From 595db6383d3e4ba50e3075459600ae3cd5298c5a Mon Sep 17 00:00:00 2001
From: fstoqnov
Date: Fri, 4 Aug 2017 12:36:28 +0100
Subject: [PATCH 1/8] Update Getting-Started-with-Akka-http-signature.md
---
 Getting-Started-with-Akka-http-signature.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md
index 8646ce4..4fed45e 100644
--- a/Getting-Started-with-Akka-http-signature.md
+++ b/Getting-Started-with-Akka-http-signature.md
@@ -102,11 +102,11 @@ publ: scala.util.Try[java.security.PublicKey] = Success(
 ```
 The .readPublicKeyFrom() function returns a Try of Public/Private key depending on whether the String given can be parsed back to some valid key. If the operation is successful the value of the original key is assigned to the new value in BigInt format.
-The user can then save his keys on his local filesystem by using the following ammonite commands:
+The user can then save his keys on his local filesystem within a .keys directory which we will make use of later in the guide by using the following ammonite commands:
 ```scala
-write(wd/"publicKey.pem", RSAKeys.save(pub))
-write(wd/"privateKey.pem", RSAKeys.save(priv))
+write(wd/".keys"/"publicKey.pem", RSAKeys.save(pub))
+write(wd/".keys"/"privateKey.pem", RSAKeys.save(priv))
 ```
 This will save the contents of the key in String format within the file found by following the specified path in .pem files.
@@ -329,4 +329,19 @@ could not find actor for Actor[akka://rww/user/rootContainer/card]rww.ldp.LDPExc
 at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
 at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
 ```
+## Certificate Authority
+
+We have now shown how to use public and private keys to verify the identity of the user. But often we also want to let the user be able to confirm the identity of the server they are connecting to as well. This can be done through Certificate Authority. The user can view this on the rww-play server as it makes a CA for the locally hosted server.
+
+In order to test whether this functionality works, one first has to save rww-play's certificate locally by using the following command after the server has been run:
+
+```bash
+$ keytool -printcert -sslserver localhost:8443 -rfc > ~/.keys/localhost_8443.crt
+```
+In the real world there tends to be a constant communication between the server and its clients so one doesn't have to retrieve the Certificate manually but for the purpose of this guide we will get that certificate in bash and store it in a file.
+
+The above command will retrieve the certificate and store it in a .crt file within the .keys directory, located in the current home directory for the user's system. For more information on SSL, one can refer to the [Quick start to WS SSL guide](http://typesafehub.github.io/ssl-config/WSQuickStart.html#obtain-the-root-ca-certificate).
+
+After that, the user can run the getTest script from within ammonite in order to verify the identity of the local server.
+
 ***
From 5aca3c7e96555928cc0c1a6a84dd5f683cd5509b Mon Sep 17 00:00:00 2001
From: fstoqnov
Date: Fri, 4 Aug 2017 15:51:18 +0100
Subject: [PATCH 2/8] Update Getting-Started-with-Akka-http-signature.md
---
 Getting-Started-with-Akka-http-signature.md | 45 ++++++++++++++++++---
 1 file changed, 40 insertions(+), 5 deletions(-)
diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md
index 4fed45e..84c7e77 100644
--- a/Getting-Started-with-Akka-http-signature.md
+++ b/Getting-Started-with-Akka-http-signature.md
@@ -102,11 +102,13 @@ publ: scala.util.Try[java.security.PublicKey] = Success(
 ```
 The .readPublicKeyFrom() function returns a Try of Public/Private key depending on whether the String given can be parsed back to some valid key. If the operation is successful the value of the original key is assigned to the new value in BigInt format.
-The user can then save his keys on his local filesystem within a .keys directory which we will make use of later in the guide by using the following ammonite commands:
+One should then make a .keys directory in their home directory to store the keys in for later use. One can do this via the bash `mkdir` command or navigate to their home directory and make a folder there manually.
+
+The user can then save his keys within the .keys directory which we will make use of later in the guide by using the following ammonite commands:
 ```scala
-write(wd/".keys"/"publicKey.pem", RSAKeys.save(pub))
-write(wd/".keys"/"privateKey.pem", RSAKeys.save(priv))
+write([default home Directory]/".keys"/"publicKey.pem", RSAKeys.save(pub))
+write([default home Directory]/".keys"/"privateKey.pem", RSAKeys.save(priv))
 ```
 This will save the contents of the key in String format within the file found by following the specified path in .pem files.
@@ -329,7 +331,7 @@ could not find actor for Actor[akka://rww/user/rootContainer/card]rww.ldp.LDPExc
 at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)
 at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)
 ```
-## Certificate Authority
+## Adding a Certificate Authority to the trust store
 We have now shown how to use public and private keys to verify the identity of the user. But often we also want to let the user be able to confirm the identity of the server they are connecting to as well. This can be done through Certificate Authority. The user can view this on the rww-play server as it makes a CA for the locally hosted server.
@@ -342,6 +344,39 @@ In the real world there tends to be a constant communication between the server The above command will retrieve the certificate and store it in a .crt file within the .keys directory, located in the current home directory for the user's system. For more information on SSL, one can refer to the [Quick start to WS SSL guide](http://typesafehub.github.io/ssl-config/WSQuickStart.html#obtain-the-root-ca-certificate). -After that, the user can run the getTest script from within ammonite in order to verify the identity of the local server. +After that, the user can run the getTest script from within ammonite in order to verify the identity of the local server like so: + +```scala +@ import $exec.getTest +SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". +SLF4J: Defaulting to no-operation (NOP) logger implementation +SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. +[WARN] [08/04/2017 14:49:20.738] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_2.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.739] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.740] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_global_ebusiness_ca.pem: Certificate failed: cert = "CN=Equifax Secure Global eBusiness 
CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.748] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.749] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_2_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.750] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ebusiness_ca_1.pem: Certificate failed: cert = "CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.753] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_express_=class_c=_root.pem: Certificate failed: cert = "CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.753] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_-_g2.pem: Certificate 
failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.754] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_business_=class_b=_root.pem: Certificate failed: cert = "CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.754] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ca.pem: Certificate failed: cert = "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.755] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. 
- For authorized use only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.867] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_2.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.868] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.868] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_global_ebusiness_ca.pem: Certificate failed: cert = "CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.869] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.869] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_2_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign 
Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.870] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ebusiness_ca_1.pem: Certificate failed: cert = "CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.871] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_express_=class_c=_root.pem: Certificate failed: cert = "CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. 
- For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_business_=class_b=_root.pem: Certificate failed: cert = "CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ca.pem: Certificate failed: cert = "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +[WARN] [08/04/2017 14:49:20.873] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 + +import $exec.$ +``` + +Currently if the user runs the getTest script they may be presented with SSL Warnings. For more information on the matter one can look at the [Debugging SSL Connections Help page](https://typesafehub.github.io/ssl-config/DebuggingSSL.html). *** From db93d1621e20183673a3a967f577b6224ef729c1 Mon Sep 17 00:00:00 2001 
From: fstoqnov
Date: Fri, 4 Aug 2017 17:34:00 +0100
Subject: [PATCH 3/8] Update Getting-Started-with-Akka-http-signature.md
---
 Getting-Started-with-Akka-http-signature.md | 33 ++++----------------
 1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md
index 84c7e77..41fb886 100644
--- a/Getting-Started-with-Akka-http-signature.md
+++ b/Getting-Started-with-Akka-http-signature.md
@@ -107,8 +107,8 @@ One should then make a .keys directory in their home directory to store the keys
 The user can then save his keys within the .keys directory which we will make use of later in the guide by using the following ammonite commands:
 ```scala
-write([default home Directory]/".keys"/"publicKey.pem", RSAKeys.save(pub))
-write([default home Directory]/".keys"/"privateKey.pem", RSAKeys.save(priv))
+write(home/".keys"/"publicKey.pem", RSAKeys.save(pub))
+write(home/".keys"/"privateKey.pem", RSAKeys.save(priv))
 ```
 This will save the contents of the key in String format within the file found by following the specified path in .pem files.
@@ -347,36 +347,13 @@ The above command will retrieve the certificate and store it in a .crt file with After that, the user can run the getTest script from within ammonite in order to verify the identity of the local server like so: ```scala -@ import $exec.getTest -SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder". -SLF4J: Defaulting to no-operation (NOP) logger implementation -SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details. -[WARN] [08/04/2017 14:49:20.738] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_2.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.739] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.740] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_global_ebusiness_ca.pem: Certificate failed: cert = "CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.748] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 
2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.749] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_2_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.750] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ebusiness_ca_1.pem: Certificate failed: cert = "CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.753] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_express_=class_c=_root.pem: Certificate failed: cert = "CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.753] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. 
- For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.754] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_business_=class_b=_root.pem: Certificate failed: cert = "CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.754] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ca.pem: Certificate failed: cert = "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.755] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. 
- For authorized use only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.867] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_2.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.868] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.868] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_global_ebusiness_ca.pem: Certificate failed: cert = "CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.869] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority.pem: Certificate failed: cert = "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.869] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_2_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign 
Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.870] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ebusiness_ca_1.pem: Certificate failed: cert = "CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.871] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_express_=class_c=_root.pem: Certificate failed: cert = "CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_3_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. 
- For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:netlock_business_=class_b=_root.pem: Certificate failed: cert = "CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.872] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:equifax_secure_ca.pem: Certificate failed: cert = "OU=Equifax Secure Certificate Authority,O=Equifax,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 -[WARN] [08/04/2017 14:49:20.873] [main] [com.typesafe.sslconfig.ssl.ConfigSSLContextBuilder] validateStore: Skipping certificate with weak key size in debian:verisign_class_1_public_primary_certification_authority_-_g2.pem: Certificate failed: cert = "OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US" failed on constraint RSA keySize < 2048, algorithm = RSA, keySize = 1024 +@ import $exec.getTest import $exec.$ ``` Currently if the user runs the getTest script they may be presented with SSL Warnings. For more information on the matter one can look at the [Debugging SSL Connections Help page](https://typesafehub.github.io/ssl-config/DebuggingSSL.html). +This will add the CA of the localhost to the user's trust store and it will be recognised by the client that the user is running. + *** From 9dca8c09eac671ac5cd8cb2750a7551c378414ba Mon Sep 17 00:00:00 2001 
From: fstoqnov
Date: Mon, 7 Aug 2017 17:18:41 +0100
Subject: [PATCH 4/8] Update Getting-Started-with-Akka-http-signature.md
---
 Getting-Started-with-Akka-http-signature.md | 122 ++++++++------------
 1 file changed, 47 insertions(+), 75 deletions(-)
diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md
index 41fb886..0c83e0e 100644
--- a/Getting-Started-with-Akka-http-signature.md
+++ b/Getting-Started-with-Akka-http-signature.md
@@ -114,111 +114,77 @@ This will save the contents of the key in String format within the file found by
 ### Saving a public Key to RDF
-A user can also transform his public keys to an RDF. In order to do this one must first import multiple files in order to resolve the required dependencies.
+A user can also transform his public keys to an RDF. In order to do this one must first import multiple files in order to resolve the required dependencies:
 The org.w3 declarations required are:
 ```scala
-import org.w3.banana.binder
-import org.w3.banana.binder.RecordBinder
-implicit val binder = RecordBinder
-val cert = CertPrefix[Rdf]
-```
-Several java imports from java's security and math library are also required for this process:
+import $ivy.`run.cosy::solid-client:0.1-SNAPSHOT`
+import run.cosy.auth.RSAKeys
+import com.typesafe.sslconfig.akka._
+import akka.actor._
+import akka.http.scaladsl.model.Uri
+import com.typesafe.config.ConfigFactory
+import akka.event.Logging
+import akka.stream.{ActorMaterializer, ActorMaterializerSettings,Supervision,_}
+import akka.http.scaladsl.model.{Uri=>AkkaUri,_}
-```scala
-import java.math.BigInteger
-import java.security.KeyFactory
-import java.security.interfaces.RSAPublicKey
-import java.security.spec.RSAPublicKeySpec
-```
+import scala.concurrent.ExecutionContext
+
+import org.w3.banana.jena.Jena
-After that the binder and all it's functionalities can be imported:
+import Jena._
-```scala
-import org.w3.banana.binder._
-import recordBinder._
+import run.cosy.solid.client.Web._
+import java.security.interfaces.RSAPublicKey
 ```
-Finally, after that, the user can create the Cert object that contains the required dependencies to turn a Key into a Pointed Graph
+Finally, after that, the user can create a value for the public key String collected from the .pem file in located within the .keys directory.
```scala
-@ object Cert {
-
- implicit val rsaClassUri = classUrisFor[RSAPublicKey](cert.RSAPublicKey)
- val factory = KeyFactory.getInstance("RSA")
- val exponent = property[BigInteger](cert.exponent)
- val modulus = property[Array[Byte]](cert.modulus)
-
- implicit val binder: PGBinder[Rdf, RSAPublicKey] =
- pgb[RSAPublicKey](modulus, exponent)(
- (m, e) => factory.generatePublic(new RSAPublicKeySpec(new BigInteger(m), e)).asInstanceOf[RSAPublicKey],
- key => Some((key.getModulus.toByteArray, key.getPublicExponent))
- ) // withClasses rsaClassUri
-}
+@ val pubStr = read(home/".keys"/"pubKey.pem")
-defined object Cert
+pubStr: String = """MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZXI44b8Qh7oNXzGvmdGSan1cisdzOur
+WWWheSxvr9zHe5kyNh8UtVZeVjTsRr/SnwEwqm1KJRiu0CfnyjTZmhQZJitZDjg+sTdDx3pcxntC
+MfckgRfaG+MjODbL2VTNHzaDYHlex0VwITcPH7RjPxJZyYmAlVg+MWMfX2VOBPqdBRZxO0DyH6ka
+kENtgT0TJ9XNEVWH+gpezc66jgptz/wryzCaVobdF042TvQ5VoZC5gavUMgDuHS3TiT9LXBFT3Hg
+A18h0qaZDkwJe6mHD/aULVrZYxf9irGJQAS2aTQHO/zdRJazlMX7oWQrVRpCmcz/BLpgxz4x9IC0
+hHhTWQIDAQAB"""
-@ import Cert._
 ```
-After this all dependencies should be resolved and the user will be able to transform the keys into a Pointed Graph:
+After this all dependencies should be resolved and the user will be able to transform the keys into a Pointed Graph using the following function
 ```scala
-@ val keyPG = pub.toPG
+@ def pubKeyPG = {
+ import ops._
+ implicit val bind = run.cosy.crypto.Cert.binderWithName[Rdf](Uri("#key"))
+ pubKey.map(_.toPG)
+ }
-keyPG : PointedGraph[RDF] = org.w3.banana.PointedGraph$$anon$1@7f8fa63d
+defined function pubKeyPG
 ```
-One can then retrieve both the pointer and the graph:
+After that the user can simply call said function to get a pointed graph:
 ```scala
-@ val keyGraph = keyGraph.graph
+@ val keyGraph = pubKeyPG
-keyGraph : RDF#Graph = {5880.026289.0-02638.0-6288.0-06411.0-23110.021178.029228.0 http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer;
5880.026289.0-02638.0-6288.0-06411.0-23110.021178.029228.0 @http://www.w3.org/ns/auth/cert#modulus "00937adccd722bc982aed4847872b81e36b890bca13166714bc2befe4d8547b6218ecd2da1eb020198a4ea00e4db6757c7dda738ec8db8b3bf211d3a3a17e196a2035bc4c79d06d8a581487d9f49e86374712b10ef500dfa242a20cab52911e2636c9d99b21fe9768ef2381989a25dc8b0b7a46531249aac27c4b8ab451a19d5fbdfa5f78b0deac9778c7ff87cf6106ae4a6433466beb21df1265bf1fc9ab9cc80d7aff8cc4d0f67ae28647e4048da8df753493b8de6a8e0961416b4b37f7012907d2e756034b8a84c6e495c8f1d81f69843ae51379571d83b38e1c08a08c3748ef75ed7ecb016d0c8426b30c8c5060a08f87f6764b0ec14667cd6f0daa1244157"^^http://www.w3.org/2001/XMLSchema#hexBinary}
-
-@ val keyRDFPointer = keyGraph.pointer
-
-keyRDFPointer: RDF#Node = 5880.026289.0-02638.0-6288.0-06411.0-23110.021178.029228.0
-```
-As is evident, the pointer is an automatically generated Blank Node, which can be quite difficult to process. Because of this, it would be more optimal to change the pointer to not be a blank node but rather a #uri. The user can change the pointer by using the following function :
-
-```scala
-@ implicit class PGwrapper(val pg: PointedGraph[Rdf]) extends AnyVal {
- def rename(to: Rdf#Node)(implicit ops: RDFOps[Rdf]): PointedGraph[Rdf] = {
- val oldNode = pg.pointer
- PointedGraph[Rdf](
- to,
- ops.makeGraph(pg.graph.triples.map{ triple =>
- ops.fromTriple(triple) match {
- case (oldNode,rel,obj) => ops.makeTriple(to,rel,obj)
- case (subj,rel,oldNode) => ops.makeTriple(subj,rel,to)
- case _ => triple
- }
- })
- )
- }
-}
-
-defined class PGwrapper
+res44: Try[PointedGraph[Jena]] = Success(org.w3.banana.PointedGraph$$anon$1@5487b93e)
 ```
-
-After this, one can simply change the header by into something simple by calling this function like so:
+The function pubKeyPG returns a Try[PointedGraph[Jena]].
We can then retreive both the pointer and the graph from this PointedGraph like so:
 ```scala
-@ val finalKeyPG = keyPG.rename(URI("#key"))
+@ val keyFinalPointer= keyGraph.get.pointer
-finalKeyPG: PointedGraph[Rdf] = org.w3.banana.PointedGraph$$anon$1@4353a749
+keyFinalPointer: Jena#Node = #key
-@ finalKeyPGPointer = finalKeyPG.pointer
-finalKeyPGPointer : Rdf#Node = #key
+@ val keyFinalGraph = keyGraph.get.graph
-@ finalKeyPGGraph = finalKeyPG.graph
+keyFinalGraph: Jena#Graph = {#key @http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.w3.org/ns/auth/cert#RSAPublicKey; #key @http://www.w3.org/ns/auth/cert#modulus "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"^^http://www.w3.org/2001/XMLSchema#hexBinary; #key @http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer}
-finalKeyPGGraph: Rdf#Graph = {#key @http://www.w3.org/ns/auth/cert#modulus "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"^^http://www.w3.org/2001/XMLSchema#hexBinary; #key @http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer}
 ```
-
-As evident, the Blank node is now changed to something more readable and useful.
+As evident, the pointer of this graph is a useful identifier "#key" and the graph itself is the key information.
 The user can transform his key graph into a one of several well-known formats before publishing it on the server. One such format is turtle. In order to do that however, more external libraries are required:
@@ -231,7 +197,7 @@ import org.w3.banana.jena.Jena
 One can then represent the rdf of the key in turtle format:
 ```scala
-@ val toTurtle = turtleWriter.asString(finalKeyPGGraph ,"").get
+@ val toTurtle = turtleWriter.asString(keyFinalGraph ,"").get
 toTurtle: String = """<#key> 65537 ;
@@ -249,6 +215,12 @@ write(wd/"publicKey.ttl", toTurtle) ### Attaching Public keys to a File/URI +The most efficient way to attach a public key to a server is by using the rww-play library's httpMethods.sc script which makes use of the solid-server POST definition. That way the user can use the postLocal() and postLocalGood() functions to pubish his public key on a web and local server respectively. + +```scala +Code but errors not resolved +``` + One can use the `cp` or the `mv` Ammonite commands to move the public key file into the test_www directory which resides within the rww-play directory. The process of attaching the file, containing the key to a URI is very similar. ```scala From 7281e3a9c09cb13ae600fd591b866bbdeeb08a56 Mon Sep 17 00:00:00 2001 From: fstoqnov Date: Tue, 8 Aug 2017 11:24:30 +0100 Subject: [PATCH 5/8] Update Getting-Started-with-Akka-http-signature.md --- Getting-Started-with-Akka-http-signature.md | 28 +++++++++------------ 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md index 0c83e0e..40e6a68 100644 --- a/Getting-Started-with-Akka-http-signature.md +++ b/Getting-Started-with-Akka-http-signature.md 
@@ -15,7 +15,7 @@ The user can also run the rww-play web server and manipulate the access control ## The Key Pair -The Akka-Http-Signature library uses asymmetrical cryptography. As detailed in the [Public-Key cryptography wikipedia page](https://en.wikipedia.org/wiki/Public-key_cryptography), this is a cryptographic system that uses pairs of private and public keys. The library uses them to form Digital Signatures. In such a system public keys can be looked up by anyone and private keys are only known by their owner. Communication is achieved the following way : +The Akka-Http-Signature library uses what is known as asymmetrical cryptography. As detailed in the [Public-Key cryptography wikipedia page](https://en.wikipedia.org/wiki/Public-key_cryptography), this is a cryptographic system that uses pairs of private and public keys. The library uses them to form Digital Signatures. In such a system public keys can be looked up by anyone and private keys are only known by their owner. Communication is achieved the following way : 1. The sender sends a message with a header that is signed by his own private key 2. The server then receives the message and uses the sender's public key to verify that sender's identity @@ -114,7 +114,7 @@ This will save the contents of the key in String format within the file found by ### Saving a public Key to RDF -A user can also transform his public keys to an RDF. In order to do this one must first import multiple files in order to resolve the required dependencies: +One can also transform his public keys to a Pointed Graph. In order to do this one must first import multiple files in order to resolve the required dependencies: The org.w3 declarations required are: 
@@ -139,7 +139,7 @@ import run.cosy.solid.client.Web._ import java.security.interfaces.RSAPublicKey ``` -Finally, after that, the user can create a value for the public key String collected from the .pem file in located within the .keys directory. +Finally, after that, the user can [marshal (de-serialise)](http://doc.akka.io/docs/akka-http/10.0.9/scala/http/common/unmarshalling.html#unmarshalling) the public key String collected from the .pem file in located within the .keys directory. Different software can make use of this key at different times so it needs to be stored in a readily available form ```scala @ val pubStr = read(home/".keys"/"pubKey.pem") @@ -153,7 +153,7 @@ hHhTWQIDAQAB""" ``` -After this all dependencies should be resolved and the user will be able to transform the keys into a Pointed Graph using the following function +After this all dependencies should be resolved and the user will be able to transform the keys into a Pointed Graph using the following code - one can always add more specifics and attributed to make turn this into a function. ```scala @ def pubKeyPG = { 
@@ -171,20 +171,16 @@ After that the user can simply call said function to get a pointed graph: res44: Try[PointedGraph[Jena]] = Success(org.w3.banana.PointedGraph$$anon$1@5487b93e) ``` -The function pubKeyPG returns a Try[PointedGraph[Jena]]. We can then retreive both the pointer and the graph from this PointedGraph like so: +The function pubKeyPG returns a Try[PointedGraph[Jena]]. We can then retreive both the pointer and the graph from this PointedGraph and return them as a pair like so: ```scala -@ val keyFinalPointer= keyGraph.get.pointer - -keyFinalPointer: Jena#Node = #key - - -@ val keyFinalGraph = keyGraph.get.graph - -keyFinalGraph: Jena#Graph = {#key @http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.w3.org/ns/auth/cert#RSAPublicKey; #key @http://www.w3.org/ns/auth/cert#modulus "009195c8e386fc421ee8357cc6be674649a9f5722b1dccebab5965a1792c6fafdcc77b9932361f14b5565e5634ec46bfd29f0130aa6d4a2518aed027e7ca34d99a1419262b590e383eb13743c77a5cc67b4231f7248117da1be3233836cbd954cd1f368360795ec7457021370f1fb4633f1259c9898095583e31631f5f654e04fa9d0516713b40f21fa91a90436d813d1327d5cd115587fa0a5ecdceba8e0a6dcffc2bcb309a5686dd174e364ef439568642e606af50c803b874b74e24fd2d70454f71e0035f21d2a6990e4c097ba9870ff6942d5ad96317fd8ab1894004b66934073bfcdd4496b394c5fba1642b551a4299ccff04ba60c73e31f480b484785359"^^http://www.w3.org/2001/XMLSchema#hexBinary; #key @http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer} +@ val(keyFinalPointer, keyFinalGraph) = (keyGraph.get.pointer -> keyGraph.get.graph) +pointer: Jena#Node = #key +graph: Jena#Graph = {#key @http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.w3.org/ns/auth/cert#RSAPublicKey; #key @http://www.w3.org/ns/auth/cert#modulus "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"^^http://www.w3.org/2001/XMLSchema#hexBinary; #key @http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer} + ``` -As evident, the pointer of this graph is a 
useful identifier "#key" and the graph itself is the key information. +As evident, the pointer of this graph uses the relative URL "#key" as its identifier. This is useful as it allows the parties that have access to the public key easier access to that information. It is also convenient as, when dealing with the access control one can use this identifier to make sure the .acl agents are linked to this specific key file. The user can transform his key graph into a one of several well-known formats before publishing it on the server. One such format is turtle. In order to do that however, more external libraries are required: @@ -215,10 +211,10 @@ write(wd/"publicKey.ttl", toTurtle) ### Attaching Public keys to a File/URI -The most efficient way to attach a public key to a server is by using the rww-play library's httpMethods.sc script which makes use of the solid-server POST definition. That way the user can use the postLocal() and postLocalGood() functions to pubish his public key on a web and local server respectively. +The most efficient way to attach a public key to a server is by using the httpMethods.sc script which can be found in the [Read-write-web/Banana-wiki github repository](https://github.com/read-write-web/banana-wiki). This script makes use of the solid-server POST definition. That way the user can use the postLocal() and postLocalGood() functions to pubish his public key on a web and local server respectively. ```scala -Code but errors not resolved +()Code but errors not resolved ``` One can use the `cp` or the `mv` Ammonite commands to move the public key file into the test_www directory which resides within the rww-play directory. The process of attaching the file, containing the key to a URI is very similar. From 77326af9fb697230e8e3c930b5d1975657bd0aa3 Mon Sep 17 00:00:00 2001 
From: fstoqnov Date: Tue, 8 Aug 2017 15:51:08 +0100 Subject: [PATCH 6/8] Update Getting-Started-with-Akka-http-signature.md --- Getting-Started-with-Akka-http-signature.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md index 40e6a68..4d22f40 100644 --- a/Getting-Started-with-Akka-http-signature.md +++ b/Getting-Started-with-Akka-http-signature.md @@ -4,7 +4,7 @@ ## Introduction -The Akka-Http Signature library is used to enforse access control and security accross the web. It is an improvement on other well-known authentification methods such as the [Basic Access Authentification](https://www.wikiwand.com/en/Basic_access_authentication). Compared to it the Akka-http signature is easier to use as the public private key pair which the library uses are automatically generated and easily stored on a web server or a local file system. +The Akka-Http Signature library is used to enforce access control and security accross the web. It is an improvement on other well-known authentification methods such as the [Basic Access Authentification](https://www.wikiwand.com/en/Basic_access_authentication). Compared to it the Akka-http signature is easier to use as the public private key pair which the library uses are automatically generated and easily stored on a web server or a local file system. Unlike passwords used in normal Passowrd authentfication strategies - the public and private key pair is almost impossible to replicate -making the authentification legitimate and the connection completely secure. From a10d456d479fe6cb07a39a11e24f44b0d93853eb Mon Sep 17 00:00:00 2001 From: fstoqnov Date: Tue, 8 Aug 2017 17:14:09 +0100 Subject: [PATCH 7/8] Update Getting-Started-with-Akka-http-signature.md --- Getting-Started-with-Akka-http-signature.md | 23 +++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) 
diff --git a/Getting-Started-with-Akka-http-signature.md b/Getting-Started-with-Akka-http-signature.md index 4d22f40..b860bd7 100644 --- a/Getting-Started-with-Akka-http-signature.md +++ b/Getting-Started-with-Akka-http-signature.md @@ -17,7 +17,7 @@ The user can also run the rww-play web server and manipulate the access control The Akka-Http-Signature library uses what is known as asymmetrical cryptography. As detailed in the [Public-Key cryptography wikipedia page](https://en.wikipedia.org/wiki/Public-key_cryptography), this is a cryptographic system that uses pairs of private and public keys. The library uses them to form Digital Signatures. In such a system public keys can be looked up by anyone and private keys are only known by their owner. Communication is achieved the following way : 1. The sender sends a message with a header that is signed by his own private key -2. The server then receives the message and uses the sender's public key to verify that sender's identity +2. The server then receives the message and discovers the sender's public key using the KeyID arguments passed in that message. It then uses said key to verify that sender's identity Because the messages have headers that are signed by the sender's private key and can only be verified via that sender's public key, and that public key is known to the server, the sender's identity can always be verified using it. This ensures a secure connection as all senders' identities can be verified when receiving messages. 
@@ -180,7 +180,10 @@ pointer: Jena#Node = #key graph: Jena#Graph = {#key @http://www.w3.org/1999/02/22-rdf-syntax-ns#type http://www.w3.org/ns/auth/cert#RSAPublicKey; #key @http://www.w3.org/ns/auth/cert#modulus "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"^^http://www.w3.org/2001/XMLSchema#hexBinary; #key @http://www.w3.org/ns/auth/cert#exponent "65537"^^http://www.w3.org/2001/XMLSchema#integer} ``` -As evident, the pointer of this graph uses the relative URL "#key" as its identifier. This is useful as it allows the parties that have access to the public key easier access to that information. It is also convenient as, when dealing with the access control one can use this identifier to make sure the .acl agents are linked to this specific key file. + +As evident, the pointer of this graph uses the relative URL "#key" as its identifier. This is because of the binderWithName function which transforms the default blank node to a useful String of the user's choice. + +This is very useful as it allows the parties that have access to the public key easier access to that information. It is also convenient as, when dealing with the access control one can use this identifier to make sure the .acl agents are linked to this specific key file. The user can transform his key graph into a one of several well-known formats before publishing it on the server. One such format is turtle. In order to do that however, more external libraries are required: 
@@ -235,6 +238,22 @@ To create a symbolic link, one can make a symbolic link to their public key file $ ln -s pubKey.ttl pubKey ``` +There are also a number of ad hoc ways to do this and one simple standard way to publish it. +The ad hoc ways requires placing the public key on the server by either copying it over to the right location with ftp, sftp, scp, ... or of connecting to the remote server using telnet, or ssh and building the object there. In each case this requires knowing a lot in addition to the location (URL) one wants the document to be found at. It requires knowing: + - the type of server that is running + + - which files are metadata files, their conventions and usually their syntax + + - how to make sure content negotiation is working correctly to avoid tying semantic web URIs to representations + + - where the root of the file system is + + - what the password or access control system is on that server + + - and usually getting access to the server via ssh gives access to all the conentent there, rather than allowing access control rules to be set per resource. + +For an illustration and more information please view the [Im not sure which document you mean] and the [Setup for rww-play](https://github.com/read-write-web/rww-play/blob/dev/README.md). + ## Running the server In order to run a local server one must first locally clone the [Read-write-web play repository](https://github.com/read-write-web/rww-play). After that the user must navigate to their local Rww-play directory and run sbt there. For more information on how to run the server and the exact command used refer to the [Rww-play README page](https://github.com/read-write-web/rww-play). From d4e379787b1a680a69f9937e88fab04ffccd9eb0 Mon Sep 17 00:00:00 2001 
From: fstoqnov Date: Thu, 10 Aug 2017 16:31:13 +0100 Subject: [PATCH 8/8] Create httpMethods.sc Added functions that make use of the GETpg, DELETE, PUT and PATCHsparql functions from the solid-client library for a the local server. The patchLocal function takes as arguments the specific String identifier for the Sparql query which the user can choose when calling the function --- ammonite/httpMethods.sc | 160 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 ammonite/httpMethods.sc diff --git a/ammonite/httpMethods.sc b/ammonite/httpMethods.sc new file mode 100644 index 0000000..04657ee --- /dev/null +++ b/ammonite/httpMethods.sc 
@@ -0,0 +1,160 @@
+// make sure one of your scripts has already loaded this one somewhere
+// todo: is there a way we can make sure this is done?
+// import $exec.bblfishRepo
+
+import $ivy.`run.cosy::solid-client:0.1-SNAPSHOT`
+
+import run.cosy.auth.RSAKeys
+
+import com.typesafe.sslconfig.akka._
+import akka.actor._
+import akka.http.scaladsl.model.Uri
+import com.typesafe.config.ConfigFactory
+import akka.event.Logging
+import akka.stream.{ActorMaterializer, ActorMaterializerSettings,Supervision,_}
+import akka.http.scaladsl.model.{Uri=>AkkaUri,_}
+
+import scala.concurrent.ExecutionContext
+
+import org.w3.banana.jena.Jena
+import Jena._
+
+//you need to place your files in ~/.keys
+//see http://doc.akka.io/docs/akka/snapshot/scala/general/configuration.html
+//and https://github.com/typesafehub/config
+//and for the syntax see https://github.com/typesafehub/config/blob/master/HOCON.md
+
+val shortScriptConf = ConfigFactory.parseString("""
+ |akka {
+ |# loggers = ["akka.event.Logging$DefaultLogger"]
+ |# logging-filter = "akka.event.DefaultLoggingFilter"
+ |# loglevel = "ERROR"
+ |
+ |# see http://typesafehub.github.io/ssl-config/ExampleSSLConfig.html#id5
+ |# and http://typesafehub.github.io/ssl-config/WSQuickStart.html#connecting-to-a-remote-server-over-https
+ | ssl-config {
+ |# loose.acceptAnyCertificate = true # <- only uncomment when completely at a loss about tls connections
+ | trustManager = {
+ | stores = [
+ | # 1. stores for test servers whose certificates can be retrieved with
+ | # keytool -printcert -sslserver localhost:8443 -rfc > ~/.keys/localhost_8443.crt
+ | { type = "PEM", path = ${user.home}/.keys/localhost_8443.crt }
+ | # 2. the default trust store
+ | { path : ${java.home}/lib/security/cacerts } # Fallback to default JSSE trust store
+ | ]
+ | }
+ |
+ | # for more info see: https://typesafehub.github.io/ssl-config/DebuggingSSL.html
+ | debug.ssl = false
+ | }
+ |}
+ """.stripMargin)
+val regularConfig = ConfigFactory.load()
+val ammConfig = shortScriptConf.withFallback(regularConfig).resolve
+implicit val system = ActorSystem("akka_ammonite_script", ConfigFactory.load(ammConfig))
+
+val log = Logging(system.eventStream, "banana-rdf")
+implicit val materializer = ActorMaterializer(
+ ActorMaterializerSettings(system).withSupervisionStrategy(Supervision.resumingDecider))
+implicit val ec: ExecutionContext = system.dispatcher
+
+
+object Test {
+ import run.cosy.solid.client.Web._
+ import java.security.interfaces.RSAPublicKey
+ import run.cosy.auth.HttpSignature
+
+ //just to play with
+ lazy val bblfish = AkkaUri("http://bblfish.net/people/henry/card#me")
+ lazy val timbl = AkkaUri("https://www.w3.org/People/Berners-Lee/card#i")
+
+ lazy val privStr = read(home/".keys"/"privateKey.pem")
+ lazy val pubStr = read(home/".keys"/"pubKey.pem")
+ lazy val privKey = RSAKeys.readPrivateKeyFrom(privStr)
+ lazy val pubKey = RSAKeys.readPublicKeyFrom(pubStr).map(_.asInstanceOf[RSAPublicKey])
+
+ def pubKeyPG = {
+ import ops._
+ implicit val bind = run.cosy.crypto.Cert.binderWithName[Rdf](Uri("#key"))
+ pubKey.map(_.toPG)
+ }
+
+ lazy val localKey = run.cosy.auth.HttpSignature.Client(
+ Uri("https://localhost:8443/2013/key#"),privKey.get)
+
+ lazy val cosyKey = HttpSignature.Client(Uri("https://cosy.run:8443/2013/key#"),privKey.get)
+
+ lazy val http = new run.cosy.solid.client.HTTP()
+ lazy val web = new run.cosy.solid.client.Web[Rdf](http)
+
+ import run.cosy.solid.RdfMediaTypes._
+ import org.w3.banana.io.Turtle
+ import web._
+ def fetchLocal = http.run(GETrdf(Uri("https://localhost:8443/2013/card")),
+ keyChain = List(localKey))
+ def fetchCosy = http.run(GETrdf(Uri("https://cosy.run:8443/2013/card")),
+ keyChain = List(cosyKey))
+
+ def fetchLocalPg = {
+ import Jena._
+ web.GETpg(Uri("https://localhost:8443/2013/card"),List(localKey))
+ }
+
+ def postLocalWrongKey = http.run(
+ req = POST[`text/turtle`](
+ container = Uri("https://localhost:8443/2013/"),
+ graph = pubKeyPG.get.graph,
+ slug = Some("myKey")
+ ).get,
+ keyChain = List(cosyKey)
+ )
+ def postLocalGoodKey = http.run(
+ req = POST[`text/turtle`](
+ container = Uri("https://localhost:8443/2013/"),
+ graph = pubKeyPG.get.graph,
+ slug = Some("myKey")
+ ).get,
+ keyChain = List(localKey)
+ )
+
+ //it should be possible to see it first fail then succeed
+ def postLocalMultiKeys = http.run(
+ req = POST[`application/ld+json`](
+ container = Uri("https://localhost:8443/2013/"),
+ graph = pubKeyPG.get.graph,
+ slug = Some("myKey")
+ ).get,
+ keyChain = List(cosyKey,localKey)
+ )
+
+ //----------------------------------------------------------------------------------------------
+
+ def deleteLocalKey = http.run(
+ req = DELETE[`text/turtle`](
+ resource = Uri("https://localhost:8443/2013/")
+ )
+ )
+
+ def getLocalKey = http.run(
+ req = GETpg(
+ uri = Uri("https://localhost:8443/2013/"),
+ keyChain = List(localKey)
+ )
+ )
+
+ def putLocalKey = http.run(
+ req = PUT[`text/turtle`](
+ resource = Uri("https://localhost:8443/2013/"),
+ graph = pubKeyPG.get.graph
+ ).get,
+ keyChain = List(localKey)
+ )
+
+ def patchLocal(sparqlUpdateCommand: String) = http.run(
+ req = PATCHsparql[`text/turtle`](
+ resource = Uri("https://localhost:8443/2013/"),
+ sparqlUpdate = sparqlUpdateCommand
+ )
+ )
+
+}
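Review bot: deleteLocalKey, putLocalKey and patchLocal all pass `https://localhost:8443/2013/` as `resource`, which is the same URI the POST helpers use as `container`, so the DELETE removes (and the PUT overwrites) the whole `/2013/` container rather than the key resource their names suggest; deleteLocalKey and patchLocal also send no `keyChain`, unlike every other call in the object, so against a server that enforces its ACLs these two requests are unsigned and are refused before the signature is exercised at all. Since the URI the server assigns for `slug = Some("myKey")` is not known to the script, I would take the target as a parameter and sign the call, e.g. `def deleteLocalKey(key: Uri) = http.run(req = DELETE[`text/turtle`](resource = key), keyChain = List(localKey))`, and do the same for putLocalKey and patchLocal. getLocalKey hands `keyChain` to `GETpg(...)` instead of to `http.run`, which presumably conflates it with fetchLocalPg's `web.GETpg(uri, List(localKey))` — worth confirming it compiles and signs as intended. Separately, `privKey.get` and `pubKeyPG.get` inside the lazy vals rethrow the raw IO/parse exception on first use when `~/.keys/privateKey.pem` or `pubKey.pem` is absent; a `getOrElse(sys.error("..."))` naming the expected file, or a header comment stating the two files this object requires, would make the first-run failure intelligible.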