Thursday, November 30, 2017

The whole shebang on Cryptography, SSL Certificates, IPSec, SSH - Part 4

The whole shebang on SSH

Part 1 > Part 2 > Part 3 > Part 4

How SSL Certificates / IPSec / SSH differ ...

SSH (Secure Shell)


If you want to learn about Cryptography > Part 1 - The whole shebang on SSL certificates
If you want to learn about SSL certificates > Part 2 - The whole shebang on Cryptography
If you want to learn about SSH > Part 3 - The whole shebang on IPSec

The whole shebang on Cryptography, SSL Certificates, IPSec, SSH - Part 3

The whole shebang on IPSec

Part 1 > Part 2 > Part 3 > Part 4

How SSL Certificates / IPSec / SSH differ ...

IP Sec (Internet Protocol Security)


If you want to learn about Cryptography > Part 1 - The whole shebang on SSL certificates
If you want to learn about SSL certificates > Part 2 - The whole shebang on Cryptography
If you want to learn about SSH > Part 4 - The whole shebang on SSH

The whole shebang on Cryptography, SSL Certificates, IPSec, SSH - Part 2

The whole shebang on SSL Certificates

Part 1 > Part 2 > Part 3 > Part 4

How SSL Certificates / IPSec / SSH differ ...

SSL certificates

What is an SSL certificate?
  • A certificate is simply a way of validating that a site really is what it says it is.
  • Certificates are used when you have decided to use asymmetric encryption for your data exchange process.
  • Certificates hold public keys, not private keys. (You will not be able to store or find a private key inside a certificate.)
A legitimate company (Pizza Hut) would,

  1. submit its company information to a registered certification authority (CA).
  2. obtain an SSL certificate from the CA.
  3. install the SSL certificate on its web site.

When a client accesses their website (the Pizza Hut web site) via a web browser,

  1. The browser performs an SSL handshake between the customer's browser and the web server.
  2. In the SSL handshake, the client browser asks the web server to prove its authenticity.
  3. In response, the server sends its certificate chain (root, primary and intermediate certificates) to the client browser.
  4. The browser then checks this certificate chain against its locally stored certificates, as every browser ships with the legitimate root certificates of trusted authorities for verifying the SSL handshake.
    E.g : Mozilla Included CA Certificate List    Apple Included CA Certificate List



Trusted Certificate Authority (CA)?

  • Certificate Authorities / CAs, issue Digital Certificates. 
  • Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.

Certificate chain?

A certificate chain is an ordered list of certificates containing:
  • User Certificate /End entity Certificate /Leaf Certificate
  • Intermediary Certificate/s 
  • Root Certificate
The chain or path begins with the User certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.

Use SSL Checker to identify the certificate chain installed on a site.
SSL Checker on https://www.pizzahut.com/


Types of Certificates?
-User Certificate /End entity Certificate /Leaf Certificate

  • A digitally signed statement issued by a Certificate Authority to a person or system.
  • It cannot be used to sign other certificates.
  • It is the certificate that is installed on a site. (E.g: https://pizzahut.com)

-Intermediate Certificate/s

  • Any certificate that sits between the User Certificate and the Root Certificate is called a chain or Intermediate Certificate. 
  • A certificate used to sign other certificates, which is not self-signed. 
  • An intermediate certificate must be signed by another intermediate certificate, or a root certificate.
-Root Certificate

  • The Root CA certificate is always signed by the CA itself.
  • A self-signed certificate used to sign other certificates.
  • The root certificate is critically important: the signatures of all certificates in the chain must be verified up to the Root CA certificate.


Self Signed Certificate ?

  • A certificate which is not signed by a CA.
  • A certificate with a subject that matches its issuer, and a signature that can be verified by its own public key. 

Certificate standards
A certificate standard defines the format of public key certificates.

X.509 standard (format for public key certificates)

  • Certificate
    • Version Number
    • Serial Number
    • Signature Algorithm ID
    • Issuer Name
    • Validity period
      • Not Before
      • Not After
    • Subject name
    • Subject Public Key Info
      • Public Key Algorithm
      • Subject Public Key
    • Issuer Unique Identifier (optional)
    • Subject Unique Identifier (optional)
    • Extensions (optional)
      • ...
  • Certificate Signature Algorithm
  • Certificate Signature
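Added example (not from the original post, and not the author's code) showing how the X.509 fields listed above sit in the DER encoding of a certificate, and how the root / intermediate / leaf roles and the issuer-to-subject linking of a chain described earlier follow from them. Everything is constructed: the sample certificates carry a placeholder key and signature, so this demonstrates the structure and the chain-ordering check, not cryptographic signature verification.

```python
CN_OID = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
BC_OID = bytes.fromhex("551d13")   # id-ce-basicConstraints 2.5.29.19
def der(tag, body):  # encode one DER TLV with a short- or long-form length
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def children(body):  # decode a SEQUENCE/SET body into [(tag, value), ...]
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:                                    # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out
def name(cn):  # Name ::= SEQUENCE OF SET OF {type OID, value PrintableString}, CN only
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode()))))

def make_cert(subject, issuer, ca, serial=1):  # constructed v3 certificate, placeholder key and signature
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"171130000000Z") + der(0x17, b"181130000000Z"))  # UTCTime pair
    spki = der(0x30, alg + der(0x03, b"\x00" + b"\x01" * 8))          # placeholder SubjectPublicKeyInfo
    bc = der(0x30, der(0x01, b"\xff") if ca else b"")   # BasicConstraints; cA DEFAULT FALSE is omitted
    ext = der(0x30, der(0x06, BC_OID) + der(0x01, b"\xff") + der(0x04, bc))   # critical = TRUE
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg + name(issuer)
           + validity + name(subject) + spki + der(0xA3, der(0x30, ext)))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00" * 9))   # Certificate ::= {tbs, alg, sig}
def common_name(name_body):  # value of the first CN attribute in a Name
    attrs = [children(atv) for _, rdn in children(name_body) for _, atv in children(rdn)]
    return next(v.decode() for (_, oid), (_, v) in attrs if oid == CN_OID)

def parse_cert(raw):  # the top-level fields from the X.509 outline above, plus the post's chain role
    (_, cert), = children(raw)
    (_, tbs), (_, sig_alg), (_, sig) = children(cert)
    f = children(tbs)
    version, f = (f[0][1][2] + 1, f[1:]) if f[0][0] == 0xA0 else (1, f)   # [0] absent means v1
    nb, na = (v.decode() for _, v in children(f[3][1]))        # Validity: Not Before / Not After
    is_ca = False
    for tag, val in f[6:]:                                     # optional [1]/[2] UIDs, [3] Extensions
        if tag == 0xA3:
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)                          # extnID, [critical], extnValue
                if parts[0][1] == BC_OID:
                    (_, bc), = children(parts[-1][1])          # OCTET STRING wraps the SEQUENCE
                    is_ca = any(t == 0x01 and v == b"\xff" for t, v in children(bc))
    info = {"version": version, "serial": int.from_bytes(f[0][1], "big"), "is_ca": is_ca,
            "issuer": common_name(f[2][1]), "subject": common_name(f[4][1]), "not_before": nb, "not_after": na}
    info["self_signed"] = info["issuer"] == info["subject"]    # subject matches issuer
    info["kind"] = "root" if is_ca and info["self_signed"] else "intermediate" if is_ca else "leaf"
    return info
def chain_is_ordered(chain):  # leaf first, each issuer named by the next cert, ending at a self-signed root
    infos = [parse_cert(c) for c in chain]   # real validation also verifies each signature with the next key
    links = all(a["issuer"] == b["subject"] and b["is_ca"] for a, b in zip(infos, infos[1:]))
    return links and infos[0]["kind"] == "leaf" and infos[-1]["kind"] == "root"
```

Feeding `parse_cert` a real DER certificate (for example the output of `openssl x509 -outform DER`) prints the same fields; only the helper names here are invented for the example.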

CSR (Certificate Signing Request) ?
  • A CSR contains information such as your domain name, your organization's name and your location, and is filled out and submitted to a Certificate Authority (CA) such as SSL.com.

  • The information in a CSR is used to verify and create your SSL certificate.
  • Most importantly, it also contains the public key that will be included in your certificate.
A CSR (Certificate Signing Request) that needs to be submitted to a Certificate Authority (CA) looks like the following (most CSRs are created in the Base-64 encoded PEM format),



How do I generate a CSR and private key?

If you are familiar with OpenSSL, you can use the following command to generate a CSR and private key:
openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

Or else, you can follow one of the guidelines provided in the links and use the GUI tool,


Note : The private key must not be shared with any party (not even with the CA) except your intended parties. The CA only requires the CSR to provide you with an SSL certificate.

Certificate Containers / Key Stores

Certificate container standards

PKCS#12 (.p12 extension) : a standard for a container which can hold X.509 certificates and the corresponding private keys.


E.g : If you're examining a PKCS#12 file (typically .p12 extension), then you already know:
  • It contains at least one X.509 client certificate, which contains a public key; and
  • It contains the corresponding private key(s).

What are types of key stores?


Useful facts when working with Certificates

Useful commands in private key/certificate conversion




For Advanced Learners


If you want to learn about Cryptography > Part 1 - The whole shebang on Cryptography
If you want to learn about IPSec > Part 3 - The whole shebang on IPSec
If you want to learn about SSH > Part 4 - The whole shebang on SSH


Tuesday, December 20, 2016

Dreamers and Realists

There are dreamers and there are realists in this world...








You might think the dreamers would find the dreamers and the realists would find the realists to work with, but more often they do not. The truth is the opposite ...

Dreamers need the realists to keep them from soaring too close to the sun ...

And the realists, without the dreamers they might not ever get off the ground ...



The important fact here is, you and I both are lucky to have these pumpkins and poppies in our teams.. (No matter what industry we are in...)

Wednesday, June 1, 2016

Continuous Inspection with SonarQube / Sonar plugins Part 1

Introduction to SonarQube

Part 1 >  Part 2 > Part 3  > Part 4

This is the first part of a series of posts on Continuous Inspection / Code Quality Assessment with SonarQube, and will cover the use case along with installation / configuration details.

What is SonarQube? 


SonarQube is a central place to manage code quality. It visualizes reporting on and across projects and lets us replay the past evolution of projects. If you are aware of code quality checking plugins such as Checkstyle, FindBugs, PMD, etc., SonarQube can be thought of as a collection of these plugins and more.

SonarQube,
  • Analyzes source code and byte code.
  • Computes hundreds of metrics.
  • Provides moment-in-time quality snapshots (associates metrics with analysis snapshots).
  • Gives trends of lagging and leading indicators.
  • Tracks developers' 7 deadly sins (explained below).
  • Shows the results in dashboards and widgets, which are accessible from any browser.


What is Code Quality?


in Gibberish -
Code Quality is a collection of factors such as the Usability, Maintainability, Error management and Efficiency of a piece of code.


in Simple Language -
It is an indicator of how quickly developers can add business value to a software system.

Why Measure Code Quality?


Because,
  • A system is never "finished". (We don't know where we will need to modify it in the future.)
  • You cannot improve what you don't measure.
  • The Broken Windows Theory!
  • If the system were a person, the source code would be its heart.


What to Measure as Code Quality?


The makers of SonarQube, SonarSource, have introduced seven things to measure as Code Quality. They call them "The 7 Deadly Sins":
  1. Bugs and Potential Bugs
  2. Coding Standards Breach
  3. Duplication
  4. Lack of Unit Tests
  5. Bad Distribution of Complexity
  6. Spaghetti Design
  7. Not Enough or Too Many Comments


How to Measure Code Quality?


Of course, that's where we use SonarQube. It's a tool for measuring the quality of code...

SonarQube is just one part of a code quality management process. Such a process may also include,
  • Code reviews (including code freezes)
  • Pair programming, etc.
Code Freeze - If the current level of code quality is below the acceptance level, new code generation is stopped at a point. All team members then work on improving the code quality until they reach the acceptable quality level. Only then does development begin again...
It is important to keep in mind that you should use the aforesaid quality management methods alongside SonarQube. If not, your expectations of this amazing tool might not be achieved.
"Start where you stand, and work with whatever tools you may have at your command, and better tools will be found as you go along" - George Herbert

SonarQube for every Programming Language?


  • SonarQube was initially developed for Java.
  • Today it supports over 20 languages (C, C++, Android, Java, JavaScript, etc.)
  • List of Supported Languages.

If you want to learn how to install and configure SonarQube > Part 2 - SonarQube Installation and Configuration
If you want to analyze your source code straight away > Part 3 - Continuous Inspection With Sonar (The Sonar Way)
If you want to configure the Sonar plugin for Eclipse > Part 4 - Sonar Plugin Installation and Configuration for Eclipse IDE

Saturday, May 7, 2016

Continuous Inspection with SonarQube / Sonar plugins Part 4

Sonar Plugin Installation and Configuration for Eclipse IDE

Part 1 > Part 2 > Part 3 > Part 4

It is important to have at least one project appearing in the SonarQube server's dashboard before starting this section.
(If you do not have projects in your SonarQube server, please follow Part 2 - Continuous Inspection With Sonar of this article.)

SonarLint Plugin



  • This plugin is also available on the Eclipse Marketplace.
  • You can visit the marketplace and drag/drop the "Install" button onto your Eclipse IDE. (It will start the installation process for you.)

  • Or else, inside the Eclipse IDE go to "Help" > "Eclipse Marketplace".



  • Type "sonarlint" in the Find: section of the Eclipse Marketplace and hit Enter.
  • When the search result appears, click on the "Install" button.

  • When the "Confirm Selected Features" screen appears, select "SonarLint for Eclipse" and "SonarLint for Eclipse Java Configuration Helper".
  • Then click the Confirm button.



  • When the "Review Licenses" screen appears, select the "I accept the terms of the license agreement" radio button and click on the Finish button.

  • Eclipse will continue the SonarLint plugin installation.
  • When it asks to restart the IDE to finish the installation, allow it to do so.
  • Once Eclipse restarts, create a sample Java project with the structure shown below.
CoreJavaDemo (Project)
     |--MySonar (Package)
              |--HelloWorld.java (Class)


  • Right-click on the project and select "SonarLint" > "Bind to a SonarQube project".


  • When the "Bind Eclipse projects to SonarQube projects" screen opens, select the Eclipse project (CoreJavaDemos) and type a SonarQube project name (one that already exists in the SonarQube dashboard).


  • If the "Select a SonarQube server:" drop-down list does not have localhost as a value, configure it with the following values. To check whether the server is accessible, click on the "Test server" button after providing the details below.
Server name : http://localhost:9000/
User : admin
Password : admin

  • Finally, go to "Window" > "Show View" and select the "SonarLint Issues" view.


  • Now the SonarLint plugin will analyze the source code being developed in the Eclipse project and notify you of issues in real time. (A summary of issues is displayed in the SonarLint Issues view.)





Continuous Inspection with SonarQube / Sonar plugins Part 3

Continuous Inspection With Sonar (The Sonar Way)

Part 1 > Part 2 > Part 3 > Part 4

Analyzing Java Projects with Maven

(Please note that, in order to perform this step in a simple manner, the SonarQube server should be running on the default port - localhost:9000. If it is not, additional Maven configuration needs to be done as well.)

Analyzing a Maven project with SonarQube is easy. Only a few simple steps need to be followed in order to perform this analysis.
(If you do not have a Maven project, please download the following test project and extract it to a preferred location.)

  • Open a command line (Run > type "cmd").
  • Go to the Java Maven project folder (where the "pom.xml" is located).

  • Type "mvn sonar:sonar" and hit Enter. (Maven will start analyzing the project.)



(A "BUILD SUCCESS" message at the end of the analysis confirms that the analysis has completed successfully.)

You should now be able to see your Java project in the SonarQube dashboard.



Analyzing Unit Test Results / Code Coverage for Java Maven Projects

(Please note that you must include a set of plugins in your pom.xml to analyze the code coverage.
E.g : "junit", "maven-surefire-plugin", "sonar-jacoco-listeners")

If you do not have the "junit", "maven-surefire-plugin" and "sonar-jacoco-listeners" plugins in your pom.xml, simply copy and paste the same plugins from the following pom.xml.

pom.xml :
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  
  <groupId>com.mitrai</groupId>
  <artifactId>test</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  
  <name>Java :: Mitrai-TestProject :: UT Coverage with JaCoCo</name>
  
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <!-- Minimal supported version is 4.7 -->
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
  </dependencies>  
  
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.3</version>
        <configuration>
          <source>1.5</source>
          <target>1.5</target>
        </configuration>
      </plugin>
    </plugins>
  </build>
  
  <!-- BEGIN: Specific to mapping unit tests and covered code -->
  <profiles>
    <profile>
      <id>coverage-per-test</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-surefire-plugin</artifactId>
            <!-- Minimal supported version is 2.4 -->
            <version>2.13</version>
            <configuration>
              <properties>
                <property>
                  <name>listener</name>
                  <value>org.sonar.java.jacoco.JUnitListener</value>
                </property>
              </properties>
            </configuration>
          </plugin>
        </plugins>
      </build>

      <dependencies>
        <dependency>
          <groupId>org.sonarsource.java</groupId>
          <artifactId>sonar-jacoco-listeners</artifactId>
          <version>3.8</version>
          <scope>test</scope>
        </dependency>
      </dependencies>
    </profile>
  </profiles>
  <!-- END: Specific to mapping unit tests and covered code -->
</project>

Also note that having the above plugins will analyze 0 unit tests if you do not have any unit tests written in your code. (If you are using the test Java Maven project, you will note that there is one unit test case while it is being analyzed.)
  • Open a command line (Run > type "cmd").
  • Go to the Java Maven project folder (where the "pom.xml" is located).
  • Type "mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install" and hit Enter. (Maven will prepare the JaCoCo agent to allow coverage report generation, build the project, and execute the unit tests.)


  • Type "mvn sonar:sonar" and hit Enter. (Maven will start analyzing the project along with the unit test results created in the previous step and publish the results to the SonarQube dashboard.)

The SonarQube dashboard should now contain your Java project's analysis results along with the unit test results / code coverage.




