
I remember looking at <keygen>, and the one thing I never understood is how to save the results to the client browser. From my understanding it sends you a public key, and I should sign something and send it back to the client.

However, what do I send back? Do I sign a certificate, and how do I tell the browser to install it so it can use it the next time the user visits the site? I didn't understand how to tell it to do that part, and the examples seem to forget me every time I visit the page.

Charles

1 Answer

Perhaps I misunderstood your question, but the <keygen> element is purposefully built such that with every new form submission a new public/private key pair is generated. The private key is stored within the local keystore and the public key is submitted as (AFAIK) a Base64-encoded string.

This form element is useful for CAs signing clients' certificates using appropriate signing algorithms. Take for example SSL certificates, which require some background information as well as an RSA public/private key. In that case, instead of getting users to use an offline tool to generate the certificate request by themselves, you can make the whole system a web interface in which all the relevant data is placed in a form for the user to enter. In this case the certificate "request" can simply be constructed on the server's end, saving the client a lot of hassle.

The returned data will depend on what you are doing with the key. If you are signing a client's certificate, then you will return the signed client certificate based on their provided information. Naturally, if you are doing anything else with this key you can choose what you want to return.

Please note, the <keygen> element is not used for establishing any sort of secure channel between you (the server) and the client. The easiest way to think about this is that the <keygen> element simply behaves like a long textarea where the client types (or rather copies) their public key for processing by a certificate issuer, only the whole key generation has been automated. As for an SSL certificate, the return data could very well be the raw signed certificate file itself or a textbox containing the certificate data in a nice and fancy webpage, but that's entirely up to you.

Read more about signing a certificate here.

initramfs
  • I still don't understand what should be done. How do I use the 'local keystore'? – Feb 08 '14 at 18:42
  • @acidzombie24 What exactly are you trying to do? – initramfs Feb 08 '14 at 18:46
  • Use it. AFAIK it sends me a public key and it has a private key, but HOW do I use the public key? The examples I've seen online just display the public key but don't say how to use it. I saw something say I should sign something and send it to the client, but I don't know what it had in mind and I don't know how it would access the private key in the local keystore. How would I go about making a user choose a username and create a key for its password, then display the username every time the user comes to the page? – Feb 08 '14 at 18:48
  • @acidzombie24 The keygen element is a very specific element used in quite a narrow field. If you don't know anything about certificate signing or think you would offer those services, the keygen element has no use for you. The username/password thing you proposed would never make use of the keygen element. If you want to know more, I suggest you read up on SSL certificates. You'll see how this "certificate" requires a public key provided by the client during creation and how the keygen element fits in nicely in this very specific case. – initramfs Feb 08 '14 at 18:55
  • I know what SSL certs are. In this WebID video I'm still watching (http://webid.info/) it says the key is signed and sent back at the 4 min mark. I don't know WHAT MIME type to send to tell the browser this is a cert. I also don't remember my openssl flags and I have no idea how to tell it the user ID I want (I see a user ID field in the video). I just don't see any examples of how it actually works, just explanations of how conceptually it should work. The URL in the video doesn't work so I can't try their example. AFAIK there's no complete example where I can log into a website w/o a password as in the video. – Feb 08 '14 at 19:01
  • @acidzombie24 This is getting more into the actual implementation of the certificates rather than the keygen element itself, but anyway. The signed certificate is a text file. It is simply a string of text normally placed in a file with the extension .crt/.pem. Some CAs choose to just send the certificate in a big textarea for the user to copy, whereas some CAs create the certificate file (just a text file with the certificate data in it) and send it to the user as a binary file. N.B.: There are many standards for certificate storage; I listed the simpler, more common one (Base64-encoded text file). – initramfs Feb 08 '14 at 19:06
  • I'm still pretty confused. When the client does a POST request with the public key, do I ONLY send a cert back? What about a redirect URL? It shows I can choose a cert to send to the site, so I guess it doesn't send a cert every time. I have no idea how to prompt the client to choose the cert to use. Like my question says, is there an actual working example that remembers me? Because from all the examples I've seen, as far as I know no browsers can actually remember a user/use this. I'm very disappointed the example used in the video does not seem to exist. – Feb 08 '14 at 19:24
  • @acidzombie24 The keygen element is a field that generates a specified public key. That is all. No return response is specified or needed. For all I know you could redirect the user to YouTube if you want; that would not be in breach of any protocol. Process it like any other form element, it's not special or anything. I am utterly confused about this whole "choosing a certificate" and "remember me" you are talking about. If you want to clarify that, I suppose you can do it in chat as this comment stream is getting long and a bit off topic. – initramfs Feb 08 '14 at 20:12
  • Maybe I should ask you what the USE of keygen is? Apparently there is nothing I can do with it. The WebID video I linked has an example of using it to sign into websites without a password, but like I said the example site is not working/no longer up and nothing has any working examples. Why would anyone ever want to send a public key if there's no way to authenticate it in future visits? Not a single example shows how to do this (except for the site shown in the video, which isn't up). – Feb 08 '14 at 20:21
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/47097/discussion-between-cpu-terminator-and-acidzombie24) – initramfs Feb 08 '14 at 20:22