The Java Keystore is a file that contains your security certificates and keys. It’s a convenient way to ship security information around with your application, but requires a little administration work to have one built.
The KeyStore java class natively works with this technology so that your security information can be easily used inside of your applications.
In today’s post, I’ll go through some basic usage of the keytool application. There are so many more features to this application that what I’ve listed below, so check out the man page for keytool as a reference.
This creates a key store and puts a key pair in it (based on the subject details that you provided). You can verify that the key pair is in the store by listing it out:
$ keytool -list-keystore keystore.jks
You should end up with output like the following
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mydomain, 08/02/2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0F:42:6D:F6:48:85:99:4C:B5:97:0B:25:10:BF:83:F9:D5:2A:80:77
The text PrivateKeyEntry tells us the particular entry contains a secret/private key.
You see that this item doesn’t mention PrivateKeyEntry as there is no secret stored in this entry, it’s only the certificate (public key) so it lists as trustedCertEntry.
The visa certificate that I’d just imported can now be exported with the following command:
$ keytool -export-alias visa -file visa.crt -keystore keystore.jks -storepass password
Viewing certificate detail
You can view the details of any certificate that you have on your file system using keytool as well:
$ keytool -printcert-v-file visa.crt
The verbose output allows you to check all of the details in the certificate. You can perform this certificate printing process on any certificate inside of a keystore, as well. In this case though, you need to refer to the certificate by its alias:
$ keytool -list-v-keystore keystore.jks -storepass password -alias visa
You’ll end up with identical output.
Other utilities
Finally, you can remove certificates from a keystore. Again, you need to reference the certificate by its alias:
$ keytool -delete-alias visa -keystore keystore.jks -storepass password
You can change the password for a keystore as well:
Cairo is a cross platform 2D graphics library. It’s got a wide range of features that are exposed through a solid and easy to use API. From the website:
The cairo API provides operations similar to the drawing operators of PostScript and PDF. Operations in cairo including stroking and filling cubic Bézier splines, transforming and compositing translucent images, and antialiased text rendering. All drawing operations can be transformed by any affine transformation (scale, rotation, shear, etc.)
In today’s post, I’m going to re-implement a very simple version of the old windows screensaver, Mystify. In fact, it’s not even going to look as cool as the one in the video but it will take you through basic drawing with Cairo and animation using GTK+ and GDK.
Getting your feet wet
If you don’t want to dive right into doing animation with Cairo, I suggest that you take a look at the FAQ. Up there is a section on what a minimal C program looks like. For reference, I have included it below. You can see that it’s quite static in nature; writing a PNG of the result at the end:
There’s a shopping list of compiler and linker switches when building with Cairo, GTK+ and GDK. pkg-config has been a great help here, so here are the CFLAGS and LFLAGS definitions from my Makefile:
The Mystify effect is just a handful of vertices bouncing around the screen with lines connecting them. Really quite simple and we can get away with a basic data structure to defined this:
structtag_mystify_vert{intx,y;/* x and y positions */intvx,vy;/* x and y velocities */doubler,g,b;/* colour components */};typedefstructtag_mystify_vertmystify_vert;mystify_vertverts[N_VERTS];
Drawing the structure is just enumerating over the array defined above and drawing the lines:
staticgbooleanon_draw_event(GtkWidget*widget,cairo_t*cr,gpointeruser_data){intn;/* clear the background to black */cairo_set_source_rgb(cr,0,0,0);cairo_paint(cr);/* draw lines between verts */for(n=0;n<(N_VERTS-1);n++){cairo_set_source_rgb(cr,verts[n].r,verts[n].g,verts[n].b);cairo_move_to(cr,verts[n].x,verts[n].y);cairo_line_to(cr,verts[n+1].x,verts[n+1].y);cairo_set_line_width(cr,1);cairo_stroke(cr);}/* draw a line between the first and last vert */n=N_VERTS-1;cairo_set_source_rgb(cr,verts[n].r,verts[n].g,verts[n].b);cairo_move_to(cr,verts[n].x,verts[n].y);cairo_line_to(cr,verts[0].x,verts[0].y);cairo_set_line_width(cr,1);cairo_stroke(cr);returnFALSE;}
OpenSSL is the open source project that provides the world with SSL and TLS. In today’s post, I’ll walk through some simple tasks to encrypt and decrypt your data.
Features
OpenSSL is a very feature-rich library. It contains many pieces of functionality that you should study in more detail. The man page for it goes into all of these details in great depth.
Encoding information
Perhaps a slightly edge-case piece of functionality, OpenSSL has the ability to Base64 encode your information. It’s no where near actually securing your information, but the facility is there.
You can Base64 encode a string with the following command:
OpenSSL gives you the ability to encrypt a piece of information using a password. This is a simple way of securing your information without certificates, but isn’t a very strong strategy for information security.
Take a look under the Encoding and Cipher Commands for a full range of strategies here. Where we used the base64 options above, no password was asked for. This is because it’s just an encoding. If we were to use the bf option (which will use the Blowfish Cipher), we’re prompted for a password.
$ echo"Hello, world" | openssl enc -bf> password_enc.dat
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:
password_enc.dat contains what would appear to be garbage, but it is our string; just encrypted. To get our plain text back:
You need to enter the correct password in order to get your plain text back. Pretty simple. This is the process for any of the ciphers mentioned above.
Encrypt with a key pair
Stepping up the complexity, you can get OpenSSL to encrypt and decrypt your data using public-key cryptographyy.
First of all, we need to generate a public/private key pair. The following command will generate a private key. This will be an RSA keypair with a 4096 bit private key.
$ openssl genrsa -out private_key.pem 4096
Generating RSA private key, 4096 bit long modulus
....++
......................................................................................................................................................................................................................++
e is 65537 (0x10001)
Now that the private key has been generated, we extract the public key from it:
Generating a self-signed certificate is a fairly simple process. The following will generate a certificate and private key (in the one file) that’s valid for 1 year. This certificate’s key won’t be protected by a passphrase.
You can use OpenSSL to generate some random data for you as well. This is useful in scenarios where your application requires nonce data. The rand switch does this easily:
Asymmetric encryption is a category of cryptographic strategies employed to share information between two parties using two separate keys.
In today’s post, I want to show how the encryption flow actually works using some Ruby code.
Decisions
Before we can get started, we need to make some decisions regarding the encryption that we’re going to use. The two assumptions that I’ve made up front are about the key size and digest function. I’ve stored these assumptions in a hash up front:
We’ll use 4096 bit key lengths and SHA-256 as our digest function.
Parties
First thing that we have to establish is that we have two parties. They both want to send a message to each other that no one else can read. They’re both defined in our ruby code as party_a and party_b.
There’s no network separating these parties, so you’ll have to use your imagination.
To create a party, I’ve used the following:
defmake_party(conf,name)# create a public/private key pair for this partypair=OpenSSL::PKey::RSA.new(conf[:key_length])# extract the public key from the pairpub=OpenSSL::PKey::RSA.new(pair.public_key.to_der){:keypair=>pair,:pubkey=>pub,:name=>name}end
Using the configuration assumptions that we’d declared above, this function will create a key pair, extract the public key and give the party a name (nice for display purposes).
Processing a message
Next up, we’ll prepare a message to send. There’s a little trickery that you need to remember here:
:keypair is private and never seen by the other party
:pubkey is distributed between the parties
To prove that the message was sent by the originator, the sender generates a signature for the message. This is done by the sender using the sender’s private key and the pre-defined digest function:
# using the sender's private key, generate a signature for the messagesignature=from_party[:keypair].sign(conf[:digest_func],message)
Using the recipient’s public key, the sender will encrypt the plain text:
# messages are encrypted (by the sender) using the recipient's public keyencrypted=to_party[:pubkey].public_encrypt(message)
The recipient can now decrypt the message using their private key:
# messages are decrypted (by the recipient) using their private keydecrypted=to_party[:keypair].private_decrypt(encrypted)
Finally, the recipient can verify that the message is actually from the sender by checking the signature:
Generators are python functions that act like iterators. This abstraction allows you to simplify a lot of your for-loop code, implement lazy evaluation and even create more intelligent value producing iterators.
In today’s post, I’ll go through a basic usage of the yield keyword; the generator that’s created as a result and how you can interact with this function type.
Prime number example
To produce the generator, I’ve written a function that will filter through numbers picking out prime numbers. The algorithm isn’t highly optimised. It’s quite crude/brute-force in its approach, but it’ll be enough for us to understand the generator function.
We’re maintaining an internal list of primes that we’ve found. When we come across a potential candidate, we try to divide it by primes that we’ve already found. To cut down on the number of divides, we only go for numbers lower than the square root of the candidate.
Note the use of yield. As we call yield, this makes another value available in the iterator. You can see that this is an iterator that doesn’t end. Well, it will end - once the integer data type overflows. If we were using a data type that wasn’t susceptible to this type of overflow, we’d only be limited by the amount of memory in the machine.
Iterating
So, we’ve created what appears to be an infinite list. Testing it out in the REPL:
ps is the generator, and we’re able to call the next function on it. As we do that, we progress through the iterator. We can start to work with ps now as if it were any other iterator.
Using a list comprehension, we can find the first 10 primes:
>>> ps = primes()
>>> [ps.next() for _ in xrange(1, 10)]
[2, 3, 5, 7, 9, 11, 13, 15, 17]
Using itertools we can get all of the prime numbers under 100:
yield allows you to make generators which are the potential to create values, as opposed to the values themselves. It’s not until you start to iterate over the generator that the values start to materialise.