Using OpenSSL for Cardspace Demo on PHP

I believe some hardcore _WCS_ fanatics out there may have tried out Kim Cameron's IdentityBlog Cardspace demo on php. The tutorials can code samples can be found via his blog here. As of this time, I dont think he has updated it to work with the WinFX July CTP drop.

If you had played with those php samples, you will realize that nothing much has changed for the WinFX July CTP drop, we are still using the same version of _WS-Trust_ and _WS-Security_ specifications. While WS-Security has been pretty much baked, as the advanced WS-* specifications reach a better level of maturity and acceptance, it wont change as frequent anymore.

The only change to take note is the <object> element in the html page. The way claims are presented on a html page is now space-delimited and not comma-delimited as it was before.

<object type="application/x-informationcard" name="xmlToken" id="xmlToken">
<param name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" /><param name="issuer" value="http://schemas.microsoft.com/ws/2005/05/identity/issuer/self" /><param name="requiredClaims" value="http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/privatepersonalidentifier" /></object>

I have been showing the php demos in my presentations around the Asia-Pacific circuits for some time now. One of the questions I frequently get asked is how do we get the RSA private key of the https site (Relying party) we are using to authenticate our users. While Kim has shown some briefs snippets of his php code here (It is fairly obvious why the entire Private Key cannot be disclosed here),

// Cardspace_demoprocessing.php
// Put your own PEM private key here and
// use the right password (for the demo
// we don't use MySql to store this stufffunction get_settings($key)
{
    if ($key == "infocard_key") {

$retVal = "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9266952B733BFBE0

Z4WmpirV4dXvYjNmfSN99Iu4iYzUWa4/CPZG0NParYSVHMOhb4lsS6iISjgniGG9
zhA862KDwsYUjgoyAIXfJAd5Z3hXiyJYdkygF/DUgeQFcwQjsWmkguq27EDHW6nS
.
.
.
3GkQxPLzTMFZYm7haU3WH+QYnNxz2bG0esUmB/YECXDCqFTbrUm/DUPd4YiI2HiL
+j40vRpPzY6ngd1QNOfd5jkin7sjW1YlsEsRPV8OzEJvNmBZF274Cw==
-----END RSA PRIVATE KEY-----";

    }
    else if ($key == "infocard_opener"){
        $retVal = "xY8O<|aBB";
    }
    else {
        $retVal = NULL;
    }
    return($retVal);
}

he did not show how he got that RSA Key.

There are, of course, a few ways to get that key. But since we are on the subject of Open-source and php being the flavour of the day, I thought why not show the readers how to get it using another popular utility out there called "OpenSSL". I am using version 0.9.8b the OpenSSL binaries/executables.

Once that is all downloaded, installed and setup - I used this command to retreive the RSA Private Key into a PEM file:

Openssl pkcs12 -in Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx -out cert.pem -nodes

You will, of course, replace the "Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx" with your own site's SSL digital certificate. The -nodes flag just tells the output not to have a passphase lock on the resulting PEM file. Of course, you can if you want to if you are afraid of others being able to view your site's Private Key from the php code file. The output cert.pem will contain the output:

Bag Attributes
    1.3.6.1.4.1.311.17.2: <No Values>
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
    friendlyName: 1a9c651d1153bf0e58ac3ff34c9fce1f_615cbd1c-54d4-4ea0-b0d4-5c14115c3abb
Key Attributes
    X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDElLoxJcOzWT0jHT6uvdDHpDBnZLa4AE/gznjcKuSIT880MAmL
ADVIoDP/0MPDucexjWCtJ33msRCmi2TOQ86dPhyc/kfrmpTnjG+Kwi7tR5x07rAM
...
XLj+knD7VxrZvE/CBJP5PgjuvqfcbiSGf4R8dVB/nVm6tw==
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: Default Web Site
subject=/C=SG/ST=Singapore/L=Singapore/O=Softwaremaker.NET Pte Ltd/OU=Software Development and Architecture Research Unit/CN=swmvm2k3
issuer=/CN=Softwaremaker.NET Pte Ltd
-----BEGIN CERTIFICATE-----
MIIE1DCCA7ygAwIBAgIKYVFrDgABAAAACDANBgkqhkiG9w0BAQUFADAkMSIwIAYD
VQQDExlTb2Z0d2FyZW1ha2VyLk5FVCBQdGUgTHRkMB4XDTA2MDYzMDAyMjkyNFoX
...
Gl+c093/wY1RT9FhAyK0vpP/H9rFzyrCZbuyL69tWkTI1DGTuZHW5g==
-----END CERTIFICATE-----

Once you got the above output, you just have to replace the "-----BEGIN RSA PRIVATE KEY-----..." until the "-----END RSA PRIVATE KEY-----" with your own in the php code file (Cardspace_demoprocessing.php).

Hope this helps someone out there.

Published Wednesday, August 09, 2006 11:24 PM by Softwaremaker
Filed under: