On 11 Feb 2010, at 20:24, Sergiu Dumitriu wrote:

> On 02/10/2010 12:44 PM, Story Henry wrote:
>> Hi,
>> 
>> Having got Xwiki to produce RDFa (very easy), and having switched off
>> Twitter to allow me to concentrate, I am now working on allowing a
>> user to click a button in his profile, and have it create a foaf+ssl
>> certificate (which is just a normal certificate, but with a URL in
>> the subject alternative name). The code for this is very simple:
>> 
>> http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/java/uk/ac/manchester/_rcs/bruno/keygenapp/webapp/MiniCaServlet.java
>> 
>> (with a few lines of tweaks required to add the certificate
>> information to the profile page).
>> 
>> What happens is that a <keygen> XML element is added to a <form>
>> element in the user's profile page. This forces the browser (Safari,
>> Firefox, Opera) to create a <public, private> key pair and send the
>> public part to the servlet referred to above (MiniCaServlet). That
> 
> What about IE? Not that I like it, but most enterprise users are still 
> on IE6.

You can do it as shown here, I think. This HTML:

http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/webapp/index.html

will call this javascript:

http://github.com/harbulot/keygenapp/blob/master/samplewebapp/src/main/webapp/crosskeygen.js

With IE one has to use an ActiveX component. We have not checked this out that 
much yet, and it may be possible to do a lot better than that javascript...

More on http://esw.w3.org/topic/foaf+ssl

> 
>> servlet creates a certificate and sends it back to an invisible
>> iframe. The browser then adds that cert to the keystore (this is done
>> automatically, it's part of browser behavior).
> 
> Do you have a link to some documentation about this behavior?

Yes, it is now defined in HTML5:

http://dev.w3.org/html5/spec/Overview.html#the-keygen-element


> 
>> So to move this code to XWiki, I understand I should create a
>> component. I read about it here:
>> 
>> http://platform.xwiki.org/xwiki/bin/view/DevGuide/WritingComponents
> 
> Yes, that's the right approach. You should also read about the new 
> scripting service, see http://jira.xwiki.org/jira/browse/XWIKI-4853 and 
> http://markmail.org/thread/g4z56pl734lng2ym
> 
>> and it makes sense. From a component I can get the user, and from
>> that I can get his profile page, and then I can add the public key
>> information to his profile (I wrote a RSAKeyClass in Xwiki to do
>> this).
> 
> RSAKeyClass as a class inside com.xpn.xwiki.objects.classes, similar to 
> PasswordClass, NumberClass and the like? Yes, that is good. You also 
> need a RSAKeyMetaClass in com.xpn.xwiki.objects.meta, and register it in 
> com.xpn.xwiki.objects.meta.MetaClass
> 
> Alternatively, you could just use the TextAreaClass for the moment, 
> although that's 0 security.

(No, we don't want people to edit their public/private keys. That would just 
cause confusion.)

> 
>> The component should finally send the newly generated certificate
>> back to the client, which it can do because it has access to the
>> HttpServletResponse.
>> 
>> But where would I put such a component? In a specific wiki page?
> 
> Better as a jar inside WEB-INF/lib. Given that it adds a new property 
> type to the data model, it should be a key component inside the platform.
> 
>> Does all that make sense? If not let me know before I go and code it
>> up.
> 
> Looks good to me so far, but I have a couple more questions/suggestions:
> 
> - You must make sure that the private key can't be publicly accessed

There are two keys that need to be mentioned here:
 - the key from the browser: the browser will only send the public key to the
   server, so it is up to the client to be careful about this
 - the key of the Xwiki server that will sign the incoming keys.
   One could create a certificate on the fly per installation of an Xwiki
   server, as this just needs to be self-signed. Well, it would be useful to make
   it a little specific, by for example giving a reasonable LDAP name
   (Distinguished Name) to it.

> - What do you plan to do with these keys afterwards?
> - The process that you described (browser creates key, sends public part 
> to server, server creates certificate and sends back to browser) does 
> not mention anything about what happens within the user profile. Could 
> you go into more details?

The user profile will show a public key marked up in RDFa. There could be a 
number of them. See my profile http://bblfish.net/ for an example.

This is then used to authenticate the user. More on the wiki, but the short 
version is here:

   http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

Henry

> 
>> Henry
>> 
>> PS. It would be fun later to have the User's Profile page be a bit
>> Ajaxy, so that if it notices a change to the invisible iframe the
>> browser can make a request to XWiki to refresh the table of public
>> keys displayed to the user.
>> 
>> Social Web Architect http://bblfish.net/
> 
> -- 
> Sergiu Dumitriu
> http://purl.org/net/sergiu/
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs


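As an added example that is not code from this thread, from the keygenapp repository or from XWiki, here are the two server-side steps the thread describes, written in Go with only its standard library: the MiniCaServlet role that signs the browser's public key into a certificate carrying the profile URL in subjectAltName, and the relying-party check that later matches that key against the one the profile publishes. The issuer and subject names, the profile URL and the in-memory profile map are constructed placeholders, and decoding the <keygen> response into a public key is assumed to have already happened.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// NewKey stands in for the browser's <keygen> step (and for the wiki's own signing key).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueWebIDCert plays the MiniCaServlet role: the browser sent only its public key; the wiki's signing
// key binds it to the profile URL by placing that URL in subjectAltName (URI form). DNs are placeholders.
func IssueWebIDCert(signKey *rsa.PrivateKey, userPub *rsa.PublicKey, webID string) (*x509.Certificate, error) {
	u, err := url.Parse(webID)
	if err != nil || !u.IsAbs() {
		return nil, errors.New("webID must be an absolute URL")
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "XWiki foaf+ssl signer"}}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "XWiki user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
		URIs:         []*url.URL{u}, // the WebID goes into the SAN extension
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, userPub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWebID is the relying-party check (trust comes from the profile, not the signer): read the SAN
// URI, look up the key that profile publishes (a map stands in for the RDFa fetch), compare N and E.
func VerifyWebID(cert *x509.Certificate, profiles map[string]*rsa.PublicKey) (string, error) {
	pub, _ := cert.PublicKey.(*rsa.PublicKey) // nil if the certificate key is not RSA
	for _, u := range cert.URIs {
		if known := profiles[u.String()]; pub != nil && known != nil && known.E == pub.E && known.N.Cmp(pub.N) == 0 {
			return u.String(), nil
		}
	}
	return "", errors.New("no SAN URI whose profile lists this key")
}
```

Matching the modulus and exponent against what the profile publishes is the step that lets foaf+ssl work without a trusted CA, which is why the signer's identity plays no part in VerifyWebID.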