Monday, July 24, 2017

Changing the Java and SSL Presentation to CLCL

Yesterday I decided to create a new library for crypto tasks: the com ltsllc crypto library, or clcl.  I now need to change my presentation to incorporate clcl.

I decided to keep the same basic structure and simply present clcl as more of a solution to Java and SSL's problems.  The basic tasks remain the same:

  • Create a key pair
  • Create a CA
  • Create a CSR
  • Create a certificate
To this I have added various file-oriented tasks:
  • Load/store a key pair in a Java key store
  • Load/store a key pair in a PEM file
  • Load/store a certificate in a Java key store
  • Load/store a certificate in a PEM file
PEM files have an additional challenge in that they may be password protected.
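The first four tasks in that list, carried through end to end with Bouncy Castle, as an added example that is not code from the utilities or from clcl. It assumes bcprov and bcpkix on the classpath; the class name MiniCa, the distinguished names and the validity periods are made up for the illustration. The point a CA implementation must not skip is in signCsr: the CSR's own signature is verified before anything is issued, the serial number is random, and the CA, not the requester, decides the extensions.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

// Hypothetical class written for this example; not part of the mirandaUtilities or clcl code.
public class MiniCa {

    private static final String SIG_ALG = "SHA256withRSA";
    private static final SecureRandom RANDOM = new SecureRandom();

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    // Task 1: create a key pair.
    public static KeyPair createKeyPair() throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
        generator.initialize(2048);
        return generator.generateKeyPair();
    }

    // Task 2: create a CA, i.e. a self-signed certificate that is marked as a CA.
    public static X509Certificate createCa(KeyPair caKeys, String dn, int days) throws Exception {
        X500Name name = new X500Name(dn);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, randomSerial(), notBefore, notAfter, name, caKeys.getPublic());
        // pathLen 0: this CA may issue end-entity certificates but no subordinate CAs.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return toX509(builder.build(signer(caKeys)));
    }

    // Task 3: create a CSR; it is signed with the subject's own private key (proof of possession).
    public static PKCS10CertificationRequest createCsr(KeyPair subjectKeys, String dn) throws Exception {
        return new JcaPKCS10CertificationRequestBuilder(new X500Name(dn), subjectKeys.getPublic())
                .build(signer(subjectKeys));
    }

    // Task 4: create a certificate by having the CA sign the CSR.
    public static X509Certificate signCsr(PKCS10CertificationRequest csr, X509Certificate caCert,
                                          KeyPair caKeys, int days) throws Exception {
        JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(csr).setProvider("BC");
        // Refuse any CSR whose signature does not verify under the public key it carries.
        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(jcaCsr.getPublicKey());
        if (!csr.isSignatureValid(verifier)) {
            throw new SecurityException("CSR signature does not verify; refusing to sign");
        }
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, randomSerial(), notBefore, notAfter, csr.getSubject(), jcaCsr.getPublicKey());
        // The CA decides the extensions; nothing is copied blindly from the request.
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(caCert));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(jcaCsr.getPublicKey()));
        return toX509(builder.build(signer(caKeys)));
    }

    // Random serials; sequential ones are predictable and collide when a CA is rebuilt.
    private static BigInteger randomSerial() {
        return new BigInteger(128, RANDOM);
    }

    private static ContentSigner signer(KeyPair keys) throws Exception {
        return new JcaContentSignerBuilder(SIG_ALG).setProvider("BC").build(keys.getPrivate());
    }

    private static X509Certificate toX509(X509CertificateHolder holder) throws Exception {
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        KeyPair caKeys = createKeyPair();
        X509Certificate caCert = createCa(caKeys, "CN=Example Test CA, O=Example", 3650);
        KeyPair serverKeys = createKeyPair();
        PKCS10CertificationRequest csr = createCsr(serverKeys, "CN=localhost, O=Example");
        X509Certificate serverCert = signCsr(csr, caCert, caKeys, 365);
        serverCert.verify(caCert.getPublicKey());   // throws if the issued chain is broken
        System.out.println("issued " + serverCert.getSubjectX500Principal() + " serial " + serverCert.getSerialNumber());
    }
}
```

The final verify() call is the cheapest regression check for a CA routine: if the issuer name or signing key ever gets mixed up, it fails immediately instead of surfacing later as a TLS handshake error.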

Then I have to document each class.  Then I have to create tests for each class. Finally, I need to create wiki entries for the library.

I've completed the first set of tasks, so it looks like I have my work cut out for me. 

Saturday, July 22, 2017

Hosting Secure Servlets: Jetty

This post is part of a series about hosting secure servlets (that is, using HTTPS).  I hope to do one post a day on this topic. The resulting posts will become the basis of a talk that I am scheduled to give on August 10 at the Denver/Boulder Cybersecurity Meetup.

Jetty

  • Define properties
  • Register servlets
  • Start Jetty
I had to choose a servlet container and I chose Jetty.  Jetty has been around since 1995, so it is well established. "Recently" (2009) it became part of the Eclipse project, hence its URL.

Jetty has a reputation for being a good server for embedded applications, and at the time I didn't envision a separate project for the Miranda web stuff, so Jetty seemed like a natural choice.  Before that I was going to use Netty for all my web and servlet stuff.  But I became disenchanted with Netty when I ran into an SSL problem.

Before you can use Jetty to host servlets, you have to define a couple of properties.  Then you have to define a handler.  The documentation says that you can add and remove servlets after starting the server, but I have not found this to be true, so I recommend registering servlets before starting the server.  Starting Jetty involves one method call and is no big deal.
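The three steps above (define properties, register servlets, start Jetty) in one embedded HTTPS server, as an added example and not code from the Miranda project. It assumes Jetty 9.4 (SslContextFactory.Server; older 9.x releases used plain SslContextFactory) and the javax.servlet API; the HelloServlet class, the SERVER_KEYSTORE and SERVER_KEYSTORE_PASSWORD environment variables and port 8443 are choices made for the illustration. Only an HTTPS connector is added, legacy TLS versions and non-forward-secret cipher suites are excluded, and the key store password is never hard-coded.

```java
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical class written for this example; not part of Miranda or Jetty.
public class SecureJettyExample {

    // Hypothetical servlet; it only exists to show that requests arrive over HTTPS.
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("hello over " + req.getScheme() + ", secure=" + req.isSecure());
        }
    }

    public static Server buildServer(String keyStorePath, String keyStorePassword, int httpsPort) {
        Server server = new Server();

        // Step 1: define properties. The server certificate and private key come from a
        // Java key store; the password is passed in rather than written into the source.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePassword);
        // Keep Jetty's default exclusions (SSLv2, SSLv3, ...) and additionally refuse TLS 1.0/1.1.
        ssl.addExcludeProtocols("TLSv1", "TLSv1.1");
        // Exclude suites without forward secrecy, with weak MACs, or without encryption (regex patterns).
        ssl.addExcludeCipherSuites("^TLS_RSA_.*$", "^.*_(MD5|SHA|SHA1)$", "^.*_NULL_.*$", "^.*_anon_.*$");

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(httpsPort);
        // Fills in request.isSecure() and the TLS session attributes for servlets.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector httpsConnector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        httpsConnector.setPort(httpsPort);
        server.addConnector(httpsConnector);   // deliberately no plain-HTTP connector

        // Step 2: register servlets, before start().
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.addServlet(HelloServlet.class, "/hello");
        server.setHandler(context);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Assumed environment variables for this example; not part of Jetty or the original post.
        String keyStorePath = System.getenv("SERVER_KEYSTORE");
        String keyStorePassword = System.getenv("SERVER_KEYSTORE_PASSWORD");
        if (keyStorePath == null || keyStorePassword == null) {
            System.err.println("set SERVER_KEYSTORE and SERVER_KEYSTORE_PASSWORD");
            System.exit(2);
        }
        Server server = buildServer(keyStorePath, keyStorePassword, 8443);
        server.start();   // Step 3: start Jetty, the one method call
        server.join();
    }
}
```

To exercise it, point SERVER_KEYSTORE at a JKS or PKCS#12 file holding the server key and certificate and request https://localhost:8443/hello with a client that trusts the issuing CA (for curl, `--cacert` with the CA certificate); a client that only offers TLS 1.0 or 1.1 is refused at the handshake.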


Friday, July 21, 2017

Hosting Secure Servlets

My presentation is not long enough.

Specifically, the main presentation only took 38 minutes last time (at DOSUG), so I need to add more sections to it.  I had hoped that the section on SSL and Java would be longer, but when I practice it, it takes around 6 minutes.

For that reason, I am going to add a section on hosting secure (HTTPS) servlets using Jetty and Tomcat.  These two sections should make the presentation take up enough time.

Thursday, July 20, 2017

One Password and an Explanation

On Tuesday I did what I thought would be a bit of routine "housekeeping."

I changed my password on a bunch of sites.

I thought this would take me 15 minutes to do, 60 if I was really slow.

It took me a whole day.

That's why I haven't made very much progress on Miranda lately.

I hope to get the slides done on "Java and SSL" today, and maybe do a bit of work on the Miranda utilities (adding methods for creating CSRs and signing them).

Tuesday, July 18, 2017

Finish Java & SSL

I need to finish up the "Java & SSL" section of my presentation for the Denver/Boulder Cybersecurity Meetup that I'll be talking at on August 16th, so I'll be focusing on that today.  I need to create 4 slides: one on signing CSRs, one detailing how to do this with OpenSSL, one detailing how to do this from Java, and a summary for the section.

Monday, July 17, 2017

Amazon's Day

Today I will focus on AWS.  Miranda is designed to run on a service like AWS because it provides another "firewall" against problems.  If a fault is going to strike, it will probably take out your local data center, so running something in the cloud, disconnected from your local data center, makes sense.  Also, I have an interview that focuses on AWS, but that's another story.

So what does "EC2" stand for (electronic compute generation 2)?  What does S3 stand for (simple storage service)?  How do you spin up an instance?  These are the things that I'm going to be pondering today.

Sunday, July 16, 2017

Writing a Key Pair with a Password

    // Imports this method needs (JDK plus Bouncy Castle bcpkix):
    import java.io.FileWriter;
    import java.io.IOException;
    import java.security.KeyPair;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;
    import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
    import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder;

    // PEM_ENCRYPTION_ALGORITHM (the OpenSSL cipher name that ends up in the DEK-Info header)
    // and Utils.closeIgnoreExceptions are defined elsewhere in the utilities.
    public static void writeAsPem (String filename, String password, KeyPair keyPair) throws IOException {
        JcaPEMWriter pemWriter = null;

        try {
            FileWriter fileWriter = new FileWriter(filename);
            pemWriter = new JcaPEMWriter(fileWriter);
            // Build an OpenSSL-style PEM encryptor; the output carries the
            // "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers that OpenSSL expects.
            JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder(PEM_ENCRYPTION_ALGORITHM);
            builder.setProvider(new BouncyCastleProvider());
            // Writing the KeyPair emits the private key block; an RSA private key carries the public parts.
            pemWriter.writeObject(keyPair, builder.build(password.toCharArray()));
        } finally {
            Utils.closeIgnoreExceptions(pemWriter);
        }
    }

This should be easy but it isn't.  When I tried googling "java how to write a password protected key pair for openssl" I got, as my first result, "JAVA: How to save a private key in a pem file with password protection."  Note that this is for a private key, not a key pair. In fact there wasn't anything about key pairs on the first page. There also wasn't anything useful on the second page.

This is what I mean about Java being in a dark age when it comes to SSL - it is difficult to find out how to do the simplest things.


Saturday, July 15, 2017

Weirdness with OpenSSL and Bouncy Castle

I spent most of the day trying to figure out why a private key wasn't loading, only to find out that OpenSSL was behaving strangely.

I shouldn't put all the blame on OpenSSL; I was trying to use Bouncy Castle.

The problem appears to be that a file began with

-----BEGIN RSA PRIVATE KEY-----

instead of this

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,913379F68EA66ADB

I would think that Bouncy Castle would detect this, but apparently I'm wrong.

Instead Bouncy Castle continues on its merry way, until it tries to get the decryption algorithm, at which point it throws the following exception:

org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: unknown algorithm

Hence, my wasted day.
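A loader that would have saved that day, and that also covers the "load a key pair from a PEM file, possibly password protected" task from the July 24 list. This is an added example, not code from the utilities or from clcl; it assumes Bouncy Castle bcprov and bcpkix on the classpath, and the class name PemKeyPairReader is made up. Two things it does that the failing code evidently did not: it inspects the PEM headers up front so a file that lacks "Proc-Type: 4,ENCRYPTED" while a password was supplied is reported as exactly that, and it dispatches on the object type PEMParser actually returns (traditional OpenSSL or PKCS#8, encrypted or clear) instead of assuming one of them, so the PKCSException from the PKCS#8 path arrives with the file name attached rather than as a bare "unknown algorithm".

```java
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPublicKeySpec;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
import org.bouncycastle.operator.InputDecryptorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

// Hypothetical class written for this example; not part of the mirandaUtilities or clcl code.
public class PemKeyPairReader {

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    // Header pre-check: traditional OpenSSL PEM announces encryption with "Proc-Type: 4,ENCRYPTED"
    // (followed by a DEK-Info line); the PKCS#8 form uses its own BEGIN marker instead.
    public static boolean declaresEncryption(String filename) throws IOException {
        for (String line : Files.readAllLines(Paths.get(filename))) {
            if (line.startsWith("Proc-Type:") && line.contains("ENCRYPTED")) return true;
            if (line.startsWith("-----BEGIN ENCRYPTED PRIVATE KEY-----")) return true;
        }
        return false;
    }

    public static KeyPair readKeyPair(String filename, char[] password) throws IOException, GeneralSecurityException {
        boolean passwordGiven = password != null && password.length > 0;
        boolean declared = declaresEncryption(filename);
        // Fail loudly on a mismatch instead of letting the parser guess; this is the July 15 case.
        if (passwordGiven && !declared) {
            throw new IOException(filename + ": password supplied but the file has no encryption headers");
        }
        if (!passwordGiven && declared) {
            throw new IOException(filename + ": file is encrypted but no password was supplied");
        }

        Object pemObject;
        try (PEMParser parser = new PEMParser(new FileReader(filename))) {
            pemObject = parser.readObject();
        }
        if (pemObject == null) {
            throw new IOException(filename + ": no PEM object found");
        }
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");

        if (pemObject instanceof PEMEncryptedKeyPair) {           // traditional OpenSSL, encrypted
            PEMDecryptorProvider decryptor = new JcePEMDecryptorProviderBuilder().setProvider("BC").build(password);
            return converter.getKeyPair(((PEMEncryptedKeyPair) pemObject).decryptKeyPair(decryptor));
        }
        if (pemObject instanceof PEMKeyPair) {                    // traditional OpenSSL, clear text
            return converter.getKeyPair((PEMKeyPair) pemObject);
        }
        if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {  // PKCS#8, encrypted
            try {
                InputDecryptorProvider decryptor =
                        new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build(password);
                PrivateKeyInfo info = ((PKCS8EncryptedPrivateKeyInfo) pemObject).decryptPrivateKeyInfo(decryptor);
                return toKeyPair(converter.getPrivateKey(info));
            } catch (PKCSException | OperatorCreationException e) {
                // "unable to read encrypted data: unknown algorithm" surfaces here; attach the file name.
                throw new IOException(filename + ": cannot decrypt PKCS#8 key (wrong password or unsupported algorithm)", e);
            }
        }
        if (pemObject instanceof PrivateKeyInfo) {                // PKCS#8, clear text
            return toKeyPair(converter.getPrivateKey((PrivateKeyInfo) pemObject));
        }
        throw new IOException(filename + ": unexpected PEM object " + pemObject.getClass().getName());
    }

    // PKCS#8 carries only the private key; for RSA the public key is recoverable from the CRT parameters.
    private static KeyPair toKeyPair(PrivateKey privateKey) throws GeneralSecurityException {
        if (privateKey instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey crt = (RSAPrivateCrtKey) privateKey;
            PublicKey publicKey = KeyFactory.getInstance("RSA", "BC")
                    .generatePublic(new RSAPublicKeySpec(crt.getModulus(), crt.getPublicExponent()));
            return new KeyPair(publicKey, privateKey);
        }
        throw new GeneralSecurityException("cannot derive a public key for " + privateKey.getAlgorithm());
    }
}
```

Paired with the writeAsPem method from the July 16 post, readKeyPair gives a round trip that can be unit tested: write a generated key pair with a password, read it back, and compare the encoded private keys. Do the same with an empty password and confirm that the file has no Proc-Type header; that test is the one that would have caught the strangely behaving file immediately.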

Wednesday, July 12, 2017

New Version Published

A new version of the utilities was pushed to GitHub.  The big change was the addition of tests.

Monday, July 10, 2017

New Utility

I'm working on a new utility for Miranda at https://github.com/miranda-messaging/mirandaUtilities.  Currently, it is confined to creating users, but the plan is to create new CAs, nodes and subscriptions as well.

The release date for Miranda is now 9/30/2018.