Michele, I tried to use simpatica, but I am getting this error: `<type 'exceptions.ImportError'> DLL load failed: The operating system cannot run %1.` What I observed is that this error comes wherever an M2Crypto import statement is present:

File "D:/Softwares/Python2.7/web2py_src/web2py/applications/simpatica/controllers/ca.py" <http://127.0.0.1:8000/admin/default/edit/simpatica/controllers/ca.py>, line 27, in <module>
    from M2Crypto import X509, RSA, EVP
File "D:/Softwares/Python2.7/web2py_src/web2py/applications/simpatica/controllers/public.py" <http://127.0.0.1:8000/admin/default/edit/simpatica/controllers/public.py>, line 28, in <module>
    from M2Crypto import X509, ASN1, Rand, EVP, RSA

So I am not able to execute it :(. I have installed M2Crypto-0.21.1-py2.7.egg-info for Windows. I couldn't identify what the exact problem is, so can you please help me to resolve it?

Thanks,
Amit

On Thu, Jul 26, 2012 at 10:50 AM, Amit <amit.khaw...@gmail.com> wrote:
> Thanks Michele, I am going to generate keys using simpatica, I will let you know if I face any problem.
>
> Thanks,
> Amit
>
> On Wed, Jul 25, 2012 at 7:01 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>> Michele,
>>>
>>> I have gone through the X509_Auth class and its methods:
>>>
>>> login_form
>>> login_url
>>> get_user
>>>
>>> But I am not able to visualize how to use this class in my model/controller. I just write below what I understood; please confirm whether I understood correctly or not.
>>>
>>> My requirement is: I have one web service method add() in controller default.py, and I just want to enable x509 authentication. So for that purpose I will use simpatica to generate keys and certificates, then in model class db.py I will use the code below:
>>>
>>> """
>>> Login using x509 cert from client.
>>>
>>> from gluon.contrib.login_methods.x509_auth import X509Account
>>> auth.settings.actions_disabled=['register','change_password',
>>>                                 'request_reset_password','profile']
>>> auth.settings.login_form = X509Account()
>>> """
>>>
>>> and then in the add method I will put the @auth.requires_login() annotation.
>>>
>>> My doubt:
>>> 1. how to configure certificate with Rocket and apache server?
>>> 2. how to make call of web service method with private keys from the client?
>>> 3. I didn't find X509Account class; instead of that I found X509Auth class, so is it the same? If yes then I need to create
>>
>> 1 rocket:
>> python web2py.py --ssl_certificate=<server pem encoded cert file> --ssl_private_key=<server pem encoded key file> --ca-cert=<CA certificate pem encoded file>
>> apache see mod_ssl config: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>>
>> You can use a single file pem encoded containing: server cert, server key, CA cert. Pass it to all the options.
>>
>> 2 What is the client? With curl:
>> curl --cert <client pem encoded cert + key file> ...
>>
>> With python: you can use pycurl or httplib (http://docs.python.org/library/httplib.html), see their docs.
>>
>> 3 You did the right thing using X509_Auth. The error in the comment is corrected in trunk. The interesting part that you may want to override in a child class is the get_user() method. Look how certificate properties are mapped to the auth.user record (the profile variable that). You may override those to fit your needs.
>>
>> mic
>>
>>> auth.settings.login_form = X509Auth() instance ?
>>>
>>> Thanks,
>>> Amit
>>>
>>> On Wed, Jul 25, 2012 at 2:28 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>> ----
>>>> simpatica
>>>>
>>>> - generate ca priv key + self signed certificate
>>>> - generate server priv keys + certificates signed by the above ca certificate
>>>> - generate client priv keys + certificates signed by the above ca certificate
>>>>
>>>> The client and server certificates are generated after compilation of a form that requires the user to assign a password to protect the private key. The certificate + private keys are encoded in pkcs12 format, downloadable to a browser or to be unpacked with openssl or similar tools after providing the above password. Remember that if you lose the password you cannot open the pkcs12. There is a recovery mechanism in simpatica since the private keys are also encoded with a randomly generated secret that is crypted with the ca private key. It also sends emails to the email associated with the client informing that a certificate is ready to download.
>>>>
>>>> -----
>>>> Sample code
>>>>
>>>> Just look at gluon/contrib/login_methods/x509_auth.py. Look at the docstring in the X509_Auth class and put that code in your model to configure authentication with x509.
>>>>
>>>> Use the @auth.requires_login() annotation as you would with any action requiring authentication. It is explained in:
>>>> http://web2py.com/books/default/chapter/29/10?search=rest#Access-Control
>>>>
>>>> mic
>>>>
>>>> 2012/7/25 Amit <amit.khaw...@gmail.com>:
>>>>> sure Michele, let me go through the code. If I am not wrong simpatica is to generate the certificate file for the client, and if you are having any sample code to use x509 in case of web service then please do share with me.
>>>>>
>>>>> Thanks,
>>>>> Amit
>>>>>
>>>>> On Wed, Jul 25, 2012 at 12:34 PM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>> Amit
>>>>>> If you need advice with simpatica don't worry to ask. I never had time to write some documentation so you have to look at the code and/or ask...
>>>>>>
>>>>>> mic
>>>>>>
>>>>>> On Wednesday, July 25, 2012 05:14:52 UTC+2, Amit wrote:
>>>>>>> Thanks Michele and Derek.. nice post, I am looking for exactly the same :)
>>>>>>>
>>>>>>> On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <michele.comit...@gmail.com> wrote:
>>>>>>>> This is very similar to what TLS accomplishes with x509 certificates. There is a slight difference: the server does not own a public key for each client; it verifies that the client owns an x509 certificate signed by the correct certification authority. So no need to store public keys. In any case AFAIK in public/private key algorithms the private key always allows generation of the corresponding public key, not the contrary of course.
>>>>>>>>
>>>>>>>> To accomplish what you need in the simplest way you have to:
>>>>>>>>
>>>>>>>> - create a certification authority with self signed certificate
>>>>>>>> - create a certificate for your webserver signed with the private key of the certification authority above.
>>>>>>>> - configure your webserver to require a client certificate (with rocket look at the --ca-cert option)
>>>>>>>> - In case you need to know some info about the connecting client as reported in its certificate you can use x509_auth.py to use x509 authentication and configure your REST action with @auth.requires_login(). This will give you access to information contained in the certificate such as common name or serial id. To customize you can extend the X509_Auth class.
>>>>>>>>
>>>>>>>> To generate test certificates fast you can use simpatica as Derek correctly suggests.
>>>>>>>>
>>>>>>>> mic
>>>>>>>>
>>>>>>>> On Tuesday, July 24, 2012 10:33:48 UTC+2, Amit wrote:
>>>>>>>>> Hi,
>>>>>>>>> I have to provide public/private key authentication for accessing a web service (REST) from a client in my web2py application. How to achieve it?
>>>>>>>>>
>>>>>>>>> Scenario:
>>>>>>>>> 1. Each client will have a unique private key which will be sent to the server along with the request.
>>>>>>>>> 2. The server has to authenticate the private key using the public key (unique for each client) and then allow access to the web service method. E.g. suppose one client, say X, has requested the web service "add()", so the server has to first validate the public key with the client's private key and, if validation is successful, then allow access to the web service "add()".
>>>>>>>>>
>>>>>>>>> Challenges:
>>>>>>>>> where to store the public key of each client? We can't store it in the db because the server can't access the db before validation of the web service method. So will it be stored somewhere on the PC (where the server is running)? If yes then how and in which format?
>>>>>>>>>
>>>>>>>>> NOTE: Here the server will be completely written in web2py and the client is a separate application running on the hardware device.
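Michele's advice above is to override get_user() so that certificate properties are mapped onto the auth.user record. The following is an added illustration of that mapping, written for this thread and not taken from web2py's x509_auth.py; it assumes the TLS-terminating server exports the client certificate the way Apache mod_ssl does (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL), and the sample environment and CA name are constructed.

```python
# Added example (not web2py's x509_auth.py): turn the client-certificate
# fields a TLS-terminating web server exports into a user record, the way
# an X509_Auth.get_user() override would. Variable names follow Apache
# mod_ssl; whether Rocket exports the same names is an assumption here.
import re

# Constructed sample of what mod_ssl puts into the request environment.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=IT/O=Example Org/OU=devices/CN=device-0042"
                       "/emailAddress=amit@example.invalid",
    "SSL_CLIENT_I_DN": "/C=IT/O=Example Org/CN=Example CA",
    "SSL_CLIENT_M_SERIAL": "0A1B2C",
}


def parse_dn(dn):
    """Split an OpenSSL one-line DN (/C=IT/O=.../CN=...) into a dict.
    A backslash-escaped slash is a literal slash inside a value."""
    fields = {}
    for part in re.split(r"(?<!\\)/", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value.replace("\\/", "/")
    return fields


def get_user(env, expected_issuer_cn):
    """Return an auth.user-style dict, or None to refuse the login.
    The subject DN alone proves nothing: trust it only when the server
    reports the chain as verified AND the issuer is the CA this service
    expects (the --ca-cert file may hold more than one CA)."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    issuer = parse_dn(env.get("SSL_CLIENT_I_DN", ""))
    if issuer.get("CN") != expected_issuer_cn:
        return None
    subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    cn = subject.get("CN")
    if not cn:
        return None
    return {
        "username": cn,
        "email": subject.get("emailAddress", ""),
        "organization": subject.get("O", ""),
        # issuer + serial is the unique handle for this certificate;
        # the CN alone may be reused across reissued certificates.
        "registration_id": "%s:%s" % (issuer.get("CN"),
                                      env.get("SSL_CLIENT_M_SERIAL", "")),
    }
```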