Pragmatic XML security Hans Granqvist, ApacheCon 2005 <[email protected]>



Agenda

+ XML Basics
  ▪ Schemas, namespaces

+ XML security
  ▪ Keys, certificates
  ▪ Signatures, encryption

+ Apache TSIK
  ▪ Origins, status
  ▪ WSS4J, XML Security

+ Coding examples
  ▪ Utility classes
  ▪ Signing
  ▪ Encryption
  ▪ Graphs and Actions

+ Future directions
  ▪ Key Management, WS-*
  ▪ SAML
  ▪ Identities


XML Basics


Quick XML recap

    <Start xmlns="urn:some-uri">
      <ex:bar xmlns:ex="http://that-url.com">
        <ex:Greeting>
          Welcome to ApacheCon 2005!
        </ex:Greeting>
      </ex:bar>
      <Extra id="1234"/>
    </Start>

Labelled parts on the slide: Element, Attribute, Namespace declaration, Schema, Default namespace


XML Security


XML security

+ Same issues as any old security problem
  ▪ Integrity, confidentiality, authentication

+ Solved in the same way
  ▪ Keys, certificates

+ Specifications
  ▪ Key management, Encryption, Signature

+ Web services
  ▪ SOAP envelope, headers, body

+ SOAP security
  ▪ Not further discussed here!


Apache TSIK


Origins, status

+ In Apache incubation since August 2005
  ▪ http://incubator.apache.org/tsik

+ Closed source 2000-2004
  ▪ Basis of several products
  ▪ XML firewalls, PKI lifecycle management, Multi-factor authentication

+ Security
  ▪ XML signature, encryption, PKCS#7 streaming, Key management
  ▪ WS-Security, WS-*

+ Utility classes
  ▪ DOM, XPath, SOAP

+ Addons, plugins
  ▪ Plug-in SOAP implementation
  ▪ Add-on XML messaging


XML Security, ws.apache.org

+ Apache XMLSecurity
  ▪ XML signature and XML encryption

+ ws.apache.org
  ▪ Aims at implementing existing WS* standards
  ▪ An umbrella for several sub projects
  ▪ Axis filters

+ Apache TSIK
  ▪ Toolkit model
    – Single JAR
  ▪ Philosophy:
    – Simplify security usage as much as possible
    – Make it hard to commit security mistakes


Projects comparison

[Figure: TSIK, ws.apache.org and xmlsec plotted on two axes, "Simplicity of use" and "Completeness"]


Code examples


What we'll look at

+ DOM cursors
  ▪ Simplified Document Object Model interface
  ▪ Traverse, get info, create elements, move around, copy sub-trees
    – Avoids DOM API, interface level, or implementation differences
    – All DOM namespaces automatically handled and kept in context

+ XPaths
  ▪ Simplified XPath interface used in all APIs

+ Signing

+ Encryption

+ Trust

+ Graphs and Actions


DOM cursors

+ Reads and writes

+ Element-oriented
  ▪ No "mixed content" (text and element siblings).

+ Intended for structured data
  ▪ Not for human written or free-form documents
  ▪ Access to text nodes only provided via parent element

+ No low-level DOM access
  ▪ Not for implementing XPath, XSLT or C14N

+ Manipulates three node types: elements, attributes and text
  ▪ Other node types ignored and preserved


org.apache.tsik.domutil

    // creating
    //
    DOMCursor c = new DOMCursor(document | element | node);
    DOMCursor cloneCursor()   // clones cursor, not DOM

    // inquiring
    //
    boolean atTop()
    boolean atElement(uri, name)
    boolean contains(otherCursor)
    XPath createXPath( | relativeToOtherCursor)
    String getAttribute([String uri,] String localName)

    // traversing
    //
    boolean moveTo[Child|Sibling](int index)
    boolean moveTo[Child|Sibling](String uri, String localName)

    // (cont.)


org.apache.tsik.domutil

    // traversing (cont.)
    //
    boolean moveToDescendant(String uri, String localName, boolean includeSelf)

    boolean moveToTop()
    boolean moveToParent()
    boolean moveToXPath(XPath xpath)

    // Write cursors
    //
    DOMWriteCursor wc = new DOMWriteCursor();

    // writing
    //
    add[Before|Under](String uri, String prefix, String name)
    copy[Before|Over|Under](DomCursor copyFrom)
    move[Before|Over|Under](DomCursor moveFrom)


XPath

+ XPath is a W3C language for addressing parts of an XML document
  ▪ Non-XML syntax
  ▪ Pattern matching

+ Examples
  ▪ /this/that/ns:theother
  ▪ //*[@id='b1']

+ TSIK XPaths encapsulate a W3C XPath expression and namespaces that relate to the expression

+ Used in TSIK packages to reference nodes


org.apache.tsik.xpath

    // create
    //
    XPath(String expr)
    XPath(String expr, Map namespaces)       // prefix->uri
    XPath(String expr, String[] namespaces)  // prefix, uri

    // create from id('idValue')
    //
    static XPath fromID(String idValue)

    // create from #xpointer(xpath), #idValue
    //
    static XPath fromXPointer(String xpointer)
    static XPath fromXPointer(String xpointer, Map namespaces)


Signing and Verifying

+ Sign and verify a W3C XML Digital Signature

+ RSA, DSA, HMAC, hardware keys
  ▪ X.509 certificate chains, KeyInfos or raw keys

+ Use XPath expressions for locations in a document

+ Multiple signatures
  ▪ As well as signatures with multiple references

+ Sign in place or return new document

+ Verify signatures with
  ▪ Verification key supplied in the document, or
  ▪ User-supplied key


Sign with org.apache.tsik.xmlsig

    // Sign a document. Implicitly tell it to add the
    // public verification key to output.
    //
    Signer s = new Signer(document, privateKey, publicKey);

    // Supply two locations to be signed.
    //
    XPath loc1 = new XPath("id('someID')");
    s.addReference(loc1);

    XPath loc2 = new XPath("/some/element");
    s.addReference(loc2);

    // Specify a location where we want the
    // resulting signature to be placed.
    //
    XPath output = new XPath("/");
    Document d = s.sign(output);


Verify with org.apache.tsik.xmlsig

    // Specify signature location
    String ns[] = {"ds", "http://www.w3.org/2000/09/xmldsig#"};
    XPath signatureLocation = new XPath("//ds:Signature", ns);

    // Verify using key contained in document
    Verifier v = new Verifier(doc, signatureLocation);
    boolean isVerified = v.verify();

    // Verify using specified key
    // (alternative to the block above; the two are not meant to be combined)
    Verifier v = new Verifier(doc, signatureLocation);
    RSAPublicKey verifyingKey = [some public key];
    boolean isVerified = v.verify(verifyingKey);

    // Make sure signature is over what we expect
    XPath loc = new XPath("/some/element");
    boolean b = v.isReferenced(loc);


Trust Verifier

+ Verifies trust of public keys and certificates.

+ Use as is or as plug-in/adapter
  ▪ Used in TSIK messaging (org.apache.tsik.addon.messaging)

+ Verify based on a given collection of trusted keys and certificates.

+ Chain verifiers to perform multiple checks
  ▪ For example all must pass, or one must pass

+ Automatic caching for expensive verifications
  ▪ For example XKMS, CRL


org.apache.tsik.verifier

    // Get the certificate(s) from the verifier
    //
    X509Certificate[] chain = v.getCertificateChain();

    // Use an X.509 trust verifier with trusted certs
    //
    ArrayList list = new ArrayList();
    list.add(...);
    X509TrustVerifier trustVerifier = new X509TrustVerifier(list);
    trustVerifier.verifyTrust(chain);

    // We can also use a CRL trust verifier. Specify which
    // entities we accept as signers on the CRL and verify.
    //
    CRLTrustVerifier ctv = new CRLTrustVerifier();
    list.add(...);
    ctv.addCRLsigners(list);
    ctv.verifyTrust(chain);


Encrypting and decrypting

+ Encrypt and decrypt according to W3C standard
  ▪ Key and data encryption

+ Supports element and element content encryption

+ Uses XPath expressions for all locations in a document

+ Encrypt/Decrypt in place or return new document


Encrypt with org.apache.tsik.xmlenc

    // Create an Encryptor on the document
    Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES);

    // create an XPath expression with the namespaces we need
    String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"};
    XPath xpath = new XPath("/a:foo/b:bar", ns);

    // Encrypt in place according to xpath
    e.encryptInPlace(xpath);

    <foo xmlns="urn:some-uri">
      <bar xmlns="urn:some-other-uri">
        This is some text.
      </bar>
    </foo>
    ...
    <foo xmlns="urn:some-uri">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        ...
      </EncryptedData>
    </foo>


Decrypt with org.apache.tsik.xmlenc

    <foo xmlns="urn:some-uri">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                     xmlns="http://www.w3.org/2001/04/xmlenc#">
        ...
      </EncryptedData>
    </foo>

    // Create a Decryptor on the doc, specify the location of the
    // encrypted data.
    //
    String[] ns = {"a", "urn:some-uri",
                   "xenc", "http://www.w3.org/2001/04/xmlenc#"};

    // The prefix "a" is bound to urn:some-uri above, so the root is a:foo
    XPath xpath = new XPath("/a:foo/xenc:EncryptedData", ns);
    Decryptor d = new Decryptor(doc, key, xpath);

    // Decrypt the document in place
    //
    d.decryptInPlace();


Graphs and Actions

+ Graphs
  ▪ Policy derived [to be done]
  ▪ Executable dependency chains
    – Chains of independent Actions

+ Actions
  ▪ Atomic building blocks
    – no dependencies to other Actions
  ▪ Either: reads or writes to a DOM (or both)
  ▪ Or: maps or re-maps values

+ A number of pre-packaged actions and graphs
  ▪ Now: Mainly used for WS-*
  ▪ org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph


Future directions


TSIK future

+ Collaboration with other Apache projects
  ▪ Overlap, re-use, commons

+ Key Management, WS-*
  ▪ Dozens of standards

+ (Federated) Identities
  ▪ Liberty
  ▪ SAML
  ▪ InfoCard
  ▪ Non-XML?

+ Roadmap still being decided
  ▪ Driven by developers!
  ▪ http://incubator.apache.org/tsik


Thanks! Questions?

Hans Granqvist <[email protected]>