


Sean Mullan's Blog

February 2006 Archives


Mustang Beta is out! Here's what is new in Security

Posted by mullan on February 15, 2006 at 08:19 AM | Permalink | Comments (13)

Mustang Beta (JDK 6) was released today and contains many new security features:
  • JSR 105, the Java XML Digital Signature API and implementation.
  • Native Platform GSS/Kerberos Integration. This feature allows Java GSS applications to take advantage of features in the native GSS/Kerberos implementation available on the platform.
  • Support for Smart Card I/O API. The Sun JDK bundles the Smart Card I/O API defined by JSR 268. It also includes a provider that implements Smart Card I/O using the PC/SC functionality of the host platform. This gives Java applications a platform independent way to communicate with Smart Cards using ISO 7816 APDUs.
  • Access to native PKI and cryptographic services on Microsoft Windows. Added the SunMSCAPI JCE provider which uses the Microsoft CryptoAPI (CAPI) to offer a variety of RSA cryptographic functions. It acts as a bridge between Java applications and the services offered by the default RSA cryptographic service provider available via CAPI. It provides access to X.509 certificates and RSA key pairs, it performs RSA encryption and decryption, and it creates and validates RSA signatures. It also supports a cryptographic random number generator.
  • Support for SPNEGO in Java GSS. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is a pseudo security mechanism that enables GSS-API peers to securely negotiate a common security mechanism to be used.
  • JSSE pluggability restrictions have been removed. You can now plug in 3rd party JSSE providers that implement non-standard ciphersuites.
  • JAAS-based authentication using LDAP. Added a JAAS login module which enables users to perform authentication using credentials stored in an LDAP directory service.
  • JSSE (SSL/TLS) FIPS 140 compliance. The SunJSSE provider now supports an experimental FIPS 140 compliant mode. When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant.
  • Socket read timeouts are fully supported by SunJSSE SSLSockets. In previous releases, calling setSoTimeout() would sometimes lead to unpredictable results. This has been corrected.
  • Support for the Kerberos AES and RC4-HMAC Encryption Types.
  • Support for new Kerberos Pre-Authentication Mechanisms.
  • Enhancements to the implementation of PKI Certificate Path Builder and Validator. Added support for segmented and indirect CRLs and the authority information access extension, resulting in improved performance, path discovery, and PKIX compliance (RFC 3280).
See the Mustang security documentation for more details on these and all of the features of Java security.

More XML Signature debugging tips

Posted by mullan on February 14, 2006 at 08:24 AM | Permalink | Comments (0)

In a previous blog entry, I discussed how to determine what caused an invalid XML Signature and provided some code snippets. But for some programmers, this information may not be enough, and you may want to know more details.

Well then, good news. The reference implementation of XML DSig has extensive logging support that, when enabled, provides lots of additional information. The log messages use the JDK logging facility (java.util.logging), so if you are familiar with how to format and configure that, you should breeze through the rest of my blog.

I'll show you two different ways to enable this logging: first, if you are running your application from the command line, and second, if you are running it inside a J2EE container (in this case, Sun's Java System Application Server).

If you are running your application from the java command line, you need to configure the logging facility so that the XML DSig logging messages are emitted. You can do this by editing the JRE's default logging.properties file directly, or by creating your own file and pointing to it with the java.util.logging.config.file property, for example:

java -Djava.util.logging.config.file=logging.properties ...

where logging.properties contains:

handlers= java.util.logging.ConsoleHandler
.level= INFO
java.util.logging.ConsoleHandler.level = FINER
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
org.jcp.xml.dsig.internal.level = FINER 
com.sun.org.apache.xml.internal.security.level = FINER

This will emit XML DSig log messages of level FINER and higher to the console. All other components will emit log messages of level INFO and higher.

With Sun's Application Server, enable logging using the Application Server admin console:

- In the tree component, select the Application Server node.
- Click the Logging tab.
- On the Logging Settings page, click the Log Levels tab.
- Add a new property named "org.jcp.xml.dsig.internal" with value "FINER"
- Add a new property named "com.sun.org.apache.xml.internal.security" with value "FINER"
- Click Save to save the changes

The log messages will be written to the application server log file.

I won't describe each and every log message in detail, but some of the most helpful are the following:

[java] FINER: Pre-digested input: ...

This message displays the content of the referenced data just before it was digested.

[java] FINE: Expected digest: ...
[java] FINE: Actual digest: ...

These messages display the expected and actual base64 encoded digest values of a Reference.

[java] FINE: Canonicalized SignedInfo: ...

This message displays the canonicalized SignedInfo element before it is signed.

You can get the reference implementation of JSR 105 from the Java Web Service Developer's Pack v2.0, an early access snapshot of JDK 6 (Mustang), or GlassFish.
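
To see these messages without editing any files, the following added example (not code from the original post or from the reference implementation) loads the same logging settings from a string, signs a constructed document with an enveloped signature, then changes the signed content so that Reference validation fails and the digest messages are logged. The class name DsigLoggingDemo, the sample XML and the throwaway RSA key are assumptions made for illustration; SignatureMethod.RSA_SHA256 requires Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Collections;
import java.util.logging.LogManager;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class DsigLoggingDemo {
    // Same settings as the logging.properties file shown in the post.
    static final String LOG_CONFIG = String.join("\n",
        "handlers=java.util.logging.ConsoleHandler",
        ".level=INFO",
        "java.util.logging.ConsoleHandler.level=FINER",
        "java.util.logging.ConsoleHandler.formatter=java.util.logging.SimpleFormatter",
        "org.jcp.xml.dsig.internal.level=FINER",
        "com.sun.org.apache.xml.internal.security.level=FINER");

    public static void main(String[] args) throws Exception {
        LogManager.getLogManager().readConfiguration(new ByteArrayInputStream(LOG_CONFIG.getBytes("UTF-8")));
        // Constructed sample document and a throwaway RSA key pair (assumptions for the demo).
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream("<order><amount>100</amount></order>".getBytes("UTF-8")));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Enveloped signature over the whole document (Reference URI "").
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null),
            Collections.singletonList(ref));
        fac.newXMLSignature(si, null).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
        // Change signed content after signing so the Reference digest no longer matches.
        doc.getElementsByTagName("amount").item(0).setTextContent("900");
        DOMValidateContext vc = new DOMValidateContext(kp.getPublic(),
            doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        XMLSignature sig = fac.unmarshalXMLSignature(vc);
        // Core validity, then the two parts separately to show which one failed.
        System.out.println("core validity:   " + sig.validate(vc));
        System.out.println("signature value: " + sig.getSignatureValue().validate(vc));
        Reference r = (Reference) sig.getSignedInfo().getReferences().get(0);
        System.out.println("reference:       " + r.validate(vc));
    }
}
```

Run it with java DsigLoggingDemo.java. The FINER output includes the pre-digested content of the signed data, so keep these levels for debugging sessions rather than leaving them enabled where logs are widely readable.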




