Monday, June 20, 2016

Creating a Client-Side Certificate, Private Key, and WebID with databox.me

Databox.me is an experimental service that allows a person to create a client-side certificate with a WebID and a corresponding private key. It is an implementation of FOAF+SSL invented by Dr. Henry Story. More information is available in a whitepaper [1] and in a W3C specification [2].
When https://databox.me is visited, a welcome screen is presented that allows a person to create an account with a particular name. I chose bshambaugh.


 
databox.me checks for the name I selected. If it does not exist, I get an option to choose an optional backup e-mail for account recovery purposes.


In the second step, I provide the name and gravatar I want associated with my account. In the third step I choose to create my keys.




The certificate and private key are saved in my browser, and a publicly available personal profile document is placed at https://bshambaugh.databox.me/profile/card .
Using curl to retrieve this document gives:



@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

<>
a <http://xmlns.com/foaf/0.1/PersonalProfileDocument> ;
<http://xmlns.com/foaf/0.1/maker> <#me> ;
<http://xmlns.com/foaf/0.1/primaryTopic> <#me> .

<#key294f>
a <http://www.w3.org/ns/auth/cert#RSAPublicKey> ;
<http://www.w3.org/2000/01/rdf-schema#label> "Created 15 Apr 16 20:57 UTC on bshambaugh.databox.me" ;
<http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#int> ;
<http://www.w3.org/ns/auth/cert#modulus> "bb474500cdcd466b1d03c9d83b94673bbf6a3a4d4e98afc62ce0dd29b15fe2ec09c4bf64c2dbeb5406e53a255d0e37e396dce2a89bed42242697e26dd928cfb4af4a4960a4992c77bce52fd0aa57319aa2f4af6714412b31030008acba0f8f5f5a1f0e69c55e7f8a1eb29a490e8db29884bd40db123c26f267ea68840574da80fa08461a10b1bfe71cd5575fba8bb32e6355472dc4ff93717bb12dc349d5bcd32807fe843dee44003879e87d6263a61193c434799e1219230b2d7f54e5e75a56fbb1df43792ce38b6264ca5b05b9ad26a32472af7da358511e2e0c162a81d17ac7f03cc31b8522cb235caf546b2cb157a7008fd01cf1bd1400d3bd784866495b"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .

<#me>
a <http://xmlns.com/foaf/0.1/Person> ;
<http://www.w3.org/ns/auth/cert#key> <#key294f> ;
<http://www.w3.org/ns/pim/space#preferencesFile> <../Preferences/prefs.ttl> ;
<http://www.w3.org/ns/pim/space#storage> <../> ;
<http://www.w3.org/ns/solid/terms#inbox> <../Inbox/> ;
<http://www.w3.org/ns/solid/terms#timeline> <../Timeline/> ;
<http://xmlns.com/foaf/0.1/img> <https://www.gravatar.com/avatar/44ddb1f95dd88538aba49334131c4295?d=404&s=300> ;
<http://xmlns.com/foaf/0.1/name> "Brent Shambaugh" . 


I notice four things in particular that are interesting. The first three have to do with the URIs http://www.w3.org/ns/auth/cert#exponent , http://www.w3.org/ns/auth/cert#modulus and http://www.w3.org/ns/auth/cert#RSAPublicKey . These all belong to the cert vocabulary ( http://www.w3.org/ns/auth/cert# ). Upon review of cryptography [3] [4], I note that this means I have the modulus and exponent of an RSA public key expressed in terms of the cert vocabulary.

The modulus and exponent give me the public key, and vice versa. In fact, I can look at the certificate that databox.me created and see that I can get the modulus found at https://bshambaugh.databox.me/profile/card .

To accomplish this, I first export the certificate from my browser. In this case, I am using Firefox 47.0 . This browser requires me to go to the button at the top right that resembles three horizontal line segments (like a cat scratch). Once there, I click on preferences (the button that looks like a gear) and then to the wizard hat for Advanced. I am presented with a tab labeled Certificates. I click on the Certificates Tab and then click on the View Certificates button. 

This gives me the certificate manager.


If I click view certificate, I can see some general information about the certificate.

Clicking on Details and then Certificate Subject Alt Name tells me that the certificate is associated with https://bshambaugh.databox.me/profile/card#me , which tells me that this certificate could be associated with the https://bshambaugh.databox.me/profile/card Personal Profile Document. The dereferenceable URI https://bshambaugh.databox.me/profile/card#me is called my WebID.


I need the certificate to also contain the public key modulus and exponent contained at https://bshambaugh.databox.me/profile/card . Scrolling up and selecting the Subject's Public Key gives me this modulus, as well as the exponent 65537 .



I notice that the exponent matches the exponent at https://bshambaugh.databox.me/profile/card . However, I am unsure about the modulus because it is in hexadecimal format instead of the hexBinary format that I want.

In order to get the hexBinary format, I export the certificate by clicking Backup.

This prompts me to give a name for the backup and a password for the backup to save my export as a pkcs12 file.

Once I have the pkcs12 file with my certificate and private key, I can use the openssl command line tool to analyze it.

The command:
 openssl pkcs12 -in backupcert.p12
 gives me a dump of the private key and the certificate.

I am interested in the certificate, so I take the output for the certificate below and paste it into another file .

Bag Attributes
    friendlyName: Brent Shambaugh [on bshambaugh.databox.me]
    localKeyID: F8 2E E8 AB 62 66 4C A8 00 BD 65 02 88 2B 6B 8F 58 25 93 1F
subject=/O=WebID/CN=Brent Shambaugh [on bshambaugh.databox.me]
issuer=/O=WebID/CN=Brent Shambaugh [on bshambaugh.databox.me]
-----BEGIN CERTIFICATE-----
MIIDEDCCAnmgAwIBAgIBKjANBgkqhkiG9w0BAQsFADBFMQ4wDAYDVQQKEwVXZWJJ
RDEzMDEGA1UEAwwqQnJlbnQgU2hhbWJhdWdoIFtvbiBic2hhbWJhdWdoLmRhdGFi
b3gubWVdMB4XDTAwMDEwMTAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowRTEOMAwGA1UE
ChMFV2ViSUQxMzAxBgNVBAMMKkJyZW50IFNoYW1iYXVnaCBbb24gYnNoYW1iYXVn
aC5kYXRhYm94Lm1lXTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtH
RQDNzUZrHQPJ2DuUZzu/ajpNTpivxizg3SmxX+LsCcS/ZMLb61QG5TolXQ4345bc
4qib7UIkJpfibdkoz7SvSklgpJksd7zlL9CqVzGaovSvZxRBKzEDAAisug+PX1of
DmnFXn+KHrKaSQ6NspiEvUDbEjwm8mfqaIQFdNqA+ghGGhCxv+cc1VdfuouzLmNV
Ry3E/5Nxe7Etw0nVvNMoB/6EPe5EADh56H1iY6YRk8Q0eZ4SGSMLLX9U5edaVvux
30N5LOOLYmTKWwW5rSajJHKvfaNYUR4uDBYqgdF6x/A8wxuFIssjXK9UayyxV6cA
j9Ac8b0UANO9eEhmSVsCAwEAAaOBizCBiDAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBQwggEiMA0GCSqGSIb3DQEBAQUAAzAfBgNVHSMEGDAWgBQwggEiMA0GCSqGSIb3
DQEBAQUAAzA4BgNVHREEMTAvhi1odHRwczovL2JzaGFtYmF1Z2guZGF0YWJveC5t
ZS9wcm9maWxlL2NhcmQjbWUwDQYJKoZIhvcNAQELBQADgYEADz84kpye2ALd+YIV
a4xz1ssgPzH3JD4VGHyfHOC10rXg8dqJPaIZrgJ6RHToIviQ5QG7BIgugKZr9yvh
TB9M6d8jK10duQHSqZzns31OSlE1crWmjaQmLiMSleytVf6ULtOByDGMGtEoEQka
Ap08T29HjCTcx1UNWwDseFu7EzQ=
-----END CERTIFICATE-----

I called this file brents_cert.crt.pem .
Performing the following openssl command on the certificate file gives me a modulus that matches the one in https://bshambaugh.databox.me/profile/card .
openssl x509 -noout -modulus -in brents_cert.crt.pem
Modulus=BB474500CDCD466B1D03C9D83B94673BBF6A3A4D4E98AFC62CE0DD29B15FE2EC09C4BF64C2DBEB5406E53A255D0E37E396DCE2A89BED42242697E26DD928CFB4AF4A4960A4992C77BCE52FD0AA57319AA2F4AF6714412B31030008ACBA0F8F5F5A1F0E69C55E7F8A1EB29A490E8DB29884BD40DB123C26F267EA68840574DA80FA08461A10B1BFE71CD5575FBA8BB32E6355472DC4FF93717BB12DC349D5BCD32807FE843DEE44003879E87D6263A61193C434799E1219230B2D7F54E5E75A56FBB1DF43792CE38B6264CA5B05B9AD26A32472AF7DA358511E2E0C162A81D17AC7F03CC31B8522CB235CAF546B2CB157A7008FD01CF1BD1400D3BD784866495B

I can also see the entire text of my certificate with:

openssl x509 -noout -text -in brents_cert.crt.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=WebID, CN=Brent Shambaugh [on bshambaugh.databox.me]
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Dec 31 23:59:59 2049 GMT
        Subject: O=WebID, CN=Brent Shambaugh [on bshambaugh.databox.me]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:47:45:00:cd:cd:46:6b:1d:03:c9:d8:3b:94:
                    67:3b:bf:6a:3a:4d:4e:98:af:c6:2c:e0:dd:29:b1:
                    5f:e2:ec:09:c4:bf:64:c2:db:eb:54:06:e5:3a:25:
                    5d:0e:37:e3:96:dc:e2:a8:9b:ed:42:24:26:97:e2:
                    6d:d9:28:cf:b4:af:4a:49:60:a4:99:2c:77:bc:e5:
                    2f:d0:aa:57:31:9a:a2:f4:af:67:14:41:2b:31:03:
                    00:08:ac:ba:0f:8f:5f:5a:1f:0e:69:c5:5e:7f:8a:
                    1e:b2:9a:49:0e:8d:b2:98:84:bd:40:db:12:3c:26:
                    f2:67:ea:68:84:05:74:da:80:fa:08:46:1a:10:b1:
                    bf:e7:1c:d5:57:5f:ba:8b:b3:2e:63:55:47:2d:c4:
                    ff:93:71:7b:b1:2d:c3:49:d5:bc:d3:28:07:fe:84:
                    3d:ee:44:00:38:79:e8:7d:62:63:a6:11:93:c4:34:
                    79:9e:12:19:23:0b:2d:7f:54:e5:e7:5a:56:fb:b1:
                    df:43:79:2c:e3:8b:62:64:ca:5b:05:b9:ad:26:a3:
                    24:72:af:7d:a3:58:51:1e:2e:0c:16:2a:81:d1:7a:
                    c7:f0:3c:c3:1b:85:22:cb:23:5c:af:54:6b:2c:b1:
                    57:a7:00:8f:d0:1c:f1:bd:14:00:d3:bd:78:48:66:
                    49:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                30:82:01:22:30:0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:03
            X509v3 Authority Key Identifier:
                keyid:30:82:01:22:30:0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:03

            X509v3 Subject Alternative Name:
                URI:https://bshambaugh.databox.me/profile/card#me
    Signature Algorithm: sha256WithRSAEncryption
         0f:3f:38:92:9c:9e:d8:02:dd:f9:82:15:6b:8c:73:d6:cb:20:
         3f:31:f7:24:3e:15:18:7c:9f:1c:e0:b5:d2:b5:e0:f1:da:89:
         3d:a2:19:ae:02:7a:44:74:e8:22:f8:90:e5:01:bb:04:88:2e:
         80:a6:6b:f7:2b:e1:4c:1f:4c:e9:df:23:2b:5d:1d:b9:01:d2:
         a9:9c:e7:b3:7d:4e:4a:51:35:72:b5:a6:8d:a4:26:2e:23:12:
         95:ec:ad:55:fe:94:2e:d3:81:c8:31:8c:1a:d1:28:11:09:1a:
         02:9d:3c:4f:6f:47:8c:24:dc:c7:55:0d:5b:00:ec:78:5b:bb:
         13:34


The local key ID for the certificate and the private key also match.
Thus I have the certificate for the WebID https://bshambaugh.databox.me/profile/card#me and the appropriate public key. Since I have the private key, I can also authenticate myself for this WebID.
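
The modulus comparison above, as an added shell example that is not part of the original post: it reduces the three ways the modulus is printed (the colon-separated dump with its leading 00 byte, the uppercase Modulus= line, and the lowercase hexBinary literal in the profile) to one form and checks that modulus and exponent agree. The sample values are constructed and short, the function names are hypothetical, and the profile is assumed to list a single key with full IRIs, as in the document retrieved above.

```bash
#!/bin/sh
# Added example. Sample values are constructed; function names are hypothetical.

# Reduce any rendering of an RSA modulus to bare lowercase hex:
#   Modulus=C35A...   (openssl x509 -modulus)
#   00:c3:5a:...      (openssl x509 -text, certificate viewers)
#   c35a...           (cert:modulus hexBinary literal in the profile)
# The leading 00 in the colon form is DER sign padding, not part of the value.
normalize_modulus() {
  printf '%s' "$1" | sed 's/^Modulus=//' | tr -d ': \t\r\n' \
    | tr 'A-F' 'a-f' | sed 's/^\(00\)*//'
}

# Extract one literal from a Turtle profile that uses full IRIs.
# Assumes a single key in the profile (an assumption of this example).
profile_literal() {  # $1 = cert vocabulary term, $2 = Turtle text
  printf '%s\n' "$2" |
    sed -n "s|.*<http://www.w3.org/ns/auth/cert#$1>[[:space:]]*\"\([^\"]*\)\".*|\1|p"
}

# Succeeds only when the certificate's key equals the key in the profile.
webid_key_matches() (  # $1 = cert modulus text, $2 = cert exponent, $3 = Turtle
  cert_mod=$(normalize_modulus "$1")
  prof_mod=$(normalize_modulus "$(profile_literal modulus "$3")")
  prof_exp=$(profile_literal exponent "$3")
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$prof_mod" ] && [ "$2" = "$prof_exp" ]
)

# Constructed 64-bit modulus in the three renderings (far too short for real use).
SAMPLE_OPENSSL='Modulus=C35A0F9142D7E68B'
SAMPLE_TEXT_DUMP='00:c3:5a:0f:91:
                    42:d7:e6:8b'
SAMPLE_PROFILE='<#key1>
  <http://www.w3.org/ns/auth/cert#exponent> "65537"^^<http://www.w3.org/2001/XMLSchema#int> ;
  <http://www.w3.org/ns/auth/cert#modulus> "c35a0f9142d7e68b"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .'

for rendering in "$SAMPLE_OPENSSL" "$SAMPLE_TEXT_DUMP"; do
  if webid_key_matches "$rendering" 65537 "$SAMPLE_PROFILE"; then
    echo "match"
  else
    echo "MISMATCH"
  fi
done
```

With real files, the first argument would be the output of the openssl x509 -noout -modulus command shown earlier and the third the profile document fetched with curl.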

The whole process for authentication is like that for server-side certificates over https, yet the client and server reverse roles and it is with a WebID. The process is described in sources [1] and [2]. A good source for how authentication with servers and https works is Robert Heaton's article "How Does HTTPS Actually Work".
In the next post I will talk about SOLiD server for Node.js [6], and how the WebID created with databox.me fits in with it.

[1] http://dig.csail.mit.edu/2009/Papers/SPOT/foaf-ssl-spot2009.pdf
[2] https://www.w3.org/2005/Incubator/webid/spec/tls/
[4] http://stackoverflow.com/questions/3116907/rsa-get-exponent-and-modulus-given-a-public-key

