Thread: Fwd: [Jsdsi-users] KeyStore
From: Dav C. <dav...@gm...> - 2004-08-11 15:13:49
oops, missed the list

---------- Forwarded message ----------
Subject: Re: [Jsdsi-users] KeyStore
To: Luis Pedro <lp...@ne...>

Hi, thanks for the Provider.install(), that worked (with the addition of cryptix32.jar to the classpath). I didn't expect to need to do anything more to read the keystore than I needed to create it!

You're probably right about not needing certificate chains. I'm writing this utility so I can try to understand how to use SPKI/SDSI, but at the same time I'm working with the java.security package for the first time so I'm not sure which parts of it to ignore. All I want to do now is create some kind of store so that I can create a principal keypair and save it to the filesystem in one invocation, unlock it and load it back into memory in another invocation and then use it to create a NameCert (sign another user's principal pubkey and assign it a local name) and store the NameCert somewhere too. If I can get all that working, I'll move on to the ACL stuff :)

Incidentally, if I can get this simple example utility working I'd be happy to make the source of it publicly available for others as a resource. I'm hoping to get something together to demo at FOO Camp this year, so I'll be working on this a lot over the next month or so.

On Wed, 11 Aug 2004 11:34:47 +0100, Luis Pedro <lp...@ne...> wrote:
> Hi (again) Dav,
>
> I've been looking better at your example, and really don't understand why you want to create certificate chains (SPKI is not like X.509). You don't need to create cert chains, instead you have to prove your SPKI/SDSI certs. The idea is to have "CertStore"s which contain SPKI/SDSI certs; with this CertStore you'll be able to make proofs of your certs. Take a better look at the test examples, like "CertPathTest".
>
> -- Luís Pedro
>
> _____________________
> yahoo: lpv_pt
> msn: lp...@ne...
>
>> -----Original Message-----
>> From: jsd...@li... [mailto:jsd...@li...] On Behalf Of Dav Coleman
>> Sent: Wednesday, 11 August 2004 6:00
>> To: jsd...@li...
>> Subject: [Jsdsi-users] KeyStore
>>
>> Hi,
>>
>> I'm trying to save a Private Key and Certificate to a KeyStore and then load it back. I'm able to create the keystore on the file system without throwing any exceptions, but when I try to load it I get
>>
>>     java.security.cert.CertificateException: SPKI not found
>>         at java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:191)
>>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:670)
>>         at java.security.KeyStore.load(KeyStore.java:652)
>>         at com.s0ciety.demo.CLI.loadKeyStore(CLI.java:129)
>>
>> Any ideas on what would cause that?
>>
>> Here are the (I hope) relevant code snippets.
>>
>> create and save keystore:
>>
>>     pair = jsdsi.RSAPublicKey.create();
>>     java.security.PrivateKey privKey = pair.getPrivate();
>>     java.security.PublicKey pubKey = pair.getPublic();
>>
>>     jsdsi.RSAPublicKey jsdsiPubKey = (jsdsi.RSAPublicKey) pair.getPublic();
>>     // getTime() is in milliseconds, so 30 days is 86400 * 1000 * 30 (the
>>     // original 86400 * 30 expired the cert after 43 minutes)
>>     Date expire = new Date(now.getTime() + (86400L * 1000 * 30));
>>     jsdsi.Validity validity = new jsdsi.Validity(now, expire);
>>     jsdsi.Cert cert = new jsdsi.NameCert(jsdsiPubKey, jsdsiPubKey, validity,
>>             "display hint", "blah... comment field", "my jsdsi pubkey");
>>     jsdsi.Hash hash = new jsdsi.Hash("MD5", cert.toByteArray());
>>     jsdsi.Signature signature = null;
>>     jsdsi.Principal principal = (jsdsi.Principal) pair.getPublic();
>>     // MD5 is no longer collision resistant; prefer a SHA-2 based algorithm where available
>>     signature = jsdsi.Signature.create(pair, cert, "MD5withRSA");
>>     jsdsi.Certificate certificate = new jsdsi.Certificate(cert, signature);
>>     jsdsi.Certificate[] certificate_chain = new jsdsi.Certificate[] { certificate };
>>     // Create an empty keystore object
>>     keystore = KeyStore.getInstance(KeyStore.getDefaultType());
>>     keystore.load(null, password.toCharArray()); // null input stream to create empty keystore
>>     keystore.setKeyEntry("myalias", privKey, password.toCharArray(), certificate_chain);
>>     // Save the new keystore contents
>>     FileOutputStream out = new FileOutputStream(keystoreFile);
>>     keystore.store(out, password.toCharArray());
>>     out.close();
>>
>> load keystore:
>>
>>     FileInputStream fis = new FileInputStream(file);
>>     keystore = KeyStore.getInstance(KeyStore.getDefaultType());
>>     keystore.load(fis, password.toCharArray());
>>     fis.close();
>>     System.out.println("- keystore loaded");
>>     // same variable as above ("keyStore" in the original did not compile)
>>     System.out.println("- contains " + keystore.size() + " entries");
>>
>> Are there any code examples available for integrating JSDSI into an application? I've read a lot of docs and published papers online and I think I have a basic understanding of SPKI/SDSI capabilities, but I'm completely new to PKI application development so I feel a little lost.
>>
>> --
>> Dav Coleman
>> http://AkuAku.org/
>>
>> _______________________________________________
>> Jsdsi-users mailing list
>> Jsd...@li...
>> https://lists.sourceforge.net/lists/listinfo/jsdsi-users
>
> --
> Dav Coleman
> http://AkuAku.org/

--
Dav Coleman
http://AkuAku.org/
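The stack trace above, and Dav's surprise that loading needs more than creating did, both come from how the Sun JKS format handles certificates: on store it writes only Certificate.getType() and getEncoded(), but on load it calls CertificateFactory.getInstance(type) before it can rebuild the chain, so the provider that understands the type has to be registered in the JVM that reads the file, not just the one that wrote it. The following is an added example written for this page, not code from the thread or from jsdsi: it reproduces the round trip with a made-up certificate type "DEMO-SPKI", a minimal CertificateFactorySpi, and a Provider registered through Security.addProvider(), which is the standard-library equivalent of the Provider.install() helper Luis pointed Dav at. The class names CertTypeRoundTrip, OpaqueCert, OpaqueCertFactory and DemoProvider are all invented for the demo, and the "certificate" body is just the public key encoding, not a signed SPKI cert. Requires Java 9 or later.

```java
import java.io.*;
import java.security.*;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactorySpi;
import java.util.Collection;
import java.util.List;

// Added demo, not jsdsi code: a JKS file holding a non-X.509 certificate type
// loads only when a CertificateFactory for that type is registered.
public class CertTypeRoundTrip {

    // Hypothetical certificate type name. JKS writes Certificate.getType() into the
    // file and calls CertificateFactory.getInstance() with it on load.
    static final String TYPE = "DEMO-SPKI";

    // Minimal opaque certificate: JKS needs nothing beyond getType() and getEncoded().
    public static final class OpaqueCert extends Certificate {
        private final byte[] encoded;
        public OpaqueCert(byte[] encoded) { super(TYPE); this.encoded = encoded.clone(); }
        @Override public byte[] getEncoded() { return encoded.clone(); }
        @Override public void verify(PublicKey key) { /* demo only: nothing signed */ }
        @Override public void verify(PublicKey key, String sigProvider) { }
        @Override public String toString() { return TYPE + "[" + encoded.length + " bytes]"; }
        @Override public PublicKey getPublicKey() { return null; }
    }

    // CertificateFactorySpi that turns the stored bytes back into an OpaqueCert.
    public static final class OpaqueCertFactory extends CertificateFactorySpi {
        @Override public Certificate engineGenerateCertificate(InputStream in) throws CertificateException {
            try { return new OpaqueCert(in.readAllBytes()); }
            catch (IOException e) { throw new CertificateException(e); }
        }
        @Override public Collection<? extends Certificate> engineGenerateCertificates(InputStream in)
                throws CertificateException { return List.of(engineGenerateCertificate(in)); }
        @Override public CRL engineGenerateCRL(InputStream in) throws CRLException {
            throw new CRLException("CRLs not supported");
        }
        @Override public Collection<? extends CRL> engineGenerateCRLs(InputStream in) throws CRLException {
            throw new CRLException("CRLs not supported");
        }
    }

    // Provider that maps "CertificateFactory.DEMO-SPKI" to the factory above.
    public static final class DemoProvider extends Provider {
        public DemoProvider() {
            super("DemoSPKI", "1.0", "demo CertificateFactory for " + TYPE);
            put("CertificateFactory." + TYPE, OpaqueCertFactory.class.getName());
        }
    }

    // Storing needs no provider: JKS only records the type name and the encoding.
    static byte[] createStore(char[] password) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        // A real chain would hold a signed SPKI/SDSI certificate; the public key
        // encoding stands in for the certificate body here.
        Certificate[] chain = { new OpaqueCert(pair.getPublic().getEncoded()) };
        // Ask for JKS explicitly: PKCS12, the default type since JDK 9, accepts only X.509 chains.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, password);
        ks.setKeyEntry("me-private", pair.getPrivate(), password, chain);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    // Loading resolves the stored type name through the installed providers.
    static KeyStore loadStore(byte[] bytes, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new ByteArrayInputStream(bytes), password);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "demo-password".toCharArray();
        byte[] stored = createStore(pw);
        try {
            loadStore(stored, pw);
            System.out.println("unexpected: loaded without a provider for " + TYPE);
        } catch (CertificateException | IOException e) {
            System.out.println("load without provider failed: " + e);   // "... DEMO-SPKI not found"
        }
        Security.addProvider(new DemoProvider());   // the step Provider.install() performs for jsdsi
        Certificate c = loadStore(stored, pw).getCertificate("me-private");
        System.out.println("loaded " + c + " under alias me-private");
    }
}
```

The practical check this gives you: if a keystore that stores fine fails on load with "<type> not found", run CertificateFactory.getInstance(type) on its own in the loading process; if that throws, the provider is missing there, and registering it (or installing it in java.security) is the whole fix. The same applies to any other JVM that will read the file later, such as a deployment that loads a store built on a developer's machine.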
From: Sean R. <sra...@ae...> - 2004-08-12 10:26:06
Sorry guys but I have been offline on business. Dav, are you still having problems? If so, let me know and I should be around for the next few days and will do my best to help.

Any example code you can make available will be *much* appreciated. I'd also be keen (time permitting of course) to help you get your stuff done for the FOO Camp. Which FOO camp is this for?

Regards,

Sean

--
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/
From: Sean R. <sra...@ae...> - 2004-08-12 23:52:06
Dav Coleman wrote:
> On Thu, 12 Aug 2004 11:23:22 +0100, Sean Radford <sra...@ae...> wrote:
>
> Hi Sean,
>
> I have to admit I'm still a little confused. I took a look at the CertPathTest and it uses Loader to load some plain text files with certificate representations, but they aren't a text format I was expecting (the sexp lisp-like stuff), and it's not clear how you would create them (there's no Saver class that I found). The SexpMarshallingTest source was good for showing me a simpler way of creating Name/Auth certs however.

Don't worry about being confused. It does take some time I'm afraid, mainly because there is currently very little / no help or getting started documentation.

> What is the standard/best/accepted way of creating "your own" keypairs (Principals) and saving them to the file system between application invocations? And what about storing other people's public keys in your name space? I assume in X.509 all this was done in a single KeyStore (which comes with load/save methods), but apparently that's not correct for a SPKI system?

Creating KeyPairs: jsdsi.util.KeyPairFactory.create("RSA", 512);

Saving a KeyPair to file.... For this I think we really need an implementation of a KeyStore that supports JSDSI objects (well SExpressions really). If I remember correctly the Sun and BouncyCastle ones do not work (you can save but they have trouble loading). I did have a modified BouncyCastle keystore a long time back that worked (I took the original source and added about 3 lines of code) - not sure where it is now but could hunt down I guess...

To store other people's public keys one would create NameCertificates for them and store them in a CertStore. If there is a limited number, and proof searching using a jsdsi.Prover is not required, I guess you could use a KeyStore?

> The FOO Camp is the one at O'Reilly headquarters in Sebastopol, CA. It's in mid September so I figure my chances of finishing this in time aren't great (especially with 10 days at Burning Man between now and then), but I'm seriously going to try. I have friends going to the European one, although I'm not sure when/where that is exactly. If I had it done in time they could possibly do a short demo for me there.

The one in Europe I think is at the end of this month. Somewhere in Scandinavia I think. I'll hunt down my modified BouncyCastle keystore if that will help you get going?

> The system I'm trying to build is a trusted brokered p2p network (and eventually, a trusted brokered p2p darknet) that uses SPKI/SDSI to control authentication/authorization in a way that maps to social network concepts. It's just a general concept at the moment, but I need to get something to play with to flesh it out. I'm comfortable with the network and application programming, but I'm new to PKI programming. I've been a PGP user for years but the concepts I've learned from that are probably hurting as much as helping.

Stick with SPKI! ;-) (I'm probably biased) Seriously though, I should imagine that the A&A stuff in SPKI is what you need, and correct me if I'm wrong, but PGP doesn't really support authorisation?

Regards,

Sean

--
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/
From: Sameer A. <aj...@gm...> - 2004-08-13 00:06:56
Dav,

fyi, Loader is purely for testing. It creates fake certificates, not real ones! You're absolutely right that real certificates would be stored as S-expressions. Sorry for the confusion.

Developers: could one of you add a *** big *** warning on Loader that it's just for testing purposes? Thanks!

Sameer

--
Sameer Ajmani
http://ajmani.net
From: Dav C. <dav...@gm...> - 2004-08-13 16:22:20
On Thu, 12 Aug 2004 20:06:49 -0400, Sameer Ajmani <aj...@gm...> wrote:
> fyi, Loader is purely for testing. It creates fake certificates, not real ones! You're absolutely right that real certificates would be stored as S-expressions. Sorry for the confusion.
>
> Developers: could one of you add a *** big *** warning on Loader that it's just for testing purposes? Thanks!

Yeah I realized that after I took a look at the java docs for Loader. It already explains it explicitly, I just failed to check the docs before registering my confusion.

--
Dav Coleman
http://AkuAku.org/
From: Dav C. <dav...@gm...> - 2004-08-13 16:56:23
On Fri, 13 Aug 2004 00:49:24 +0100, Sean Radford <sra...@ae...> wrote:
> Saving a KeyPair to file.... For this I think we really need an implementation of a KeyStore that supports JSDSI objects (well SExpressions really). If I remember correctly the Sun and BouncyCastle ones do not work (you can save but they have trouble loading). I did have a modified BouncyCastle keystore a long time back that worked (I took the original source and added about 3 lines of code) - not sure where it is now but could hunt down I guess...
>
> To store other people's public keys one would create NameCertificates for them and store them in a CertStore. If there is a limited number, and proof searching using a jsdsi.Prover is not required, I guess you could use a KeyStore?

OK, well for now I suppose I can just save/load my keypairs as java object streams without a passphrase until I figure out a way to do it securely.

I think I'm starting to get a better mental picture of how this should look. The application should have

1) some sort of file system storage for the user's personal key pairs
2) some sort of file system storage for the name certificates that bind public keys to the user's local names
3) some sort of file system storage for auth certificates which define access to the user's resources

- ideally #1 should be encrypted with a pass phrase, since that's the only thing with private keys
- I thought I could use a sun java.security.KeyStore for #1 (in memory and fs), but I can't, and there is no equivalent as of yet in jsdsi
- #2 and #3 don't need any encryption on the file system
- in memory, #2 and #3 can both be in jsdsi.CertStores
- #2 and #3 could actually be in the same jsdsi.CertStore
- there are no defined methods to store/load a CertStore to the fs

Assuming all the above is correct, my main conceptual confusion now is with how best to reference the user's keypairs when he needs to use them (for signing new name certificates or whatever). Let's say I have two keypairs, one for signing things as 'Dav the private person' and one for signing things as 'Dav the employee'. I could bind each in a name certificate (as "me-private" and "me-work" perhaps) and place them in my own cert store, but when I need to access them that means I could get the public key from the cert store easily, but the private key is stored in another collection. Is the standard method to do this and then search my keypairs for the pubkey match? That would work I'm sure, but I don't want to reinvent the wheel (badly) if there is a better way already implemented somewhere.

For that matter, am I correct in assuming that a user would have two keys like that, or is it more in line with the SPKI/SDSI vision that I'd have one keypair and it would be granted permission to sign things under different roles? I think I read something about that somewhere, but I can't find it at the moment.

> Stick with SPKI! ;-) (I'm probably biased) Seriously though, I should imagine that the A&A stuff in SPKI is what you need, and correct me if I'm wrong, but PGP doesn't really support authorisation?

I'm sure you're not wrong, I can barely keep my head straight about all the PGP/X509/SPKI/SDSI stuff I've been reading :)

--
Dav Coleman
http://AkuAku.org/
From: Sean R. <sra...@ae...> - 2004-08-14 15:32:36
Dav Coleman wrote:
> OK, well for now I suppose I can just save/load my keypairs as java object streams without a passphrase until I figure out a way to do it securely.
>
> I think I'm starting to get a better mental picture of how this should look. The application should have
>
> 1) some sort of file system storage for the user's personal key pairs
> 2) some sort of file system storage for the name certificates that bind public keys to the user's local names
> 3) some sort of file system storage for auth certificates which define access to the user's resources
>
> - ideally #1 should be encrypted with a pass phrase, since that's the only thing with private keys
> - I thought I could use a sun java.security.KeyStore for #1 (in memory and fs), but I can't, and there is no equivalent as of yet in jsdsi
> - #2 and #3 don't need any encryption on the file system
> - in memory, #2 and #3 can both be in jsdsi.CertStores
> - #2 and #3 could actually be in the same jsdsi.CertStore
> - there are no defined methods to store/load a CertStore to the fs

#2 and #3 should be combined to just be a single Certificate Store. As you rightly have seen jsdsi.CertStore (as it follows the JCE and implements java.security.CertStore) has no methods for certificate storage. Partly because of this, I have played around with how I think the CertStore stuff should be refactored. It is in a branch called 'branch-jdbc' (as the aim is to produce a JDBC enabled CertStore). It is still a branch for 2 reasons: 1. I haven't finished it! and 2. The other developers need to vet it (esp. Sameer).

> Assuming all the above is correct, my main conceptual confusion now is with how best to reference the user's keypairs when he needs to use them (for signing new name certificates or whatever). Let's say I have two keypairs, one for signing things as 'Dav the private person' and one for signing things as 'Dav the employee'. I could bind each in a name certificate (as "me-private" and "me-work" perhaps) and place them in my own cert store, but when I need to access them that means I could get the public key from the cert store easily, but the private key is stored in another collection. Is the standard method to do this and then search my keypairs for the pubkey match? That would work I'm sure, but I don't want to reinvent the wheel (badly) if there is a better way already implemented somewhere.

A 'standard' KeyStore allows you to store your private keys indexed by a name (i.e. 'work' or 'personal') along with the public key as a certificate. I would take this approach, with the certificate being stored as an Auto Certificate - that is a self signed Auth Certificate, probably with some simple info as String Tags, e.g. name and email address.

I'll try and hunt down my BouncyCastle keystore that works for jsdsi in the next couple of days.

> For that matter, am I correct in assuming that a user would have two keys like that, or is it more in line with the SPKI/SDSI vision that I'd have one keypair and it would be granted permission to sign things under different roles? I think I read something about that somewhere, but I can't find it at the moment.

yep, most likely to have 1 keypair per identity/persona.

>> Stick with SPKI! ;-) (I'm probably biased) Seriously though, I should imagine that the A&A stuff in SPKI is what you need, and correct me if I'm wrong, but PGP doesn't really support authorisation?
>
> I'm sure you're not wrong, I can barely keep my head straight about all the PGP/X509/SPKI/SDSI stuff I've been reading :)

--
Dr. Sean Radford, MBBS, MSc
sra...@ae...
http://www.aegeus-technology.com/
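Two points from this exchange fit together: Dav's observation that the keypair file is the only thing that needs a passphrase (certificates can sit in a CertStore in the clear), and Sean's suggestion to index private keys by a persona name with their public key beside them. Doing that without a JKS/PKCS12 KeyStore also sidesteps the certificate-type problem from the start of the thread, since no Certificate object is stored at all. The following is an added example written for this page, not jsdsi code and not the BouncyCastle keystore Sean mentions: a hypothetical PersonaKeyStore that keeps one keypair per alias (me-private, me-work, one per persona as Sean recommends) and serialises them under a passphrase with PBKDF2-HMAC-SHA256 and AES-256-GCM from the standard JCE. The file layout, the "PKS1" magic, the iteration count and all class and method names are assumptions of the demo. The 512-bit RSA size quoted earlier in the thread is replaced by 2048 bits.

```java
import java.io.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

// Added example, not jsdsi code: a passphrase-protected store of keypairs indexed by
// persona alias, using only the standard JCE (PBKDF2-HMAC-SHA256 + AES-256-GCM).
public final class PersonaKeyStore {
    private static final byte[] MAGIC = {'P', 'K', 'S', '1'};   // hypothetical format tag
    private static final int ITERATIONS = 600_000, SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    private final Map<String, KeyPair> entries = new LinkedHashMap<>();

    public void put(String alias, KeyPair pair) { entries.put(alias, pair); }
    public KeyPair get(String alias) { return entries.get(alias); }
    public Set<String> aliases() { return Collections.unmodifiableSet(entries.keySet()); }

    // Passphrase -> AES-256 key. A fresh salt per save() keeps equal passphrases from
    // producing equal keys across files.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally { spec.clearPassword(); }
    }

    // File layout: MAGIC | salt | iv | AES-GCM(entry list) || tag.
    // The header is passed as AAD, so a modified salt or iv fails authentication on load.
    public byte[] save(char[] passphrase) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        DataOutputStream d = new DataOutputStream(body);
        d.writeInt(entries.size());
        for (Map.Entry<String, KeyPair> e : entries.entrySet()) {
            d.writeUTF(e.getKey());                                // alias, e.g. "me-work"
            d.writeUTF(e.getValue().getPublic().getAlgorithm());   // "RSA": needed to rebuild the keys
            writeBlob(d, e.getValue().getPublic().getEncoded());   // X.509 SubjectPublicKeyInfo
            writeBlob(d, e.getValue().getPrivate().getEncoded());  // PKCS#8, the only secret part
        }
        d.flush();

        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(MAGIC); out.write(salt); out.write(iv);

        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(out.toByteArray());                            // authenticate the header bytes
        out.write(c.doFinal(body.toByteArray()));
        return out.toByteArray();
    }

    public static PersonaKeyStore load(byte[] file, char[] passphrase) throws IOException, GeneralSecurityException {
        int hdr = MAGIC.length + SALT_LEN + IV_LEN;
        if (file.length < hdr || !Arrays.equals(Arrays.copyOf(file, MAGIC.length), MAGIC))
            throw new IOException("not a PersonaKeyStore file");
        byte[] salt = Arrays.copyOfRange(file, MAGIC.length, MAGIC.length + SALT_LEN);
        byte[] iv = Arrays.copyOfRange(file, MAGIC.length + SALT_LEN, hdr);

        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(Arrays.copyOf(file, hdr));
        byte[] body = c.doFinal(file, hdr, file.length - hdr);   // AEADBadTagException: wrong passphrase or tampering

        DataInputStream d = new DataInputStream(new ByteArrayInputStream(body));
        PersonaKeyStore ks = new PersonaKeyStore();
        for (int n = d.readInt(); n > 0; n--) {
            String alias = d.readUTF();
            KeyFactory kf = KeyFactory.getInstance(d.readUTF());
            PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(readBlob(d)));
            PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(readBlob(d)));
            ks.put(alias, new KeyPair(pub, priv));
        }
        return ks;
    }

    private static void writeBlob(DataOutputStream d, byte[] b) throws IOException { d.writeInt(b.length); d.write(b); }
    private static byte[] readBlob(DataInputStream d) throws IOException { byte[] b = new byte[d.readInt()]; d.readFully(b); return b; }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        PersonaKeyStore ks = new PersonaKeyStore();
        ks.put("me-private", g.generateKeyPair());   // one keypair per persona
        ks.put("me-work", g.generateKeyPair());
        char[] pw = "demo passphrase".toCharArray();
        byte[] file = ks.save(pw);

        PersonaKeyStore again = PersonaKeyStore.load(file, pw);
        System.out.println("aliases: " + again.aliases());   // [me-private, me-work]
        try {
            PersonaKeyStore.load(file, "wrong".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase rejected before any key bytes are parsed");
        }
    }
}
```

This answers the lookup question directly: the alias is the index, so "sign as me-work" is get("me-work").getPrivate() with no search for a matching public key, and the NameCert that binds the same public key to a local name can live in the unencrypted CertStore. A wrong passphrase or a modified file fails the GCM tag check before any key material is parsed, which is the property a plain ObjectOutputStream dump lacks. Keep the iteration count high enough to be slow on your hardware and store nothing but PKCS#8 and X.509 encodings so the file stays readable by other JCE providers.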