CREDITS.md

Credits, Notes, and Reference

Server Headers and Config

• NGINX + PHP Demo
• NGINX http_ssl_module
• Relevant NGINX http_ssl_module methods and corresponding headers:
  • ssl_client_verify, X-Client-Verify, SSL_CLIENT_VERIFY
  • ssl_client_s_dn, X-Client-S-Dn, Subject
  • ssl_client_i_dn, X-Client-I-Dn, Issuer
  • ssl_client_serial, X-Client-Serial, Serial Number
  • ssl_client_fingerprint, X-Client-Fingerprint
  • SSL_CLIENT_CERT
  • ssl_client_raw_cert
• SSL Script Rails, OpenSSL::SSL::VERIFY_NONE
• Mini tutorial for configuring client-side SSL certificates

Smart Cards

• A Case for Native Smart Card Support in Browsers - "Now, signature is one thing, identification (TLS client auth) is another. Allegedly, things should work there – PKCS#11 is a standard that should allow TLS client auth to happen with a smart card. Reality is – it doesn’t. You often need a vendor-specific PKCS#11 library. OpenSC, which is a cool tool that works with many smart cards, only works with Firefox and Safari"

OpenSC

• OpenSC - Using Smart Cards with Applications
• Installing OpenSC PKCS#11 Module in Firefox, Step by Step

Install opensc:

brew install opensc

Detect if a card-reader is present:

opensc-tool -n

pkcs15-tool --list-public-keys

pkcs15-tool --read-public-key 1

pkcs15-tool --read-certificate 1 | openssl x509 -noout -text

OpenSSL

• Ruby OpenSSL::X509::Certificate

Web E-Id

• Web E-Id
• hwcrypto.js
• hwcrypto.js API
• hwcrypto.js Demo
• Web eID Browser Extension
• web-eid.js

Web Crypto API

• Web Authentication W3 Working Draft
• Web Cryptography API W3 Recommendation
• Browser Support for Web Crypto
• Security Analysis of the W3C Web Cryptography API (NIST 2016)
• What’s wrong with in-browser cryptography? (2013) - "If ample precautions are taken (which includes a large laundry list of things like TLS, CSP, CORS, proper HTTP headers, JS strict mode, and more), this can allow for the successful development of cryptographic applications"
• Web Cryptography API Examples

Cloudflare CFFSL

• Introducing TLS with Client Authentication
• cfssl - "command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates"

Max.Gov

• MAX.gov Login - "Users with a working PIV or CAC card can associate their card with an existing MAX account. This provides 2-factor authentication that is more secure than a User ID and Password for accessing sensitive-but-unclassified (SBU) content setup to require MAX Secure+. To associate your PIV or CAC card you will need your MAX UserID and a working password. (Thereafter you will be able to login to MAX using just your PIV or CAC card and its built-in PIN number.)"

Sinatra

• Sinatra Docs
• Identity OIDC Sinatra Client

NGINX

• NGINX Beginner's Guide

brew install nginx

######################################################################## 100.0%
==> Pouring nginx-1.13.9.sierra.bottle.tar.gz
==> Caveats
Docroot is: /usr/local/var/www

The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.

nginx will load all files in /usr/local/etc/nginx/servers/.

To have launchd start nginx now and restart at login:
  brew services start nginx
Or, if you don't want/need a background service you can just run:
  nginx
==> Summary
🍺  /usr/local/Cellar/nginx/1.13.9: 23 files, 1.4MB

Running NGINX Locally

• Installing and configuring NGINX on Mac OS w/ homebrew:
  • circa 2012
  • circa 2015

Inspect the configuration file:

atom /usr/local/etc/nginx/nginx.conf

Start the server to test the installation:

brew services start nginx # then visit http://localhost:8080/ to find a welcome message

Stop the server, then make adjustments to the config file:

brew services stop nginx

NGINX And Ruby/Rack

• How HTTP Headers Get Passed from NGINX to Ruby App
• How to Deploy Rack App w/ NGINX - Passenger, Thin, Unicorn, etc.
• How to make Sinatra work over HTTPS / SSL

Passenger

• Deploying a Ruby application on Passenger + Nginx
• Quickstart: Ruby + Phusion Passenger
• Passenger Ruby Bundle Support
• Ruby debugging console on Passenger + Nginx

Thin

• Thin (identity-idp uses this in development)
• Can I enable SSL in Sinatra with Thin?
• Deploying Sinatra on DigitalOcean with Nginx and Thin

Unicorn

• Sinatra Proxied to Unicorn

Puma

• Puma
• Puma with Sinatra
• Build API Prototype in Sinatra in 6 Steps

Rack

• Web Server vs. App Server

Cloud.gov

• Setting up cloud.gov
• Your first cloud.gov deploy
• VCAP_SERVICES
• Deploying to Cloud.gov

Installing Cloud Foundry:

brew tap cloudfoundry/tap
brew install cf-cli

Logging in:

cf login -a api.fr.cloud.gov --sso

Verify target space:

cf target

Deploy from any branch (git-unaware):

cf push card-reader-web-client # then visit https://card-reader-web-client.app.cloud.gov/

Checking logs:

cf logs card-reader-web-client --recent

Cloud Foundry

• Cloud Foundry Nginx Buildpack (deprecated)
• Cloud Foundry Staticile Buildpack (supersedes Nginx Buildpack)
• Staticfile Docs - will detect an nginx.conf in the application's root directory

Assets and Design

• Card Icon Source

Icons made by Kirill Kazachek from www.flaticon.com licensed under Creative Commons BY 3.0

Twitter Bootstrap

• Navbars
• Tables