
Re: Cross-platform authentication




On Jul 16, 2006, at 6:28 PM, Greg Guerin wrote:


The OS enforces BSD access permissions. If you don't trust those to work,
you're dead, because nothing else is trustworthy: not the OS, the JVM, your
app, your database file, etc.:

This assumes OS X, where the JAAS UnixLoginModule determining the correct Principal to use to access the user's private information _may_ be fine. But again, it is not a platform-neutral solution where no 'user'-based JAAS login module is provided.



The Apple Keychain might be a good repository but I don't think any
real authentication is required to get at either certificates or keys
in it.

There is if the user sets it up that way. The user can choose the access-granting policies, and can restrict or expand at any time. See Keychain Access.app and its builtin help.

I may have loosened up some restrictions here without being aware of it. I can look into that.


Maybe that is because some automatic authentication outside
java has been done establishing that you are a correct user to access
the information, I haven't tested that. But it doesn't seem to have
required a valid password or produce a dialog or whatever to get at
KeyChain? Or did I test that incorrectly?

Can't tell. With such a vague description, we don't know what you tested,
nor how.


Maybe you have login keychain access enabled:

I don't think so on this one but again I can check. I have indicated my concerns with what seems to be the free access to KeyChain from java in the past, but I'll indicate some examples at the end.


Maybe your app is listed as a trusted app for the things it retrieves from
the keychain, simply because it put them there. In that case your app
won't be re-authenticated unless Keychain Services detects that your app
changed:


<http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/02concepts/chapter_2_section_4.html>



Again, I'm pretty sure I didn't use the application(s) or the Java test programs to add them, so I'm pretty sure this isn't the case either. The following examples might clarify things.


KeyStore java doc
_______________

public final void load(InputStream stream,
                       char[] password)

__________________

Email code getting my Thawte freemail certificate from the Apple KeyChainStore

if (maildlog.isSigned()) {
    Security.addProvider(new BouncyCastleProvider());
    // Keychain-backed KeyStore from the Apple provider: opened with no stream and no password.
    KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
    ks.load(null, null);
    // The sender address doubles as the keychain alias.
    chain = ks.getCertificateChain(maildlog.getFrom());
    // Password handed to the provider; whether it is actually checked is the question below.
    k = ks.getKey(maildlog.getFrom(), "test".toCharArray());
    certsAndCRLs = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(Arrays.asList(chain)), "BC");
    cert = (X509Certificate) chain[0];
}


Note the ks.load(null,null);
No password is required to retrieve the certificate?

A more standalone test program...

import java.io.*;
import java.security.Key;
import java.security.KeyStore;
import java.util.Enumeration;

public class KeychainStoreTest {

    public static void main(String[] args) {
        boolean keyentries = false, showcerts = false;
        String password = null, storepass = null, cert_alias = null;
        try {
            // -k [password]        list key entries and try to retrieve each key
            // -c -alias <alias>    print the certificate chain stored under <alias>
            if (args.length > 0 && args[0].equals("-k")) {
                keyentries = true;
                if (args.length > 1) password = args[1];
            }
            if (args.length > 0 && args[0].equals("-c")) {
                showcerts = true;
                for (int i = 1; i < args.length; i++) {
                    if (args[i].equals("-alias")) cert_alias = args[++i];
                    else if (args[i].equals("-storepass")) storepass = args[++i];
                }
                if (cert_alias == null)
                    throw new IllegalArgumentException("listing certificates requires an alias");
                // if (storepass == null)
                //     throw new IllegalArgumentException("listing certificates requires the keystore password");
            }
            KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
            // Earlier attempts at opening the default keychain file directly:
            // String path = rtexec(new String[] { "Security", "default-keychain" });
            // path = path.substring(path.indexOf("\"") + 1, path.lastIndexOf("\""));
            // System.out.println("type: " + ks.getType() + " " + path);
            // ks.load(new FileInputStream(path), null);
            // ks.load(new FileInputStream("/Users/mjh/Library/Keychains/Microsoft_Intermediate_Certificates"), null);
            ks.load(null, null);   // no stream and no password for the keychain-backed store
            if (showcerts) {
                java.security.cert.Certificate[] chain = ks.getCertificateChain(cert_alias);
                for (int i = 0; i < chain.length; i++)
                    System.out.println(chain[i]);   // was chain[0], which printed the leaf repeatedly
                return;
            }
            Enumeration<String> e = ks.aliases();
            while (e.hasMoreElements()) {
                String alias = e.nextElement();
                if (keyentries && ks.isKeyEntry(alias)) {
                    System.out.println(alias + " is key entry is " + ks.isKeyEntry(alias));
                    // password may be null when -k is given without one
                    Key k = ks.getKey(alias, password == null ? null : password.toCharArray());
                    System.out.println(k);
                } else if (!keyentries) {
                    System.out.println(alias);
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}


shows that, since KeychainStore now supports keys (public and private), you also seem to have ready access to them with the same ks.load(null,null);

Normally I didn't think KeyChain ever gave you access like this without at least some kind of admin password prompt or something? But I haven't used it that much and might be misunderstanding something.


Mike Hall mikehall at spacestar dot net http://www.spacestar.net/users/mikehall http://sourceforge.net/projects/macnative
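The following program is an added example and is not code from Mike's post or from Apple. It puts the two KeyStore password models side by side so the behaviour Mike is asking about can be checked on any JVM: a file-backed PKCS12 store, where the password passed to load() protects integrity and the password passed to getKey() unwraps the entry, versus the Apple KeychainStore, which is opened with load(null, null) and where, per Greg's reply, the keychain's own access-control settings decide what comes back. The PKCS12 file, the aliases, and the passwords are constructed for the demo; the KeychainStore branch only runs on a macOS JVM that ships the "Apple" provider, and the password string handed to it is a placeholder.

```java
import java.io.*;
import java.security.*;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example (not from the mailing-list post): contrasts a file-backed PKCS12
 *  keystore, whose load()/getKey() passwords are enforced by Java, with the Apple
 *  KeychainStore, whose access control lives in the keychain rather than in Java. */
public class KeyStoreAccessAudit {

    /** Build a throwaway PKCS12 file holding one AES key under the given passwords. */
    static File createPkcs12(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);               // empty in-memory store; nothing to unlock yet
        SecretKey aes = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("demo-aes", new KeyStore.SecretKeyEntry(aes),
                    new KeyStore.PasswordProtection(keyPass));
        File f = File.createTempFile("audit", ".p12");   // constructed demo file
        f.deleteOnExit();
        try (OutputStream out = new FileOutputStream(f)) {
            ks.store(out, storePass);      // integrity check and wrapping bound to storePass
        }
        return f;
    }

    /** Report, for every alias, whether key material is recoverable with the supplied password. */
    static void audit(KeyStore ks, char[] keyPass) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted-certificate entry (no secret material)");
                continue;
            }
            try {
                Key k = ks.getKey(alias, keyPass);
                System.out.println(alias + ": key entry RECOVERABLE (" + k.getAlgorithm() + ")");
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key entry protected, password rejected");
            } catch (GeneralSecurityException e) {
                System.out.println(alias + ": key entry not readable: " + e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "store-secret".toCharArray();   // constructed demo passwords
        char[] keyPass = "key-secret".toCharArray();
        File p12 = createPkcs12(storePass, keyPass);

        // 1. File-backed store: load() with the wrong password fails before any entry is visible.
        KeyStore file = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12)) {
            file.load(in, "wrong".toCharArray());
            System.out.println("unexpected: PKCS12 opened with the wrong password");
        } catch (IOException e) {
            System.out.println("PKCS12 load with wrong password rejected: " + e.getMessage());
        }
        try (InputStream in = new FileInputStream(p12)) {
            file.load(in, storePass);
        }
        audit(file, "wrong".toCharArray());  // entry is listed, but getKey() is refused
        audit(file, keyPass);                // now recoverable

        // 2. Apple KeychainStore (macOS JVMs only): load(null, null) is how it is opened;
        //    what getKey() returns is decided by the keychain's access settings, not by Java.
        try {
            KeyStore kc = KeyStore.getInstance("KeychainStore", "Apple");
            kc.load(null, null);
            audit(kc, "placeholder".toCharArray());   // placeholder; see the keychain ACL discussion
        } catch (NoSuchProviderException | KeyStoreException e) {
            System.out.println("Apple KeychainStore not available on this JVM: " + e.getMessage());
        }
    }
}
```

Run with `java KeyStoreAccessAudit`. On a non-Apple JVM only the PKCS12 half executes, and it shows the behaviour Mike expected: a wrong store password is rejected at load(), and a wrong entry password surfaces as UnrecoverableKeyException from getKey(). On a Mac, the second half lists what the keychain hands to an unprompted JVM process; any key entry reported as recoverable there is one whose access policy in Keychain Access allows it, which is the setting to review rather than anything in the Java code.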






