Friday, June 30, 2017

Java and SSL: Creating a Certificate Signing Request from Java

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

Creating a CSR from Java:

import java.io.IOException;
import java.security.*;
import sun.security.pkcs10.PKCS10;   // sun.security.pkcs.PKCS10 before JDK 7; an internal API that has changed again in later JDKs
import sun.security.x509.X500Name;

public PKCS10 createCsr(String distinguishedName, KeyPair keyPair)
        throws GeneralSecurityException, IOException {
    // Subject of the request, e.g. "CN=development.sun.com, OU=Development, O=Sun, C=US"
    X500Name x500Name = new X500Name(distinguishedName);

    // The post used SHA1WithRSA; SHA-1 signatures are deprecated, prefer "SHA256withRSA".
    String signatureAlgorithmName = "SHA1WithRSA";
    Signature signature = Signature.getInstance(signatureAlgorithmName);
    signature.initSign(keyPair.getPrivate());

    // The CSR carries the public key; signing it proves possession of the matching private key.
    PKCS10 pkcs10 = new PKCS10(keyPair.getPublic());
    pkcs10.encodeAndSign(x500Name, signature);

    return pkcs10;
}

This was relatively easy to find out how to do.  The one snag I hit was around the "encodeAndSign" method, which at first I thought needed an instance of X500Signer.  It seems that support for X500Signer was dropped as of JDK 1.7.  It turned out that X500Signer is not needed, and that it just needs an instance of X500Name.

Wednesday, June 28, 2017

Java and SSL: Creating a Certificate Signing Request with Keytool

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

Creating a Certificate Signing Request with Keytool

keytool -certreq -keystore temp -storepass whatever -file temp.csr

Without -alias, keytool looks for its default alias "mykey"; add -alias <name> to request a certificate for a key stored under a different alias.


Tuesday, June 27, 2017

Java and SSL: How to Create a Certificate in Java

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Create a Certificate in Java

  • A brief digression: what is a certificate?
  • How to create a certificate signing request
  • How to sign a CSR
  • How to import the certificate to a keystore
As the bullet points indicate, there are 3 steps to creating a certificate: creating the certificate signing request (CSR), signing the CSR, and importing the resulting certificate to the keystore.

A certificate is merely a public key that has been "signed" by another party.  The signature takes the form of a one-way hash of the public key to be signed, encrypted with the private key of the signer. The signer signs the public key so that others can check that it is genuine.

Others can verify the certificate by computing the hash of the public key and decrypting the signature value from the certificate with the signer's public key.  If the computed hash matches the decrypted value, the certificate is considered good.

For this scheme to work, the signer's public key must be widely available, and the hash algorithm and the signature itself must be readily recoverable from the certificate, which is why file formats are so important with SSL.
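The three steps above (CSR, sign, import), run end to end as one script with keytool and OpenSSL. This is an added example, not code from the original posts: it reuses the -genkeypair, -certreq and openssl req commands from the other posts in this series, and the DN, CA name, file names and keystore password are made-up demo values.

```shell
#!/bin/sh
# Added example, not from the original posts: CSR, sign, import run end to end with keytool
# and OpenSSL.  Assumes both are on PATH.  DN, CA name, file names and password are demo values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/demo.keystore"
PASS=whatever                      # throw-away password for the demo keystore

build_chain() {
  # 1. Server key pair; -dname answers the questions keytool would otherwise ask interactively.
  keytool -genkeypair -keystore "$KS" -storepass "$PASS" -keypass "$PASS" \
      -alias private -keyalg RSA -keysize 2048 \
      -dname "CN=development.example.com, OU=Development, O=Example, L=Monrovia, ST=California, C=US"

  # 2. A throw-away CA: the post's openssl req command, plus -nodes and -subj so it does not prompt.
  openssl req -new -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
      -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" -days 365

  # 3. CSR for the key held in the keystore (the post's -certreq command, with the alias given).
  keytool -certreq -keystore "$KS" -storepass "$PASS" -alias private -file "$WORK/server.csr"

  # 4. Sign the CSR with the CA key; -CAcreateserial keeps a serial counter next to the CA cert.
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
      -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/server-cert.pem"

  # 5. Import the CA certificate first: keytool rejects a reply it cannot chain to a trusted cert.
  #    Then import the reply under the key's own alias, which replaces the self-signed certificate
  #    from step 1 with the CA-signed chain.
  keytool -importcert -keystore "$KS" -storepass "$PASS" -alias ca -file "$WORK/ca-cert.pem" -noprompt
  keytool -importcert -keystore "$KS" -storepass "$PASS" -alias private -file "$WORK/server-cert.pem" -noprompt

  # The check the post describes: hash the certificate body and verify the signature with the CA key.
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/server-cert.pem"
}

# Number of certificates in the chain stored under the key alias: 2 (server + CA) after the import.
chain_length() {
  keytool -list -v -keystore "$KS" -storepass "$PASS" -alias private \
      | awk -F': *' '/Certificate chain length/ { print $2; exit }'
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  build_chain >&2
  echo "chain length for alias private: $(chain_length)"
else
  echo "this demo needs keytool (from a JDK) and openssl on PATH" >&2
fi
```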

Java and SSL: How to Generate a Key Pair Using Java

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Generate a Key Pair Using Java

import java.security.*;

public KeyPair createKeyPair() throws GeneralSecurityException {
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048);   // set the size explicitly; the provider default has varied across JDK releases
    return keyPairGenerator.genKeyPair();
}

After generating a certificate, generating a key pair was almost anticlimactic.

Sunday, June 25, 2017

Java and SSL: How to Generate a Key Pair with Keytool



This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Generate a Key Pair with Keytool

keytool -genkeypair -keystore keystore -storepass whatever -alias private \
    -keyalg rsa

What is your first and last name?
[Unknown]:  development.sun.com
What is the name of your organizational unit?
[Unknown]:  Development
What is the name of your organization?
[Unknown]:  Sun
What is the name of your City or Locality?
[Unknown]:  Monrovia
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US correct?
[no]:  yes

Enter key password for <private>
(RETURN if same as keystore password):

This was taken from:

https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html

With a few alterations.

Java and SSL: How to Generate a Key Pair

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Generate a Key Pair
  • Using keytool
  • Programmatically

Saturday, June 24, 2017

Java and SSL: How to Create a Self-signed Certificate Programmatically

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to Create a Self-signed Certificate Programmatically



import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.x509.*;

// Uses the JDK's internal sun.security.x509 classes: on JDK 9 and later compile and run with
// --add-exports java.base/sun.security.x509=ALL-UNNAMED, and expect this API to change between releases.
public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
         throws GeneralSecurityException, IOException {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000L);   // days -> milliseconds
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());   // random 64-bit serial number
    X500Name owner = new X500Name(dn);   // subject and issuer are the same for a self-signed cert

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, owner);
    info.set(X509CertInfo.ISSUER, owner);
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // Placeholder algorithm id only; it is replaced below with the one the signature actually used.
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);

    // Update the algorithm, and re-sign.
    algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    return cert;
}

This was ridiculously difficult to figure out.  I kept getting an exception like this:

java.security.cert.CertificateException: Subject class type invalid.

But the problem was that the original code was using X509CertInfo.set instead of using an instance of X500Name.  

Friday, June 23, 2017

Java and SSL: How to create a New Certificate Authority

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

How to create a New Certificate Authority


I didn't come up with this.  I got most of my information from https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html. This page explained most of what I'm going to talk about.

OpenSSL is a must-have for developers doing SSL development with Java.  It comes with the Git command line (for Windows developers) and with OS X (for Mac developers).

A certificate is merely a public key whose hash value has been computed using a cryptographically strong algorithm like SHA-256 and then encrypted with someone's private key.  In the case of a "self-signed" certificate, that is the private key associated with the certificate's own public key.

To do this on the command line, use OpenSSL:


openssl req -new  -x509  -keyout ca-key.pem.txt -out ca-certificate.pem.txt -days 365


Java and SSL: What Git Considers to be an Acceptable Error Message

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

An Example Error Message from Git

fatal: repository 'wrong' does not exist

While the problem is clear, the solution is still vague, but at least the error is understandable.

Java and SSL: What OpenSSL Considers an Acceptable Error Message

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

An Example Error Message from OpenSSL

16884:error:02001002:system library:fopen:No such file or directory:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/bio/bss_file.c:126:fopen('c:\openssl\bin\openssl.cnf','rb')
16884:error:2006D080:BIO routines:BIO_new_file:no such file:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/bio/bss_file.c:129:
16884:error:0E078072:configuration file routines:DEF_LOAD:no such file:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64.50.6/src/crypto/conf/conf_def.c:197:

When I first saw the output from OpenSSL my jaw dropped.  This error gives me only a vague idea of what went wrong (a file appears to be missing), and absolutely no idea of what to do about it.

Thursday, June 22, 2017

Java and SSL: Welcome to the Dark Ages!


This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
  • If you have a Java and SSL expert...
  • SSL is difficult in Java NIO
  • Few tools are available
  • Even Stack Overflow was no help
All I can say about experts in the field of Java and SSL is that if you have one...KEEP THEM!  I found the combination of Java (NIO) and SSL to be very difficult.  And the Java world has had over 10 years (NIO was released in 2006) to fix this!

I found SSL to be ridiculously difficult in Java NIO.  For something as ubiquitous as SSL I was hoping to find it easier going.  Oh boy was I wrong.

I had to fight SSL every step of the way.  If things became easy, I immediately became suspicious.  If I tried to do something "simple" in SSL, all the examples that I found generated warnings when I tried to use them.  When I found what I deemed a bug in one library, the person I worked with dismissed it as "not a bug," the list goes on and on.

I found very few libraries or frameworks for SSL.  The only real alternative to the classes in the JDK is BouncyCastle, but I found BC to be very poorly documented (there is a one page "User Guide" that basically points you to some examples and the JavaDoc).  

Two frameworks that implement SSL are Apache Mina and Netty.  Interacting with Netty was where I had the "this is not a bug" experience.  I am dreading the day that I have to work with the Mina folks.

Examples with SSL are few and far between.  Many problems I just couldn't find an answer to.  I even posted a problem on Stack Overflow, expecting a dozen messages with titles like "Try THIS, bonehead" but no one replied.

As with all my experiences, your own experience may vary from mine.

Java and SSL: What's in this Section?

This is the first of a series of posts about the worlds of Java and SSL.  I hope to do 1 post a day on this topic.  The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

SSL and Java

  • Welcome to the dark ages!
  • How to create a new Certificate Authority
  • How to create a key pair
  • How to create a certificate signing request
  • How to sign a CSR


Wednesday, June 21, 2017

Slides up on Slideshare

I just put my slides from my talk at DOSUG on Slideshare.  You can get them at https://www.slideshare.net/ClarkHobbie/miranda-77154415.

A Talk on Security

Recently, I asked to speak at the Denver/Boulder Cybersecurity Meetup. Pattie Kettle was kind enough to pencil me in for the August 10 meeting.

This leaves me with a problem.

My talk at DOSUG was around 40 minutes and doesn't address security directly.

So what I've decided to do is to add an "optional" section on SSL with Java.  I will use the five core topics (what is Miranda, why was it created, how it works, why it's reliable, and why it's secure) and then add on the "extra" topic. This should bring the talk up to 50 minutes, which should be acceptable.

I will blog about SSL and Java in the coming days.

Tuesday, June 6, 2017

Presented at DOSUG

(Finally) presented at DOSUG.  Slides available at ltsllc.com/talks as a PDF at http://ltsllc.com/talks/Miranda.pdf and as a PowerPoint presentation at http://ltsllc.com/talks/Miranda.pptx.