[foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
Peter Williams
home_pw at msn.com
Tue Dec 8 03:51:45 CET 2009
Yes, the exp. is missing (the UI said there was a default, so I didn't
populate the GUI field). Let me try with a hex and then a decimal encoded
exponent.
I'll try again with peter8 (since there is no way to edit peter7, yet).
I'll simplify the subject (vs alt subj) name of the cert, for triage
purposes.
From: Melvin Carvalho [mailto:melvincarvalho at gmail.com]
Sent: Monday, December 07, 2009 6:36 PM
To: Peter Williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
Are you missing the exponent?
On Tue, Dec 8, 2009 at 3:22 AM, Peter Williams <home_pw at msn.com> wrote:
Can anyone suggest what is wrong with the foaf+ssl related elements of
http://foaf.me/peter7 ?
I've managed to (a) mint a cert with a proposed webid, (b) export it to IE,
(c) access https://foaf.me using a client-cert initiated ssl session, (c1)
create a foaf card with the same webid (peter7 nick), and (d) save the
public key of my client cert in the security tab (to populate the
cert.identity property). I can click the foaf.me login button, and the site
DOES redirect to the IDP site (foafssl.org), which DOES prompt for the SSL
client cert (which I supply). The IDP does not seem to recognize/validate the
cert (given the foaf card, perhaps), and returns an error code to the RP.
In the foaf card, the openid property is empty, and the cert module has the
following syntax:-
<rsa:modulus rdf:parseType="Resource">
<cert:hex>00 9e 57 3b 0d 68 6a 3d bd c9 32 51 6c c4 1a 16 44 3c 70 19 b2 ac
ce 5f 67 d0 81 eb 10 2b 03 b2 51 86 07 25 3f fe 4c 68 3b 11 24 3a ee 3b 8c
e1 c5 dd 53 c9 79 24 0b 8a 31 3b 19 e2 66 90 c9 37 b5 97 6d 4d 97 0e e8 4f
2e 72 42 82 aa 20 e9 a3 7f a5 bd b9 60 0f 30 60 7e e7 59 ea 86 29 f7 12 3a
b4 40 93 0d 33 1e 83 6c 09 d8 7b 09 b3 8b c8 bb 5f 0d f9 03 44 22 10 27 2c
a7 c2 e6 8c 0e 6d c4 17 66 9b 21 18 15 10 f3 e9 80 48 da 05 6b 88 b7 b7 36
39 95 3b b9 77 e8 32 1d f6 81 7d c5 6a 9a cb ea 67 a9 82 8b de 82 90 44 a6
7c ae c4 1b 37 f3 a1 31 36 fe a5 8d 3c cf 43 db 7b 9f 4d 2e ac 20 92 de 3d
93 1e 72 e1 b4 48 35 e9 9b aa 28 0c b3 82 dd ea cc 27 46 91 9b 01 41 2b cb
bc 92 c5 e0 e8 29 50 29 94 fd cb 81 e1 42 e2 02 66 74 57 95 47 ab 0b ef 3c
5d 88 74 5d 79 b3 93 33 7a 3f</cert:hex>
</rsa:modulus>
Anyone see anything obviously wrong (e.g. spaces, e.g. the leading 0 in the
modulus to make it positive 2's complement, e.g. lack of an openid property)?
If I need the openid property, what should it be? Same as the webid, in this
case?
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Peter Williams
Sent: Monday, December 07, 2009 5:34 PM
To: foaf-protocols at lists.foaf-project.org
Subject: [foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
On a professional and modern version of windows, create a file called
foo.inf with content similar to:-
[NewRequest]
Subject = "CN=http://foaf.me/peter6#me,CN=Peter Williams"
KeyLength = 2048
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
Exportable = TRUE
ExportableEncrypted = FALSE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
RequestType = Cert
SMIME = FALSE
UserProtected=TRUE
[Extensions]
2.5.29.17 = "{text}URL=http://foaf.me/peter6#me"
NB: where you see "http://foaf.me/peter6#me", perhaps substitute the
webid reported by the foaf.me site as you create a hosted foaf file
there.
Using a command shell whose current directory contains foo.inf, execute the
command
certreq -NEW foo.inf "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
Execute the following command to install/insert the keying material in a key
store (consult a security professional for security/assurance topics).
"%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
Execute
C:\Users\Administrator\Documents>certutil "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
to see what you have done. An earlier run for one of my requests (with
alternative parameters) produced
C:\Users\Administrator\Documents>certutil "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
X509 Certificate:
Version: 3
Serial Number: 6513b07e1e2af19945ef9ce809d27d0d
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Issuer:
CN=http://foaf.me/peter6#me
CN=Peter Williams
NotBefore: 12/7/2009 5:10 PM
NotAfter: 12/7/2010 5:30 PM
Subject:
CN=http://foaf.me/peter6#me
CN=Peter Williams
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 cb 46 e5 c6 25 4f 92
0010 7b 8e 95 fd d5 fe 29 cd a7 04 95 d1 1b 74 1f 36
0020 af 38 ed 31 78 cb a1 de df fb 9e b2 28 aa ab ff
0030 f4 9b 03 2b ff e1 24 85 f2 1c a3 01 bc 1b a4 79
0040 4c 98 06 13 c4 f4 e6 7f c1 af ee d6 ad 25 20 7c
0050 b3 7e 66 8b 43 7e 2f a1 9c 5d eb af 0b a6 85 52
0060 2c 3b df 5b 65 51 52 e9 fb c4 0e 02 cc 70 ba 9d
0070 c0 73 e4 4d 07 f0 21 bb 2e 1b 54 7d eb 71 03 af
0080 f3 c5 20 fc 76 ae ba 1e 52 f0 ae a1 47 dd 62 b2
0090 2e 0e 82 57 a6 e0 03 a5 d0 6b cc 96 4b fa 33 88
00a0 e6 32 88 1f 75 bf 4c 80 d7 38 a9 4c 8c 4e 63 ca
00b0 d4 99 60 65 c3 c4 94 27 a4 e8 d5 05 9b 75 9e 15
00c0 73 a4 db 07 5c 91 b7 26 e4 6e 73 96 f7 66 d4 4f
00d0 18 cc a6 74 10 1e 33 50 89 12 d4 f1 de 59 dd 95
00e0 d6 e6 18 66 ec 99 e4 4c fe e5 63 df 42 01 27 bf
00f0 95 13 c5 5d 13 36 58 cd d9 3d 4a b6 d7 9e 56 7c
0100 b8 ed c4 e6 78 f0 6d 03 09 02 03 01 00 01
Certificate Extensions: 3
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature (80)
2.5.29.17: Flags = 0, Length = 1c
Subject Alternative Name
URL=http://foaf.me/peter6#me
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
28 09 20 5a f2 ac c1 69 1d 56 f2 64 c3 ef 1b c6 86 32 3f f6
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 fb 96 48 66 15 fd 49 6a 91 1b 67 4d 9d b5 06 23
0010 b9 f4 98 c0 82 47 b6 8d f3 0e 40 48 da a5 52 4e
0020 bf 39 35 d0 22 cc b8 20 90 ff d0 12 99 ab 20 30
0030 c5 3c b6 66 64 91 84 0b ed b7 b0 3f e2 4d ed 74
0040 10 be 17 15 6f 77 68 50 22 ff f3 5e 5b 4c e9 75
0050 11 e2 97 8a 3b 5d 04 64 67 10 da 24 1b 1e 38 93
0060 ed ac e8 c1 1a 28 2d 14 db d8 42 3f 4a f9 be 11
0070 c0 f2 4a 9a 38 06 32 2a 08 26 25 8e 79 cd bf 25
0080 83 d6 b9 25 a8 a5 5f a7 2e 16 9b b5 77 7e f9 48
0090 f7 f5 84 d4 44 dc c7 6c 5e a4 8a f6 b1 be 6b a7
00a0 65 f7 f1 27 c3 ea 93 b7 da 4e d3 a7 e1 c0 4f 2b
00b0 fc 14 7b 1b fd 59 c2 47 17 6b c4 68 6c 7b 61 cd
00c0 07 d1 41 ea ca f3 24 be c4 e9 db 11 3f ad c5 0b
00d0 fb bf 24 51 36 b1 cf 87 04 4a f4 2b 59 9c fe 75
00e0 a7 aa d6 ed f6 f8 cb b7 97 6c d1 e4 c2 4d 3b 59
00f0 4a 72 03 a3 45 15 01 a7 10 c2 82 70 2c 50 5b 95
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 28 09 20 5a f2 ac c1 69 1d 56 f2 64 c3 ef 1b c6 86 32 3f f6
Key Id Hash(sha1): 9c 33 c4 78 5b a6 30 22 aa cd 48 97 4e 3a ec 28 80 5a c7 be
Cert Hash(md5): f9 32 a3 88 4c 9a e8 7c e1 d0 fb ab 93 96 4c 78
Cert Hash(sha1): 57 23 49 cc 37 3a df 21 30 91 d4 3a eb de 7f 60 83 52 09 e2
CertUtil: -dump command completed successfully.
In the IE browser, you might use the certificate export wizard to create a .p12
file, which enables you to migrate the (soft) credentials between machines.
I moved them from a Windows Server 2008 EE SP2 to Windows XP Home. From the
home machine, I accessed https://foaf.me/ (a site that duly prompted for my
foaf+ssl cert).
I cannot figure out how to link this client-cert-enabled https with the
happenings at foaf.me (to create a foaf file and bind the cert) or then
login at foaf.me (which redirects to foafssl.org). Hopefully, someone can
post instructions. I can create the partial foaf file at foaf.me, but the
current SSL client cert context (with the webid) doesn't seem to populate
the pubkey wot of the foaf file (though it seems to be trying).
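The check the IDP at foafssl.org has to make, namely that the RSA key in the presented client cert equals the rsa:modulus and rsa:public_exponent published in the FOAF card, as an added example that is not code from this thread, from foaf.me or from foafssl.org. It parses the RSAPublicKey DER quoted in the certutil dump above (the peter6 cert) and compares it against cert:hex text in the spaced, leading-00 layout of the peter7 card, including the missing-exponent case raised in the thread; the function names are my own.

```python
# Added example (not code from the thread, foaf.me or foafssl.org): the
# comparison a foaf+ssl identity provider makes between the RSA public key in
# the presented client cert and the rsa:modulus / rsa:public_exponent in the
# FOAF card. The DER below is the RSAPublicKey from the certutil dump above.
import re

PUBLIC_KEY_DER = bytes.fromhex(
    "3082010a0282010100cb46e5c6254f927b8e95fdd5fe29cda70495d11b741f36"
    "af38ed3178cba1dedffb9eb228aaabfff49b032bffe12485f21ca301bc1ba479"
    "4c980613c4f4e67fc1afeed6ad25207cb37e668b437e2fa19c5debaf0ba68552"
    "2c3bdf5b655152e9fbc40e02cc70ba9dc073e44d07f021bb2e1b547deb7103af"
    "f3c520fc76aeba1e52f0aea147dd62b22e0e8257a6e003a5d06bcc964bfa3388"
    "e632881f75bf4c80d738a94c8c4e63cad4996065c3c49427a4e8d5059b759e15"
    "73a4db075c91b726e46e7396f766d44f18cca674101e33508912d4f1de59dd95"
    "d6e61866ec99e44cfee563df420127bf9513c55d133658cdd93d4ab6d79e567c"
    "b8edc4e678f06d03090203010001")

def der_tlv(buf, pos):
    """Minimal DER reader: (tag, value, next_pos) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_public_key(der):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, seq, end = der_tlv(der, 0)
    tag_n, n, pos = der_tlv(seq, 0)
    tag_e, e, _ = der_tlv(seq, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02) or end != len(der):
        raise ValueError("not a well-formed RSAPublicKey")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def cert_hex_to_int(text):
    """Drop spaces and other non-hex characters; the leading 00 sign byte does not alter the value."""
    return int(re.sub(r"[^0-9a-fA-F]", "", text), 16)

def as_cert_hex(value):
    """Render an integer in the peter7 card's layout: spaced hex pairs with a leading 00."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return " ".join(f"{b:02x}" for b in b"\x00" + raw)

def profile_matches_cert(cert_hex_modulus, public_exponent, der):
    """The IDP's decision: the card must carry both values and both must equal the cert's."""
    if public_exponent is None:       # rsa:public_exponent left out, as in the peter7 card
        return False
    n, e = parse_rsa_public_key(der)
    return cert_hex_to_int(cert_hex_modulus) == n and int(public_exponent) == e
```

With the exponent omitted the comparison fails regardless of how the modulus is written, which is the symptom reported for peter7; spaces and the leading 00 are harmless.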