The keystoneclient.common.cms Module

keystoneclient.common.cms.cms_hash_token(token_id)

return: for ans1_token, returns the hash of the passed in token otherwise, returns what it was passed in.

keystoneclient.common.cms.cms_sign_text(text, signing_cert_file_name, signing_key_file_name)

Uses OpenSSL to sign a document Produces a Base64 encoding of a DER formatted CMS Document http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax

keystoneclient.common.cms.cms_sign_token(text, signing_cert_file_name, signing_key_file_name)
keystoneclient.common.cms.cms_to_token(cms_text)
keystoneclient.common.cms.cms_verify(formatted, signing_cert_file_name, ca_file_name)

verifies the signature of the contents IAW CMS syntax

keystoneclient.common.cms.is_ans1_token(token)

thx to ayoung for sorting this out.

base64 decoded hex representation of MII is 3082 In [3]: binascii.hexlify(base64.b64decode(‘MII=’)) Out[3]: ‘3082’

re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf

pg4: For tags from 0 to 30 the first octet is the identfier pg10: Hex 30 means sequence, followed by the length of that sequence. pg5: Second octet is the length octet

first bit indicates short or long form, next 7 bits encode the number of subsequent octets that make up the content length octets as an unsigned binary int

82 = 10000010 (first bit indicates long form) 0000010 = 2 octets of content length so read the next 2 octets to get the length of the content.

In the case of a very large content length there could be a requirement to have more than 2 octets to designate the content length, therefore requiring us to check for MIM, MIQ, etc. In [4]: base64.b64encode(binascii.a2b_hex(‘3083’)) Out[4]: ‘MIM=’ In [5]: base64.b64encode(binascii.a2b_hex(‘3084’)) Out[5]: ‘MIQ=’ Checking for MI would become invalid at 16 octets of content length 10010000 = 90 In [6]: base64.b64encode(binascii.a2b_hex(‘3090’)) Out[6]: ‘MJA=’ Checking for just M is insufficient

But we will only check for MII: Max length of the content using 2 octets is 7FFF or 32767 It’s not practical to support a token of this length or greater in http therefore, we will check for MII only and ignore the case of larger tokens

keystoneclient.common.cms.token_to_cms(signed_text)
keystoneclient.common.cms.verify_token(token, signing_cert_file_name, ca_file_name)

Previous topic

The keystoneclient.client Module

Next topic

The keystoneclient.contrib.bootstrap.shell Module

This Page