jdev - 2020-03-29

  1. lovetox

    how does auth with client cert work?

  2. lovetox

    is there a rfc or xep on that?

  3. Link Mauve

    XEP-0257 might tell you about it.

  4. Link Mauve

    Maybe more XEP-0178.

  5. lovetox


  6. lovetox

    ok i want to test that on my server, what would i use to create a CA cert on the server then sign a user cert with it?

  7. lovetox

    i guess i can do this with openssl

  8. pep.

    Creating a CA cert yes for sure. Have a look into easy-something, what was it again, I think it comes packaged with openvpn

  9. pep.

    Helpers to create self-signed CA etc.

  10. pep.


  11. pep.

    https://github.com/OpenVPN/easy-rsa. Or ride the openssl like a warrior

  12. adrien

    Hello, I'm spending some time on a little xmpp client project to do my own pubsub explorer. Actually, I'm able to connect to my server and I'm working with libxml2++. libxml2++ is a bit hard to use, because almost every object of this libxml2 wrapper isn't copyable. So, I'm looking for another XML parser and I've found that some people use directly XML Schema to automatically parse and create c++ objects (see https://codesynthesis.com/products/xsd/). Do you think that's a good option to work directly with rfc/xep provided xsd files?

  13. Syndace

    Hi adrien, sorry to disappoint you but the XSD's are not always accurate and are not normative either. You will most probably run into issues when using them.

  14. Syndace

    Also, do you write the pubsub explorer for fun or because you need it for something else?

  15. Link Mauve

    adrien, in xmpp-parsers (https://crates.io/crates/xmpp-parsers) I’ve been trying to automatically create parsers and serialisers for all relevant XMPP stanzas and payloads.

  16. Link Mauve

    I couldn’t use schemas because they aren’t strict enough for Rust in their types.

  17. mathieui

    lovetox, Link Mauve told me you were trying to set up a CA and stuff for SASL EXTERNAL; I have never done it for poezio because the supported use case was only use with custom certs through XEP-0257

  18. mathieui

    if you really need it I could find general documentation as I have to fiddle with CAs and X.509 certs at work too

  19. lovetox

    mathieui, that would be great, otherwise i dont know how long i have to spend to get this right, never created a cert

  20. lovetox

    Gajim supports that forever

  21. lovetox

    i just need to test it now to see if it even works

  22. adrien

    @Syndace that's for fun to try to write application with modern c++

  23. adrien

    Thanks for the advice about the xsd, so I won't try to use them directly

  24. mathieui

    lovetox, I think I have this https://gist.github.com/mtigas/952344 that should cover most of what you want

  25. mathieui

    (for XEP-0257 setups you only need to generate a self-signed cert, that’s easier, but if you have the server setup with a CA and everything, that page should cover most of it)

  26. Link Mauve

    adrien, maybe have a look at Swiften, it also has such XMPP parsers and is written in modern C++.

  27. lovetox

    thanks mathieui

  28. lovetox

    just to be correct, gajim does not support 257, the cert management stuff

  29. lovetox

    i just want to connect using a client cert

  30. pep.

    lovetox, have you looked into easy-rsa?

  31. mathieui

    ok, then either you need the server setup, or you use another client supporting 0257 to set your cert, then use gajim to connect

  32. lovetox

    ok maybe i misunderstand something, i thought i can just add a cert to the trust store on the server

  33. lovetox

    and if some client auths with a cert that was signed by that cert

  34. lovetox

    the server says: ok

  35. lovetox

    so i thought i create a self signed cert, add it to the server

  36. lovetox

    then sign another cert, and give it to the user

  37. lovetox

    is that not how it works?

  38. mathieui

    lovetox, on prosody I guess you can just use https://modules.prosody.im/mod_auth_ccert.html and add your CA to the server, then connect using a client signed with it, I don’t know how much of https://xmpp.org/extensions/xep-0178.html is implemented in there

  39. mathieui

    For 0257 auth there is https://modules.prosody.im/mod_client_certs.html

  40. lovetox

    yes exactly thats what im planning to do

  41. lovetox

    but does your doc also cover that?

  42. lovetox

    so i need to create a CA cert, then sign one other cert

  43. lovetox

    is a CA cert in any way special? or is it just a cert that signed another cert

  44. Zash

    A CA cert is a self-signed cert.

  45. pep.

    Zash, "it depends"? Somewhere on top of the chain there is a self-signed cert :p

  46. Zash


  47. Zash

    I guess you could call the intermediate certs CA certs too

  48. pep.

    Yes and they wouldn't be self-signed :-°

  49. Zash

    There's a CA:TRUE flag in the cert data structure on the root certs

  50. mathieui

    lovetox, yes, it is a self-signed cert

  51. mathieui

    FYI for XMPP you might need to use a .cnf similar to the one in https://modules.prosody.im/mod_client_certs.html to generate the CSR

  52. Zash

    Does the client cert get sent encrypted yet?

  53. defanor

    GnuTLS's certtool is handy for that too: `certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem` and answering a few questions to generate a CA certificate, then `certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem` to generate a client certificate signed with it, if you're okay with setting `certificate_match = "email"` for

  54. defanor

    Prosody's ccert.

  55. lovetox

    but it says --load-privkey ca-key.pem

  56. lovetox

    so i need first to generate that or?

  57. Zash

    mod_auth_ccert works with CA-issued client certificates, not self-signed, so yes, you need a CA

  58. Zash

    also no password auth at all iirc

  59. pep.

    ca-key.pem is probably easily generated with `openssl genrsa -out ca-key.pem 2048` (or 4096)

  60. pep.

    Or other key types

  61. defanor

    Indeed, or `certtool --generate-privkey --outfile ca-key.pem`

  62. defanor

    (Likewise with key.pem.)

  63. lovetox

    ok, i went with mathieui link and seems to work fine thanks for all the suggestions

  64. lovetox

    ok last thing can somebody help with that

  65. lovetox

    it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"

  66. lovetox

    so i need to add this to the openssl req?

  67. lovetox

    but how exactly, sounds lot more complicated than it probably is

  68. Zash

    lovetox: https://modules.prosody.im/mod_client_certs.html#generating-your-certificate

  69. Zash

    That has example conf

  70. Zash

    Just gotta figure out how to do that in a CA scenario instead of self-signed

  71. lovetox


  72. lovetox

    hm interesting, so the server should bind the jid thats in the cert

  73. lovetox

    so if the client selects another cert he has suddenly a different jid in the client

  74. lovetox

    seems troublesome

  75. Zash

    lovetox: If you're using CA-issued certs then the CA would be responsible for checking that the certificate identity matches.

  76. lovetox

    matches an account on the server

  77. lovetox

    i think from a client point of view

  78. Zash

    Doesn't strictly have to be the JID in the cert, as long as the server can match it with a local account.

  79. lovetox

    and what this means for the UI if the user can just change the jid with selecting another cert

  80. Zash

    Assuming here the CA issues them multiple certs

  81. Zash

    Having multiple accounts would mean multiple certs. No different from having multiple accounts with different passwords.

  82. lovetox

    yes, but that means i should only allow the user to set the cert in the account creation workflow in the client

  83. lovetox

    and not as a kind of setting within the account to change the cert

  84. lovetox

    or if, then only if the new cert matches the jid of the old

  85. Zash

    You'd need some way to replace it when the cert expires and gets renewed

  86. lovetox

    ok so i have to have that check

  87. lovetox

    if he selects one with another jid, i tell him go to account creation wizard and add another account

  88. lovetox

    is this something companies use?

  89. Zash

    Don't know for sure, but that seems likely.

  90. lovetox

    and on the pros are listed user has to type no password

  91. lovetox

    are such certs issued usually without password?

  92. Zash

    They might need to unlock the private key somehow

  93. flow

    hopefully they do

  94. lovetox

    so no password is the standard

  95. lovetox

    but i have to expect one that needs a password

  96. flow

    you wouldn't want your private ssh key unprotected on disk either

  98. lovetox

    but the argument is, you issue per device certs then

  99. lovetox

    and if you lose the cert you deactivate it

  100. flow

    right, but hopefully the per device cert is also protected on the device

  101. Zash

    you'd revoke it or somesuch

  102. flow

    and be it android's full device encryption

  103. lovetox

    just saying if the user has a password for the cert, then why not just use that password to login into the account

  104. lovetox

    why the hassle with the certs

  105. flow

    so in any scenario, "no password" shouldn't be true, it just depends on when and how often you enter the password

  107. flow

    lovetox, well 1. per device tokens 2. stronger coupling with the TLS layer

  108. flow

    and on (modern) android devices, the private key would be protected by the device's hardware-backed keystore

  109. flow

    which, one may argue, provides better security

  110. lovetox

    The XEP allows to add no xmpp addr into the cert

  111. lovetox

    not sure i can impl that

  112. lovetox

    hm but even with cert i still have to bind the jid

  113. lovetox

    hm no we can only bind a resource

  114. lovetox

    not the full jid

  115. lovetox

    so i have to check if the server returned bound the jid i expected

  116. lovetox


  117. flow

    lovetox, that is *always* the case

  118. jonas’

    I *think* there’s been cases in the past where the server bound you to a different JID than your SASL username + domain

  119. lovetox

    i dont know how clients deal with that, if i read the rfcs it seems the client should not expect any specific JID

  120. flow

    lovetox, from a protocol POV the SASL username and your JID are unrelated

  121. lovetox

    yeah ..

  122. flow

    lovetox, why do clients have to deal with it?

  123. lovetox

    im not sure this was taken into account in all parts of the code

  124. flow

    in smack, when we need to persist data related to a JID, we only create the persistent store after the connection was authenticated at least once

  125. lovetox

    in Gajim i have an account name, and its not the JID

  126. lovetox

    so thats good

  127. lovetox

    data are mostly stored under that account name

  128. lovetox

    but i just have to look through the codebase if somewhere i depend on the JID being always bound to the same account

  129. lovetox

    at least gajim has anonymous login support, and with anonymous you get a different jid on every connect

  130. lovetox

    so if that works it looks at least good

  131. lovetox

    but for example with omemo i publish keys to my pep node which is linked to the JID

  132. lovetox

    so it would make no sense to save the omemo related keys and data under an Account Name that is not tied to a JID

  133. lovetox

    but i know i fucked up when i named the database file for omemo after the JID

  134. lovetox

    probably JIDs can have chars that are not supported as filename

  135. Zash

    Filenames on Linux tend to be opaque binary data with the only restrictions that they can't contain '/' or '\0'

  136. Zash

    Windows and Mac will have opinions tho

  137. jonas’

    plus length restrictions

  138. Ge0rG

    Luckily python has solved the filename to unicode string mapping in an easy and compatible way.

  139. Ge0rG walks himself out

  140. Zash

    The Mercurial developers would like a word

  141. jonas’

    Ge0rG, IIRC we figured out that was true

  142. jonas’

    (for a recent enough python 3)

  143. Ge0rG

    jonas’: yes, but only by applying a very sophisticated hack

  144. Ge0rG

    where you do a bijective mapping of all non-utf8 byte sequences into a reserved unicode block, or somesuch

  145. Zash

    what the

  146. Ge0rG

    Zash: https://www.python.org/dev/peps/pep-0540/

  147. Ge0rG

    or rather, https://www.python.org/dev/peps/pep-0383/

  148. jonas’

    into a unicode block reserved for this purpose