Extended Validation Certificates Support JNDIRealm

Lucas S. Silva
Hi,

I am trying to implement a custom JNDIRealm that will do some
validations based on the Extended Validation Certificates, like the
OID. Is this supported by Tomcat? Or will I just get whatever the LDAP
server supports?
I could not find which method I would have to overwrite to get the
extended validation certificates:

https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/JNDIRealm.html

Regards,
Lucas

Re: Extended Validation Certificates Support JNDIRealm

Christopher Schultz-2

Lucas,

On 4/20/17 1:12 PM, Lucas S. Silva wrote:
> I am trying to implement a custom JNDIRealm that will do some
> validations based on the Extended Validation Certificates, like the
> OID. Is this supported by Tomcat?

The term "Extended Validation" has a special meaning when you are
talking about X.509 certificates. What do you mean, here,
specifically, when you say "Extended Validation Certificates"?

> Or will I just get whatever the LDAP server supports? I could not
> find which method I would have to overwrite to get the extended
> validation certificates:
> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/JNDIRealm.html

What, specifically, are you trying to accomplish?

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Extended Validation Certificates Support JNDIRealm

Lucas S. Silva
Hi Christopher,

Thanks for the reply.

My end goal is to check the certificate's OID. I did some research and I
found that in the RealmBase there is a method

authenticate(X509Certificate[] certs)

and in the X509Certificate there is

public abstract String getSigAlgOID()

https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.security.cert.X509Certificate[])

I suspect those should help me check the certificate Assurance Levels?

Thanks,
Lucas

Re: Extended Validation Certificates Support JNDIRealm

Christopher Schultz-2

Lucas,

(Bringing this back onto the list; apologies for inadvertently
replying off-list)

On 4/21/17 12:25 PM, Lucas S. Silva wrote:
> Hi Christopher,
>
> Thanks for the reply.
>
> Yes, the goal is to check the user certificate against some
> configurable OIDs.

If you want to check the user certificate for some OID other than the
usual subject DN, you want to use a custom username-retriever on your
realm:

http://tomcat.apache.org/tomcat-8.0-doc/config/realm.html

Search for "X509UsernameRetrieverClassName", then write a class that
implements that interface. You can return any String value you can
pull from the certificate. The OID is up to you. The authenticator
will use the username returned by that class's
getUsername(X509Certificate) method against whatever user data store
you have configured (e.g. DataSource/JNDI/etc.).

If you want to perform some other kind of authentication (like just
verifying that the user's certificate meets some kind of requirement,
like the validity period is less than 30 days or whatever), then you
only have a few options IMO:

1. Write your own authenticator (I'd recommend subclassing whichever
one you like already, and just add your own checks before/after
delegating authentication to the superclass).

2. Use a X509UsernameRetriever as above and throw an exception if the
certificate doesn't meet your requirements.

3. Write a Filter that takes the client's certificate from the request
attributes, checks it, and takes appropriate action (logout? throw an
exception? log an error?) if the cert doesn't meet your requirements.

Hope that helps.

- -chris

> On 21 April 2017 at 16:02, Christopher Schultz <[hidden email]> wrote:
>
> Lucas,
>
> On 4/21/17 2:55 AM, Lucas S. Silva wrote:
>> My end goal is to check the certificate's OID. I did some research
>> and I found that in the RealmBase there is a method
>>
>> authenticate(X509Certificate[] certs)
>>
>> and in the X509Certificate there is
>>
>> public abstract String getSigAlgOID()
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/RealmBase.html#authenticate(java.security.cert.X509Certificate[])
>>
>> I suspect those should help me check the certificate
>> Assurance Levels?
>
> Are you trying to authenticate a user using a specific OID (which
> one?) in the cert, or are you trying to determine if the
> certificate is an EV certificate specifically?
>
> -chris
>

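A worked version of option 2 from Chris's reply, added here as an example and not code from the thread or from Tomcat itself: a class implementing Tomcat's org.apache.catalina.realm.X509UsernameRetriever that accepts the client certificate only when its certificatePolicies extension (OID 2.5.29.32) carries one of a configured set of policy OIDs, and otherwise throws. Policy OIDs in that extension, not the value of getSigAlgOID() (which names the signature algorithm, e.g. sha256WithRSAEncryption), are where a CA signals an assurance level such as EV. The package name, the accepted OID list and the plain-JDK DER walk are assumptions of this example; the interface and the X509UsernameRetrieverClassName realm attribute are Tomcat's own.

```java
// Added example, not from the mailing-list thread or the Tomcat code base.
// Assumes Tomcat 8.0's org.apache.catalina.realm.X509UsernameRetriever
// interface; package name and accepted OID list are hypothetical.
package example.realm;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.catalina.realm.X509UsernameRetriever;

public class PolicyOidUsernameRetriever implements X509UsernameRetriever {

    // id-ce-certificatePolicies
    private static final String CERT_POLICIES_EXT = "2.5.29.32";

    // Constructed placeholder list; replace with the policy OIDs your CA
    // documents for the assurance levels you accept.
    private final Set<String> acceptedPolicyOids =
            new HashSet<>(Arrays.asList("1.3.6.1.4.1.99999.1.2"));

    @Override
    public String getUsername(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue(CERT_POLICIES_EXT);
        if (ext == null) {
            throw new IllegalArgumentException(
                    "client certificate has no certificatePolicies extension");
        }
        List<String> policies = parsePolicyOids(ext);
        for (String oid : policies) {
            if (acceptedPolicyOids.contains(oid)) {
                // Same value the default retriever hands to the realm's
                // user store: the subject DN.
                return cert.getSubjectX500Principal().getName();
            }
        }
        throw new IllegalArgumentException(
                "client certificate policies " + policies + " are not accepted");
    }

    /** Walks the DER of the extension value and returns every
     *  policyIdentifier as a dotted OID string. getExtensionValue()
     *  returns an OCTET STRING wrapping SEQUENCE OF PolicyInformation,
     *  where each PolicyInformation is SEQUENCE { OID, qualifiers OPTIONAL }. */
    static List<String> parsePolicyOids(byte[] b) {
        List<String> oids = new ArrayList<>();
        Der octet = Der.read(b, 0);
        if (octet.tag != 0x04) throw new IllegalArgumentException("expected OCTET STRING");
        Der seq = Der.read(b, octet.contentStart);
        if (seq.tag != 0x30) throw new IllegalArgumentException("expected SEQUENCE");
        int pos = seq.contentStart;
        int end = seq.contentStart + seq.length;
        while (pos < end) {
            Der info = Der.read(b, pos);                 // PolicyInformation
            Der oid = Der.read(b, info.contentStart);    // policyIdentifier
            if (oid.tag != 0x06) throw new IllegalArgumentException("expected OID");
            oids.add(decodeOid(b, oid.contentStart, oid.length));
            pos = info.contentStart + info.length;       // skip any qualifiers
        }
        return oids;
    }

    /** Minimal DER TLV header reader; definite lengths only, as DER requires. */
    static final class Der {
        final int tag, length, contentStart;
        Der(int tag, int length, int contentStart) {
            this.tag = tag; this.length = length; this.contentStart = contentStart;
        }
        static Der read(byte[] b, int off) {
            if (off + 2 > b.length) throw new IllegalArgumentException("truncated DER");
            int tag = b[off] & 0xFF;
            int first = b[off + 1] & 0xFF;
            int len, start;
            if (first < 0x80) {
                len = first; start = off + 2;
            } else {
                int n = first & 0x7F;          // number of length bytes
                if (n == 0 || n > 4 || off + 2 + n > b.length)
                    throw new IllegalArgumentException("bad DER length");
                len = 0;
                for (int i = 0; i < n; i++) len = (len << 8) | (b[off + 2 + i] & 0xFF);
                start = off + 2 + n;
            }
            if (start + len > b.length) throw new IllegalArgumentException("DER length past end");
            return new Der(tag, len, start);
        }
    }

    /** Decodes OID content bytes: base-128 arcs, first byte packs 40*a + b. */
    static String decodeOid(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder();
        long arc = 0;
        boolean first = true;
        for (int i = off; i < off + len; i++) {
            arc = (arc << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) == 0) {          // last byte of this arc
                if (first) {
                    if (arc >= 80) sb.append("2.").append(arc - 80);
                    else sb.append(arc / 40).append('.').append(arc % 40);
                    first = false;
                } else {
                    sb.append('.').append(arc);
                }
                arc = 0;
            }
        }
        return sb.toString();
    }
}
```

Wire it in with X509UsernameRetrieverClassName="example.realm.PolicyOidUsernameRetriever" on the Realm element and put the class on the realm's classpath. Because getUsername(X509Certificate) declares no checked exception, the rejection is an unchecked exception that propagates out of RealmBase.authenticate(X509Certificate[]); confirm in a test which HTTP status your authenticator turns that into, and log the rejected policy list so failed client-certificate logins are visible in the Tomcat logs rather than silently becoming generic errors.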
