|
|
Recommended: Sing it, brah! 5 fabulous songs for developers
JW's Top 5
Featured White Papers
- Measuring Risk to Improve Java Software Quality
- Do You Really Get Classloaders?
- Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
- Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
- Coding with JRebel, Java Forever Changed
- 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data
Sponsored Links
-
Graph databases are 1000x faster than relational.
Learn More!
-
Career opportunities at Harman- Careers That'll Rock Your Socks Off.
Learn More!
-
Developer-friendly Java PDF libraries by Qoppa Software
Live Demos
-
Stop blaming your app! Diagnose Java performance issues.
Free tool >
-
UrbanCode: Go From Continuous Integration to
Continuous DeliveryLearn More!
Sponsored Links
Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs
Java security evolution and concepts, Part 5
J2SE 1.4 offers numerous improvements to Java security
Page 4 of 6
Likewise, if alice were to validate bob's key, the certificate path bob-CA4-CA2-Root CA would be required, assuming alice trusts the Root CA's public key.
Figure 4. Hierarchy of CAs
To make such certificate-chain validation possible in programs, signatures must be verified, certification revocation and validity must be checked, and so on. Further, a certificate chain from the most-trusted CA to the subject may have to be found by other means, such as with access to LDAP (Lightweight Directory Access Protocol).
Building and validating certification paths is routinely carried out in security protocols such as SSL/TLS, S/MIME, IPSec, and so on. We saw how the Java Plug-in validated a certificate (or a chain). The Java CertPath API proves useful in all such cases.
I briefly examined X.509 in earlier articles of this series. The X.509 certificate standard in part provides confidence for doing business online. The Public-Key Infrastructure X.509 (PKIX) working group develops Internet standards needed to support X.509 PKI.
The Java CertPath API is based on the provider architecture introduced in the Java Connector Architecture (JCA). The provider architecture allows user programs to use the same API, but different providers can be plugged in via a Service Provider Interface (SPI). The Sun provider supports the PKIX standard.
Java CertPath API classes and interfaces
Now that we've seen Java CertPath's function, let's examine its classes for building and validating certification paths. Each
class below exists in the java.security.cert package:
- Core classes:
- The abstract
CertPathcaptures the functionality shared by all certification path objects. For example, itsgetCertificates()abstract method returns the certificates list in the path. - In J2SE 1.4 the
CertificateFactorynow supports certification path objects. - The interface
CertPathParametersspecifies parameters to the Certification Path algorithms. For example, the classPKIXParametersthat implements the interface can set PKIX parameters such as time of validity, policy constraints, target certificate constraints, and user-defined checks, among others.
- The abstract
- Validation classes:
CertPathValidatorvalidates a certification path.- The
CertPathValidatorResultinterface captures the results from theCertPathValidatorcertification path validation.
- Building classes:
- The
CertPathBuilderclass, likeCertPathValidator, builds certification paths. CertPathBuilderResultcaptures the results ofCertPathBuilder's path building.
- The
- Storage classes:
CertStoreprovides the functionality of a certificate and certificate revocation list (CRL) repository, such as LDAP. The methodsgetCertifcates()andgetCRLs()retrieve certificates and CRLs, respectively.CertStoreParametersspecifies allCertStoreparameters. In conjunction with theCertStore.getInstance()method, theCertStoreParametersclass obtains aCertStorewith the appropriate properties.- The
CertSelectorinterface serves as an argument to the respective methods, allowing them to specify a set of criteria for the respective selection. - The
CRLSelectorinterface also serves as an argument to the respective methods.
Having briefly looked at the classes and some methods, in the next section we see how to use them.
- Feedback
More from JavaWorld
Resources
- "Java Security Evolution and Concepts," Raghavan N. Srinivas (JavaWorld):
- Part 1Learn computer security concepts and terms in this introductory overview (April 2000)
- Part 2Discover the ins and outs of Java security (July 2000)
- Part 3Tackle Java applet security with confidence (December 2000)
- Part 4Learn how optional packages extend and enhance Java security (May 2001)
- Part 5J2SE 1.4 offers numerous improvements to Java security (December 2001)
- Java security resources from java.sun.com:
- For comprehensive Java security information, read Sun Microsystems' Java Security API page
http://java.sun.com/security - For the latest documentation on Java security, read the documentation from Java 2 1.4
http://java.sun.com/j2se/1.4/docs/relnotes/features.html#security - "Java 2 Platform, Standard Edition, v 1.4.0 API Specification"
http://java.sun.com/j2se/1.4/docs/api/index.html - "Java Cryptography Extension (JCE) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jce/JCERefGuide.html - "Java Secure Socket Extension (JSSE) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html - For "Archives of java-security@sun.com," see
http://archives.java.sun.com/archives/java-security.html - "Frequently Asked Questions -- Java Security"
http://java.sun.com/sfaq/ - Java 2 SDK platform security tools
http://java.sun.com/j2se/1.4/docs/tooldocs/tools.html#security - "Default Policy Implementation and Policy File Syntax"
http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html - "JDK 1.2 - Signed Applet Example,"
http://java.sun.com/security/signExample12/ - Java Plug-in documentation and download
http://java.sun.com/products/plugin/index.html - "Java Certification Path API Programmer's Guide," Sean Mullan
http://java.sun.com/j2se/1.4/docs/guide/security/certpath/CertPathProgGuide.html - "Java Authentication and Authorization Service (JAAS) Reference Guide"
http://java.sun.com/j2se/1.4/docs/guide/security/jaas/JAASRefGuide.html - "Introduction to JAAS and Java GSS-API Tutorials"
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/index.html
- Security-related Java Specification Requests at the Java Community Process:
- Java Certification Path API (JSR 000055)
http://jcp.org/jsr/detail/055.jsp - Java GSS-API (JSR 000072)
http://www.jcp.org/jsr/detail/72.jsp
- Other important Java security resources:
- A list of CAs for obtaining code-signing certificateshttps://certs.netscape.com/client.html
- Netscape's security tools, including signtool
http://developer.netscape.com/docs/manuals/index.html?content=security.html - A comprehensive list of security-related problems with suggested remedial action, known as CERT advisories
http://www.cert.org/ - Applied CryptographyProtocols, Algorithms, and Source Code in C, Second Edition, Bruce Schneier (John Wiley and Sons, 1996; ISBN0471117099) -- a fascinating book on the science and politics of cryptography
http://www.amazon.com/exec/obidos/ASIN/0471117099/javaworld - RSA Labs' FAQ about today's cryptography (in PDF format)ftp://ftp.rsasecurity.com/pub/labsfaq/labsfaq4.pdf
- X.509 standard for certificates
http://www.ietf.org/rfc/rfc2459.txt - Generic Security Service API Version 2Java Bindings
http://www.ietf.org/rfc/rfc2853.txt - Kerberos information, including source code and binaries
http://web.mit.edu/kerberos/www/
- JavaWorld's Java security resources:
- "Construct Secure Networked Applications with Certificates," Todd Sundsted (JavaWorld):
- Part 1Certificates add value to public-key cryptography (January 2001)
- Part 2Learn to use X.509 certificates (February 2001)
- Part 3Use the Java CRL and X509CRL classes (March 2001)
- Part 4Authenticate clients and servers, and verify certificate chains (April 2001)
- For more Java security stories, visit the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml - Discuss Java security in our Java Security discussion
http://forums.idg.net/webx?50@@.ee6b80e - JavaWorld's Java Bookstore security page can point you to numerous security-related books
http://www.javaworld.com/javaworld/books/jw-books-security.html - Sign up for JavaWorld's free Enterprise Java newsletter
http://www.javaworld.com/subscribe
- You'll find a wealth of IT-related articles from our sister publications at IDG.net
About Us | Advertise | Contact Us | Terms of Service/Privacy | AdChoices
Copyright, 2006-2013 Infoworld, Inc. All rights reserved.