[foaf-protocols] HOWTO: Use FOAF+SSL from a command line

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Mon Apr 12 13:19:40 CEST 2010


Hi Melvin,

How about *NOT* using --no-check-certificate, but --ca-certificate or 
--ca-directory instead, with wget? Not checking the server certificate 
defeats the point of using TLS.

For curl, the options are similar: --cert, --key, --cacert, --capath. 
However, the user's certificate must be in PEM format (this is what's 
produced by the openssl command you've given anyway, so that's not a 
problem).

Best wishes,

Bruno.

Melvin Carvalho wrote:
> 1. Preparation
> ===========
> 
> You are assumed to already have a FOAF+SSL certificate in your browser.
> 
> If you have not already, save a backup of this (in firefox 
> Edit->Preferences->Advanced->Encryption View Certificates->Backup)
> 
> 
> 2. Create .cer and .key
> =================
> 
> Use openssl to create a .cer and .key file that you will need to access 
> a page later. 
> 
> I am assuming the saved file is foafssl.p12
> 
> openssl pkcs12 -in foafssl.p12 -nocerts -out foafssl.key
> openssl pkcs12 -clcerts -nokeys -in foafssl.p12 -out foafssl.cer
> 
> 
> 3. Use wget to access a foaf+ssl protected resource
> =======================================
> 
> In this example I'm just using a test page I made at 
> https://foaf.cc/everyone, but any foaf+ssl resource should work, e.g. 
> https://foaf.me/simpleLogin.php or https://dig.xvm.mit.edu/test/everyone
> 
> *3.1 Without a WebID*
> 
> wget -qO- --no-check-certificate https://foaf.cc/everyone
> Array
> (
>     [REMOTE_USER] =>
>     [SSL_CLIENT_VERIFY] => NONE
>     [SSL_CLIENT_CERT] =>
> )
> 
> *3.2 With a WebID*
> 
> wget -qO- --no-check-certificate https://foaf.cc/everyone --certificate=./foafssl.cer --private-key=./foafssl.key
> Enter PEM pass phrase:
> Array
> (
>     [REMOTE_USER] => <http://foaf.me/melvincarvalho#me>
> 
>     [SSL_CLIENT_VERIFY] => GENEROUS
>     [SSL_CLIENT_M_VERSION] => 3
>     [SSL_CLIENT_M_SERIAL] => 0255
>     [SSL_CLIENT_V_START] => Oct 30 12:34:20 2009 GMT
>     [SSL_CLIENT_V_END] => Oct 30 12:34:20 2010 GMT
>     [SSL_CLIENT_V_REMAIN] => 202
>     [SSL_CLIENT_S_DN] => /CN=FOAF ME Cert http://foaf.me/melvincarvalho
>     [SSL_CLIENT_S_DN_CN] => FOAF ME Cert http://foaf.me/melvincarvalho
>     [SSL_CLIENT_I_DN] => /C=GB/ST=LONDON/L=Wimbledon/O=FOAF.ME/CN=FOAF.ME/emailAddress=ca@foaf.me
> 
>     [SSL_CLIENT_I_DN_C] => GB
>     [SSL_CLIENT_I_DN_ST] => LONDON
>     [SSL_CLIENT_I_DN_L] => Wimbledon
>     [SSL_CLIENT_I_DN_O] => FOAF.ME
>     [SSL_CLIENT_I_DN_CN] => FOAF.ME
>     [SSL_CLIENT_I_DN_Email] => ca@foaf.me
> 
>     [SSL_CLIENT_A_KEY] => rsaEncryption
>     [SSL_CLIENT_A_SIG] => md5WithRSAEncryption
>     [SSL_CLIENT_CERT] => -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> 
> 
> In this way you can automate the process of sending authenticated 
> requests to resources across the web, getting responses, processing 
> them, and acting on the information.  Hopefully this will be one more 
> tool for us to be able to generate data centric communities.
> 
> 
