Passing decoded certficates in HTTP header

Sorry - also should say that I have tried this without the b64decode and the certificate is sent in PEM format.

 

 

When trying the above i get an error in log - while executing "X509::whole [b64decode [SSL::cert 0]]"

The syntax of the command should be:

[X509::whole [SSL::cert 0]]

Without the X509 command, [SSL::cert 0] produces the binary representation of the certificate (in DER encoding). You don't want to send binary data in an HTTP header. The X509::whole command produces a PEM encoding of that certificate, which is base64 with additional header/footer data. It also has line breaks in it, so your best bet for getting it sent in a header is to either base64 encode it again, or simply base64 encode the [SSL::cert 0]:

[b64encode [SSL::cert 0]]

Then at the over VIP just decode to get to the binary certificate:

[b64decode [HTTP::header "X509Certificate"]]

** with appropriate error checking - invalid data will bomb the b64decde command.

Can you try setting a variable containing the cert data and then using that for the decode operation?

 

 

What's the actual error message?

 

Too late! Thanks Kevin.

 

Thanks Kevin

 

I have tried [X509::whole [SSL::cert 0]] but that (as you say) produces the PEM encoded version.

 

I want to send it as Base64 DECODED though.

 

I would like to avoid creating another IRULE for the other VIP as this is used for LOTS of othr applications and I am not sure the impact that doing this would have on the other applications.

 

Well, if I'm understanding you, you want to send the binary certificate between VIPs? A certificate can be either DER or PEM encoded. [SSL::cert 0] produces the DER, and [X509::whole [SSL::cert 0]] produces the PEM. I would not recommend sending the DER version in an HTTP header, and the PEM version is laced with line breaks.

 

 

In any case, you'd need something on the other VIP to receive the HTTP header and do something with it. How are you using the value in the application behind the second VIP?

I believe certificate needs to look like this:

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 7829 (0x1e95)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
               OU=Certification Services Division,
               CN=Thawte Server CA/emailAddress=server-certs@thawte.com
       Validity   
           Not Before: Jul  9 16:04:02 1998 GMT
           Not After : Jul  9 16:04:02 1999 GMT
       Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
                OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (1024 bit)
               Modulus (1024 bit):
                   00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                   33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                   66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                   70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                   16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                   c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                   8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                   d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                   e8:35:1c:9e:27:52:7e:41:8f
               Exponent: 65537 (0x10001)
   Signature Algorithm: md5WithRSAEncryption
       93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
       92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
       ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
       d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
       0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
       5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
       8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
       68:9f

We do not need to do anything on other VIP - there is an pplication that modifies cert.

We do not need to do anything else with it.

That's an OpenSSL representation of a certificate and NOT what it really looks like. A certificate is either binary (DER ASN.1 encoded) or PEM (a base64 encoding of the DER). So you have a few options:

 

 

1. Recreate this structure (or some portions of it) using the various X509 commands.You probably still want to encode it somehow to pass into the HTTP header.

 

 

2. Pull out just the pieces you need and pass as HTTP headers

Couldn't you just base64 encode the cert on the first VS and decode it on the second? I think it would corrupt the HTTP headers if you tried to insert the cert unencoded.

 

 

Aaron

I would like to avoid creating another IRULE for the other VIP as this is used for LOTS of othr applications and I am not sure the impact that doing this would have on the other applications.

 

 

If you remove any pre-existing instances of a custom header name and then insert the base64 encoded copy of the cert in that header name, it would be fairly cheap resource-wise to look for that header on a second VS. You could then only base64 decode the header value if it's present.

 

 

Aaron

Guys thanks.

 

 

I am making progress....they are trying to replicate a WebSphere plugin. Here is a trace of what it does:

 

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestCreate: Creating the request object

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseCreate: Creating the response object

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseInit: initializing the response object

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htresponse: htresponseInit: done initializing the response object

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetMethod: Setting the method |GET|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetURL: Setting the url |/intermediaryaccess/servlet/IntermediaryAuthenticationServlet|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetURL: Setting the query string |RequestID=AUTHENTICATION_CERTIFICATE_LOGON&action=init

 

ial&branding=&source=SLAC&urlParamTargetPage=https%3A%2F%2Fwpssyst1.advisertest.com%2Fadviser%2Fsecure%2Fadviserzone%2FServices%2FgotoSecureService%3Fid%3DdoLogin|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: mod_was_ap20_http: cb_get_headers: In the get headers callback

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept| to value |image/gif, image/x-xbitmap, image/

 

jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, application/xaml+xml, application/x-ms-

 

xbap, application/x-ms-application, */*|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Referer| to value |https://syst.advisertest.com/inte

 

rmediaryaccess/servlet/IntermediaryAuthenticationServlet|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Language| to value |en-gb|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |UA-CPU| to value |x86|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Encoding| to value |gzip, deflate|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |User-Agent| to value |Mozilla/4.0 (compatible; MSIE

 

7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Host| to value |syst-cert.advisertest.com|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Cookie| to value |SBANavCookie=114_8_-38_-61_24_-108

 

_104_-57_27_89_103_-67_51_-18_52_-4_79_9_29_-61_102_-73_-88_-105_-47_-81_65_6_73_-30_47_83_-19_18_-52_76_-26_-23_54_-57_-10_-15_5_22_-125_50_126_74_0_-58_-56_98_-23_-

 

1_-97_104_-95_13_101_-48_-38_72_-87_17_-109_-39_-96_-62_-58_44_59_; SBAAuthCookie=-11

 

9_75_126_-110_-125_50_-75_95_-112_-102_-5_-64_-40_121_27_28_; autheticationMethodCookie=Y|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Connection| to value |Keep-Alive|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Cache-Control| to value |no-cache|

 

 

This next header WSCC is the certificate:

 

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSCC| to value |MIIG7zCCBNegAwIBAgIQEZV1hgfaH00918h

 

mISp9hzANBgkqhkiG9w0BAQ0FADBYMQswCQYDVQQGEwJHQjErMCkGA1UEChMiT3JpZ28gU2VjdXJlIEludGVybmV0IFNlcnZpY2VzIEx0ZDEcMBoGA1UEAxMTT3JpZ28gUm9vdCBDQSAtIEcyTTAeFw0xMjA4MzAwMDAwM

 

 

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSCS| to value |RC4-MD5|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSIS| to value |true|

 

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSC| to value |https|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSPR| to value |HTTP/1.1|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRA| to value |172.31.104.161|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRH| to value |172.31.104.161|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSN| to value |syst-cert.advisertest.com|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSP| to value |443|

 

[Fri Nov 16 17:47:05 2012] 000da02a 00000809 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSI| to value |AA2gKnwJoT4xajzq6d7FmSizqiRYWFhYUKZ

 

 

 

So now I need to check with application guys to see eactly which of the header fields are required....

 

 

You can see that certificate is encoded and I have tried setting the variable as $WSCC rather than X509Certificate:

 

 

e.g. HTTP::header insert \$WSCC [X509::whole [SSL::cert 0]]