Feature #2980 (closed)

SHA2 authentication

Added by L'Orphelin Cyril over 12 years ago. Updated over 10 years ago.

Status: Resolved
Priority: High
Assigned To: -
Category: -
Start date: 07/20/2012
% Done: 0%
Story points: -
Velocity based estimate: -

Description

- Integrate sha2 authentication

Dear all,

I am forwarding an email [(c) David Groep], originally written for
the SA2 verifiers to probe the middleware readiness for SHA2.
Please let me know if there are questions:

----------------- Original Message -----------------

The easiest is to get an instant certificate from CILogon, using their
(unaccredited) OpenID provider like Google:

https://cilogon.org/

and select "Google" from the list of IdPs. After signing in to Google and
typing in a password, you can download a pkcs#12 file with your new
certificate and private key (you have ~ 2min to do this). To get
the conventional usercert.pem and userkey.pem, use openssl:

openssl pkcs12 -in myfile.p12 -info -out usercert.pem -nokeys
openssl pkcs12 -in myfile.p12 -info -out userkey.pem -nocerts
chmod 0600 userkey.pem

and give your passphrase a few times. The new cert looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7052 (0x1b8c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=org, DC=cilogon, C=US, O=CILogon, CN=CILogon OpenID CA 1
        Validity
            Not Before: Jul 17 06:20:35 2012 GMT
            Not After : Aug 17 18:25:35 2013 GMT
        Subject: DC=org, DC=cilogon, C=US, O=Google, CN=John Doe A5833
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:da:81:1f:6a:ea:dd:c8:56:42:ed:3c:1d:0c:35:
                        ...
                    Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.34998.1.3.3

            X509v3 CRL Distribution Points:
                URI:http://crl.cilogon.org/cilogon-openid.crl
                URI:http://crl.doegrids.org/cilogon-openid.crl
            X509v3 Subject Alternative Name:
                email:
    Signature Algorithm: sha256WithRSAEncryption
        3d:82:77:aa:ed:9c:9a:6f:89:3e:41:6d:16:15:e9:1f:3e:2c:
        ....

and you can install the unaccredited OpenID CA just like the other IGTF
CAs, but from the experimental repository:

<https://dist.eugridpma.info/distribution/current/experimental/RPMS/ca_cilogon-openid-1.48-1.noarch.rpm>

and corresponding tar-balls and JKS'es

----------------- End of Original Message -----------------

Cheers
Peter
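The readiness probe the forwarded mail describes boils down to one question per certificate: is the outer signatureAlgorithm a SHA-2 family OID? As an added example (not part of the email, nor CILogon or EGI tooling), this standard-library Python script walks just enough of the DER structure to answer that for a usercert.pem, without depending on openssl's text output. The function names are my own, and the two toy certificates at the bottom are constructed test inputs (valid DER shape, no real signature).

```python
import base64
# Signature-algorithm OIDs from RFC 3279 / RFC 4055 (well-known constants, not from the page).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA2_ALGS = {v for v in SIG_OIDS.values() if v != "sha1WithRSAEncryption"}

def der_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (first octet packs two arcs, rest base-128)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem_text):
    """Strip the -----BEGIN/END CERTIFICATE----- armour of a usercert.pem and base64-decode it."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm in Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, cert, _ = der_tlv(cert_der)             # outer SEQUENCE
    _, _, after_tbs = der_tlv(cert)            # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, after_tbs)    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg_id)                # its first element is the OBJECT IDENTIFIER
    return decode_oid(oid)

def sha2_check(cert_der):
    """Return (algorithm name, True if it is a SHA-2 family signature) for a DER certificate."""
    name = SIG_OIDS.get(signature_algorithm(cert_der), "unknown")
    return name, name in SHA2_ALGS

# Constructed toy certificates: valid DER shape (serial 7052 as in the dump above, 1-byte dummy signature).
TOY_SHA256_CERT = bytes.fromhex("3019300402021b8c300d06092a864886f70d01010b05000302003d")
TOY_SHA1_CERT = bytes.fromhex("3019300402021b8c300d06092a864886f70d01010505000302003d")
```

Run `sha2_check(pem_to_der(open("usercert.pem").read()))` on a real CILogon certificate; a result of `("sha256WithRSAEncryption", True)` matches the dump in the email.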


Files

egi-sha2 (1).pptx (39.4 KB), L'Orphelin Cyril, 07/20/2012 09:23 AM