----
simpatica
- generate CA private key + self-signed certificate
- generate server private keys + certificates signed by the above CA certificate
- generate client private keys + certificates signed by the above CA certificate

The client and server certificates are generated after the user fills in a form that requires them to assign a password to protect the private key. The certificate + private key are encoded in PKCS12 format, downloadable to a browser or to be unpacked with openssl or similar tools after providing the above password. Remember that if you lose the password you cannot open the PKCS12. There is a recovery mechanism in simpatica, since the private keys are also encoded with a randomly generated secret that is encrypted with the CA private key. It also sends an email to the address associated with the client, informing them that a certificate is ready to download.
-----
Sample code
Just look at gluon/contrib/login_methods/x509_auth.py. Look at the docstring in the X509_Auth class and put that code in your model to configure authentication with x509. Use the @auth.requires_login() annotation as you would with any action requiring authentication. It is explained in:
http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control

mic

2012/7/25 Amit <amit.khaw...@gmail.com>:
> Sure Michele, let me go through the code. If I am not wrong, simpatica is to
> generate the certificate file for the client, and if you have any
> sample code to use x509 in the case of a web service then please do share it with me.
>
> Thanks,
> Amit
>
> On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>
>> Amit
>> If you need advice with simpatica don't worry to ask. I never had time to
>> write some documentation so you have to look at the code and/or ask...
>>
>> mic
>>
>> On Wednesday, 25 July 2012 05:14:52 UTC+2, Amit wrote:
>>>
>>> Thanks Michele and Derek, nice post. I am looking for exactly the same :)
>>>
>>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>
>>>> This is very similar to what TLS accomplishes with x509 certificates.
>>>> There is a slight difference: the server does not own a public key for each
>>>> client; it verifies that the client owns an x509 certificate signed by the
>>>> correct certification authority. So no need to store public keys. In any
>>>> case, AFAIK, in public/private key algorithms the private key always allows
>>>> generation of the corresponding public key, not the contrary of course.
>>>>
>>>> To accomplish what you need in the simplest way you have to:
>>>>
>>>> - create a certification authority with a self-signed certificate
>>>> - create a certificate for your webserver signed with the private key of
>>>>   the certification authority above.
>>>> - configure your webserver to require a client certificate (with rocket
>>>>   look at the --ca-cert option)
>>>> - In case you need to know some info about the connecting client as
>>>>   reported in its certificate, you can use x509_auth.py to use x509
>>>>   authentication and configure your REST action with @auth.requires_login().
>>>>   This will give you access to information contained in the certificate, such
>>>>   as the common name or serial id. To customize, you can extend the X509_Auth class.
>>>>
>>>> To generate test certificates fast you can use simpatica, as Derek
>>>> correctly suggests.
>>>>
>>>> mic
>>>>
>>>> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
>>>>>
>>>>> Hi,
>>>>> I have to provide public/private key authentication for accessing a web
>>>>> service (REST) from a client in my web2py application. How to achieve it?
>>>>>
>>>>> Scenario:
>>>>> 1. Each client will have a unique private key which will be sent to the
>>>>>    server along with the request.
>>>>> 2. The server has to authenticate the private key using the public key (unique for
>>>>>    each client) and then allow access to the web service method. For e.g.
>>>>>    suppose one client, say X, has requested the web service "add()", so the server
>>>>>    has to first validate the public key with the client's private key and if
>>>>>    validation is successful then allow access to the web service "add()".
>>>>>
>>>>> Challenges:
>>>>> Where to store the public key of each client? We can't store it in the db
>>>>> because the server can't access the db before validation of the web service method. So
>>>>> will it be stored somewhere on the PC (where the server is running)? If yes then how,
>>>>> and in which format?
>>>>>
>>>>> NOTE: Here the server will be completely written in web2py and the client is a
>>>>> separate application running on the hardware device.