Tuesday, June 21, 2016

Setting Up a SOLiD Server Using the WebID from databox.me {draft}

The SOLiD Server [1] is a later generation of the personal data store rww.io described in Dr. Andrei Sambra's Dissertation [2] and implemented as part of CIMBA or Client-Integrated MicroBlogging Application [3].

CIMBA decoupled the front end of the web application from the back end data such that the data can exist on any server and the front end application can exist on another server. Sandro Hawke posted several videos beginning with the title "Building Social Applications with Linked Data Platform (LDP) -- Crosscloud"
Part 2 of this video series [4] shows a demonstration of CIMBA by Dr. Andrei Sambra.

Although CIMBA was targeted towards microblogging, the personal data store can be targeted at any front end application. For microblogging, and other applications, a special standard pattern is developed that utilizes the linked data platform [5],[6].

SOLiD, a platform  that gained a lot of energy in mid-2015 with the Crosscloud project [7], is described on GitHub [8] and serves as a foundation in the initiative. It follows the Linked Data Platform standard that is used to build the LDP server Apache Marmotta [9] and in Fedora 4 in Islandora [10] for organizing library collections, amongst other things. One thing that is unique about SOLiD is its use of the WebID URI in the authentication and authorization process.

Athough many implementations of SOLiD exist [11], the one with present significant effort is for Node.js. This is available through the link at [1].

In a previous post [15], the use of databox.me to create a WebID, client certificate, and private key was presented. This is useful for authenticating as a user to a SOLiD based server and authorizing the user to access resources through the access control language [12].

In order to launch our own SOLiD server, we need a server side certificate to support HTTPS in order to verify the servers integrity to the client [13]. We could run it without TLS/SSL, that is over HTTP, but this is risky. For proof of this, the author has run a SOLiD server (previously called ldnode) with a Linked Data File Manager called WARP [14]; and achieved an environment on localhost (i.e. on the local machine) that looked very similar to rww.io when it was operational.

Fortunately, the README for node-solid-server [1] goes into how to set this up. We already created a client side certificate and private key with databox.me and stored it in our browser. The public personal profile document  created upon databox.me signup and used for FOAF+SSL authentication is available at http://bshambaugh.databox.me/profile/card .

We could have a similar setup elsewhere as the requirement for FOAF+SSL is that we have RDF somewhere that points a WebID to a public key (in this case, modulus and exponent) along with the following in the browser:  a client certificate in the form of the previous databox.me post along with the corresponding private key.

To create the server side certificate (as opposed to the client side certificate to authenticate an entity with a WebID)  to allow the SOLiD server to serve itself over HTTPS we have multiple options. We could purchase one online signed by a root certificate authority [16], obtain a free one through a service like letsencrypt [17], or create our own self-signed certificate with openssl (or the like).

Since we are testing SOLiD locally, lets try using a server side certificate. The README [1] suggests the following commands:

openssl genrsa 2048 > ../localhost.key
openssl req -new -x509 -nodes -sha256 -days 3650 -key ../localhost.key -subj '/CN=*.localhost' > ../localhost.cert

This creates a private key called localhost.key and a certificate called localhost.cert in the directory above the local one. I went ahead and added the extension .pem to both of them since they are already in the PEM [18] format.

cp localhost.key localhost.key.pem
cp localhost.cert localhost.cert.pem

Now that we have our server certificates, we need to have node-solid-server running. In order to do this, we need Node.js v6.  I chose to also have the latest version of Ubuntu, 16.04 to run Node. N.B: I was running with Ubuntu 12.04 before but I discovered that this required a special configuration as the version of g++ included with the distribution did not support some of the recent additions in v8 requiring me to configure for another C compiler [19].

I found the instructions at Digital Ocean useful [20], specifically the section titled "How To Install Using NVM" .

Once I have Node.js Installed I can install node solid server. I do this by following the instructions in the README [1]. Specifically:

npm install -g solid-server

Now that I have solid server installed with the -g flag (which means I can access it globally) I can tell it about my server side certificates. There are two ways to do this.
I can either use the solid-server installation to create a json file to point to them, or I can tell solid about then at each startup.

To create the json [21] file I use the following command:

solid init

I then follow by pressing enter for each input request except for those that prompt with a y/N option or a path the SSL private key or SSL certificate.

For the y/N options I select y (at least for "Enable WebID authentication"). For the path to the SSL certificate and SSL key I point to the relative path to them. Since the ones I created were in the present directory where initiated solid with "solid init" then they are simply localhost.key (or localhost.key.pem) and localhost.cert (or localhost.cert.pem or localhost.crt.pem, or localhost.crt) .

Going through this process creates a file called config.json . After this I can go ahead and start the solid server from the same directory using the command:

solid start

Alternatively, I may want to avoid  using the config.json file and pass everything in as an input parameter in the shell at startup. I found it effective to delete the config.json file (if it exists) before trying this.

solid start ---port 8443 --ssl-key localhost.key.pem --ssl-cert localhost.cert.pem \
--webid -v

I am specifying port 8443, localhost.key.pem as private key for my server certificate, localhost.cert.pem as the server certificate, use of webid based authentication with --webid, and verbose output in the shell with -v .

[1] https://github.com/solid/node-solid-server
[2] https://halshs.archives-ouvertes.fr/tel-00917965/document
[3] http://crosscloud.org/2014/iswc-sambra-pdf.pdf
[4] https://www.youtube.com/watch?v=GtnB7aM1mTM
[5] https://www.w3.org/TR/ldp-primer/
[6] https://www.youtube.com/watch?v=Yth7O6yeZRE&t=1h34m50s
[7] http://crosscloud.org/
[8] https://github.com/solid/solid
[9] http://marmotta.apache.org/
[10] https://www.youtube.com/watch?v=9wTFAwvBRbY
[11] http://crosscloud.org/2016/www-mansour-pdf.pdf
[12] https://www.w3.org/wiki/WebAccessControl
[13] http://robertheaton.com/2014/03/27/how-does-https-actually-work/
[14] https://github.com/linkeddata/warp
[15] http://adistributedeconomy.blogspot.com/2016/06/creating-client-side-certificate.html
[16] https://en.wikipedia.org/wiki/Root_certificate
[17] https://letsencrypt.org/
[18] http://how2ssl.com/articles/working_with_pem_files/
[19] https://github.com/nodesource/distributions/blob/master/OLDER_DISTROS.md
[20] https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04
[21] http://json.org/

Accessing the Linked Data Platform based SOLiD Server created with databox.me

Type in https://yourusername.databox.me/ . For me it was https://bshambaugh.databox.me/ .

A certificate authentication should be presented. Make sure you are presented with the client certificate that was created by the method of the previous post (or if everything was done manually, in the same form as the result). Press okay. If you see the certificate again, press okay again.

Enter location of the LDP server. In this case, https://bshambaugh.databox.me/ .

If all goes well, you should see the contents of your "file system" . That is the Linked Data Platform Resources which consist of Linked Data Platform Containers (LDP standardized RDF) and RDF and non-RDF resources (binary or text) [1].

I see things served from the URL http://linkeddata.github.io/warp/#/list/https/bshambaugh.databox.me/ .

Edit: It is also a useful exercise to start this process with something like https://bshambaugh.databox.me/storage/ in the browser bar with https://bshambaugh.databox.me/storage/ as the location for the LDP server. Occasionally, this can fail with a 304 Not Modified Response or even a CORS failure as it did later when I tried it again. I started out with https://bshambaugh.databox.me/storage/ when I first discovered this process.

[1] https://www.w3.org/TR/ldp/

Monday, June 20, 2016

Creating an Client Side Certificate , Private Key, and WebID with databox.me

Databox.me is an experimental service that allows a person to create a client side certificate with a WebID and a corresponding private Key. It is an implementation of FOAF+SSL invented by Dr. Henry Story. More information is available in a whitepaper [1] and in a W3C specification [2].
When https://databox.me is visited, a welcome screen is presented that allows a person to create an account with a particular name. I chose bshambaugh.

databox.me checks for the name I selected. If it does not exist, I get an option to choose an optional backup e-mail for account recovery purposes.

In the second step, I provide the name and gravatar I want associated with my account. In the third step I choose to create my keys.

The certificate and private key are saved in my browser, and a publicly available personal profile document is placed at https://bshambaugh.databox.me/profile/card .
Using curl to retrieve this document gives:

@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

a <http://xmlns.com/foaf/0.1/PersonalProfileDocument> ;
<http://xmlns.com/foaf/0.1/maker> <#me> ;
<http://xmlns.com/foaf/0.1/primaryTopic> <#me> .

a <http://www.w3.org/ns/auth/cert#RSAPublicKey> ;
<http://www.w3.org/2000/01/rdf-schema#label> "Created 15 Apr 16 20:57 UTC on bshambaugh.databox.me" ;
<http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#int> ;
<http://www.w3.org/ns/auth/cert#modulus> "bb474500cdcd466b1d03c9d83b94673bbf6a3a4d4e98afc62ce0dd29b15fe2ec09c4bf64c2dbeb5406e53a255d0e37e396dce2a89bed42242697e26dd928cfb4af4a4960a4992c77bce52fd0aa57319aa2f4af6714412b31030008acba0f8f5f5a1f0e69c55e7f8a1eb29a490e8db29884bd40db123c26f267ea68840574da80fa08461a10b1bfe71cd5575fba8bb32e6355472dc4ff93717bb12dc349d5bcd32807fe843dee44003879e87d6263a61193c434799e1219230b2d7f54e5e75a56fbb1df43792ce38b6264ca5b05b9ad26a32472af7da358511e2e0c162a81d17ac7f03cc31b8522cb235caf546b2cb157a7008fd01cf1bd1400d3bd784866495b"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .

a <http://xmlns.com/foaf/0.1/Person> ;
<http://www.w3.org/ns/auth/cert#key> <#key294f> ;
<http://www.w3.org/ns/pim/space#preferencesFile> <../Preferences/prefs.ttl> ;
<http://www.w3.org/ns/pim/space#storage> <../> ;
<http://www.w3.org/ns/solid/terms#inbox> <../Inbox/> ;
<http://www.w3.org/ns/solid/terms#timeline> <../Timeline/> ;
<http://xmlns.com/foaf/0.1/img> <https://www.gravatar.com/avatar/44ddb1f95dd88538aba49334131c4295?d=404&s=300> ;
<http://xmlns.com/foaf/0.1/name> "Brent Shambaugh" . 

I notice four things in particular that are interesting. The first three have to deal with the URIs http://www.w3.org/ns/auth/cert#exponent  , http://www.w3.org/ns/auth/cert#modulus and  http://www.w3.org/ns/auth/cert#RSAPublicKey . These all have to do with the cert vocabulary ( http://www.w3.org/ns/auth/cert# ) . Upon review of cryptography [3] [4], I note that this means I have the modulus and exponent of an RSA Public Key expressed in terms of the cert vocabulary. 

The modulus and exponent give me the public key, and vice versa. In fact, I can look at the certificate that databox.me created and see that I can get the modulus found at https://bshambaugh.databox.me/profile/card .

To accomplish this, I first export the certificate from my browser. In this case, I am using Firefox 47.0 . This browser requires me to go to the button at the top right that resembles three horizontal line segments (like a cat scratch). Once there, I click on preferences (the button that looks like a gear) and then to the wizard hat for Advanced. I am presented with a tab labeled Certificates. I click on the Certificates Tab and then click on the View Certificates button. 

This gives me the certificate manager.

If I click view certificate, I can see some general information about the certificate.

Clicking on Details and then Certificate Subject Alt Name tells me that the certificate is associated with https://bshambaugh.databox.me/profile/card#me tells me that this certificate could be associated with the https://bshambaugh.databox.me/profile/card Personal Profile Document. The dereferencable URI https://bshambaugh.databox.me/profile/card#me is called my WebID..

I need to certificate to also contains the public key modulus and exponent contained at https://bshambaugh.databox.me/profile/card . Scrolling up and selecting the Subject's Public Key gives me this modulus, as well as the exponent 65537 .

I notice that the exponent matches the exponent at https://bshambaugh.databox.me/profile/card . However, I am unsure about the modulus because it is in hexadecimal format instead of the hex Binary format that I want.

In order to get the hex Binary format I export the certificate by clicking Backup.

This prompts me to give a name for the backup and a password for the backup to save my Export as a pcks12 file.

Once I have the pcks12 file with my certificate and private key, I can use the openssl command line tool to analyze it.

The command:
 openssl pkcs12 -in backupcert.p12
 gives me a dump of the private key and the certificate.

I am interested in the certificate, so I take the output for the certificate below and paste it into another file .

Bag Attributes
    friendlyName: Brent Shambaugh [on bshambaugh.databox.me]
    localKeyID: F8 2E E8 AB 62 66 4C A8 00 BD 65 02 88 2B 6B 8F 58 25 93 1F
subject=/O=WebID/CN=Brent Shambaugh [on bshambaugh.databox.me]
issuer=/O=WebID/CN=Brent Shambaugh [on bshambaugh.databox.me]

I called this file brents_cert.crt.pem .
Performing the following openssl command on the certificate file gives me a modulus that matches the one in https://bshambaugh.databox.me/profile/card .
openssl x509 -noout -modulus -in brents_cert.crt.pem

I can also see the entire text of my certificate with:

openssl x509 -noout -text -in brents_cert.crt.pem

        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=WebID, CN=Brent Shambaugh [on bshambaugh.databox.me]
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Dec 31 23:59:59 2049 GMT
        Subject: O=WebID, CN=Brent Shambaugh [on bshambaugh.databox.me]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

            X509v3 Subject Alternative Name:
    Signature Algorithm: sha256WithRSAEncryption

The local key ID for the certificate and the private key also match.
Thus I have the certificate for the WebID https://bshambaugh.databox.me/profile/card#me and the appropriate public key. Since I have the private key, I can also authenticate myself for this WebID.

The whole process for authentication is like that for server side certificates over https, yet the client and server reverse roles and it is with a WebID. The process is described in sources [1] and [2]. A good source for how authentication with servers and https works is Robert Heaton's Article "How Does HTTPS Actually Work".
In the next post I will talk about SOLiD server for Node.js [6], and how the WebID created with databox.me fits in with it.

 [1] http://dig.csail.mit.edu/2009/Papers/SPOT/foaf-ssl-spot2009.pdf
 [2] https://www.w3.org/2005/Incubator/webid/spec/tls/
 [4]  http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key

Sunday, June 5, 2016

Links about Client Side Certificates for SOLiD

On May 16th  I had a discussion with Melvin Carvalho about client side certificates on https://gitter.im/linkeddata/chat . I was not sure what they were, so I dug up some papers to try to understand it. I found "Using RDF Metadata to Enable Access Control on the Social Semantic Web" [1] and "FOAF+SSL: RESTful Authentication for the Social Web" [2]. I was trying to understand how Node SOLID Server [3] was set up because I was getting authentication an authorization errors.

Fortunately, I just found a document called "Client Side certificates" [4] by Tim Berners-Lee and a spec called "WebID-TLS" [5] .

 [1] http://dig.csail.mit.edu/2009/Papers/ISWC/rdf-access-control/paper.pdf
 [2] http://dig.csail.mit.edu/2009/Papers/SPOT/foaf-ssl-spot2009.pdf
 [3] https://github.com/solid/node-solid-server
 [4] https://www.w3.org/DesignIssues/Security-ClientCerts.html
 [5] https://www.w3.org/2005/Incubator/webid/spec/tls/