- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Fri, 30 Dec 2011 15:07:14 -0500
- To: public-xg-webid@w3.org
- Message-ID: <4EFE19F2.6000600@openlinksw.com>
On 12/30/11 1:34 PM, Peter Williams wrote:
> yes it's another day, and the web is not cooperating (as usual). But,
> it can be made to, at least for one trial. Someone with windows
> programming tools is sought, to replicate a working validation of an
> ODS client cert.
>
> I've abandoned native windows SSL (if you recall), and native windows
> serving of RDFa files (if you recall). I've even abandoned trying to use
> the RDFa examples in the spec, as definitive test cases. None of this
> was productive.
>
> I have built a command-line tool on dotnet (on win32) that is a https
> listener, courtesy of Mentalis <http://www.mentalis.org/> (a "no GPL"
> site). Since it's source code SSL, it now accepts any client cert and
> lets me control 100% issue of validity.
>
> I built the custom command window command-line browser tool, that does
> https to said command window web server, listening on a socket. It
> sends and receives fragments on the wire however I want them to be,
> since it's source code. It uses an ODS provisioned .p12 file for
> client keying, exported from Opera.
>
> Both tools have been set to do https mutual auth with SSL3, and they
> use and consume a .p12 and associated certs exported from a
> webid/profile issued by id.myopenlink.net. The latter serves the webid
> profile resource publicly, and it also keyed the cert in the
> particular trial. Yes, you can now also logon with webid to that
> account, with admin privs...
>
> Using my webid validator from a month ago (moved over from IIS, to my
> command tool web server now assured to have webid-friendly SSL and
> http message handling), it uses the appspot translator now, rather
> than talis. This is to avoid talis' propensity to scrape facts I didn't
> assert, while putting any user's document format in my reader's
> preferred reading format. It now also strips the fragment (if present)
> from the SAN URI, before using it to collect triples via a translator
> service.
>
> http://rdf-translator.appspot.com/parse?url=http%3a%2f%2fid.myopenlink.net%3a80%2fdataspace%2fperson%2fhome_pw&of=xml&html=1
> DOES succeed to become a memory store of triples (when you remove the
> final querystring html=1). It's easy to see the cert:key predicate(s)
> for the right subject, in the right form. This is good.
>
> I then do the required ASK (the same one as used to work against my
> own yorkporc RDFa card).
>
>     PREFIX : <http://www.w3.org/ns/auth/cert#>
>     PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
>     ASK {
>       <http://id.myopenlink.net/dataspace/person/home_pw#this> :key [
>         :modulus "a33d6be6af1abe197d1b9ce9f03b423ba90a264634e425be0f6ce237906784ec15c5d5de0fdbcb99fae0d6cf4ff5c4123187e3c19b2f55e9ce5bb5902485866ca6e60304458effe823837cc430b2d40369c7d2dcc3beaa4e22e094446b66f213b41a0c02ae17cbbc1ec863b1797624df36b307a270f162ef6358f48b4f0a447db50c477038b936b7b37e496af51f67156813e2372cf11abca89b615eba033d7cf932586794b96d7940ad61e0c516fdb0c07d2e1bb7cedb54fcd4c466c196d8db"^^xsd:hexBinary ;
>         :exponent "65537"^^xsd:integer ;
>       ] .
>     }
>
> Guess what, it fails. Hey, it's the web.
>
> I notice the resource provider uses the int (not the integer) form of
> data format for the string type of the modulus. I'm going to guess
> that's the issue.
>
> What's the right thing to do, with my (older) class of Sparql engine?
> What does the spec advise, to real world engineers with real-world
> tools (of various vintages)? Not a lot.
>
> For now, I just do 2 ASK queries, one assuming ^^xsd:integer and the
> other assuming ^^xsd:int.
>
> That done, I can say I built a validator on windows. Of course, it's
> unassured (being crypto in user space, and does a funky logic for
> verification). But, it sort of maps to the spec, in engineering terms.
> Being all source, one works around "issues". It could be using
> hardware crypto, given the excellent engineering Mentalis did.
>
> With that fix, I "validated" an ODS cert. There is only a rdfs
> reasoner loaded, so I don't know how "well" I validated, though, in
> terms of any owl statements.
>
> The zip file, with source and binaries, is
> https://skydrive.live.com/redir.aspx?cid=05061d4609325b60&resid=5061D4609325B60!944&parid=5061D4609325B60!863&authkey=!ABbY7w72PSO17u4
>
> Obviously, all the usual rules apply (it's as is, who knows about
> rights and licenses I've abused, and have fun coding). A windows
> programmer should be able to replicate the experiment in an hour -
> since it has all test inputs provided (server certs, client certs to
> ODS, passwords, etc.). I used .Net 4 and Windows 2008 R2, well
> patched. It's likely to rebuild and work on really 10 year old .NET and
> windows platforms, too.
>
> It's all rather RSA focussed, due to the orientation of Mentalis.
>
> I didn't try TLS, and TLS 1.2 doesn't look like it's offered.

Peter,

Basic tests against the RDF resource using URIBurner's SPARQL endpoint:

1. http://uriburner.com/c/IAMR6C -- SPARQL SELECT results
2. http://uriburner.com/c/IAMR56 -- SPARQL SELECT Query Text

More specific queries based on modulus component of Public Key via SPARQL ASK:

1. http://uriburner.com/c/IAEAAM -- Query Results
2. http://uriburner.com/c/IAMR5Z -- Query Text.

Do you have a .p12 file I can look at? Or just confirm the URIs used in your Certs' SAN.
--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Friday, 30 December 2011 20:07:38 UTC
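The xsd:int versus xsd:integer mismatch Peter hit, and his two-ASK workaround, come down to comparing a certificate's RSA public key against cert:key triples by value rather than by lexical form and datatype. The script below is an added example, not code from this thread, from Peter's Windows tool or from OpenLink: it is a pure-Python stand-in for the ASK step that parses a constructed N-Triples profile (the WebID URI is the one from the thread, the key material is a made-up short value), strips the fragment from the SAN URI before dereferencing, and matches modulus and exponent numerically so that xsd:int, xsd:integer and the other XSD integer-derived types all match, and hexBinary case and leading zeros do not matter. It goes beyond the thread in also emitting a single datatype-tolerant ASK using the SPARQL 1.0 xsd:integer cast and REGEX with the "i" flag, as an alternative to running two queries. Function names (parse_ntriples, profile_url, literal_value, key_matches, tolerant_ask) are this example's own.

```python
"""Datatype-tolerant WebID key check (added example, not from the thread)."""
import re
from urllib.parse import urldefrag

CERT = "http://www.w3.org/ns/auth/cert#"
XSD = "http://www.w3.org/2001/XMLSchema#"

# XSD integer-derived datatypes accepted for cert:exponent (assumption: any of
# these is an honest typing of an exponent; xsd:int is the one ODS emitted).
INTEGER_TYPES = {XSD + t for t in ("integer", "int", "long", "short",
                                   "nonNegativeInteger", "positiveInteger",
                                   "unsignedInt", "unsignedLong")}

# Constructed sample profile: real WebID from the thread, made-up short key,
# typed the way the thread describes (hexBinary modulus, here upper-case with
# a leading zero byte, and an xsd:int exponent).
SAMPLE_NTRIPLES = """\
<http://id.myopenlink.net/dataspace/person/home_pw#this> <http://www.w3.org/ns/auth/cert#key> _:k1 .
_:k1 <http://www.w3.org/ns/auth/cert#modulus> "00A33D6BE6AF1ABE19"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#int> .
"""

# One N-Triples term: IRI, blank node, or literal with optional datatype/lang tag.
TERM = re.compile(r'<([^>]*)>|(_:\S+)|"((?:[^"\\]|\\.)*)"(?:\^\^<([^>]*)>|@[\w-]+)?')


def parse_ntriples(text):
    """Return (s, p, o) tuples; IRIs/bnodes as str, literals as ('lit', lexical, datatype)."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terms = []
        for m in TERM.finditer(line):
            if m.group(1) is not None:
                terms.append(m.group(1))
            elif m.group(2) is not None:
                terms.append(m.group(2))
            else:
                terms.append(("lit", m.group(3), m.group(4)))
        if len(terms) != 3:
            raise ValueError("malformed N-Triples line: " + line)
        triples.append(tuple(terms))
    return triples


def profile_url(webid):
    """Document to dereference for a WebID: the SAN URI with its fragment removed."""
    return urldefrag(webid).url


def literal_value(term):
    """Numeric value of a modulus/exponent literal, or None if it cannot be read safely."""
    if not isinstance(term, tuple):
        return None                      # IRI or bnode where a literal was expected
    _, lexical, datatype = term
    try:
        if datatype == XSD + "hexBinary":
            return int(lexical, 16)      # case- and leading-zero-insensitive
        if datatype in INTEGER_TYPES:
            return int(lexical.strip(), 10)
    except ValueError:
        return None
    return None                          # untyped or unexpected datatype: no match


def key_matches(triples, webid, cert_modulus, cert_exponent):
    """True if some cert:key of `webid` carries exactly this modulus and exponent."""
    keys = [o for s, p, o in triples if s == webid and p == CERT + "key"]
    for key in keys:
        moduli = {literal_value(o) for s, p, o in triples if s == key and p == CERT + "modulus"}
        exponents = {literal_value(o) for s, p, o in triples if s == key and p == CERT + "exponent"}
        if cert_modulus in moduli and cert_exponent in exponents:
            return True
    return False


def tolerant_ask(webid, modulus_hex, exponent):
    """One ASK that accepts xsd:int or xsd:integer exponents (xsd:integer cast) and
    any case / leading zeros on the modulus (REGEX with the "i" flag); both are
    SPARQL 1.0 features. Inputs are validated so they cannot alter the query."""
    if not re.fullmatch(r"[0-9a-fA-F]+", modulus_hex):
        raise ValueError("modulus must be plain hex")
    return (
        f"PREFIX cert: <{CERT}>\nPREFIX xsd: <{XSD}>\n"
        f"ASK {{ <{webid}> cert:key [ cert:modulus ?m ; cert:exponent ?e ] .\n"
        f"       FILTER ( xsd:integer(?e) = {int(exponent)} && "
        f'REGEX(STR(?m), "^0*{modulus_hex.lower()}$", "i") ) }}\n'
    )


if __name__ == "__main__":
    webid = "http://id.myopenlink.net/dataspace/person/home_pw#this"
    triples = parse_ntriples(SAMPLE_NTRIPLES)
    print("dereference:", profile_url(webid))
    print("key matches:", key_matches(triples, webid, 0xA33D6BE6AF1ABE19, 65537))
    print(tolerant_ask(webid, "a33d6be6af1abe19", 65537))
```

Note that an untyped or oddly typed modulus is treated as a non-match rather than guessed at: a validator that falls back to "whatever parses" is easier to satisfy with a profile the key holder did not intend, which is exactly the ambiguity Peter complains the spec leaves to engineers.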