William Tay has a very interesting technical blog and has solved the riddle of how to take a public key pair that he produced in a Microsoft environoment, and export it to PEM so it can by used by PHP. I didn't have this particular problem, because I created my site's key using OpenSSL in the first place. However, I've spent many hours with the OpenSSL utility trying – so far unsuccessfully – to go the other way (PEM to pfx). It shouldn't matter which platform you create your key on – if you have a mix of platforms you want to be able to take the key in both directions. Anyway, for those who have William's problem, here's how he dealt with it:
I believe some hardcore Windows CardSpace fanatics out there may have tried out Kim Cameron's IdentityBlog Cardspace demo on php. The tutorials can code samples can be found via his blog here. As of this time, I dont think he has updated it to work with the WinFX July CTP drop.
If you had played with those php samples, you will realize that nothing much has changed for the WinFX July CTP drop, we are still using the same version of WS-Trust and WS-Security Specifications specifications. While WS-Security has been pretty much baked, as the advanced WS-* specifications reach a better level of maturity and acceptance, it won't change as frequently anymore.
The only change to take note is the OBJECT element in the html page. The way claims are presented on a html page is now space-delimited and not comma-delimited as it was before.
I have been showing the php demos in my presentations around the Asia-Pacific circuits for some time now. One of the questions I frequently get asked is how do we get the RSA private key of the https site (Relying party) we are using to authenticate our users. While Kim has shown some briefs snippets of his php code here (It is fairly obvious why the entire Private Key cannot be disclosed here),
// Cardspace_demoprocessing.php
// Put your own PEM private key here and
// use the right password (for the demo
// we don't use MySql to store this stufffunction get_settings($key)
{
if ($key == “infocard_key”) {$retVal = “—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9266952B733BFBE0Z4WmpirV4dXvYjNmfSN99Iu4iYzUWa4/CPZG0NParYSVHMOhb4lsS6iISjgniGG9
zhA862KDwsYUjgoyAIXfJAd5Z3hXiyJYdkygF/DUgeQFcwQjsWmkguq27EDHW6nS
.
.
.
3GkQxPLzTMFZYm7haU3WH+QYnNxz2bG0esUmB/YECXDCqFTbrUm/DUPd4YiI2HiL
+j40vRpPzY6ngd1QNOfd5jkin7sjW1YlsEsRPV8OzEJvNmBZF274Cw==
—–END RSA PRIVATE KEY—–“;}
else if ($key == “infocard_opener”){
$retVal = “xY8O< |aBB"; } else { $retVal = NULL; } return($retVal); } he did not show how he got that RSA Key. There are, of course, a few ways to get that key. But since we are on the subject of Open-source and php being the flavour of the day, I thought why not show the readers how to get it using another popular utility out there called “OpenSSL“. I am using version 0.9.8b the OpenSSL binaries/executables.Once that is all downloaded, installed and setup – I used this command to retreive the RSA Private Key into a PEM file:
Openssl pkcs12 -in Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx -out cert.pem -nodes
You will, of course, replace the “Softwaremaker.NET.Pte.Ltd_300607_SSLCert.pfx” with your own site's SSL digital certificate. The -nodes flag just tells the output not to have a passphase lock on the resulting PEM file. Of course, you can if you want to if you are afraid of others being able to view your site's Private Key from the php code file. The output cert.pem will contain the output:
Bag Attributes
1.3.6.1.4.1.311.17.2:
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: 1a9c651d1153bf0e58ac3ff34c9fce1f_615cbd1c-54d4-4ea0-b0d4-5c14115c3abb
Key Attributes
X509v3 Key Usage: 10
—–BEGIN RSA PRIVATE KEY—–
MIICXgIBAAKBgQDElLoxJcOzWT0jHT6uvdDHpDBnZLa4AE/gznjcKuSIT880MAmL
ADVIoDP/0MPDucexjWCtJ33msRCmi2TOQ86dPhyc/kfrmpTnjG+Kwi7tR5x07rAM
…
XLj+knD7VxrZvE/CBJP5PgjuvqfcbiSGf4R8dVB/nVm6tw==
—–END RSA PRIVATE KEY—–
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: Default Web Site
subject=/C=SG/ST=Singapore/L=Singapore/O=Softwaremaker.NET Pte Ltd/OU=Software Development and Architecture Research Unit/CN=swmvm2k3
issuer=/CN=Softwaremaker.NET Pte Ltd
—–BEGIN CERTIFICATE—–
MIIE1DCCA7ygAwIBAgIKYVFrDgABAAAACDANBgkqhkiG9w0BAQUFADAkMSIwIAYD
VQQDExlTb2Z0d2FyZW1ha2VyLk5FVCBQdGUgTHRkMB4XDTA2MDYzMDAyMjkyNFoX
…
Gl+c093/wY1RT9FhAyK0vpP/H9rFzyrCZbuyL69tWkTI1DGTuZHW5g==
—–END CERTIFICATE—–
Once you got the above output, you just have to replace the “—–BEGIN RSA PRIVATE KEY—–…” until the “—–END RSA PRIVATE KEY—–“ with your own in the php code file (Cardspace_demoprocessing.php).Hope this helps someone out there.
Yeah. It's true that I was unclear, when writing my demo PHP code, how to best store and retrieve secret keys in a LAMP environment. In Windows, I would use the system-provided routines for protecting and accessing secret keys, but I don't know the equivalents one would use in LAMP.
I ended up just storing my keys in mySql (the code William shows above is a simplification to make the issues as easy to understand as possible) – but I'd appreciate hearing from someone who knows the proper way to do this.
I'm not aware of a standard way to do it (like MS DPAPI). Maybe Ben can chime in?
I did want to comment that putting your keys in code seems like poor practice–any attack that leads to view source leads to key comprimise. Put the keys in files in a directory outside of the web root, readable only by the uid of the webserver. (Or in a database, but that leads to SQL injection concerns..)