config:

contactdata.dct
{
  "contact_email" = "yuri.carrer@unipd.it"
  "org_name" = "Phaidra"
  "contact_name" = "Yuri Carrer"
}

config.dct
{
  "hdl_http_config" = {
    "bind_address" = "147.162.213.84"
    "num_threads" = "15"
    "bind_port" = "8000"
    "backlog" = "5"
    "log_accesses" = "no"
  }

  "server_type" = "server"
  "hdl_udp_config" = {
    "bind_address" = "147.162.213.84"
    "num_threads" = "15"
    "bind_port" = "2641"
    "log_accesses" = "no"
  }

  "hdl_tcp_config" = {
    "bind_address" = "147.162.213.84"
    "num_threads" = "15"
    "bind_port" = "2641"
    "backlog" = "5"
    "log_accesses" = "no"
  }

  "no_udp_resolution" = "n"
  "interfaces" = (
    "hdl_udp"
    "hdl_tcp"
    "hdl_http"
  )

  "server_config" = {
    "server_admins" = (
      "300:0.NA/YOUR_NAMING_AUTHORITY"
    )

    "replication_admins" = (
      "300:0.NA/YOUR_NAMING_AUTHORITY"
    )

    "max_session_time" = "86400000"
    "this_server_id" = "1"
    "max_auth_time" = "60000"
    "backup_admins" = (
      "300:0.NA/YOUR_NAMING_AUTHORITY"
    )

    "case_sensitive" = "no"
  }

}

--
Yuri Carrer

 CAB - Centro di Ateneo per le Biblioteche, Università di Padova
 Tel: 049/827 9712 - Via Beato Pellegrino, 28 - Padova


_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info