Skip to content

Latest commit

 

History

History
139 lines (78 loc) · 6.9 KB

README.md

File metadata and controls

139 lines (78 loc) · 6.9 KB

VISS - WEB CLIENT

Web client developed for @nicslabdev by @josesnchz used to interact with nicslabdev/automotive-viss2. nicslabdev/automotive-viss2 is a repository that implements authorization, authentification and other security concepts to w3c/automotive-viss2 repository.

This repository is included as a submodule in the automotive-viss2 and the WebClient is served by the vissv2server, in the same port that it accepts WebSocket requests. To use the WebClient

The Web Application started using GoLang WASM and JavaScript. At the moment, the WebApplication is fully written in vanilla JavaScript and HTML, allowing huge compatibility with most browsers.

Crypto Signature, generation and import of keys, along with Key Storage is supported using WebCrypto API and IndexedDB.

The future configuration API for AGT Server and AT Server (still on implementation phase) will be here.

Prerequisites and building

A basic file server based in GoLang is provided, that is compiled and runs in the background after running the script provided.

TLS is supported and It is mandatory its use outside of the localhost environment. Server key and certificate must be stored in .tls/serv_key.key and .tls/cert.pem WebCrypto API will not work if a non-secure context is being used. The used browser must support WebCrytography and IndexedDB. Most modern browsers support both APIs.

A script is provided to automatically build the server provided and run the webserver. After using the script, the client can be accessed visiting the port :8008 by default.
To use the script provided, it is mandatory to install screen, which allows to run the server in the background.

# get screen
$ sudo apt install screen

# compile files and start the webserver
$ ./startme.sh -run

# start the webserver using tls in an specific port 
$ ./startme.sh -runHTTPS -p 443

# stop the webserver
$ ./startme.sh -stop

The purposes and the VISS data tree is imported by the WebClient using these two files:

specs/purposelist.json

specs/vsspathlist.json

Purpose list is generated by the ecosystem manager, and it is used by the AT Server to provide Access Tokens depending on the AGT claims.

VSS Path list is generated by the VISSv2 server at startup, and it contains the data tree of the system.

Both of them are imported from the nicslabdev/automotive-viss2 repository.

New files can be generated following the rules specified in that repository.

Launching and Linking Backend

The WebClient can either be served by the vissv2 server to be used with it or by a WebServer deployed remotely to use with whichever implementation of VISS protocol.

The web client is pre-configured to be used with the automotive-vissv2 implementation launched locally, since all the ports assigned to each of the components are the one defined in that repository and the URL to use them is localhost.

In case the WebClient is used with other implementation of the VISS protocol or the URL used to access the Servers is different, it must be setted in the main page of the client the first time it is accessed. This will save the setted URL and port in the Local Storage of the Browser.

In case the default port and URL want to be changed, the main.html file must be edited.

Client System Architecture

This project can be used to test the authentication, authorization and data access flow described in VISSv2 protocol.

AGT, AT and VISSv2 requests are therefore supported.

MAIN PAGE

The client holds a keypair, which is used to sign the Proofs of Possession made to each of the servers.

Two types of keys are supported at the moment: RSA 2048 bits and Elliptic Curve P-256. These can be generated by the system or imported from a file.

As told before, keys are imported and managed using WebCrypto API, private keys are marked as non-exportable, allowing to Store and Use them in a secure environment.

AGT-REQUEST

The client is able to make an AGT Request modifying all claims at its will. Those requests that do not follow the specification will be refused.

The POP generated in case of use of a private key to sign a POP will be shown, along with the received token and the request body.

Those can be pretty-printed or shown as raw data.

Received tokens can be saved associated with the ID provided.

AT-REQUEST

The client uses one of the tokens obtained from the AGT server to attest its authorization to access the data.

The purposes supported are defined in the purposelist.json file, as described above.

The signature (if used) to generate the pop can be overriden or not, along with the claims on it.

Received tokens can be saved.

VISSv2 REQUEST

The client uses (or not) one of the tokens provided from the AT server to access data.

HTTP and WS is supported, although some methods are not implemented.

The data requested is selected after parsing the vsspathlist.json file, as descrived above.

VISSv2 AUTO REQUEST

The page allows the client to identify itself using a set of roles. The WebApplication will then ask for the AGT and AT in case those are needed. Then a VISS Request is issued to get the data. Info about which data can be accessed is given to the user prior to requesting. This page allows to easily retrieve data from the server without having to iterate all the pages to get the tokens prior the request.

Management Interface

A basic interface to communicate with the Access Grant Token Server and the Access Token Server to modify the policies followed by each one of them is in phase of development.

Considerations

The client is written in Vanilla JS. Despite that, Web Crypto API and Indexed DB API are used in order to generate cryptographic keys and securely store those keys and the tokens obtained.

The support of both APIs in different browsers can be checked here: Web Crypto and Indexed DB. Depending on the browser implementation, Web Crypto requires a Secure Origin to be executed. Because of this, a SSL connection might be needed in order to use the client. Local use does not require SSL certificates since localhost is considered a Secure Origin by browsers.

If the Web Client is deployed independently from the VISS Server, CORS policies must be correctly configured in the VISS Server in order to allow the Web Client to make requests from a different origin.

More information

Slides used to show the WebClient can be found in these links: