Heiko
@hko@floss.social  ·  activity timestamp 2 weeks ago

Analogously, we can inspect a modern v6 OpenPGP certificate, which uses up-to-date formats from the very recent RFC 9580.

We'll make a fresh example v6 certificate to look at with the "rsop" tool:

$ rsop generate-key --profile rfc9580 "" | rsop extract-cert > alice_v6.cert

And then look into it with:

$ rpgp status alice_v6.cert

🧵 3/5

A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert 🔐 Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Certify, Sign 🔑 X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Encrypt 🪪 ID "<alice@example.org>" (primary) ✅ Active (no expiration)
A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert 🔐 Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Certify, Sign 🔑 X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Encrypt 🪪 ID "<alice@example.org>" (primary) ✅ Active (no expiration)
A terminal session that shows the following commands and output: $ rsop generate-key --profile rfc9580 "<alice@example.org>" | rsop extract-cert > alice_v6.cert $ rpgp status alice_v6.cert 🔐 Ed25519 v6 82d496f62a2419443eb2b9be73159edd0fbdddaf9860db2cdb1164ad16ce918e ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Certify, Sign 🔑 X25519 v6 513694cc5bb335f0d5c991defbd94ddc7e6e4ce3025b0d489cf67301ec9d3093 ⏱️ Created 2025-08-24 22:16:36 UTC ✅ Active (no expiration) 🏴 Key flags: Encrypt 🪪 ID "<alice@example.org>" (primary) ✅ Active (no expiration)
Heiko
@hko@floss.social replied  ·  activity timestamp 2 weeks ago

We can also ask the "rpgp" CLI tool to emit the same certificate status information in #JSON format:

$ rpgp status --json alice_v6.cert

Please be aware that the rpgp JSON output format is in a very early stage, and may be subject to change!

(At some point I will commit to not changing the JSON format on a whim, but that point is not right now.)

🧵 4/5

A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
A terminal session that shows the following command and output: $ rpgp status --json alice_v6.cert { "primary": { "fingerprint": "9a47c697b8dfa657ad8d2bc31df18da8924a281f2f589600352f7bac05f61a81", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "Ed25519", "status": { "valid": {} }, "key_flags": [ "Certify", "Sign" ] }, "subkeys": [ { "fingerprint": "7e1a88fc27cfbb94ab1e088f32bfc3551bc88b4044a02f8ff685a0b14ad8ff9c", "version": 6, "created": "2025-08-24T22:26:06Z", "algorithm": "X25519", "status": { "valid": {} }, "key_flags": [ "Encrypt" ] } ], "user_ids": [ { "id": "<alice@example.org>", "primary": true, "status": { "valid": {} } } ] }
Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe  ·  activity timestamp 4 months ago

Seems a first step is almost done, adding #JSON support to my #poser lib. This could be the foundation for #JWT support in #swad. 😎

Need to do more thorough testing I guess, but at least the two example documents from #rfc8259 work fine ... the test tool does a full #deserialization / #serialization roundtrip (with specific internal representations of the data types supported by JSON).

edit: Look at the "Longitude" value of the second object in the second example 😏 I only noticed myself right now, but of course that's the desired behavior.
Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe replied  ·  activity timestamp 4 months ago

First step towards implementing #JWT in #swad done, just committed a good 1000 LOC and now my #poser lib can do #JSON 😎
https://github.com/Zirias/poser/commit/7f1772e85c869d544f8a12099ed6545e163dc163
Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe  ·  activity timestamp 4 months ago

Hopefully, there will be another release of #swad soon!

Looking at my test results again, performance should be okay at least for moderately busy sites ... the 1000 requests per second I observed included actual logins, and I didn't even test whether it would also handle more (it probably would), the only issue was with resolving remote names (with that, around 30% of these requests failed because the thread pool was clogged with jobs all waiting for some DNS response), and the recommendation would be: just disable that feature if your site is a busy one.

But I'm really unhappy with RAM usage going up so much. Almost 100MiB resident set after seeing 1000 unique clients all attempting a login is a lot after all.

So, I'll try to move swad to a session-less design. It can't be fully stateless, a rate limiter will be needed, but maybe I can optimize a bit on that.

But the sessions could be replaced. They're currently used for two things:

* Store actual auth information. This could be stored in signed JWTs (json web tokens) on the client instead. I'm already starting to add JSON support to my poser lib 😉

* Store the random challenge for the #anubis-like proof-of-work checker. Could do the same as anubis here: Derive the challenge from request metadata instead, including a timestamp.

Will be quite some work, but could be doable.
Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe replied  ·  activity timestamp 4 months ago

Seems a first step is almost done, adding #JSON support to my #poser lib. This could be the foundation for #JWT support in #swad. 😎

Need to do more thorough testing I guess, but at least the two example documents from #rfc8259 work fine ... the test tool does a full #deserialization / #serialization roundtrip (with specific internal representations of the data types supported by JSON).

edit: Look at the "Longitude" value of the second object in the second example 😏 I only noticed myself right now, but of course that's the desired behavior.