
How to create a secure pipe?

5 replies [Last post]
thomas_p
Offline
Joined: 2007-05-22
Points: 0

Hi folks,

for my bachelor thesis I want to develop a little application for secure network communication using JXTA. Instead of developing my own protocol for secure communication, I decided that it would be smart to use the JXTA secure pipes. But unfortunately I have no clue how to create such a secure pipe using TLS/SSL.

All the examples in my books ("mastering jxta" and "jxta in a nutshell") are completely outdated. They refer to JXTA 1.0 and I'm using 2.4.1. If I use the source code from these examples, I get a "Pipe is closed" exception when I send data to the secure input pipe.

Haven't found any up-to-date examples on the net either, besides the code from here: http://forums.java.net/jive/thread.jspa?messageID=209645&#209645 (it seems I have the same problem as t0bis). But I don't understand which part in tra's example is needed to create a secure pipe and which parts are important for the other stuff...

The whole PSEMembershipService is still quite a mystery for me. I know how certificates work but the PSEMembershipService without up-to-date documentation is quite difficult to understand.

So I would appreciate it very much if someone could post or has a link to a short code example just about creating a secure input pipe and connecting to it.

greetings thomas :-)

ohh and I'm sorry for potential violations of the English language, but I'm a second-language speaker ;-)

flort
Offline
Joined: 2007-04-11
Points: 0

(You probably would have done better on the dev or user mailing list.)

The JXTA UnicastSecure Pipes work. The only thing you have to do is work out how to get the other side to trust your Certificate. Out of the box, JXTA doesn't handle Certificate chains properly (see http://platform.jxta.org/issues/show_bug.cgi?id=1609, for example) but if you can preshare the Certificates you want to use you can force them into the keystore manually and it all works.

This means you need to control the generation of each peer's RootCertificate, which leads into the sometimes troublesome world of JXTA configuration. This is getting easier with 2.5, but Certificate handling appears to be still difficult.

drrsatzteil
Offline
Joined: 2007-03-23
Points: 0

Hi Thomas

As flort already mentioned, it is possible to use secure pipes. I also spent a lot of time on getting this to work properly. First of all, be sure to set up the configuration with a principal and password so that a certificate will be generated, as shown in the javadoc example.

config.setPrincipal(PRINCIPAL);
config.setPassword(PASSWORD);

After setting up the group, log in using a method like this, as already shown in some older examples.

import net.jxta.credential.AuthenticationCredential;
import net.jxta.credential.Credential;
import net.jxta.impl.membership.pse.StringAuthenticator;
import net.jxta.membership.MembershipService;
import net.jxta.peergroup.PeerGroup;

    // Joins the group through the PSE membership service. The keystore
    // password unlocks the peer's keystore; the principal password unlocks
    // the identity (this peer's own certificate and private key) stored in it.
    public static void login(PeerGroup group, char[] keystore_password,
            char[] principal_password) throws Exception {
        MembershipService membership = group.getMembershipService();
        Credential cred = membership.getDefaultCredential();

        if (cred != null) {
            return; // already logged in
        }

        AuthenticationCredential authCred = new AuthenticationCredential(
                group, "StringAuthentication", null);
        StringAuthenticator auth = (StringAuthenticator) membership.apply(authCred);

        if (auth != null) {
            auth.setAuth1_KeyStorePassword(keystore_password);
            auth.setAuth2Identity(group.getPeerID());
            auth.setAuth3_IdentityPassword(principal_password);

            if (auth.isReadyForJoin()) {
                membership.join(auth);
                return;
            }
        }

        throw new Exception("Could not join peer group: authenticator not ready");
    }

To set up a secure pipe simply set the type of the advertisement to UnicastSecureType.

pipeAdv.setType(PipeService.UnicastSecureType);

The last thing you need to do is import the public key of those clients you wish to communicate with. You could use whatever way you want to get them. In the project I worked on they were propagated through the network upon joining. Extract the certificates from the PeerAdvertisements of the peers you want to contact and add them to your keystore. This code is also part of an older example:

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;

import net.jxta.document.Attributable;
import net.jxta.document.Element;
import net.jxta.document.StructuredDocument;
import net.jxta.id.ID;
import net.jxta.id.IDFactory;
import net.jxta.impl.membership.pse.PSEMembershipService;
import net.jxta.impl.protocol.Certificate;
import net.jxta.peergroup.PeerGroup;
import net.jxta.protocol.PeerAdvertisement;

    // "group" is the PeerGroup this peer has already joined (see login above).
    public void importCertificate(PeerAdvertisement peerAdv) {

        PSEMembershipService pse = (PSEMembershipService) group
                .getMembershipService();

        // The remote peer's root certificate chain is carried inside its
        // peer advertisement, under the peer group's service parameters.
        StructuredDocument rootParams = peerAdv
                .getServiceParam(PeerGroup.peerGroupClassID);

        if (null == rootParams) {
            throw new IllegalArgumentException(
                    "Peer advertisement does not contain group parameters");
        }

        Enumeration eachRoot = rootParams.getChildren("RootCert");

        if (!eachRoot.hasMoreElements()) {
            throw new IllegalArgumentException(
                    "Peer advertisement does not contain root certificate");
        }

        Element root = (Element) eachRoot.nextElement();

        if (root instanceof Attributable) {
            // XXX 20040719 bondolo Backwards compatibility hack. Adds type so
            // cert chain is recognized.
            ((Attributable) root).addAttribute("type", Certificate
                    .getMessageType());
        }

        Certificate cert_msg = new Certificate(root);

        try {
            Iterator sourceChain = Arrays.asList(cert_msg.getCertificates())
                    .iterator();
            int imported = 0;
            X509Certificate aCert = (X509Certificate) sourceChain.next();

            // The peer's own certificate is stored under its peer ID; each
            // further certificate in the chain gets its own codat ID. (The
            // version posted earlier discarded that codat ID and overwrote
            // the peer ID entry for every certificate, so only the last one
            // in the chain survived.)
            ID certID = peerAdv.getPeerID();

            do {
                // Stop as soon as we reach a certificate that is already trusted.
                if (null != pse.getPSEConfig().getTrustedCertificateID(aCert)) {
                    break;
                }

                pse.getPSEConfig().erase(certID);
                pse.getPSEConfig().setTrustedCertificate(certID, aCert);
                imported++;

                // create a codat id for the next certificate in the chain.
                aCert = null;
                if (sourceChain.hasNext()) {
                    aCert = (X509Certificate) sourceChain.next();

                    byte[] der = aCert.getEncoded();
                    certID = IDFactory.newCodatID(group.getPeerGroupID(),
                            new ByteArrayInputStream(der));
                }
            } while (null != aCert);

        } catch (CertificateEncodingException failure) {
            IllegalStateException failed = new IllegalStateException(
                    "Bad certificate");
            failed.initCause(failure);
            throw failed;
        } catch (KeyStoreException failure) {
            IllegalStateException failed = new IllegalStateException(
                    "KeyStore failure while importing certificate.");
            failed.initCause(failure);
            throw failed;
        } catch (IOException failure) {
            IllegalStateException failed = new IllegalStateException(
                    "IO failure while importing certificate.");
            failed.initCause(failure);
            throw failed;
        }
    }

Don't forget that it is necessary that not only you know the key of the other peer, but the other one also knows yours.

Unfortunately I had to use standard pipes after I finally got that to work, because I found out that establishing secure connections with secure pipes was way too slow for my purposes.

so long,
Thomas
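As an added example (not code from this thread or from the JXTA project), here is how the steps in the post above fit together for the original question: after login and certificate import, build a UnicastSecure pipe advertisement, open an input pipe on it, and connect an output pipe from the other peer. It assumes `group` is the joined PeerGroup; the pipe name and the "payload" element name are made-up values.

```java
import net.jxta.document.AdvertisementFactory;
import net.jxta.endpoint.Message;
import net.jxta.endpoint.MessageElement;
import net.jxta.endpoint.StringMessageElement;
import net.jxta.id.IDFactory;
import net.jxta.peergroup.PeerGroup;
import net.jxta.pipe.InputPipe;
import net.jxta.pipe.OutputPipe;
import net.jxta.pipe.PipeMsgEvent;
import net.jxta.pipe.PipeMsgListener;
import net.jxta.pipe.PipeService;
import net.jxta.protocol.PipeAdvertisement;

public class SecurePipeExample {
    // Advertisement for a TLS-protected unicast pipe. Both peers must use
    // the same advertisement (publish it via discovery, or pre-share it).
    public static PipeAdvertisement createSecurePipeAdv(PeerGroup group) {
        PipeAdvertisement adv = (PipeAdvertisement) AdvertisementFactory
                .newAdvertisement(PipeAdvertisement.getAdvertisementType());
        adv.setPipeID(IDFactory.newPipeID(group.getPeerGroupID()));
        adv.setName("thesis-secure-pipe");           // hypothetical name
        adv.setType(PipeService.UnicastSecureType);  // TLS instead of plain unicast
        return adv;
    }

    // Receiving side: call login(group, ...) first, otherwise the TLS
    // handshake has no certificate/private key for this peer to use.
    public static InputPipe listen(PeerGroup group, PipeAdvertisement adv)
            throws java.io.IOException {
        return group.getPipeService().createInputPipe(adv, new PipeMsgListener() {
            public void pipeMsgEvent(PipeMsgEvent event) {
                MessageElement el = event.getMessage().getMessageElement("payload");
                System.out.println("received: " + (el != null ? el.toString() : "<empty>"));
            }
        });
    }

    // Sending side: the receiver's certificate must already be in this
    // keystore (importCertificate above) and ours in theirs; otherwise the
    // handshake fails and the pipe never becomes usable.
    public static void send(PeerGroup group, PipeAdvertisement adv, String text)
            throws java.io.IOException {
        OutputPipe out = group.getPipeService().createOutputPipe(adv, 30 * 1000);
        Message msg = new Message();
        msg.addMessageElement(new StringMessageElement("payload", text, null));
        out.send(msg);
        out.close();
    }
}
```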

asghar
Offline
Joined: 2005-07-26
Points: 0

Hi Thomas,

Did you try with the sample for secure peergroup, included in the Programmer’s Guide 2.3.x?

I don’t have any experience with JXTA-based security mechanisms yet and am currently (unfortunately) out of the JXTA world.

Please let me know where you are located.

Asghar

thomas_p
Offline
Joined: 2007-05-22
Points: 0

Oh an answer, didn't expect one anymore ;-)

Hi asghar,

I've tried the sample for secure peergroup in the Programmer's Guide 2.3.x, but it's just about password authorisation for a peer group. To my mind it has nothing in common with the PSE MembershipService.

Nevertheless I've used this example to build my own password authorisation for a peer group with a better crypto algorithm.

For the pipes I use the standard unicast pipe and implement security on my own using the Java crypto API. I've implemented a key exchange protocol using RSA with 1024 bit keys; for encrypting the data I use AES with a 256 bit key and SHA1withRSA for signing the data... works just fine, so I'm going to leave it that way. Especially because I have to finish my thesis by the beginning of August.

Maybe when I've finished my thesis I will search for a way to make the PSE MembershipService run. :-)

so greetings from Hamburg, Germany
thomas

yonder
Offline
Joined: 2005-01-04
Points: 0

There's a sample for the PSE membership service. You can find it in the tutorial included in the JXTA JSE source package, but I can't fully understand it because of my poor English skills.

The nightly build can be downloaded at http://download.java.net/jxta/build/nightly/.