Compressed Signature and Validation

Allows for a new form of document signature.

pkiz_sign will take data and encode it in a string that starts with
the substring  "PKIZ_".  This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded

This process is reversed to validate the data.

middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format.  The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well.  It will require corresponding changes
on the Keystone server to issue the new token format.

A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.

Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.

Blueprint: compress-tokens
Closes-Bug: #1255321

Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569

1 files changed, 8 insertions, 0 deletions

diff --git a/keystoneclient/exceptions.py b/keystoneclient/exceptions.py
index 4572af9..31f25cb 100644
--- a/keystoneclient/exceptions.py
+++ b/keystoneclient/exceptions.py
@@ -37,6 +37,14 @@ class CertificateConfigError(Exception):
         super(CertificateConfigError, self).__init__(msg)
 
 
+class CMSError(Exception):
+    """Error reading the certificate"""
+    def __init__(self, output):
+        self.output = output
+        msg = ("Unable to sign or verify data.")
+        super(CMSError, self).__init__(msg)
+
+
 class EmptyCatalog(EndpointNotFound):
     """The service catalog is empty."""
     pass