Hi Michele,
I am still not able to achieve X509 authentication. I am able to generate the
following files using the CA menu:
- cacert.key (CA private key)
- CA certificate request (cacsr.pem)
- CA self signed certificate (cacrt.pem)

There is one more menu called Public which has the options "Get CA
certificate", "Get CA certificate revocation list" and "Require New
certificate".

I tried the "Require New certificate" option and it generates a certificate
request like the one below:
Certificate Request for

/C=ZZ/CN=ffdfdf/L=YYYYY/O=ACME/ST=XXXXX/emailAddress=rt...@dfgdg.com/SN=jhjhjhj/GN=fghfhfh/OU=Certification Authority

-----BEGIN CERTIFICATE REQUEST-----
MIIC+DCCAeACADCBszELMAkGA1UEBhMCWloxDzANBgNVBAMTBmZmZGZkZjEOMAwG
A1UEBxMFWVlZWVkxDTALBgNVBAoTBEFDTUUxDjAMBgNVBAgTBVhYWFhYMR4wHAYJ
KoZIhvcNAQkBFg9ydGVldEBkZmdkZy5jb20xEDAOBgNVBAQTB2poamhqaGoxEDAO
BgNVBCoTB2ZnaGZoZmgxIDAeBgNVBAsTF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo9PxvzHv/NAqYsUxm3YD
MvW6GohKWPrHAP8XftRthBu4hDWUKT0IjOF6Sva4Pi7PkRuA9z2HfKVDETs5wy3o
InvPcmjhUSTGynNI95AkXrGoBsiIlQwPNbBtRNLRA870OPDAlM04LQEj4+tIndtE
jrNliOseAp286opRqQbA3bnB2wY4HKHxe3c118qeTmuv2B5g8fwbmADkp8N/PKk5
Ami7d31Ava41m8x4k1hJ9SBitimmiOLs0Ua37BY/rtm57g6m0PqXhlPWvaBtnfr7
6q+E9ram6t9zWGFdNedfQjhGvyCUEMieXlRhCOC9J/6/al0WJ3mln02gY/sSS3TF
8QIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAJIKf7kwxVGvlrATk6DPhu7dqEjw
iAL41XTNjlR2780/wDBR5yUiCTtXFFuqAPagAn9i/qjb2gC5jZZmbUOhgYSyZpp/
qznZFTg9MsVdszC/LBLkRpDCxqLm1m61WCi5qmHGq9nN55rtdwiJsglQkUwvFeUK
SaMY95U+qakWqveCGzcmCoWir9zWKpBH1/Z89r5ktAsi7CdH9RdGQJeM8K8lBK3F
fqhakKXiA+afPFnhwK+KSisJGJl573ocHXGL/obhuOPj0uunfgxIBxION4nVDPCn
CTz7or24EltIZ5/e6T9PgvBbfUeMJ8WQEKVFlaqaJ+gAtl7FDHfOQmmUXN4=
-----END CERTIFICATE REQUEST-----


What is this certificate and where is it stored? I checked in the
private/ssl folder and I didn't find any other certificate generated.
How do I generate server and client private keys and certificates? As per
your previous mail simpatica should generate the following certificates:

1. generate CA private key + self signed certificate
2. generate server private keys + certificates signed by the above CA
   certificate
3. generate client private keys + certificates signed by the above CA
   certificate


but I am not able to generate 2. and 3. above, so please guide me on how to
generate them.

Thanks,
Amit
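
The three steps listed above (a CA key with a self-signed certificate, then a server and a client key pair each signed by that CA) can be carried out with the openssl command-line tool. The script below is an added example, not simpatica's or web2py's own code: it drives openssl from Python to build a throw-away test PKI, wraps the client key and certificate in a password-protected PKCS#12 bundle (the form simpatica hands to a browser), and then checks each certificate with `openssl verify -purpose`. It assumes an `openssl` binary on PATH; every file name, subject name, extension section and password in it is constructed for the example.

```python
"""Build a throw-away test PKI (CA, server, client) with the openssl CLI.

Added example, not simpatica's or web2py's code. Assumes `openssl` on PATH;
all file names, subjects and the PKCS#12 password are constructed."""
import os
import shutil
import subprocess
import tempfile

# Constructed openssl configuration: CA extensions for the self-signed root,
# plus the end-entity extensions applied when the CA signs each request.
# extendedKeyUsage is what separates a server certificate from a client one.
PKI_CONF = """\
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = v3_ca

[ req_dn ]
CN = placeholder (always overridden by -subj)

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
"""


def openssl_available():
    """True when the openssl binary can be found on PATH."""
    return shutil.which("openssl") is not None


def _openssl(workdir, *args):
    """Run one openssl command inside workdir; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=workdir, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def build_test_pki(workdir, p12_password="changeit"):
    """Create ca/server/client keys and certificates under workdir."""
    with open(os.path.join(workdir, "pki.cnf"), "w") as fh:
        fh.write(PKI_CONF)
    # 1. CA private key + self-signed CA certificate (valid 30 days).
    _openssl(workdir, "req", "-config", "pki.cnf", "-x509", "-newkey",
             "rsa:2048", "-nodes", "-sha256", "-days", "30",
             "-subj", "/C=ZZ/O=ACME/CN=ACME Test CA",
             "-keyout", "ca.key", "-out", "ca.crt")
    # 2. and 3. Server and client key pairs, each with a CSR that the CA signs.
    for name, section, subj in (
            ("server", "v3_server", "/C=ZZ/O=ACME/CN=localhost"),
            ("client", "v3_client", "/C=ZZ/O=ACME/CN=device-0001")):
        _openssl(workdir, "req", "-config", "pki.cnf", "-new", "-newkey",
                 "rsa:2048", "-nodes", "-subj", subj,
                 "-keyout", name + ".key", "-out", name + ".csr")
        _openssl(workdir, "x509", "-req", "-in", name + ".csr",
                 "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial",
                 "-days", "30", "-sha256", "-extfile", "pki.cnf",
                 "-extensions", section, "-out", name + ".crt")
    # Client key + certificate + CA certificate as a password-protected PKCS#12.
    _openssl(workdir, "pkcs12", "-export", "-in", "client.crt",
             "-inkey", "client.key", "-certfile", "ca.crt",
             "-name", "device-0001", "-passout", "pass:" + p12_password,
             "-out", "client.p12")


def verify(workdir, cert, purpose):
    """True when cert chains to ca.crt and is valid for purpose
    ("sslserver" or "sslclient"); openssl verify exits non-zero otherwise."""
    proc = subprocess.run(
        ["openssl", "verify", "-CAfile", "ca.crt", "-purpose", purpose, cert],
        cwd=workdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def demo():
    """Build the PKI in a temp dir and report the verification results."""
    workdir = tempfile.mkdtemp(prefix="testpki-")
    try:
        build_test_pki(workdir)
        return {
            "server_as_server": verify(workdir, "server.crt", "sslserver"),
            "client_as_client": verify(workdir, "client.crt", "sslclient"),
            # A server certificate must not pass as a client certificate.
            "server_as_client": verify(workdir, "server.crt", "sslclient"),
            "p12_written": os.path.getsize(
                os.path.join(workdir, "client.p12")) > 0,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The `-purpose` checks are the part worth keeping around: a web server configured with `--ca-cert` trusts anything the CA signed, so the extendedKeyUsage split between `v3_server` and `v3_client` is what stops a leaked server certificate from being replayed as a client identity, and `openssl verify -purpose sslclient` is the quickest way to confirm a freshly issued certificate is usable for login before handing out the `.p12`.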


> On Thu, Jul 26, 2012 at 10:50 AM, Amit <amit.khaw...@gmail.com> wrote:
>
>> Thanks Michele, I am going to generate keys using simpatica. I will let
>> you know if I face any problem.
>>
>> Thanks,
>> Amit
>>
>>
>> On Wed, Jul 25, 2012 at 7:01 PM, Michele Comitini <
>> michele.comit...@gmail.com> wrote:
>>
>>> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>> > Michele,
>>> >
>>> > I have gone through the X509_Auth class and its methods :
>>> >
>>> > login_form
>>> >
>>> > login_url
>>> > get_user
>>> >
>>> > But I am not able to visualize how to use this class in my
>>> > model/controller. I wrote below what I understood; please confirm
>>> > whether I understood correctly or not.
>>> >
>>> >
>>> > My requirement is : I have one web service method add() in controller
>>> > default.py , I just want to enable x509 authentication
>>> > so for that purpose i will use simpatica to generate keys and
>>> certificates
>>> > then in model class db.py I will use below code:
>>> >
>>> >
>>> > """
>>> >     Login using x509 cert from client.
>>> >
>>> >     from gluon.contrib.login_methods.x509_auth import X509Account
>>> >     auth.settings.actions_disabled=['register','change_password',
>>> >                                     'request_reset_password','profile']
>>> >     auth.settings.login_form = X509Account()
>>> >
>>> >     """
>>> >
>>> >
>>> > and then in add method I will put @auth.requires_login() annotation .
>>> >
>>> > My doubt:
>>> > 1. How do I configure the certificate with Rocket and the Apache server?
>>> > 2. How do I call the web service method with private keys from the
>>> > client?
>>> >
>>> > 3. I didn't find an X509Account class; instead I found the X509Auth
>>> > class, so is it the same? If yes then I need to create
>>> >
>>>
>>> 1 rocket:
>>>   python web2py.py --ssl_certificate=<server pem encoded cert file> \
>>>     --ssl_private_key=<server pem encoded key file> \
>>>     --ca-cert=<CA certificate pem encoded file>
>>>
>>>   apache: see the mod_ssl config:
>>>   http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>>>
>>> You can use a single file pem encoded containing: server cert, server
>>> key, CA cert.  Pass it to all the options.
>>>
>>> 2 What is the client?  With curl:
>>> curl --cert <client pem encoded cert + key file>  ...
>>>
>>> With python:
>>> you can use pycurl or httplib
>>> (http://docs.python.org/library/httplib.html) see their docs.
>>>
>>>
>>> 3 You did the right thing using X509_Auth.  The error in the comment
>>> is corrected in trunk.
>>>    The interesting part that you may want to override in a child class
>>> is the get_user() method.  Look at how certificate properties are mapped
>>> to the auth.user record (the profile variable that).  You may override
>>> those to fit your needs.
>>>
>>> mic
>>>
>>>
>>>
>>> >
>>> >  auth.settings.login_form = X509Auth() instance ?
>>> >
>>> >
>>> >
>>> > Thanks,
>>> > Amit
>>> >
>>> >
>>> > On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini
>>> > <michele.comit...@gmail.com> wrote:
>>> >>
>>> >> ----
>>> >> simpatica
>>> >>
>>> >> - generate ca priv key + self signed certificate
>>> >> - generate server priv keys +  certificates signed by the above ca
>>> >> certificate
>>> >> - generate client priv keys + certificates signed by the above ca
>>> >> certificate
>>> >>
>>> >> The client and server certificates are generated after compilation of a
>>> >> form that requires the user to assign a password to protect the
>>> >> private key.
>>> >> The certificate + private keys are encoded in pkcs12 format,
>>> >> downloadable to a browser or to be unpacked with openssl or similar
>>> >> tools after providing the above password.  Remember that if you lose
>>> >> the password you cannot open the pkcs12.  There is a recovery
>>> >> mechanism in simpatica since the private keys are also encoded with a
>>> >> randomly generated secret that is encrypted with the ca private key.
>>> >> It also sends an email to the address associated with the client
>>> >> informing that a certificate is ready to download.
>>> >>
>>> >> -----
>>> >> Sample code
>>> >>
>>> >>  Just look at gluon/contrib/login_methods/x509_auth.py. Look at the
>>> >> docstring in the X509_Auth class and put that code in your model to
>>> >> configure authentication with x509.
>>> >>
>>> >> Use the @auth.requires_login() annotation as you would with any action
>>> >> requiring authentication. It is explained in:
>>> >>
>>> >>
>>> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
>>> >>
>>> >>
>>> >> mic
>>> >>
>>> >>
>>> >> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>> >> > Sure Michele, let me go through the code. If I am not wrong,
>>> >> > simpatica is for generating the certificate file for the client, and
>>> >> > if you have any sample code for using x509 in the case of a web
>>> >> > service then please do share it with me.
>>> >> >
>>> >> > Thanks,
>>> >> > Amit
>>> >> >
>>> >> >
>>> >> > On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini
>>> >> > <michele.comit...@gmail.com> wrote:
>>> >> >>
>>> >> >> Amit
>>> >> >> If you need advice with simpatica don't worry, just ask.  I never had
>>> >> >> time to write any documentation so you have to look at the code
>>> >> >> and/or ask...
>>> >> >>
>>> >> >> mic
>>> >> >>
>>> >> >>
>>> >> >> On Wednesday, 25 July 2012 05:14:52 UTC+2, Amit wrote:
>>> >> >>>
>>> >> >>> Thanks Michele and Derek, nice post, I am looking for exactly the
>>> >> >>> same :)
>>> >> >>>
>>> >> >>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini
>>> >> >>> <michele.comit...@gmail.com> wrote:
>>> >> >>>>
>>> >> >>>>
>>> >> >>>> This is very similar to what TLS accomplishes with x509
>>> >> >>>> certificates. There is a slight difference: the server does not
>>> >> >>>> own a public key for each client; it verifies that the client owns
>>> >> >>>> an x509 certificate signed by the correct certification authority.
>>> >> >>>> So no need to store public keys.  In any case AFAIK in
>>> >> >>>> public/private key algorithms the private key always allows
>>> >> >>>> generation of the corresponding public key, not the contrary of
>>> >> >>>> course.
>>> >> >>>>
>>> >> >>>> To accomplish what you need in the simplest way you have to:
>>> >> >>>>
>>> >> >>>> - create a certification authority with a self signed certificate
>>> >> >>>> - create a certificate for your webserver signed with the private
>>> >> >>>> key of the certification authority above.
>>> >> >>>> - configure your webserver to require a client certificate (with
>>> >> >>>> rocket look at the --ca-cert option)
>>> >> >>>> - In case you need to know some info about the connecting client
>>> >> >>>> as reported in its certificate you can use x509_auth.py to use
>>> >> >>>> x509 authentication and configure your REST action with
>>> >> >>>> @auth.requires_login().
>>> >> >>>> This will give you access to information contained in the
>>> >> >>>> certificate such as common name or serial id.  To customize you
>>> >> >>>> can extend the X509_Auth class.
>>> >> >>>>
>>> >> >>>> To generate test certificates fast you can use simpatica as Derek
>>> >> >>>> correctly suggests.
>>> >> >>>>
>>> >> >>>> mic
>>> >> >>>>
>>> >> >>>> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
>>> >> >>>>>
>>> >> >>>>> Hi,
>>> >> >>>>> I have to provide public/private key authentication for accessing
>>> >> >>>>> a web service (REST) from a client in my web2py application. How
>>> >> >>>>> do I achieve it?
>>> >> >>>>>
>>> >> >>>>> Scenario:
>>> >> >>>>> 1. Each client will have a unique private key which will be sent
>>> >> >>>>> to the server along with the request.
>>> >> >>>>> 2. The server has to authenticate the private key using the public
>>> >> >>>>> key (unique for each client) and then allow access to the web
>>> >> >>>>> service method. For e.g. suppose one client, say X, has requested
>>> >> >>>>> the web service "add()"; the server has to first validate the
>>> >> >>>>> public key against the client's private key and, if validation is
>>> >> >>>>> successful, allow access to the web service "add()".
>>> >> >>>>>
>>> >> >>>>> Challenges:
>>> >> >>>>> Where to store the public key of each client? We can't store it in
>>> >> >>>>> the db because the server can't access the db before validation of
>>> >> >>>>> the web service method. So will it be stored somewhere on the PC
>>> >> >>>>> (where the server is running)? If yes then how, and in which
>>> >> >>>>> format?
>>> >> >>>>>
>>> >> >>>>>
>>> >> >>>>> NOTE: Here the server will be completely written in web2py and the
>>> >> >>>>> client is a separate application running on the hardware device.
>>> >> >>>>>
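
Michele's advice in the quoted replies is to look at how X509_Auth.get_user() maps certificate properties (common name, serial id) to the auth.user record and to override that mapping in a child class. The following is an added example, not web2py's x509_auth.py or simpatica's code, that shows such a mapping over a constructed request environment. The variable names follow Apache mod_ssl's SSL_CLIENT_* conventions (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL); how web2py exposes them in request.env is not shown on this page and is assumed, as are the issuer DN, serial and sample subject (the subject reuses the attribute layout of the request Amit posted).

```python
"""Map a verified client certificate's subject onto auth-user fields.

Added example, not web2py's X509_Auth. Environment variable names are modelled
on Apache mod_ssl's SSL_CLIENT_*; the sample environment is constructed."""
import re

# Constructed mod_ssl-style environment for one request whose client
# certificate the web server verified against its CA file.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": ("/C=ZZ/CN=ffdfdf/L=YYYYY/O=ACME/ST=XXXXX"
                        "/emailAddress=user@example.invalid"
                        "/SN=jhjhjhj/GN=fghfhfh/OU=Certification Authority"),
    "SSL_CLIENT_I_DN": "/C=ZZ/O=ACME/CN=ACME Test CA",
    "SSL_CLIENT_M_SERIAL": "1A2B",
}

# Assumed issuer DN of the CA whose certificates are accepted for login.
TRUSTED_ISSUER_DN = "/C=ZZ/O=ACME/CN=ACME Test CA"


def parse_dn(dn):
    """Split an OpenSSL one-line DN ("/C=ZZ/CN=name/...") into (attr, value)
    pairs, keeping a backslash-escaped slash inside a value intact."""
    pairs = []
    for part in re.split(r"(?<!\\)/", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr, value.replace("\\/", "/")))
    return pairs


def user_from_client_cert(env, trusted_issuer_dn=TRUSTED_ISSUER_DN):
    """Return the profile for the connecting client, or None when the web
    server did not verify the certificate against the configured CA.

    The identity key is issuer DN + serial number rather than the common
    name: serials are unique per CA, while a name can be reissued."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no certificate presented, or verification failed
    if env.get("SSL_CLIENT_I_DN") != trusted_issuer_dn:
        return None  # signed by a CA we do not accept for login
    serial = env.get("SSL_CLIENT_M_SERIAL")
    if not serial:
        return None
    subject = dict(parse_dn(env.get("SSL_CLIENT_S_DN", "")))
    return {
        "username": subject.get("CN", ""),
        "first_name": subject.get("GN", ""),      # givenName
        "last_name": subject.get("SN", ""),       # surname
        "email": subject.get("emailAddress", ""),
        "registration_id": "%s/serial=%s" % (trusted_issuer_dn, serial),
    }


if __name__ == "__main__":
    print(user_from_client_cert(SAMPLE_ENV))
```

The two early returns are the part to keep when adapting get_user(): the web server, not the application, performs the signature check, so the application must refuse to build a user record unless the server reports that verification succeeded and the issuer is the CA it expects; mapping the subject fields alone would let any certificate that reached the application log in.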