
Pragmatic XML security

Pragmatic XML security. Hans Granqvist, ApacheCon 2005 <hans@apache.org>. Agenda: XML basics (schemas, namespaces); XML security (keys, certificates; signatures, encryption); Apache TSIK (origins, status; WSS4J, XML Security); coding examples (utility classes, signing, encryption, graphs and actions).


Presentation Transcript


  1. Pragmatic XML security Hans Granqvist, ApacheCon 2005 <hans@apache.org>

  2. Agenda
     • XML Basics: Schemas, namespaces
     • XML security: Keys, certificates; Signatures, encryption
     • Apache TSIK: Origins, status; WSS4J, XML Security
     • Coding examples: Utility classes; Signing; Encryption; Graphs and Actions
     • Future directions: Key Management, WS-*; SAML, Identities

  3. XML Basics

  4. Quick XML recap
     <Start xmlns="urn:some-uri">                               ← default namespace
       <ex:bar xmlns:ex="http://that-url.com">                  ← namespace declaration (binds the prefix ex)
         <ex:Greeting> Welcome to ApacheCon 2005! </ex:Greeting> ← element
       </ex:bar>
       <Extra id="1234"/>                                       ← attribute
     </Start>
     (Callouts on the slide: Default namespace, Namespace declaration, Element, Schema, Attribute)

  5. XML Security

  6. XML security
     • Same issues as any old security problem
       • Integrity, confidentiality, authentication
     • Solved in the same way
       • Keys, certificates
     • Specifications
       • Key management, Encryption, Signature
     • Web services
       • SOAP envelope, headers, body
       • SOAP security
     • Not further discussed here!

  7. Apache TSIK

  8. Origins, status
     • In Apache incubation since August 2005
       • http://incubator.apache.org/tsik
     • Closed source 2000-2004
       • Basis of several products
       • XML firewalls, PKI lifecycle management, Multi-factor authentication
     • Security
       • XML signature, encryption, PKCS#7 streaming, Key management
       • WS-Security, WS-*
     • Utility classes
       • DOM, XPath, SOAP
     • Addons, plugins
       • Plug-in SOAP implementation
       • Add-on XML messaging

  9. XML Security, ws.apache.org
     • Apache XMLSecurity
       • XML signature and XML encryption
     • ws.apache.org
       • Aims at implementing existing WS-* standards
       • An umbrella for several sub projects
       • Axis filters
     • Apache TSIK
       • Toolkit model
       • Single JAR
       • Philosophy:
         • Simplify security usage as much as possible
         • Make it hard to commit security mistakes

  10. Projects comparison (chart: ws.apache.org, TSIK and xmlsec plotted on the axes Completeness vs. Simplicity of use)

  11. Code examples

  12. What we'll look at
      • DOM cursors
        • Simplified Document Object Model interface
        • Traverse, get info, create elements, move around, copy sub-trees
        • Avoids DOM API, interface level, or implementation differences
        • All DOM namespaces automatically handled and kept in context
      • XPaths
        • Simplified XPath interface used in all APIs
      • Signing
      • Encryption
      • Trust
      • Graphs and Actions

  13. DOM cursors
      • Reads and writes
      • Element-oriented
        • No "mixed content" (text and element siblings)
        • Intended for structured data, not for human-written or free-form documents
        • Access to text nodes only provided via the parent element
      • No low-level DOM access
        • Not for implementing XPath, XSLT or C14N
      • Manipulates three node types: elements, attributes and text
        • Other node types ignored and preserved

  14. org.apache.tsik.domutil
      // creating //
      DOMCursor c = new DOMCursor(document | element | node);
      DOMCursor cloneCursor()                       // clones cursor, not DOM
      // inquiring //
      boolean atTop()
      boolean atElement(uri, name)
      boolean contains(otherCursor)
      XPath createXPath( | relativeToOtherCursor)
      String getAttribute([String uri,] String localName)
      // traversing //
      boolean moveTo[Child|Sibling](int index)
      boolean moveTo[Child|Sibling](String uri, String localName)
      // (cont.)

  15. org.apache.tsik.domutil
      // traversing (cont.) //
      boolean moveToDescendant(String uri, String localName, boolean includeSelf)
      boolean moveToTop()
      boolean moveToParent()
      boolean moveToXPath(XPath xpath)
      // Write cursors //
      DOMWriteCursor wc = new DOMWriteCursor();
      // writing //
      add[Before|Under](String uri, String prefix, String name)
      copy[Before|Over|Under](DOMCursor copyFrom)
      move[Before|Over|Under](DOMCursor moveFrom)

  16. XPath
      • XPath is a W3C language for addressing parts of an XML document
        • Non-XML syntax
        • Pattern matching
      • Examples
        • /this/that/ns:theother
        • //*[@id='b1']
      • TSIK XPaths encapsulate a W3C XPath expression and the namespaces that relate to the expression
        • Used in TSIK packages to reference nodes

  17. org.apache.tsik.xpath
      // create //
      XPath(String expr)
      XPath(String expr, Map namespaces)         // prefix->uri
      XPath(String expr, String[] namespaces)    // prefix, uri
      // create from id('idValue') //
      static XPath fromID(String idValue)
      // create from #xpointer(xpath), #idValue //
      static XPath fromXPointer(String xpointer)
      static XPath fromXPointer(String xpointer, Map namespaces)
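The point of the prefix->uri map in the constructors above is that XPath prefixes belong to the expression, not to the document. The following is an added example, not TSIK code: it uses the JDK's standard javax.xml.xpath API to do what TSIK's XPath(expr, Map) does, on a constructed sample document. The class name NamespaceXPathDemo, the helper names bindings/parse/select and the sample document are assumptions for this illustration.

```java
import java.io.StringReader;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class NamespaceXPathDemo {

    // Constructed sample, using the two namespace URIs from the slides.
    // Note that the document itself declares no prefixes at all.
    static final String SAMPLE =
        "<foo xmlns=\"urn:some-uri\">"
      + "<bar xmlns=\"urn:some-other-uri\">This is some text.</bar>"
      + "</foo>";

    // Hypothetical helper: turns a prefix->uri map into the NamespaceContext that
    // JAXP needs, the same shape as TSIK's XPath(expr, Map namespaces).
    static NamespaceContext bindings(final Map<String, String> prefixToUri) {
        return new NamespaceContext() {
            public String getNamespaceURI(String prefix) {
                String uri = prefixToUri.get(prefix);
                // An unbound prefix is an error at evaluation time, not a wildcard.
                return uri != null ? uri : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return null; }
        };
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // without this, prefixed XPath steps never match
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Evaluates expr against doc with the given prefix bindings; null when nothing matches.
    static Element select(Document doc, String expr, Map<String, String> ns) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(bindings(ns));
        return (Element) xp.evaluate(expr, doc, XPathConstants.NODE);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE);

        Map<String, String> ns = new HashMap<>();
        ns.put("a", "urn:some-uri");
        ns.put("b", "urn:some-other-uri");
        // a and b exist only in the binding map, exactly as in TSIK's
        // {"a", uri, "b", uri} array form; the document never mentions them.
        Element bar = select(doc, "/a:foo/b:bar", ns);
        System.out.println("matched {" + bar.getNamespaceURI() + "}" + bar.getLocalName());

        // Same local names, but b bound to the wrong URI: no match. A location
        // XPath that silently matches nothing is the dangerous case for an
        // encryptor or signer, because the element meant to be protected is left
        // untouched, so callers must treat a null result as an error.
        Map<String, String> wrong = new HashMap<>(ns);
        wrong.put("b", "urn:typo-uri");
        Element none = select(doc, "/a:foo/b:bar", wrong);
        System.out.println("wrong binding matched: " + (none != null));
    }
}
```

Run it with `javac NamespaceXPathDemo.java && java NamespaceXPathDemo`; the first line reports the element in urn:some-other-uri, the second prints false. Pairing the parse step with disallow-doctype-decl is not part of the XPath lesson, but every document a signer or encryptor touches should be parsed that way.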

  18. Signing and Verifying
      • Sign and verify a W3C XML Digital Signature
        • RSA, DSA, HMAC, hardware keys
        • X.509 certificate chains, KeyInfos or raw keys
      • Use XPath expressions for locations in a document
      • Multiple signatures
        • As well as signatures with multiple references
      • Sign in place or return new document
      • Verify signatures with
        • Verification key supplied in the document, or
        • User-supplied key

  19. Sign with org.apache.tsik.xmlsig
      // Sign a document. Implicitly tell it to add the
      // public verification key to output.
      //
      Signer s = new Signer(document, privateKey, publicKey);
      // Supply two locations to be signed.
      //
      XPath loc1 = new XPath("id('someID')");
      s.addReference(loc1);
      XPath loc2 = new XPath("/some/element");
      s.addReference(loc2);
      // Specify a location where we want the
      // resulting signature to be placed.
      //
      XPath output = new XPath("/");
      Document d = s.sign(output);

  20. Verify with org.apache.tsik.xmlsig
      // Specify signature location
      String ns[] = {"ds", "http://www.w3.org/2000/09/xmldsig#"};
      XPath signatureLocation = new XPath("//ds:Signature", ns);
      // Verify using key contained in document
      Verifier v = new Verifier(doc, signatureLocation);
      boolean isVerified = v.verify();
      // Verify using specified key
      Verifier v2 = new Verifier(doc, signatureLocation);
      RSAPublicKey verifyingKey = [some public key];
      boolean isVerified2 = v2.verify(verifyingKey);
      // Make sure signature is over what we expect
      XPath loc = new XPath("/some/element");
      boolean b = v2.isReferenced(loc);

  21. Trust Verifier
      • Verifies trust of public keys and certificates
        • Use as is or as plug-in/adapter
        • Used in TSIK messaging (org.apache.tsik.addon.messaging)
      • Verify based on a given collection of trusted keys and certificates
      • Chain verifiers to perform multiple checks
        • For example all must pass, or one must pass
      • Automatic caching for expensive verifications
        • For example XKMS, CRL

  22. org.apache.tsik.verifier
      // Get the certificate(s) from the verifier
      //
      X509Certificate[] chain = v.getCertificateChain();
      // Use an X.509 trust verifier with trusted certs
      //
      ArrayList list = new ArrayList();
      list.add(...);
      X509TrustVerifier trustVerifier = new X509TrustVerifier(list);
      trustVerifier.verifyTrust(chain);
      // We can also use a CRL trust verifier. Specify which
      // entities we accept as signers on the CRL and verify.
      //
      CRLTrustVerifier ctv = new CRLTrustVerifier();
      list.add(...);
      ctv.addCRLsigners(list);
      ctv.verifyTrust(chain);

  23. Encrypting and decrypting
      • Encrypt and decrypt according to the W3C standard
        • Key and data encryption
      • Supports element and element content encryption
      • Uses XPath expressions for all locations in a document
      • Encrypt/Decrypt in place or return new document

  24. Encrypt with org.apache.tsik.xmlenc
      // Create an Encryptor on the document
      Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES);
      // create an XPath expression with the namespaces we need
      String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"};
      XPath xpath = new XPath("/a:foo/b:bar", ns);
      // Encrypt in place according to xpath
      e.encryptInPlace(xpath);

      Before:
      <foo xmlns="urn:some-uri">
        <bar xmlns="urn:some-other-uri"> This is some text. </bar>
      </foo>

      After:
      <foo xmlns="urn:some-uri">
        <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                       xmlns="http://www.w3.org/2001/04/xmlenc#">
          ...
        </EncryptedData>
      </foo>

  25. Decrypt with org.apache.tsik.xmlenc
      <foo xmlns="urn:some-uri">
        <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                       xmlns="http://www.w3.org/2001/04/xmlenc#">
          ...
        </EncryptedData>
      </foo>

      // Create a Decryptor on the doc, specify the location of the
      // encrypted data.
      //
      String[] ns = {"a", "urn:some-uri", "xenc", "http://www.w3.org/2001/04/xmlenc#"};
      XPath xpath = new XPath("/a:foo/xenc:EncryptedData", ns);
      Decryptor d = new Decryptor(doc, key, xpath);
      // Decrypt the document in place
      //
      d.decryptInPlace();

  26. Graphs and Actions
      • Graphs
        • Policy derived [to be done]
        • Executable dependency chains
        • Chains of independent Actions
      • Actions
        • Atomic building blocks, no dependencies to other Actions
        • Either: reads or writes to a DOM (or both)
        • Or: maps or re-maps values
      • A number of pre-packaged actions and graphs
        • Now: mainly used for WS-*
      • org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph

  27. Future directions

  28. TSIK future
      • Collaboration with other Apache projects
        • Overlap, re-use, commons
      • Key Management, WS-*
        • Dozens of standards
      • (Federated) Identities
        • Liberty
        • SAML
        • InfoCard
      • Non-XML?
      • Roadmap still being decided
        • Driven by developers!
      • http://incubator.apache.org/tsik

  29. Thanks! Questions? Hans Granqvist <hans@apache.org>
