grpc-java programs using an Elliptic Curve certificate for SSL communication

Introduction

RSA cryptography is based on the difficulty of factoring the product of two large prime numbers. Elliptic Curve Cryptography (ECC) is based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys than RSA to provide equivalent security, so a 256-bit ECC key is stronger than a 256-bit RSA key.

In my last post, “Java gRPC client and server using secure HTTP/2 channels on the Hyperledger Fabric virtual machine“, I could have just as well used an Elliptic Curve certificate and private key instead of RSA to allow my two gRPC Java programs to communicate with each other securely over SSL/TLS.

In this post, I will demonstrate how to generate the ECC certificate and key, modify the Java examples and run them again.


Procedure

First, start our Hyperledger Fabric virtual image and log into it by SSH. Open a Cygwin prompt in Windows and do:

 cd /cygdrive/c/gocode/fabric_java_latest/fabric/devenv

vagrant up

vagrant ssh

Once in Linux, do:

cd /devenv/nodecode/certs

It is important that the name of the computer the TstServiceClient.java program will connect to, i.e. “hyperledger-devenv”, appears in the Elliptic Curve certificate we will generate.


It is also important that this computer name resolves. A good way of ensuring this is to add a line to the file /etc/hosts:

 127.0.0.1  hyperledger-devenv

Next, run the following single OpenSSL command to generate the Elliptic Curve certificate and private key:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp256r1) -keyout ec.key -out ec.crt -days 3650

You will be prompted to enter information. It is critical that you enter the correct value for “Common Name” (the Common Name prompt in the transcript below):

using curve name prime256v1 instead of secp256r1
Generating a 256 bit EC private key
writing new private key to 'ec.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Quebec
Locality Name (eg, city) []:Quebec City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bertrand Szoghy
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:hyperledger-devenv
Email Address []:bertrandszoghy@gmail.com
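As an added example, not from the original post or the grpc-java project: the same kind of self-signed P-256 certificate generated non-interactively, with the hostname also placed in a subjectAltName (which current TLS stacks check instead of the Common Name), followed by the checks worth running before pointing TstServiceServer and TstServiceClient at the files. It assumes OpenSSL 1.1.1 or newer and uses a placeholder organization name.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Generates ec.key / ec.crt for
# the hostname the gRPC client connects to, then verifies them.
# Assumes OpenSSL >= 1.1.1 (needed for -addext).

HOST="hyperledger-devenv"   # the name from the post's /etc/hosts entry

# gen_ec_cert DIR : writes DIR/ec.key and DIR/ec.crt (P-256, 10 years)
gen_ec_cert() {
  local dir="$1"
  # -subj replaces the interactive prompts; the CN is kept for older clients,
  # but the SAN is what modern hostname verification actually consults.
  openssl req -new -x509 -nodes -days 3650 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -subj "/C=CA/ST=Quebec/L=Quebec City/O=Example Org/OU=dev/CN=${HOST}" \
    -addext "subjectAltName=DNS:${HOST}" \
    -keyout "$dir/ec.key" -out "$dir/ec.crt" 2>/dev/null
}

# cert_is_p256 CRT : succeeds if the certificate's public key is on P-256
cert_is_p256() {
  openssl x509 -in "$1" -noout -text | grep -q 'ASN1 OID: prime256v1'
}

# key_matches_cert KEY CRT : succeeds if the private key belongs to the cert
# (compares the SubjectPublicKeyInfo derived from each file)
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_matches_host CRT NAME : succeeds if NAME is covered by the certificate,
# i.e. what the client's hostname check will decide at connect time
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match certificate'
}

# verify_ec_cert DIR NAME : full pre-flight check, returns 0 when all pass
verify_ec_cert() {
  cert_is_p256 "$1/ec.crt" &&
  key_matches_cert "$1/ec.key" "$1/ec.crt" &&
  cert_matches_host "$1/ec.crt" "$2"
}

# usage: ./ec_cert_check.sh /devenv/nodecode/certs
if [ -n "${1:-}" ]; then
  gen_ec_cert "$1" && verify_ec_cert "$1" "$HOST" && echo "ec.crt/ec.key OK for $HOST"
fi
```

A name that is not in the certificate (for example "localhost") makes cert_matches_host fail, which is exactly the error the client would report if the Common Name step above were skipped.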


Now, log in to the virtual machine through the VirtualBox window as user ubuntu:


Next, run the command that launches the graphical user interface:

sudo startxfce4&

Double-click to start Eclipse Neon, accept the workspace.


Expand our “JavaGrpc” Maven project.

Open file com.wordpress.bertranszoghy.grpc.TstServiceServer.java and change lines 11 and 12 from:

File cert = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/server.crt");
File key = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/key.pem");


to:

File cert = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/ec.crt");
File key = new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/ec.key");


Next, open file com.wordpress.bertranszoghy.grpc.TstServiceClient.java and change line 20 from:

.trustManager(new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/server.crt")).build())


to:

.trustManager(new File("/opt/gopath/src/github.com/hyperledger/fabric/devenv/nodecode/certs/ec.crt")).build())


Next, we clean the project by clicking on the project name “JavaGrpc” > menu Project > Clean…


Next, right-click on the “JavaGrpc” project name > Build Project.



Start the Java gRPC server

In Eclipse, right-click on file TstServiceServer.java > Run As > Java Application


The server start on port 7777 is displayed in the console; you can ignore the warning:


Leave the server running.


Run the Java gRPC client

Next, in Eclipse, right-click on file TstServiceClient.java > Run As > Java Application


As before, the communication over SSL/TLS is successful:


(end of post)

Bertrand Szoghy, 2017-06, Quebec City.
