ad879a1fbc
This change adds support for certificate validation, including certificate inspection utilities. Validating a certificate requires the certificate UUID of the certificate to validate, a set of UUIDs corresponding to the set of trusted certificates needed to validate the certificate, and a user context for authentication to the key manager. A new certificate verification context is included that is used to store the set of trusted certificates once they are loaded from the key manager. This context is used to validate the signing certificate, verifying that the certificate belongs to a valid certificate chain rooted in the set of trusted certificates. All new certificate utility code is added in a new module named certificate_utils. For more information on this work, see the spec: https://review.openstack.org/#/c/488541/ SecurityImpact DocImpact Change-Id: I8d7f43fb4c0573ac3681147eac213b369bbbcb3b Implements: blueprint nova-validate-certificates
cursive
Cursive implements OpenStack-specific validation of digital signatures.
As OpenStack continues to mature, robust security controls become increasingly critical. The cursive project contains code extracted from various OpenStack projects for verifying digital signatures. Additional capabilities will be added to this project in support of various security features.
- Free software: Apache license
- Source: http://git.openstack.org/cgit/openstack/cursive
- Bugs: http://bugs.launchpad.net/cursive
Features
- TODO