Number of slides: 29

Pragmatic XML security
Hans Granqvist, ApacheCon 2005 <hans@apache.org>

Agenda
+ XML Basics
  ▪ Schemas, namespaces
+ XML security
  ▪ Keys, certificates
  ▪ Signatures, encryption
+ Apache TSIK
  ▪ Origins, status
  ▪ WSS4J, XML Security
+ Coding examples
  ▪ Utility classes
  ▪ Signing
  ▪ Encryption
  ▪ Graphs and Actions
+ Future directions
  ▪ Key Management, WS-*
  ▪ SAML
  ▪ Identities

XML Basics

Quick XML recap
[Annotated XML sample; the markup did not survive extraction. Element text: "Welcome to ApacheCon 2005!". Callouts: default namespace, element, schema, attribute, namespace declaration.]

XML Security

XML security
+ Same issues as any old security problem
  ▪ Integrity, confidentiality, authentication
+ Solved in the same way
  ▪ Keys, certificates
+ Specifications
  ▪ Key management, Encryption, Signature
+ Web services
  ▪ SOAP envelope, headers, body
+ SOAP security
  ▪ Not further discussed here!

Apache TSIK

Origins, status
+ In Apache incubation since August 2005
  ▪ http://incubator.apache.org/tsik
+ Closed source 2000-2004
  ▪ Basis of several products
  ▪ XML firewalls, PKI lifecycle management, Multi-factor authentication
+ Security
  ▪ XML signature, encryption, PKCS#7 streaming, Key management
  ▪ WS-Security, WS-*
+ Utility classes
  ▪ DOM, XPath, SOAP
+ Addons, plugins
  ▪ Plug-in SOAP implementation
  ▪ Add-on XML messaging

XML Security, ws.apache.org
+ Apache XMLSecurity
  ▪ XML signature and XML encryption
+ ws.apache.org
  ▪ Aims at implementing existing WS-* standards
  ▪ An umbrella for several sub projects
  ▪ Axis filters
+ Apache TSIK
  ▪ Toolkit model
    – Single JAR
  ▪ Philosophy:
    – Simplify security usage as much as possible
    – Make it hard to commit security mistakes

Projects comparison
[Chart comparing ws.apache.org, TSIK and xmlsec. Axes: Completeness, Simplicity of use.]

Code examples

What we'll look at
+ DOM cursors
  ▪ Simplified Document Object Model interface
  ▪ Traverse, get info, create elements, move around, copy sub-trees
    – Avoids DOM API, interface level, or implementation differences
    – All DOM namespaces automatically handled and kept in context
+ XPaths
  ▪ Simplified XPath interface used in all APIs
+ Signing
+ Encryption
+ Trust
+ Graphs and Actions

DOM cursors
+ Reads and writes
+ Element-oriented
  ▪ No "mixed content" (text and element siblings).
+ Intended for structured data
  ▪ Not for human written or free-form documents
  ▪ Access to text nodes only provided via parent element
+ No low-level DOM access
  ▪ Not for implementing XPath, XSLT or C14N
+ Manipulates three node types: elements, attributes and text
  ▪ Other node types ignored and preserved

org.apache.tsik.domutil

    // creating
    //
    DOMCursor c = new DOMCursor(document | element | node);
    DOMCursor cloneCursor()   // clones cursor, not DOM

    // inquiring
    //
    boolean atTop()
    boolean atElement(uri, name)
    boolean contains(otherCursor)
    XPath createXPath( | relativeToOtherCursor)
    String getAttribute([String uri, ] String localName)

    // traversing
    //
    boolean moveTo[Child|Sibling](int index)
    boolean moveTo[Child|Sibling](String uri, String localName)
    // (cont.)

org.apache.tsik.domutil

    // traversing (cont.)
    //
    boolean moveToDescendant(String uri, String localName, boolean includeSelf)
    boolean moveTop()
    boolean moveToParent()
    boolean moveToXPath(XPath xpath)

    // Write cursors
    //
    DOMWriteCursor wc = new DOMWriteCursor();

    // writing
    //
    add[Before|Under](String uri, String prefix, String name)
    copy[Before|Over|Under](DomCursor copyFrom)
    move[Before|Over|Under](DomCursor moveFrom)

XPath
+ XPath is a W3C language for addressing parts of an XML document
  ▪ Non-XML syntax
  ▪ Pattern matching
+ Examples
  ▪ /this/that/ns:theother
  ▪ //*[@id='b1']
+ TSIK XPaths encapsulate a W3C XPath expression and namespaces that relate to the expression
+ Used in TSIK packages to reference nodes

org.apache.tsik.xpath

    // create
    //
    XPath(String expr)
    XPath(String expr, Map namespaces)        // prefix->uri
    XPath(String expr, String[] namespaces)   // prefix, uri

    // create from id('idValue')
    //
    static XPath fromID(String idValue)

    // create from #xpointer(xpath), #idValue
    //
    static XPath fromXPointer(String xpointer)
    static XPath fromXPointer(String xpointer, Map namespaces)

Signing and Verifying
+ Sign and verify a W3C XML Digital Signature
+ RSA, DSA, HMAC, hardware keys
  ▪ X.509 certificate chains, KeyInfos or raw keys
+ Use XPath expressions for locations in a document
+ Multiple signatures
  ▪ As well as signatures with multiple references
+ Sign in place or return new document
+ Verify signatures with
  ▪ Verification key supplied in the document, or
  ▪ User-supplied key

Sign with org.apache.tsik.xmlsig

    // Sign a document. Implicitly tell it to add the
    // public verification key to output.
    //
    Signer s = new Signer(document, privateKey, publicKey);

    // Supply two locations to be signed.
    //
    XPath loc1 = new XPath("id('someID')");
    s.addReference(loc1);
    XPath loc2 = new XPath("/some/element");
    s.addReference(loc2);

    // Specify a location where we want the
    // resulting signature to be placed.
    //
    XPath output = new XPath("/");
    Document d = s.sign(output);

Verify with org.apache.tsik.xmlsig

    // Specify signature location
    String ns[] = {"ds", "http://www.w3.org/2000/09/xmldsig#"};
    XPath signatureLocation = new XPath("//ds:Signature", ns);

    // Verify using key contained in document
    Verifier v = new Verifier(doc, signatureLocation);
    boolean isVerified = v.verify();

    // Verify using specified key
    Verifier v = new Verifier(doc, signatureLocation);
    RSAPublicKey verifyingKey = [some public key];
    boolean isVerified = v.verify(verifyingKey);

    // Make sure signature is over what we expect
    XPath loc = new XPath("/some/element");
    boolean b = v.isReferenced(loc);
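Added example, not from the talk or from TSIK: the last two checks on the verify slide (verify with a user-supplied key, then make sure the signature is over the element about to be used), written against the JDK's built-in javax.xml.crypto.dsig API instead of TSIK. The sample document, its element names, the Id value and the class and method names are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class VerifyExpectedReference {
    // True only if the signature validates under the caller's key AND one of its
    // same-document references resolves to the very node the caller will consume.
    static boolean verifiedOver(Document doc, PublicKey trusted, Element expected) throws Exception {
        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        if (sig == null) return false;
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trusted), sig);
        XMLSignature s = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        if (!s.validate(ctx)) return false;
        for (Object o : s.getSignedInfo().getReferences()) {
            String uri = ((Reference) o).getURI();
            if (uri != null && uri.startsWith("#")
                    && expected.isSameNode(doc.getElementById(uri.substring(1)))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample; element names and the Id value are made up for this example.
        String xml = "<order><item Id=\"i1\">book</item><note>unsigned</note></order>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        Element item = (Element) doc.getElementsByTagName("item").item(0);
        Element note = (Element) doc.getElementsByTagName("note").item(0);
        item.setIdAttribute("Id", true); // register the ID so "#i1" can be dereferenced
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair(), other = kpg.generateKeyPair();
        // Sign only <item Id="i1">; the ds:Signature is appended under <order>.
        XMLSignatureFactory f = XMLSignatureFactory.getInstance("DOM");
        SignedInfo si = f.newSignedInfo(
            f.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            f.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(f.newReference("#i1", f.newDigestMethod(DigestMethod.SHA256, null))));
        f.newXMLSignature(si, null).sign(new DOMSignContext(signer.getPrivate(), doc.getDocumentElement()));
        System.out.println("item, signer key: " + verifiedOver(doc, signer.getPublic(), item));
        System.out.println("note, signer key: " + verifiedOver(doc, signer.getPublic(), note));
        System.out.println("item, other key:  " + verifiedOver(doc, other.getPublic(), item));
    }
}
```

Comparing node identity rather than only the reference URI ties the cryptographic result to the element the application actually reads, which is the purpose of the coverage check on the slide.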

Trust Verifier
+ Verifies trust of public keys and certificates.
+ Use as is or as plug-in/adapter
  ▪ Used in TSIK messaging (org.apache.tsik.addon.messaging)
+ Verify based on a given collection of trusted keys and certificates.
+ Chain verifiers to perform multiple checks
  ▪ For example all must pass, or one must pass
+ Automatic caching for expensive verifications
  ▪ For example XKMS, CRL

org.apache.tsik.verifier

    // Get the certificate(s) from the verifier
    //
    X509Certificate[] chain = v.getCertificateChain();

    // Use an X.509 trust verifier with trusted certs
    //
    ArrayList list = new ArrayList();
    list.add(...);
    X509TrustVerifier trustVerifier = new X509TrustVerifier(list);
    trustVerifier.verifyTrust(chain);

    // We can also use a CRL trust verifier. Specify which
    // entities we accept as signers on the CRL and verify.
    //
    CRLTrustVerifier ctv = new CRLTrustVerifier();
    list.add(...);
    ctv.addCRLsigners(list);
    ctv.verifyTrust(chain);

Encrypting and decrypting
+ Encrypt and decrypt according to W3C standard
  ▪ Key and data encryption
+ Supports element and element content encryption
+ Uses XPath expressions for all locations in a document
+ Encrypt/Decrypt in place or return new document

Encrypt with org.apache.tsik.xmlenc

    // Create an Encryptor on the document
    Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES);

    // create an XPath expression with the namespaces we need
    String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"};
    XPath xpath = new XPath("/a:foo/b:bar", ns);

    // Encrypt in place according to xpath
    e.encryptInPlace(xpath);

[XML sample from the slide; the markup did not survive extraction. Surviving element text: "This is some text."]

Decrypt with org.apache.tsik.xmlenc

    // Create a Decryptor on the doc, specify the location of the
    // encrypted data.
    //
    String[] ns = {"a", "urn:some-uri", "xenc", "http://www.w3.org/2001/04/xmlenc#"};
    XPath xpath = new XPath("/a:foo/xenc:EncryptedData", ns);
    Decryptor d = new Decryptor(doc, key, xpath);

    // Decrypt the document in place
    //
    d.decryptInPlace();

Graphs and Actions
+ Graphs
  ▪ Policy derived [to be done]
  ▪ Executable dependency chains
    – Chains of independent Actions
+ Actions
  ▪ Atomic building blocks – no dependencies to other Actions
  ▪ Either: reads or writes to a DOM (or both)
  ▪ Or: maps or re-maps values
+ A number of pre-packaged actions and graphs
  ▪ Now: Mainly used for WS-*
  ▪ org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph

Future directions

TSIK future
+ Collaboration with other Apache projects
  ▪ Overlap, re-use, commons
+ Key Management, WS-*
  ▪ Dozens of standards
+ (Federated) Identities
  ▪ Liberty
  ▪ SAML
  ▪ InfoCard
  ▪ Non-XML?
+ Roadmap still being decided
  ▪ Driven by developers!
  ▪ http://incubator.apache.org/tsik

Thanks! Questions?
Hans Granqvist <hans@apache.org>