File Release Notes and Changelog
Release Name: 1.1
Notes:
net.sourceforge.sacred v1.1 released 2004-10-26
http://sourceforge.net/projects/sacred/
This package provides a Java implementation of the Securely Available
Credentials Protocol (SACRED), as specified in IETF RFC 3767, for the
secure exchange of security credentials. Security credentials are
stored in an account on a SACRED server for later retrieval, subject
to access control.
We believe that this implementation is compliant with RFC 3767,
except for the fact that we use PKCS#12 instead of PKCS#15.
Please report discovered compliance issues as bugs at
<http://sourceforge.net/projects/sacred/>.
This is an alpha release. Interfaces are subject to change.
1. Package Overview
Files:
a. README.txt -- this file
b. run.bat -- starts two command windows running example client and server
c. build.xml -- an ant build file, description follows:
ant -- defaults to the dist target
ant doc -- generates JavaDocs
ant init -- creates directories for compile and dist
ant compile -- compiles everything in the src directory
ant dist -- creates a jar from the compiled src
ant clean -- removes the build and dist directories
ant server -- starts a server with configuration specified in
src/net/sourceforge/sacred/example/server/SACRED_Server_Config.xml
ant client -- starts a command line client that uses the SACREDclient
interface to communicate with the server (localhost:10288).
d. license files
LICENSE.txt -- The license for this SACRED implementation
LICENSE.beepcore -- The license for BEEP
LICENSE.bouncycastle -- bouncycastle.org license
LICENSE.commons-logging -- logger license
LICENSE.cryptix -- crptix license
LICENSE.puretls -- PureTLS license
LICENSE.xerces -- Xerces license
Directories:
a. src -- the source directory
b. lib -- required libraries
beepcore.jar
beeptls-ptls.jar
beepsasl.jar
beeptls-jsse.jar
cryptix32.jar
commons-logging.jar
cryptix-asn1.jar
puretls.jar
concurrent.jar
xerces.jar
2. Installation Instruction
a. Client side
Client side code is located at src/net/sourceforge/sacred/example/client
You will find the following files:
ClientApp.java -- client side example code
SACRED_Client_Config.xml -- configuration file for client side
rootCArorootCA~root.cer -- trusted certificate for server
A sample configuration file looks like:
<?xml version="1.0"?>
<SACREDclient
server="localhost" port="10288"
transport="net.sourceforge.sacred.transport.BEEPtransport"
receivedCredentialDir="src/net/sourceforge/sacred/example/client/receivedCreds">
<profiles>
<profile
uri="http://iana.org/beep/TLS"
class="org.beepcore.beep.profile.tls.ptls.TLSProfilePureTLSPemInit">
<parameter name="Trusted Certificates"
value="src/net/sourceforge/sacred/example/client/rootCAtorootCA~Root.cer"/>
</profile>
<profile
uri="http://iana.org/beep/SASL/DIGEST-MD5"
class="net.sourceforge.sacred.transport.digestmd5.DigestMD5Profile"/>
</profiles>
</SACREDclient>
You need to specify the server address, port, the transport you will
use (currently we only support BEEPtransport), and
receivedCredentialDir (where you put your downloaded credentials from
the server).
In the current SACRED implementation, we use TLS to achieve server
authentication and use SASL DIGEST-MD5 to achieve mutual
authentication. You have to supply the Trusted Certificates for
server.
The client sample file is in src/net/sourceforge/sacred/client/ClientApp.java.
To run the sample client application, use "ant client".
Note all the file or directory pathes are relative paths to where the program
runs.
b.Server side
Server side example code is located at
src/net/sourceforge/sacred/example/server, where you
will find the following files:
ServerApp.java -- Sample code
SACRED_Server_Config.xml -- Sample server configuration File
serverCerts directory -- Server certificate and private key
SACRED_Server_Config.xml is need to run Server properly.
A sample configuration file looks like:
<?xml version="1.0" ?>
<SACRED_Server port="10288" serverID="SACRED_Server_1">
<digestMD5AuthParams> <Realm value="sacred.ncsa" /> </digestMD5AuthParams>
<userDB location="src/net/sourceforge/sacred/example/server/users.xml" />
<credentialStorage
indexFile="src/net/sourceforge/sacred/example/server/credentials.xml"
directory ="src/net/sourceforge/sacred/example/server/credentials"/>
<transports currentTransport="BEEPtransport">
<transport name="BEEPtransport"
class="net.sourceforge.sacred.transport.BEEPtransport">
<transportSpecificConfig>
</transportSpecificConfig>
</transport>
</transports>
<profiles>
<profile
uri="http://iana.org/beep/TLS"
class="org.beepcore.beep.profile.tls.ptls.TLSProfilePureTLSPemInit">
<parameter name="Client Authenticaton Required" value="false"/>
<parameter name="Certificates"
value="src/net/sourceforge/sacred/example/server/serverCerts/rootCAtoSACRED_Server~SACRED_server.cer"/>
<parameter name="Private Key"
value="src/net/sourceforge/sacred/example/server/serverCerts/SACRED_Server.pem"/>
<parameter name="Private Key Passphrase" value=""/>
<parameter name="Private Key Type" value="RSA"/>
<parameter name="Trusted Certificates"
value="src/net/sourceforge/sacred/example/server/dummy.cer"/>
</profile>
<profile
uri="http://iana.org/beep/SASL/DIGEST-MD5"
class="net.sourceforge.sacred.transport.digestmd5.DigestMD5Profile">
<parameter name="userDBFile"
value="src/net/sourceforge/sacred/example/server/users.xml"/>
</profile>
<profile uri="http://iana.org/beep/sacred/bss"
class="net.sourceforge.sacred.transport.SACREDprofile"/>
</profiles>
</SACRED_Server>
You need to specify:
1. The port the server will be listening
2. The location of UserDB file
3. The realm(s), you can specify multi realms for client to
choose. The sample client application currently
only pick up the first realm.
4. The location of database file to index credential storages
5. The profiles your server support (you need to supply TLS,
SASL/DIGEST-MD5, SACRED)
The server main file is located at
src/net/sourceforge/sacred/sacred/server/SacredServer.java.
To run the server, use "ant server".
3. Generating Certificates, Private Keys and PKCS12 Credentials
a. Generate PKCS12 Credentials
Assume you have the private key in the file userkey.pem, certificate in the
file usercert.pem, to create pkcs12 credential(say, filename user.p12) using
openssl:
openssl pkcs12 -export -inkey userkey.pem -in usercert.pem -out user.p12 -name
"My Certificate"
You will be asked to provide the pass phrase to load private key, and the new
pass phrase to protect the pkcs12 credential.
Detailed information on how to use openssl pkcs12, see
http://www.openssl.org/docs/apps/pkcs12.html#
b. Create the CA
Generate a private key and a certificate request, and then self-sign the
certificate.
openssl genrsa -out ca.key -des3 1024
openssl req -new -key ca.key -out ca.csr -config config_file
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
You need to specify the config_file for req command.
You can find detailed usage and a sample configuration file at
http://www.openssl.org/docs/apps/genrsa.html#
http://www.openssl.org/docs/apps/req.html#
http://www.openssl.org/docs/apps/x509.html#
c. Sign User Certificates
You need to generate a private key and a certificate request, and then sign
the certificate by CA.
openssl genrsa -out user.key -des3 1024
openssl req -new -key user.key -out user.csr -config config_file
openssl ca -config ca.config -out user.crt -infiles user.csr
You need to setup the ca.config, detailed usage and a sample ca.config can be
found at:
http://www.openssl.org/docs/apps/ca.html#
Changes:
New in 1.1
----------
* Clients can verify server's TLS-authenticated identity.
* Clients no longer need dummy credentials for TLS.
* Better Javadocs.
* A number of SASL DIGEST-MD5 protocol fixes, including realm
and charset handling.
* Synchronization locks in server for database consistency during
concurrent access.
* Piggybacking initial SACRED and DIGEST-MD5 messages on BEEP channel
creation.
New in 1.0
----------
* Initial implementation of RFC 3767, with PKCS#12 instead of PKCS#15,
using beepcore-java and our own SASL DIGEST-MD5 implementation.
* A simple SACRED client and server.
