radioAe6rt

Archive for January 2007

JXTA joins the community of freestanding JKS keystore use

without comments

Tomcat does it, JBoss does it, Glassfish does it, Jetty does it. Now JXTA does it: allows the use of a freestanding JKS keystore file to manage platform keys and certificates.

The version of NetworkConfigurator at the head of CVS (to be part of the upcoming Pavlova release) has a new method call to allow the developer to point to an external, freestanding keystore file: configurator.setKeyStoreLocation().

The method takes advantage of the fact that JXTA has long used a JKS keystore to store platform credentials, but there was no easy way to access it. Prior to this pending release, the keystore was stored as a binary blob in the peer’s cm/ directory, making it practically inaccessible to anything but platform code. Moving the keystore out of cm/ and into a freestanding file is the first step toward understanding and taking control of the PSE Membership Service, which allows TLS sessions to be established between peers.

Directing JXTA to use a freestanding keystore requires only one additional call:


configurator.setKeyStoreLocation(new File(jxtaHome,"keystore").toURI());  // the new call
configurator.setPrincipal("IAmCertPrincipal");
configurator.setPassword("changeit");

resulting in a PlatformConfig which includes a new element on par with the familiar <RootCert> element of PSEConfig:


<RootCert>
...
</RootCert>
<KeyStoreLocation>
    file:/home/foo/.node/keystore
</KeyStoreLocation>

However, real exhilaration does not set in until we start the platform and examine the keystore contents.

Cinch your belt up, pull back your hair, and commence to jubilating with the Snoopy dance: using the familiar keytool utility bundled with the JDK:

$ keytool -v -list -keystore .node/keystore -storepass changeit -keypass changeit
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: urn:jxta:uuid-deadbeefdeafbabafeedbabe0000000d05
 Creation date: Jan 19, 2007
 Entry type: keyEntry
 Certificate chain length: 2
 Certificate[1]:
 Owner: OU=482FE55AFFBDE677B6F1, CN=IAmCertPrincipal, O=www.jxta.org
 Issuer: OU=4D66F4EF921D40AFAA36, CN=IAmCertPrincipal-CA, O=www.jxta.org
 Serial number: 1
 Valid from: Fri Jan 19 06:14:04 PST 2007 until: Thu Jan 19 06:14:04 PST 2017
 Certificate fingerprints:
          MD5:  98:33:53:C3:97:FE:94:1E:5F:2E:25:CB:55:04:15:A2
          SHA1: F0:D3:06:BA:15:B8:EF:E4:E7:CB:7F:1B:78:D7:26:FD:3F:79:6F:37
 Certificate[2]:
 Owner: OU=4D66F4EF921D40AFAA36, CN=IAmCertPrincipal-CA, O=www.jxta.org
 Issuer: OU=4D66F4EF921D40AFAA36, CN=IAmCertPrincipal-CA, O=www.jxta.org
 Serial number: 1
 Valid from: Fri Jan 19 06:13:50 PST 2007 until: Thu Jan 19 06:13:50 PST 2017
 Certificate fingerprints:
          MD5:  97:B6:93:D7:46:8C:33:7B:91:B9:F1:97:D5:E1:F0:0E
          SHA1: 3D:6C:66:F2:2A:FE:A2:96:C7:84:5F:5D:D2:2D:A8:57:29:5C:21:30

*******************************************
*******************************************

Alias name: urn:jxta:uuid-79b6a084d3264df8b641867d926c48d9f8ba10f44ba74475abe2bb568892b0dc03
 Creation date: Jan 19, 2007
 Entry type: keyEntry
 Certificate chain length: 1
 Certificate[1]:
 Owner: OU=4D66F4EF921D40AFAA36, CN=IAmCertPrincipal-CA, O=www.jxta.org
 Issuer: OU=4D66F4EF921D40AFAA36, CN=IAmCertPrincipal-CA, O=www.jxta.org
 Serial number: 1
 Valid from: Fri Jan 19 06:13:50 PST 2007 until: Thu Jan 19 06:13:50 PST 2017
 Certificate fingerprints:
          MD5:  97:B6:93:D7:46:8C:33:7B:91:B9:F1:97:D5:E1:F0:0E
          SHA1: 3D:6C:66:F2:2A:FE:A2:96:C7:84:5F:5D:D2:2D:A8:57:29:5C:21:30

*******************************************
*******************************************

This is nothing short of glorious. Time for a smoke.

Note that the keystore contains two platform-generated key entries, one whose alias is the peer’s PeerID, and the other whose alias is the MCID of the tlsProtocol. The former is termed the “platform” key, the latter the “client” key. The client key is the credential used to authenticate this peer during TLS handshakes and, after that, for message block encryption.

The method of using freestanding keystores can be extended in an interesting way: we are free to install our own platform key, rather than let JXTA generate it, and perhaps an issuing root certificate. Just make sure the alias of our platform key entry is the PeerID of this peer. To coax JXTA into using this key fully, we do not set the principal on the NetworkConfigurator; instead we set the key entry’s certificate and private key:


configurator.setCertificate(theCert);
configurator.setPrivateKey(thePrivateKey);

where, since we have the keystore in hand (and we do), we get the certificate and private key entries using the standard java.security.KeyStore interface. We must continue to set the configurator password, as this is precisely the keystore storepass and keypass needed to unlock the keystore credentials during the familiar JXTA “login” idiom.
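Putting the two halves together (pointing the configurator at the freestanding keystore, then pulling our own platform key out of it under the PeerID alias), here is an added example that is not code from the post or from the JXTA project. The setKeyStoreLocation, setCertificate, setPrivateKey and setPassword calls are the ones the post names; the NetworkConfigurator import path and no-argument constructor, and the ~/.node/keystore layout, are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import net.jxta.platform.NetworkConfigurator;  // JXTA class; package path assumed

public class FreestandingKeystore {
    /**
     * Load the JKS keystore and return the key entry stored under the peer's
     * PeerID alias. The checks mirror what keytool -list showed above: the alias
     * must be a key entry, the leaf certificate must be inside its validity
     * window, and each certificate in the chain must verify against the next.
     */
    public static KeyStore.PrivateKeyEntry loadPlatformKey(File keystoreFile, String peerIdAlias,
                                                           char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, storePass);  // a wrong storepass fails here with an IOException
        }
        if (!ks.isKeyEntry(peerIdAlias)) {
            throw new IllegalStateException("no key entry under alias " + peerIdAlias);
        }
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry)
                ks.getEntry(peerIdAlias, new KeyStore.PasswordProtection(keyPass));
        Certificate[] chain = entry.getCertificateChain();
        ((X509Certificate) chain[0]).checkValidity();  // throws if expired or not yet valid
        for (int i = 0; i + 1 < chain.length; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());  // leaf signed by CA, and so on up
        }
        return entry;
    }

    public static void main(String[] args) throws Exception {
        File jxtaHome = new File(System.getProperty("user.home"), ".node");  // assumed layout
        File keystoreFile = new File(jxtaHome, "keystore");
        String peerId = args[0];  // this peer's PeerID, the alias of the platform key entry
        char[] pass = "changeit".toCharArray();  // JXTA uses one password as storepass and keypass
        KeyStore.PrivateKeyEntry entry = loadPlatformKey(keystoreFile, peerId, pass, pass);
        NetworkConfigurator configurator = new NetworkConfigurator();  // constructor assumed
        configurator.setKeyStoreLocation(keystoreFile.toURI());
        configurator.setCertificate((X509Certificate) entry.getCertificate());
        configurator.setPrivateKey(entry.getPrivateKey());
        configurator.setPassword(new String(pass));  // unlocks the keystore at JXTA "login"
    }
}
```

If the alias under which you installed the key is not this peer's PeerID, the isKeyEntry check fails before anything is handed to the configurator, which is the mistake most worth catching early.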

Many thanks to Mike Duigou for patiently leading me through a PSE education just prior to Christmas.


Written by radioae6rt

January 19, 2007 at 7:48 am

Posted in Internet

OnJava Java security article

with one comment

Thanks to Chris Adamson, my editor at OnJava.com, for helping me get my Java security manager work published.


Written by radioae6rt

January 3, 2007 at 7:21 pm

Posted in Internet

Garry Betty

without comments

A man for whom I had tremendous respect and affection has passed away: Garry Betty, CEO of EarthLink. And so very far before his time.

Garry was my first-line boss for many years while I was at EarthLink, and never to me a sharp or discouraging word did he utter. As the man who paid me, he bought my house and everything in it. He bought my life in California and paid for my kids’ education.

To all those who will miss this good man, with a very heavy heart I respectfully add my name.


Written by radioae6rt

January 3, 2007 at 3:57 pm

Posted in Uncategorized