Pragmatic XML Security
Hans Granqvist, ApacheCon 2005
Agenda
+ XML Basics
  ▪ Schemas, namespaces
+ XML security
  ▪ Keys, certificates
  ▪ Signatures, encryption
+ Apache TSIK
  ▪ Origins, status
  ▪ WSS4J, XML Security
+ Coding examples
  ▪ Utility classes
  ▪ Signing
  ▪ Encryption
  ▪ Graphs and Actions
+ Future directions
  ▪ Key Management, WS-*
  ▪ SAML
  ▪ Identities
XML Basics
Quick XML recap
<Start xmlns="urn:some-uri">
  <ex:bar xmlns:ex="http://that-url.com">
    <ex:Greeting>
      Welcome to ApacheCon 2005!
    </ex:Greeting>
  </ex:bar>
  <Extra id="1234"/>
</Start>

Callouts on the slide: Element (ex:Greeting), Attribute (id="1234"), Namespace declaration (xmlns:ex="http://that-url.com"), Schema, Default namespace (xmlns="urn:some-uri")
XML Security
XML security
+ Same issues as any old security problem
  ▪ Integrity, confidentiality, authentication
+ Solved in the same way
  ▪ Keys, certificates
+ Specifications
  ▪ Key management, Encryption, Signature
+ Web services
  ▪ SOAP envelope, headers, body
+ SOAP security
  ▪ Not further discussed here!
Apache TSIK
Origins, status
+ In Apache incubation since August 2005
  ▪ http://incubator.apache.org/tsik
+ Closed source 2000-2004
  ▪ Basis of several products
  ▪ XML firewalls, PKI lifecycle management, multi-factor authentication
+ Security
  ▪ XML signature, encryption, PKCS#7 streaming, key management
  ▪ WS-Security, WS-*
+ Utility classes
  ▪ DOM, XPath, SOAP
+ Add-ons, plug-ins
  ▪ Plug-in SOAP implementation
  ▪ Add-on XML messaging
XML Security, ws.apache.org
+ Apache XMLSecurity
  ▪ XML signature and XML encryption
+ ws.apache.org
  ▪ Aims at implementing existing WS-* standards
  ▪ An umbrella for several sub-projects
  ▪ Axis filters
+ Apache TSIK
  ▪ Toolkit model
    – Single JAR
  ▪ Philosophy:
    – Simplify security usage as much as possible
    – Make it hard to commit security mistakes
Projects comparison
[Chart on the slide: horizontal axis "Simplicity of use", vertical axis "Completeness"; the three projects TSIK, ws.apache.org and xmlsec are plotted against each other.]
Code examples
What we'll look at
+ DOM cursors
  ▪ Simplified Document Object Model interface
  ▪ Traverse, get info, create elements, move around, copy sub-trees
    – Avoids DOM API, interface level, or implementation differences
    – All DOM namespaces automatically handled and kept in context
+ XPaths
  ▪ Simplified XPath interface used in all APIs
+ Signing
+ Encryption
+ Trust
+ Graphs and Actions
DOM cursors
+ Reads and writes
+ Element-oriented
  ▪ No "mixed content" (text and element siblings)
+ Intended for structured data
  ▪ Not for human-written or free-form documents
  ▪ Access to text nodes only provided via parent element
+ No low-level DOM access
  ▪ Not for implementing XPath, XSLT or C14N
+ Manipulates three node types: elements, attributes and text
  ▪ Other node types ignored and preserved
org.apache.tsik.domutil
// creating
DOMCursor c = new DOMCursor(document | element | node);
DOMCursor cloneCursor()   // clones cursor, not DOM

// inquiring
boolean atTop()
boolean atElement(uri, name)
boolean contains(otherCursor)
XPath createXPath( | relativeToOtherCursor)
String getAttribute([String uri,] String localName)

// traversing
boolean moveTo[Child|Sibling](int index)
boolean moveTo[Child|Sibling](String uri, String localName)
// (cont.)
org.apache.tsik.domutil
// traversing (cont.)
boolean moveToDescendant(String uri, String localName, boolean includeSelf)
boolean moveToTop()
boolean moveToParent()
boolean moveToXPath(XPath xpath)

// write cursors
DOMWriteCursor wc = new DOMWriteCursor();

// writing
add[Before|Under](String uri, String prefix, String name)
copy[Before|Over|Under](DOMCursor copyFrom)
move[Before|Over|Under](DOMCursor moveFrom)
XPath
+ XPath is a W3C language for addressing parts of an XML document
  ▪ Non-XML syntax
  ▪ Pattern matching
+ Examples
  ▪ /this/that/ns:theother
  ▪ //*[@id='b1']
+ TSIK XPaths encapsulate a W3C XPath expression and the namespaces that relate to the expression
+ Used in TSIK packages to reference nodes
org.apache.tsik.xpath
// create
XPath(String expr)
XPath(String expr, Map namespaces)        // prefix -> uri
XPath(String expr, String[] namespaces)   // prefix, uri, prefix, uri, ...

// create from id('idValue')
static XPath fromID(String idValue)

// create from #xpointer(xpath), #idValue
static XPath fromXPointer(String xpointer)
static XPath fromXPointer(String xpointer, Map namespaces)
Signing and Verifying
+ Sign and verify a W3C XML Digital Signature
+ RSA, DSA, HMAC, hardware keys
  ▪ X.509 certificate chains, KeyInfos or raw keys
+ Use XPath expressions for locations in a document
+ Multiple signatures
  ▪ As well as signatures with multiple references
+ Sign in place or return new document
+ Verify signatures with
  ▪ Verification key supplied in the document, or
  ▪ User-supplied key
Sign with org.apache.tsik.xmlsig
// Sign a document. Implicitly tell it to add the
// public verification key to the output.
Signer s = new Signer(document, privateKey, publicKey);

// Supply two locations to be signed.
XPath loc1 = new XPath("id('someID')");
s.addReference(loc1);
XPath loc2 = new XPath("/some/element");
s.addReference(loc2);

// Specify a location where we want the
// resulting signature to be placed.
XPath output = new XPath("/");
Document d = s.sign(output);
Verify with org.apache.tsik.xmlsig
// Specify signature location
String[] ns = {"ds", "http://www.w3.org/2000/09/xmldsig#"};
XPath signatureLocation = new XPath("//ds:Signature", ns);

// Verify using key contained in document
Verifier v = new Verifier(doc, signatureLocation);
boolean isVerified = v.verify();

// Verify using specified key (a second Verifier, so the
// variable is not redeclared)
Verifier v2 = new Verifier(doc, signatureLocation);
RSAPublicKey verifyingKey = [some public key];
boolean isVerifiedWithKey = v2.verify(verifyingKey);

// Make sure signature is over what we expect
XPath loc = new XPath("/some/element");
boolean b = v.isReferenced(loc);
Trust Verifier
+ Verifies trust of public keys and certificates
+ Use as is or as plug-in/adapter
  ▪ Used in TSIK messaging (org.apache.tsik.addon.messaging)
+ Verify based on a given collection of trusted keys and certificates
+ Chain verifiers to perform multiple checks
  ▪ For example all must pass, or one must pass
+ Automatic caching for expensive verifications
  ▪ For example XKMS, CRL
org.apache.tsik.verifier
// Get the certificate(s) from the verifier
X509Certificate[] chain = v.getCertificateChain();

// Use an X.509 trust verifier with trusted certs
ArrayList list = new ArrayList();
list.add(...);
X509TrustVerifier trustVerifier = new X509TrustVerifier(list);
trustVerifier.verifyTrust(chain);

// We can also use a CRL trust verifier. Specify which
// entities we accept as signers on the CRL and verify.
CRLTrustVerifier ctv = new CRLTrustVerifier();
list.add(...);
ctv.addCRLsigners(list);
ctv.verifyTrust(chain);
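The verify and trust-verifier slides above each show one check in isolation; the added example below (not TSIK's own code) strings them together the way an accepting endpoint should: the signature must verify, the embedded certificate chain must be trusted, and every element the application will act on must be inside a signed reference. It assumes the constructors and methods shown on the slides, that verifyTrust throws on an untrusted chain, and that getCertificateChain returns null or an empty array when the signer sent a raw key.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.apache.tsik.verifier.X509TrustVerifier;
import org.apache.tsik.xmlsig.Verifier;
import org.apache.tsik.xpath.XPath;
import org.w3c.dom.Document;

/**
 * Accept a signed document only if three independent checks all pass:
 *  1. the signature is valid for the key carried in the document,
 *  2. that key chains to one of our trusted certificates, and
 *  3. every element we rely on is covered by a signature reference.
 * Skipping 2 accepts any self-issued key; skipping 3 accepts a valid
 * signature that happens to be over some other part of the document.
 */
public final class SignedDocumentCheck {

    private static final String[] DS_NS =
        {"ds", "http://www.w3.org/2000/09/xmldsig#"};

    private SignedDocumentCheck() {}

    public static boolean isAcceptable(Document doc, List trustedCerts,
                                       XPath[] mustBeCovered) {
        try {
            XPath sigLocation = new XPath("//ds:Signature", DS_NS);
            Verifier v = new Verifier(doc, sigLocation);

            // 1. Integrity against the KeyInfo the signer embedded.
            if (!v.verify()) {
                return false;
            }

            // 2. Does that embedded key chain to something we trust?
            X509Certificate[] chain = v.getCertificateChain();
            if (chain == null || chain.length == 0) {
                return false;   // raw key, nothing to anchor trust to (assumed API)
            }
            X509TrustVerifier trust = new X509TrustVerifier(new ArrayList(trustedCerts));
            trust.verifyTrust(chain);   // assumed to throw when the chain is untrusted

            // 3. Is each element we will act on inside a signed reference?
            for (int i = 0; i < mustBeCovered.length; i++) {
                if (!v.isReferenced(mustBeCovered[i])) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;   // any verification or trust failure is a rejection
        }
    }
}
```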
Encrypting and decrypting
+ Encrypt and decrypt according to W3C standard
  ▪ Key and data encryption
+ Supports element and element content encryption
+ Uses XPath expressions for all locations in a document
+ Encrypt/Decrypt in place or return new document
Encrypt with org.apache.tsik.xmlenc
// Create an Encryptor on the document
Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES);

// Create an XPath expression with the namespaces we need
String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"};
XPath xpath = new XPath("/a:foo/b:bar", ns);

// Encrypt in place according to xpath
e.encryptInPlace(xpath);

Before:
<foo xmlns="urn:some-uri">
  <bar xmlns="urn:some-other-uri">
    This is some text.
  </bar>
</foo>

After:
<foo xmlns="urn:some-uri">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    ...
  </EncryptedData>
</foo>
Decrypt with org.apache.tsik.xmlenc
<foo xmlns="urn:some-uri">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    ...
  </EncryptedData>
</foo>

// Create a Decryptor on the doc, specify the location of the
// encrypted data. The prefix in the expression must be the one
// mapped in ns ("a" -> urn:some-uri), so the element is a:foo.
String[] ns = {"a", "urn:some-uri", "xenc", "http://www.w3.org/2001/04/xmlenc#"};
XPath xpath = new XPath("/a:foo/xenc:EncryptedData", ns);
Decryptor d = new Decryptor(doc, key, xpath);

// Decrypt the document in place
d.decryptInPlace();
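As an added example (not from the slides or the TSIK project), the encrypt and decrypt slides combined into one round trip, with a DOM cursor check after each step to confirm the plaintext element really was replaced and then restored. It assumes Encryptor and Decryptor accept a javax.crypto.SecretKey, that a fresh DOMCursor on the Document starts at the top, and that moveToXPath returns false without side effects when nothing matches.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import org.apache.tsik.domutil.DOMCursor;
import org.apache.tsik.xmlenc.AlgorithmType;
import org.apache.tsik.xmlenc.Decryptor;
import org.apache.tsik.xmlenc.Encryptor;
import org.apache.tsik.xpath.XPath;
import org.w3c.dom.Document;

/** Encrypt one element in place, check it is gone, decrypt, check it is back. */
public final class ElementEncryptionRoundTrip {

    // One prefix/URI pair per namespace the expressions below use; the
    // prefixes are local to the XPath and need not appear in the document.
    private static final String[] NS = {
        "a",    "urn:some-uri",
        "b",    "urn:some-other-uri",
        "xenc", "http://www.w3.org/2001/04/xmlenc#"
    };

    private ElementEncryptionRoundTrip() {}

    /** doc is expected to hold <foo xmlns="urn:some-uri"><bar xmlns="urn:some-other-uri">...</bar></foo>. */
    public static boolean roundTrip(Document doc) throws Exception {
        // Fresh 3DES key for this run; in practice it comes from a key store.
        // (Assumed: Encryptor/Decryptor take a javax.crypto.SecretKey.)
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();

        XPath plain  = new XPath("/a:foo/b:bar", NS);
        XPath cipher = new XPath("/a:foo/xenc:EncryptedData", NS);

        new Encryptor(doc, key, AlgorithmType.TRIPLEDES).encryptInPlace(plain);

        // After encryption the plaintext element must not be addressable,
        // and an EncryptedData element must stand in its place.
        if (new DOMCursor(doc).moveToXPath(plain)) {
            return false;
        }
        if (!new DOMCursor(doc).moveToXPath(cipher)) {
            return false;
        }

        new Decryptor(doc, key, cipher).decryptInPlace();

        // After decryption the original element is back and EncryptedData is gone.
        return new DOMCursor(doc).moveToXPath(plain)
            && !new DOMCursor(doc).moveToXPath(cipher);
    }
}
```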
Graphs and Actions
+ Graphs
  ▪ Policy derived [to be done]
  ▪ Executable dependency chains
    – Chains of independent Actions
+ Actions
  ▪ Atomic building blocks
    – No dependencies on other Actions
  ▪ Either: reads or writes to a DOM (or both)
  ▪ Or: maps or re-maps values
+ A number of pre-packaged actions and graphs
  ▪ Now: mainly used for WS-*
  ▪ org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph
Future directions
TSIK future
+ Collaboration with other Apache projects
  ▪ Overlap, re-use, commons
+ Key Management, WS-*
  ▪ Dozens of standards
+ (Federated) Identities
  ▪ Liberty
  ▪ SAML
  ▪ InfoCard
  ▪ Non-XML?
+ Roadmap still being decided
  ▪ Driven by developers!
  ▪ http://incubator.apache.org/tsik
Thanks! Questions?
Hans Granqvist <[email protected]>