radioAe6rt

JXTA’s Personal Security Environment (PSE) allows peers to exchange messages over TLS. PSE is based on public key cryptography, and configuring PSE amounts to creating and pointing to key material (typically X.509 keys and certificates) for use during that TLS handshaking and encryption of session data.

JXTA can create this key material for us, but as helpful as that is, it is mysterious and therefore somewhat unsatisfying. We want knowledge of how to set up PSE, which allows us to use our own key material, perhaps issued by a well-known trusted certificate authority.

Here is the course of study. It is all about fundamentals. As calculus is to physics, PKI is to PSE, and keystores are to PKI.

• Read Simson Garfinkel’s gentle intro to public key cryptography “PGP” (O’Reilly, 1995)
• Read David Hook’s book Beginning Java Cryptography (Wrox, 2005). An excellent book on many Java security topics.
• Know the Java keytool command inside and out. Without keytool mastery, we are lost.
• Write a simple program that uses the java.security.KeyStore API to look inside the keystores we create with keytool.
• Configure JXTA to use an external keystore
• Study the JXTA platform PSEUtils.code, where much of the PKI key material action takes place.

If we work our way through those references we have accomplished a great deal. We have reached a critical confluence in what we know about keytool and what we know about JXTA PSE: we have a freestanding keystore that is used by the platform and that we can examine in great detail using keytool. This is where TLS configuration suites for containers like Tomcat or Jetty begin, and we now recognize where we are. (If one is pressed for time, the reading of Hook’s book may be restricted to the chapters on KeyStores, SSL, and X.509 certificates).

The next phases in extending our configuration of PSE are

• Building the keystore ourselves
• Configuring an application subgroup to use PSE

Building the keystore ourselves consists of a) installing in the keystore a root certificate that all peers recognize, and b) installing in the keystore a keypair signed by the recognized root. Executing (a) is to essentially create what is known as a “trust store”. Trust stores are where we put certificates that help us identify the other end of a TLS session (the cacerts file bundled with the JRE is a big trust store). Executing (b) is essentially establishing a “key store”, which helps us identify ourselves to the other end of the TLS session through our possessed keypair.

Configuring an application subgroup to use PSE is nontrivial but not beyond our ability. It requires a dozen or so lines of JXTA application code. The best reference we have is build_psegroup_impl_adv() in tutorials/psesample/src/psesample/Main.java in the JXTA source distribution.

If we wish to base PSE on certificates and keypairs we create, be aware that JXTA Platform issue 1609 bears on the outcome. Work is ongoing on how to manage keys during the TLS handshake, but fixing this is only a matter of time.

PSE is all about keystores and certificates. But it takes a bit of work to get to the point where we can say that. Hopefully, we have a start.

[tags]jxta,pse[/tags]