Re: needs someone to replicate a windows validator, done in non native (i.e. user mode) SSL.

On 12/30/11 1:34 PM, Peter Williams wrote:
> Yes, it's another day, and the web is not cooperating (as usual). But 
> it can be made to, at least for one trial. Someone with Windows 
> programming tools is sought, to replicate a working validation of an 
> ODS client cert.
> I've abandoned native Windows SSL (if you recall), and native Windows 
> serving of RDFa files (if you recall). I've even abandoned trying to use 
> the RDFa examples in the spec as definitive test cases. None of this 
> was productive.
> I have built a command-line tool on dotnet (on win32) that is an https 
> listener, courtesy of Mentalis <> (a "no GPL" 
> site). Since it's source-code SSL, it now accepts any client cert and 
> lets me control 100% issue of validity.
> I built the custom command window command-line browser tool, that does 
> https to said command window web server, listening on a socket. It 
> sends and receives fragments on the wire however I want them to be, 
> since it's source code. It uses an ODS-provisioned .p12 file for 
> client keying, exported from Opera.
> Both tools have been set to do https mutual auth with SSL3, and they 
> use and consume a .p12 and associated certs exported from a 
> webid/profile issued by The latter serves the webid 
> profile resource publicly, and it also keyed the cert in the 
> particular trial. Yes, you can now also log on with webid to that 
> account, with admin privs...
> Using my webid validator from a month ago (moved over from IIS to my 
> command tool web server, now assured to have webid-friendly SSL and 
> http message handling), it uses the appspot translator now, rather 
> than talis. This is to avoid talis' propensity to scrape facts I didn't 
> assert, while putting any user's document format in my reader's 
> preferred reading format. It now also strips the fragment (if present) 
> from the SAN URI, before using it to collect triples via a translator 
> service.
> <> DOES 
> succeed to become a memory store of triples (when you remove the 
> final querystring html=1). It's easy to see the cert:key predicate(s) 
> for the right subject, in the right form. This is good.
> I then do the required ASK (the same one as used to work against my 
> own yorkporc RDFa card).
> <> xsd: <>
> ASK <>
> {
> <> :key [
> :modulus "a33d6be6af1abe197d1b9ce9f03b423ba90a264634e425be0f6ce237906784ec15c5d5de0fdbcb99fae0d6cf4ff5c4123187e3c19b2f55e9ce5bb5902485866ca6e60304458effe823837cc430b2d40369c7d2dcc3beaa4e22e094446b66f213b41a0c02ae17cbbc1ec863b1797624df36b307a270f162ef6358f48b4f0a447db50c477038b936b7b37e496af51f67156813e2372cf11abca89b615eba033d7cf932586794b96d7940ad61e0c516fdb0c07d2e1bb7cedb54fcd4c466c196d8db"^^xsd:hexBinary ;
> :exponent "65537"^^xsd:integer ;
> ] .
> }
> Guess what, it fails. Hey, it's the web.
> I notice the resource provider uses the int (not the integer) form of 
> data format for the string type of the modulus. I'm going to guess 
> that's the issue.
> What's the right thing to do, with my (older) class of SPARQL engine? 
> What does the spec advise, to real-world engineers with real-world 
> tools (of various vintages)? Not a lot.
> For now, I just do 2 ASK queries, one assuming ^^xsd:integer and the 
> other assuming ^^xsd:int.
> That done, I can say I built a validator on Windows. Of course, it's 
> unassured (being crypto in user space, and does a funky logic for 
> verification). But, it sort of maps to the spec, in engineering terms. 
> Being all source, one works around "issues". It could be using 
> hardware crypto, given the excellent engineering Mentalis did.
> With that fix, I "validated" an ODS cert. There is only an rdfs 
> reasoner loaded, so I don't know how "well" I validated, though, in 
> terms of any owl statements.
> The zip file, with source and binaries, is 
> <>
> Obviously, all the usual rules apply (it's as is, who knows about 
> rights and licenses I've abused, and have fun coding). A Windows 
> programmer should be able to replicate the experiment in an hour - 
> since it has all test inputs provided (server certs, client certs to 
> ODS, passwords, etc.). I used .NET 4 and Windows 2008 R2, well 
> patched. It's likely to rebuild and work on really 10-year-old .NET and 
> Windows platforms, too.
> It's all rather RSA focussed, due to the orientation of Mentalis.
> I didn't try TLS, and TLS 1.2 doesn't look like it's offered.

Basic tests against the RDF resource using URIBurner's SPARQL endpoint:

1.   -- SPARQL SELECT results

2. -- SPARQL SELECT Query Text

More specific queries based on modulus component of Public Key via 

1. -- Query Results

2. -- Query Text.

Do you have a .p12 file I can look at? Or just confirm the URIs used in 
your Cert's SAN.



Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web:
Personal Weblog:
Twitter/ handle: @kidehen
Google+ Profile:
LinkedIn Profile:
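An added example, not code from either message and not Peter's validator: a Python check that does what his two ASK queries do, but compares literal values rather than lexical forms, so an exponent published as xsd:int and one published as xsd:integer both match, and the modulus matches whatever the hex case. It generalises the two-query workaround to every xsd datatype derived from xsd:integer. The triples, the WebID IRI (example.org) and the blank-node id are constructed; the modulus and exponent are the ones quoted in the thread.

```python
XSD = "http://www.w3.org/2001/XMLSchema#"
CERT = "http://www.w3.org/ns/auth/cert#"   # the cert: vocabulary used by the ASK

# Datatypes derived from xsd:integer share its value space, so a literal typed
# with any of them should compare equal to the same number typed xsd:integer.
INTEGER_TYPES = {XSD + t for t in (
    "integer", "int", "long", "short", "byte", "nonNegativeInteger",
    "positiveInteger", "unsignedLong", "unsignedInt", "unsignedShort")}


def literal_value(lexical, datatype):
    """Map a typed literal to a comparable Python value; None if unsupported."""
    if datatype in INTEGER_TYPES:
        return int(lexical.strip())
    if datatype == XSD + "hexBinary":
        return bytes.fromhex(lexical.strip())   # accepts upper- or lower-case hex
    return None


def public_keys_for(triples, webid):
    """Yield (modulus_bytes, exponent_int) for each cert:key of `webid`.

    `triples` is an iterable of (s, p, o); IRIs and blank nodes are plain
    strings, typed literals are (lexical, datatype) tuples.
    """
    by_subject = {}
    for s, p, o in triples:
        by_subject.setdefault(s, []).append((p, o))
    for p, key in by_subject.get(webid, []):
        if p != CERT + "key":
            continue
        modulus = exponent = None
        for kp, ko in by_subject.get(key, []):
            if not isinstance(ko, tuple):      # skip non-literal objects
                continue
            if kp == CERT + "modulus":
                modulus = literal_value(*ko)
            elif kp == CERT + "exponent":
                exponent = literal_value(*ko)
        if isinstance(modulus, bytes) and isinstance(exponent, int):
            yield modulus, exponent


def key_matches(triples, webid, cert_modulus_hex, cert_exponent):
    """The ASK from the thread, evaluated by value: does the profile list
    the certificate's RSA public key under this WebID?"""
    wanted = (bytes.fromhex(cert_modulus_hex), cert_exponent)
    return any(key == wanted for key in public_keys_for(triples, webid))


# --- constructed sample data (placeholder WebID; modulus as quoted above) ---
WEBID = "https://example.org/profile#me"
MODULUS_HEX = (
    "a33d6be6af1abe197d1b9ce9f03b423ba90a264634e425be0f6ce237906784ec15c5d5de0fdbcb99fae0d6cf4ff5c4123187e3c19b2f55e9ce5bb5902485866ca6e60304458effe823837cc430b2d40369c7d2dcc3beaa4e22e094446b66f213b41a0c02ae17cbbc1ec863b1797624df36b307a270f162ef6358f48b4f0a447db50c477038b936b7b37e496af51f67156813e2372cf11abca89b615eba033d7cf932586794b96d7940ad61e0c516fdb0c07d2e1bb7cedb54fcd4c466c196d8db"
)
# The profile publishes the exponent as xsd:int (the case that made the
# term-matching ASK fail) and the modulus in upper-case hex.
SAMPLE_TRIPLES = [
    (WEBID, CERT + "key", "_:k1"),
    ("_:k1", CERT + "modulus", (MODULUS_HEX.upper(), XSD + "hexBinary")),
    ("_:k1", CERT + "exponent", ("65537", XSD + "int")),
]

if __name__ == "__main__":
    print(key_matches(SAMPLE_TRIPLES, WEBID, MODULUS_HEX, 65537))   # True
    print(key_matches(SAMPLE_TRIPLES, WEBID, MODULUS_HEX, 3))       # False
```

In SPARQL itself the same effect comes from binding the exponent to a variable and filtering by numeric value (`?k :exponent ?e . FILTER(?e = 65537)`): `=` on numeric literals compares values, whereas a literal written into the triple pattern must match the stored term exactly, datatype included, which is why the single ASK fails against an xsd:int exponent.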

Received on Friday, 30 December 2011 20:07:38 UTC