I am having difficulty understanding how to use <keygen>.
I could not find the demo for it, which is used for authentication. When I add the <keygen> tag to the form, it sends the public key.
What should be done after getting the public key?
Can someone please give me a sample application which uses <keygen> and does the authentication?
My explanation comes from this PHP/Apache example. It's a simplified explanation; look at the original example for full details.
The client generates a public key for the server and keeps a private key.
<form>
<keygen name="pubkey" challenge="randomchars">
<input type="submit" name="createcert" value="Generate">
</form>
The public key is extracted by the server:
$key = $_REQUEST['pubkey'];
The server builds a client certificate:
$command = "/usr/bin/openssl ca -config ".$opensslconf." -days ".$days." -notext -batch -spkac ".$certfolder.$uniq.".spkac -out ".$certfolder.$uniq." -passin pass:'".$capw."' 2>&1";
$output = shell_exec($command);
and send it back to the client.
You can then configure Apache to allow access to authenticated clients:
SSLEngine on
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/CA/certs-pub/domain.der
SSLCertificateKeyFile /etc/CA/certs-priv/domain.pem
SSLCACertificateFile /etc/CA/certs-pub/ca.pem
SSLCARevocationFile /etc/CA/crl/cacrl.pem
<Location /secure_area/>
SSLVerifyClient require
SSLVerifyDepth 1
</Location>
Mozilla has some working examples here:
https://developer.mozilla.org/en-US/docs/HTML/Element/keygen
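The whole exchange the answer walks through, as an added example that is not the answer's own PHP and not part of the original page. It drives the same openssl commands from Python: the browser half (`<keygen>`) is simulated with `openssl spkac`, and the server half uses `openssl ca -spkac` like the `shell_exec` line above, plus the two checks a practitioner wants before signing (the SPKAC's self-signature, i.e. proof of possession, and the challenge matching the one the form carried) and one after it (the issued certificate carries the submitted public key, which is the thing to check when Firefox refuses a certificate as not matching the key it generated, as in the question later on this page). The CA layout, the names `Demo Client CA`, `alice` and `randomchars`, and all file names are assumptions; it needs the `openssl` binary on PATH.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# openssl ca/req configuration for a throwaway CA (hypothetical layout).
CA_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
database        = {d}/index.txt
new_certs_dir   = {d}/newcerts
serial          = {d}/serial
certificate     = {d}/ca.pem
private_key     = {d}/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_client
x509_extensions = client_ext
[ policy_client ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
"""

def _openssl(*args, **kw):
    """Run an openssl subcommand; a non-zero exit raises with stderr attached."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, **kw)

def make_demo_ca(work: Path) -> None:
    """Create the CA whose key signs the client certificates."""
    (work / "newcerts").mkdir()
    (work / "index.txt").write_text("")
    (work / "serial").write_text("01\n")
    (work / "ca.cnf").write_text(CA_CNF.format(d=work))
    _openssl("req", "-config", str(work / "ca.cnf"), "-x509", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=Demo Client CA", "-keyout", str(work / "ca.key"), "-out", str(work / "ca.pem"))

def browser_keygen(work: Path, challenge: str) -> str:
    """Stand-in for <keygen name="pubkey" challenge=...>: keep a private key, return the SPKAC."""
    key = work / "browser.key"
    _openssl("genrsa", "-out", str(key), "2048")
    args = ["spkac", "-key", str(key), "-challenge", challenge]
    if "-digest" in subprocess.run(["openssl", "spkac", "-help"], capture_output=True, text=True).stderr:
        args += ["-digest", "sha256"]               # OpenSSL 3 would otherwise sign the SPKAC with MD5
    out = _openssl(*args, text=True).stdout
    return out.strip().split("SPKAC=", 1)[1]        # the base64 that lands in $_REQUEST['pubkey']

def issue_client_cert(work: Path, pubkey_b64: str, cn: str, expected_challenge: str) -> bytes:
    """Server side of the PHP answer: validate the SPKAC, sign it, return the DER certificate."""
    if not re.fullmatch(r"[A-Za-z0-9 ._-]+", cn):
        raise ValueError("CN could inject lines into the SPKAC file")
    spkac = work / "client.spkac"
    spkac.write_text(f"CN={cn}\nSPKAC={pubkey_b64}\n")   # the server, not the client, picks the DN
    # Proof of possession: the SPKAC must verify under the key it carries.
    if subprocess.run(["openssl", "spkac", "-in", str(spkac), "-noout", "-verify"],
                      capture_output=True).returncode != 0:
        raise ValueError("SPKAC signature does not verify")
    # Freshness: the embedded challenge must be the one this server put in the form.
    m = re.search(r"Challenge String: (.*)", _openssl("spkac", "-in", str(spkac), text=True).stdout)
    if m is None or m.group(1).strip() != expected_challenge:
        raise ValueError("challenge mismatch: stale or foreign SPKAC")
    der = work / "client.der"
    _openssl("ca", "-config", str(work / "ca.cnf"), "-batch", "-notext",
             "-spkac", str(spkac), "-out", str(der))       # with -spkac, -out is written as DER
    return der.read_bytes()

def verify_issued(work: Path, der: bytes) -> bool:
    """Cert chains to the CA and carries the SPKAC's public key (the check for Firefox's key-mismatch error)."""
    pem = work / "client.pem"
    _openssl("x509", "-inform", "DER", "-out", str(pem), input=der)
    chain_ok = subprocess.run(["openssl", "verify", "-CAfile", str(work / "ca.pem"), str(pem)],
                              capture_output=True).returncode == 0
    cert_pub = _openssl("x509", "-in", str(pem), "-noout", "-pubkey", text=True).stdout
    spkac_pub = _openssl("spkac", "-in", str(work / "client.spkac"), "-noout", "-pubkey", text=True).stdout
    return chain_ok and cert_pub == spkac_pub

def demo(tamper_challenge: bool = False) -> bool:
    """Whole exchange in a fresh directory; with tamper_challenge the browser answers the wrong challenge."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        make_demo_ca(work)
        issued = "randomchars"                             # challenge="randomchars" in the form
        answered = "something-else" if tamper_challenge else issued
        pubkey = browser_keygen(work, answered)
        try:
            der = issue_client_cert(work, pubkey, "alice", issued)
        except ValueError:
            return False                                   # refused, as it must be
        # A real handler now replies with Content-Type: application/x-x509-user-cert and `der`.
        return verify_issued(work, der)

if __name__ == "__main__":
    print("issued and verified:", demo(), "| stale challenge refused:", not demo(tamper_challenge=True))
```

A real handler returns the DER bytes with `Content-Type: application/x-x509-user-cert`; the form's `pubkey` value is only the base64 part, and the server, not the client, writes the `CN=` line in front of it before calling `openssl ca`.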
Because APIM sits behind an Application Gateway, it will only see traffic as coming from the app gateway, so I do not believe the simple ip-filter policy will work. App gateway does add the original source IP to the x-original-host header though.
I am new to APIM policy and do not know how to build logic into it. What I want to do is IF the x-forwarded for value IS in a private IP, allow...else, deny. I see that policy expressions are written in C#, which I know nothing about.
Was thinking something like this
<policies>
<inbound>
<base />
<check-header name="" x-original-host="" failed-check-error-message="" ignore-case="true">
<value>This is where I need to go through the list of private IP ranges</value>
</check-header>
</inbound>
[...]
</policies>
That could be completely wrong too. My intent is to create a rule that allows private IPs only and denies everything else. Here are the private IPs to allow:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
See this Filter on request IP Address when using an Application Gateway
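The decision the policy needs, as an added example that is not part of the question and not APIM policy code: it is ordinary Python so the cases can be run against constructed headers. It keys on X-Forwarded-For, which the question mentions, and assumes a single trusted proxy (the Application Gateway) that appends the caller's address to that header; the sample requests are constructed, not captured traffic.

```python
import ipaddress
from typing import Dict, Optional

# The three blocks listed in the question (RFC 1918).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def client_ip_from_xff(xff: str, trusted_hops: int = 1) -> Optional[str]:
    """Return the address the trusted proxy appended, or None.

    A proxy appends the TCP peer address to whatever X-Forwarded-For the
    client already sent, so entries on the left are client-controlled and
    only the last `trusted_hops` entries mean anything. With one Application
    Gateway in front (the assumption here) that is the rightmost entry.
    An IPv4 entry with a ':port' suffix is tolerated (some gateways add one).
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None
    addr = hops[-trusted_hops]
    if addr.count(":") == 1:          # IPv4 with port; IPv6 literals have more colons
        addr = addr.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:                # garbage in the header: treat as absent
        return None


def allow_private_source(headers: Dict[str, str]) -> bool:
    """The policy decision: allow only when the gateway-supplied client address
    is inside one of the private ranges; deny on a missing or malformed header."""
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    addr = client_ip_from_xff(xff)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


# Constructed requests (not real traffic) covering the cases that matter.
SAMPLES = {
    "private client":            {"X-Forwarded-For": "10.1.2.3"},
    "public client":             {"X-Forwarded-For": "203.0.113.9"},
    "public client, forged XFF": {"X-Forwarded-For": "10.1.2.3, 203.0.113.9"},
    "private, with port":        {"x-forwarded-for": "172.31.0.7:51234"},
    "just outside 172.16/12":    {"X-Forwarded-For": "172.32.0.1"},
    "no header":                 {},
}


def evaluate_samples() -> Dict[str, bool]:
    return {name: allow_private_source(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{'allow' if allowed else 'deny ':5}  {name}")
```

In a policy the same predicate goes into a `<choose>`/`<when condition="@(...)">` expression that reads the header with `context.Request.Headers.GetValueOrDefault("X-Forwarded-For", "")`, with a `<return-response>` in the deny branch. The point that carries over regardless of syntax: take the entry the gateway appended (the rightmost one), not the first, because a client can send its own X-Forwarded-For and the gateway appends to it rather than replacing it.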
https://www.mediawiki.org/wiki/MediaWiki_1.35 is out, and one of the advertised features seems to be the "built in"/"out of the box" VisualEditor that doesn't need an external server anymore.
So I downloaded and installed the version just released and clicked "VisualEditor" so that it would appear in my LocalSettings.php as:
wfLoadExtension( 'VisualEditor' );
But when trying to edit a page the error message:
Error contacting the Parsoid/RESTBase server: http-bad-status
With no further hint on what to do.
The information in https://www.mediawiki.org/wiki/Extension:VisualEditor is still intimidating for me - it doesn't look like an "out of the box" configuration at all. I did not find anything there about the dialog's message content.
Where do I find the official information on how to avoid this dialog?
I've managed to wake up VisualEditor on Apache / Ubuntu with MediaWiki 1.37 set to a private wiki.
This is what I've done:
$wgServer = "https://example.org";
Note the https in wgServer!
End of my LocalSettings.php:
if ( isset( $_SERVER['REMOTE_ADDR'] ) &&
in_array( $_SERVER['REMOTE_ADDR'], [ $_SERVER['SERVER_ADDR'], '127.0.0.1' ] ) ) {
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = true;
$wgGroupPermissions['*']['writeapi'] = true;
}
Making sure that $wgServer in LocalSettings.php has https and not http in the string solved it for me.
If you are using the HTTP-based authentication of your web server, you have to whitelist localhost so MediaWiki can reach itself.
For Apache you can do this with
Require local
at the same spot where you configured the authentication. You can find detailed configuration descriptions in the MediaWiki Wiki.
https://www.mediawiki.org/wiki/Topic:Vwkv6abtipmknci8
However, I would not recommend whitelisting based on the user agent. Attackers could circumvent the authentication just by changing their user agent string.
In my case I only run into this problem when I use a "nested" or structured wiki page.
It works for pages like
TestPage, VideoCut, BestPractices but not pages like
TestPage/Test1, TestPage/Hugo and so on.
When looking at the web server log it seems the rest.php URL is not built correctly.
In the good case the built rest.php URL is sent in the following POST request:
POST /wiki/rest.php/localhost/v3/transform/html/to/wikitext/TestPage/12 HTTP/1.1" 200 521 "-" "VisualEditor-MediaWiki/1.38.2"
In the bad case the request looks like:
POST /wiki/rest.php/localhost/v3/transform/html/to/wikitext/TestPage%2FTest1 HTTP/1.1" 404 981 "-" "VisualEditor-MediaWiki/1.38.2"
It ends up in a 404 instead of a successful 200. The problem seems to be the encoded %2F (/) inside the page path (TestPage/Test1 -> TestPage%2FTest1).
Hope somebody can get me past this point... because I've spent quite a lot of time on it and it's still not working.
Short story is that I want to use Azure Notification Hub for my Xamarin.Forms app.
It wants this info to work:
That's all good and I've got all of them under control, except the Token one.
Ok, so I follow the Microsoft docs on the subject:
https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-http2-token-authentification
I follow along and get things under control, I think, until I get to:
"Authentication token"
Here it says:
The authentication token can be downloaded after you generate a token for your application. For details on how to generate this token, refer to Apple's Developer documentation.
Like it's no big deal, and then it links to this page, which is supposed to help me. I read through it, clicked the links, etc.
I end up on this page: Establishing a Token-Based Connection to APNs
And then the craziness and confusion really kicks off for me, because it then says, like it's the most common thing in the world:
Encrypt the resulting JSON data using your authentication token signing key and the specified algorithm
It doesn't really explain much, other than link to the jwt.io tool.
Well, that would have been great if I could make the tool work...
On the surface it's pretty easy, as the docs explains what to put in where, so I do that:
So the "header" and the "payload" are filled in, and I assume they're correct - however, at the bottom I clearly need to put in some keys for this to be able to be decrypted correctly on the other end... the question is what do I put in here?
When I created my key in the Apple Developer portal, I of course downloaded the .p8 file, which I can see contains my PRIVATE key... but I have 2 problems.
Putting that into this jwt.io tool results in an "invalid signature" right away, and I have no idea what to put into the "PUBLIC KEY" part.
So, what am I doing wrong?
Thanks in advance, and I really hope somebody can help me, as I'm starting to go crazy over this "tiny" step in the development that has been taking WAY too long now.
At the bottom of jwt.io there are libraries you can use to encrypt the token on your server. For example, this php library: https://github.com/lcobucci/jwt/blob/3.3/README.md
About public key. I think it's the KeyID that is the public key that APNs uses to verify. You only need the private key to generate the token. It goes like this in this php sample:
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Ecdsa\Sha256;
use Lcobucci\JWT\Signer\Key;

$signer     = new Sha256();                              // ES256, the only algorithm APNs accepts
$privateKey = new Key('file:///path/to/AuthKey.p8');     // placeholder path to the downloaded .p8
$time       = time();

$token = (new Builder())->issuedBy('http://example.com') // Configures the issuer (iss claim)
->permittedFor('http://example.org') // Configures the audience (aud claim)
->identifiedBy('4f1g23a12aa', true) // Configures the id (jti claim), replicating as a header item
->issuedAt($time) // Configures the time that the token was issued (iat claim)
->canOnlyBeUsedAfter($time + 60) // Configures the time that the token can be used (nbf claim)
->expiresAt($time + 3600) // Configures the expiration time of the token (exp claim)
->withClaim('uid', 1) // Configures a new claim, called "uid"
->getToken($signer, $privateKey); // Retrieves the generated token
Just to whoever stumbles upon this question.
The token field in the Azure Notification Hubs Settings is the private key which you will find inside the .p8 file you downloaded from Apple Developer Account for Universal APN.
As for the JWT encryption, you need that when you are sending a request to Apple's APN server directly. You will need to send a Bearer token by encrypting the header and payload (specifications are on Apple's website). The encryption is done by crypto libraries, using algorithm ES256 (the only one supported for APN), and the signing key is the token we mentioned above, that is the private key in the .p8. This creates a JWT that you include in your Authorization header for the request to the APN server.
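The "encrypt the resulting JSON data using your authentication token signing key" step, as an added example that is not part of either answer: it builds and checks the APNs provider token with the openssl CLI driven from Python, with no JWT library. A locally generated P-256 key in PKCS#8 PEM stands in for the .p8 from the developer portal (same format); the Team ID, Key ID and file name are placeholders, and `openssl` must be on PATH. It also shows why jwt.io reports "invalid signature": the verifier needs the public key, which is derived from the .p8 (`openssl pkey -pubout`), and ES256 signatures must be the raw r||s form rather than the DER that openssl emits.

```python
import base64
import json
import subprocess
import tempfile
import time
from pathlib import Path


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _der_to_raw(der: bytes) -> bytes:
    """ECDSA-Sig-Value SEQUENCE { INTEGER r, INTEGER s } -> 64-byte r||s.
    JOSE ES256 carries r||s; openssl emits DER. Handing DER to a JWT verifier
    yields 'invalid signature' even with the right key."""
    assert der[0] == 0x30, "not a DER SEQUENCE"
    i, out = 2, b""                      # P-256 signatures use short-form lengths
    for _ in range(2):
        assert der[i] == 0x02, "expected INTEGER"
        n = der[i + 1]
        out += der[i + 2:i + 2 + n].lstrip(b"\x00").rjust(32, b"\x00")
        i += 2 + n
    return out


def _raw_to_der(raw: bytes) -> bytes:
    def integer(v: bytes) -> bytes:
        v = v.lstrip(b"\x00") or b"\x00"
        if v[0] & 0x80:
            v = b"\x00" + v              # keep the INTEGER positive
        return b"\x02" + bytes([len(v)]) + v
    body = integer(raw[:32]) + integer(raw[32:])
    return b"\x30" + bytes([len(body)]) + body


def _run(*args: str, **kw) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], check=True, capture_output=True, **kw)


def make_p8(work: Path) -> Path:
    """Stand-in for the AuthKey_<KeyID>.p8 from the developer portal: a P-256
    private key in PKCS#8 PEM ('BEGIN PRIVATE KEY'), generated locally."""
    ec, p8 = work / "ec.pem", work / "AuthKey_DEMO.p8"   # hypothetical names
    _run("ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", str(ec))
    _run("pkcs8", "-topk8", "-nocrypt", "-in", str(ec), "-out", str(p8))
    return p8


def public_key_pem(p8: Path) -> str:
    """What jwt.io's PUBLIC KEY box wants: derived from the .p8, not downloaded."""
    return _run("pkey", "-in", str(p8), "-pubout", text=True).stdout


def apns_token(p8: Path, team_id: str, key_id: str, iat: int) -> str:
    """Provider token for token-based APNs auth: ES256 JWT with kid = Key ID in
    the header, iss = Team ID and iat (seconds) in the payload."""
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header, payload = compact({"alg": "ES256", "kid": key_id}), compact({"iss": team_id, "iat": iat})
    signing_input = f"{header}.{payload}".encode()
    der = _run("dgst", "-sha256", "-sign", str(p8), input=signing_input).stdout
    return f"{header}.{payload}.{_b64url(_der_to_raw(der))}"


def verify_token(token: str, pub_pem: str, work: Path) -> bool:
    """Check the signature the way APNs (or jwt.io) does, with the public key."""
    head, body, sig = token.split(".")
    (work / "pub.pem").write_text(pub_pem)
    (work / "sig.der").write_bytes(_raw_to_der(_b64url_decode(sig)))
    r = subprocess.run(["openssl", "dgst", "-sha256", "-verify", str(work / "pub.pem"),
                        "-signature", str(work / "sig.der")],
                       input=f"{head}.{body}".encode(), capture_output=True)
    return r.returncode == 0


def demo() -> dict:
    """Mint a token with a locally generated key, verify it, and show that a
    modified payload is rejected. Team and key IDs are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        p8 = make_p8(work)
        pub = public_key_pem(p8)
        token = apns_token(p8, "TEAMID0000", "KEYID00000", int(time.time()))
        head, body, sig = token.split(".")
        forged = ".".join([head, _b64url(b'{"iss":"OTHER","iat":0}'), sig])
        return {"header": json.loads(_b64url_decode(head)),
                "verified": verify_token(token, pub, work),
                "forged_rejected": not verify_token(forged, pub, work)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the wire the token goes in the `authorization: bearer <token>` header of each HTTP/2 request to APNs; APNs rejects tokens whose `iat` is older than an hour, so regenerate it periodically rather than once per request.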
I've got some trouble with expiring client certificates on a project I'm working on, occurring in Firefox 21 and versions below.
The environment: there are client PCs, each of which has one single client certificate. Those client certificates were installed using the PKCS12 file format with an export password set. The clients are calling a site with domain 'a.somedomain.net'; every server request has 'b.somedomain.net' as target. The certificates are valid for '*.somedomain.net'. So far, so good, everything's fine.
Now they're expiring, so I wanted to have some update mechanism doing a quiet, no-user-action-required update of the certificates. I am checking the $_SERVER['SSL_CLIENT_V_REMAIN'] variable and performing an update if the number of remaining days is below a predefined value. That also works.
In case an update is required, I'm doing some http redirect to a script located at "b.somedomain.net". The form includes all DN data HTML5 browsers need for creating the public/private key pair and sending the public key to the form action url. That also works.
Now the server signs the certificate via OpenSSL/PHP and returns the certificate with the correct headers for recognition by the browser. But then FF tells me "This personal certificate can't be installed because you do not own the corresponding private key which was created when the certificate was requested."
The private key stays behind FFs doors, I only get the public key from FF, OpenSSL is fine with it and throws no errors. What am I doing wrong?
If there's more information needed, please comment.
Thanks in advance.
In the other question, Generating client side certificates in browser and signing on server, there is an answer with a link to crosskeygen.js and the HTML templates that show how it works.
For me this was a great help.
I want to get the remote IP of the machine accessing my website.
I am using Interchange Server (IC). IC Perl code is embedded into HTML.
In Perl I could find this solution:
use CGI;                                   # load the CGI module
print "Content-type: text/plain; charset=iso-8859-1\n\n";
my $q = CGI->new;                          # create a CGI object
print $q->remote_host();                   # print the client's host name (or its address)
# or read the values the web server sets directly:
print $ENV{REMOTE_HOST};
print $ENV{REMOTE_ADDR};
but the syntax of IC is different and I am new to it.
Please help.
Thanks
Rachel
A file linked from the documentation uses the CGI module and fetches the remote address using CGI's remote_addr function, so I presume that information is available to you.
Doing a reverse DNS lookup of the remote address can be expensive to do, so web servers don't always do this by default. remote_host would return nothing on those systems.