Java security evolution and concepts, Part 5

J2SE 1.4 offers numerous improvements to Java security

1 2 3 4 Page 3
Page 3 of 4
/**
 * ValidateCertPath : validates an X.509 certification path
 *      using a PKIX CertPathValidator
 *
 * Synopsis: java ValidateCertPath trustAnchor certPath
 *      or
 *           java ValidateCertPath trustAnchor targetCert intermediateCACert ...
 *
 *      The "trustAnchor" parameter is the name of a file containing
 *      an encoded X.509 trusted CA cert in DER or Base64 format. The"certPath"
 *      parameter is the name of a file containing a PKCS7 or base64 encoded
 *      X.509 cert chain. The "targetCert" and "intermediateCACert" parameters
 *      are the names of a sequence of files representing a chain of certificates.
 *      These files must contain certificates in the same format as "trustAnchor".
 * Author: Sean Mullan
 */
import java.io.*;
import java.security.cert.*;
import java.util.*;
public class ValidateCertPath {
    public static void main(String[] args) throws Exception {
    if (args.length == 0)
        throw new Exception("must specify at least trustAnchor");
    PKIXParameters params = createParams(args[0]);
    CertPath cp = null;
    if (args.length == 2 && (args[1].endsWith("pkcs7") || args[1].endsWith("cer"))) {
        cp = createPath(args[1]);
    } else {
        cp = createPath(args);
    }
    System.out.println("path: " + cp);
    CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    CertPathValidatorResult cpvr = cpv.validate(cp, params);
    System.out.println(cpvr);
    }
    public static PKIXParameters createParams(String anchorFile) throws Exception {
        TrustAnchor anchor = new TrustAnchor(getCertFromFile(anchorFile), null);
        Set anchors = Collections.singleton(anchor);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        return params;
    }
    public static CertPath createPath(String certPath) throws Exception {
        File certPathFile = new File(certPath);
        FileInputStream certPathInputStream = new FileInputStream(certPathFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
    try {
            return cf.generateCertPath(certPathInputStream, "PKCS7");
    } catch (CertificateException ce) {
        // try generateCertificates
                      Collection c = cf.generateCertificates(certPathInputStream);
        return cf.generateCertPath(new ArrayList(c));
    }
    }
    public static CertPath createPath(String[] certs) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List list = new ArrayList();
        for (int i = 1; i < certs.length; i++) {
            list.add(getCertFromFile(certs[i]));
        }
    CertPath cp = cf.generateCertPath(list);
    return cp;
    }
    /**
     * Get a DER or BASE64-encoded X.509 certificate from a file.
     *
     * @param certFilePath path to file containing DER or BASE64-encoded certificate
     * @return X509Certificate
     * @throws Exception on error
     */
    public static X509Certificate getCertFromFile(String certFilePath)
        throws Exception {
        X509Certificate cert = null;
        File certFile = new File(certFilePath);
        FileInputStream certFileInputStream = new FileInputStream(certFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        cert = (X509Certificate) cf.generateCertificate(certFileInputStream);
        return cert;
    }
}

You should see output resembling:

C:\rags>java ValidateCertPath verisignclass3ca.cer verisign.cer
path:
X.509 Cert Path: length = 2.
[
=========================================================Certificate 1 start.
[
[
  Version: V3
  Subject: C=US, ST=MA, L=Burlington, OU=MDDR, CN=Sun Microsystems, OU=Digital ID Class 3 - Java Object Signing, OU="ww
.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)99", OU=VeriSign Trust Network, O="VeriSign, Inc."
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
  Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@c2a132
  Validity: [From: Wed Mar 28 19:00:00 EST 2001,
               To: Fri Mar 29 18:59:59 EST 2002]
  Issuer: CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU="www.verisign.com/repository/RPA Incorp. b
 Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
  SerialNumber: [    716994b8 02b1dc8e 12246ec3 944a5f5c ]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 03 7E 16 82 03 7A   54 68 69 73 20 63 65 72  .......zThis cer
0010: 74 69 66 69 63 61 74 65   20 69 6E 63 6F 72 70 6F  tificate incorpo
0020: 72 61 74 65 73 20 62 79   20 72 65 66 65 72 65 6E  rates by referen
0030: 63 65 2C 20 61 6E 64 20   0A 69 74 73 20 75 73 65  ce, and .its use
0040: 20 69 73 20 73 74 72 69   63 74 6C 79 20 73 75 62   is strictly sub
0050: 6A 65 63 74 20 74 6F 2C   20 74 68 65 20 56 65 72  ject to, the Ver
0060: 69 53 69 67 6E 20 0A 43   65 72 74 69 66 69 63 61  iSign .Certifica
0070: 74 69 6F 6E 20 50 72 61   63 74 69 63 65 20 53 74  tion Practice St
0080: 61 74 65 6D 65 6E 74 20   28 43 50 53 29 2C 20 61  atement (CPS), a
0090: 76 61 69 6C 61 62 6C 65   0A 69 6E 20 74 68 65 20  vailable.in the
00A0: 56 65 72 69 53 69 67 6E   20 72 65 70 6F 73 69 74  VeriSign reposit
00B0: 6F 72 79 20 61 74 3A 20   0A 68 74 74 70 73 3A 2F  ory at: .https:/
00C0: 2F 77 77 77 2E 76 65 72   69 73 69 67 6E 2E 63 6F  /www.verisign.co
00D0: 6D 3B 20 62 79 20 45 2D   6D 61 69 6C 20 61 74 0A  m; by E-mail at.
00E0: 43 50 53 2D 72 65 71 75   65 73 74 73 40 76 65 72  CPS-requests@ver
00F0: 69 73 69 67 6E 2E 63 6F   6D 3B 20 6F 72 20 62 79  isign.com; or by
0100: 20 6D 61 69 6C 20 61 74   20 56 65 72 69 53 69 67   mail at VeriSig
0110: 6E 2C 0A 49 6E 63 2E 2C   20 32 35 39 33 20 43 6F  n,.Inc., 2593 Co
0120: 61 73 74 20 41 76 65 2E   2C 20 4D 6F 75 6E 74 61  ast Ave., Mounta
0130: 69 6E 20 56 69 65 77 2C   20 43 41 20 39 34 30 34  in View, CA 9404
0140: 33 20 55 53 41 0A 0A 43   6F 70 79 72 69 67 68 74  3 USA..Copyright
0150: 20 28 63 29 31 39 39 36   20 56 65 72 69 53 69 67   (c)1996 VeriSig
0160: 6E 2C 20 49 6E 63 2E 20   20 41 6C 6C 20 52 69 67  n, Inc.  All Rig
0170: 68 74 73 20 0A 52 65 73   65 72 76 65 64 2E 20 0A  hts .Reserved. .
0180: 0A 57 41 52 4E 49 4E 47   3A 20 54 48 45 20 55 53  .WARNING: THE US
0190: 45 20 4F 46 20 54 48 49   53 20 43 45 52 54 49 46  E OF THIS CERTIF
01A0: 49 43 41 54 45 20 49 53   20 53 54 52 49 43 54 4C  ICATE IS STRICTL
01B0: 59 0A 53 55 42 4A 45 43   54 20 54 4F 20 54 48 45  Y.SUBJECT TO THE
01C0: 20 56 45 52 49 53 49 47   4E 20 43 45 52 54 49 46   VERISIGN CERTIF
01D0: 49 43 41 54 49 4F 4E 20   50 52 41 43 54 49 43 45  ICATION PRACTICE
01E0: 0A 53 54 41 54 45 4D 45   4E 54 2E 20 20 54 48 45  .STATEMENT.  THE
01F0: 20 49 53 53 55 49 4E 47   20 41 55 54 48 4F 52 49   ISSUING AUTHORI
0200: 54 59 20 44 49 53 43 4C   41 49 4D 53 20 43 45 52  TY DISCLAIMS CER
0210: 54 41 49 4E 0A 49 4D 50   4C 49 45 44 20 41 4E 44  TAIN.IMPLIED AND
0220: 20 45 58 50 52 45 53 53   20 57 41 52 52 41 4E 54   EXPRESS WARRANT
0230: 49 45 53 2C 20 49 4E 43   4C 55 44 49 4E 47 20 57  IES, INCLUDING W
0240: 41 52 52 41 4E 54 49 45   53 0A 4F 46 20 4D 45 52  ARRANTIES.OF MER
0250: 43 48 41 4E 54 41 42 49   4C 49 54 59 20 4F 52 20  CHANTABILITY OR
0260: 46 49 54 4E 45 53 53 20   46 4F 52 20 41 20 50 41  FITNESS FOR A PA
0270: 52 54 49 43 55 4C 41 52   0A 50 55 52 50 4F 53 45  RTICULAR.PURPOSE
0280: 2C 20 41 4E 44 20 57 49   4C 4C 20 4E 4F 54 20 42  , AND WILL NOT B
0290: 45 20 4C 49 41 42 4C 45   20 46 4F 52 20 43 4F 4E  E LIABLE FOR CON
02A0: 53 45 51 55 45 4E 54 49   41 4C 2C 0A 50 55 4E 49  SEQUENTIAL,.PUNI
02B0: 54 49 56 45 2C 20 41 4E   44 20 43 45 52 54 41 49  TIVE, AND CERTAI
02C0: 4E 20 4F 54 48 45 52 20   44 41 4D 41 47 45 53 2E  N OTHER DAMAGES.
02D0: 20 53 45 45 20 54 48 45   20 43 50 53 0A 46 4F 52   SEE THE CPS.FOR
02E0: 20 44 45 54 41 49 4C 53   2E 0A 0A 43 6F 6E 74 65   DETAILS...Conte
02F0: 6E 74 73 20 6F 66 20 74   68 65 20 56 65 72 69 53  nts of the VeriS
0300: 69 67 6E 20 72 65 67 69   73 74 65 72 65 64 0A 6E  ign registered.n
0310: 6F 6E 76 65 72 69 66 69   65 64 53 75 62 6A 65 63  onverifiedSubjec
0320: 74 41 74 74 72 69 62 75   74 65 73 20 65 78 74 65  tAttributes exte
0330: 6E 73 69 6F 6E 20 76 61   6C 75 65 20 73 68 61 6C  nsion value shal
0340: 6C 20 0A 6E 6F 74 20 62   65 20 63 6F 6E 73 69 64  l .not be consid
0350: 65 72 65 64 20 61 73 20   61 63 63 75 72 61 74 65  ered as accurate
0360: 20 69 6E 66 6F 72 6D 61   74 69 6F 6E 20 76 61 6C   information val
0370: 69 64 61 74 65 64 20 0A   62 79 20 74 68 65 20 49  idated .by the I
0380: 41 2E                                              A.
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   Object Signing
]
[3]: ObjectId: 1.3.6.1.4.1.311.2.1.27 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 08 30 06 01 01 00 01   01 FF                    ..0.......
[4]: ObjectId: 2.16.840.1.113730.1.8 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 29 16 27 68 74 74 70   73 3A 2F 2F 77 77 77 2E  .).'https://www.
0010: 76 65 72 69 73 69 67 6E   2E 63 6F 6D 2F 72 65 70  verisign.com/rep
0020: 6F 73 69 74 6F 72 79 2F   43 50 53                 ository/CPS
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
]
  Algorithm: [MD5withRSA]
  Signature:
0000: C9 9F AA 9B A7 02 6C A3   94 F2 B2 76 E3 F2 D2 1A  ......l....v....
0010: 5F 88 B9 3F 79 18 EB 90   A8 A1 F8 B9 24 71 45 DA  _..?y.......$qE.
0020: A1 BB C0 81 F8 2C BB CD   06 45 2B FA 61 1B 3D 10  .....,...E+.a.=.
0030: FE 8E 95 1D 68 23 38 9D   FD A0 1F 28 41 D6 E4 DC  ....h#8....(A...
0040: 16 B4 2D 57 C6 6A C7 B8   14 8C 2D 0D 76 AB 3C 8E  ..-W.j....-.v.<.
0050: 99 8F 9D E2 68 F2 31 90   F1 4E 5E 0A 02 87 1A 0C  ....h.1..N^.....
0060: 55 8C FD 50 56 26 81 F2   6F CD 31 93 F6 BF 51 0B  U..PV&..o.1...Q.
0070: E6 7D FE CE C2 85 E3 1A   B2 56 4B 8C 9A D5 11 90  .........VK.....
]
=========================================================Certificate 1 end.
=========================================================Certificate 2 start.
[
[
  Version: V3
  Subject: CN=VeriSign Class 3 CA - Commercial Content/Software Publisher, OU="www.verisign.com/repository/RPA Incorp.
y Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@2a54f9
  Validity: [From: Wed Dec 30 19:00:00 EST 1998,
               To: Tue Jan 06 18:59:59 EST 2004]
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    cbe213fe 8ff27a24 f743907c 37e6c51a ]
Certificate Extensions: 6
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   Object Signing CA]
[2]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 2E 30 2C 30 2A A0 28   A0 26 86 24 68 74 74 70  ..0,0*.(.&.$http
0010: 3A 2F 2F 63 72 6C 2E 76   65 72 69 73 69 67 6E 2E  ://crl.verisign.
0020: 63 6F 6D 2F 70 63 61 33   2E 31 2E 31 2E 63 72 6C  com/pca3.1.1.crl
[3]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
[CN=Class3CA1-3]]
[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]
[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1F 77 77 77 2E 76 65   72 69 73 69 67 6E 2E 63  ..www.verisign.c
0010: 6F 6D 2F 72 65 70 6F 73   69 74 6F 72 79 2F 52 50  om/repository/RP
0020: 41                                                 A
]]  ]
]
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:0
]
]
  Algorithm: [MD2withRSA]
  Signature:
0000: 45 F7 FB 12 29 CF 21 D0   94 2B B5 BA 52 01 6B 59  E...).!..+..R.kY
0010: 1F 4D 30 8C 40 07 47 45   D1 3E 65 26 63 CB A8 CB  .M0.@.GE.>e&c...
0020: 66 C2 3A 60 93 AD DC 76   82 DC 3E BF F8 83 90 E1  f.:`...v..<.....
0030: F5 4E 06 B5 A6 CB 8C 9F   AF BC 80 E2 7F AA AA A3  .N..............
0040: 5C E2 0B 75 45 42 A0 5D   50 C7 99 92 89 F6 76 A7  \..uEB.]P.....v.
0050: 76 3D BB 4E C8 63 52 6B   41 AE 65 27 FC 51 8F DD  v=.N.cRkA.e'.Q..
0060: 6D 76 B7 77 00 26 85 BD   49 12 2E 10 11 FE 2F 1F  mv.w.&..I...../.
0070: 7B C9 4E 3C 49 03 65 3A   83 27 73 B9 31 78 9F B8  ..N<I.e:.'s.1x..
]
=========================================================Certificate 2 end.
]
PKIXCertPathValidatorResult: [
  Trust Anchor: [
  Trusted CA cert: [
[
  Version: V1
  Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  Signature Algorithm: MD2withRSA, OID = 1.2.840.113549.1.1.2
  Key:  com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b1b4c3
  Validity: [From: Sun Jan 28 19:00:00 EST 1996,
               To: Wed Jan 07 18:59:59 EST 2004]
  Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
  SerialNumber: [    e49efdf3 3ae80ecf a5113e19 a4240232 ]
]
  Algorithm: [MD2withRSA]
  Signature:
0000: 61 70 EC 2F 3F 9E FD 2B   E6 68 54 21 B0 67 79 08  ap./?..+.hT!.gy.
0010: 0C 20 96 31 8A 0D 7A BE   B6 26 DF 79 2C 22 69 49  . .1..z..&.y,"iI
0020: 36 E3 97 77 62 61 A2 32   D7 7A 54 21 36 BA 02 C9  6..wba.2.zT!6...
0030: 34 E7 25 DA 44 35 B0 D2   5C 80 5D B3 94 F8 F9 AC  4.%.D5..\.].....
0040: EE A4 60 75 2A 1F 95 49   23 B1 4A 7C F4 B3 47 72  ..`u*..I#.J...Gr
0050: 21 5B 7E 97 AB 54 AC 62   E7 5D EC AE 9B D2 C9 B2  ![...T.b.]......
0060: 24 FB 82 AD E9 67 15 4B   BA AA A6 F0 97 A0 F6 B0  $....g.K........
0070: 97 57 00 C8 0C 3C 09 A0   82 04 BA 41 DA F7 99 A4  .W...&tl;.....A....
]
  Policy Tree: null
  Subject Public Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@c2a132
]

The examples above demonstrate how to validate certification paths. I haven't covered building certification paths, but the process is similar.

Having looked at the Java CertPath API in some detail, let's turn our attention to the JGSS API.

JGSS API

The JGSS API provides Java bindings for the Generic Security Services API -- a uniform API for authentication and secure communication regardless of the underlying technology, as illustrated in Figure 5.

Figure 5. A multimechanism GSS implementation. (Source: Sun Microsystems.)

Figure 5 shows the two main standards used for network authentication: Kerberos version 5 and the Simple Public Key Mechanism (SPKM), each accessible using a common API. (For more on Kerberos, see "Sidebar 2: Kerberos Made Easy.")

Presently, the Sun implementation only makes Kerberos version 5 available. Since JAAS performs authentication as well, developers typically use JAAS in conjunction with JGSS to accomplish complete authentication.

JGSS API classes and interfaces

The org.ietf.jgss package supports the following classes and interfaces:

  • GSSManager (class): Serves as a factory for other important JGSS API classes and creates instances of classes implementing the JGSS API interfaces mentioned next
  • GSSContext (interface): Manipulates the JGSS API security context and the security services available over the context
  • GSSCredntial (interface): Manipulates the JGSS API credentials for an entity
  • GSSName (interface): Encapsulates a single GSS API principal

In addition to these classes, several JAAS classes are used as well.

JGSS API programming model

The following four steps illustrate the use of the JGSS API:

  • The application acquires a set of credentials with which it may prove its identity to other applications
  • The communicating applications establish a joint security context using their credentials
  • Per-message services are invoked on a GSSContext object
  • The application(s) use one of the GSSContext's methods to invalidate the security context and release any resources held

Here's the client's outline:

1 2 3 4 Page 3
Page 3 of 4