Feature #2980: SHA2 authentication - operations-portal-users - IN2P3-Forge

Actions

Copy link

Feature #2980

closed

SHA2 authentication

Added by L'Orphelin Cyril over 11 years ago. Updated almost 10 years ago.

Status:

Resolved

Priority:

High

Assigned To:

Category:

Target version:

SAND BOX

Start date:

07/20/2012

Due date:

% Done:

Estimated time:

Model:

Est. resolution:

Story points-Velocity based estimate-

Description

- Integrate sha2 authentication

Dear all,

I am forwarding an email [(c) David Groep], originally written for
the SA2 verifiers to probe the middleware readiness for SHA2.
Please, let me know if there are questions:

----------------- Original Message -----------------

The easiest is to get an instant certificate from CILogon, using their
(unaccredited) OpenID provider like Google:

https://cilogon.org/

and select "Google" from the list of IdPs. After signing in to Google and
typing in a password, you can download a pkcs#12 file with your new
certificate and private key (you have ~ 2min to do this). To get
the conventional usercert.pem and userkey.pem, use openssl:

openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
 openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
 chmod 0600 userkey.pem

and give your passphrase a few times The new cert looks like:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7052 (0x1b8c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=org, DC=cilogon, C=US, O=CILogon, CN=CILogon OpenID CA 1
Validity
Not Before: Jul 17 06:20:35 2012 GMT
Not After : Aug 17 18:25:35 2013 GMT
Subject: DC=org, DC=cilogon, C=US, O=Google, CN=John Doe A5833
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:da:81:1f:6a:ea:dd:c8:56:42:ed:3c:1d:0c:35:
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.34998.1.3.3

X509v3 CRL Distribution Points:
                URI:http://crl.cilogon.org/cilogon-openid.crl
                URI:http://crl.doegrids.org/cilogon-openid.crl

X509v3 Subject Alternative Name:
                email:johndoe@googlemail.com
    Signature Algorithm: sha256WithRSAEncryption
        3d:82:77:aa:ed:9c:9a:6f:89:3e:41:6d:16:15:e9:1f:3e:2c:
        ....

and you can install the unaccredited OpenID CA just like the other IGTF
CAs, but from the experimental repository:

&lt;https://dist.eugridpma.info/distribution/current/experimental/RPMS/ca_cilogon-openid-1.48-1.noarch.rpm&gt;

and corresponding tar-balls and JKS'es

----------------- End of Original Message -----------------

Cheers
Peter

Files

egi-sha2 (1).pptx (39.4 KB) egi-sha2 (1).pptx

L'Orphelin Cyril, 07/20/2012 09:23 AM

Actions

Copy link

Updated by L'Orphelin Cyril almost 10 years ago

Status changed from New to Resolved

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

operations-portal-users

Custom queries

Feature #2980

SHA2 authentication

Updated by L'Orphelin Cyril almost 10 years ago