But that's not important right now ...
The key ( apologies for the pun ) thing is that the service exposes a series of actions via a REST API that is protected by TLS 1.2, to which we authenticate via a personal certificate.
This particular certificate is actually a PEM ( Privacy Enhanced Mail ) Base64-encoded DER file: -
dave.pem
which contains the personal certificate AND its private key: -
-----BEGIN CERTIFICATE-----
MIICojCCAYoCAQEwDQYJKoZIhvcNAQEEBQAwFzEVMBMGA1UEAwwMNTFiY2VlZmY5
N2M1MB4XDTE5MTAxMzA3NDIzNFoXDTIwMTAxMjA3NDIzNFowFzEVMBMGA1UEAwwM
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfzS4kSVhgDxOq
FB1+WdBb8Dvc5OmxzruZ4H0B2Li9O/Bz1U/nUEj8iS6lF8LvUgUmD9zCY9lZALwz
H9MXazlc49asA5BEa7hyaHZ84b0ThkkJKr2TOoZncEFRPKoLpm0Zp39UGWg6PDt7
...
-----END PRIVATE KEY-----
Using that certificate, we can authenticate to the REST endpoint, such as this example: -
curl -k https://192.168.1.24:443/image --cert dave.pem
{"root_ssh_enabled":false,"status":"initialized"}
So far, so good.
We then wanted to perform a series of security tests against the same endpoint, using a product called AppScan Standard ( this used to be an IBM Rational offering, and has been recently transitioned to HCL ).
This DOES support client authentication BUT doesn't support a PEM file.
Therefore, we needed to convert the PEM file into a different format, Public-Key Cryptography Standards (PKCS), as either a .p12 or .pfx file.
This is nice n' easy using the Swiss Army knife of security - openssl - as per this: -
openssl pkcs12 -export -out dave.p12 -in dave.pem
and then validate it via cURL: -
curl -k https://192.168.1.24:443/image --cert-type p12 --cert dave.p12
{"root_ssh_enabled":false,"status":"initialized"}
So now we're good to go .....
No comments:
Post a Comment