public Use Cases
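# Use Case 1
# Generate and store the public key of an RSA 2048 keypair using POST+PUT
# User Format: openssl default public key PEM. (aka SubjectPublicKeyInfo inside a PEM file with header/footer)
# Transfer Format: None - File does not need to be encoded for transfer
# Content-Type: application/octet-stream
# Expected Format from Barbican: Identical PEM file
#
# Prerequisites: $TOKEN holds a valid auth token and Barbican answers on
# http://localhost:9311. Every curl below passes that token in X-Auth-Token,
# and -vv echoes the request headers (token included) to stderr, so drop -vv
# or redirect stderr before pasting a transcript into a ticket, log or CI job.
# The endpoint is plain http, which is acceptable for a local dev box only;
# a non-local Barbican should be reached over https so the token is not sent
# in cleartext.

# Create the RSA keypair
# private.pem is only used to derive the public key; nothing in this use case
# uploads it.
openssl genrsa -out private.pem 2048

# Extract the public key
openssl rsa -in private.pem -out public.pem -pubout

# Submit a metadata-only POST
# No payload yet: the secret is created from name/secret_type/algorithm alone
# and the key bytes are attached by the PUT further down.
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{"name": "RSA Public Key",
"secret_type": "public",
"algorithm": "RSA"}' \
http://localhost:9311/v1/secrets | python -m json.tool

# Response
# secret_ref is the handle every later request uses. The UUID below is from
# the author's run; substitute the one your own POST returns.
{
"secret_ref": "http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb"
}

# GET metadata
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb |
python -m json.tool

# Response
# Note that content_types is missing. It means the secret has no payload.
{
"algorithm": "RSA",
"bit_length": null,
"created": "2015-04-09T20:37:42.764788",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "RSA Public Key",
"secret_ref": "http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb",
"secret_type": "public",
"status": "ACTIVE",
"updated": "2015-04-09T20:37:42.764788"
}

# Submit payload via PUT
# Note that the request uses "Content-Type: application/octet-stream" to describe the
# public key in PEM format.
# --data-binary (not -d) is deliberate: curl's -d strips the newlines out of an
# @file, and the "identical PEM file" check at the end depends on the bytes
# being sent verbatim.
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/octet-stream' \
--data-binary @public.pem \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb

# Response
204 - No Content

# GET metadata
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb |
python -m json.tool

# Response
# Note that this time content_types lists "application/octet-stream"
# because that is what the user provided in the PUT
{
"algorithm": "RSA",
"bit_length": null,
"content_types": {
"default": "application/octet-stream"
},
"created": "2015-04-09T20:37:42.764788",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "RSA Public Key",
"secret_ref": "http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb",
"secret_type": "public",
"status": "ACTIVE",
"updated": "2015-04-09T20:39:47.583588"
}

# Retrieve payload
# Note that the default content-type is used in the Accept header.
# The Accept value echoes the type recorded under content_types above; -o
# writes the response body straight to a file so a byte comparison is possible.
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/octet-stream' \
-o retrieved_public.pem \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb/payload

# Response
200 OK

# The retrieved PEM file should be identical to the original PEM file
diff public.pem retrieved_public.pem # shows no difference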
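# Use Case 2
# Generate and store the public key of an RSA 2048 keypair using a single POST request.
# User Format: openssl default public key PEM
# Transfer Format: base64 encoding of the file
# Content-Type: application/octet-stream
# Expected Format from Barbican: Identical PEM file
#
# Prerequisites and caveats are the same as Use Case 1: $TOKEN is sent in
# X-Auth-Token on every request, -vv prints that header to stderr, and the
# endpoint is plain http on localhost.

# Create the RSA keypair
openssl genrsa -out private.pem 2048

# Extract the public key
openssl rsa -in private.pem -out public.pem -pubout

# Base64 encode the contents of the public key for transfer
# GNU base64 wraps its output at 76 columns by default, and those newlines
# would land inside the JSON string literal below, making the request body
# invalid JSON. tr strips them portably (works with GNU and BSD base64).
PUB_BASE64=$(base64 < public.pem | tr -d '\n')

# Submit encoded string inside JSON request in a single POST
# payload_content_encoding is set to base64 since we encoded
# the contents of the file
# The '"$PUB_BASE64"' sequence closes the single-quoted JSON, expands the
# variable inside double quotes, then reopens the single quote; this is safe
# here because base64 output never contains quotes or backslashes.
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{"name": "RSA Public Key",
"secret_type": "public",
"payload": "'"$PUB_BASE64"'",
"payload_content_type": "application/octet-stream",
"payload_content_encoding": "base64",
"algorithm": "RSA"}' \
http://localhost:9311/v1/secrets | python -m json.tool

# Response is currently 400 - bad request.
# NOTE(review): a wrapped base64 string (see the tr -d '\n' fix above) is one
# likely cause of that 400; re-test with the unwrapped value before blaming
# the server side.
# Expected response:
{
"algorithm": "RSA",
"bit_length": null,
"content_types": {
"default": "application/octet-stream"
},
"created": "2015-04-09T20:37:42.764788",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "RSA Public Key",
"secret_ref": "http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb",
"secret_type": "public",
"status": "ACTIVE",
"updated": "2015-04-09T20:39:47.583588"
}

# From this point forward it's the same workflow as Use Case 1.
# So we can retrieve the payload
# The secret_ref below is the author's sample value; use the one your POST returns.
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/octet-stream' \
-o retrieved_public.pem \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb/payload

# And the retrieved PEM file should be identical to the original PEM file
diff public.pem retrieved_public.pem # shows no difference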
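# Use Case 3 (Liberty use case?):
# Generate and store the public key of an RSA 2048 keypair using POST+PUT with custom media types.
# User Format: openssl default public key PEM or RSA Public Key format
# Transfer Format: base64 encoding of the file
# NOTE(review): the PUTs below send the raw file with --data-binary, so no
# base64 step actually appears in this use case; the line above is presumably
# carried over from Use Case 2 - confirm which is intended.
# Media-Types: application/subjectpublickeyinfo+der, application/subjectpublickeyinfo+pem,
# application/rsapublickey+pem
# Public key formats don't seem to have a standard media-type [1]. I thought about
# using the "x-" prefix, but there's an RFC out that deprecates them now. [2]
# I'm open to suggestions.
#
# Expected Format from Barbican: The format requested by the "Accept" header
#
# Prerequisites and caveats are the same as Use Case 1: $TOKEN is sent in
# X-Auth-Token on every request, -vv prints that header to stderr, and the
# endpoint is plain http on localhost.

# Create the RSA keypair
# One private key; each of the four cases below derives a different encoding
# of its public half.
openssl genrsa -out private.pem 2048

# Submit a metadata-only POST
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{"name": "RSA Public Key",
"secret_type": "public",
"algorithm": "RSA"}' \
http://localhost:9311/v1/secrets | python -m json.tool

# Send the PUT request with the appropriate media type
# For file format details see [3].
# The secret UUIDs in the PUT URLs (92066b0b-...) and in the sample metadata
# further down (3c9c2973-...) are both placeholders from different runs;
# use the secret_ref returned by the POST above.
# --data-binary is required for every case, and especially for the DER ones:
# -d would strip bytes that happen to be CR/LF and corrupt the key.

# Case 3.1 - default openssl public key format - application/subjectpublickeyinfo+pem
# This is the default format of the SubjectPublicKeyInfo part of an X.509 certificate
# using a PEM format with the headers:
# -----BEGIN PUBLIC KEY-----
# -----END PUBLIC KEY-----
openssl rsa -in private.pem -out public.pem -pubout
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/subjectpublickeyinfo+pem' \
--data-binary @public.pem \
http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf

# Case 3.2 - SubjectPublicKeyInfo in DER format - application/subjectpublickeyinfo+der
# The content of this file is in bytes (not ascii)
openssl rsa -in private.pem -outform DER -out public.der -pubout
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/subjectpublickeyinfo+der' \
--data-binary @public.der \
http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf

# Case 3.3 - RSAPublicKey format - application/rsapublickey+pem
# This format uses the headers:
# -----BEGIN RSA PUBLIC KEY-----
# -----END RSA PUBLIC KEY-----
openssl rsa -in private.pem -RSAPublicKey_out -out public_rsa.pem
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/rsapublickey+pem' \
--data-binary @public_rsa.pem \
http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf

# Case 3.4 - RSAPublicKey DER - application/rsapublickey+der
openssl rsa -in private.pem -outform DER -RSAPublicKey_out -out public_rsa.der
curl -vv -X PUT -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/rsapublickey+der' \
--data-binary @public_rsa.der \
http://localhost:9311/v1/secrets/92066b0b-3d21-4af6-b7a2-27d2a89819bf

# The metadata GET for all four cases would look like this:
# (proposed shape, not an observed response - the server would have to map
# each uploaded media type to a content_types entry)
{
"algorithm": "RSA",
"bit_length": null,
"content_types": {
"default": "application/subjectpublickeyinfo+pem",
"pem": "application/subjectpublickeyinfo+pem",
"der": "application/subjectpublickeyinfo+der",
"rsa-pem": "application/rsapublickey+pem",
"rsa-der": "application/rsapublickey+der"
},
"created": "2015-04-09T20:37:42.764788",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "RSA Public Key",
"secret_ref": "http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb",
"secret_type": "public",
"status": "ACTIVE",
"updated": "2015-04-09T20:39:47.583588"
}

# The GET for the payload would return the format based on
# what the Accept header specifies. For example:
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/rsapublickey+pem' \
-o retrieved_public_rsa.pem \
http://localhost:9311/v1/secrets/3c9c2973-7c39-48ee-9e01-899de2f4dafb/payload

# [1] http://www.iana.org/assignments/media-types/media-types.xhtml
# [2] https://tools.ietf.org/html/rfc6648
# [3] https://www.openssl.org/docs/apps/rsa.html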