How to get a certificate from a SASL CA server

From GEANT2-JRA1 Wiki

Getting a valid certificate from a SASL CA is not a trivial operation, as the following diagram shows:

(Diagram: Getting a certificate from a SASL CA server)
  1. Start connection
  2. Init TLS socket: the client and the server set up an encrypted socket using TLS. In this step only the server certificate is checked, so clients have to use the truststore described in the SASL CA PKI Specification section, which contains the SASL CA server certificate.
  3. Send user credentials + certificate request: the client sends a username/password pair plus a certificate signing request (CSR) to the SASL CA server. To generate the CSR, the client needs a private key. See the SASL CA PKI Specification section for more information.
  4. Send certificate chain: if the user authenticated successfully, the SASL CA server returns a certificate chain containing the client's signed certificate and the certificate(s) of the SASL CA server (the signed certificate first, the CA root certificate last).

Technical documents about SASL CA are:

In practice, perfSONAR developers should use the existing libraries for connecting to SASL CA servers, because implementing the SASL CA protocol yourself is very difficult.

Java Library

There are some classes available in perfSONAR base for requesting a valid certificate from a SASL CA server:

(Class diagram: SASL CA connections in perfSONAR base)

Steps for getting a certificate from a SASL CA server are:

  • The class org.perfsonar.client.base.authn.saslca.UserID contains the name and the password of the user for the authentication process.
UserID userID = new UserID(PARAM_USERNAME, PARAM_USERPASS);
  • The class org.perfsonar.client.base.authn.saslca.SASLCAClientConfiguration has the information about the SASL CA server.
SASLCAClientConfiguration clientConfig = new SASLCAClientConfiguration(PARAM_SASLCAHOST, PARAM_SASLCAPORT,"RSA",1024,"auth-only");
  • The class org.perfsonar.client.base.authn.saslca.SASLCAClient is the interface for connecting to the SASL CA server, using both of the previous objects.
SASLCAClient client = new SASLCAClient(userID, clientConfig);
  • The method generateKeyPair() of the class SASLCAClient returns a new pair of private and public keys.
KeyPair keyPair = client.generateKeyPair();
  • The method getCertificate(KeyPair keys) of the class SASLCAClient connects to the SASL CA server and gets the signed X.509 certificate.
X509Certificate certificate = client.getCertificate(keyPair);
  • For debugging the final results:
// Requires java.security.cert.X509Certificate, java.text.DateFormat,
// java.util.Collection, java.util.Iterator and java.util.List;
// getSubjectAlternativeNames() declares CertificateParsingException.
System.out.println("Issuer DN: "+certificate.getIssuerDN().toString());
System.out.println("Subject DN: "+certificate.getSubjectDN().toString());
// Returns null when the certificate carries no subjectAltName extension.
Collection<List<?>> collection = certificate.getSubjectAlternativeNames();
if (collection != null) {
  Iterator<List<?>> it = collection.iterator();
  while (it.hasNext()) {
    List<?> list = it.next();
    // Each entry is [name type, value]; the eduGAIN component URN is a URI name.
    for (int i = 0; i < list.size(); i++) {
      if (list.get(i).toString().startsWith("http")) {
        System.out.println("Subject Alternative Name:" +list.get(i).toString());
      }
    }
  }
}
System.out.println("Valid from: "+DateFormat.getInstance().format(certificate.getNotBefore()));
System.out.println("Valid until: "+DateFormat.getInstance().format(certificate.getNotAfter()));

Example output of this code:

   Issuer DN: CN=A, OU=B, O=C, L=D, ST=E, C=ES
   Subject DN: CN=3c08f6da-177b-498e-8a79-b18e235dae69, O=rediris
   Subject Alternative Name:https://registry.edugain.org/resolver?urn=urn%3Ageant%3Aedugain%3Acomponent%3Aee%3Arediris%3A3c08f6da-177b-498e-8a79-b18e235dae69
   Valid from: 16/10/07 12:26
   Valid until: 16/10/07 20:26
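The steps above put together as one complete program, as an added example that is not part of the perfSONAR code base. It uses only the constructors and methods named on this page; the host, port, user name and password are placeholders, and the port parameter is assumed to be an int. Beyond the page's debug printout it adds two checks a client should make before keeping the certificate: that the issued certificate really carries the public key of the generated key pair, and that it is currently within its validity period.

```java
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.perfsonar.client.base.authn.saslca.SASLCAClient;
import org.perfsonar.client.base.authn.saslca.SASLCAClientConfiguration;
import org.perfsonar.client.base.authn.saslca.UserID;

/**
 * Added example (not part of perfSONAR): request a certificate through the
 * SASL CA client classes described on this page and check the result before
 * using it.
 */
public class SASLCACertificateRequest {

    // Placeholder connection parameters; replace with the real ones.
    private static final String PARAM_USERNAME = "user@example.org";
    private static final String PARAM_USERPASS = "CHANGE-ME";
    private static final String PARAM_SASLCAHOST = "saslca.example.org";
    private static final int PARAM_SASLCAPORT = 5555;   // assumed to be an int

    public static void main(String[] args) throws Exception {
        UserID userID = new UserID(PARAM_USERNAME, PARAM_USERPASS);
        // Key algorithm, key size and certificate use exactly as on the page.
        SASLCAClientConfiguration clientConfig = new SASLCAClientConfiguration(
                PARAM_SASLCAHOST, PARAM_SASLCAPORT, "RSA", 1024, "auth-only");
        SASLCAClient client = new SASLCAClient(userID, clientConfig);

        KeyPair keyPair = client.generateKeyPair();
        X509Certificate certificate = client.getCertificate(keyPair);

        checkIssuedCertificate(certificate, keyPair);
        printSummary(certificate);
    }

    /**
     * Checks to make before trusting a freshly issued certificate: it must
     * carry the public key we generated (otherwise it is useless with our
     * private key) and it must be inside its validity period right now.
     */
    static void checkIssuedCertificate(X509Certificate certificate, KeyPair keyPair)
            throws CertificateException {
        byte[] issued = certificate.getPublicKey().getEncoded();
        byte[] ours = keyPair.getPublic().getEncoded();
        if (!Arrays.equals(issued, ours)) {
            throw new CertificateException("issued certificate does not contain our public key");
        }
        // Throws CertificateExpiredException or CertificateNotYetValidException otherwise.
        certificate.checkValidity();
    }

    /** Same information as the page's debug printout, with the SAN type decoded. */
    static void printSummary(X509Certificate certificate) throws CertificateException {
        System.out.println("Issuer DN: " + certificate.getIssuerX500Principal().getName());
        System.out.println("Subject DN: " + certificate.getSubjectX500Principal().getName());
        // null when the certificate has no subjectAltName extension.
        Collection<List<?>> sans = certificate.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // Each entry is [type, value]; type 6 is uniformResourceIdentifier.
                Integer type = (Integer) san.get(0);
                if (type == 6) {
                    System.out.println("Subject Alternative Name (URI): " + san.get(1));
                }
            }
        }
        DateFormat df = DateFormat.getInstance();
        System.out.println("Valid from: " + df.format(certificate.getNotBefore()));
        System.out.println("Valid until: " + df.format(certificate.getNotAfter()));
    }
}
```

The public-key comparison uses the DER encoding of both keys rather than `equals()`, so it does not depend on how a particular provider implements key equality. The SAN loop matches on the GeneralName type instead of on the `"http"` prefix used in the page's snippet, so a URI name that does not start with `http` is still reported.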


SASL CA PKI Specification

At the moment, the key pair of the SASL CA servers is not definitive and is used for testing purposes only. The eduGAIN team has to define a new eduGAIN sub-CA for online CAs, or a new CA for this purpose. Until then, developers have to use the following truststore:

  • Download KeyStore 1.0
    • KeyStore type: JCEKS
    • KeyStore password: 123456
      • Example: using the keytool command to list the contents of this keystore:
     keytool -list -v -keystore ClientSASLCA.jks -storetype jceks -storepass 123456


 Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 1187858471 (0x46cd4827)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ES, ST=E, L=D, O=C, OU=B, CN=A
       Validity
           Not Before: Aug 23 08:41:11 2007 GMT
           Not After : Aug 22 08:41:11 2008 GMT
       Subject: C=ES, ST=E, L=D, O=C, OU=B, CN=A
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (2048 bit)
               Modulus (2048 bit):
                   00:81:49:06:0d:62:03:b5:88:13:f5:d0:75:a6:ec:
                   fa:a8:16:a1:b1:22:f6:da:97:90:c3:a2:ca:64:a2:
                   ad:fb:91:74:8c:21:7f:3d:5c:38:4e:fd:1d:6a:3b:
                   27:07:f6:ed:20:a5:52:6d:19:79:b9:21:20:7f:21:
                   9c:a6:7f:9d:ee:a0:63:64:79:df:95:66:ee:24:a7:
                   f7:54:d6:42:6e:52:33:7f:c9:1f:74:26:a0:ed:e2:
                   09:1d:f0:ea:e2:79:0e:8f:58:97:94:03:31:7f:61:
                   2c:3e:0c:1b:69:45:20:9e:c4:52:e7:8a:fd:8e:9c:
                   a1:d9:f5:c9:37:d9:31:c0:98:d0:43:be:23:56:f1:
                   fb:e3:8f:c7:28:59:b1:78:7e:b0:22:b1:d5:93:c4:
                   7b:e8:50:66:07:1b:64:f6:79:9d:6a:92:3d:97:28:
                   a4:2b:33:6d:2d:d1:b4:6d:d1:e2:f4:67:ec:20:63:
                   48:a5:dd:2f:e7:ea:13:37:dd:13:c7:ed:13:93:1e:
                   a8:e6:b0:30:de:ab:44:cd:c6:45:16:ec:ab:44:0b:
                   26:52:fe:ac:de:e6:6b:94:63:85:d6:fa:1d:81:cc:
                   ff:15:44:83:9d:18:83:02:ef:dd:52:a5:ad:2d:55:
                   18:19:3f:aa:d0:c2:56:12:5d:13:4b:5a:4a:64:35:
                   1d:29
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       1f:90:18:8c:20:01:cd:66:4e:cf:33:2f:b6:4a:d6:8d:f0:5d:
       e3:a9:71:f7:c0:84:aa:a0:f4:a8:a0:e7:92:fd:b8:86:5d:1b:
       1b:de:36:64:71:f4:05:f0:74:7f:6f:ef:c6:db:f6:c3:5f:4a:
       06:60:67:2a:11:ab:1c:52:85:ec:56:1f:af:53:70:d7:61:96:
       5e:47:69:a5:d6:0e:a4:69:89:db:dd:0c:e4:61:08:1f:6c:e8:
       89:0a:45:b3:53:bd:d8:1c:50:55:4e:ec:8c:4c:6a:95:4b:64:
       3f:91:5b:0e:7c:61:2d:db:20:92:d3:2c:f2:a1:8d:c1:df:d0:
       0f:40:10:e0:06:bd:16:5a:f8:c8:40:39:f2:09:fd:5e:c9:0d:
       e5:4e:5f:30:00:0a:29:f3:50:2f:06:0f:c7:46:96:8f:4b:69:
       9e:9c:3e:75:ce:36:8f:bf:56:41:92:75:01:be:f3:56:2a:3f:
       ac:80:b5:d1:b8:43:d2:82:46:33:65:76:06:33:63:c2:9a:ab:
       ce:94:94:56:e4:ef:5f:0f:33:9f:6c:b4:2e:d2:2e:f7:3a:fd:
       ff:7a:ad:64:31:db:d9:90:6d:c0:3a:31:63:ba:61:a0:1b:a4:
       f4:42:38:b9:64:33:57:19:bd:74:54:e0:06:59:03:54:eb:dd:
       ae:52:a2:bf
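As an added example (not part of perfSONAR or of this page), the following Java program does in code what the keytool command above does interactively: it opens the JCEKS truststore with the password given above and reports, for each trusted certificate entry, its subject, issuer, signature algorithm, X.509 version, whether it is self-signed (subject equals issuer and the signature verifies with its own key) and whether it is still inside its validity period. The page does not give the alias of the entry, so the program iterates over all aliases rather than assuming one. Run against the certificate dump above it should report version 1, MD5withRSA, a self-signed entry and, after 22 August 2008, an expired validity period.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not perfSONAR code): list what a client would trust when it
 * uses the SASL CA truststore, one finding per trusted-certificate entry.
 */
public class TruststoreInspector {

    static List<String> inspect(String path, char[] password) throws Exception {
        // The page says the store is of type JCEKS although the file is named .jks.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;   // only trusted-certificate entries matter in a truststore
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            findings.add(describe(alias, (X509Certificate) c));
        }
        return findings;
    }

    static String describe(String alias, X509Certificate cert) {
        boolean selfSigned = false;
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            try {
                cert.verify(cert.getPublicKey());   // signature checks out with its own key
                selfSigned = true;
            } catch (Exception e) {
                // subject == issuer but the signature does not verify: leave selfSigned false
            }
        }
        String validity;
        try {
            cert.checkValidity();
            validity = "currently valid";
        } catch (Exception e) {
            validity = "NOT valid now: " + e.getMessage();
        }
        return String.format("%s: subject=%s issuer=%s sigalg=%s version=%d selfSigned=%b %s",
                alias,
                cert.getSubjectX500Principal().getName(),
                cert.getIssuerX500Principal().getName(),
                cert.getSigAlgName(),
                cert.getVersion(),
                selfSigned,
                validity);
    }

    public static void main(String[] args) throws Exception {
        // File name and password as given on the page; adjust the path to where the
        // keystore was downloaded.
        for (String line : inspect("ClientSASLCA.jks", "123456".toCharArray())) {
            System.out.println(line);
        }
    }
}
```

The signature algorithm and version are worth printing because they are what a client cannot see in the normal connection flow: the TLS step only checks that the server certificate chains to this store, so the store's contents define the whole trust basis for the username/password exchange.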
