common Package

cms Module

Certificate signing functions.

Call set_subprocess() with the subprocess module. Either Python’s subprocess or eventlet.green.subprocess can be used.

If set_subprocess() is not called, this module will pick Python’s subprocess or eventlet.green.subprocess based on whether the os module has been monkey-patched by eventlet.

keystoneclient.common.cms.cms_hash_token(token_id, mode='md5')

Hash PKI tokens.

Returns: for an ASN.1 token, the hash of the passed-in token; otherwise, the token exactly as it was passed in.

keystoneclient.common.cms.cms_sign_text(text, signing_cert_file_name, signing_key_file_name)

Uses OpenSSL to sign a document.

Produces a Base64 encoding of a DER-formatted CMS document (http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax).

keystoneclient.common.cms.cms_sign_token(text, signing_cert_file_name, signing_key_file_name)
keystoneclient.common.cms.cms_to_token(cms_text)
keystoneclient.common.cms.cms_verify(formatted, signing_cert_file_name, ca_file_name)

Verifies the signature of the contents in accordance with CMS syntax.

Raises: subprocess.CalledProcessError
Raises: CertificateConfigError if the certificate is not configured properly.

keystoneclient.common.cms.is_ans1_token(token)

Deprecated. Use is_asn1_token() instead.

keystoneclient.common.cms.is_asn1_token(token)

Determine if a token appears to be PKI-based.

Thanks to ayoung for sorting this out.

The base64-decoded hex representation of 'MII' is 3082:

In [3]: binascii.hexlify(base64.b64decode('MII='))
Out[3]: '3082'

re: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf

pg4:  For tags from 0 to 30 the first octet is the identifier
pg10: Hex 30 means sequence, followed by the length of that sequence.
pg5:  Second octet is the length octet
      first bit indicates short or long form, next 7 bits encode the
      number of subsequent octets that make up the content length octets
      as an unsigned binary int

      82 = 10000010 (first bit indicates long form)
      0000010 = 2 octets of content length
      so read the next 2 octets to get the length of the content.

In the case of a very large content length there could be a requirement to have more than 2 octets to designate the content length, therefore requiring us to check for MIM, MIQ, etc.

In [4]: base64.b64encode(binascii.a2b_hex('3083'))
Out[4]: 'MIM='
In [5]: base64.b64encode(binascii.a2b_hex('3084'))
Out[5]: 'MIQ='

Checking for MI would become invalid at 16 octets of content length (binary 10010000 = hex 90):

In [6]: base64.b64encode(binascii.a2b_hex('3090'))
Out[6]: 'MJA='

Checking for just M is insufficient.

But we will only check for MII: the maximum content length using 2 octets is 7FFF, or 32767.

It is not practical to support a token of this length or greater over HTTP; therefore we check for MII only and ignore the case of larger tokens.
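The following is an added example, not code from keystoneclient itself, that walks through the DER header reasoning above: it shows the 'MII' prefix heuristic next to a decoder that reads the tag and length octets directly, so the MIM/MIQ/MJA cases and the declared content length can be checked rather than assumed. The sample tokens are constructed for the example; the prefix is assumed to be standard base64.

```python
import base64
import binascii

# Constructed samples (not real Keystone tokens): a DER SEQUENCE with a
# 2-octet long-form length (0x0100 = 256 content bytes), base64-encoded the
# way a CMS-signed PKI token starts, and a 32-hex-character UUID-style token.
PKI_LIKE_TOKEN = base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 256).decode()
UUID_TOKEN = "a2e3f4c5b6d74e8f9a0b1c2d3e4f5a6b"


def has_mii_prefix(token):
    """The heuristic from the docstring above: base64 of 0x30 0x82 ... is 'MII'."""
    return token[:3] == "MII"


def der_sequence_header(token):
    """Decode the first base64 quad and read the DER tag and length octets.

    Returns (is_sequence, long_form, num_length_octets), or None when the
    prefix is not decodable base64. This generalises the 'MII' check to the
    MIM, MIQ, ... prefixes mentioned above (3, 4, ... length octets).
    """
    try:
        head = base64.b64decode(token[:4])
    except (binascii.Error, ValueError):
        return None
    if len(head) < 2:
        return None
    tag, length_octet = head[0], head[1]
    long_form = bool(length_octet & 0x80)          # bit 8 set: long form
    num_length_octets = (length_octet & 0x7F) if long_form else 0
    return tag == 0x30, long_form, num_length_octets


def der_content_length(token):
    """Return the declared SEQUENCE content length for a long-form header,
    decoding only as many base64 quads as the length octets require."""
    header = der_sequence_header(token)
    if header is None or not (header[0] and header[1]):
        return None
    n = header[2]
    needed_bytes = 2 + n                           # tag, length octet, n octets
    needed_chars = -(-needed_bytes // 3) * 4       # round up to whole quads
    try:
        raw = base64.b64decode(token[:needed_chars])
    except (binascii.Error, ValueError):
        return None
    if len(raw) < needed_bytes:
        return None
    return int.from_bytes(raw[2:2 + n], "big")
```

Note that the UUID-style token happens to be valid base64, so only the tag check (not decodability) rules it out; the prefix heuristic is cheap but is not a substitute for cms_verify().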

keystoneclient.common.cms.set_subprocess(_subprocess=None)

Set subprocess module to use. The subprocess could be eventlet.green.subprocess if using eventlet, or Python’s subprocess otherwise.

keystoneclient.common.cms.token_to_cms(signed_text)
keystoneclient.common.cms.verify_token(token, signing_cert_file_name, ca_file_name)
