jueves, 10 de mayo de 2007
jueves, 3 de mayo de 2007
Will post everything in the engineering server
miércoles, 2 de mayo de 2007
XML signatures are flexible and usually are applied in three ways: detached, enveloping, and enveloped. The data signed is identified via a URI or XML transform.
- Detached XML signatures can sign content external to the XML document itself.
- Enveloping are those that sign an entire document
- Enveloped are those that can be applied within the same XML document, where the XML signature and the data are sibling elements within that document. Signs data that contains the signature itself as an element.
There are libraries that implement XML digital signatures for many languages: C, Pearl, Java, among others. The bad thing about it is that as this technology is changing, those toolkits are changing and the documentation is not very good.
So, basically we end up with the following: our original XML file with its elements and the desired (and digitally signed) new XML file, in my case I wanted to sign each child element of the root element (enveloped signature).
So, I needed to program what converts my original XML to signed XML, for that i chose to work in JAVA, using DOM to parse my XML file and the Apache XML Security Toolkit to handle the digital signature elements. For example, to create a new digital signature we have the following function:
We get that functionality from the xml security jar file, we only need to import it:
And we actually create the signature with the following lines (the transforms are indicating that it is an enveloped signature, that we want canonicalization and that we want to use the SHA1 algorithm to create the digital signature -- you have to previously load your key information --):
sig.addDocument("", transforms, org.apache.xml.security.utils.Constants.ALGO_ID_DIGEST_SHA1);
FileOutputStream f = new FileOutputStream(new File("signatureFileName.xml"));
Trying to understand what steps you have to follow to sign your xml document was a challenge, the toolkit only provides examples and no documentation, so you I had to dedicate much more time than expected to this implementation.
After understanding what to do in the program, another challenging part was getting it to compile! I was really lost sometimes, as any newby would be, when it did not compile, I didn't know if the problem was in my code or what... anyway, in my case to compile, I had to include in my CLASSPATH all the jar files provided on the toolkit, so my usual compilation line looked like this:
And to run the file, you have to again include all the jar files...
At the end i was able to digitally sign the elements from my XML file :o)
First, i want to state two great sources to get you started on AJAX: the W3C AJAX tutorial and a AJAX Design Strategies Article. In those places i learned so much about this technology and in fact the last one provides the following great image that shows how AJAX works:
So, what is AJAX about??, well, it is about enhancing the User Interface of our web application, making it highly responsive to events triggered by the user. AJAX is not something new, is more a set of technologies that work together to give this highly responsive effect because it supports asynchronous and partial refreshes of a web page.
The Asynchronous part is about leaving the server do its work, without having to wait for its response in the client.
For the presentation the popup was finally working!
My next step would be to show a picture along with the data in that popup window. To finally be happy about the AJAX implementation (updates tomorrow)
A DOM object will represent the XML document as a tree, everything is in memory, but you can go from one element to another and return in case that you need it, but to allow that it is more resource intensive.
The DOM technology is not new, it existed way before XML, but due to the XML sintaxis, they are a great match.
In the case of my project i'm using the DOM with a PHP script (used in the AJAX implementation) and with Java (used for the XML Signatures implementation).
DOM with PHP is really simple, and you can find good documentation searching on the internet. Next i'll show some lines of code using functions that are specially useful:
$xmlDoc = new DOMDocument();
DOM with Java is simple too, the equivalent for the above php implementation would be:
File file = new File("myXmlFile.xml");and the documentation is pretty good too, so you just have to know what you need, research to figure out which functions will help you and you can parse the document to get the information that you want.
Document doc = builder.parse(file);
NodeList nodes = doc.getElementsByTagName("element_name");
In my defense i've to say that the majority of the articles that i read about XML Security talked about the different design alternatives for your XML documents, and about possible use for those technologies. For example, in the case of web services, you are requesting information and a server sends you your response, usually in the form of an XML document, so, if an attacker is clever enough, he or she can modify what the server is sending you and in that case the xml that you receive is not valid information, but how to validate it? well, that is where the XML Signatures enter into action. I also read examples where the Body from a SOAP envelope was Digitally signed to prove the identity of the parties.
And well, they talk about that, and leave the implementation details in the dark, usually saying that as it is a new technology and is evolving there is no point in talking about x or y toolkit because it would surely change in the near future. So, when i started to get my hands around the implementation, i looked for a toolkit to do it, there are a few of them, in different programming languages, and i chose to work with the Apache XML Security Toolkit, because it was written on Java and i thought that later i could create a servlet.
The thing is, there is not much documentation, they even tell you that they don't have much, but that you are welcome at studying the sample code that they provide, which is great, but some of the codes don't have much comments. Anyway, the truth is that they were helpful, and when implementing is where i finally realized that i needed to parse the document!! that to include my digital signatures!! I really had the idea that it was a more automated process, but no, i needed to practically create a new xml document taking the original information and adding the signatures... For that DOM parsing was great and that is when i left out the XML Encryption, not intentionally, it is just that i started working on the signatures first.
As this post is already too big, in the next ones i will explain the three technologies implemented.
martes, 27 de marzo de 2007
I've found this article that gives a very good insight in this XML technology:
"XML Encryption is not intended to replace or supersede SSL/TLS. Rather, it provides a mechanism for security requirements that are not covered by SSL. The following are a two important areas not addressed by SSL:
- Encrypting part of the data being exchanged
- Secure sessions between more than two parties
With XML Encryption, each party can maintain secure or insecure states with any of the communicating parties. Both secure and non-secure data can be exchanged in the same document. For example, think of a secure chat application containing a number of chat rooms with several people in each room. XML-encrypted files can be exchanged between chatting partners so that data intended for one room will not be visible to other rooms."
In short, the objective is to provide end-to-end confidentiality in the application layer, given that XML is an integral part of web-based bussines applications, security is a major concern. Along with XML Encryption we also have XML Signatures, which provide data integrity, i'll post about them soon.