WebID authentication
The server can be configured to authenticate clients through WebID. WebID uses HTTPS with TLS client certificates: every trusted client presents a certificate, signed by your own Root CA, whose subjectAltName names the client's WebID, and the server checks that the public key in that certificate matches the key published in the WebID document. Together this forms a trusted peer network.
To secure your server using HTTPS, you need certificates. To generate these, use the ./make-server-certificates.sh
script included in the server software under the keys folder. Enter the correct information for your domain: the first argument of the script is the FQDN (domain name) of your server, the second the port on which the server runs, and the third to sixth the country, state, locality (city) and organization, respectively. For example:
./make-server-certificates.sh example.test.iminds.be \
8900 BE Oost-Vlaanderen Ghent iMinds
Alternatively, you can generate the certificates manually, as follows:
You'll need a Root Certificate Authority (a private key and a self-signed certificate) to sign the certificates of your server and of trusted clients. Keep the CA private key out of the server's reach: anyone holding it can mint certificates that your server will trust.
openssl genrsa \
-out certs/ca/my-root-ca.key.pem \
2048
Create the self-signed Root CA certificate from that key (with -x509, openssl req writes a certificate directly instead of a certificate request). Since this CA is private, the subject details can be anything you like.
openssl req \
-x509 \
-new \
-nodes \
-key certs/ca/my-root-ca.key.pem \
-days 3652 \
-out certs/ca/my-root-ca.crt.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
Create a private key for the server.
openssl genrsa \
-out certs/server/my-server.key.pem \
2048
Create a certificate request for your server. The CN must be the FQDN that clients will connect to, as in the script above.
openssl req -new \
-key certs/server/my-server.key.pem \
-out certs/tmp/my-server.csr.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=example.com"
Finally, sign the request from your server with your Root CA.
openssl x509 \
-req -in certs/tmp/my-server.csr.pem \
-CA certs/ca/my-root-ca.crt.pem \
-CAkey certs/ca/my-root-ca.key.pem \
-CAcreateserial \
-out certs/server/my-server.crt.pem \
-days 1095
The server can then be configured to use HTTPS in combination with WebID like so. Paths are relative to the server's working directory; sslCa must point at the Root CA certificate that signed the client certificates (certs/ca/my-root-ca.crt.pem if you followed the manual steps above), not at the server certificate.
{
"protocol": "https",
"sslKey": "keys/certs/server/my-server.key.pem",
"sslCa": ["keys/certs/server/my-root-ca.crt.pem"],
"sslCert": "keys/certs/server/my-server.crt.pem"
}
With this configuration, the server requests a client certificate during the TLS handshake and uses WebID Authentication over TLS to authenticate trusted clients: the certificate must chain to the Root CA listed in sslCa, and the public key it carries must match the key published in the WebID named in its subjectAltName. Make sure the client's certificate is signed by your Root CA beforehand.
A WebID is an RDF document that describes the social profile of a person or organization. It is published at a unique HTTP(S) URI, which is used both as the identifier and, through the key it publishes, for authentication.
For instance, the WebID of a person called Bob can look like this:
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a foaf:PersonalProfileDocument ;
foaf:maker <#me> ;
foaf:primaryTopic <#me> .
<#me> a foaf:Person ;
foaf:name "Bob" ;
foaf:knows <https://example.edu/p/Alice#MSc> ;
foaf:img <https://bob.example.org/picture.jpg> .
For an organization, the document looks similar, for instance:
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a foaf:PersonalProfileDocument ;
foaf:maker <#webid> ;
foaf:primaryTopic <#webid> .
<#webid> a foaf:Organization ;
foaf:name "W3C" ;
foaf:img <https://www.w3.org/2008/site/images/logo-w3c-mobile-lg> .
Next, create a certificate for the client. First, create a private key for the client.
openssl genrsa \
-out certs/client/my-app-client.key.pem \
2048
Create an SSL client certificate request that includes your WebID in the subjectAltName.
Fill in the Country (C), State (ST), Locality (L), Organization (O) and Common Name (CN) correctly. Also remember to escape the forward slashes in the subjectAltName URI with a backslash (\/), because / separates the fields of the -subj string. Strictly speaking subjectAltName is an X.509 extension rather than a subject-name field, so after signing, check the issued certificate with openssl x509 -in certs/client/my-app-client.crt.pem -noout -text and make sure the WebID URI is present before handing it out. On OpenSSL 1.1.1 or later you can instead request the extension explicitly with -addext "subjectAltName=URI:https://bob.example.org/profile#me" and supply the same line through -extfile when signing; openssl x509 -req does not copy extensions from the request unless you also pass -copy_extensions copy (OpenSSL 3.0 or later).
# Create a trusted client cert
# NOTE: for a client certificate the CN is informational; the WebID in the
# subjectAltName is what identifies the client to the server
openssl req -new \
-key certs/client/my-app-client.key.pem \
-out certs/tmp/my-app-client.csr.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME App Client/CN=client.example.net/subjectAltName=uniformResourceIdentifier:https:\/\/bob.example.org\/profile#me"
Additionally, add your public key to the WebID document. The subject must be the resource the certificate's subjectAltName points at (<#me> for Bob's profile above, <#webid> for the organization), and the document needs the cert and xsd prefixes:
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
<#webid> cert:key [ a cert:RSAPublicKey;
cert:modulus "00cb24ed85d64d794b..."^^xsd:hexBinary;
cert:exponent 65537 ] .
You need the modulus and exponent of the client key. To get them, execute the following commands. The first prints Modulus=... in upper-case hex: drop the Modulus= prefix; the case of the digits and leading zeros do not matter, because the modulus is compared as an integer.
modulus:
openssl rsa -in certs/client/my-app-client.key.pem -modulus -noout
exponent:
openssl rsa -in certs/client/my-app-client.key.pem -text -noout | awk '/Exponent/ { print $2 }'
Exchange your certificate request with the server so it can sign it. To add a client to your pool of trusted peers, you must collect and sign its certificate request before communicating; after signing, you return the certificate to the client. Only the request travels to the server, never the client's private key.
openssl x509 \
-req -in certs/tmp/my-app-client.csr.pem \
-CA certs/ca/my-root-ca.crt.pem \
-CAkey certs/ca/my-root-ca.key.pem \
-CAcreateserial \
-out certs/client/my-app-client.crt.pem \
-days 1095
To test your own server setup from the same machine, you can generate trusted client certificates using the ./make-trusted-client-certificates.sh
script included in the server software under the keys folder. The first argument of the script is the FQDN (domain name) of your server, the second the WebID of the client (with its forward slashes escaped, as shown), and the third to sixth the country, state, locality (city) and organization, respectively. For example:
./make-trusted-client-certificates.sh combust.test.iminds.be \
"http:\/\/combust.test.iminds.be\/combusttestclient.ttl#webid" \
BE Oost-Vlaanderen Ghent iMinds
To test the setup, import the client certificate into your browser. Browsers take the PKCS#12 bundle keys/certs/my-app-client.p12, which holds the private key together with the certificate keys/certs/my-app-client.crt.pem (the .crt.pem alone, without the key, cannot be used for client authentication; openssl pkcs12 -export builds the bundle from the two). Just make sure the client's WebID includes the correct modulus, which you can obtain with the following command:
openssl rsa -in keys/certs/client/my-app-client.key.pem -modulus -noout
The client can then be configured to use HTTPS in combination with WebID like so. Note that you can add a certificate for each data source separately; the key file must stay readable only by the client process.
{
"ssl": {
"https://localhost:8900/testdata": {
"key": "certs/client/my-app-client.key.pem",
"cert": "certs/client/my-app-client.crt.pem"
}
}
}
Make sure your WebID document is online and reachable from the server: the server fetches it during authentication to compare the published key with the one in the client certificate, so an unreachable or stale profile means the client is rejected.
When querying, your machine may refuse the self-signed certificates. The safer fix is to tell Node.js to trust your Root CA by pointing NODE_EXTRA_CA_CERTS at it (for example NODE_EXTRA_CA_CERTS=keys/certs/ca/my-root-ca.crt.pem, adjusted to where your CA certificate lives). Alternatively you can turn certificate checking off, but note that this disables TLS verification for every connection the Node process makes, so use it only for local testing:
export NODE_TLS_REJECT_UNAUTHORIZED="0"