
1 Common Authentication Library
Daniel Kouril, for the CaNL PT
EGI TF 2012, Prague
EMI is partially funded by the European Commission under Grant Agreement RI-261611

2 Motivation
A common security layer (PKI) is used, but there is no common code shared by the applications:
– Expensive maintenance
– No common profile for SSL and X.509
– Difficult to add new features
– Security audit of the code is quite hard
Adopting caNl decreases the cost of maintenance and further development.
EMI INFSO-RI-261611

3 Main Goals
Simple API to support authentication using X.509 and TLS/SSL
– Delegation, authorization and other security mechanisms are out of scope
Functionality to deal with Grid specifics
Cover popular languages
– Native APIs for C, C++ and Java
APIs easy to understand and use
– Some differences between the bindings remain (see API Differences)

4 Current Status
APIs designed and underwent detailed expert reviews
Implementations delivered as part of EMI-2
Main features provided by all three libraries:
– Credentials handling
– Trust store handling
– Name constraints checking
– CRL
– Proxy: verification, generation, proxy CSRs, utilities
– Partially unified error codes and messages

5 API Differences
Differences are mostly between Java and the non-Java bindings.
Truststores
– Java: several different types
– C and C++: only OpenSSL-style
Distinguished names handling
– Java: extensive support, RFC 2253 based
– C and C++: minimal handling; currently the OpenSSL one-line syntax is used
– C and C++ will add (configurable) support for RFC 2253, with the RFC format being the suggested one
No network I/O in Java (the library integrates with the standard Java API instead)
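The DN-syntax difference this slide describes, as an added example that is not caNl code: a converter from the OpenSSL one-line form the C and C++ bindings use today to the RFC 2253 form suggested for all bindings. The function names and the sample DNs are constructed for this example. Besides reversing the RDN order, the RFC 2253 escaping is what matters for security: a comma inside a CN must not be mistaken for an RDN separator when the string is later compared against an ACL or a grid-mapfile.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RDN 32

/* True if p (the text right after a '/') begins with "TYPE=". */
static int starts_rdn(const char *p)
{
    const char *q = p;
    while (isalnum((unsigned char)*q) || *q == '.' || *q == '-')
        q++;
    return q > p && *q == '=';
}

/* Append one byte, failing if only the NUL terminator would still fit. */
static int put(char *out, size_t outlen, size_t *pos, char c)
{
    if (*pos + 1 >= outlen)
        return -1;
    out[(*pos)++] = c;
    return 0;
}

/* Append "type=value" (len bytes), escaping the value per RFC 2253 s.2.4:
 * , + " \ < > ; anywhere, '#' or space at the start, space at the end. */
static int put_rdn(char *out, size_t outlen, size_t *pos,
                   const char *rdn, size_t len)
{
    const char *eq = memchr(rdn, '=', len);
    size_t i, vstart;

    if (eq == NULL)
        return -1;
    vstart = (size_t)(eq - rdn) + 1;
    for (i = 0; i < vstart; i++)            /* attribute type, verbatim */
        if (put(out, outlen, pos, rdn[i]))
            return -1;
    for (; i < len; i++) {                  /* attribute value, escaped */
        char c = rdn[i];
        int special = strchr(",+\"\\<>;", c) != NULL
                   || (i == vstart && (c == '#' || c == ' '))
                   || (i == len - 1 && c == ' ');
        if (special && put(out, outlen, pos, '\\'))
            return -1;
        if (put(out, outlen, pos, c))
            return -1;
    }
    return 0;
}

/* Convert an OpenSSL one-line DN ("/C=CZ/O=CESNET/CN=Daniel Kouril") to
 * RFC 2253 ("CN=Daniel Kouril,O=CESNET,C=CZ"). Returns 0 on success, -1 on
 * malformed input, too many RDNs or a too-small output buffer. */
int openssl_dn_to_rfc2253(const char *dn, char *out, size_t outlen)
{
    const char *start[MAX_RDN], *p;
    size_t len[MAX_RDN], pos = 0;
    int n = 0, i;

    if (dn == NULL || dn[0] != '/' || !starts_rdn(dn + 1) || outlen == 0)
        return -1;

    /* Split on '/' only where a new "TYPE=" follows: the OpenSSL one-line
     * format does not escape '/', so "/CN=a/b" keeps "a/b" as one value. */
    p = dn + 1;
    while (*p != '\0') {
        const char *q = p;
        if (n == MAX_RDN)
            return -1;
        while (*q != '\0' && !(*q == '/' && starts_rdn(q + 1)))
            q++;
        start[n] = p;
        len[n++] = (size_t)(q - p);
        p = (*q == '/') ? q + 1 : q;
    }

    /* RFC 2253 lists RDNs most-specific first: the reverse of OpenSSL order. */
    for (i = n - 1; i >= 0; i--) {
        if (put_rdn(out, outlen, &pos, start[i], len[i]))
            return -1;
        if (i > 0 && put(out, outlen, &pos, ','))
            return -1;
    }
    out[pos] = '\0';
    return 0;
}

/* Convert dn and compare with the expected RFC 2253 string (1 = match). */
int dn_converts_to(const char *dn, const char *expect)
{
    char buf[256];
    return openssl_dn_to_rfc2253(dn, buf, sizeof buf) == 0
        && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* constructed sample DNs, not taken from any real certificate */
    const char *samples[] = {
        "/C=CZ/O=CESNET/CN=Daniel Kouril",
        "/DC=org/DC=example/CN=user, role=admin/CN=proxy",
        "/O=grid/CN=a/b",
    };
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (openssl_dn_to_rfc2253(samples[i], buf, sizeof buf) == 0)
            printf("%s\n  -> %s\n", samples[i], buf);
        else
            printf("%s\n  -> rejected\n", samples[i]);
    }
    return 0;
}
```

Note the heuristic on '/': OpenSSL's one-line output does not escape a '/' inside a value, so the converter only splits where a new TYPE= follows. That ambiguity is one reason the RFC form is the suggested canonical representation; compare DNs in one format only, never by mixing strings produced by the two bindings.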

6 Integration with applications
API documentation available:
– Java: http://unicore-dev.zam.kfa-juelich.de/documentation/canl-1.0.1/manual.pdf
– C: http://egee.cesnet.cz/cvsweb/SEC/canl.pdf
– C++: comments included in the header files
Code samples provided:
– Connection establishment, delegation, proxy management
Developers will need to replace their existing security code with calls to caNl.

7 Example C: proxy creation
The fragment below uses the caller's parameters bits, lifetime, user_cert, user_key and output; every call is checked, because an unchecked failure here silently leaves no proxy (or a proxy with the wrong lifetime) on disk.

```c
#include <stdio.h>
#include <canl.h>
#include <canl_cred.h>

/* Abort on any caNl error, printing the library's own message. */
#define CHECK(call) do { \
        if ((ret = (call)) != 0) { \
            fprintf(stderr, #call ": %s\n", canl_get_error_message(ctx)); \
            goto end; \
        } } while (0)

canl_ctx ctx = NULL;
canl_cred proxy = NULL, signer = NULL;
canl_err_code ret;

ctx = canl_create_ctx();

/* First create a certificate request with a brand-new key pair */
CHECK(canl_cred_new(ctx, &proxy));
CHECK(canl_cred_new_req(ctx, proxy, bits));          /* key pair created implicitly */
CHECK(canl_cred_set_lifetime(ctx, proxy, lifetime));
CHECK(canl_cred_set_cert_type(ctx, proxy, CANL_RFC)); /* RFC 3820 proxy */

/* Load the signing credentials (the user's own certificate and key) */
CHECK(canl_cred_new(ctx, &signer));
CHECK(canl_cred_load_cert_file(ctx, signer, user_cert));
CHECK(canl_cred_load_priv_key_file(ctx, signer, user_key, NULL, NULL));

/* Create the proxy certificate and store it in a file */
CHECK(canl_cred_sign_proxy(ctx, signer, proxy));
CHECK(canl_cred_save_proxyfile(ctx, proxy, output));

end:
canl_cred_free(ctx, proxy);
canl_cred_free(ctx, signer);
canl_free_ctx(ctx);
```

8 Example C++: delegation, proxies

```cpp
// Requires the caNl++ headers declaring the AuthN namespace.
#include <ctime>
#include <string>

// EEC acquisition: a full client context locates the user's own certificate and key
AuthN::Context full_ctx(AuthN::Context::ClientFullContext);
AuthN::Credentials eec_cred(full_ctx);

// Proxy request with a freshly generated key pair
AuthN::Context empty_ctx(AuthN::Context::EmptyContext);
AuthN::ProxyCredentialsRequest proxyreq(empty_ctx);
proxyreq.MakeKeys(1024);   // key size as on the slide; 1024-bit RSA is below current minimums

AuthN::Credentials::Extension policy;
policy.value = "my test proxy policy";
proxyreq.SetPolicy(policy);
proxyreq.SetValidFrom(time(NULL));
proxyreq.SetValidTill(time(NULL) + 3600*12);   // 12 hours

// Proxy signing by the EEC; opensslcnf is defined elsewhere in the sample
AuthN::Credentials proxy(empty_ctx);
AuthN::Status st = eec_cred.Sign(proxyreq, proxy, opensslcnf);

// Extract the signed proxy, its private key and the chain as PEM strings
std::string cert, key, chain;
proxy.GetCertificate(cert);
proxy.GetPrivateKey(key);
proxy.GetChain(chain);
```

9 Example Java: Chain verification

```java
import java.security.cert.X509Certificate;
import java.util.List;

import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;

/*
 * Validates the toBeChecked chain using an OpenSSL-style truststore in
 * /etc/grid-security/certificates. Both kinds of namespaces (EUGridPMA
 * signing_policy and Globus namespaces files) are checked and enforced
 * where present. The truststore is re-read every minute (60000 ms).
 * The remaining settings are left at their defaults: CRLs are enforced
 * where present and proxy certificates are supported.
 */
X509Certificate[] toBeChecked = null;   // the chain to validate, e.g. as loaded by CertificateUtils
X509CertChainValidator vff = new OpensslCertChainValidator(
        "/etc/grid-security/certificates",
        NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS,
        60000);

ValidationResult result = vff.validate(toBeChecked);
if (result.isValid()) {
    // ... the chain is trusted
} else {
    List<ValidationError> errors = result.getErrors();
    // ... report each error; never fall through to the trusted path here
}
```

10 Thank you

