OpenStack Identity API v3 OS-SIMPLE-CERT Extension

When using Public Key Infrastructure (PKI) tokens with the identity service, users must have access to the signing certificate and the certificate authority's (CA) certificate for the token issuer in order to validate tokens. This extension provides a simple means of retrieving these certificates from an identity service.

API Resources

Certificates

The identity server uses X.509 certificates to cryptographically sign issued tokens. Certificates are a public resource and can be shared. Typically, validating a certificate requires only the issuing certificate authority's certificate; however, PKI tokens are distributed without the original signing certificate embedded in the message, so the signing certificate must be retrievable as well.

Certificates are provided in the Privacy Enhanced Mail (PEM) file format. A certificate in a PEM file may appear with or without a preceding human-readable text representation of the certificate data (both forms are shown in the examples below). That text representation is informational only; the only required information is the base64 block between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

API

Retrieve CA certificate chain

GET /OS-SIMPLE-CERT/ca

Relationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/ca_certificate

Fetches the certificate chain used to authenticate signed tokens.

More than one certificate (a chain) may be returned. In that case the whole chain should be used when validating a token.

Status: 200 OK
Content-Type: application/x-pem-file

-----BEGIN CERTIFICATE-----
MIIDgTCCAmmgAwIBAgIJAJpWjfJuWL+oMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoM
BVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wHhcNMTMxMjA5MDEzMDUw
WhcNMjMxMjA3MDEzMDUwWjBXMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVW5zZXQx
DjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4
YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzQwzCPN
3zMsUX6GwNcS9n/dJq4gzddClFB7ZgfVKOwdEVx/XX9w8wflFWq+JqqMA81ZtLFP
w0fKJFISMSVH7TXPRp096cC41Nv5dCt0kfVChyUUKUGiEzvUU8WagU7uWE4Rj+6d
CQvdbot0/5eDFJL90cj+Ck5dn/lqBxLSnHjTLLqHscpD+qOc6XL4JxCM1SOkS1LL
aRPLksqyKZwz8R86yR/9FnIREGO52VDje0hYUwLw0TzurSi1QHuBB/aZ2aC7A79G
YBBMo79amu8Oc4x+VzOxtY1hlrxYb1oV7SAcZgmPQKo8uwl47yqd5Ya85HC3AsVY
HSGYjsHrTS8QlQIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTkjsL2
BVqZImdt+VxEo+9b7fymQzAfBgNVHSMEGDAWgBTkjsL2BVqZImdt+VxEo+9b7fym
QzANBgkqhkiG9w0BAQUFAAOCAQEAC7y75ST8tOFp6VOhTTdjGxGU+FJhKNikYCfw
TL5bzjSpmzBXcy5ep+klxVtLyU0KJeuAwep9g6bPlYQP44vshsZEIH4EV5b9Ztzh
FnKfd0jeP0GLhQiQYDkvpNAu/uMbT4+/3jhM3mJoslDZDl7x7MF4FQU0N7fzRj/Y
/XNzA6DWllQs62Up5WcqQJes0NeTKXyLoDH9Mf1W7hLHWLxr5bY3xD2MdrdDTtp1
KxPZVcFaBpI+hVHfi5jhLXBK0I8jgHqQLxjhp8TfIy6U4m4KpdlOvET2R55Lttrs
SFP+fy+e3IO9wMXmQKQJdj3ArieW0hkmz9xTYIRm5vS494gi6Q==
-----END CERTIFICATE-----

Retrieve signing certificates

GET /OS-SIMPLE-CERT/certificates

Relationship: http://docs.openstack.org/api/openstack-identity/3/ext/OS-SIMPLE-CERT/1.0/rel/certificates

Fetches the certificates containing the public key for the private key that has been used to sign tokens.

In an environment with multiple token signers this call will return all valid certificates.

Status: 200 OK
Content-Type: application/x-pem-file

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Unset, L=Unset, O=Unset, CN=www.example.com
        Validity
            Not Before: Dec  9 01:30:50 2013 GMT
            Not After : Dec  7 01:30:50 2023 GMT
        Subject: C=US, ST=Unset, O=Unset, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:a1:9a:00:3f:52:16:63:87:f7:7c:fb:27:ef:
                    04:7b:b3:f8:59:e3:d1:79:cc:22:af:f2:02:5c:d7:
                    0f:e8:53:bd:5c:db:a4:93:98:62:25:ad:c9:6e:60:
                    37:98:29:c6:e7:0b:3d:b6:64:f6:ad:58:96:e3:87:
                    af:2a:a4:17:ef:31:3c:60:ef:97:27:db:5e:83:95:
                    5b:4f:d6:4b:e8:34:c9:ff:d9:79:bc:f6:7c:db:dc:
                    d4:91:1b:3d:61:53:54:95:7e:1d:71:dd:9d:cb:39:
                    e3:ba:ed:39:f4:27:48:60:1b:8d:82:c8:65:e5:a1:
                    30:ff:83:bc:84:e8:35:3a:a5:c2:27:7c:84:15:1b:
                    91:27:34:44:9d:af:b1:cb:14:54:e0:52:d3:ce:b4:
                    03:b7:4c:63:f7:aa:3f:1d:aa:17:ac:2b:81:ec:ad:
                    e5:30:ac:fa:08:25:00:50:dc:0c:1c:bd:6c:38:eb:
                    30:55:5a:e0:ca:11:a8:57:a5:db:65:78:5b:58:76:
                    f4:01:52:87:4f:d5:a1:80:77:66:8a:2c:d8:77:92:
                    11:49:b6:00:fd:28:85:80:23:d7:87:8a:50:15:7d:
                    07:2a:6f:44:dc:83:cf:f1:67:5e:8a:9c:b7:2a:2e:
                    f3:e9:4d:9a:33:9d:e5:1d:7d:3a:9b:ce:80:f4:78:
                    d7:55
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                D5:50:6E:6A:AA:8E:21:36:44:28:D4:AB:E4:D3:01:09:D7:BC:CB:73
            X509v3 Authority Key Identifier:
                keyid:E4:8E:C2:F6:05:5A:99:22:67:6D:F9:5C:44:A3:EF:5B:ED:FC:A6:43

    Signature Algorithm: sha1WithRSAEncryption
         80:60:ef:84:25:e9:02:ea:1e:da:70:fe:0b:b6:15:69:27:15:
         0a:8e:5e:69:7b:b3:af:91:0e:78:08:37:98:56:be:eb:60:af:
         7e:6b:e3:62:eb:dc:86:9f:9b:20:81:32:75:05:32:c9:f7:7b:
         2b:32:00:10:83:07:a0:e2:f4:81:63:5e:50:e7:5b:00:67:a6:
         19:54:ea:31:9a:02:a8:f1:fa:92:5b:e1:13:23:a1:28:5c:8e:
         64:03:22:16:02:d2:a5:52:aa:34:39:ab:70:0c:46:77:53:5b:
         07:71:41:0a:0b:a8:76:2c:45:e6:38:3b:aa:ee:dc:ca:8b:2f:
         85:18:57:0a:e3:cf:3d:cc:a8:46:5a:4b:42:14:e8:66:10:8a:
         91:79:c1:2e:27:5f:b1:60:5a:d1:5e:d5:98:c7:11:fe:da:89:
         ee:7b:24:e4:19:7a:5f:56:ba:63:70:31:01:87:8d:7a:90:88:
         14:4f:a1:23:46:0e:3b:df:33:01:98:53:71:d6:f4:25:37:52:
         ff:43:b8:60:03:65:29:98:45:a8:da:62:a3:be:66:bf:59:68:
         2c:50:3d:de:36:e9:75:8a:d3:69:a2:74:3c:80:c1:fe:cf:53:
         4f:46:28:fe:f9:b0:a9:6a:db:2a:30:9a:e7:b5:c0:cc:0b:d6:
         39:b8:6b:ee
-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzEO
MAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEY
MBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTEzMTIwOTAxMzA1MFoXDTIzMTIw
NzAxMzA1MFowRzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQK
DAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA2qGaAD9SFmOH93z7J+8Ee7P4WePRecwir/ICXNcP
6FO9XNukk5hiJa3JbmA3mCnG5ws9tmT2rViW44evKqQX7zE8YO+XJ9teg5VbT9ZL
6DTJ/9l5vPZ829zUkRs9YVNUlX4dcd2dyznjuu059CdIYBuNgshl5aEw/4O8hOg1
OqXCJ3yEFRuRJzREna+xyxRU4FLTzrQDt0xj96o/HaoXrCuB7K3lMKz6CCUAUNwM
HL1sOOswVVrgyhGoV6XbZXhbWHb0AVKHT9WhgHdmiizYd5IRSbYA/SiFgCPXh4pQ
FX0HKm9E3IPP8Wdeipy3Ki7z6U2aM53lHX06m86A9HjXVQIDAQABo00wSzAJBgNV
HRMEAjAAMB0GA1UdDgQWBBTVUG5qqo4hNkQo1Kvk0wEJ17zLczAfBgNVHSMEGDAW
gBTkjsL2BVqZImdt+VxEo+9b7fymQzANBgkqhkiG9w0BAQUFAAOCAQEAgGDvhCXp
Auoe2nD+C7YVaScVCo5eaXuzr5EOeAg3mFa+62CvfmvjYuvchp+bIIEydQUyyfd7
KzIAEIMHoOL0gWNeUOdbAGemGVTqMZoCqPH6klvhEyOhKFyOZAMiFgLSpVKqNDmr
cAxGd1NbB3FBCguodixF5jg7qu7cyosvhRhXCuPPPcyoRlpLQhToZhCKkXnBLidf
sWBa0V7VmMcR/tqJ7nsk5Bl6X1a6Y3AxAYeNepCIFE+hI0YOO98zAZhTcdb0JTdS
/0O4YANlKZhFqNpio75mv1loLFA93jbpdYrTaaJ0PIDB/s9TT0Yo/vmwqWrbKjCa
57XAzAvWObhr7g==
-----END CERTIFICATE-----

HTTP Status Codes

The following codes are used to indicate success or failure conditions.

200 OK

Certificates are successfully found and returned.

403 Forbidden

There are no certificates to be returned. This typically indicates that keystone is using UUID tokens, so no certificates are available.

500 Internal Server Error

An error was produced on the server. A typical example is a server configured to use PKI tokens but misconfigured so that the certificates could not be found.
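As an added example (not part of the keystone spec or its code), the following stdlib-only Python client parses both response shapes shown above, keeping only the data between the BEGIN/END markers, and maps the documented status codes when fetching /OS-SIMPLE-CERT/ca or /OS-SIMPLE-CERT/certificates. The v3 base URL passed to fetch_certificates is assumed to be supplied by the caller, and the sample response at the bottom is constructed, not a real keystone reply.

```python
import base64
import binascii
import re
import urllib.error
import urllib.request

# One PEM certificate block. A textual dump preceding a block (as in the
# /certificates example above) lies outside the markers and is ignored.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_pem_chain(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in an OS-SIMPLE-CERT body."""
    chain = []
    for match in _PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())  # drop line breaks and indents
        try:  # strict decoding: a corrupted or truncated block fails loudly
            chain.append(base64.b64decode(body, validate=True))
        except binascii.Error as exc:
            raise ValueError("malformed PEM certificate block") from exc
    return chain

def fetch_certificates(v3_base_url: str, resource: str) -> list[bytes]:
    """GET <v3_base_url>/OS-SIMPLE-CERT/<resource> ('ca' or 'certificates')."""
    url = f"{v3_base_url.rstrip('/')}/OS-SIMPLE-CERT/{resource}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            chain = parse_pem_chain(resp.read().decode("ascii"))
    except urllib.error.HTTPError as err:
        if err.code == 403:  # documented: no certificates (e.g. UUID tokens)
            return []
        raise  # 500 and anything else propagates to the caller
    if not chain:  # 200 with no PEM blocks is a misconfiguration, not success
        raise ValueError(f"{url} returned no certificate blocks")
    return chain

# Constructed sample (not from a real keystone): two fake DER payloads, the
# second preceded by the kind of textual dump shown in the page's example.
CONSTRUCTED_DER = [b"constructed DER placeholder: CA",
                   b"constructed DER placeholder: signer"]

def _pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

CONSTRUCTED_RESPONSE = (_pem(CONSTRUCTED_DER[0])
                        + "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
                        + _pem(CONSTRUCTED_DER[1]))
```

Verifying that each signing certificate from /certificates actually chains to the result of /ca is left to whichever X.509 library the caller uses; this code only extracts the DER payloads.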