<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Java Security and Networking</title><link>http://pipes.yahoo.com/pipes/pipe.info?_id=_rn8QKpg3hGZt64je0xjxw</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/javasec" /><description>Pipes Output</description><language>en</language><generator>http://pipes.yahoo.com/pipes/</generator><atom:link xmlns:atom="http://www.w3.org/2005/Atom" rel="next" href="http://pipes.yahoo.com/pipes/pipe.run?_id=_rn8QKpg3hGZt64je0xjxw&amp;_render=rss&amp;page=2" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/javasec" /><feedburner:info uri="javasec" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><title>by Weijun   - Re-read [capaths]</title><link>http://feedproxy.google.com/~r/javasec/~3/8-BI9TDjDEk/re_read_capaths</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 24 Apr 2013 03:06:37 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/re_read_capaths</guid><description>Discovery


[capaths] does not have the same meaning in JDK and the rest of the world (See references at the bottom).


In JDK, each line describes a relation and one needs to consult multiple relations to create a path. In the rest of the world, each line itself is a path.


So, suppose shared keys are between A and B, B and C, and, C and D. For a client in A, in order to visit a service in D, it needs A -&amp;gt; B -&amp;gt; C -&amp;gt; D.


In JDK, the capaths is written as

A = {
   B = .     # I can go B directly
   C = B     # To go C, I need to go B first
   D = C     # To go D, I need to go C...</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/re_read_capaths</feedburner:origLink></item><item><title>by Weijun   - A Test for 2013</title><link>http://feedproxy.google.com/~r/javasec/~3/PqcQoalV-kY/a_test_for_2013</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Fri, 04 Jan 2013 19:01:57 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/a_test_for_2013</guid><description>I want to see if this blog and its commenting system still works.




Update: Aha, I have to manually approve each comment.</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/a_test_for_2013</feedburner:origLink></item><item><title>by Xuelei Fan - TLS Server Name Indication Extension and Unrecognized_name</title><link>http://feedproxy.google.com/~r/javasec/~3/IsNrxughGl0/tls-server-name-indication-extension.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Fri, 15 Jun 2012 12:42:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-870129663705367366</guid><description>It's getting hot that some TLS/HTTPS servers failed with "unrecognized_name". For example, the Adobe AIR 3 Code Signing Certificate Problem, the ADT handshake alert, and the jarsigner issue with timestamp.geotrust.com, etc. This entry will discuss some background of the "unrecognized_name" alert, and the TLS Server Name Indication (SNI) extension.








Background
"Unrecognized_name" is an error alert, defined by RFC4366.&amp;nbsp; In section 4 of RFC4366:



   -  "unrecognized_name": this alert is sent by servers that receive a
      server_name extension request, but do not recognize the...</description><feedburner:origLink>http://sim.ivi.co/2012/06/tls-server-name-indication-extension.html</feedburner:origLink></item><item><title>by Xuelei Fan - NIST Security Strength Time Frames</title><link>http://feedproxy.google.com/~r/javasec/~3/Ba3q2Rotd0M/nist-security-strength-time-frames.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Mon, 23 Apr 2012 23:36:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-3414045861903059114</guid><description>Security Strength Time Frames of NIST SP 800-57 Part 1


Security Strength    | 80 (applying) | 80 (processing) | 112 (applying) | 112 (processing) | 128        | 192        | 256
through 2010         | acceptable    | acceptable      | acceptable     | acceptable       | acceptable | acceptable | acceptable
2011 through 2013    | deprecated    | legacy use      | acceptable     | acceptable       | acceptable | acceptable | acceptable
2014 through 2030    | disallowed    | legacy use      | acceptable     | acceptable       | acceptable | acceptable | acceptable
2031 and Beyond      | disallowed    | legacy use      | disallowed     | legacy use       | acceptable | acceptable | acceptable
Symmetric Algorithms | 2TDEA | 3TDEA | AES-128 | AES-192...</description><feedburner:origLink>http://sim.ivi.co/2012/04/nist-security-strength-time-frames.html</feedburner:origLink></item><item><title>by Xuelei Fan - SSL Server Test Online Service</title><link>http://feedproxy.google.com/~r/javasec/~3/tNwfxCBR80o/ssl-server-test-online-service.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 26 Jan 2012 10:20:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-8572824867784768928</guid><description>The SSL Server Test Online Service performs a deep analysis of the configuration of any SSL web server on the public Internet. It's a great web service to test the quality of an SSL web server.</description><feedburner:origLink>http://sim.ivi.co/2012/01/ssl-server-test-online-service.html</feedburner:origLink></item><item><title>by Xuelei Fan - Another Challenge of Hash Functions</title><link>http://feedproxy.google.com/~r/javasec/~3/3-SCUL0MGDA/another-challenge-of-hash-functions.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 29 Dec 2011 22:00:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-70753160449931398</guid><description>No comments, please refer to the following docs: "Hash Table Collision Attacks Could Trigger DDoS on a Massive Scale | SecurityWeek.Com" and the research from n.runs AG</description><feedburner:origLink>http://sim.ivi.co/2011/12/another-challenge-of-hash-functions.html</feedburner:origLink></item><item><title>by Xuelei Fan - Search and Replace Strings in Files Under a Certain Directory</title><link>http://feedproxy.google.com/~r/javasec/~3/lxX0aT_RE3c/search-and-replace-strings-in-files.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 29 Dec 2011 10:52:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-9064591410092756460</guid><description>As simple as: 

$ find thePath -type f -name theFileNamePattern | xargs &amp;#92;
  perl -pi -e 's/toBeReplacedString/newString/g'</description><feedburner:origLink>http://sim.ivi.co/2011/12/search-and-replace-strings-in-files.html</feedburner:origLink></item><item><title>by Weijun   - Old Versions of Cisco AnyConnect and Java 6u29</title><link>http://feedproxy.google.com/~r/javasec/~3/uWgfOQcK2SQ/old_versions_of_cisco_anyconnect</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 07 Nov 2011 10:33:54 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/old_versions_of_cisco_anyconnect</guid><description>In Oracle Java 6u14, we introduced blacklist support. The blacklist "is a list of signed jars that contain serious security vulnerabilities that can be exploited by untrusted applets or applications". Once a signed jar is listed here, it will never be loaded. Recently, in 6u29, we added more entries into the list. Some of them are for the Cisco AnyConnect Mobility Client, and you can see why this is a very serious problem on Cisco's own support page.



Unfortunately, it seems quite a lot of AnyConnect servers out there are not updated to the latest version. Some are not that ancient, which...</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/old_versions_of_cisco_anyconnect</feedburner:origLink></item><item><title>by Xuelei Fan - A proposal to countermeasure BEAST attack</title><link>http://feedproxy.google.com/~r/javasec/~3/o0DK3vy1tLo/proposal-to-countermeasure-beast-attack.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sun, 06 Nov 2011 11:35:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-3932158844803100894</guid><description>I posted the proposal to countermeasure the BEAST attack in Bug 665814 at Bugzilla@Mozilla. For quick reference, I copy it in the blog:



Xuelei Fan                                                  2011-07-20 20:35:42 PDT&amp;nbsp;         Comment 59:

One significant drawback of the current proposed countermeasure
(sending empty application data packets) is that the empty packet
might be rejected by the TLS peer (see comments #30/#50/others:  MSIE
does not accept empty fragments, Oracle application server (non-JSSE)
cannot accept empty fragments, etc.)

We've been looking at a slightly...</description><feedburner:origLink>http://sim.ivi.co/2011/11/proposal-to-countermeasure-beast-attack.html</feedburner:origLink></item><item><title>by Xuelei Fan - Java SE 7 New Features Ed 1 course</title><link>http://feedproxy.google.com/~r/javasec/~3/jofmNYXrd1M/java-se-7-new-features-ed-1-course.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Fri, 26 Aug 2011 11:17:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-1171936132344057159</guid><description>The first of the Java SE 7 courses - D72697GC10 - Java SE 7 New Features Ed 1 is now on the public schedule on education.oracle.com.</description><feedburner:origLink>http://sim.ivi.co/2011/08/java-se-7-new-features-ed-1-course.html</feedburner:origLink></item><item><title>by Xuelei Fan - JSSE Oracle Provider Default Disabled TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/Vojzn8ffs64/jsse-oracle-provider-default-disabled.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sun, 07 Aug 2011 11:04:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-3315800580748679286</guid><description>The following TLS cipher suites are supported by the Oracle provider, SunJSSE. These cipher suites are disabled by default for one of the following reasons:

obsoleted weak cipher suites
anonymous cipher suites
no encryption cipher suites (null cipher)
Kerberos cipher suites
Cipher suites for Kerberos (KRB5) need additional KRB5 service configuration, and these cipher suites are not common in practice.



You are NOT supposed to use these cipher suites unless you really know what you're doing.

    
   Preference   Value   Description
   1   0x00,0x6D  ...</description><feedburner:origLink>http://sim.ivi.co/2011/08/jsse-oracle-provider-default-disabled.html</feedburner:origLink></item><item><title>by Xuelei Fan - Java™ SE 7 Release Security Enhancements - Weak Cryptography Control</title><link>http://feedproxy.google.com/~r/javasec/~3/1CmjfL-ntfQ/java-se-7-release-security-enhancements.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 30 Jul 2011 21:09:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-1830440802989852330</guid><description>Weak cryptographic algorithms can now be disabled in the Java SE 7 release. The MD2 Message-Digest Algorithm was disabled by default in the Sun PKIX provider and the SunJSSE provider.



The MD2 algorithm is a cryptographic hash function developed by Ronald Rivest in 1989, and was published in 1992 as an Informational RFC (RFC 1319). RFC 6149 moves RFC 1319/MD2 to historic status: "Since its publication, MD2 has been shown to not be collision-free, albeit successful collision attacks for properly implemented MD2 are not that damaging.  Successful pre-image and second pre-image attacks against MD2 have...</description><feedburner:origLink>http://sim.ivi.co/2011/07/java-se-7-release-security-enhancements.html</feedburner:origLink></item><item><title>by Xuelei Fan - Time of ECC Algorithms in Web Services?</title><link>http://feedproxy.google.com/~r/javasec/~3/PYvTbS9Yov0/time-of-ecc-algorithms-in-web-services.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 28 Jul 2011 18:56:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-8446443370591876287</guid><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" height="72" url="http://2.bp.blogspot.com/-uUdJPjQlfzY/TjI5nI4P-yI/AAAAAAAAAFA/eZE_NBdelnc/s72-c/browser_market_share_2011_06.png" width="72" /><description>It's a question whose answer depends on your application deployment. The browser market share in the following pie chart may be a factor in your consideration.
From previous posts, I learned that out of the major market players, only Opera does not support ECC TLS cipher suites yet.</description><feedburner:origLink>http://sim.ivi.co/2011/07/time-of-ecc-algorithms-in-web-services.html</feedburner:origLink></item><item><title>by Xuelei Fan - Oracle Launches Java 7</title><link>http://feedproxy.google.com/~r/javasec/~3/t57VjIcHbOM/oracle-launches-java-7.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 28 Jul 2011 10:37:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-1696161623517851342</guid><description>Source: www.oracle.com. Oracle Announces Availability of Java SE 7; you are able to download and try Java SE 7 right now.



You may also want to know Java™ SE 7 Release Security Enhancements. I may publish a new post to introduce the new security features in the blog. Stay Tuned!</description><feedburner:origLink>http://sim.ivi.co/2011/07/oracle-launches-java-7.html</feedburner:origLink></item><item><title>by Xuelei Fan - JSSE Oracle Provider Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/09wKMHdO6Ac/jsse-oracle-provider-preference-of-tls.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 13:32:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-7911260212831937784</guid><description>Preference Order   Value   Description
   1   0xC0,0x24   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  
   2   0xC0,0x28   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  
   3   0x00,0x3D   TLS_RSA_WITH_AES_256_CBC_SHA256  
   4   0xC0,0x26   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384  
   5   0xC0,0x2A   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384  
   6   0x00,0x6B   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  
   7   0x00,0x6A   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256  
   8   0xC0,0x0A   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  
   9   0xC0,0x14   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  
   10   0x00,0x35  ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html</feedburner:origLink></item><item><title>by Xuelei Fan - Browser Safari Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/KQbjAVM2KhI/browser-safari-preference-of-tls-cipher.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 13:01:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-3784290163998668278</guid><description>Preference Order   Value   Description
   1   0x00,0x2F   TLS_RSA_WITH_AES_128_CBC_SHA  
   2   0x00,0x35   TLS_RSA_WITH_AES_256_CBC_SHA  
   3   0x00,0x05   TLS_RSA_WITH_RC4_128_SHA  
   4   0x00,0x0A   TLS_RSA_WITH_3DES_EDE_CBC_SHA  
   5   0xC0,0x13   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  
   6   0xC0,0x14   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  
   7   0xC0,0x09   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  
   8   0xC0,0x0A   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  
   9   0x00,0x32   TLS_DHE_DSS_WITH_AES_128_CBC_SHA  
   10   0x00,0x38   TLS_DHE_DSS_WITH_AES_256_CBC_SHA  
   11   0x00,0x13  ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/browser-safari-preference-of-tls-cipher.html</feedburner:origLink></item><item><title>by Xuelei Fan - Browser Opera Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/RefM1ZzDFs4/browser-opera-preference-of-tls-cipher.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 12:51:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-2105114530099244283</guid><description>Preference Order   Value   Description
   1   0x00,0xFF   TLS_EMPTY_RENEGOTIATION_INFO_SCSV [1]  
   2   0x00,0x6B   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256  
   3   0x00,0x6A   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256  
   4   0x00,0x69   TLS_DH_RSA_WITH_AES_256_CBC_SHA256  
   5   0x00,0x68   TLS_DH_DSS_WITH_AES_256_CBC_SHA256  
   6   0x00,0x3D   TLS_RSA_WITH_AES_256_CBC_SHA256  
   7   0x00,0x39   TLS_DHE_RSA_WITH_AES_256_CBC_SHA  
   8   0x00,0x38   TLS_DHE_DSS_WITH_AES_256_CBC_SHA  
   9   0x00,0x37   TLS_DH_RSA_WITH_AES_256_CBC_SHA  
   10   0x00,0x36   TLS_DH_DSS_WITH_AES_256_CBC_SHA  
  ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/browser-opera-preference-of-tls-cipher.html</feedburner:origLink></item><item><title>by Xuelei Fan - Google Chrome Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/iHmYLReXQII/google-chrome-preference-of-tls-cipher.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 12:37:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-6514561021947459239</guid><description>Preference Order   Value   Description
   1   0xC0,0x0A   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  
   2   0xC0,0x14   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  
   3   0x00,0x88   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  
   4   0x00,0x87   TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  
   5   0x00,0x39   TLS_DHE_RSA_WITH_AES_256_CBC_SHA  
   6   0x00,0x38   TLS_DHE_DSS_WITH_AES_256_CBC_SHA  
   7   0xC0,0x0F   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA  
   8   0xC0,0x05   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA  
   9   0x00,0x84   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  
   10   0x00,0x35   TLS_RSA_WITH_AES_256_CBC_SHA  
...</description><feedburner:origLink>http://sim.ivi.co/2011/07/google-chrome-preference-of-tls-cipher.html</feedburner:origLink></item><item><title>by Xuelei Fan - Internet Explorer Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/nUcxRY7TfLw/internet-explorer-preference-of-tls.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 12:22:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-1449299707147411568</guid><description>Preference Order   Value   Description
   1   0x00,0x3C   TLS_RSA_WITH_AES_128_CBC_SHA256  
   2   0x00,0x2F   TLS_RSA_WITH_AES_128_CBC_SHA  
   3   0x00,0x3D   TLS_RSA_WITH_AES_256_CBC_SHA256  
   4   0x00,0x35   TLS_RSA_WITH_AES_256_CBC_SHA  
   5   0x00,0x05   TLS_RSA_WITH_RC4_128_SHA  
   6   0x00,0x0A   TLS_RSA_WITH_3DES_EDE_CBC_SHA  
   7   0xC0,0x27   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  
   8   0xC0,0x13   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  
   9   0xC0,0x14   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  
   10   0xC0,0x2B   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  
   11   0xC0,0x23  ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/internet-explorer-preference-of-tls.html</feedburner:origLink></item><item><title>by Xuelei Fan - Firefox Preference of TLS Cipher Suites</title><link>http://feedproxy.google.com/~r/javasec/~3/v5m7mydz2Ss/firefox-preference-of-tls-cipher-suites.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 12:06:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-6748749188200590082</guid><description>Order   Value   Description
   1   0xC0,0x0A   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  
   2   0xC0,0x14   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  
   3   0x00,0x88   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  
   4   0x00,0x87   TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  
   5   0x00,0x39   TLS_DHE_RSA_WITH_AES_256_CBC_SHA  
   6   0x00,0x38   TLS_DHE_DSS_WITH_AES_256_CBC_SHA  
   7   0xC0,0x0F   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA  
   8   0xC0,0x05   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA  
   9   0x00,0x84   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA  
   10   0x00,0x35   TLS_RSA_WITH_AES_256_CBC_SHA  
   11  ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/firefox-preference-of-tls-cipher-suites.html</feedburner:origLink></item><item><title>by Xuelei Fan - Compare TLS Cipher Suites for Web Browsers</title><link>http://feedproxy.google.com/~r/javasec/~3/cRKj56TC-mI/compare-tls-cipher-suites-for-web.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 23 Jul 2011 01:22:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-750308600213267152</guid><description>The following table compares the default TLS cipher suites supported and enabled by web browsers [SOURCE] and Java SE 7. The comparison is not to show which browser is better; it is just a reference. ;-) Meanwhile, it does not mean that the more cipher suites a browser supports, the better the browser is supposed to be.




Value | Description | Reference | Firefox 5.0 | IE 9.0 | Chrome 14.0 | Opera 11.50 | Safari 5.0 | Java SE 7
 ...</description><feedburner:origLink>http://sim.ivi.co/2011/07/compare-tls-cipher-suites-for-web.html</feedburner:origLink></item><item><title>by Xuelei Fan - Compare TLS Extensions for Web Browsers</title><link>http://feedproxy.google.com/~r/javasec/~3/rhF0VeTx51k/compare-tls-extensions-for-web-browsers.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Fri, 22 Jul 2011 22:50:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-7077082767163303732</guid><description>A table worth a thousand words! ;-)




Value | Extension name           | Reference | Supported by (Firefox 5.0, IE 9.0, Chrome 14.0, Opera 11.50, Safari 5.0, Java SE 7)
0     | server_name              | RFC 6066  | √√√√√√
1     | max_fragment_length      | RFC 6066  |
2     | client_certificate_url   | RFC 6066  |
3     | trusted_ca_keys          | RFC 6066  |
4     | truncated_hmac           | RFC 6066  |
5     | status_request           | RFC 6066  | √√√
6     | user_mapping             | RFC 4681  |
7     | client_authz             | RFC 5878  |
8     | server_authz             | RFC 5878  |
9     | cert_type                | RFC 6091  |
10    | elliptic_curves          | RFC 4492  | √√√√√
11    | ec_point_formats         | RFC 4492  | √√√√√
12    | srp                      | RFC 5054  |
13    | signature_algorithms [1] | RFC 5246  | √√√
14    | use_srtp                 | RFC 5746  |
35    | SessionTicket TLS        | RFC...</description><feedburner:origLink>http://sim.ivi.co/2011/07/compare-tls-extensions-for-web-browsers.html</feedburner:origLink></item><item><title>by Xuelei Fan - Countermeasures to Neutralize TLS Renegotiation MITM Vulnerability in JAVA</title><link>http://feedproxy.google.com/~r/javasec/~3/wJePsBx7lfU/countermeasures-to-neutralize-tls.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Wed, 20 Jul 2011 01:33:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-8029428828914890314</guid><description>The protocol-level TLS renegotiation Man-In-The-Middle (MITM) vulnerability has already been fully fixed in Java SE for quite a while.&amp;nbsp; The following table shows the status of JDK/JRE releases and updates to neutralize the vulnerability in Java.




Release       | Renegotiation is Vulnerable | Renegotiation is Disabled | Renegotiation is Secure
JDK/JRE 7     | N/A                         | N/A                       | All releases
JDK/JRE 6     | Update 18 and earlier       | Updates 19-21             | Update 22
JDK/JRE 5.0   | Update 23 and earlier       | Updates 24-25             | Update 26
JDK/JRE 1.4.2 | Update 25 and earlier       | Updates 26-27             | Update 28


Unfortunately, research shows many famous commercial sites on the Web...</description><feedburner:origLink>http://sim.ivi.co/2011/07/countermeasures-to-neutralize-tls.html</feedburner:origLink></item><item><title>by Xuelei Fan - A Simple Shell Script to Check the Trap of Case-Insensitive String</title><link>http://feedproxy.google.com/~r/javasec/~3/ySjwRa0OhVE/simple-shell-script-to-check-trap-of.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sat, 09 Jul 2011 14:49:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-1922071352971661676</guid><description>The post "The Trap of Case-Insensitive String" discusses the locale sensitivity of String.toUpperCase() and String.toLowerCase(). I wrote a very simple KSH script to check for the potential problems in Java source code. The script may be useful to facilitate the checking of the trap.



#!/bin/ksh

set -A KEYWORDS
KEYWORDS[0]="toLowerCase&amp;#92;(&amp;#92;)|toUpperCase&amp;#92;(&amp;#92;)"
typeset -i keywords_number=1

# KEYWORDS[0]="toLowerCase&amp;#92;(&amp;#92;).hashCode&amp;#92;(&amp;#92;)"
# KEYWORDS[1]="toUpperCase&amp;#92;(&amp;#92;).hashCode&amp;#92;(&amp;#92;)"
# KEYWORDS[2]="toLowerCase&amp;#92;(&amp;#92;).equals&amp;#92;("
#...</description><feedburner:origLink>http://sim.ivi.co/2011/07/simple-shell-script-to-check-trap-of.html</feedburner:origLink></item><item><title>by Xuelei Fan - The Trap of Case-Insensitive String</title><link>http://feedproxy.google.com/~r/javasec/~3/Nas3yOhsh38/trap-of-case-insensitive-string.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 07 Jul 2011 01:34:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-7469592292871295574</guid><description>Let's start from an example. What's the expected result of the following simple code?



// Example One
public class ExampleOne {
    public static void main(String[] args) {
        String lower = "Simple Smiles!";
        String upper = "SIMPLE SMILES!";

        // The two hash codes match only if toUpperCase() maps both strings to
        // the same characters, and that mapping depends on the default locale.
        int lowerHashCode = lower.toUpperCase().hashCode();
        int upperHashCode = upper.toUpperCase().hashCode();
        boolean isEqual = (lowerHashCode == upperHashCode);

        System.out.println("The hash codes of the two case-insensitive " +
            "strings are the same: " + isEqual);
    }
}


What's the value of the "isEqual" variable, "true" or "false"? If you try to compile and run the above code, I believe, 99.9999 times out...</description><feedburner:origLink>http://sim.ivi.co/2011/07/trap-of-case-insensitive-string.html</feedburner:origLink></item><item><title>by Xuelei Fan - TLS Renegotiation MITM Vulnerability is Fully Fixed in Java SE</title><link>http://feedproxy.google.com/~r/javasec/~3/fSGW0dzooOM/tls-renegotiation-mitm-vulnerability-is.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Thu, 30 Jun 2011 21:23:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-5124903344286105358</guid><description>It's time to upgrade your Java Runtime Environment to JRE 6 update 22, JRE 5.0 update 26, or JRE 1.4.2 update 28 at least, or the latest updates. Sooner, rather than later!

Java SE has implemented RFC 5746, and fully fixed the TLS renegotiation MITM vulnerability in JDK 7 and in the above update releases.

Most of the SSL/TLS implementation vendors have already fixed the vulnerability in their product lines. Unfortunately, many famous commercial sites on the Web have not yet upgraded their software, according to the last report (as of the edit time of this post, Fri, Jul. 01, 2011),...</description><feedburner:origLink>http://sim.ivi.co/2011/07/tls-renegotiation-mitm-vulnerability-is.html</feedburner:origLink></item><item><title>by Xuelei Fan - Best Practice: to Include the Complete Certificate Chain in the KeyStore</title><link>http://feedproxy.google.com/~r/javasec/~3/5V7gn9LLfvY/best-practice-to-include-compelete.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sun, 26 Jun 2011 00:23:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-5000554792828633971</guid><description>Let's start from an example. Consider the following certification path: TrustAnchor issues IntermediateCert, and IntermediateCert issues EndEntityCert.
    TrustAnchor
        |        Subject: CN=TrustAnchor, OU=Example.COM
        V        Issuer : CN=TrustAnchor, OU=Example.COM
    IntermediateCert
        |        Subject: CN=Intermediate, OU=Example.COM
        V        Issuer : CN=TrustAnchor, OU=Example.COM
    EndEntityCert
                 Subject: CN=EndEntity, OU=Example.COM
                 Issuer : CN=Intermediate, OU=Example.COM
In practice, I noticed that some smart card...</description><feedburner:origLink>http://sim.ivi.co/2011/06/best-practice-to-include-compelete.html</feedburner:origLink></item><item><title>by Xuelei Fan - Java Approach to Lightweight Servers</title><link>http://feedproxy.google.com/~r/javasec/~3/XW80y1cSq0M/java-approach-to-lightweight-servers.html</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Xuelei Fan</dc:creator><pubDate>Sun, 19 Jun 2011 17:37:00 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-4878357546277600287.post-6958689556917289549</guid><description>My presentation about NIO.2 and JSSE at JavaOne Beijing 2010.



The time has come for Web servers to handle tens of thousands of clients simultaneously. Using NIO.2, one of the major features of JDK 7, will prove to be a reliable approach to solving the C10K problem (the inability of most Web servers to handle more than 10,000 clients simultaneously). This session introduced NIO.2’s asynchronous I/O APIs and illustrated a simple framework for building a reliable, lightweight, secure server.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/XW80y1cSq0M" height="1" width="1"/&gt;</description><feedburner:origLink>http://sim.ivi.co/2011/06/java-approach-to-lightweight-servers.html</feedburner:origLink></item><item><title>by Weijun   - Kerberos Programming on Windows</title><link>http://feedproxy.google.com/~r/javasec/~3/rMZI6G72UT8/kerberos_programming_on_windows</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 23 May 2011 14:09:23 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows</guid><description>This article was published as http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html some time in 2009, but the original link does not exist anymore. It's copied here mainly for archival purposes, and a lot of things have changed since. I might or might not update it.


   This article talks about Kerberos programming on Windows, especially in
   a Kerberos environment of Windows Active Directory (AD), with all
   clients and services running on Windows platforms in AD domains. The
   typical client/server environment described here is Windows XP and
   Windows...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/rMZI6G72UT8" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/kerberos_programming_on_windows</feedburner:origLink></item><item><title>by Weijun   - Some Kerberos Compiler Warnings on Windows</title><link>http://feedproxy.google.com/~r/javasec/~3/j3KOOoKqjME/some_kerberos_compiler_warnings_on</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 20 Mar 2011 20:25:22 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/some_kerberos_compiler_warnings_on</guid><description>There is a rather old bug on native code compiler warnings on Windows. I have been the responsible engineer for some time but never really started working on it. Unfortunately, some warnings result in a real runtime error now. Sorry.


Here is the changeset for it.


As you can see, we used the swprintf function in a not-so-standard way. The correct signature of the function is swprintf(buffer, size, format, args...) but we didn't provide the size argument. In the age of VC++ 2003, there were already warnings, but the runtime accepted this "overloaded" form and it ran fine. Starting from...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/j3KOOoKqjME" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/some_kerberos_compiler_warnings_on</feedburner:origLink></item><item><title>by Weijun   - Jarsigner with Timestamping Behind a Firewall</title><link>http://feedproxy.google.com/~r/javasec/~3/_NCBHoxGJ9Y/jarsigner_with_timestamping_behind_a</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Thu, 17 Mar 2011 13:13:37 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/jarsigner_with_timestamping_behind_a</guid><description>We've supported timestamping in jarsigner for a long time. By providing a -tsa option to the command when signing a jar file, a timestamping block will be added to the signed jar. This allows an application to be accepted by the Java Plugin at a future time when the signer's certificate has already expired.


In a lot of enterprise environments, you need to go through a firewall to access the Internet, and here that means the TSA (Time Stamping Authority). We noticed this some time ago. Therefore, when a connection to the TSA is not available, jarsigner would print out a message like this:

jarsigner: unable to...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/_NCBHoxGJ9Y" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/jarsigner_with_timestamping_behind_a</feedburner:origLink></item><item><title>by Weijun   - Fixed-width Font Widened on Bold</title><link>http://feedproxy.google.com/~r/javasec/~3/JwToGf1JaKk/fixed_width_font_widened_on</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Tue, 15 Mar 2011 12:01:57 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/fixed_width_font_widened_on</guid><description>So here is a screenshot of a JDK source file I am working on now, in NetBeans:





It seems there is an extra space before the "// ok" comment on line 52 which makes the comments non-aligned. So I removed it. But then when I read the diff, it shows:

@@ -49,7 +49,7 @@
      &amp;#92;* Constructs an AS-REQ message.
      &amp;#92;*/
                                                 // Can be null? has default?
-    public KrbAsReq(EncryptionKey pakey,        // ok
+    public KrbAsReq(EncryptionKey pakey,       // ok
                       KDCOptions options,       // ok, new KDCOptions()
            ...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/JwToGf1JaKk" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/fixed_width_font_widened_on</feedburner:origLink></item><item><title>by Weijun   - Cool Mercurial Bundles</title><link>http://feedproxy.google.com/~r/javasec/~3/EOelin0UkBU/cool_mercurial_bundles</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 13 Mar 2011 19:23:22 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/cool_mercurial_bundles</guid><description>Although OpenJDK is mostly open source, there are still some code repositories that are closed. When I work from home and need to update these repositories, I'll have to connect to the Oracle VPN to access them. I always hesitate to use VPN at home because I won't be able to see other machines on the LAN (especially, VirtualBox guests using this machine as the host) and I don't like accessing the Internet using the Oracle proxy servers. My solution is to create a VirtualBox guest for VPN exclusively.


But then I see a problem: there is a VirtualBox bug saying that symlinks in a shared...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/EOelin0UkBU" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/cool_mercurial_bundles</feedburner:origLink></item><item><title>by Weijun   - PolicyTool Tiny Behavior Change</title><link>http://feedproxy.google.com/~r/javasec/~3/U4ZUnFyQw3Q/policytool_tiny_behavior_change</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 05 Jan 2011 10:42:59 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/policytool_tiny_behavior_change</guid><description>PolicyTool is the only GUI tool included in the JRE, which is used to generate a policy file for Java security permission management. You can use the tool to create a policy file or edit an existing one.


The "Save As" command of the tool opens a file save dialog, lets you choose a file, and saves the current policy into that file. When the file you choose already exists, the tool will issue a warning asking you if you want to overwrite it.


Here comes the problem: back in the old days, the file save dialog is drawn by Java itself, and it does not care about file overwriting at all....&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/U4ZUnFyQw3Q" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/policytool_tiny_behavior_change</feedburner:origLink></item><item><title>by Weijun   - I'm Still Here</title><link>http://feedproxy.google.com/~r/javasec/~3/fYYo8i3q31g/i_m_still_here</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 03 Jan 2011 10:00:58 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/i_m_still_here</guid><description>Haven't written anything on this blog for a long time. I'm still in the Java SE core libraries team and we even have some new people. Oracle LEC in China was finished last September, JSRs for Java SE 7 and 8 were approved late last year and we are now busy adding the final bits for JDK 7 and testing it heavily. It's also time to think of what features I can add in JDK 8.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/fYYo8i3q31g" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/i_m_still_here</feedburner:origLink></item><item><title>by Weijun   - allow_weak_crypto for Kerberos</title><link>http://feedproxy.google.com/~r/javasec/~3/v00nUPLQUeA/allow_weak_crypto_for_kerberos</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 03 Mar 2010 10:53:27 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/allow_weak_crypto_for_kerberos</guid><description>I just added allow_weak_crypto support in OpenJDK. With this property set to false, des-cbc-md5 and des-cbc-crc etypes are not supported, even if you include them in permitted_enctypes or default_{tkt|tgs}_enctypes settings.



Please note that in MIT krb5-1.8, the default value for this property is false, which means the DES-related enctypes are disabled out-of-box. In Java, we choose to keep it true for compatibility reasons, which we've always cared about most.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/v00nUPLQUeA" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/allow_weak_crypto_for_kerberos</feedburner:origLink></item><item><title>by Sean Mullan   - Announcing XML Signature 1.1 and Signature Properties Last Call</title><link>http://feedproxy.google.com/~r/javasec/~3/JudpmbyiVEA/announcing_xml_signature_1_1</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 12 Feb 2010 06:11:02 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/announcing_xml_signature_1_1</guid><description>The W3C XML Security Working Group has released a Last Call Working Draft for XML Signature 1.1:

http://www.w3.org/TR/xmldsig-core1/

An explanation of the changes against the XML Signature 1.0 specification is available:

http://www.w3.org/TR/xmldsig-core1/explain.html

Changes are focused on the set of mandatory-to-implement algorithms and markup for relevant key material.

The Working Group has also released a Last Call Working Draft for XML Signature Properties:

http://www.w3.org/TR/2010/WD-xmldsig-properties-20100204/

The Last Call period lasts until 18 March 2010; comments can...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/JudpmbyiVEA" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/announcing_xml_signature_1_1</feedburner:origLink></item><item><title>by Weijun   - Oracle</title><link>http://feedproxy.google.com/~r/javasec/~3/Gi6sLo56NQk/oracle</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 27 Jan 2010 07:24:26 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/oracle</guid><description>The future begins today. Let's embrace it.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Gi6sLo56NQk" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/oracle</feedburner:origLink></item><item><title>by Weijun   - Sun</title><link>http://feedproxy.google.com/~r/javasec/~3/1UPBxaC1QrI/sun</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 20 Jan 2010 22:44:44 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/sun</guid><description>Linked from James Gosling's blog.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/1UPBxaC1QrI" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/sun</feedburner:origLink></item><item><title>by Sean Mullan   - Secure Coding Guidelines for the Java Programming Language, Version 3.0</title><link>http://feedproxy.google.com/~r/javasec/~3/j6gpE34wSes/secure_coding_guidelines_for_the</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Tue, 05 Jan 2010 21:38:36 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/secure_coding_guidelines_for_the</guid><description>A new version (3.0) of the Secure Coding Guidelines for the Java Programming Language has just been published at 
http://java.sun.com/security/seccodeguide.html 
  
The secure coding guidelines document best practices and patterns that you should adhere to when writing Java code in order to avoid vulnerabilities. These guidelines are important for every Java developer, whether you are writing a trusted library or an end-user application.
 
  
Version 3.0 is a significant enhancement and includes a new section on fundamentals as well as many new guidelines and enhancements. 
  
Please send me...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/j6gpE34wSes" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/secure_coding_guidelines_for_the</feedburner:origLink></item><item><title>by Weijun   - ExtendedGSSContext</title><link>http://feedproxy.google.com/~r/javasec/~3/JW6PZWFCt90/extendedgsscontext</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 14 Dec 2009 13:45:27 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/extendedgsscontext</guid><description>We're doing some experiments in JDK 7 to add more JGSS APIs. Currently they're defined in the vendor-specific package com.sun.security.jgss, but we'd like to enhance them and finally get them into the standard org.ietf.jgss package.



Basically, we defined a new ExtendedGSSContext interface. Now it has 3 methods:

requestDelegPolicy(boolean state):
Requests that the delegation policy be respected. When a true value is requested, the underlying context would use the delegation policy defined by the environment as a hint to determine whether credentials delegation should be performed. This...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/JW6PZWFCt90" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/extendedgsscontext</feedburner:origLink></item><item><title>by Sean Mullan   - Using more recent Apache XML Security Libraries with JDK 6 or JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/YL0w8N678d0/using_more_recent_apache_xml</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Thu, 01 Oct 2009 01:57:48 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/using_more_recent_apache_xml</guid><description>This question has come up in user forums quite a bit: &amp;quot;how can I use a more recent Apache XML Security library with the XML Signature APIs (JSR 105) in JDK 6 and JDK 7?&amp;quot; 
  
Most of the time, you will not need to do this. Our JDK 6/7 XML Signature implementation is based on Apache XML Security and we try to keep up with the latest release. However, there may be a bug fix or new algorithm that you really need and are willing to depend on a more recent version of the Apache XML Security library that has that fix. Here is what you need to do if so: 
   
    Place the Apache...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/YL0w8N678d0" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/using_more_recent_apache_xml</feedburner:origLink></item><item><title>by Sean Mullan   - Using stronger XML Signature Algorithms in JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/qKwGiYJQUgI/using_stronger_xml_signature_algorithms</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 24 Jul 2009 02:07:10 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/using_stronger_xml_signature_algorithms</guid><description>One of the new features of the XML Signature 1.1 specification, which is currently in draft review, is the addition of stronger cryptographic algorithms to the REQUIRED algorithms, such as the RSAwithSHA256 SignatureMethod algorithm. Additional RECOMMENDED and OPTIONAL algorithms have also been added. See section 6.1 for a complete list of algorithm requirements. 
  
In JDK 7, you can already use many of these stronger XML Signature algorithms in your Java applications. The following algorithms are newly supported: the RSAwithSHA256, RSAwithSHA384, RSAwithSHA512 signature algorithms and the...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/qKwGiYJQUgI" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/using_stronger_xml_signature_algorithms</feedburner:origLink></item><item><title>by Sean Mullan   - Hope to see you at our Java Security BOF next week at JavaOne</title><link>http://feedproxy.google.com/~r/javasec/~3/5jOEGlh4woY/hope_to_see_you_at</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 29 May 2009 01:45:15 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/hope_to_see_you_at</guid><description>Just a reminder that we'll be holding a BOF at this year's JavaOne conference on &amp;quot;New Security Features in JDK™ Releases 6 and 7&amp;quot;. It is on Wednesday at 6:45 PM in Gateway 102/103 in the Moscone Center. We plan to have a short presentation on the
latest security features in JDK 6, JDK 7 and JavaFX. Then, we are going to show a demo of the new blacklist mechanism in the just-released JRE 6u14. The remaining time will be for Q&amp;amp;A so please bring
your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/5jOEGlh4woY" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/hope_to_see_you_at</feedburner:origLink></item><item><title>by Weijun   - Subscribe to a mail list and start replying immediately</title><link>http://feedproxy.google.com/~r/javasec/~3/V-NskCrAMD0/subscribe_to_a_mail_list</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Fri, 24 Apr 2009 23:31:53 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/subscribe_to_a_mail_list</guid><description>Sometimes I browse through archives of a mail list and find some topics very interesting. I subscribe to it, but only new messages come to my mail client, and those topics I found interesting initially won't appear anymore. How I wish I could reply to those topics.



If it's also hosted on Google Groups, that's great. Just reply to it there. If you don't want to keep using your Google Account in the discussion, reply with some nonsense in Google Groups, and then reply with your real identity after that nonsense reaches your mail box.



If the list is available on gmane.org, you may be able to...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/V-NskCrAMD0" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/subscribe_to_a_mail_list</feedburner:origLink></item><item><title>by Sean Mullan   - Come to our Java Security BOF at JavaOne 2009</title><link>http://feedproxy.google.com/~r/javasec/~3/1Oz9oZFcWME/come_to_our_java_security</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 24 Apr 2009 01:19:08 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/come_to_our_java_security</guid><description>We'll be holding a BOF at this year's JavaOne conference on &amp;quot;New Security Features in JDK™ Releases 6 and 7&amp;quot;. This is sure to be an interesting BOF, as we'll go over all of the latest security features that we have added to JDK 6 and new ones that are targeted for JDK 7. We also plan to show a demo of some of the features. There should be plenty of time for Q&amp;amp;A so please bring your questions on Java Security as many members of Sun's Java Security team will be on hand to help answer them. 
  
I'll add more details as we get closer to JavaOne.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/1Oz9oZFcWME" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/come_to_our_java_security</feedburner:origLink></item><item><title>by Weijun   - Fedora 10</title><link>http://feedproxy.google.com/~r/javasec/~3/4JvNYMhGy6w/fedora_10</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Tue, 21 Apr 2009 18:03:08 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/fedora_10</guid><description>Trying to install it again. Last time (probably F8) it did not support GUI login as a NIS user. GDM hangs.



Hope it's fine now. Will see if it's a better system for building OpenJDK.



Update: NIS accounts can log in, no +::: lines needed. However, the system goes unstable when trying to change the network setting to a manual IP. Re-ran grub-install and am now back in Ubuntu.



Anyway, the OS is there now; I might try again someday.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/4JvNYMhGy6w" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/fedora_10</feedburner:origLink></item><item><title>by Weijun   - Several Enhancements for JarSigner</title><link>http://feedproxy.google.com/~r/javasec/~3/XS5P39ZB6-k/several_enhancements_for_jarsigner</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 19 Apr 2009 11:55:31 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/several_enhancements_for_jarsigner</guid><description>There are several enhancements to the jarsigner tool in OpenJDK lately.



First, jarsigner accepts a new option -certchain file to use a certificate chain in an external file. People can use PKCS #11 tokens to store their private keys. Some of these tokens are so small that there's no place to store the certificate chain inside them. Although you can access such a token with KeyStore.getInstance("pkcs11"), the getCertificateChain() method returns nothing. Now you can use jarsigner with this kind of token, using the token as the keystore, but point your certchain to another file that contains the...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/XS5P39ZB6-k" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/several_enhancements_for_jarsigner</feedburner:origLink></item><item><title>by Brad Wetmore   - Would 6 units of band class qualify me for a free JavaOne 2009 pass?</title><link>http://feedproxy.google.com/~r/javasec/~3/bl-yMFb7Wpo/would_6_units_of_band</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Fri, 17 Apr 2009 13:23:45 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/would_6_units_of_band</guid><description>The worst thing about graduating and getting a job in the real world is that all the cool benefits dried up. Student rates on travel, movie passes, food...etc. 
  
I just noticed an offer on the J1 web site that appears to allow students (6 units or more) to get a free, FULL JavaOne 2009 conference pass. Even as a Sun employee, I only get a limited pass. Which got me thinking: I'm currently taking a 1 unit music performance class at a local community college. If I sign up for 5 more of these classes, would that qualify? 
  
Hm...I should check with my manager...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/bl-yMFb7Wpo" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/would_6_units_of_band</feedburner:origLink></item><item><title>by Sean Mullan   - New API to indicate the reason a certificate chain was invalid</title><link>http://feedproxy.google.com/~r/javasec/~3/EBTMBqDMQeg/new_api_to_indicate_the</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 03 Apr 2009 04:39:42 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/new_api_to_indicate_the</guid><description>In JDK 7, we have added a new method (getReason) to the java.security.cert.CertPathValidatorException class which returns an object indicating the reason a certificate chain, or CertPath, is invalid. Previously, there was no standard mechanism to determine the reason of failure, and applications had to depend on the exception message or the cause which could vary based on the underlying service provider implementation. 
  
The getReason method returns an instance of CertPathValidatorException.Reason, which is an interface. There are 2 subclasses of this interface. One is BasicReason which is...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/EBTMBqDMQeg" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/new_api_to_indicate_the</feedburner:origLink></item><item><title>by Sean Mullan   - New CertificateRevokedException class in JDK 7</title><link>http://feedproxy.google.com/~r/javasec/~3/2NBevSiQcvw/new_certificaterevokedexception_class_in_jdk</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 27 Mar 2009 01:44:19 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/new_certificaterevokedexception_class_in_jdk</guid><description>There is a new CertificateRevokedException class in JDK 7 in the java.security.cert package that indicates that an X.509 certificate is revoked and also allows you to determine additional information such as the reason the certificate has been revoked and when it was revoked. The getRevocationReason method returns a CRLReason, which is a new enum class that enumerates the different reasons an X.509 certificate can be revoked, such as compromise of the private key. 
In JDK 7, the Sun PKIX CertPathValidator service provider implementation has been enhanced to throw this exception....&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/2NBevSiQcvw" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/new_certificaterevokedexception_class_in_jdk</feedburner:origLink></item><item><title>by Sean Mullan   - Greetings</title><link>http://feedproxy.google.com/~r/javasec/~3/0V5XlHTTeJU/greetings</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sean Mullan</dc:creator><pubDate>Fri, 20 Mar 2009 05:49:12 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/mullan/entry/greetings</guid><description>Hello everyone. Although I have been with Sun for over 10 years, this is my first blog entry at blogs.sun.com. I already have a blog over at java.net (http://weblogs.java.net/blog/mullan/), but for now I will be posting new entries right here at blogs.sun.com. I may still update my blog at java.net from time to time, or figure out a way to cross-post my entries. 
  
A little about myself. I work on the Java Security Team and have spent almost 10 years working on the Java SE security technology. I was specification lead of JSR 55 and co-specification lead of JSR 105, both successful APIs that...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/0V5XlHTTeJU" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/mullan/entry/greetings</feedburner:origLink></item><item><title>by Weijun   - Another new keytool enhancement: -printcert -sslserver</title><link>http://feedproxy.google.com/~r/javasec/~3/XQyuMCCE3Qw/another_old_new_keytool_enhancement</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 22 Feb 2009 15:40:51 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/another_old_new_keytool_enhancement</guid><description>Andreas has written a blog entry on retrieving certificates from an SSL server. Whenever I see someone asking this question on the Java forum I point the user to this entry. Now it's time for this function to be included in keytool.



Call keytool -printcert -sslserver sun.com to see what's shown.



During the implementation of this feature, there were some discussions on how the function should be called. Two topics are most interesting:



What's the function name? At first, the plan is to add a new function to import the certificate into a keystore. The command will look like "-importcert...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/XQyuMCCE3Qw" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/another_old_new_keytool_enhancement</feedburner:origLink></item><item><title>by Weijun   - keytool enhancements</title><link>http://feedproxy.google.com/~r/javasec/~3/CcBPZobIcZQ/keytool_enhancements</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 22 Feb 2009 12:59:12 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/keytool_enhancements</guid><description>Update: CRLDistributionPoints extension support added.

There are two enhancements made to keytool today (the doc has not been updated, it's still for JDK 6):
new commands and options
We have two new commands, -gencert and -printcertreq, and one new option, -ext. Read the RFE descriptions.



-printcertreq is simply for printing the content of a certificate request. It behaves like the -printcert command, reading a PKCS #10 format cert req from a file or stdin, and does not need a keystore to run with.



-gencert is a big enhancement, which means you can set up a tiny CA now with keytool. The command...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/CcBPZobIcZQ" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/keytool_enhancements</feedburner:origLink></item><item><title>by Brad Wetmore   - Extra!  Extra!  Read all about it!  OpenJDK Bugzilla Goes Live!</title><link>http://feedproxy.google.com/~r/javasec/~3/VeL4xGUlUxs/extra_extra_read_all_about</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Fri, 06 Feb 2009 12:50:04 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/extra_extra_read_all_about</guid><description>News at 11...or whenever the moderator on &amp;quot;announce at openjdk dot java dot net&amp;quot; approves my message...or just go to: 

http://openjdk.java.net/groups/web/bugzilla.html

(Apologies to my younger or international readers if the title of this entry didn't make any sense.)&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/VeL4xGUlUxs" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/extra_extra_read_all_about</feedburner:origLink></item><item><title>by Brad Wetmore   - Update on the OpenJDK Bugzilla instance.</title><link>http://feedproxy.google.com/~r/javasec/~3/HNWcySwA9iM/update_on_the_openjdk_bugzilla</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Sun, 01 Feb 2009 13:42:26 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/update_on_the_openjdk_bugzilla</guid><description>I've recently been leading the effort to get our OpenJDK Bugzilla instance in place, and just wanted to let folks know that we're pretty close. 
  
I took some time over the last couple days to take a snapshot of what we have and what's planned for the near and somewhat longer future.&amp;nbsp; The short story is that we'll begin by tracking contributions from OpenJDK developers who do not have push rights to the JDK 6 and 7 forests.&amp;nbsp; The next phase will expand the system to track most if not all of the OpenJDK projects under development. 
  
The longer story is now available on the OpenJDK...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/HNWcySwA9iM" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/update_on_the_openjdk_bugzilla</feedburner:origLink></item><item><title>by Weijun   - Small Enhancements to HGrev</title><link>http://feedproxy.google.com/~r/javasec/~3/03-AGXA3qxM/small_enhancements_to_hgrev</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Tue, 20 Jan 2009 17:10:45 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/small_enhancements_to_hgrev</guid><description>I've enhanced http://hgrev.appspot.com a little. Now the patch view has links to previous and new codes in raw form, so that you can download it directly to try on your own computer.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/03-AGXA3qxM" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/small_enhancements_to_hgrev</feedburner:origLink></item><item><title>by Weijun   - Who Moved My krb5.ini?</title><link>http://feedproxy.google.com/~r/javasec/~3/Jxb-HAXC3zg/who_moved_my_krb5_ini</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 18 Jan 2009 18:59:47 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/who_moved_my_krb5_ini</guid><description>Java Kerberos 5, on Windows, looks for a config file named krb5.ini in the Windows directory, and a Windows directory is defined as the return value of the Win32 API GetWindowsDirectory(), which should normally return something like C:&amp;#92;&amp;#92;Windows.



But, since Windows Server 2003, something has changed. The Terminal Services Programming Guidelines has these words: In a Terminal Services environment, the Windows directory is guaranteed to be private for each user.



So this means if your (post Windows 2003) system has Terminal Services turned on, Java would look for krb5.ini inside...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Jxb-HAXC3zg" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/who_moved_my_krb5_ini</feedburner:origLink></item><item><title>by Weijun   - NetBeans C++ is Cool</title><link>http://feedproxy.google.com/~r/javasec/~3/Cda2sxpPeEo/netbeans_c_is_cool</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Thu, 15 Jan 2009 17:04:08 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/netbeans_c_is_cool</guid><description>Although I use NetBeans a lot writing Java, I've never really tried its C/C++ Pack before. Today I need to read some MIT Kerberos code. It has been a long time since I worked heavily on C, so I find it quite difficult to figure out which function does what and where it's defined. And then I think of NetBeans: it's very good at parsing Java code and gives you multiple ways to navigate through the method calls and field definitions. How about trying it for C?



So I fire up NetBeans and go download the C/C++ pack. It's a huge 5MB module that takes care of projects, editing, debugging all in one...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Cda2sxpPeEo" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/netbeans_c_is_cool</feedburner:origLink></item><item><title>by Weijun   - Picasa for Mac</title><link>http://feedproxy.google.com/~r/javasec/~3/8XXkTKxtY_s/picasa_for_mac</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 07 Jan 2009 16:23:18 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/picasa_for_mac</guid><description>I'm happy to become a Picasa user again. For the last two years, I used Finder and Preview to take care of all my photos. It's a very difficult job: I leave quite a few duplicates here and there, and I dare not edit photos except to rotate them. I hate iPhoto; I don't want the files to be moved somewhere else, and I feel bad when I don't know what it's doing and how it stores things.



Now I can do the so-called non-destructive edit again. Picasa for Mac still recognizes all previous edits made in Windows, the Picasa.ini file I mean. It would update the file if you make more edits. When there's...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/8XXkTKxtY_s" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/picasa_for_mac</feedburner:origLink></item><item><title>by Weijun   - OpenSolaris on Bare Metal</title><link>http://feedproxy.google.com/~r/javasec/~3/Rc7ZpFjjVis/opensolaris_on_bare_metal</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Tue, 06 Jan 2009 13:50:45 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/opensolaris_on_bare_metal</guid><description>Finally I decide to install OpenSolaris on the bare metal, and probably use it as a nightly build machine.

Create a USB installer using usbcopy
Boot from this USB disk and install
Reboot, disable network/physical:nwam, enable multicast and network/physical:default, call sys-unconfig
Reconfigure the machine
Reboot again

I hadn't enabled/disabled the services the first time I ran sys-unconfig, and the machine could not reboot, complaining that avahi-bridge-dsd could not start. Fortunately I could log in to single user mode and do that again.



I'm learning how to give more privileges to my NIS user...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Rc7ZpFjjVis" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/opensolaris_on_bare_metal</feedburner:origLink></item><item><title>by Brad Wetmore   - You can teach a somewhat older dog new tricks-OpenSolaris 2008.11:  Wow!</title><link>http://feedproxy.google.com/~r/javasec/~3/Rm34V9KhohM/you_can_teach_a_somewhat</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Thu, 18 Dec 2008 13:30:16 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/you_can_teach_a_somewhat</guid><description>Way back in grad school (early 90's), I was called in to assist in the investigation of an internet porn exchange ring.&amp;nbsp; The ring was using some unsecured FTP servers belonging to our state's government.&amp;nbsp; Our team finished our initial assessment and called in the State Police to report our findings.&amp;nbsp; I will never forget that day as long as I live.&amp;nbsp; I said, &amp;quot;Yes, you've got a problem&amp;quot; and brought up one of the tamer images.&amp;nbsp; This career cop was two years away from retirement, and he just rolled his eyes and said &amp;quot;I'm too old for this, I don't get this...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Rm34V9KhohM" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/you_can_teach_a_somewhat</feedburner:origLink></item><item><title>by Weijun   - mechListMIC in SPNEGO</title><link>http://feedproxy.google.com/~r/javasec/~3/CW4pxXxI62c/mechlistmic_in_spnego</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Tue, 16 Dec 2008 11:37:36 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/mechlistmic_in_spnego</guid><description>I try hard to understand when mechListMIC should be
generated in SPNEGO, but still find the specification (RFC 4178) confusing. I'd like to interpret it this way:

 If the chosen mech is the first one in the list, don't bother to create it
 Generate the MIC whenever you think you can do it, i.e. mech's isEstablished() is true
 Respond to a MIC whenever you receive one

In case you believe the incoming token should have the MIC but it hasn't, if it's already marked COMPLETE, you go COMPLETE also. Otherwise, it may be expecting a MIC from you, either create the MIC and send back, or send back...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/CW4pxXxI62c" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/mechlistmic_in_spnego</feedburner:origLink></item><item><title>by Brad Wetmore   - Consolidation of the JSN and TL gates.</title><link>http://feedproxy.google.com/~r/javasec/~3/pCvnkPMfx70/consolidation_of_the_jsn_and</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Wed, 12 Nov 2008 07:54:40 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/consolidation_of_the_jsn_and</guid><description>For the last 4 years, I've been the &amp;quot;Gatekeeper&amp;quot; for the Java Security and Network (JSN) team.&amp;nbsp; Gatekeepers are those under-appreciated but highly necessary folks who make sure that new changes work, and play nicely with what's already there.&amp;nbsp; We're only as good as our test cases, but not all developers are as diligent about running everything that's available.
  
  
A month ago, I was asked to take on a project to support the OpenJDK project.&amp;nbsp; In order to free up time, we decided to decommission the JSN gate, and transition the JSN developers to the Tools and...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/pCvnkPMfx70" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/consolidation_of_the_jsn_and</feedburner:origLink></item><item><title>by Weijun   - Mark Bristow, Today's Gold Medalist</title><link>http://feedproxy.google.com/~r/javasec/~3/5B_mOTL2SQI/mark_bristow</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 08 Sep 2008 19:08:15 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/mark_bristow</guid><description>Silicon Valley? That's Sun Microsystems.



Congratulations!&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/5B_mOTL2SQI" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/mark_bristow</feedburner:origLink></item><item><title>by Weijun   - LiveCD of OpenSolaris in VMWare</title><link>http://feedproxy.google.com/~r/javasec/~3/eM6wo9m1ZGI/livecd_of_opensolaris_in_vmware</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Mon, 25 Aug 2008 13:51:22 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/livecd_of_opensolaris_in_vmware</guid><description>Normally I don't like running an OS as a LiveCD on a bare metal machine because accessing CD-ROM is too slow and makes very big noises. However as a VMWare guest, since the CD-ROM is in fact an ISO file on the hard disk, I guess the speed should be quite fast, I'm quite happy to only run it on the LiveCD.



So I create a new virtual machine with two CD-ROM drives, put the LiveCD in the first one and the VMTools into the second. When the system CD boots up, I will be able to install VMTools from the second CD.



This works quite fine for Ubuntu and the VMTools is installed correctly. But for...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/eM6wo9m1ZGI" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/livecd_of_opensolaris_in_vmware</feedburner:origLink></item><item><title>by Weijun   - F9 (Compile) for NetBeans Missing</title><link>http://feedproxy.google.com/~r/javasec/~3/Lc-QxpCNdZs/f9_compile_for_netbeans_missing</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Sun, 03 Aug 2008 14:28:30 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/f9_compile_for_netbeans_missing</guid><description>Just downloaded the latest DEV version of NetBeans, haven't done it for several weeks.



One thing that confuses me is that F9 seems not to work for individual files in a Java project anymore. Pressing F9 has no effect; the edited Java file still shows an asterisk in the editor pane header, still dirty, not even saved. Looking at the right-click menu of the file, the Compile item is grayed out, though not completely.



Strange, isn't it? Then I suddenly realized this might be because of the newly introduced compile-on-save feature. I try to add some runtime error into my Java file and save...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/Lc-QxpCNdZs" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/f9_compile_for_netbeans_missing</feedburner:origLink></item><item><title>by Weijun   - my webrev experiment: public, interactive and easy</title><link>http://feedproxy.google.com/~r/javasec/~3/AVB4J0ezsxo/my_webrev_experiment_public_interactive</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 11 Jun 2008 14:27:10 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/my_webrev_experiment_public_interactive</guid><description>Inside Sun, we use webrev to do code reviews, you can see an example here.



Well, there're several reasons I don't like webrev very much:

It's a pile of static files, you must first create them, and upload them to a public website (possibly one by one).
It used to be a nice archive of what you've done, but now in Mercurial we already have changesets.
It includes no interactive review process 

OK, only the first reason is real. I just cannot resist the temptation to create a list.



Recently I've done some experiments on creating a new review style which is meant to be:

Public, the patch...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/AVB4J0ezsxo" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/my_webrev_experiment_public_interactive</feedburner:origLink></item><item><title>by Weijun   - location.replace</title><link>http://feedproxy.google.com/~r/javasec/~3/ZAgcVREDxMU/location_replace</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Weijun</dc:creator><pubDate>Wed, 04 Jun 2008 11:46:50 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wangwj/entry/location_replace</guid><description>Just wrote a long web page using location.replace to move around to different corners of it. Found these incompatibilities between different browsers:

Firefox is fine
Opera and WebKit save a history item for each replace call, which I don't like
IE is not aware of javascript-generated anchors&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/ZAgcVREDxMU" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wangwj/entry/location_replace</feedburner:origLink></item><item><title>by Brad Wetmore   - He Is He, Don Quixote:  The Lord of La Mancha!</title><link>http://feedproxy.google.com/~r/javasec/~3/U8Tps5DP2bQ/he_is_he_don_quixote</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Tue, 03 Jun 2008 09:02:35 PDT</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/he_is_he_don_quixote</guid><description>Folks have been asking what I'm up to outside of work.&amp;nbsp; Way too many things for one blog entry, so I'll focus on the most recent.
 
  
As you may know, one of the things I'm quite passionate about is music and performance. I'd started with church choirs, but I'd say I got really passionate about music in 5th grade, when I had to choose an instrument for the school band.&amp;nbsp; I can't believe how practical I was back then:&amp;nbsp; I asked myself what instrument(s) will allow me to do the most types of music.&amp;nbsp; (pretty impressive for a 5th grader, no?)&amp;nbsp; The answer was obvious:&amp;nbsp;...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/U8Tps5DP2bQ" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/he_is_he_don_quixote</feedburner:origLink></item><item><title>by Brad Wetmore   - I Have Met "The Man," and The Tail Will Not Be Pretty.</title><link>http://feedproxy.google.com/~r/javasec/~3/L5D1xH8Z4NA/i_have_met_the_man</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Wed, 05 Mar 2008 06:53:40 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/i_have_met_the_man</guid><description>&amp;nbsp;I love &amp;quot;dives.&amp;quot;&amp;nbsp; You know those places that you look at from the outside, and say...&amp;quot;hmm...&amp;quot;&amp;nbsp; But with lines out the door, you know they must be doing something right.&amp;nbsp; Once you get inside, you know there's something special going on in the kitchen.&amp;nbsp; My wife has always accused me of taking her to only the &amp;quot;finest&amp;quot; establishments, but this one almost killed her.
  
A little backstory:&amp;nbsp;&amp;nbsp;As my little brother was graduating from college, he was seduced by the Dark Side and moved to Redmond Washington to work for the large unnamed...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/L5D1xH8Z4NA" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/i_have_met_the_man</feedburner:origLink></item><item><title>by Brad Wetmore   - Leave me alone, I'm on vacation!</title><link>http://feedproxy.google.com/~r/javasec/~3/h4RbdQu-ghg/leave_me_alone_i_m</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Thu, 14 Feb 2008 09:02:14 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/leave_me_alone_i_m</guid><description>I've got no qualms about giving my all when I'm working.&amp;nbsp; I've done the long days, the long nights, the long weekends.&amp;nbsp; But when I officially pull the plug and go on vacation, I expect to be able to leave Sun behind, and enjoy some well-deserved time off without any reminders of what I do the rest of the year.&amp;nbsp; 

 I don't think that's too much to ask.&amp;nbsp; But have you ever tried to unplug yourself completely when you work for a &amp;quot;network&amp;quot; company like Sun?&amp;nbsp; 
I first noticed it on a trip to Nepal.&amp;nbsp; I had just finished a rather stressful project, and was glad...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/h4RbdQu-ghg" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/leave_me_alone_i_m</feedburner:origLink></item><item><title>by Brad Wetmore   - "You're a...Gatekeeper?  Uh huh.  What's a Gatekeeper?"</title><link>http://feedproxy.google.com/~r/javasec/~3/xE-VlPpSAuA/you_re_a_gatekeeper_uh</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Mon, 11 Feb 2008 07:12:41 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/you_re_a_gatekeeper_uh</guid><description>(You might want to read Kelly O'Hair's &amp;quot;OpenJDK Mercurial Wheel&amp;quot; blog entry before reading this.) 
Besides my normal job as a developer in the Java Security and Networking (JSN) and&amp;nbsp; the Java Tools/Libraries (TL) groups, I have been tasked from time to time as the &amp;quot;Gatekeeper&amp;quot; (also known as an &amp;quot;Integrator&amp;quot;) for the JSN group.&amp;nbsp; Some of you have asked on the IRC channel #openjdk, &amp;quot;What's a Gatekeeper?&amp;quot;&amp;nbsp; Good question.&amp;nbsp; Ask any of the N gatekeepers, and you'll get N different answers.
Since I'm a musician by night, I had to distill it...&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/xE-VlPpSAuA" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/you_re_a_gatekeeper_uh</feedburner:origLink></item><item><title>by Brad Wetmore   - Nice Overview for Getting Started with OpenJDK</title><link>http://feedproxy.google.com/~r/javasec/~3/GHF3vVulcNM/nice_overview_for_getting_started</link><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Brad Wetmore</dc:creator><pubDate>Mon, 11 Feb 2008 07:08:35 PST</pubDate><guid isPermaLink="false">https://blogs.oracle.com/wetmore/entry/nice_overview_for_getting_started</guid><description>Lars Westergren posted an article in his blog about what the OpenJDK project is and how it works.&amp;nbsp; I found it to be a great overview, as he did a nice job on culling information from various sources and presenting it in a very coherent manner.&lt;img src="http://feeds.feedburner.com/~r/javasec/~4/GHF3vVulcNM" height="1" width="1"/&gt;</description><feedburner:origLink>https://blogs.oracle.com/wetmore/entry/nice_overview_for_getting_started</feedburner:origLink></item></channel></rss>
