bug 1069945: generate certs for the tests in one place

and doc how to install signing certificate from an external CA

Change-Id: I92feb8eaeea617211ee7132480ac7a63bf0a1bf1

doc/source/configuration.rst

@@ -111,6 +111,85 @@ The values that specify where to read the certificates are under the
 * ``valid_days`` - Default is ``3650``
 * ``ca_password``  - Password required to read the ca_file. Default is None
 
+Signing Certificate Issued by External CA
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You may use a signing certificate issued by an external CA instead of generated
+by keystone-manage. However, certificate issued by external CA must satisfy
+the following conditions:
+
+* all certificate and key files must be in Privacy Enhanced Mail (PEM) format
+* private key files must not be protected by a password
+
+When using signing certificate issued by an external CA, you do not need to
+specify ``key_size``, ``valid_days``, and ``ca_password`` as they will be
+ignored.
+
+The basic workflow for using a signing certificate issed by an external CA involves:
+
+1. `Request Signing Certificate from External CA`_
+2. convert certificate and private key to PEM if needed
+3. `Install External Signing Certificate`_
+
+
+Request Signing Certificate from External CA
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+One way to request a signing certificate from an external CA is to first
+generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI.
+
+First create a certificate request configuration file (e.g. ``cert_req.conf``)::
+
+    [ req ]
+    default_bits            = 1024
+    default_keyfile         = keystonekey.pem
+    default_md              = sha1
+
+    prompt                  = no
+    distinguished_name      = distinguished_name
+
+    [ distinguished_name ]
+    countryName             = US
+    stateOrProvinceName     = CA
+    localityName            = Sunnyvale
+    organizationName        = OpenStack
+    organizationalUnitName  = Keystone
+    commonName              = Keystone Signing
+    emailAddress            = keystone@openstack.org
+
+Then generate a CRS with OpenSSL CLI. **Do not encrypt the generated private
+key. Must use the -nodes option.**
+
+For example::
+
+    openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
+
+
+If everything is successfully, you should end up with ``signing_cert_req.pem``
+and ``signing_key.pem``. Send ``signing_cert_req.pem`` to your CA to request a token signing certificate and make sure to ask the certificate to be in PEM format. Also, make sure your trusted CA certificate chain is also in PEM format.
+
+
+Install External Signing Certificate
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Assuming you have the following already:
+
+* ``signing_cert.pem`` - (Keystone token) signing certificate in PEM format
+* ``signing_key.pem`` - corresponding (non-encrypted) private key in PEM format
+* ``cacert.pem`` - trust CA certificate chain in PEM format
+
+Copy the above to your certificate directory. For example::
+
+    mkdir -p /etc/keystone/ssl/certs
+    cp signing_cert.pem /etc/keystone/ssl/certs/
+    cp signing_key.pem /etc/keystone/ssl/certs/
+    cp cacert.pem /etc/keystone/ssl/certs/
+    chmod -R 700 /etc/keystone/ssl/certs
+
+**Make sure the certificate directory is root-protected.**
+
+If your certificate directory path is different from the default ``/etc/keystone/ssl/certs``, make sure it is reflected in the ``[signing]`` section of the
+configuration file.
 
 
 Service Catalog
@@ -229,16 +308,16 @@ SSL
 Keystone may be configured to support 2-way SSL out-of-the-box.  The x509
 certificates used by Keystone must be obtained externally and configured for use
 with Keystone as described in this section.  However, a set of sample certficates
-is provided in the examples/ssl directory with the Keystone distribution for testing.
+is provided in the examples/pki/certs and examples/pki/private directories with the Keystone distribution for testing.
 Here is the description of each of them and their purpose:
 
 Types of certificates
 ^^^^^^^^^^^^^^^^^^^^^
 
-ca.pem
+cacert.pem
     Certificate Authority chain to validate against.
 
-keystone.pem
+ssl_cert.pem
     Public certificate for Keystone server.
 
 middleware.pem
@@ -247,7 +326,7 @@ middleware.pem
 cakey.pem
     Private key for the CA.
 
-keystonekey.pem
+ssl_key.pem
     Private key for the Keystone server.
 
 Note that you may choose whatever names you want for these certificates, or combine

examples/pki/certs/cacert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0TCCAjqgAwIBAgIJANsHKV73HYOwMA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
+VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
+dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
+CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
+ZiBTaWduZWQwIBcNMTIxMTA1MTgxODI0WhgPMjA3MTA0MzAxODE4MjRaMIGeMQow
+CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
+bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
+MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
+U2VsZiBTaWduZWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALzI17ExCaqd
+r7xY2Q5CBZ1bW1lsrXxS8eNJRdQtskDuQVAluY03/OGZd8HQYiiY/ci2tYy7BNIC
+bh5GaO95eqTDykJR3liOYE/tHbY6puQlj2ZivmhlSd2d5d7lF0/H28RQsLu9VktM
+uw6q9DpDm35jfrr8LgSeA3MdVqcS/4OhAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQEFBQADgYEAjSQND7i1dNZtLKpWgX+JqMr3BdVlM15mFeVr
+C26ZspZjZVY5okdozO9gU3xcwRe4Cg30sKFOe6EBQKpkTZucFOXwBtD3h6dWJrdD
+c+m/CL/rs0GatDavbaIT2vv405SQUQooCdVh72LYel+4/a6xmRd7fQx3iEXN9QYj
+vmHJUcA=
+-----END CERTIFICATE-----

examples/pki/certs/middleware.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgoCARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MjExMDUxODE4MjRaGA8yMDcxMDQzMDE4MTgyNFowgZAxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANRG3ZkIJ+NaY9smirkZ+Lzf1Ka18xOvc2kizemUMeAchs9h
+lP0Kpm8EBHal1vgzSuXncP8gyQ6nMZUw5NhFMZ1kLSfzoB/hCyTlIp/4VZbCAtn4
+3zlTUSgQQMH+6I4k4sZDOiIAE7yvzEMa71RkqBzduuFoeuhBm5oqmRa8kac5AgMB
+AAEwDQYJKoZIhvcNAQEFBQADgYEAJLnmyYiBDNdykLeh3+HXCOExUt49/OzomB6c
+6NWq3j7efYBfh6zCgyowx/v0hEVcxYBunTfXgOGunjx0u5X13PuLRO7Qxv6Crdy6
+st0mZ0itCsp58uGz5n+ZVhG//NiweTKw9M12Mejs0L/JGtf5gPBCFkVvrl8ffwRG
+060Ep/k=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANRG3ZkIJ+NaY9sm
+irkZ+Lzf1Ka18xOvc2kizemUMeAchs9hlP0Kpm8EBHal1vgzSuXncP8gyQ6nMZUw
+5NhFMZ1kLSfzoB/hCyTlIp/4VZbCAtn43zlTUSgQQMH+6I4k4sZDOiIAE7yvzEMa
+71RkqBzduuFoeuhBm5oqmRa8kac5AgMBAAECgYBngOI94tcoKQO1cJaFaJ964Jyc
+aO1L9OmOIvVJ5gNnpiEpbwgpVY8PZGMUwwoNXV0wumfDTmYaafVoLD35IcvtcS3D
+Tmsm+zC3ZQYzbQrIkQrtXE+y4bMwtscOTd61YDFQE++0omg3qckVu8IYSdFtTb9D
+SjSsWMnYoDmGrBqCHQJBAP2jq2I5fMPSR3LY5FdejwhyUcqs6AKyJD0BDJzIhdV6
+d0InWWss/atR4sMnOX7WKIo1m4+X+0+T2F69kj9hge8CQQDWQKTvbvlDugiziwNc
+FRl+yC7YTJ34toRFI4xbszKL3vgk4KDgfSQeoPp9KeHXmjgTfXIOwSVI83QBoL1d
+LHFXAkEAglD9VVJEEDiSDSfy6hDjXGugKon8CqaMh+tqF4PPf4eUjqC5CJ/tFYDV
+CX+1wr01xw0UCAsGTDSiDstHwNjQcQJAAkF3+xVeBnqE8O77wBJwzEbrR1e3KhEx
+31B6f9SpKZPVZP4Ac5ydrrzfJkY0nIKBKKNfegxKijQV+pZop/x5zQJASGTmKcW2
+WKj4P8PiolVlWH2ZTARSschff5wDV6nBneb5zWNgpPORrSRPl9yrYrgqk4vvjLh5
+rUiR/G65ZjmbnA==
+-----END PRIVATE KEY-----

examples/pki/certs/signing_cert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICoDCCAgkCAREwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MjExMDUxODE4MjRaGA8yMDcxMDQzMDE4MTgyNFowgY8xCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMREwDwYDVQQDEwhLZXlzdG9uZTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEA0GemENJ+fs5OaT8k4uA7ETRDA/oX/tUKCVAfxfYveHAdQqEK
+DcUbthdXTnhkBnv0OZIpxBPxwREZSZK2I/hekPrBILZ4USzozFCgudXA43QMkBlc
+uQ+VOI2/q5H4z2knxaexsBjPeIX7D9NowtTYFlOgSqCix8xWIcNW1x1En1cCAwEA
+ATANBgkqhkiG9w0BAQUFAAOBgQA/EpklfmPBW7rEoxvocRDk63gDvQ1HxhQItQDF
+9ALWdSwLtL8c3/TQzGgoKZ8+a+p7RnNEsmzNOWHTaWHL91GcRrAEhXwBtu4G/dLu
+sXguhHj9UfT+6ivFbvDF2JK9rPpKhSqTVWVnkY5JQKinDX1wFRHLQB/SVHysT+zt
+nkZ7wg==
+-----END CERTIFICATE-----

examples/pki/certs/ssl_cert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICoTCCAgoCARAwDQYJKoZIhvcNAQEFBQAwgZ4xCjAIBgNVBAUTATUxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQK
+EwlPcGVuU3RhY2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZr
+ZXlzdG9uZUBvcGVuc3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZDAgFw0x
+MjExMDUxODE4MjRaGA8yMDcxMDQzMDE4MTgyNFowgZAxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3Rh
+Y2sxETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBv
+cGVuc3RhY2sub3JnMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEB
+BQADgY0AMIGJAoGBANRG3ZkIJ+NaY9smirkZ+Lzf1Ka18xOvc2kizemUMeAchs9h
+lP0Kpm8EBHal1vgzSuXncP8gyQ6nMZUw5NhFMZ1kLSfzoB/hCyTlIp/4VZbCAtn4
+3zlTUSgQQMH+6I4k4sZDOiIAE7yvzEMa71RkqBzduuFoeuhBm5oqmRa8kac5AgMB
+AAEwDQYJKoZIhvcNAQEFBQADgYEAJLnmyYiBDNdykLeh3+HXCOExUt49/OzomB6c
+6NWq3j7efYBfh6zCgyowx/v0hEVcxYBunTfXgOGunjx0u5X13PuLRO7Qxv6Crdy6
+st0mZ0itCsp58uGz5n+ZVhG//NiweTKw9M12Mejs0L/JGtf5gPBCFkVvrl8ffwRG
+060Ep/k=
+-----END CERTIFICATE-----

examples/pki/cms/auth_token_revoked.pem

@@ -1,5 +1,5 @@
 -----BEGIN CMS-----
-MIIHAwYJKoZIhvcNAQcCoIIG9DCCBvACAQExCTAHBgUrDgMCGjCCBeQGCSqGSIb3
+MIIHVgYJKoZIhvcNAQcCoIIHRzCCB0MCAQExCTAHBgUrDgMCGjCCBeQGCSqGSIb3
 DQEHAaCCBdUEggXReyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
 cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
 LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
@@ -31,10 +31,12 @@ ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJyZXZv
 a2VkX3VzZXJuYW1lMSIsICJyb2xlc19saW5rcyI6IFsicm9sZTEiLCJyb2xlMiJd
 LCAiaWQiOiAicmV2b2tlZF91c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAi
 cm9sZTEifSwgeyJuYW1lIjogInJvbGUyIn1dLCAibmFtZSI6ICJyZXZva2VkX3Vz
-ZXJuYW1lMSJ9fX0NCjGB9zCB9AIBATBUME8xFTATBgNVBAoTDFJlZCBIYXQsIElu
-YzERMA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxCzAJ
-BgNVBAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAXstA+yZ5N/cS
-+i7Mmlhi585cckvwSVAGj9huPTpqBItpbO44+U3yUojEwcghomtpygI/wzUa8Z40
-UW/L3nGlATlOG833zhGvLKrp76GIitYMgk1e0OEmzGXeAWLnQZFev8ooMPs9rwYW
-MgEdAfDMWWqX+Tb7exdboLpRUiCQx1c=
+ZXJuYW1lMSJ9fX0NCjGCAUkwggFFAgEBMIGkMIGeMQowCAYDVQQFEwE1MQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55dmFsZTESMBAGA1UE
+ChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMGCSqGSIb3DQEJARYW
+a2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2VsZiBTaWduZWQCAREw
+BwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYDMKg2xebd6Ua2gxnNZBIHtDsRmfsGK
+tfD8k03XWWDnjrKqKtYC1BKFJAhYCGgVH8a+jhM4ye8BjUZ7F42AYdnI2CrdvDGX
+ULTe3iAW4WFrhvWB8KP2lllitY3fpbj+GyDwLqcMFALlWzYVioCzN00+MeCG8pUB
+vdK6NKiV9sCZjg==
 -----END CMS-----

examples/pki/cms/auth_token_scoped.pem

@@ -1,5 +1,5 @@
 -----BEGIN CMS-----
-MIIG7QYJKoZIhvcNAQcCoIIG3jCCBtoCAQExCTAHBgUrDgMCGjCCBc4GCSqGSIb3
+MIIHQAYJKoZIhvcNAQcCoIIHMTCCBy0CAQExCTAHBgUrDgMCGjCCBc4GCSqGSIb3
 DQEHAaCCBb8EggW7eyJhY2Nlc3MiOiB7InNlcnZpY2VDYXRhbG9nIjogW3siZW5k
 cG9pbnRzIjogW3siYWRtaW5VUkwiOiAiaHR0cDovLzEyNy4wLjAuMTo4Nzc2L3Yx
 LzY0YjZmM2ZiY2M1MzQzNWU4YTYwZmNmODliYjY2MTdhIiwgInJlZ2lvbiI6ICJy
@@ -30,11 +30,12 @@ ZSwgImRlc2NyaXB0aW9uIjogbnVsbCwgIm5hbWUiOiAidGVuYW50X25hbWUxIiwg
 ImlkIjogInRlbmFudF9pZDEifX0sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJ1c2Vy
 X25hbWUxIiwgInJvbGVzX2xpbmtzIjogWyJyb2xlMSIsInJvbGUyIl0sICJpZCI6
 ICJ1c2VyX2lkMSIsICJyb2xlcyI6IFt7Im5hbWUiOiAicm9sZTEifSwgeyJuYW1l
-IjogInJvbGUyIn1dLCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fQ0KMYH3MIH0AgEB
-MFQwTzEVMBMGA1UEChMMUmVkIEhhdCwgSW5jMREwDwYDVQQHEwhXZXN0Zm9yZDEW
-MBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkGA1UEBhMCVVMCAQEwBwYFKw4DAhow
-DQYJKoZIhvcNAQEBBQAEgYAD6hPEpc/0wHe3rYDBFec52h7gxdbrTNEN7jmwdFto
-xw0QnucmCREh9IUikJ2ob0c0uUC6cmNPajD9aFkGWhvNswNH2W2BYzUiC3CHM7U0
-7nsIe3OOatqyUAyoQUhHZnIAx1tOgdPBVflnrtdIV1vkdqxednlJZ52Hxob2PP3h
-xg==
+IjogInJvbGUyIn1dLCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fQ0KMYIBSTCCAUUC
+AQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTES
+MBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sxETAPBgNVBAsT
+CEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVuc3RhY2sub3Jn
+MRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkqhkiG9w0BAQEF
+AASBgEWUF++cnK20YBvO8kcIsVkCsg3M+oVAHGleCQZr8ho2yvgQ06hlPYl95Ih6
++wIHsUlO1EUxCmNBAdydGDzuonWvkHMN/KMv/PW4EbiuawpvqYYLxqRg3ADjIMNl
+fxcgEbY34WAe3dYs2IAGiN70jFbqTr3ltxWHRTeeAqeltio9
 -----END CMS-----

examples/pki/cms/auth_token_unscoped.pem

@@ -0,0 +1,17 @@
+-----BEGIN CMS-----
+MIICpwYJKoZIhvcNAQcCoIICmDCCApQCAQExCTAHBgUrDgMCGjCCATUGCSqGSIb3
+DQEHAaCCASYEggEieyJhY2Nlc3MiOiB7InRva2VuIjogeyJleHBpcmVzIjogIjIw
+MTItMDgtMTdUMTU6MzU6MzRaIiwgImlkIjogIjAxZTAzMmM5OTZlZjQ0MDZiMTQ0
+MzM1OTE1YTQxZTc5In0sICJzZXJ2aWNlQ2F0YWxvZyI6IHt9LCAidXNlciI6IHsi
+dXNlcm5hbWUiOiAidXNlcl9uYW1lMSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQi
+OiAiYzljODllM2JlM2VlNDUzZmJmMDBjNzk2NmY2ZDNmYmQiLCAicm9sZXMiOiBb
+eyduYW1lJzogJ3JvbGUxJ30seyduYW1lJzogJ3JvbGUyJ30sXSwgIm5hbWUiOiAi
+dXNlcl9uYW1lMSJ9fX0xggFJMIIBRQIBATCBpDCBnjEKMAgGA1UEBRMBNTELMAkG
+A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNV
+BAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEW
+FmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVkAgER
+MAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAvJ19wdrQi3umLzaUAt1Ju9Vrr0m9
+vvMEACRBGSiJB8J3R0VaSOqMb6QQYUhddrcaBX70roTA0W0fwU5vNShcTC/zvHSH
+uj8FpotvJLj0YiVzzhpYzKXN6vqBIryhKm5SE6MXBmRULuyPSpIGgLCYlAIaOwdD
+5s96C9aQukos8sU=
+-----END CMS-----

examples/pki/cms/revocation_list.pem

@@ -0,0 +1,12 @@
+-----BEGIN CMS-----
+MIIB2QYJKoZIhvcNAQcCoIIByjCCAcYCAQExCTAHBgUrDgMCGjBpBgkqhkiG9w0B
+BwGgXARaeyJyZXZva2VkIjpbeyJpZCI6IjdhY2ZjZmRhZjZhMTRhZWJlOTdjNjFj
+NTk0N2JjNGQzIiwiZXhwaXJlcyI6IjIwMTItMDgtMTRUMTc6NTg6NDhaIn1dfQ0K
+MYIBSTCCAUUCAQEwgaQwgZ4xCjAIBgNVBAUTATUxCzAJBgNVBAYTAlVTMQswCQYD
+VQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMRIwEAYDVQQKEwlPcGVuU3RhY2sx
+ETAPBgNVBAsTCEtleXN0b25lMSUwIwYJKoZIhvcNAQkBFhZrZXlzdG9uZUBvcGVu
+c3RhY2sub3JnMRQwEgYDVQQDEwtTZWxmIFNpZ25lZAIBETAHBgUrDgMCGjANBgkq
+hkiG9w0BAQEFAASBgK0KiADUUObQfhVE/zfyqQI/ROjRODXonVwAJE3WydMHHdXa
+TwY/wVTaK0PwvrM/uIph6KOxwH4QelP3V1zRh0SJKERHK1ftJ8xCSxQ4zFwtFzG4
+JTiPDhQcSi1swrUqy6WfVthCJKrLuTnqCP4bTE4bC8DNzMNvilRylNxSQK4g
+-----END CMS-----

examples/pki/gen_pki.sh

@@ -20,6 +20,7 @@ DIR=`dirname "$0"`
 CURRENT_DIR=`cd "$DIR" && pwd`
 CERTS_DIR=$CURRENT_DIR/certs
 PRIVATE_DIR=$CURRENT_DIR/private
+CMS_DIR=$CURRENT_DIR/cms
 
 
 function rm_old {
@@ -63,7 +64,7 @@ basicConstraints        = critical,CA:true
 ' > ca.conf
 }
 
-function generate_req_conf {
+function generate_ssl_req_conf {
   echo '
 [ req ]
 default_bits            = 1024
@@ -81,7 +82,28 @@ organizationName        = OpenStack
 organizationalUnitName  = Keystone
 commonName              = localhost
 emailAddress            = keystone@openstack.org
-' > req.conf
+' > ssl_req.conf
+}
+
+function generate_cms_signing_req_conf {
+  echo '
+[ req ]
+default_bits            = 1024
+default_keyfile         = keystonekey.pem
+default_md              = sha1
+
+prompt                  = no
+distinguished_name      = distinguished_name
+
+[ distinguished_name ]
+countryName             = US
+stateOrProvinceName     = CA
+localityName            = Sunnyvale
+organizationName        = OpenStack
+organizationalUnitName  = Keystone
+commonName              = Keystone
+emailAddress            = keystone@openstack.org
+' > cms_signing_req.conf
 }
 
 function generate_signing_conf {
@@ -94,7 +116,7 @@ dir             = .
 database        = $dir/index.txt
 new_certs_dir   = $dir/newcerts
 
-certificate     = $dir/certs/ca.pem
+certificate     = $dir/certs/cacert.pem
 serial          = $dir/serial
 private_key     = $dir/private/cakey.pem
 
@@ -104,8 +126,6 @@ default_md              = sha1
 
 policy                  = policy_any
 
-x509_extensions         = ca_extensions
-
 [ policy_any ]
 countryName             = supplied
 stateOrProvinceName     = supplied
@@ -114,9 +134,6 @@ organizationName        = supplied
 organizationalUnitName  = supplied
 emailAddress            = supplied
 commonName              = supplied
-
-[ ca_extensions ]
-basicConstraints        = critical,CA:true
 ' > signing.conf
 }
 
@@ -140,40 +157,66 @@ function check_error {
 
 function generate_ca {
   echo 'Generating New CA Certificate ...'
-  openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/ca.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+  openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
   check_error $?
 }
 
-function cert_req {
-  echo 'Generating Certificate Request ...'
-  generate_req_conf
-  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/keystonekey.pem -keyform PEM -out req.pem -outform PEM -config req.conf -nodes
+function ssl_cert_req {
+  echo 'Generating SSL Certificate Request ...'
+  generate_ssl_req_conf
+  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
   check_error $?
   #openssl req -in req.pem -text -noout
 }
 
-
-function issue_cert {
-  echo 'Issuing SSL Certificate ...'
-  generate_signing_conf
-  openssl ca -in req.pem -config signing.conf -batch
+function cms_signing_cert_req {
+  echo 'Generating CMS Signing Certificate Request ...'
+  generate_cms_signing_req_conf
+  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
   check_error $?
-  openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/keystone.pem
+  #openssl req -in req.pem -text -noout
+}
+
+function issue_certs {
+  generate_signing_conf
+  echo 'Issuing SSL Certificate ...'
+  openssl ca -in ssl_req.pem -config signing.conf -batch
+  check_error $?
+  openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
+  check_error $?
+  echo 'Issuing CMS Signing Certificate ...'
+  openssl ca -in cms_signing_req.pem -config signing.conf -batch
+  check_error $?
+  openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
   check_error $?
 }
 
 function create_middleware_cert {
-  cp $CERTS_DIR/keystone.pem $CERTS_DIR/middleware.pem
-  cat $PRIVATE_DIR/keystonekey.pem >> $CERTS_DIR/middleware.pem
+  cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
+  cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
 }
 
+function check_openssl {
+  echo 'Checking openssl availability ...'
+  which openssl
+  check_error $?
+}
 
-echo $CURRENT_DIR
+function gen_sample_cms {
+  for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"
+  do
+    openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
+  done
+}
+
+check_openssl
 rm_old
 cleanup
 setup
 generate_ca
-cert_req
-issue_cert
+ssl_cert_req
+cms_signing_cert_req
+issue_certs
 create_middleware_cert
+gen_sample_cms
 cleanup

examples/pki/private/cakey.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALzI17ExCaqdr7xY
+2Q5CBZ1bW1lsrXxS8eNJRdQtskDuQVAluY03/OGZd8HQYiiY/ci2tYy7BNICbh5G
+aO95eqTDykJR3liOYE/tHbY6puQlj2ZivmhlSd2d5d7lF0/H28RQsLu9VktMuw6q
+9DpDm35jfrr8LgSeA3MdVqcS/4OhAgMBAAECgYEAjY9xJd5mqDicCXj6MhXRzgAu
+TK0QnhQ4a72LDiLB8qx171qKe9mK18RTp9LReC3Yx8Qx+PhYEf5egnc7wq7uBgsk
+wAE7bPXBPRoxFxDHtZDRASAhWxX0gkfyO3uIy88HIiQlu51v1O4mSVyNpOZFnY2b
+ygLw8lg4AUJibSwE+50CQQDjWKluxXnifqoCn18BeT0FokBmV6ZLnRvHaroJP73O
+kPDINiBRPxDpX1cQpQ4hXkjSRM9RrUa4Z6hAEmAUGcoPAkEA1JP7omqY6bRH+tmE
+fM503jP5YiGNPB2UJRDPTXnbylII+pwf+hP0aW+2hnjm0cTAJ2yBNd9UnclLBsFO
+yABHTwJBAJIvp7s3tfkjE3TeP7v11nwx6ZElWSQT4RHomblqyET0RC+pRjyX/eri
+SFzGlYB1XQQABQNzFR9sX+7bIfaq4pcCQCHs1/zMnEi3z8D109IDNN19V/BUQHD2
+m3zq2NqZdv0r6GjuX6AObTQicvO0+clCaBQimeBaGuvvgvy5/vOmL7sCQQDgFxy/
+Yn5c6/jZDf2Vd/Jdk9tdV7147nC/A93c08BIWhD+jgPe/eIYMch61y7VczXizlb7
+M/BPhTX0/4yrL5Pg
+-----END PRIVATE KEY-----

examples/pki/private/signing_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANBnphDSfn7OTmk/
+JOLgOxE0QwP6F/7VCglQH8X2L3hwHUKhCg3FG7YXV054ZAZ79DmSKcQT8cERGUmS
+tiP4XpD6wSC2eFEs6MxQoLnVwON0DJAZXLkPlTiNv6uR+M9pJ8WnsbAYz3iF+w/T
+aMLU2BZToEqgosfMViHDVtcdRJ9XAgMBAAECgYAqcJEO5+6+oACzyhoW4ZblwADN
+tIZibLvofZqa07GDE0HCKc1EVJl6EXLEFhw4fdGUT8GVnoIi0PqXUvsohBGtkmpM
+Ee+Yj5ii7VEL75Z5zzJZ50CM7vI0AqZ2WMIITjgsrMKdBh0tHolTCqenqv1t2/OZ
+dwAgPG1C90VsPgLW4QJBAOvuCwOZwAOlIygeSYfl9/aQuIQzP5yIQbv95Z+jeyii
+ly29FrPqhZvU4+hS7xUnT8X1d5XemsQTScoE/lF3LEkCQQDiIi5crENMdYX60ax7
+/6U25Ej0XyQ3Gt8ryYDoPIaeWSlRV5TQnYfY9CdQqJmTyBWYHNBOhjHupNX4AgWJ
+8y6fAkEAlYNZP4LkCGtSiE4JUzINnhfAlybTHSPMZJJWPoCfv/Sp0baO+J2a5lJX
+zBcipEkxaMZSbouPkMqYbIoVkRLw4QJAD8y5looGrbnsYYjy1zsWbQ5oNoLLQfpj
+q2iJ1DAea8PpCiDnaegHzNXKRW1yRYwOTjF9MG9Z38WumYRypJ/UGwJBAJShOlyg
+AA3ob9ajlJ3/NMNbIrVbDuG1c14HVHarnF9nrf8wmjACXP/rjFZo9tVAbQjG6kXH
+41oYgyhOVRYT578=
+-----END PRIVATE KEY-----

examples/pki/private/ssl_key.pem

@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANRG3ZkIJ+NaY9sm
+irkZ+Lzf1Ka18xOvc2kizemUMeAchs9hlP0Kpm8EBHal1vgzSuXncP8gyQ6nMZUw
+5NhFMZ1kLSfzoB/hCyTlIp/4VZbCAtn43zlTUSgQQMH+6I4k4sZDOiIAE7yvzEMa
+71RkqBzduuFoeuhBm5oqmRa8kac5AgMBAAECgYBngOI94tcoKQO1cJaFaJ964Jyc
+aO1L9OmOIvVJ5gNnpiEpbwgpVY8PZGMUwwoNXV0wumfDTmYaafVoLD35IcvtcS3D
+Tmsm+zC3ZQYzbQrIkQrtXE+y4bMwtscOTd61YDFQE++0omg3qckVu8IYSdFtTb9D
+SjSsWMnYoDmGrBqCHQJBAP2jq2I5fMPSR3LY5FdejwhyUcqs6AKyJD0BDJzIhdV6
+d0InWWss/atR4sMnOX7WKIo1m4+X+0+T2F69kj9hge8CQQDWQKTvbvlDugiziwNc
+FRl+yC7YTJ34toRFI4xbszKL3vgk4KDgfSQeoPp9KeHXmjgTfXIOwSVI83QBoL1d
+LHFXAkEAglD9VVJEEDiSDSfy6hDjXGugKon8CqaMh+tqF4PPf4eUjqC5CJ/tFYDV
+CX+1wr01xw0UCAsGTDSiDstHwNjQcQJAAkF3+xVeBnqE8O77wBJwzEbrR1e3KhEx
+31B6f9SpKZPVZP4Ac5ydrrzfJkY0nIKBKKNfegxKijQV+pZop/x5zQJASGTmKcW2
+WKj4P8PiolVlWH2ZTARSschff5wDV6nBneb5zWNgpPORrSRPl9yrYrgqk4vvjLh5
+rUiR/G65ZjmbnA==
+-----END PRIVATE KEY-----

examples/ssl/certs/ca.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIC0TCCAjqgAwIBAgIJAMyVAS1JB/DRMA0GCSqGSIb3DQEBBQUAMIGeMQowCAYD
-VQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1bm55
-dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTElMCMG
-CSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxMLU2Vs
-ZiBTaWduZWQwIBcNMTIxMDIyMTk0OTA0WhgPMjA3MTA0MTYxOTQ5MDRaMIGeMQow
-CAYDVQQFEwE1MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVN1
-bm55dmFsZTESMBAGA1UEChMJT3BlblN0YWNrMREwDwYDVQQLEwhLZXlzdG9uZTEl
-MCMGCSqGSIb3DQEJARYWa2V5c3RvbmVAb3BlbnN0YWNrLm9yZzEUMBIGA1UEAxML
-U2VsZiBTaWduZWQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANKsTxsxbBGA
-GzglqerOOnNw76g/U/ltb6RugEnfD3nBOBGT3zXW+8i0XVzCPdYsIjaltDIGZ66N
-86QXSLOgxccYN+uHo2/ADvcc5HzH6Wi8mkzlYA+ZEx4JZZQPlaoN52/Tib487nn4
-3oldwbI9cvfpp0kzDHWx3HVil1fT6WwDAgMBAAGjEzARMA8GA1UdEwEB/wQFMAMB
-Af8wDQYJKoZIhvcNAQEFBQADgYEAK9reLm4pW0AKGhXFvn0D1fRl/5Wxp/cZ3MM2
-IHSAelTx7bp67VeBGw+SrVdVUM9K6pqmJemA+IWGXHcRE6WPEQYUI0Bs9R6MdwOt
-ws665r9WWExDztdXELsqacg/olcDiyHi0CAXPxWh/KRYSBfO3wNjOvvGTuedpnIU
-MQOy2UI=
------END CERTIFICATE-----

examples/ssl/certs/keystone.pem

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICuzCCAiSgAwIBAgIBEDANBgkqhkiG9w0BAQUFADCBnjEKMAgGA1UEBRMBNTEL
-MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQ
-BgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0B
-CQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVk
-MCAXDTEyMTAyMjE5NDkwNFoYDzIwNzEwNDE2MTk0OTA0WjCBkDELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNVBAoTCU9w
-ZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEWFmtleXN0
-b25lQG9wZW5zdGFjay5vcmcxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG
-9w0BAQEFAAOBjQAwgYkCgYEA0g+31KD6C4nVJKjl5jm5RS2UyZBqGvCFxvyKkTAs
-VK9RnVl2R9J/1p3eUP7zwdait/g+FQTlsRQQoH6Ybf9oPZpJFeotvZXH/D5a7I+t
-U8m1qLrJqd61wNad3JaubcqAa6r+wj1A7y1ZLvnzZBhZwQBXYYy3cLqTP6cTqS2u
-ezECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAD
-pZbC4E22H6C8phw9qryctY+jIG50QHJz0iJHf27IbIOELYK4VKtCkbaiOcQwMKtA
-L0SGotIM5Z6VN+72pUJUGM8EhaGYmZpfyF/+E3JSo1r41mneqdjfYy6wpnnhMlk9
-I6COsjgq6xvnlqMdS5LR24wDIK/Ftd0dx5CrmmuYog==
------END CERTIFICATE-----

examples/ssl/certs/middleware.pem

@@ -1,33 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICuzCCAiSgAwIBAgIBEDANBgkqhkiG9w0BAQUFADCBnjEKMAgGA1UEBRMBNTEL
-MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQ
-BgNVBAoTCU9wZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0B
-CQEWFmtleXN0b25lQG9wZW5zdGFjay5vcmcxFDASBgNVBAMTC1NlbGYgU2lnbmVk
-MCAXDTEyMTAyMjE5NDkwNFoYDzIwNzEwNDE2MTk0OTA0WjCBkDELMAkGA1UEBhMC
-VVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxEjAQBgNVBAoTCU9w
-ZW5TdGFjazERMA8GA1UECxMIS2V5c3RvbmUxJTAjBgkqhkiG9w0BCQEWFmtleXN0
-b25lQG9wZW5zdGFjay5vcmcxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG
-9w0BAQEFAAOBjQAwgYkCgYEA0g+31KD6C4nVJKjl5jm5RS2UyZBqGvCFxvyKkTAs
-VK9RnVl2R9J/1p3eUP7zwdait/g+FQTlsRQQoH6Ybf9oPZpJFeotvZXH/D5a7I+t
-U8m1qLrJqd61wNad3JaubcqAa6r+wj1A7y1ZLvnzZBhZwQBXYYy3cLqTP6cTqS2u
-ezECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAD
-pZbC4E22H6C8phw9qryctY+jIG50QHJz0iJHf27IbIOELYK4VKtCkbaiOcQwMKtA
-L0SGotIM5Z6VN+72pUJUGM8EhaGYmZpfyF/+E3JSo1r41mneqdjfYy6wpnnhMlk9
-I6COsjgq6xvnlqMdS5LR24wDIK/Ftd0dx5CrmmuYog==
------END CERTIFICATE-----
------BEGIN PRIVATE KEY-----
-MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANIPt9Sg+guJ1SSo
-5eY5uUUtlMmQahrwhcb8ipEwLFSvUZ1ZdkfSf9ad3lD+88HWorf4PhUE5bEUEKB+
-mG3/aD2aSRXqLb2Vx/w+WuyPrVPJtai6yanetcDWndyWrm3KgGuq/sI9QO8tWS75
-82QYWcEAV2GMt3C6kz+nE6ktrnsxAgMBAAECgYEAqcmioO7srN7ftR3/lTMbGVta
-ZAGigdvfhZMivW/epSSAJ1rkS/FM+z/nLjik9gxywZiZNYwbzCGXvuIUevRyX8Ei
-PVTggVqK449NpW+K0aFe1D9MTn1A6axznwa1/STgAr80Q/9v8L6Pqy37AfxEBdej
-ly0wZ/OMB4r6LN5hGPECQQD04EncRtsqQ5E+1pfl625vXAowjcv84ZRewhN772Ub
-/vwNiL/K5JHgKixnMfQyDbltRVk09i2tIBSywVVNI+TTAkEA25qP+llyxNgwLsZ6
-S3WwBJOL4BR7HNlhAM/rO1BiWBwkwAKbh7PWEb0pXM/H5c3TrCe1VPQ2fNXCl164
-M8BtawJBAOdYru8pEg4P370aSE+z6ZXTwty0WjADfoU3nejM9x1H/SFcPLaW0yqR
-LXohO6++P5z4k5rxqZ2SXXu0I77JVnkCQAIcbEHl1jqaMWxhsA9FpFmG6ZNP3xcZ
-59rQJNy/GxLpwliuLbySN/6XqOwhezR0VBKVlyKn7lYo3+QAnxiwQt0CQQCEQ3sJ
-lAREj2ZkImKRAFZj2uxK4cz0+wkRx6pWHyy8hil19LkaWBKbC0U6kaoUyCsDgM1O
-L70bXSvi52tgTzr6
------END PRIVATE KEY-----

examples/ssl/private/cakey.pem

@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANKsTxsxbBGAGzgl
-qerOOnNw76g/U/ltb6RugEnfD3nBOBGT3zXW+8i0XVzCPdYsIjaltDIGZ66N86QX
-SLOgxccYN+uHo2/ADvcc5HzH6Wi8mkzlYA+ZEx4JZZQPlaoN52/Tib487nn43old
-wbI9cvfpp0kzDHWx3HVil1fT6WwDAgMBAAECgYBY/FNFpzCAi93zb2VAOu/RhyiT
-pnwv5Ru9Fre1fDSrNwQZ2J31veMIObcd0SYRav7gmklsv+vXfTomW3dn+EbRNwjb
-HhhyX0fWoIBl95Z9pGgEAKCqm6ooJXcNSDAoJB573IO24dB0Trvp2BTvm8AdHN6d
-AIrQkOZbUZKRYCP6oQJBAPtwzF3pYGS4L/phohJRJnWwKd9vMOgJztwu9TWlISMn
-Mkld8ur4obRwpTpusDiIJMOLOS3b1UKk/Usy5TObbisCQQDWfkP19g5S1DeRRdnX
-Fhx7WnB6QS+D2BgB2SLOpNQeRj4RHsKhqi1t6cn8KVb7gWjOvPVgLB85wV8fa6u8
-DeWJAkBk9+XJLGcd6uyxQbWAX3/vMH+QDql39EBSILUtBpNo91t1JLnga1kcCUQA
-U+SFvv3sXCLo7GcV7QUdxmFNuPOjAkEAkt2+Fwo14I0ixzv23wlq0yOn5G4B5Nrw
-BUPyS2AdReV+1iYjyqJFnP75qMl9n5SKeRR1Rzau4tL/GPqWiptRUQJBAKoh+W92
-IrMHKlMt8yUh7BgYzImrAo+gI+r5Mqewn8G75t2kRf/JcdM6i7fwAPSuTaV/sfA/
-FYJ+N9ZGfFSBAJM=
------END PRIVATE KEY-----

examples/ssl/private/keystonekey.pem

@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANIPt9Sg+guJ1SSo
-5eY5uUUtlMmQahrwhcb8ipEwLFSvUZ1ZdkfSf9ad3lD+88HWorf4PhUE5bEUEKB+
-mG3/aD2aSRXqLb2Vx/w+WuyPrVPJtai6yanetcDWndyWrm3KgGuq/sI9QO8tWS75
-82QYWcEAV2GMt3C6kz+nE6ktrnsxAgMBAAECgYEAqcmioO7srN7ftR3/lTMbGVta
-ZAGigdvfhZMivW/epSSAJ1rkS/FM+z/nLjik9gxywZiZNYwbzCGXvuIUevRyX8Ei
-PVTggVqK449NpW+K0aFe1D9MTn1A6axznwa1/STgAr80Q/9v8L6Pqy37AfxEBdej
-ly0wZ/OMB4r6LN5hGPECQQD04EncRtsqQ5E+1pfl625vXAowjcv84ZRewhN772Ub
-/vwNiL/K5JHgKixnMfQyDbltRVk09i2tIBSywVVNI+TTAkEA25qP+llyxNgwLsZ6
-S3WwBJOL4BR7HNlhAM/rO1BiWBwkwAKbh7PWEb0pXM/H5c3TrCe1VPQ2fNXCl164
-M8BtawJBAOdYru8pEg4P370aSE+z6ZXTwty0WjADfoU3nejM9x1H/SFcPLaW0yqR
-LXohO6++P5z4k5rxqZ2SXXu0I77JVnkCQAIcbEHl1jqaMWxhsA9FpFmG6ZNP3xcZ
-59rQJNy/GxLpwliuLbySN/6XqOwhezR0VBKVlyKn7lYo3+QAnxiwQt0CQQCEQ3sJ
-lAREj2ZkImKRAFZj2uxK4cz0+wkRx6pWHyy8hil19LkaWBKbC0U6kaoUyCsDgM1O
-L70bXSvi52tgTzr6
------END PRIVATE KEY-----

tests/signing/Makefile

@@ -1,34 +0,0 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright 2012 Red Hat,. Inc
-
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-
-
-.SUFFIXES:  .json .pem
-
-SOURCES=auth_token_unscoped.json auth_token_scoped.json revocation_list.json
-SIGNED=$(SOURCES:.json=.pem)
-TARGETS=$(SIGNED)
-
-all: $(TARGETS)
-clean:
-	rm -f $(TARGETS) *~
-
-.json.pem :
-	openssl cms  -sign -in $<  -nosmimecap  -signer signing_cert.pem -inkey private_key.pem -outform PEM -nodetach -nocerts  -noattr -out $@
-
-
-

tests/signing/README

@@ -1,11 +0,0 @@
-The commands to create the various pem files for the signed tokens and
-revocation list were generated by the associated make file.
-
-The hashed value in the revocation list was generated using the revoked token using
-the following python code
-
-from keystone.common import cms,utils
-f=open("tests/signing/auth_token_revoked.pem","r")
-r=f.read()
-utils.hash_signed_token(cms.cms_to_token(r))
-f.close()

tests/signing/auth_token_unscoped.pem

@@ -1,14 +0,0 @@
------BEGIN CMS-----
-MIICLwYJKoZIhvcNAQcCoIICIDCCAhwCAQExCTAHBgUrDgMCGjCCARAGCSqGSIb3
-DQEHAaCCAQEEgf57ImFjY2VzcyI6IHsidG9rZW4iOiB7ImV4cGlyZXMiOiAiMjAx
-Mi0wOC0xN1QxNTozNTozNFoiLCAiaWQiOiAiMDFlMDMyYzk5NmVmNDQwNmIxNDQz
-MzU5MTVhNDFlNzkifSwgInNlcnZpY2VDYXRhbG9nIjoge30sICJ1c2VyIjogeyJ1
-c2VybmFtZSI6ICJ1c2VyX25hbWUxIiwgInJvbGVzX2xpbmtzIjogW10sICJpZCI6
-ICJjOWM4OWUzYmUzZWU0NTNmYmYwMGM3OTY2ZjZkM2ZiZCIsICJyb2xlcyI6IFtd
-LCAibmFtZSI6ICJ1c2VyX25hbWUxIn19fTGB9zCB9AIBATBUME8xFTATBgNVBAoT
-DFJlZCBIYXQsIEluYzERMA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1hc3Nh
-Y2h1c2V0dHMxCzAJBgNVBAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUA
-BIGAisEcxeNzNYbZPuWEEL+0SRAHjfaSFuhDHAAZ67P6LkoSN8IAio+2fqH2d1Ix
-qfUYBW/cVEYdEZ3itbR0KdDucemHFpows+eZVUe6nsV7hgMqXBmfrKyEC4PBuIoI
-/nofrwbV/R88v1jAIyrB3IbPUydXDK79lThL47rcGCeOuwI=
------END CMS-----

tests/signing/cacert.pem

@@ -1,18 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICzjCCAjegAwIBAgIJAMwBikmrmZ0sMA0GCSqGSIb3DQEBBAUAME8xFTATBgNV
-BAoTDFJlZCBIYXQsIEluYzERMA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1h
-c3NhY2h1c2V0dHMxCzAJBgNVBAYTAlVTMB4XDTEyMDUxODE5MzQ1MVoXDTIyMDUx
-NjE5MzQ1MVowTzEVMBMGA1UEChMMUmVkIEhhdCwgSW5jMREwDwYDVQQHEwhXZXN0
-Zm9yZDEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkGA1UEBhMCVVMwgZ8wDQYJ
-KoZIhvcNAQEBBQADgY0AMIGJAoGBAORnyPRzimWPxIeTJ3DEedU5hzRjzfDC8ZHP
-ZgmB81V5VUiPTB72uNf8Wh6p0mhBMSmVkmvWJNjdrGWXU/SmtVd9EFLRyLwUt9kk
-3fjEHBl7HXLc1kAwaBsmA6LGDHvxQ34zXB2hvqd5x3BwPGnzN5XUEHjIjQncLkhi
-86BqaTkhAgMBAAGjgbEwga4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUv20jLjrl
-MDv+KyKSjzuEmagGCekwfwYDVR0jBHgwdoAUv20jLjrlMDv+KyKSjzuEmagGCemh
-U6RRME8xFTATBgNVBAoTDFJlZCBIYXQsIEluYzERMA8GA1UEBxMIV2VzdGZvcmQx
-FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxCzAJBgNVBAYTAlVTggkAzAGKSauZnSww
-DQYJKoZIhvcNAQEEBQADgYEAYLM3oI2qawJpyNODliOkwRvlSsotF/2pn5EU85I5
-vGewZxrgwwy2DbK6w8EECcarOjRJwz1ZYyi8ZpATipbLTX2JtmSwiye6YjhJyU4f
-yp7jtnalLlpoDigHHWjc1jzoKDQTk7g1F/XzUBTG5rcEB24IzLXgr7vt2TU+7/nq
-KbY=
------END CERTIFICATE-----

tests/signing/private_key.pem

@@ -1,16 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKaTKHl5YfzfWUkV
-QS5O6UoBLQ+Sh/tHjXpKhsSmFXkKD4nFQiIf2X1HGdQkKFY258pVvWbVNb82LT4k
-F7r+tElQh4zzPO2f633hPs+GrrvzyDwXIKU2Y0/7aAy9mcPpHEK0ACnn0vYzF5Ax
-1FhqHmXpeNpxla4dxK1wPFNIwWgdAgMBAAECgYBTNwjtRnpxPZL5M6kQXVOmKNg+
-A1Hzcld3VGvnKaFoimIgzW6wZYDdWPvKQxXznBJHvnWUPcdP8ty/QoCoZj3h5ABA
-PaaJjsMDYzP5XzvFi1X0bWu5DZbrd5aCqCJV7qiHrAg6kfOzzqGgQULrh/LJh0nn
-1ZIDzx4o7RM9nreOAQJBANJxRNgh3msy4K72dipHewSX0ZBg0TlophfqXYuBauK0
-twIiqOtZwNmBM+bO8sYOqki/eagbzihEjcomVP+THCECQQDKor5ZKxRLPGW5t0B4
-ix85mbIHo7jkbVjcwEFEwnIZ5uLj0KD3G31UqmrocXuzJmWhwryWmwx0+BHMlhTq
-Nyx9AkEAmVZRTI75KvEqiDIrjckB2SnqWCJDsWoQRDLQMJt/T2tQQi0RGlQO0i1z
-rQU0Hp6G83UZZyXDhNHW4uolWwhNIQJAU3UT0MXdZd9KRmMjOoKSKbcTi/HyhKJE
-pybHuvoa5HAjopCauyunQuetgG6889wsn6ME6UKSrto8+nYVxyFSQQJALJ6x4AxJ
-IJJiR9lHIGQKw2SD1cty1FkSxHWcSc3CMTy3COrchI6o4wSJ/jMIRT95c09Ir5bT
-Mgus0nrjlXFl7w==
------END PRIVATE KEY-----

tests/signing/revocation_list.pem

@@ -1,11 +0,0 @@
------BEGIN CMS-----
-MIIBhgYJKoZIhvcNAQcCoIIBdzCCAXMCAQExCTAHBgUrDgMCGjBpBgkqhkiG9w0B
-BwGgXARaeyJyZXZva2VkIjpbeyJpZCI6IjdhY2ZjZmRhZjZhMTRhZWJlOTdjNjFj
-NTk0N2JjNGQzIiwiZXhwaXJlcyI6IjIwMTItMDgtMTRUMTc6NTg6NDhaIn1dfQ0K
-MYH3MIH0AgEBMFQwTzEVMBMGA1UEChMMUmVkIEhhdCwgSW5jMREwDwYDVQQHEwhX
-ZXN0Zm9yZDEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkGA1UEBhMCVVMCAQEw
-BwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYCVDgl1puOfsn2BNliKnHNsSucYI3xn
-aJvZ8UM2hg+TGgshMPhNjo1/p1VBqwyIb0+AAUnFj7fikCNE6dypvT+xX/vUgGnv
-4EJ2cqG/0PFB/8B6Tz3FSsFMhXUIRnXKKxLxMCkge1b072BapJ1FJm8sXSem5ecO
-adoOjW3kjFJk/A==
------END CMS-----

tests/signing/signing_cert.pem

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICCzCCAXQCAQEwDQYJKoZIhvcNAQEEBQAwTzEVMBMGA1UEChMMUmVkIEhhdCwg
-SW5jMREwDwYDVQQHEwhXZXN0Zm9yZDEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEL
-MAkGA1UEBhMCVVMwHhcNMTIwNTE4MTk0MTQyWhcNMTMwNTE4MTk0MTQyWjBNMQsw
-CQYDVQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEVMBMGA1UEChMMUmVk
-IEhhdCwgSW5jMQ8wDQYDVQQDEwZheW91bmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAKaTKHl5YfzfWUkVQS5O6UoBLQ+Sh/tHjXpKhsSmFXkKD4nFQiIf2X1H
-GdQkKFY258pVvWbVNb82LT4kF7r+tElQh4zzPO2f633hPs+GrrvzyDwXIKU2Y0/7
-aAy9mcPpHEK0ACnn0vYzF5Ax1FhqHmXpeNpxla4dxK1wPFNIwWgdAgMBAAEwDQYJ
-KoZIhvcNAQEEBQADgYEA1Nr9B+iTLLzlMc+8dsyJpDEzVPACVkElhVDojODfOW3p
-MD0rINb+icprJVp+zBOR0MDYtGyBFUNGLFE3z2i5gWKu/63Ge3wfC0KBLFs6UQEd
-82MQS3pBEub+4SM7XkhKajx12YgkX0ntEpNCAkm/YdGW4af5xlkViJ3cBpqWwuk=
------END CERTIFICATE-----

tests/test_auth_token_middleware.py

@@ -30,6 +30,13 @@ from keystone.openstack.common import timeutils
 from keystone import test
 
 
+CERTDIR = test.rootdir("examples/pki/certs")
+KEYDIR = test.rootdir("examples/pki/private")
+CMSDIR = test.rootdir("examples/pki/cms")
+SIGNING_CERT = os.path.join(CERTDIR, 'signing_cert.pem')
+SIGNING_KEY = os.path.join(KEYDIR, 'signing_key.pem')
+CA = os.path.join(CERTDIR, 'ca.pem')
+
 REVOCATION_LIST = None
 REVOKED_TOKEN = None
 REVOKED_TOKEN_HASH = None
@@ -145,7 +152,7 @@ TOKEN_RESPONSES = {
 # in the signing subdirectory.  In order to keep the values consistent between
 # the tests and the signed documents, we read them in for use in the tests.
 def setUpModule(self):
-    signing_path = os.path.join(os.path.dirname(__file__), 'signing')
+    signing_path = CMSDIR
     with open(os.path.join(signing_path, 'auth_token_scoped.pem')) as f:
         self.SIGNED_TOKEN_SCOPED = cms.cms_to_token(f.read())
     with open(os.path.join(signing_path, 'auth_token_unscoped.pem')) as f:
@@ -314,7 +321,7 @@ class BaseAuthTokenMiddlewareTest(test.TestCase):
             'auth_host': 'keystone.example.com',
             'auth_port': 1234,
             'auth_admin_prefix': '/testadmin',
-            'signing_dir': 'signing',
+            'signing_dir': CERTDIR,
         }
 
         self.middleware = auth_token.AuthProtocol(FakeApp(expected_env), conf)

tests/test_overrides.conf

@@ -9,6 +9,6 @@ driver = keystone.catalog.backends.templated.TemplatedCatalog
 template_file = default_catalog.templates
 
 [signing]
-certfile = signing/signing_cert.pem
-keyfile = signing/private_key.pem
-ca_certs = signing/cacert.pem
+certfile = ../examples/pki/certs/signing_cert.pem
+keyfile = ../examples/pki/private/signing_key.pem
+ca_certs = ../examples/pki/certs/cacert.pem

tests/test_ssl.py

@@ -25,11 +25,11 @@ from keystone import test
 
 CONF = config.CONF
 
-CERTDIR = test.rootdir("examples/ssl/certs")
-KEYDIR = test.rootdir("examples/ssl/private")
-CERT = os.path.join(CERTDIR, 'keystone.pem')
-KEY = os.path.join(KEYDIR, 'keystonekey.pem')
-CA = os.path.join(CERTDIR, 'ca.pem')
+CERTDIR = test.rootdir("examples/pki/certs")
+KEYDIR = test.rootdir("examples/pki/private")
+CERT = os.path.join(CERTDIR, 'ssl_cert.pem')
+KEY = os.path.join(KEYDIR, 'ssl_key.pem')
+CA = os.path.join(CERTDIR, 'cacert.pem')
 CLIENT = os.path.join(CERTDIR, 'middleware.pem')