powered by Jive Software

Any plan for certificate authentication?

Is there any plan to add certificate based authentication to Wildfire?

Juan,

Gato has been making a bunch of improvements to certificate handling for the next release so we’‘re closer to being able to handle this feature. We’'ll have external SASL for s2s connections at least. Do you know any clients that support cert authentication? That would allow testing when it comes time to support the feature.

Regards,

Matt

We are developing an application that uses X.509 certificates for authentication and authorization. This application embeds an XMPP client based on Smack, so we have added our own X.509 based authentication to Smack and Wildfire.

In the Smack side we have added a new constructor to the “XMPPConnection” class that takes two additional arguments for the key managers and trust managers to use when the TLS connection is being negotiated. We use then this new constructor with our own key managers and trust managers. We have also added a new “SASLExternalMechanism” class that simple sends the username as authentication text.

In the Wildfire side we added a parameter to enable/disable the requirement for client certificates and several additional changes in order to implement PKIX certificate validation (using the “certpath” API inside JDK 1.5).

This works for us, but my concern is how standards compliant this is, as didn’'t found any documentation about SASL EXTERNAL implementation in XMPP.

Sounds cool. Where can the Wildfire changes be downloaded from?

I’‘m not sure if what you’‘ve done is the standard way of handling SASL EXTERNAL, but I think it’‘s something we’'ll be researching soon.

Regards,

Matt

You can download a file containing the patches and other things from the following URL:

http://www.medictyon.com/public/wildfire-certificate-authentication.tgz

A few comments about this patches:

  1. They are made against version 2.4.0 of Wildfire and version 2.1.0 of Smack.

  2. A new system property “xmpp.socket.ssl.verifyClient” has been added. The possible values are “none”, “optional” and “require”. You can set this value using the “Client Connection Security” section of the admin console: select “Custom” and then change the value of “Verify certificates”.

  3. Certificate validation will probably require that the username is derived from the certificate itself.

We have implemented this creating a new “ExternalAuthProvider” with a new “authenticate” method that takes the certificate chain as parameter and returns the user name (or null if the user name provided by the user should be used).

We have also implemented a “DefaultExternalAuthProvider” that extracts the user name directly from the “UID” component of the subject of the user certificate. This works for us but will not probably work for others.

  1. The self signed certificates generated with “keytool” do not fulfill the requirements of the PKIX validation algorithm (RFC 3280). If you want to test the patch use the “truststore” inside the downloaded file (the password of the keystore is “changeit”).

  2. In order to test you will need a patched version of Smack and a test application. Find them inside the downloaded file.

Regards,

Juan A. Hernández.