Pragmatic XML security Hans Granqvist, ApacheCon 2005.


2 Agenda
+ XML Basics
  ▪ Schemas, namespaces
+ XML security
  ▪ Keys, certificates
  ▪ Signatures, encryption
+ Apache TSIK
  ▪ Origins, status
  ▪ WSS4J, XML Security
+ Coding examples
  ▪ Utility classes
  ▪ Signing
  ▪ Encryption
  ▪ Graphs and Actions
+ Future directions
  ▪ Key Management, WS-*
  ▪ SAML
  ▪ Identities

3 XML Basics

4 Quick XML recap
[Annotated XML example; the markup is not preserved. Element text: "Welcome to ApacheCon 2005!". Callouts: Element, Attribute, Namespace declaration, Schema, Default namespace]

5 XML Security

6 XML security
+ Same issues as any old security problem
  ▪ Integrity, confidentiality, authentication
+ Solved in the same way
  ▪ Keys, certificates
+ Specifications
  ▪ Key management, Encryption, Signature
+ Web services
  ▪ SOAP envelope, headers, body
+ SOAP security
  ▪ Not further discussed here!

7 Apache TSIK

8 Origins, status
+ In Apache incubation since August 2005
+ Closed source
  ▪ Basis of several products
  ▪ XML firewalls, PKI lifecycle management, Multi-factor authentication
+ Security
  ▪ XML signature, encryption, PKCS#7 streaming, Key management
  ▪ WS-Security, WS-*
+ Utility classes
  ▪ DOM, XPath, SOAP
+ Addons, plugins
  ▪ Plug-in SOAP implementation
  ▪ Add-on XML messaging

9 XML Security, ws.apache.org
+ Apache XMLSecurity
  ▪ XML signature and XML encryption
+ ws.apache.org
  ▪ Aims at implementing existing WS* standards
  ▪ An umbrella for several sub projects
  ▪ Axis filters
+ Apache TSIK
  ▪ Toolkit model
    – Single JAR
  ▪ Philosophy:
    – Simplify security usage as much as possible
    – Make it hard to commit security mistakes

10 Projects comparison
[Chart; axes: "Simplicity of use" and "Completeness"; projects plotted: TSIK, ws.apache.org, xmlsec]

11 Code examples

12 What we'll look at
+ DOM cursors
  ▪ Simplified Document Object Model interface
  ▪ Traverse, get info, create elements, move around, copy sub-trees
    – Avoids DOM API, interface level, or implementation differences
    – All DOM namespaces automatically handled and kept in context
+ XPaths
  ▪ Simplified XPath interface used in all APIs
+ Signing
+ Encryption
+ Trust
+ Graphs and Actions

13 DOM cursors
+ Reads and writes
+ Element-oriented
  ▪ No "mixed content" (text and element siblings).
+ Intended for structured data
  ▪ Not for human written or free-form documents
  ▪ Access to text nodes only provided via parent element
+ No low-level DOM access
  ▪ Not for implementing XPath, XSLT or C14N
+ Manipulates three node types: elements, attributes and text
  ▪ Other node types ignored and preserved

14 org.apache.tsik.domutil

    // creating
    DOMCursor c = new DOMCursor(document | element | node);
    DOMCursor cloneCursor()   // clones cursor, not DOM

    // inquiring
    boolean atTop()
    boolean atElement(uri, name)
    boolean contains(otherCursor)
    XPath createXPath( | relativeToOtherCursor)
    String getAttribute([String uri,] String localName)

    // traversing
    boolean moveTo[Child|Sibling](int index)
    boolean moveTo[Child|Sibling](String uri, String localName)
    // (cont.)

15 org.apache.tsik.domutil

    // traversing (cont.)
    boolean moveToDescendant(String uri, String localName, boolean includeSelf)
    boolean moveToTop()
    boolean moveToParent()
    boolean moveToXPath(XPath xpath)

    // Write cursors
    DOMWriteCursor wc = new DOMWriteCursor();

    // writing
    add[Before|Under](String uri, String prefix, String name)
    copy[Before|Over|Under](DomCursor copyFrom)
    move[Before|Over|Under](DomCursor moveFrom)

16 XPath
+ XPath is a W3C language for addressing parts of an XML document
  ▪ Non-XML syntax
  ▪ Pattern matching
+ Examples
  ▪ /this/that/ns:theother
+ TSIK XPaths encapsulate a W3C XPath expression and namespaces that relate to the expression
+ Used in TSIK packages to reference nodes

17 org.apache.tsik.xpath

    // create
    XPath(String expr)
    XPath(String expr, Map namespaces)        // prefix->uri
    XPath(String expr, String[] namespaces)   // prefix, uri

    // create from id('idValue')
    static XPath fromID(String idValue)

    // create from #xpointer(xpath), #idValue
    static XPath fromXPointer(String xpointer)
    static XPath fromXPointer(String xpointer, Map namespaces)

18 Signing and Verifying
+ Sign and verify a W3C XML Digital Signature
+ RSA, DSA, HMAC, hardware keys
  ▪ X.509 certificate chains, KeyInfos or raw keys
+ Use XPath expressions for locations in a document
+ Multiple signatures
  ▪ As well as signatures with multiple references
+ Sign in place or return new document
+ Verify signatures with
  ▪ Verification key supplied in the document, or
  ▪ User-supplied key

19 Sign with org.apache.tsik.xmlsig

    // Sign a document. Implicitly tell it to add the
    // public verification key to output.
    Signer s = new Signer(document, privateKey, publicKey);

    // Supply two locations to be signed.
    XPath loc1 = new XPath("id('someID')");
    s.addReference(loc1);
    XPath loc2 = new XPath("/some/element");
    s.addReference(loc2);

    // Specify a location where we want the
    // resulting signature to be placed.
    XPath output = new XPath("/");
    Document d = s.sign(output);

20 Verify with org.apache.tsik.xmlsig

    // Specify signature location
    String ns[] = {"ds", "..."};   // placeholder: the ds namespace URI is not preserved in this transcript
    XPath signatureLocation = new XPath("//ds:Signature", ns);

    // Verify using key contained in document
    Verifier v = new Verifier(doc, signatureLocation);
    boolean isVerified = v.verify();

    // Alternatively, verify using specified key
    Verifier v2 = new Verifier(doc, signatureLocation);
    RSAPublicKey verifyingKey = [some public key];
    boolean isVerifiedWithKey = v2.verify(verifyingKey);

    // Make sure signature is over what we expect
    XPath loc = new XPath("/some/element");
    boolean b = v.isReferenced(loc);

21 Trust Verifier
+ Verifies trust of public keys and certificates.
+ Use as is or as plug-in/adapter
  ▪ Used in TSIK messaging ( org.apache.tsik.addon.messaging )
+ Verify based on a given collection of trusted keys and certificates.
+ Chain verifiers to perform multiple checks
  ▪ For example all must pass, or one must pass
+ Automatic caching for expensive verifications
  ▪ For example XKMS, CRL

22 org.apache.tsik.verifier

    // Get the certificate(s) from the verifier
    X509Certificate[] chain = v.getCertificateChain();

    // Use an X.509 trust verifier with trusted certs
    ArrayList list = new ArrayList();
    list.add(...);
    X509TrustVerifier trustVerifier = new X509TrustVerifier(list);
    trustVerifier.verifyTrust(chain);

    // We can also use a CRL trust verifier. Specify which
    // entities we accept as signers on the CRL and verify.
    CRLTrustVerifier ctv = new CRLTrustVerifier();
    list.add(...);
    ctv.addCRLsigners(list);
    ctv.verifyTrust(chain);

23 Encrypting and decrypting
+ Encrypt and decrypt according to W3C standard
  ▪ Key and data encryption
+ Supports element and element content encryption
+ Uses XPath expressions for all locations in a document
+ Encrypt/Decrypt in place or return new document

24 Encrypt with org.apache.tsik.xmlenc

    // Create an Encryptor on the document
    Encryptor e = new Encryptor(doc, key, AlgorithmType.TRIPLEDES);

    // create an XPath expression with the namespaces we need
    String[] ns = {"a", "urn:some-uri", "b", "urn:some-other-uri"};
    XPath xpath = new XPath("/a:foo/b:bar", ns);

    // Encrypt in place according to xpath
    e.encryptInPlace(xpath);

    This is some text....
    <EncryptedData Type=" xmlns="

25 Decrypt with org.apache.tsik.xmlenc

    <EncryptedData Type=" xmlns="

    // Create a Decryptor on the doc, specify the location of the
    // encrypted data.
    String[] ns = {"a", "urn:some-uri", "xenc", "..."};   // placeholder: the xenc namespace URI is not preserved in this transcript
    XPath xpath = new XPath("/a:foo/xenc:EncryptedData", ns);
    Decryptor d = new Decryptor(doc, key, xpath);

    // Decrypt the document in place
    d.decryptInPlace();

26 Graphs and Actions
+ Graphs
  ▪ Policy derived [to be done]
  ▪ Executable dependency chains
    – Chains of independent Actions
+ Actions
  ▪ Atomic building blocks – no dependencies to other Actions
  ▪ Either: reads or writes to a DOM (or both)
  ▪ Or: maps or re-maps values
+ A number of pre-packaged actions and graphs
  ▪ Now: Mainly used for WS-*
  ▪ org.apache.tsik.wsp.Action and org.apache.tsik.wsp.DependencyGraph

27 Future directions

28 TSIK future
+ Collaboration with other Apache projects
  ▪ Overlap, re-use, commons
+ Key Management, WS-*
  ▪ Dozens of standards
+ (Federated) Identities
  ▪ Liberty
  ▪ SAML
  ▪ InfoCard
  ▪ Non-XML?
+ Roadmap still being decided
  ▪ Driven by developers!

Thanks! Questions? Hans Granqvist