PKI and Federated Identity Management Enabling Tools
Over the years, Carillon experts have produced a number of applications
and libraries that can be helpful when setting up Public Key Infrastructures
and Federated Identity Management solutions. They were not written with
publication and commercialisation in mind, but simply to make our lives
easier by automating some recurrent tasks and implementing certain RFC
features.
Since we found them useful and thought they could benefit others too, we
have decided to make some of those tools available to all as free, open-sourced
software, released under the GNU LGPLv2.
While Carillon provides no guarantees with regard to the distributed code, we can provide
our customers with complete technical support and modification services.
- Carillon STS - Secure Token Service
The Carillon STS is a PHP-based Federated Identity Provider (IdP) which
is capable of acting as a Secure Token Service compatible with Windows
CardSpace and other "infocard" implementations. It has been
successfully tested with CardSpace, as well as with Chuck Mortimore's
Firefox identity selector plugin.
- Pathfinder - X.509 Certificate Validation Daemon
Pathfinder is a Linux daemon that provides centralized X.509 certificate
validation. It is fully RFC5280 compliant, and can process complex trust
models, such as bridging and multiple bridge traversal.
- Pathfinder for Apache - Client Certificate Validation
This patch allows the Apache web
server to use Pathfinder for verification of client certificates.
- Pathfinder for FreeRADIUS - Client Certificate Validation
This patch allows the FreeRADIUS server to use Pathfinder for verification of
client X.509 certificates during authentication requests.
- NEW: Pathfinder for xmlsec - XML Security library
This patch allows the xmlsec1 tool and
the libxmlsec1 library to use Pathfinder for validation of X.509
certificates when verifying a digitally signed XML structure.
- Pathfinder for Stunnel - Certificate Validation
This patch allows the Stunnel 4.23
Universal SSL Wrapper to use Pathfinder for verification of X.509
certificates presented by a remote client or server. This makes it even
easier to add proper certificate validity checking to applications and
servers that may not even already be SSL-aware.
- Pathfinder for OpenLDAP - Certificate Validation
This patch allows the OpenLDAP server to use
Pathfinder both for verification of client certificates (for LDAPS) and
for verification of certificates fetched by the LDAP Proxy backend.
- Extra SSL Info - for Apache HTTPD 2.2.8
This patch adds some extra SSL_* variables to the Apache environment,
which we've found useful. In particular, Certificate Policies OIDs, and
the email and DNS forms of Subject Alternative Name, are parsed and
published for client and server certificates.
- Certificate Discovery Service - X.509 encryption certificate retrieval through LDAP
These patches contain updates to Boeing's LDAP proxy, rendering it
compatible with recent versions of OpenLDAP.
- Electronic 8130-3 Validator Tool - Validate a digitally signed XML form 8130-3
This tool validates
an uploaded file against the ATA Schema from Spec 2000 Chapter 16,
and then validates the digital signature on the file. Any problems
with the digitally signed electronic 8130-3 are reported. If the
validation succeeds, you may view a PDF representation of the
8130-3.
- Carillon Electronic 8130-3 and AEEC 827 SimpleSign
Quick, simple to deploy, centralized solutions for Electronic 8130-3
and 827 software crate management.
Carillon also provides test-level X.509 certificates compliant with
the certificate profiles of various aerospace and air transport entities.
Please note, however, that while they are technologically identical to
production-grade certificates, the Certificate Authority used for their
creation has not been audited and is not guaranteed to be secure.
- DSWG-compliant test certificate - Individual
These can be used by individual people wishing
to exchange information with other individuals, or to digitally sign
any document or instrument, or to prove their identity for any
purpose. Please contact us to obtain
the specific certificate generation and retrieval instructions. The
following certificates are available, in standard or Elliptic Curve
encryption versions:
- Low Assurance (old Class II) Individual Certificate
- Medium Assurance (old Class III) Individual Certificate (software)
- Medium Assurance (old Class III) Individual Certificate (hardware)
- High Assurance (old Class IV) Individual Certificate (soon to be deprecated)
- CertiPath-compliant test certificate
Carillon is able to offer cross-certified CertiPath-compliant test
certificates. We also offer Elliptic Curve cryptography versions,
although CertiPath does not offer a cross-certification service for
these yet. However, as soon as they do, these certificates will be
cross-certified at TEST level as well.
Please contact us for more details.