Thanks for the effort. I have no problem encoding/decoding the signature; in fact I already have that implemented. My challenge data (a Base64 string) contains the signature, and the signature contains the certificate, so there is no problem getting them from the challenge. The problem is my lack of knowledge of how CAS is implemented. This use case is for an authentication mechanism (the user responds to a challenge message from the server by signing it with his own certificate, and when that signed challenge returns to the server, the certificate "just" needs to be extracted from the signature, validated and compared with the user's certificate in LDAP, and if everything goes well the user is authenticated). Can you just explain to me how the X509 authentication that is already implemented works? When you said hardware token, what precisely did you mean by that? Can I try to authenticate with some certificate (on the client side) from a keystore or the file system? Maybe that can help me achieve what I want?!
On Fri, Feb 15, 2013 at 3:13 PM, Marvin Addison <[email protected]> wrote:

> > I'll explain to you once more my business logic. I implemented some
> > services for a dynamic jnlp file with some parameters (there are JSESSIONID,
> > action, loginTicket, execution and challenge; the challenge contains some
> > server data/description, a timestamp (put in session scope), a sequence
> > number (put in session scope) and the issuer (CAS) signature, so the challenge
> > was XML but converted to a Base64 String). Now on the client side, when the user
> > "downloads" (runs) that generated jnlp, the next thing he needs to do is sign
> > that challenge with his own certificate on the smartcard and send a POST request
> > with the needed parameters and also the challenge (again as Base64) to CAS.
>
> I must admit I'm a little puzzled by your use case and the obstacles
> for which you've reached out for help. I would imagine generating the
> signature and interacting with a browser or other user agent to send
> both the signature and the cert are orders of magnitude harder than
> figuring out how to make CAS validate it as an authentication
> mechanism.
>
> > Then on the server side I meant to implement custom credentials, but I'm not
> > sure how; I don't know much about CAS and how X509Credentials operate.
>
> Assuming base64 for both sig and cert you would have the following:
>
> import java.io.ByteArrayInputStream;
> import java.security.cert.CertificateException;
> import java.security.cert.CertificateFactory;
> import java.security.cert.X509Certificate;
> import java.util.Base64;
>
> public class X509SignatureCredentials {
>     private String certificate;
>
>     private String signature;
>
>     public X509SignatureCredentials(final String certificate, final String signature) {
>         this.certificate = certificate;
>         this.signature = signature;
>     }
>
>     // Decode the base64-encoded DER certificate into an X509Certificate.
>     public X509Certificate decodeCertificate() throws CertificateException {
>         final byte[] der = Base64.getDecoder().decode(certificate);
>         final CertificateFactory factory = CertificateFactory.getInstance("X.509");
>         return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
>     }
>
>     // Decode the base64-encoded signature data; the signature algorithm is not
>     // carried in the data and has to be assumed (see below).
>     public byte[] decodeSignature() {
>         return Base64.getDecoder().decode(signature);
>     }
> }
>
> The signature data could just be the signed bytes and you would have
> to assume the signature algorithm (e.g. RSA) and algorithm parameters;
> otherwise you'd have to devise an encoding mechanism for that data.
> There is no existing standard for this afaik.
>
> You will also have to tackle the problem of getting the data you POST
> into your credentials object. Review the Spring Webflow for that.
>
> I would rate this implementation as advanced; you'll need a
> substantial knowledge of crypto and X.509 in addition to CAS to
> succeed. Best of luck.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
*Regards, Mihalj*
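To show what the credentials sketch above leaves as a TODO on the server side, here is an added verification routine (my example, not CAS code and not from anyone in this thread): it decodes the Base64 certificate, checks its validity period, compares it byte-for-byte with the certificate fetched for the user (the LDAP lookup is assumed to be done by the caller), and verifies the signature over the challenge the server itself issued and stored in the session. The class and method names and the SHA256withRSA algorithm are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

/** Server-side check of a signed challenge; cert and signature arrive Base64-encoded. */
public final class SignedChallengeVerifier {

    // Assumed algorithm: nothing in the POSTed data says which one the client used,
    // so client and server must agree on it out of band.
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    public static X509Certificate decodeCertificate(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * @param issuedChallenge the Base64 challenge the server generated and kept in the session
     * @param base64Cert      the client certificate sent with the POST
     * @param base64Sig       the signature over the challenge bytes
     * @param expected        the certificate stored in LDAP for the claimed user
     */
    public static boolean verify(String issuedChallenge, String base64Cert, String base64Sig,
                                 X509Certificate expected) throws Exception {
        X509Certificate presented = decodeCertificate(base64Cert);
        // 1. Reject expired or not-yet-valid certificates (throws if outside the period).
        presented.checkValidity();
        // 2. Must be the exact certificate on file for this user, not merely the same subject DN.
        if (!Arrays.equals(presented.getEncoded(), expected.getEncoded())) {
            return false;
        }
        // 3. Verify over the challenge the server issued, never over a challenge the client
        //    echoes back; the session-scoped timestamp and sequence number are what make
        //    each response single-use.
        Signature sig = Signature.getInstance(SIGNATURE_ALGORITHM);
        sig.initVerify(presented.getPublicKey());
        sig.update(issuedChallenge.getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getDecoder().decode(base64Sig));
    }
}
```

Chain validation against the issuing CA and revocation checking are left out here; the byte-for-byte comparison with the LDAP copy pins the certificate but does not replace them in a production deployment.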
