Using Portecle to replace command line Keytool interface

Usually default keytool from Sun’s JDK is used to perform local testing on applications involving crytographic operations. Portecle is a nice alternative to achieve a Windows-like behaviour of this tool. It can be launched writing a simple CMD script and executing it from desktop.

START javaw -jar C:\portecle-1.3\portecle.jar
EXIT
Anuncios

WSS in Java

WSS stands for Web Services Security or, shortly, WS-Security. This standard is commonly used to perform secure communications between web services and it’s underlying based on XMLDSig.

Most used toolkits in Java for WSS are:

  • XWSS from Sun (as part of the project Glassfish)
  • WSS4J from Apache

Both are mature solutions and both cover obligatory part of the standard. However, the implementation of optional parts of the standard produces conflicts in client-server communications between this toolkits.

Recently, we had to work with systems communicating through secure web services based on XWSS and WSS4j and we had to solve two problems:

  1. WSS4J doesn’t support InclusiveNamespaces in canonicalization methods of XMLDSig (WSS estandar covers this functionality as optional). 
  2. WSS4J doesn’t support signed timestamp (WSS estandar covers this functionality as optional).

For the first issue, we configured XWSS in order to avoid the unsupported use of the prefix in XML canonicalization.

 

    
    
        
    

Someone decided for the second issue to use non-signed timestamp. In my opinion, this option is unwise because of timestamp manipulation risk. But one can’t always win…

A deep comparison of XWSS and WSS4j can be found at http://blogs.cocoondev.org/dims/wss4j/compare.html

Generating, storing and retrieving Private Keys

Some applications does not work with certificates to perform security operations. Instead of this, raw private keys are used for signature or ciphering. Hence, private keys must be stored as PCKS#8 rather than PCKS#12.  

The following code shows how to generate and use a DSA private key of 1024 bits. Note that this key is stored using Base64 encoding in order to achieve appropiate results. And also Base64 code it’s not provided, any available code would work.

import java.io.BufferedWriter;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.PKCS8EncodedKeySpec;

import sun.security.provider.DSAPrivateKey;

public class PrivateKeyOps {

  /**
   * Generate a DSA private key 1024 bits
   * @return DSA private key 1024 bits
   * @throws Exception
   */
  @SuppressWarnings( "unchecked" )
  private static PrivateKey generate() throws Exception {

    KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
    kpg.initialize(1024, new SecureRandom());
    KeyPair kp = kpg.generateKeyPair();

    Class spec = Class.forName("java.security.spec.DSAPrivateKeySpec");
    KeyFactory kf = KeyFactory.getInstance("DSA");
    DSAPrivateKeySpec dsaPrivKeySpec =
      (DSAPrivateKeySpec)kf.getKeySpec(kp.getPrivate(), spec);

    return new DSAPrivateKey(
        dsaPrivKeySpec.getX(),
                dsaPrivKeySpec.getP(),
                dsaPrivKeySpec.getQ(),
                dsaPrivKeySpec.getG());

  }

  /**
   * Store a PKCS8 base64 encoded private key in a file
   * @param fileName
   * @param generatedPK
   * @throws Exception
   */
  private static void store(String fileName, byte[] generatedPK) throws Exception {
        BufferedWriter keybw = new BufferedWriter(new FileWriter(fileName));
        keybw.write(Base64.encode(generatedPK));
        keybw.close();
  }

  /**
   * Retrieve a PKCS8 base64 encoded private key from a file
   * @param fileName
   * @return
   * @throws Exception
   */
  private static byte[] retrieve(String fileName) throws Exception {
        FileInputStream keyfis = new FileInputStream(fileName);
        byte[] loadedEncKey = new byte[keyfis.available()];
        keyfis.read(loadedEncKey);
        keyfis.close();
        return Base64.decode(new String(loadedEncKey));
  }

  /**
   * Load a PrivateKey object from an encoded key
   * @param encKey Encoded key
   * @return PrivateKey object
   * @throws Exception
   */
  private static PrivateKey load(byte[] encKey) throws Exception {
        PKCS8EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(encKey);
        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
        return keyFactory.generatePrivate(privKeySpec);
  }

  /**
   * Generate a private key
   * Store it on a file using base64 encoding
   * Retrieve it from the file using base64 decoding
   * Load the private key
   * @param args No args required
   * @throws Exception
   */
  public static void main(String...args) throws Exception {

    // Generate and store DSA Private Key
    byte[] generatedPK = generate().getEncoded();
    store("key.pem", generatedPK);

        // Retrieve and load DSA Private Key
    byte[] retrievedEncKey = retrieve("key.pem");
    byte[] loadedPK = load(retrievedEncKey).getEncoded();

    // See how it looks
    System.out.println(Base64.encode(loadedPK));

  }

}