Monday Jan 14, 2013

Secure Email from Java

I've been working recently with a client to do some rather useful things with notifications, and one of them involved sending a secure email from within a Java program. We encountered some interesting (translation: weird!) challenges, and in overcoming them, I worked out a reasonably straightforward path through the minefield. If you've been thinking about secure-email-enabling your Java app but aren't sure where to start, hopefully this will serve as a fairly quick and mostly painless primer.  :-)

The Problem

Let me first say that if you only want to send a plain-text email from Java, there are ways to do that without much fuss and without any external players. If you want to sign or encrypt your emails, though, you'll need a couple of extra components:
1. a digital certificate (private/public key pair issued by a recognized Certificate Authority, or "CA") and
2. a means of using the certificate to sign and/or encrypt the email

The goal is to digitally sign an email to assure recipients that the sender of the mail is indeed me (or you, if you're following along at work/home). Let's get started!

Getting Your Tools in Order

Getting a Certificate

First, we have to have a digital certificate. If you already have one, you can skip this step...but if not, StartSSL offers free user/email certificates for personal use. Just point your browser to the StartSSL site and click the large button labeled "Sign-up". You'll need to provide them some information, enter the verification code they email to the address you provide, and they do the rest...including installing your new cert and the certificate chain into your web browser.

Freeing the Certificate from your Browser

Perhaps the easiest way to use a certificate is to store it (keys, certificate chain) in a Java Keystore (jks). Extracting your shiny new certificate from your browser is a relatively easy (albeit drawn-out) process. From your browser, export your certificate, including private key. This will produce a .pfx file, which is a PKCS12 keystore. From Chrome, you simply:
  1. Click on the Wrench (or Lines) icon in the upper-right corner
  2. Select "Settings" from the menu
  3. "Show advanced settings..." at the bottom of the page
  4. Scroll down to the section labeled "HTTPS/SSL"
  5. Click the "Manage certificates..." button to display your certificates.
Then, from the certificates window:
  1. Select the target certificate and click the "Export..." button
  2. Click "Next" from the Export Wizard window
  3. Choose "Yes, export the private key" and click "Next"
  4. Under the "Personal Information Exchange - PKCS #12 (.PFX)" entry, select the options to "Include all certificates in the certification path if possible" and "Export all extended properties" (NOTE: Do NOT choose to "Delete the private key if the export is successful". No no no!) and click "Next"
  5. Enter a password (twice) and click "Next"
  6. Provide a path/filename for the export and click "Next", and finally...
  7. Confirm the export options and click "Finish".
Now that we've liberated your cert from the browser, let's make it usable by our (non-browser) Java program.

Creating a Java Keystore

The fastest, easiest way I've found to convert a .pfx file to a .jks (Java Keystore) file is with the Oracle 11g database client. The database client can be downloaded by following this link, selecting the "See All" link to the right of your listed operating system, and choosing the 11g client from the OS-specific download page. Once it's downloaded and installed, you're ready to proceed.

Like the .pfx file, the Oracle wallet is a PKCS12 keystore, and the orapki utility (and other tools) included with the database client can be used to manipulate it...as long as it thinks it's dealing with an Oracle wallet. To make that happen, simply rename the .pfx file to ewallet.p12. Since we aren't dealing with the Oracle Wallet Manager, we don't have to worry about meeting OWM's password criteria or other niceties. Yes, that really is all there is to it!

Now, to make a Java Keystore. To do that, you'll need to open a command prompt and do the following tasks:
  1. Create an ORACLE_HOME environment variable that points to the install location of the Oracle client
  2. Run the following command, pointing to the orapki utility under %ORACLE_HOME%\bin (in Windows) or $ORACLE_HOME/bin (Mac/Linux/UNIX):
orapki wallet pkcs12_to_jks -wallet <wallet_directory> -pwd <wallet_password> -jksKeyStoreLoc <java_key_store_path_and_filename> -jksKeyStorepwd <jks_password>

You should now have a brand new Java KeyStore! You can verify its contents with the OpenSSL keytool utility:
keytool -list -keystore <java_key_store>

Now that we have our credentials in order, on to the Java side of things!

Building the Solution

There are several Java libraries available that aid in signing and/or encrypting email. Of the non-commercial options I found, all use the Bouncy Castle Crypto API and libraries as their underpinnings. Bouncy Castle (BC) may have a funny name, but it's all business with regard to encryption.

At a very high level, you need to do the following things to create/send a signed email:
  1. Provide the email "essentials": SMTP server host & port, email addresses (sender & receiver), a subject, content, and the sending user's password
  2. Add BC as a new crypto provider
  3. Retrieve the cert from your Java Keystore
  4. Create and sign the email using the BC API/libraries
  5. Send the email
There is much more you can do of course, but these are the "must-haves".

In preparation for developing our secure email module, I created a proof of concept (BCCrypTool) by marrying a Java email program I'd written previously and some BC sample code...code reuse at its lowest level, but still good for the environment. :-) What you see here in my GitHub repo is a bit of streamlined Java code that should be pretty easy to repurpose. Please feel free to take a copy and do just that, and if you make significant changes/improvements and are able and inclined to share them, please feel free to do that as well. Sharing is caring.  :-)

A quick note on libraries. You'll need the following to make this work:
And from Bouncy Castle, the following:
  • The BC provider library (bcprov-jdk15on-147.jar)
  • The BC S/MIME library (bcmail-jdk15on-147.jar)
  • The BC security library (bcpkix-jdk15on-147.jar)
There are other BC libraries available here if you'd like to take things even further.

All the best to you in your Java secure email adventures!

Mark

Monday Dec 31, 2012

Creating a Portable Java/JavaFX Rig using the Raspberry Pi

So you're a mobile/embedded Java developer who just can't get enough time with your devices? Need to get your JDK/JavaFX ARM fix on the go? It's easy and inexpensive to do just that with only a few essential parts:

  • Raspberry Pi
  • Atrix Lapdock, which provides portable keyboard/video/mouse and power for the Raspberry Pi!
  • A few cables and adapters (shown in videos, described in linked article below)
  • SD card (8G or more, Class 6 or higher)
  • Edimax EW-7811Un wi-fi adapter

That's all the hardware you'll need to make some serious, very portable ARM Java magic. Total cost was under $120 when I started this adventure; YMMV.  :-)

There are a few differences between setting up the soft-float (SF) and hard-float (HF) versions of Raspbian, but this recent post covers the basics of getting an OS on the SD card for booting and configuring the Pi. The two key differences between SF and HF configuration to this point:

  1. Overclocking. HF Raspbian allows for easy overclocking from the raspi-config utility. A word of warning, though: The OS devs caution that the maximum overclocking setting has been known to corrupt SD cards, and I've found this to be the case several times. Stepping down one level to the next-to-fastest overclocking setting works a treat.
  2. Wi-fi configuration. SF Debian/Raspbian wi-fi configuration can be best accomplished using the instructions in the aforementioned post. Trying the same thing in HF Raspbian results in a message suggesting the use of the wi-fi graphical configuration tool...and it's even easier. With the Edimax, all I did was boot with both ethernet cable & Edimax connected, sudo su, startx, and run wpa_gui under the Internet menu (WiFi Config on the desktop if not root). Fill in your wi-fi details (I used WPA2/CCMP for my WAP) and then File|Save Configuration when finished. Quick, easy, and done.  :-)

Below are links to a couple of short video tours of my mobile Java/JavaFX "testing rig". I'd embed them directly if the Roller blog software supported it (if someone knows how, please let me know!). After the video links is a link to an article/video I used as a template when I originally made mine. Great stuff, fun, and extremely useful...for me, anyway. Hope you enjoy it!

Video 1: Intro to Raspberry Pi & Atrix Lapdock, Part 1 of 2
Video 2: Follow-on to Raspberry Pi & Atrix Lapdock, Part 2 of 2

Reference article/video

Happy hardware hacking,
Mark

Tuesday Dec 18, 2012

Developer Preview of JDK8, JavaFX8 *HARD-FLOAT ABI* for Linux/ARM Now Available!

Just a quick post to spread the good word: the Developer Preview of JDK8 and JavaFX8 for Linux on ARM processors - hard-float ABI - is now available here. Right here.

It's been tested on the Raspberry Pi, and many of us plan to (unofficially) test it on a variety of other ARM platforms. This could be the beginning of something big.

So...what are you still doing here? Go download it already! (Did I mention you could get it here?) :-D

All the best,
Mark

Sunday Nov 25, 2012

Prepping the Raspberry Pi for Java Excellence (part 1)

I've only recently been able to begin working seriously with my first Raspberry Pi, received months ago but hastily shelved in preparation for JavaOne. The Raspberry Pi and other diminutive computing platforms offer a glimpse of the potential of what is often referred to as the embedded space, the "Internet of Things" (IoT), or Machine to Machine (M2M) computing.

I have a few different configurations I want to use for multiple Raspberry Pis, but for each of them, I'll need to perform the following common steps to prepare them for their various tasks:

  • Load an OS onto an SD card
  • Get the Pi connected to the network
  • Load a JDK

I've been very happy to see good friend and JFXtras teammate Gerrit Grunwald document how to do these things on his blog (link to article here - check it out!), but I ran into some issues configuring wi-fi that caused me some needless grief. Not knowing if any of the pitfalls were caused by my slightly-older version of the Pi and not being able to find anything specific online to help me get past it, I kept chipping away at it until I broke through. The purpose of this post is to (hopefully) help someone else recognize the same issues if/when they encounter them and work past them quickly.

There is a great resource page here that covers several ways to get the OS on an SD card, but here is what I did (on a Mac):

  • Plug SD card into reader on/in Mac
  • Format it (FAT32)
  • Unmount it (diskutil unmountDisk diskn, where n is the disk number representing the SD card)
  • Transfer the disk image for Debian to the SD card (dd if=2012-08-08-wheezy-armel.img of=/dev/diskn bs=1m)
  • Eject the card from the Mac (diskutil eject diskn)

There are other ways, but this is fairly quick and painless, especially after you do it several times. Yes, I had to do that dance repeatedly (minus formatting) due to the wi-fi issues, as it kept killing the ability of the Pi to boot. You should be able to dramatically reduce the number of OS loads you do, though, if you do a few things with regard to your wi-fi.

Firstly, I strongly recommend you purchase the Edimax EW-7811Un wi-fi adapter. This adapter/chipset has been proven with the Raspberry Pi, it's tiny, and it's cheap. Avoid unnecessary aggravation and buy this one!

Secondly, visit this page for a script and instructions regarding how to configure your new wi-fi adapter with your Pi. Here is the rub, though: there is a missing step. At least there was for my combination of Pi version, OS version, and uncanny gift of timing and luck. :-)

Here is the sequence of steps I used to make the magic happen:

  • Plug your newly-minted SD card (with OS) into your Pi and connect a network cable (for internet connectivity)
  • Boot your Pi. On the first boot, do the following things:
    • Opt to have it use all space on the SD card (will require a reboot eventually)
    • Disable overscan
    • Set your timezone
    • Enable the ssh server
    • Update raspi-config
  • Reboot your Pi. This will reconfigure the SD to use all space (see above).
  • After you log in (UID: pi, password: raspberry), upgrade your OS. This was the missing step for me that put a merciful end to the repeated SD card re-imaging and made the wi-fi configuration trivial. To do so, just type sudo apt-get upgrade and give it several minutes to complete. Pour yourself a cup of coffee and congratulate yourself on the time you've just saved.  ;-)
  • With the OS upgrade finished, now you can follow Mr. Engman's directions (to the letter, please see link above), download his script, and let it work its magic. One aside: I plugged the little power-sipping Edimax directly into the Pi and it worked perfectly. No powered hub needed, at least in my configuration.

To recap, that OS upgrade (at least at this point, with this combination of OS/drivers/Pi version) is absolutely essential for a smooth experience. Miss that step, and you're in for hours of "fun". Save yourself!

I'll pick up next time with more of the Java side of the RasPi configuration, but as they say, you have to cross the moat to get into the castle. Hopefully, this will help you do just that. Until next time!

All the best,
Mark

Saturday Nov 10, 2012

Polishing the MonologFX API

Earlier this week, I released "into the wild" a new JavaFX 2.x dialog library, MonologFX, that incorporated some elements of DialogFX and new features I'd been working on over time. While I did try to get the API to a point of reasonable completion (nothing is ever truly "finished", of course!), there was one bit of functionality that I'd included without providing any real "polish": that of the button icons.

Good friend and fellow JFXtras teammate José Pereda Llamas suggested I fix that oversight and provide an update (thanks much, José!), thus this post. If you'd like to take a peek at the new streamlined syntax, I've updated the earlier post; please click here if you'd like to review it. If you want to give MonologFX a try, just point your browser to GitHub to download the updated code and/or .jar.

All the best,
Mark

About

The Java Jungle addresses topics from mobile to enterprise Java, tech news to techniques, and anything even remotely related. The goal is to help us all do our work better with Java, however we use it.

Your Java Jungle guide is Mark Heckler, an Oracle Senior Java/Middleware/Core Engineer with development experience in numerous environments. Mark's current work pursuits and passions all revolve around Java and leave little time to blog or tweet - but somehow, he finds time to do both anyway.

Mark lives with his very understanding wife & kids in the St. Louis, MO area.



Stay Connected

Search

Archives
« June 2015
SunMonTueWedThuFriSat
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
    
       
Today