Applied Cryptography1 Michael McCarthy. Applied Cryptography2 “SOAP is going to open up a whole new avenue for security vulnerabilities” Bruce Schneier,

Applied Cryptography 1

Applied Cryptography

Michael McCarthy


“SOAP is going to open up a whole new avenue for security vulnerabilities”

Bruce Schneier, June 2000


SSL Web Applications

• Server Authentication

• Client Authentication

• Configuring Tomcat for SSL

• Writing a SSL servlet for a browser

• Writing a SSL JAXM servlet for a SOAP client

• XML Key Management


SSL Overview

• Performs secret key exchange like Diffie-Hellman• Data is encrypted with the exchanged key• Clients do not need to provide a certificate but may be required to by the server • Client authentication is typically done in the application layer• Servers must provide a certificate• Normally uses RSA


Writing a simple SSL Client• All SSL client must have a truststore

• If a client is to be verified by the server then the client needs a keystore as well as a trustore

• The truststore

- holds trusted certificates (signed public keys of CA’s)- is in the same format as a keystore- is an instance of Java’s KeyStore class- is used by the client to verify the certificate sent by the server- may be shared with others


Creating a Truststore

(1) Use keytool –genkey to create an RSA key pair

(2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)

(3) Use keytool –import to place the certificate into a truststore


(1) Use keytool –genkey to create an RSA key pair

D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -genkey -alias mjm -keyalg RSA -keystore mjmkeystore

Enter keystore password: sesame

What is your first and last name? [Unknown]: Michael McCarthy

What is the name of your organizational unit? [Unknown]: Heinz School

What is the name of your organization? [Unknown]: CMU


What is the name of your City or Locality? [Unknown]: Pittsburgh

What is the name of your State or Province? [Unknown]: PA

What is the two-letter country code for this unit? [Unknown]: US

Is CN=Michael McCarthy, OU=Heinz School, O=CMU,L=Pittsburgh, ST=PA, C=US correct? [no]: yes

Enter key password for <mjm> (RETURN if same as keystore password): <RT>


D:\McCarthy\www\95-804\examples\keystoreexamples>dir /w Volume in drive D has no label. Volume Serial Number is 486D-D392

Directory of D:\McCarthy\www\95-804\examples\keystoreexamples

[.] [..] mjmkeystore


(2) Use keytool –export to generate a self-signed RSA certificate (holding no private key)

D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -export -alias mjm -keystore mjmkeystore -file mjm.cerEnter keystore password: sesameCertificate stored in file <mjm.cer>



[.] [..] mjm.cer mjmkeystore


(3) Use keytool –import to place the certificate into a truststore

D:\McCarthy\www\95-804\examples\keystoreexamples>keytool -import -alias mjm -keystore mjm.truststore -file mjm.cer

Enter keystore password: sesameOwner: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US

Issuer: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US


Serial number: 3e60f3ceValid from: Sat Mar 01 12:54:22 EST 2003 until: Fri May 30 13:54:22 EDT 2003Certificate fingerprints:

MD5: 80:F4:73:23:4C:B4:32:4C:5F:E0:8A:B1:4D:1E:A3:0D

SHA1: 19:06:31:54:72:ED:B8:D5:B3:CF:38:07:66:B5:78:1A:34:16:56:07Trust this certificate? [no]: yesCertificate was added to keystore




[.] [..] mjm.cer mjm.truststore mjmkeystore 5 File(s) 2,615 bytes

mjmkeystore will be placed in the server’s directorySSL will send the associated certificate to the client

mjm.truststore will be placed in the client’s directory


File OrganizationD:\McCarthy\www\95-804\examples\keystoreexamples>tree /fDirectory PATH listingVolume serial number is 0012FC94 486D:D392D:.├───clientcode│ mjm.truststore | Client.java│└───servercode mjmkeystore Server.java


Client.javaimport java.io.*;import javax.net.ssl.*;import java.net.*;import javax.net.*;

public class Client { public static void main(String args[]) {

int port = 6502; try { // tell the system who we trust System.setProperty("javax.net.ssl.trustStore","mjm.truststore");


// get an SSLSocketFactorySocketFactory sf = SSLSocketFactory.getDefault();

// an SSLSocket "is a" SocketSocket s = sf.createSocket("localhost",6502); PrintWriter out = new PrintWriter(s.getOutputStream());BufferedReader in = new BufferedReader( new InputStreamReader( s.getInputStream()));out.write("Hello server\n");out.flush();String answer = in.readLine(); System.out.println(answer);


out.close(); in.close(); } catch(Exception e) { System.out.println("Exception thrown " + e); } }}


Server.java// Server side SSL import java.io.*;import java.net.*;import javax.net.*;import javax.net.ssl.*;import java.security.*;

public class Server {

// hold the name of the keystore containing public and private keys static String keyStore = "mjmkeystore";

// password of the keystore (same as the alias) static char keyStorePass[] = "sesame".toCharArray();


public static void main(String args[]) {

int port = 6502; SSLServerSocket server;

try { // get the keystore into memory KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(keyStore), keyStorePass);

// initialize the key manager factory with the keystore data KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks,keyStorePass);


// initialize the SSLContext engine// may throw NoSuchProvider or NoSuchAlgorithm exception// TLS - Transport Layer Security most generic

SSLContext sslContext = SSLContext.getInstance("TLS");

// Inititialize context with given KeyManagers, TrustManagers, // SecureRandom defaults taken if null

sslContext.init(kmf.getKeyManagers(), null, null);

// Get ServerSocketFactory from the context objectServerSocketFactory ssf = sslContext.getServerSocketFactory();


// Now like programming with normal server sockets ServerSocket serverSocket = ssf.createServerSocket(port);

System.out.println("Accepting secure connections"); Socket client = serverSocket.accept();System.out.println("Got connection"); BufferedWriter out = new BufferedWriter( new OutputStreamWriter( client.getOutputStream()));BufferedReader in = new BufferedReader( new InputStreamReader( client.getInputStream()));


String msg = in.readLine(); System.out.println("Got message " + msg); out.write("Hello client\n"); out.flush(); in.close(); out.close();

} catch(Exception e) { System.out.println("Exception thrown " + e); } }}


On the serverD:\McCarthy\www\95-804\examples\keystoreexamples\servercode>java ServerAccepting secure connectionsGot connectionGot message Hello server


On the client

D:\McCarthy\www\95-804\examples\keystoreexamples\clientcode>java ClientHello client


What we have so far…

The Client

Has a list of public keys it trusts in the file mjm.truststore

Has no public/private key pair of its own

The Server

Has no list of trusted public keys in a truststore

Has a public/private key pair of its own


For client authentication we need

(1) To generate a key pair for the client(2) Extract a client certificate from the key pair(3) Copy the certificate to the server(4) Import this certificate into the server's truststore(5) Have the server code trust the truststore(6) Have the client code know about its own keys


(1) Generate a key pair for the client

D:\McCarthy\www\95-804\examples\keystoreexamples3\client>keytool -genkey -alias mjmclient -keyalg RSA -keystore mjmclientkeystore

Enter keystore password: sesameWhat is your first and last name? [Unknown]: Michael J. McCarthyWhat is the name of your organizational unit? [Unknown]: Heinz SchoolWhat is the name of your organization? [Unknown]: CMU


What is the name of your City or Locality? [Unknown]: PittsburghWhat is the name of your State or Province? [Unknown]: PAWhat is the two-letter country code for this unit? [Unknown]: USIs CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct? [no]: yes

Enter key password for <mjmclient> (RETURN if same as keystore password):<RT>

Created mjmclientkeystore


(2) Extract a client certificate from the key pair

D:\McCarthy\www\95-804\examples\keystoreexamples3\client>keytool -export -alias mjmclient -keystore mjmclientkeystore -file mjmclient.cer

Enter keystore password: sesameCertificate stored in file <mjmclient.cer>

Created mjmclient.cer


(3) Copy the certificate to the server

D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir

03/05/03 12:25p 602 mjmclient.cer03/01/03 12:54p 1,363 mjmkeystore03/05/03 01:49p 2,670 Server.class03/05/03 01:48p 2,740 Server.java


(4) Import the certificate into the server's truststore

D:\McCarthy\www\95-804\examples\keystoreexamples3\server>

keytool -import -alias mjmclient -keystore mjmclient.trustore -file mjmclient.cer

Enter keystore password: sesameOwner: CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US

Issuer: CN=Michael J. McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US


Serial number: 3e663114Valid from: Wed Mar 05 12:17:08 EST 2003 until: Tue Jun 03 13:17:08 EDT 2003

Certificate fingerprints:MD5: 8F:87:63:CD:0B:BD:FA:E7:21:7C:0C:B0:C2:CC:2C:14SHA1: 4A:C8:ED:BB:1A:C4:B9:32:A5:37:03:2F:4C:A3:3C:34:A3:33:9B:C8Trust this certificate? [no]: yesCertificate was added to keystore


D:\McCarthy\www\95-804\examples\keystoreexamples3\server>dir Volume in drive D has no label. Volume Serial Number is 486D-D392

Directory of server

03/05/03 12:25p 602 mjmclient.cer03/05/03 12:35p 668 mjmclient.trustore03/01/03 12:54p 1,363 mjmkeystore03/01/03 10:40p 2,942 Server.class03/01/03 10:40p 3,798 Server.java 9 File(s) 18,184 bytes


(5) Have the server code trust the truststore

// Server side SSL import java.io.*;import java.net.*;import javax.net.*;import javax.net.ssl.*;import java.security.*;

public class Server {

// hold the name of the keystore containing public and private keys static String keyStore = "mjmkeystore";

// password of the keystore (same as the alias) static char keyStorePass[] = "sesame".toCharArray();


public static void main(String args[]) {

int port = 6502; SSLServerSocket server;

try { // get the keystore into memory KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(keyStore), keyStorePass);

// initialize the key manager factory with the keystore data

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks,keyStorePass);


// tell the system who we trust, we trust the client's certificate// in mjmclient.truststore

System.setProperty("javax.net.ssl.trustStore", "mjmclient.truststore");

// initialize the SSLContext engine

// may throw NoSuchProvider or NoSuchAlgorithm exception// TLS - Transport Layer Security most generic

SSLContext sslContext = SSLContext.getInstance("TLS");// Inititialize context with given KeyManagers, TrustManagers, // SecureRandom// defaults taken if nullsslContext.init(kmf.getKeyManagers(), null, null);


// Get ServerSocketFactory from the context object ServerSocketFactory ssf = sslContext.getServerSocketFactory();

// Now almost like programming with normal server sockets ServerSocket serverSocket = ssf.createServerSocket(port); ((SSLServerSocket)serverSocket).setNeedClientAuth(true); System.out.println("Accepting secure connections"); Socket client = serverSocket.accept(); System.out.println("Got connection"); PrintWriter out = new PrintWriter(client.getOutputStream(),true); BufferedReader in = new BufferedReader( new InputStreamReader( client.getInputStream()));


String fromClient = in.readLine(); System.out.println(fromClient); out.println("Hello client\n"); out.flush(); in.close(); out.close(); System.out.println("Data sent");

} catch(Exception e) { System.out.println("Exception thrown " + e); } }}


(6) Have the client code know about its own keys

import java.net.*;import java.io.*;import javax.net.ssl.*;import javax.security.cert.X509Certificate;import java.security.KeyStore;

public class Client { public static void main(String args[]) {

int port = 6502; // tell the system who we trust System.setProperty("javax.net.ssl.trustStore","mjm.truststore");


try { SSLSocketFactory factory = null; try { SSLContext ctx;

KeyManagerFactory kmf;KeyStore ks;char[] passphrase = "sesame".toCharArray();ctx = SSLContext.getInstance("TLS");kmf = KeyManagerFactory.getInstance("SunX509"); ks = KeyStore.getInstance("JKS");

ks.load(new FileInputStream("mjmclientkeystore"), passphrase); kmf.init(ks, passphrase); ctx.init(kmf.getKeyManagers(), null, null); factory = ctx.getSocketFactory(); } catch (Exception e) { throw new IOException(e.getMessage()); }


SSLSocket s = (SSLSocket)factory.createSocket("localhost", port);s.startHandshake(); PrintWriter out = new PrintWriter(s.getOutputStream());BufferedReader in = new BufferedReader( new InputStreamReader( s.getInputStream()));out.write("Hello server\n");out.flush();String answer = in.readLine(); System.out.println(answer);out.close();in.close();}catch(Exception e) { System.out.println("Exception thrown " + e); } }}


Testing

D:…\server>java ServerAccepting secure connectionsGot connectionHello serverData sent D:\…\client>java Client

Hello client


Testing after deleting the server’s truststore

D:…\server>java ServerAccepting secure connectionsGot connection

Exception thrown javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate

D:\…\client>java ClientException thrown javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown


Testing after deleting the client’s truststore

D:..\server\java ServerAccepting secure connectionsGot connectionException thrown javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

D:\…\client>java ClientException thrown javax.net.ssl.SSLHandshakeException: Couldn't find trusted certificate


Configuring Tomcat for SSL

The web server needs a certificate so that the clientcan identify the server.

The certificate may be signed by a Certificate Authorityor it may be self-signed.

The web server needs a private key as well.


D:\McCarthy\www\95-804\examples\SSLAndTomcat>keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore

Enter keystore password: sesame

What is your first and last name? [Unknown]: localhostWhat is the name of your organizational unit? [Unknown]: Heinz SchoolWhat is the name of your organization? [Unknown]: CMUWhat is the name of your City or Locality? [Unknown]: Pgh.What is the name of your State or Province? [Unknown]: PA

Generate public andprivate keys forTomcat

The keystore file is called .keystore


What is the two-letter country code for this unit? [Unknown]: USIs CN=localhost, OU=Heinz School, O=CMU, L=Pgh., ST=PA, C=US correct? [no]: yes

Enter key password for <tomcat> (RETURN if same as keystore password):<RT>

D:\McCarthy\www\95-804\examples\SSLAndTomcat>


Use admin tool to tell Tomcat about SSL

(1) Startup Tomcat(2) Run the admin server with http://localhost:8080/admin(3) Log in with your user name and password(4) Select Service (Java Web Service Developer Pack)(5) Select Create New Connector from the drop down list in the right pane(6) In the type field enter HTTPS(7) In the port field enter 8443(8) Enter complete path to your .keystore file(9) Enter keystore password(10) Select SAVE and then Commit Changes

Tell Tomcatabout .keystore

http://localhost:8080/admin


Testing

Shutdown Tomcat.

Visit Tomcat from a browser.

Use https://localhost:8443/

You can also visit your other installed web apps through https.

https://localhost:8443/





Protecting A Servlet

The servlet should test the protocol to ensure that itis being accessed through https.

A simple servlet that takes votes over SSL…


VoterServlet.java// VoterServlet.java -- Handle the voting form sent by index.html

import java.io.*;import javax.servlet.*;import javax.servlet.http.*;

public class VoterServlet extends HttpServlet {

public void doPost(HttpServletRequest req, HttpServletResponse response) throws ServletException, IOException { doGet(req, response); }


public void doGet(HttpServletRequest req, HttpServletResponse response) throws ServletException, IOException { String scheme = req.getScheme(); if(scheme.equals("https")) {

String newPresident = req.getParameter("president"); System.out.println("Got Connection"); response.setContentType("text/html");

PrintWriter out = response.getWriter();


String docType = "<!DOCTYPE HTML PUBLIC \"//W3C//DTD HTML 4.0 "; docType += "Transitional//EN\">\n";

out.println(docType + "<HTML>\n" + "<HEAD><TITLE>Presidential Servlet" + "</TITLE></HEAD>\n" + "<BODY>\n" + "<H1>The new president is "+ newPresident + "</H1>\n" + "</BODY></HTML>"); } }

}


index.html<html> <head> <title>Democracy</title> </head> <body BGCOLOR="WHITE"> <form action="https://localhost:8443/VoteServlet/VoterServlet/"> <dl> <dt> Please Vote </dt> <dd><Input type = "Radio" name = "president" value= "Bush"> <b>George W. Bush</b> <dd><Input type = "Radio" name = "president“ value = "Gore"> Al Gore <dd><Input type = "Radio" name = "president“ value = "Buchanan"> Pat Buchanan


<dd><Input type = "Radio" name = "president" value = "Nader"> Ralph Nader <p> <input type = "submit"> </dl> </form> </body> </html>




File OrganizationD:\MCCARTHY\WWW\95-804\EXAMPLES\PRESIDENT│ build.properties build.properties contains app.path=/VoteServlet│ build.xml holds ant program│├───build build directory created by ant compile│ │ index.html the html file asking for a vote│ ││ └───WEB-INF│ │ │ │ web.xml deployment descriptor│ ││ ├───classes│ │ VoterServlet.class the compiled servlet│ ││ └───lib


├───src src directory holds servlet│ VoterServlet.java servlet│└───web │ index.html the html file asking for vote │ └───WEB-INF │ │ web.xml the deployment descriptor that maps │ a URL pattern to the servlet └───classes


Web.xml deployment descriptorD:\McCarthy\www\95-804\examples\president\web\WEB-INF>type web.xml<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd"> <web-app> <servlet> <servlet-name>VoteForPres</servlet-name> <servlet-class>VoterServlet</servlet-class> <load-on-startup/> </servlet>


<servlet-mapping> <servlet-name>VoteForPres</servlet-name> <url-pattern>/VoterServlet/*</url-pattern> </servlet-mapping></web-app>


Build.properties

D:\McCarthy\www\95-804\examples\president>type build.properties# Context path to install this application onapp.path=/VoteServlet

# Tomcat 4 installation directorycatalina.home=d:/jwsdp-1_0_01

# Established when installing the JWSDPmanager.username=XXXXXXRequired and case sensitivemanager.password=XXXXXXRequired and case sensitive


Send Vote With SOAP over HTTPS (Server Authentication)

Use Java API for XML Messaging (JAXM)

Work with a new kind of servlet

The input is a SOAP message and the output is a SOAPMessage

Tomcat has a keystore (.keystore) that sends certificates self-signed by localhost

The client trusts certificates signed by localhost


NoteThere may be sever copies of the file java.security on yoursystem. Make sure they all contain the line:

security.provider.n=com.sun.net.ssl.internal.ssl.Provider


Output First

D:..\examples\SOAPAndSSL\server>shutdownD:..\examples\SOAPAndSSL\server>startupD:..\examples\SOAPAndSSL\server>ant installBuildfile: build.xmlprepare:compile:install: [install] OK - Installed application at context path /Vote [install]BUILD SUCCESSFULTotal time: 1 minute 33 secondsD:\McCarthy\www\95-804\examples\SOAPAndSSL\server>

Server Side


Output First – SOAP ClientClient Side

D:..\examples\SOAPAndSSL\client>java VotingClient NixonSending the following message<?xml version="1.0" encoding="UTF-8"?><soap-env:Envelope xmlns:soap-env= "http://schemas.xmlsoap.org/soap/envelope/"> <soap-env:Header/> <soap-env:Body>Nixon </soap-env:Body></soap-env:Envelope>


providers com.sun.net.ssl.internal.www.protocol

Got back the following response

<?xml version="1.0" encoding="UTF-8"?><soap-env:Envelope xmlns:soap-env= "http://schemas.xmlsoap.org/soap/envelope/"> <soap-env:Header/> <soap-env:Body>Vote for Nixon accepted </soap-env:Body></soap-env:Envelope>The result is Vote for Nixon accepted

D:..\examples\SOAPAndSSL\client>


A SOAP CLIENT Using SSL// VotingClient.java

// for wrapping a SOAP documentimport javax.xml.soap.*;

// for sending the SOAP documentimport javax.xml.messaging.*;

// Standard Java importsimport java.io.*;import java.net.URL;import java.util.Iterator;import java.math.*;import java.security.*;


// For writing the XML documentimport org.apache.xml.serialize.XMLSerializer; // not standardimport org.apache.xml.serialize.OutputFormat; // not standardimport org.xml.sax.InputSource;

public class VotingClient {

// Establish a connection and a message factory private SOAPConnectionFactory soapConnectionFactory; private MessageFactory messageFactory;


public VotingClient() throws SOAPException { // get connection factory soapConnectionFactory = SOAPConnectionFactory.newInstance(); // get a message factory messageFactory = MessageFactory.newInstance(); // set system property to point to our provider System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); } public String castVote(String candidate) throws IOException, SOAPException { // invoke web service SOAPMessage result = sendInVote(candidate); return handleResult(result); }


private SOAPMessage sendInVote(String candidate) {

SOAPMessage soapResponse = null; try {

// get a SOAPConnection from the factory SOAPConnection soapConnection = soapConnectionFactory.createConnection(); // get a SOAPMessage from the factory SOAPMessage soapRequest = messageFactory.createMessage();

// Establish the truststore of who this client trusts System.setProperty("javax.net.ssl.trustStore","tomcat.truststore");

// establish a url endpoint for the SSL request URLEndpoint urlEndpoint = new URLEndpoint( "https://localhost:8443/Vote/VotingServlet");


// place a vote in the SOAP body SOAPPart sp = soapRequest.getSOAPPart();

SOAPEnvelope se = sp.getEnvelope(); SOAPBody sb = se.getBody(); SOAPHeader sh = se.getHeader();

sb.addTextNode(candidate);

System.out.println("Sending the following message"); soapRequest.writeTo(System.out);

soapResponse = soapConnection.call(soapRequest, urlEndpoint);

System.out.println("Got back the following response"); soapResponse.writeTo(System.out); soapConnection.close();


} catch(SOAPException se) { System.out.println("I found the SOAP exception" + se); } catch(IOException ioe) {

System.out.println("IO Exception thrown"); } return soapResponse; }


private String handleResult(SOAPMessage fromVotingServlet) throws SOAPException {

Text value; try {

SOAPPart sr = fromVotingServlet.getSOAPPart(); SOAPEnvelope sre = sr.getEnvelope(); SOAPBody srb = sre.getBody(); SOAPHeader srh = sre.getHeader();

Iterator iter = srb.getChildElements(); value = (Text)iter.next();

}


catch(Exception er) { System.out.println("Exception in handleResult()" + er); return null; }

return (String)(value.getValue()); } public static void main(String a[]) throws Exception {

VotingClient vc = new VotingClient(); String result = vc.castVote(a[0]); System.out.println("The result is " + result); }

}


SOAP Servlet Using SSL

// JAXM servlet VotingServlet.java// Takes a vote from the SOAP body and returns a SOAP response // to the client

import java.io.IOException;import java.util.Iterator;

import javax.servlet.*;import javax.xml.messaging.*;import javax.xml.soap.*;import java.util.*;


public class VotingServlet extends JAXMServlet implements ReqRespListener {

// we need to create a return message private MessageFactory messageFactory;

// onMessage hit on each visit public SOAPMessage onMessage( SOAPMessage messageIn ) {

try { // read data from input message SOAPPart inSoapPart = messageIn.getSOAPPart(); SOAPEnvelope inSoapEnvelope = inSoapPart.getEnvelope();

SOAPBody inSoapBody = inSoapEnvelope.getBody();


Iterator it = inSoapBody.getChildElements();

Text content = (Text)it.next();

System.out.println("Collected vote for " +content.getValue());

// Build SOAP response

messageFactory = MessageFactory.newInstance();

SOAPMessage messageOut = messageFactory.createMessage();

SOAPPart soapPart = messageOut.getSOAPPart(); SOAPEnvelope soapEnvelope = soapPart.getEnvelope();SOAPBody soapBody = soapEnvelope.getBody();


soapBody.addTextNode( "Vote for " + content.getValue() + " accepted");

return messageOut;}catch(NullPointerException np) {

System.out.println("Null pointer all bets are off");return null;

} catch(SOAPException s) { System.out.println("Voting Servlet SOAP Exception"); return null;}catch(Exception e) { System.out.println("exception " + e); return null;}}}


Send Vote With SOAP over HTTPS (Client & Server Authentication)

What we have so far:

SOAP Client SOAP Server

-- has a truststore but no -- has a file called keys of its own .keystore holding keysWe need to:

-- give the client some keys -- set the server to trust those keys


Client Authentication

(1) Generate a key set for the client(2) Generate a certificate from the keys(3) Place the certificate in the server’s keystore(4) Tell Tomcat to authenticate clients(5) Tell the client to load its keys for SSL


(1) Generate a key set for the client

D:..\examples\SOAPAndSSL\client>keytool -genkey -alias mjm -keyalg RSA -storepass sesame -keystore client.keystore

What is your first and last name? [Unknown]: Michael McCarthyWhat is the name of your organizational unit? [Unknown]: Heinz SchoolWhat is the name of your organization? [Unknown]: CMUWhat is the name of your City or Locality? [Unknown]: Pittsburgh


What is the name of your State or Province? [Unknown]: PAWhat is the two-letter country code for this unit? [Unknown]: USIs CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=US correct? [no]: yes

Enter key password for <mjm> <RT> (RETURN if same as keystore password):


(2) Generate a certificate from the keys

D:..\examples\SOAPAndSSL\client>keytool -export -alias mjm -storepass sesame -file client.cer -keystore client.keystore

Certificate stored in file <client.cer>

D:..examples\SOAPAndSSL\client>


(3) Place the client’s certificate into the server’s keystore

a. Copy client.cer over to the serverb. Add client.cer to the server’s keystore

D:..\examples\SSLAndTomcat>keytool -import -v -trustcacerts -alias mjmservercert -file client.cer -keystore .keystore -storepass sesame

Owner: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=USIssuer: CN=Michael McCarthy, OU=Heinz School, O=CMU, L=Pittsburgh, ST=PA, C=USSerial number: 3e7396d6


Valid from: Sat Mar 15 16:10:46 EST 2003 until: Fri Jun 13 17:10:46 EDT 2003

Certificate fingerprints: MD5: CB:49:42:25:DC:FF:B8:0C:02:0F:31:29:B4:E8:B1:00 SHA1: D8:8E:AA:B6:55:17:39:1B:CF:14:24:A9:0E:65:E4:29:52:30:4C:E4

Trust this certificate? [no]: yCertificate was added to keystore[Saving .keystore]

D..\examples\SSLAndTomcat>


(4) Tell Tomcat to authenticate clients

Client authentiaction

Server’skeystore


(5) Tell the client to load its keys for SSL

public VotingClient() throws SOAPException {

// get connection factory soapConnectionFactory = SOAPConnectionFactory.newInstance(); // get a message factory messageFactory = MessageFactory.newInstance();

//Almost the same client as before…


But with the following// use Sun's reference implementation of a URL handler for // the https protocolSystem.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

// Establish the truststore of who this client trustsSystem.setProperty("javax.net.ssl.trustStore","tomcat.truststore");

// Establish the keystore of this clientSystem.setProperty("javax.net.ssl.keyStore","client.keystore");System.setProperty("javax.net.ssl.keyStorePassword","sesame"); // dynamically register SUN's SSL providerSecurity.addProvider(new com.sun.net.ssl.internal.ssl.Provider());}


XKMSPKI HOST

XMK Key Management Specification

Holds keys, certificates and certificate revocation list

Signer

VerifierSigned document

(SOAP)

Verify signatureX-KISSXML Key Information Service Specification

Register keyRevoke CertificateRecover KeyX-KRSSXML Key Registration Service Specification

Signer generates key pair or requests the pair from the PKI host

Key registration request Certificate sent to Signer Signed document sent to Verifier Verifier requests certificate from PKI host Key and certificate sent to Verifier

(S

OA

P)

(SO

AP

)

The Signer may request that a certificate be revoked The Signer may request copy

of lost keys

Applied Cryptography1 Michael McCarthy. Applied Cryptography2 “SOAP is going to open up a whole new avenue for security vulnerabilities” Bruce Schneier,

Documents

rsa slide

truststore d

truststore slide

applied cryptography9

keystore password

mjmkeystore slide

private key d

file d