I wanted to know if there is any way to call OpenSSL library functions (not the command-line tools) from Java code. Specifically I want to use OpenSSL to securely read from and write to a socket created by Java code. If JNI is the solution then is there any pre-written JNI that I can use? I am also aware of JSSE and JCE but I'd still like more information regarding this query.
Related
Setup:
Linux with GnuPG or Windows with GPG4Win(OpenPGP)
A 2048 RSA keypair has been created by a privileged user who can access the key ring
A second lower privilege user has been created for a java application to run under
Permission has been granted for this user to run GPG commands but cannot access physical key ring files
The key IDs are known to the java application and so is the passphrase to extract private key
Java application has imported Bouncycastle library
The java program needs to perform an encryption and decryption using the key pair
Problem:
I have successfully performed encryption and decryption using Bouncycastle. But it involved trying to read the public and private keys from the pubring and secring files.
For security, I would rather not have the java application have direct access to the key ring files.
What are my options. Are there any options in Bouncycastle to do this without reading the key rings or exporting the keys to separate files?
Note: Using Bouncy castle is not necessary.
Your Java application can call gnupg with whatever privileges the user that executes the application currently has. Fortunately, gnupg supports a wealth of command-line options that allow you to supply all necessary arguments and read/collect back status and results, such as -batch, -options or -status-fd. You can call programs from Java and read their results back using Java's ProcessBuilder or higher level libraries such as Plexus Utils
On the other hand, there is at least one java-based wrapper library that speaks directly with the GnuPG executable. While platform-dependent, this probably has speed advantages over spawning a process for each transaction; and will probably spare you a lot of implementation effort figuring out command-line options.
Note that using GnuPG this way bypasses BouncyCastle entirely -- you would be automating calls to GnuPG, effectively using it as your "library".
BouncyCastle requires direct access to the key files, both the public and private keys.
Not Using BouncyCastle
If you want to prevent the Java application from accessing the key files, but still use it for encryption and decryption, you might be successful using GnuPG 2.1 which offloads all operation requiring access to the private keyring to the gpg-agent. A setup that might work would look somewhat like that:
Start gpg-agent
Restrict access for your Java application, so it can access the gpg-agent socket, but not the private key files
In Linux, you might consider using chroot or appropriate permissions for the socket and keyring files. In Windows, there might be something like a sandbox solution.
Building your own BouncyCastle Daemon
Similar to the small-weight gpg-agent, you could write your own daemon that handles all secret key operations, while not exposing the key at the same time (so you've got a small daemon with much lower chance of critical bugs; while the large, possibly insecure and exposed main application can send requests for encryption/decryption to the "agent" application).
Is there a way to create a pkcs10 CSR using native java library?
Hello there, i am looking for a way to generate a PKCS10 CSR within an java application.
I prefer native java librarys. Absolutely obsolet are commandline tools. I know it is possible by using BouncyCastle, but currently i am looking for a alternative way to do that.
The library itself should be free to use for commertial belongings.
Have a look into answer number 2 on Building a Certificate Authority architecture. There seems to be no way to do what you want with JSSE directly.
I want to exchange a public key between a c++ application and and android application.
I decided to use Diffie-Hellman. On the C++ side this library looks promising for generating the keys with c++. Now I am looking for an implementation for java to generate the keys on the android smartphone.
What libraries would you suggest, also on the c++ side?
In the end i want to share the public key as a string via UDP.
kind regards
A long time ago I used Crypto++ for the C++ which worked well for me and has support for many different algorithms.
http://www.cryptopp.com/
For android the KeyAgreement class can be used on some JavaVM, it is initialized with a String to choose the algorithm. You could try to instantiate it with "DiffieHellman" and see if you get an instance.
According to Java7 docs, http://docs.oracle.com/javase/7/docs/api/javax/crypto/KeyAgreement.html -
"Every implementation of the Java platform is required to support the following standard KeyAgreement algorithm:
DiffieHellman"
Test it and see if that includes dalvik or not.
I'm writing java swing app. I need my app connect to server CentOS 5.5, using username + *.ppk file (I don't have password). Then, my app execute some command line on this server.
Is this possible ? What library is best for it ?
There is a number of libraries that support what you're trying to achieve in different ways.
Connecting to an SSH server via Java is no big thing anymore these days.
Those are some libraries that you might consider:
Ganymede
http://www.cleondris.ch/opensource/ssh2/
Ganymede was made by some students at the ETH Zurich and works quite well. I personally use it in a project that runs on a very old machine using Java 1.3. It doesn't require anything besides a JRE. It is, however, not very active anymore. There is that company that seems to support it (Cleondris), but I wouldn't know how reliable they are. Doesn't matter much though since it's open source anyways. If you need to run your app on old java versions or need to know, that your app runs withou the Java Cryptography Extension (JCE), you could chose this.
JSch
http://sourceforge.net/projects/jsch/
JSch too is a mature piece of software and just works. If you've ever used ant to do SSH/SCP related tasks, you probably know it already. It's always a bother since you have to provide it to ant manually :-)
The project is well maintained, as it seems and widely used. I used it in a lot of modern UI/Batch applications and was/am always happy with it. It does use JCE though and I did once experience problems with that (on an older JRE, but still). If you plan to distribute your software to clients unknown to you, this might be a problem. JCE needs stuff installed / configured inside the JRE installation itself. Probably works 99% of the time, but still...
SSHTools
http://sshtools.sourceforge.net/
Never used this one but heard good things. May be worth a try.
Converting ppk to OpenSSH format using Java
As this is obviously possible, it's only a matter of implementing it. Fortunately for you, there are actually multiple implementations around. It might even be implemented in one of the suggested SSH libraries, but I didn't check.
A quick google search revealed two choices to me:
trilead-putty-extension
https://github.com/kohsuke/trilead-putty-extension
Seems to me like a very nice choice. Even though it's an extension to Trilead SSH library (which, it seems, isn't available anymore), it's not a lot of code and could easily be integrated into an existing project. There is one class that does the work and can convert a ppk key into a openssh one. String to string, so no surprises there. Should really be a piece of cake.
I don't know what happend to Trilead. The company doesn't mention it anymore on their website, but it certrainly existed at some point (http://techtavern.wordpress.com/2008/11/13/about-trilead-ssh-open-source-project/).
By the way: The guy who wrote it is the one who also wrote Jenkins/Hudson. http://kohsuke.org/
"ChillKat" Java Library
http://www.example-code.com/java/ssh_ppk_to_pem.aspn
Well... this just as an alternative. Doesn't seem worth the effort and overhead to download a "multi-purpose" library just for that. You could maybe extract the relevant parts or let yourself be inspired by it. Maybe the trilead extension doesn't work and you have to pick this one, but I wouldn't consider it first choice.
You can of course always convert the .ppk file manually, as explained here: http://www.lmolnar.com/geek/how-to-convert-puttys-private-key-ppk-into-opensshs-private-key-format-in-linux/
And other places, I guess. There is the graphical tool puttygen too, which is included in putty-installer or downloadable standalone via the putty website (http://www.chiark.greenend.org.uk/~sgtatham/putty/).
Would you like to know more?
Check this: http://linuxmafia.com/ssh/java.html or write a comment.
If converting the .ppk to a less proprietary format (i.e. .pub rsa or dsa) is an option, then give a try to puttygen (usage: "puttygen keyfile.ppk -o id_rsa -O private-openssh") from the putty-tools package.
Then use SSHTools, a java API for SSH (and more)
One of options is to use SSHBlackbox package of our SecureBlackbox product. It supports loading of Putty keys and full scope of SSH-related functionality (SFTP requires SFTPBlackbox package). SecureBlackbox comes with extensive samples and support.
The current JSch version does not support *.ppk files,
but JSch can use those files by using jsch-agent-proxy via Putty's Pageant.
Install and open puttygen
Click on "Load an existing private key file"
Click on menu item "Conversions" -> "Export OpenSSH key"
Save file, and use this in your Java app
I'm looking to port a small Java security library to PHP. The Java implementation makes use of a keystore for signing some stuff and I'm wondering how to go about recreating this functionality in PHP. Of course the original Java implementation must still work with the same key pair/keystore.
I have very little experience with PHP and havn't tried to do anything portable with Java keystores before.
I expect there is some way to export the private key to a format that can be used by PHP.
Does anyone know exactly what I need to do in this situation?
If you aren't absolutely set on porting your code to php, you can use the php-java bridge to make calls to it from php. If your java code is proven, there's no reason to discard it out of hand.
http://phpkeystore.org/ may be of use.
EDIT: As implied by Mihir below, that site appears to be gone.
The last "good" archive of it is available at https://web.archive.org/web/20170607151254/http://phpkeystore.org/