[foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
Peter Williams
home_pw at msn.com
Tue Dec 8 04:33:30 CET 2009
With exponent added (and an openid property == webid added, too),
simplelogin says what is included below.
So the guts of the process is working.
Now to make the login work (so I can edit the foaf card). Any ideas?
In pure math, the 2 modulus integers are not actually equal (given they are
2s complement). Is that the issue?
FOAF+SSL Simple Login Page
Not Logged In
SSL Client Certificate: detected!
Client Certificate Public Key detected! (HEX):
Array
(
[modulus] =>
B881394BEF1AAE5DC31B6D73D9C217AA1388A253E5833CB33D37E78BBEEEECD62F8306C06AC0
D3EF7EB9CBF84618789CDF194517748C76CEDD3629C32032F4919917C1C982F6373271594976
4FACC5A367D70DF123C7069AB5ABC70E63152239B2A8F0B980DC25ED49250DDF51E657BC7954
D8A45B44DEBC65177500894B795CD049812A86C1250DD7759F8B883034E1719AAC5B5BFD31BE
406877A4AB369FB7BCF705E02AA5DB8043A26E9D169AEB13F4DD87AD1407DAB9ED225E024947
EBE3A8DE95D102D422041B512DCA32E73B4C06BFF60DC86BD47BBB7A8CF45E3DCF6A4246CB75
81FAB7BD9EB0A5D4DC649C575BB30AF10893F115FA0D9E89014AEA23
[exponent] => 65537
)
Subject Alt Name (FOAF Profile): detected!: http://foaf.me/peter8#me
FOAF Remote Public Key found in http://foaf.me/peter8#me:
Array
(
[modulus] =>
00B881394BEF1AAE5DC31B6D73D9C217AA1388A253E5833CB33D37E78BBEEEECD62F8306C06A
C0D3EF7EB9CBF84618789CDF194517748C76CEDD3629C32032F4919917C1C982F63732715949
764FACC5A367D70DF123C7069AB5ABC70E63152239B2A8F0B980DC25ED49250DDF51E657BC79
54D8A45B44DEBC65177500894B795CD049812A86C1250DD7759F8B883034E1719AAC5B5BFD31
BE406877A4AB369FB7BCF705E02AA5DB8043A26E9D169AEB13F4DD87AD1407DAB9ED225E0249
47EBE3A8DE95D102D422041B512DCA32E73B4C06BFF60DC86BD47BBB7A8CF45E3DCF6A4246CB
7581FAB7BD9EB0A5D4DC649C575BB30AF10893F115FA0D9E89014AEA23
[exponent] => 65537
)
From: Melvin Carvalho [mailto:melvincarvalho at gmail.com]
Sent: Monday, December 07, 2009 6:36 PM
To: Peter Williams
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
Are you missing the exponent?
On Tue, Dec 8, 2009 at 3:22 AM, Peter Williams <home_pw at msn.com> wrote:
Can anyone suggest what is wrong with the foaf+ssl related elements of
http://foaf.me/peter7 ?
I've managed to (a) mint a cert with a proposed webid, (b) export it to IE,
(c) access https://foaf.me using a client-cert initiated ssl session, (c1)
create a foaf card with the same webid (peter7 nick), and (d) save the
public key of my client cert in the security tab (to populate the
cert.identity property). I can click the foaf.me login button, and the site
DOES redirect to the IDP site (foafssl.org), which DOES prompt for the SSL
client cert (which I supply). The IDP does not seem to recognize/validate the
cert (given the foaf card, perhaps), and returns an error code to the RP.
In the foaf card, the openid property is empty, and the cert module has the
following syntax:-
<rsa:modulus rdf:parseType="Resource">
<cert:hex>00 9e 57 3b 0d 68 6a 3d bd c9 32 51 6c c4 1a 16 44 3c 70 19 b2 ac
ce 5f 67 d0 81 eb 10 2b 03 b2 51 86 07 25 3f fe 4c 68 3b 11 24 3a ee 3b 8c
e1 c5 dd 53 c9 79 24 0b 8a 31 3b 19 e2 66 90 c9 37 b5 97 6d 4d 97 0e e8 4f
2e 72 42 82 aa 20 e9 a3 7f a5 bd b9 60 0f 30 60 7e e7 59 ea 86 29 f7 12 3a
b4 40 93 0d 33 1e 83 6c 09 d8 7b 09 b3 8b c8 bb 5f 0d f9 03 44 22 10 27 2c
a7 c2 e6 8c 0e 6d c4 17 66 9b 21 18 15 10 f3 e9 80 48 da 05 6b 88 b7 b7 36
39 95 3b b9 77 e8 32 1d f6 81 7d c5 6a 9a cb ea 67 a9 82 8b de 82 90 44 a6
7c ae c4 1b 37 f3 a1 31 36 fe a5 8d 3c cf 43 db 7b 9f 4d 2e ac 20 92 de 3d
93 1e 72 e1 b4 48 35 e9 9b aa 28 0c b3 82 dd ea cc 27 46 91 9b 01 41 2b cb
bc 92 c5 e0 e8 29 50 29 94 fd cb 81 e1 42 e2 02 66 74 57 95 47 ab 0b ef 3c
5d 88 74 5d 79 b3 93 33 7a 3f</cert:hex>
</rsa:modulus>
Anyone see anything obviously wrong (e.g. spaces, e.g. the leading 0 in the
modulus to make it positive 2's complement, e.g. lack of openid property)?
If I need the openid property, what should it be? Same as the webid, in this
case?
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Peter
Williams
Sent: Monday, December 07, 2009 5:34 PM
To: foaf-protocols at lists.foaf-project.org
Subject: [foaf-protocols] webid-enabled client cert, with any modern (and professional) version of windows
On a professional and modern version of windows, create a file called
foo.inf with content similar to:-
[NewRequest]
Subject = "CN=http://foaf.me/peter6#me,CN=Peter Williams"
KeyLength = 2048
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
Exportable = TRUE
ExportableEncrypted = FALSE
KeySpec = "AT_KEYEXCHANGE"
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
RequestType = Cert
SMIME = FALSE
UserProtected=TRUE
[Extensions]
2.5.29.17 = "{text}URL=http://foaf.me/peter6#me"
NB Where you see "http://foaf.me/peter6#me", perhaps substitute the
webid reported by the foaf.me site, as you create a hosted foaf file
there.
Using a command shell whose current directory contains foo.inf, execute the
command
certreq -NEW foo.inf "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
Execute the following command to install/insert the keying material in a key
store (consult a security professional for security/assurance topics).
"%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
Execute
C:\Users\Administrator\Documents>certutil "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
to see what you have done. An earlier run for one of my requests (with
alternative parameters) produced
C:\Users\Administrator\Documents>certutil "%USERPROFILE%\My Documents\Fiddler2\ClientCertificate.cer"
X509 Certificate:
Version: 3
Serial Number: 6513b07e1e2af19945ef9ce809d27d0d
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Issuer:
CN=http://foaf.me/peter6#me
CN=Peter Williams
NotBefore: 12/7/2009 5:10 PM
NotAfter: 12/7/2010 5:30 PM
Subject:
CN=http://foaf.me/peter6#me
CN=Peter Williams
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 cb 46 e5 c6 25 4f 92
0010 7b 8e 95 fd d5 fe 29 cd a7 04 95 d1 1b 74 1f 36
0020 af 38 ed 31 78 cb a1 de df fb 9e b2 28 aa ab ff
0030 f4 9b 03 2b ff e1 24 85 f2 1c a3 01 bc 1b a4 79
0040 4c 98 06 13 c4 f4 e6 7f c1 af ee d6 ad 25 20 7c
0050 b3 7e 66 8b 43 7e 2f a1 9c 5d eb af 0b a6 85 52
0060 2c 3b df 5b 65 51 52 e9 fb c4 0e 02 cc 70 ba 9d
0070 c0 73 e4 4d 07 f0 21 bb 2e 1b 54 7d eb 71 03 af
0080 f3 c5 20 fc 76 ae ba 1e 52 f0 ae a1 47 dd 62 b2
0090 2e 0e 82 57 a6 e0 03 a5 d0 6b cc 96 4b fa 33 88
00a0 e6 32 88 1f 75 bf 4c 80 d7 38 a9 4c 8c 4e 63 ca
00b0 d4 99 60 65 c3 c4 94 27 a4 e8 d5 05 9b 75 9e 15
00c0 73 a4 db 07 5c 91 b7 26 e4 6e 73 96 f7 66 d4 4f
00d0 18 cc a6 74 10 1e 33 50 89 12 d4 f1 de 59 dd 95
00e0 d6 e6 18 66 ec 99 e4 4c fe e5 63 df 42 01 27 bf
00f0 95 13 c5 5d 13 36 58 cd d9 3d 4a b6 d7 9e 56 7c
0100 b8 ed c4 e6 78 f0 6d 03 09 02 03 01 00 01
Certificate Extensions: 3
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature (80)
2.5.29.17: Flags = 0, Length = 1c
Subject Alternative Name
URL=http://foaf.me/peter6#me
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
28 09 20 5a f2 ac c1 69 1d 56 f2 64 c3 ef 1b c6 86 32 3f f6
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 fb 96 48 66 15 fd 49 6a 91 1b 67 4d 9d b5 06 23
0010 b9 f4 98 c0 82 47 b6 8d f3 0e 40 48 da a5 52 4e
0020 bf 39 35 d0 22 cc b8 20 90 ff d0 12 99 ab 20 30
0030 c5 3c b6 66 64 91 84 0b ed b7 b0 3f e2 4d ed 74
0040 10 be 17 15 6f 77 68 50 22 ff f3 5e 5b 4c e9 75
0050 11 e2 97 8a 3b 5d 04 64 67 10 da 24 1b 1e 38 93
0060 ed ac e8 c1 1a 28 2d 14 db d8 42 3f 4a f9 be 11
0070 c0 f2 4a 9a 38 06 32 2a 08 26 25 8e 79 cd bf 25
0080 83 d6 b9 25 a8 a5 5f a7 2e 16 9b b5 77 7e f9 48
0090 f7 f5 84 d4 44 dc c7 6c 5e a4 8a f6 b1 be 6b a7
00a0 65 f7 f1 27 c3 ea 93 b7 da 4e d3 a7 e1 c0 4f 2b
00b0 fc 14 7b 1b fd 59 c2 47 17 6b c4 68 6c 7b 61 cd
00c0 07 d1 41 ea ca f3 24 be c4 e9 db 11 3f ad c5 0b
00d0 fb bf 24 51 36 b1 cf 87 04 4a f4 2b 59 9c fe 75
00e0 a7 aa d6 ed f6 f8 cb b7 97 6c d1 e4 c2 4d 3b 59
00f0 4a 72 03 a3 45 15 01 a7 10 c2 82 70 2c 50 5b 95
Signature matches Public Key
Root Certificate: Subject matches Issuer
Key Id Hash(rfc-sha1): 28 09 20 5a f2 ac c1 69 1d 56 f2 64 c3 ef 1b c6 86 32 3f f6
Key Id Hash(sha1): 9c 33 c4 78 5b a6 30 22 aa cd 48 97 4e 3a ec 28 80 5a c7 be
Cert Hash(md5): f9 32 a3 88 4c 9a e8 7c e1 d0 fb ab 93 96 4c 78
Cert Hash(sha1): 57 23 49 cc 37 3a df 21 30 91 d4 3a eb de 7f 60 83 52 09 e2
CertUtil: -dump command completed successfully.
In IE browser, you might use the certificate export wizard to create a .p12
file, which enables you to migrate the (soft) credentials between machines.
I moved them from a windows server 2008 EE SP2 to Windows XP Home. From the
home machine, I accessed https://foaf.me/ (a site that duly prompted for my
foaf+ssl cert).
I cannot figure out how to link this client-cert-enabled https with the
happenings at foaf.me (to create a foaf file and bind the cert) or then
login at foaf.me (which redirects to foafssl.org). Hopefully, someone can
post instructions. I can create the partial foaf file at foaf.me, but the
current SSL client cert context (with the webid) doesn't seem to populate
the pubkey wot of the foaf file (though it seems to be trying.)
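The thread turns on one detail: the simplelogin output above shows the client cert's modulus without a leading "00" while the FOAF card's modulus carries one, the quoted question asks whether "the leading 0 in the modulus to make it positive 2's complement" is the problem, and the certutil dump shows where that byte comes from (the "02 82 01 01 00 cb 46 ..." INTEGER inside the RSAPublicKey SEQUENCE). The following is an added example, not code from this thread or from foaf.me / foafssl.org. It encodes and parses the DER RSAPublicKey structure certutil dumps, parses the cert:hex text form from a FOAF card, and shows that the two hex strings differ while the integers agree, which is why a FOAF+SSL verifier should compare moduli numerically. SAMPLE_MODULUS is a constructed 256-bit value (far too small for a real key) chosen so its top bit is set; the function names are this example's own.

```python
"""Added illustration (not code from this thread or from foaf.me / foafssl.org):
why a FOAF+SSL verifier compares RSA moduli as integers, not as hex strings.

DER INTEGERs are two's complement, so a modulus whose top bit is set carries a
0x00 pad byte. The login page printed the modulus without it, the FOAF card's
cert:hex carried it (plus spaces); the string forms differ, the numbers agree.
SAMPLE_MODULUS is a constructed 256-bit value with its top bit set, not a
usable key."""
import re

# Constructed sample modulus: top nibble 0xB sets the high bit, so DER pads it.
SAMPLE_MODULUS = int(
    "B881394BEF1AAE5DC31B6D73D9C217AA1388A253E5833CB33D37E78BBEEEECD6", 16)
SAMPLE_EXPONENT = 65537


def der_length(n):
    """DER length: short form below 0x80, otherwise 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """Non-negative INTEGER; a 0x00 pad keeps a set top bit from reading as negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def encode_rsa_public_key(modulus, exponent):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(modulus) + der_integer(exponent)
    return b"\x30" + der_length(len(content)) + content


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV at pos, rejecting truncation."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Parse RSAPublicKey DER (the bytes certutil lists under 'Public Key')."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_m, mod, pos = _read_tlv(seq, 0)
    tag_e, exp, _ = _read_tlv(seq, pos)
    if tag_m != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(mod, "big"), int.from_bytes(exp, "big")


def parse_certutil_dump(text):
    """Turn certutil-style 'offset b0 b1 ...' lines back into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))  # drop the offset column
    return bytes(out)


def parse_cert_hex(text):
    """cert:hex tolerates whitespace and a leading 00; anything else is an error."""
    digits = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("non-hex character in cert:hex")
    return int(digits, 16)


def demo():
    """Return (string_compare_equal, integer_compare_equal) for the sample key."""
    der = encode_rsa_public_key(SAMPLE_MODULUS, SAMPLE_EXPONENT)
    # Render the DER the way certutil prints it, then read it back.
    dump = "\n".join(f"{off:04x} {der[off:off + 16].hex(' ')}"
                     for off in range(0, len(der), 16))
    cert_key = parse_rsa_public_key(parse_certutil_dump(dump))
    # What the login page printed: bare uppercase hex, no pad byte.
    page_hex = f"{SAMPLE_MODULUS:X}"
    # What the FOAF card carries: spaced lowercase hex including the DER pad byte.
    card_hex = (b"\x00" + SAMPLE_MODULUS.to_bytes(32, "big")).hex(" ")
    as_strings = page_hex == card_hex.replace(" ", "").upper()
    as_integers = cert_key == (parse_cert_hex(card_hex), SAMPLE_EXPONENT)
    return as_strings, as_integers


if __name__ == "__main__":
    print(demo())  # (False, True): the hex strings differ, the integers agree
```

The parser rejects truncated DER and non-hex characters in cert:hex rather than silently comparing partial values, since a verifier that strips "unexpected" characters or pads can be made to accept a key it should not; normalising both sides to an integer, as parse_cert_hex and parse_rsa_public_key do, removes the leading-zero and whitespace differences without loosening the match.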