Re: needs someone to replicate a windows validator, done in non native (i.e. user mode) SSL.

On 12/30/11 1:34 PM, Peter Williams wrote:
> yes its another day, and the web is not cooperating (as usual). But, 
> it can be made too, at least for one trial. Someone with windows 
> programming tools is sought, to replicate a working validation of an 
> ODS client cert.
>
> Ive abandoned native windows SSL (if you recall), and native windows 
> serving of RDFa files (if you recall). Ive even abaonded trying to use 
> the RDFa examples in the spec, as definitive test cases. None of this 
> was productive.
>
> I have built a command-line tool on dotnet (on win32) that is a https 
> listener, courtesy of Mentalis <http://www.mentalis.org/> (a "no GPL" 
> site). Since its source code SSL, it now accepts any client cert and 
> lets me control 100% issue of validity.
>
> I built the custom command window command-line browser tool, that does 
> https to said command window web server, listening on a socket. it 
> sends and receives fragments on the wire however I want them to be, 
> since its source code. It uses an ODS provisioned .p12  file for 
> client keying, exported from Opera.
>
> Both tools have been set to do https mutual auth with SSL3, and they 
> use and consume a .p12 and associated certs exported from a 
> webid/profile issued by id.myopenlink.net. THe latter serves the webid 
> profile resource publicly, and it also keyed the cert in the 
> particular trial. Yes, you can now also logon with webid to that 
> account, with admin privs...
>
> Using my webid validator from a month ago (moved over from IIS, to my 
> command tool web server now assured to have webid-friendly SSL and 
> http message handling), it uses the appspot translator now, rather 
> than talis. This is to avoid talis' propensity to scrape facts I didnt 
> assert, while putting any users document format in my readers 
> preffered reading format. It now also strips the fragment (if present) 
> from the SAN URI, before using it to collect triples via a translator 
> service.
>
> http://rdf-translator.appspot.com/parse?url=http%3a%2f%2fid.myopenlink.net%3a80%2fdataspace%2fperson%2fhome_pw&of=xml&html=1 
> <http://rdf-translator.appspot.com/parse?url=http%3a%2f%2fid.myopenlink.net%3a80%2fdataspace%2fperson%2fhome_pw&of=xml&html=1> DOES 
> succeed to becomes a memory store of triples (when you remove the 
> final querystring html=1). Its easy to see the cert:key predicate (s) 
> for the right subject, in the right form. This is good.
>
> I then do the required ASK (the same one as used to work against my 
> own yorkporc RDFa card).
> "PREFIX : <http://www.w3.org/ns/auth/cert#>\nPREFIX 
> <http://www.w3.org/ns/auth/cert#%3E%5CnPREFIX> xsd: 
> <http://www.w3.org/2001/XMLSchema#>\nASK 
> <http://www.w3.org/2001/XMLSchema#%3E%5CnASK>
> {\n<http://id.myopenlink.net/dataspace/person/home_pw#this> :key 
> [\n:modulus 
> \"a33d6be6af1abe197d1b9ce9f03b423ba90a264634e425be0f6ce237906784ec15c5d5de0fdbcb99fae0d6cf4ff5c4123187e3c19b2f55e9ce5bb5902485866ca6e60304458effe823837cc430b2d40369c7d2dcc3beaa4e22e094446b66f213b41a0c02ae17cbbc1ec863b1797624df36b307a270f162ef6358f48b4f0a447db50c477038b936b7b37e496af51f67156813e2372cf11abca89b615eba033d7cf932586794b96d7940ad61e0c516fdb0c07d2e1bb7cedb54fcd4c466c196d8db\"^^xsd:hexBinary 
> ;\n:exponent \"65537\"^^xsd:integer ;\n] .\n}\n"
>
> Guess what, it fails. Heys, it's the web.
>
> I notice the resource provider uses the int (not the integer) form of 
> data format for the string type of the modulus. Im going to guess 
> thats the issue.
>
> Whats the right thing to do, with my (older) class of Sparql engine? 
> What does the spec advise, to real world engineers with realworld 
> tools (of various vintages)? Not a lot.
>
>
> For now, I just do 2 ASK queries one assuming ^^xsd:integer and the 
> other assuming ^^xsd:int.
>
> That done, I can say I built a validator on windows. Of course, its 
> unassured (being crypto in user space, and does a funky logic for 
> verification). But, it soft of maps to the spec, in engineering terms. 
> Being all source, one works around "issues". It could be using 
> hardware crypto, given the excellent engineering Mentalis did.
>
> With that fix, I "validated" an ODS cert. There is only a rdfs 
> reasoner loaded, so I dont know how "well" I validated, though, in 
> terms of any owl statements.
>
> The zip file, with source and binaries, is 
> https://skydrive.live.com/redir.aspx?cid=05061d4609325b60&resid=5061D4609325B60!944&parid=5061D4609325B60!863&authkey=!ABbY7w72PSO17u4 
> <https://skydrive.live.com/redir.aspx?cid=05061d4609325b60&resid=5061D4609325B60%21944&parid=5061D4609325B60%21863&authkey=%21ABbY7w72PSO17u4>
>
> Obviously, all the usual rules apply (its as is, who knows about 
> rights and licenses Ive abused, and have fun coding). A windows 
> programmer should be able to replicate the experiment in an hour - 
> since it has all test inputs provided (server certs, client certs to 
> ODS, passwords, etc.). I used .Net 4 and Windows 2008 R2, well 
> patched. Its likely to rebuild and work on really 10 year old .NET and 
> windows platforms, too.
>
> Its all rather RSA focussed, due to the orientation of Mentalis.
>
> I didnt try TLS, and TLS 1.2 doesnt look like its offered.
>
>
>
>
>
>
Peter,

Basic tests again the RDF resource using URIBurner's SPARQL endpoint:


1. http://uriburner.com/c/IAMR6C   -- SPARQL SELECT results

2. http://uriburner.com/c/IAMR56 -- SPARQL SELECT Query Text

More specific queries based on modulus component of Public Key via 
SPARQL ASK:

1. http://uriburner.com/c/IAEAAM -- Query Results

2. http://uriburner.com/c/IAMR5Z -- Query Text.

Do you have a .p12 file I can look at? Or just confirm the URIs used in 
your Certs. SAN.

-- 

Regards,

Kingsley Idehen	
Founder&  CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen