Wednesday, July 26, 2017
Testing CLCL
Today I am going to focus on writing tests for clcl. I wrote one that tests encryption for private keys. It wasn't working until I remembered that if you encrypt something with a private key you decrypt it with the corresponding public key (I was trying to decrypt it with the private key, you'd think that I would realize after all this time...).
Tuesday, July 25, 2017
CLIPC Resurrected
I was rooting around yesterday when I came across my old SourceForge account. I looked in on SourceForge and noticed a project that I hadn't done anything with in a long time: CLIPC.
CLIPC stands for the com ltsllc inter-process communication library. It does shared memory, FIFOs and semaphores. I stopped working on it when I got a job with Pearson/eCollege.
I have moved it over to gihub (https://github.com/ltsllc-consulting/clipc), where I will try to do something with it.
CLIPC stands for the com ltsllc inter-process communication library. It does shared memory, FIFOs and semaphores. I stopped working on it when I got a job with Pearson/eCollege.
I have moved it over to gihub (https://github.com/ltsllc-consulting/clipc), where I will try to do something with it.
Sunday, July 23, 2017
CLCL
I was creating a presentation for the Denver/Boulder Cybersecurity meetup and I found myself, as usual, complaining.
I was decrying the state of Java and SSL, in particular, the lack of good tools and libraries for crypto stuff, when I decided to stop complaining and do something about it. Sigh. And so CLCL, the com ltsllc crypto library, was born.
CLCL is a collection of classes that I have taken from the Miranda project and put into their own library. CLCL does actually do anything it just makes it easier to use classes that do all the crypto stuff. Java and SSL have both been around for over 10 years. It is about time they got some tools.
I was decrying the state of Java and SSL, in particular, the lack of good tools and libraries for crypto stuff, when I decided to stop complaining and do something about it. Sigh. And so CLCL, the com ltsllc crypto library, was born.
CLCL is a collection of classes that I have taken from the Miranda project and put into their own library. CLCL does actually do anything it just makes it easier to use classes that do all the crypto stuff. Java and SSL have both been around for over 10 years. It is about time they got some tools.
Monday, July 17, 2017
The Long Term Vision
The Long Term Software vision boils down doing the things that we are supposed to do, but that haven't been done.
There are certain parts of software engineering that we know are beneficial, but which don't get done. Things like documentation, testing and refactoring. A person cannot be expected to modify a system correctly, but time and time again, developers are asked to do just that. Adequate documentation solves this problem.
As a system ages, it gradually acquires quirks. Maybe an approach seemed like a good idea at the time but later proved to be a bad idea. Whatever the case may be, systems require refactoring to make them consistent again.
Testing is often times the orphan child of software engineering. All systems should have tests but they often don't have them. This really comes back to bite when a change is made to a system that breaks something else. Without adequate tests, there is no way to know that this has happened.
None of these ideas are Earth-shattering. We know that these things should be done. But for whatever reason they don't get done. Maybe there is some sort of deadline that has to be met and corners have to cut to make it. Perhaps there is some new approach or cost-cutting going on that someone is eager to prove right. Whatever the reason, the things that should get done don't get done.
This problem is not unique to software, it happens across the board. Take a look at the number of people who are overweight. Everyone knows that dieting and exercise are good ideas, but people don't do them.
The Long Term Software approach is to do the things that we know are right but which don't get done. While this is easy in principal, it is hard to do in practice. That is why you need to bring in someone from outside the organization to do it.
There are certain parts of software engineering that we know are beneficial, but which don't get done. Things like documentation, testing and refactoring. A person cannot be expected to modify a system correctly, but time and time again, developers are asked to do just that. Adequate documentation solves this problem.
As a system ages, it gradually acquires quirks. Maybe an approach seemed like a good idea at the time but later proved to be a bad idea. Whatever the case may be, systems require refactoring to make them consistent again.
Testing is often times the orphan child of software engineering. All systems should have tests but they often don't have them. This really comes back to bite when a change is made to a system that breaks something else. Without adequate tests, there is no way to know that this has happened.
None of these ideas are Earth-shattering. We know that these things should be done. But for whatever reason they don't get done. Maybe there is some sort of deadline that has to be met and corners have to cut to make it. Perhaps there is some new approach or cost-cutting going on that someone is eager to prove right. Whatever the reason, the things that should get done don't get done.
This problem is not unique to software, it happens across the board. Take a look at the number of people who are overweight. Everyone knows that dieting and exercise are good ideas, but people don't do them.
The Long Term Software approach is to do the things that we know are right but which don't get done. While this is easy in principal, it is hard to do in practice. That is why you need to bring in someone from outside the organization to do it.
Monday, July 10, 2017
Miranda Moving to https://miranda-messaging.blogspot.com/
All Miranda-related stuff is moving to https://miranda-messaging.blogspot.com
Sunday, July 9, 2017
New Utility
In an effort to make it easier to use Miranda, I have created the miradaUtilities project on github (https://github.com/ltsllc-consulting/mirandaUtilities). Currently, the utility allows creation of new users, but it will include creating CAs, nodes and subscriptions as well.
Thursday, July 6, 2017
Hosting Secure Servlets: Registering Servlets
This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
The code that registers servlets:
HandlerCollection handlerCollection = new HandlerCollection(true);
handlerCollection.addHandler(resourceHandler);
jetty.setHandler(handlerCollection);
Then to add servlets:
servletHandler.addServletWithMapping(, );
Jetty says that a handler can be "mutable at runtime" but I haven't had too much luck with that.
handlerCollection.addHandler(resourceHandler);
jetty.setHandler(handlerCollection);
Then to add servlets:
servletHandler.addServletWithMapping(
Tuesday, July 4, 2017
Hosting Secure Servlets: What's in this Section?
This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
How to Host Secure Web Services
- Using Jetty
- Define Jetty's properties
- Register the servlets
- Register the SSL handler
- Start Jetty
I was going to do this in one slide, but realized that there was too much material, so I made it into it's own section.
Monday, July 3, 2017
Java and SSL: Signing a CSR with Java
This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
public static X509Certificate sign(PrivateKey caPrivate, PublicKey signeePublic,
X500Name issuer, Date notValidBefore, Date notValidAfter, BigInteger serialNumber,
X500Name subject)
throws InvalidKeyException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, IOException,
OperatorCreationException, CertificateException {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA1withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder()
.find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(signeePublic.getEncoded());
org.bouncycastle.asn1.x500.X500Name bcIssuer = new org.bouncycastle.asn1.x500.X500Name(issuer.getName());
org.bouncycastle.asn1.x500.X500Name bcSubject = new org.bouncycastle.asn1.x500.X500Name(subject.getName());
X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(bcIssuer, serialNumber,
notValidBefore, notValidAfter, bcSubject, keyInfo);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
.build(foo);
X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
X509CertificateStructure eeX509CertificateStructure = holder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
is1.close();
return theCert;
}
This is complex...and it really shouldn't be. But at least there is a way to do this in Java.
public static X509Certificate sign(PrivateKey caPrivate, PublicKey signeePublic,
X500Name issuer, Date notValidBefore, Date notValidAfter, BigInteger serialNumber,
X500Name subject)
throws InvalidKeyException, NoSuchAlgorithmException,
NoSuchProviderException, SignatureException, IOException,
OperatorCreationException, CertificateException {
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA1withRSA");
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder()
.find(sigAlgId);
AsymmetricKeyParameter foo = PrivateKeyFactory.createKey(caPrivate.getEncoded());
SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(signeePublic.getEncoded());
org.bouncycastle.asn1.x500.X500Name bcIssuer = new org.bouncycastle.asn1.x500.X500Name(issuer.getName());
org.bouncycastle.asn1.x500.X500Name bcSubject = new org.bouncycastle.asn1.x500.X500Name(subject.getName());
X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(bcIssuer, serialNumber,
notValidBefore, notValidAfter, bcSubject, keyInfo);
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
.build(foo);
X509CertificateHolder holder = myCertificateGenerator.build(sigGen);
X509CertificateStructure eeX509CertificateStructure = holder.toASN1Structure();
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
X509Certificate theCert = (X509Certificate) cf.generateCertificate(is1);
is1.close();
return theCert;
}
This is complex...and it really shouldn't be. But at least there is a way to do this in Java.
Sunday, July 2, 2017
Java and SSL: Signing a CSR with OpenSSL
This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
Signing a CSR with OpenSSL
Signing a CSR with OpenSSL
openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in private.csr \
-out private.cer -days 365 -CAcreateserial
Java doesn't make creating CAs or signing part of keytool. This is very strange. Creating CAs and
signing CSRs seem like a fundamental abilities that users would want. The fact that they are left out
is another indication of how primitive SSL is with Java.
Java and SSL: How to sign a CSR
This post is part of a series about the worlds of Java and SSL. I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.
How to Sign a CSR
How to Sign a CSR
- What this does
A signed CSR is a certificate. This is basically just a public key, and a hash code encrypted with the private key of the signer.
Subscribe to:
Posts (Atom)