symmetric Use Cases
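#!/usr/bin/env bash
# Use Case 1:
# Generate and store a random symmetric key for use in AES-256-CBC encryption using POST+PUT
# User Format: A file containing random bytes.
# Transfer Format: None - File does not need to be encoded for transfer.
# Content-Type: application/octet-stream
# Note that the content-type (media-type? [1]) is used in the PUT as "Content-Type: application/octet-stream"
# and again when retrieving the file in the GET as "Accept: application/octet-stream"
# Expected Format from Barbican: Identical file with the same random bytes
#
# The responses observed in the original run are kept below as comments so the
# file stays a runnable transcript; the secret_ref UUID is the one seen then and
# must be replaced with the one returned by the POST when the script is re-run.
set -euo pipefail

# The token travels in argv, so it shows up in `ps` output and shell history,
# and `curl -vv` additionally prints the outgoing X-Auth-Token header on stderr.
: "${TOKEN:?set TOKEN to a valid Keystone token before running}"

# Key material is written to the working directory: restrict it to the owner.
umask 077

# Create an encryption_key file with 256 bits of random data
dd bs=32 count=1 if=/dev/urandom of=encryption_key
# dd reports a short read as success; make sure we really got 32 bytes.
[[ "$(wc -c < encryption_key)" -eq 32 ]] || { printf 'short read from /dev/urandom\n' >&2; exit 1; }

# Submit metadata-only POST
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"name": "AES Encryption Key",
       "secret_type": "symmetric",
       "algorithm": "AES",
       "bit_length": 256,
       "mode": "CBC"}' \
  http://localhost:9311/v1/secrets | python -m json.tool
# Response
# {
#     "secret_ref": "http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf"
# }

# GET metadata
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/json' \
  http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf | python -m json.tool
# Response
# Note that content_types is currently missing (should be null?).
# This is how you know that the secret does not have a payload yet.
# {
#     "algorithm": "AES",
#     "bit_length": 256,
#     "created": "2015-04-09T18:18:43.549064",
#     "creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
#     "expiration": null,
#     "mode": "CBC",
#     "name": "AES Encryption Key",
#     "secret_ref": "http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf",
#     "secret_type": "symmetric",
#     "status": "ACTIVE",
#     "updated": "2015-04-09T18:18:43.549064"
# }

# Submit payload via PUT
# Note that the request uses "Content-Type: application/octet-stream" to describe the secret.
# --data-binary sends the file bytes untouched (plain -d would strip newlines).
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/octet-stream' \
  --data-binary @encryption_key \
  http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf
# Response
# 204 No Content

# GET metadata
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/json' \
  http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf | python -m json.tool
# Response
# Note that this time content_types lists "application/octet-stream"
# because that is what the user provided in the PUT
# {
#     "algorithm": "AES",
#     "bit_length": 256,
#     "content_types": {
#         "default": "application/octet-stream"
#     },
#     "created": "2015-04-09T18:18:43.549064",
#     "creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
#     "expiration": null,
#     "mode": "CBC",
#     "name": "AES Encryption Key",
#     "secret_ref": "http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf",
#     "secret_type": "symmetric",
#     "status": "ACTIVE",
#     "updated": "2015-04-09T20:09:35.463665"
# }

# Retrieve secret
# Note that the default content-type is used in the Accept header. In fact, if
# the Accept header is something that is not listed in the content_types in the
# metadata, then barbican will respond with 406 - Not Acceptable.
# The file is written under the same umask as encryption_key.
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/octet-stream' \
  -o retrieved_key \
  http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf/payload
# Response
# 200 OK

# The retrieved file should be identical to the initial file.
# cmp exits non-zero (and, under set -e, ends the script) on the first differing byte.
cmp encryption_key retrieved_key   # prints nothing when the files match

# [1] http://www.iana.org/assignments/media-types/media-types.xhtml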
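#!/usr/bin/env bash
# Use Case 2:
# Generate and store a random symmetric key for use in AES-256-CBC encryption using single POST
# User Format: A file containing random bytes.
# Transfer Format: base64 encoding of the file
# Content-Type: application/octet-stream
# Expected Format from Barbican: Identical file with the same random bytes.
#
# The responses observed in the original run are kept below as comments so the
# file stays a runnable transcript; the secret_ref UUID is the one seen then and
# must be replaced with the one returned by the POST when the script is re-run.
set -euo pipefail

# The token travels in argv, so it shows up in `ps` output and shell history,
# and `curl -vv` additionally prints the outgoing X-Auth-Token header on stderr.
: "${TOKEN:?set TOKEN to a valid Keystone token before running}"

# Key material is written to the working directory: restrict it to the owner.
umask 077

# Create an encryption_key file with 256 bits of random data
dd bs=32 count=1 if=/dev/urandom of=encryption_key
# dd reports a short read as success; make sure we really got 32 bytes.
[[ "$(wc -c < encryption_key)" -eq 32 ]] || { printf 'short read from /dev/urandom\n' >&2; exit 1; }

# Encode the contents of the encryption_key using base64 encoding for transfer.
# 32 bytes encode to 44 characters, below the 76-column wrap some base64
# implementations apply, so the value is a single line; the base64 alphabet
# contains no characters that need escaping inside a JSON string.
KEY_BASE64=$(base64 < encryption_key)

# Submit the encoded blob inside the JSON for the POST request
# Note that the payload_content_type is still application/octet-stream as in the PUT
# in Use Case 1.
# Note also that the payload_content_encoding is base64 to indicate that a transfer
# encoding was used. (Perhaps payload_content_encoding is misleading,
# and payload_transfer_encoding would be better?)
# The encoded key is spliced into the request body, so it also appears in the
# `curl -vv` request dump on stderr.
curl -vv -H "X-Auth-Token: $TOKEN" -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"name": "AES encryption key",
       "secret_type": "symmetric",
       "payload": "'"$KEY_BASE64"'",
       "payload_content_type": "application/octet-stream",
       "payload_content_encoding": "base64",
       "algorithm": "AES",
       "bit_length": 256,
       "mode": "CBC"}' \
  http://localhost:9311/v1/secrets | python -m json.tool
# Response
# {
#     "secret_ref": "http://localhost:9311/v1/secrets/a8cb503d-4282-4ef6-8651-706d757d5109"
# }

# GET metadata
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/json' \
  http://localhost:9311/v1/secrets/a8cb503d-4282-4ef6-8651-706d757d5109 | python -m json.tool
# Response
# Note that content_types only lists application/octet-stream just like in Use Case 1.
# Note also that base64 was only used for transfer, so there is no mention
# of it in the metadata.
# {
#     "algorithm": "AES",
#     "bit_length": 256,
#     "content_types": {
#         "default": "application/octet-stream"
#     },
#     "created": "2015-04-09T20:20:39.302767",
#     "creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
#     "expiration": null,
#     "mode": "CBC",
#     "name": "AES encryption key",
#     "secret_ref": "http://localhost:9311/v1/secrets/a8cb503d-4282-4ef6-8651-706d757d5109",
#     "secret_type": "symmetric",
#     "status": "ACTIVE",
#     "updated": "2015-04-09T20:20:39.305426"
# }

# Retrieve secret
# Note that the default content-type is used in the Accept header.
# NOTE(review): Use Case 1 fetches the bytes from the secret's /payload
# sub-resource, while this GET uses the secret_ref itself with an
# octet-stream Accept header; confirm which form the target Barbican
# version serves before relying on it.
curl -vv -H "X-Auth-Token: $TOKEN" \
  -H 'Accept: application/octet-stream' \
  -o retrieved_key \
  http://localhost:9311/v1/secrets/a8cb503d-4282-4ef6-8651-706d757d5109
# Response
# 200 OK

# The retrieved file should be identical to the initial file.
# cmp exits non-zero (and, under set -e, ends the script) on the first differing byte.
cmp encryption_key retrieved_key   # prints nothing when the files match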