Setting up Public-Key Authentication

The steps for logging in with a public key via REST API are described in this recipe.


Step 1: Create Challenge

Step 2: Decrypt challenge

Step 3: XOR

Step 4: Encrypt answer

Step 5: Answer the challenge


NOTE   This assumes you have already registered a public key with the server. If you have not, follow the registration instructions below first.


Register public key

1. Create an RSA key pair and construct a PEM certificate from it.

2. Log in to the server using your username and password.

3. Upload the public key by POSTing the certificate to /users/{specifiedUser}/certificates, where {specifiedUser} is the user you wish to log in as.


Step 1: Create Challenge

To create a challenge, POST to /api/login/challenge with your username and the PEM certificate carrying your public key.

Example:
----------------Request----------------
URL:
POST:/auth/login/challenge
Headers:
{'Content-Type': 'application/vnd.safenetinc.lunasa+json;version=3'}
Payload:
{"username": "admin", "certificate": "-----BEGIN CERTIFICATE-----\nMDV/9........rOongA8/\n-----END CERTIFICATE-----\n"}
----------------Result----------------
Code:
200
Headers:
{'access-control-allow-origin': '*', 'encoding': 'base64', 'content-type': 'application/json', 'content-length': '1747', 'access-control-allow-credentials': 'true'}
Data:
{"nonce": "NTdhNGVjZGQtYjhiNy00N2I5LWFmNDAtMGViYjM3MWJjMjJk", "challenge": "Hcaja20ca3wux...........jSQbmi3ISvf3tyFO7lKg==", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDfTC........T/AalB7Qu+i\n-----END CERTIFICATE-----\n"}

Step 2: Decrypt challenge

To continue with the login process, base64-decode the challenge parameter, then decrypt the result with the client private key.

Step 3: XOR

To get the answer to the challenge, XOR the decoded and decrypted challenge with the base64-decoded nonce.

Step 4: Encrypt answer

To get the final challenge response, encrypt the answer with the server public key, taken from the server certificate returned in the challenge result.

Step 5: Answer the challenge

To answer the challenge, POST to /auth/login/basic with the challenge response, encrypted as above and then base64-encoded.

Example:
----------------Request----------------
URL:
post:/auth/login/basic
Headers:
Payload:
{"challengeResponse": "d8RjtdS+3YjdhfU......m14YxkRAkKH8p+Wt3ZQ=="}
----------------Result----------------
Code:
204
Headers:
{'content-length': '0', 'encoding': 'base64', 'set-cookie': 'SESSION_ID=15492cf6-3c10-410e-9335-e2e9d5ce53e0; path=/; HttpOnly', 'access-control-allow-credentials': 'true', 'access-control-allow-origin': '*', 'content-type': 'application/json'}
Data:
""
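The registration step and the five login steps above, worked through end to end as an added example (written for this page; it is not code from the product's documentation or client tooling). It is Go using only the standard library: NewKeyPair covers registration step 1 (an RSA key pair plus a self-signed PEM certificate to upload), and SolveChallenge performs steps 2 to 4 on the nonce, challenge and certificate values returned by step 1, yielding the challengeResponse string for step 5. The HTTP calls are left out; the JSON field names come from the page. Everything the page does not state is an assumption and marked as such in the code: the RSA padding (OAEP with SHA-256 here; the server's real scheme may differ), the certificate subject and lifetime, and that challenge and nonce are the same length (a mismatch is reported as an error rather than truncated).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewKeyPair is registration step 1: an RSA key pair plus the self-signed PEM certificate
// that is uploaded to /users/{user}/certificates. Subject and lifetime are assumptions.
func NewKeyPair() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "rest-client"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// RSA padding is an assumption (the page names none); OAEP with SHA-256 is used in both directions.
func RSAEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func RSADecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// PublicKeyFromCertPEM recovers the server's RSA public key from the certificate returned in step 1.
func PublicKeyFromCertPEM(certPEM string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("certificate does not carry an RSA public key")
}

// XORBytes is step 3; unequal lengths are reported rather than silently truncated (an assumption).
func XORBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, fmt.Errorf("length mismatch: %d vs %d bytes", len(a), len(b))
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// SolveChallenge is the client side of steps 2 to 4, taking the nonce, challenge and certificate
// fields of the step 1 reply; the returned string is the challengeResponse value posted in step 5.
func SolveChallenge(nonceB64, challengeB64, serverCertPEM string, clientKey *rsa.PrivateKey) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(challengeB64)
	if err != nil {
		return "", err
	}
	nonce, err := base64.StdEncoding.DecodeString(nonceB64)
	if err != nil {
		return "", err
	}
	secret, err := RSADecrypt(clientKey, ct) // step 2: only the registered private key can do this
	if err != nil {
		return "", err
	}
	answer, err := XORBytes(secret, nonce) // step 3
	if err != nil {
		return "", err
	}
	serverPub, err := PublicKeyFromCertPEM(serverCertPEM)
	if err != nil {
		return "", err
	}
	resp, err := RSAEncrypt(serverPub, answer) // step 4
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(resp), nil
}

func main() {
	key, certPEM, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d-bit key generated; certificate to register:\n%s", key.N.BitLen(), certPEM)
}
```

Running the program prints a freshly generated certificate ready for registration step 3; for the login itself, pass the nonce, challenge and certificate fields of the /auth/login/challenge reply to SolveChallenge and POST its return value as challengeResponse. Because step 4 encrypts to whatever certificate the step 1 reply carries, a client should check that certificate against the server identity it already trusts before using it, and keep the private key from step 1 where nothing else can read it, since possession of that key is the whole of the proof.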