Reading Client certificate - webid implementation


Thomas Fritz

Aug 29, 2011, 1:15:12 PM
to nodejs list

Hello.
Has anyone implemented WebID in Node so far?
How can I read the client's certificate from Node, especially the Subject Alternative Name from the client's certificate? I also have to trigger the certificate selector in the browser. Therefore SSL has to be configured correctly. Is that possible?
Kind regards

Thomas Fritz

Aug 30, 2011, 6:14:01 AM
to nodejs list
So I found this issue: https://github.com/joyent/node/issues/1568 .
The documentation
(http://nodejs.org/docs/v0.5.5/api/all.html#request.connection).
To access the SAN (Subject Alternative Name):
req.connection.getPeerCertificate().subject.subjectAltName should
work.

I had no time to try this out yet, but it looks promising.

Has anyone else experience with WebID (X509 Client Certificates) ?

Kind regards

---
Thomas FRITZ
web http://fritzthomas.com
twitter http://twitter.com/thomasf

2011/8/29 Thomas Fritz <frit...@gmail.com>:

Thomas Fritz

Aug 30, 2011, 3:14:59 PM
to nodejs list
OK.

I have the following code:
var https = require("https");
var fs = require("fs");

var options = {
  key: fs.readFileSync('keys/agent-key.pem'),
  cert: fs.readFileSync('keys/agent-cert.pem'),
  requestCert: true // ask the browser for a client certificate
};

https.createServer(options, function(req, res) {
  console.log(req.connection.getPeerCertificate()); // dump the client certificate
  res.writeHead(200);
  res.end("Hello WebID\n");
}).listen(8000);


The browser correctly asks me for my client certificate (do not
forget to add the requestCert: true option).
When I then select a certificate which has a Subject Alternative Name
in it, it just prints:
{ subject:
   { C: 'Austria',
     O: 'Test Org',
     OU: 'Test Unit',
     CN: 'Thomas Fritz 2',
     emailAddress: 'frit...@gmail.com' },
  issuer:
   { C: 'FR',
     ST: 'Essonne',
     O: 'webid.fcns.eu',
     CN: 'webid.fcns.eu',
     emailAddress: 'we...@fcns.eu' },
  valid_from: 'Aug 30 18:21:02 2011 GMT',
  valid_to: 'Aug 29 18:21:02 2012 GMT',
  fingerprint: '9C:74:C6:AA:95:41:FC:C2:6A:76:61:D7:2C:45:F9:28:8B:0B:69:F6' }


Actually there should be a Subject Alternative Name. I have generated
my client certificate here: https://webid.fcns.eu/certgen.php .


When I export the certificate and read it with openssl:
openssl x509 -in ThomasFritz2-cert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f5:8a:b2:d1:76:06:13:d7
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=FR, ST=Essonne, O=webid.fcns.eu,
CN=webid.fcns.eu/emailAddress=we...@fcns.eu
Validity
Not Before: Aug 30 18:21:02 2011 GMT
Not After : Aug 29 18:21:02 2012 GMT
Subject: C=Austria, O=Test Org, OU=Test Unit, CN=Thomas Fritz
2/emailAddress=frit...@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
56:81:A8:D8:D7:2E:91:E3:2A:F4:BA:B9:F8:07:1D:6C:C5:24:49:3A
X509v3 Authority Key Identifier:

keyid:2B:DF:EF:BF:79:13:73:CB:E4:D4:35:A5:0B:EC:18:2C:63:E4:D2:F0

X509v3 Subject Alternative Name:
email:frit...@gmail.com, URI:http://fritzthomas.com/profile#me
Signature Algorithm: sha1WithRSAEncryption


What I want to do is to play around with the WebID stack. Therefore I
have to read the client certificate's Subject Alternative Name, which
should be a valid URI which I can then read from. This URI should be a
valid FOAF profile. In my case this is
http://fritzthomas.com/profile#me. But the problem now is that I
cannot read this property from the client's cert from within Node.
Is it possible to read these properties from the client certificate?
Can someone help me out? I actually do not think that the issue I
mentioned above has something to do with this one.


Kind regards

2011/8/30 Thomas Fritz <frit...@gmail.com>:

Thomas Fritz

Aug 31, 2011, 2:58:39 AM
to nodejs list
There is another issue / merge request which adds more properties to
the peer certificate in Node: https://github.com/joyent/node/pull/1286
When fixed and tested, it seems that it will be in the next version of Node
(0.5.6 ??) - so it is "foaf+ssl ready" (tm).

In the meantime I came across this project, which solves it in another way:
http://lists.foaf-project.org/pipermail/foaf-protocols/2011-May/004942.html

Regards

2011/8/30 Thomas Fritz <frit...@gmail.com>:
