pax_global_header 0000666 0000000 0000000 00000000064 14133751451 0014516 g ustar 00root root 0000000 0000000 52 comment=e07425329eee5b3f3986872fcc079e86fb42f337
caucase-e07425329eee5b3f3986872fcc079e86fb42f337-doc/ 0000775 0000000 0000000 00000000000 14133751451 0020565 5 ustar 00root root 0000000 0000000 caucase-e07425329eee5b3f3986872fcc079e86fb42f337-doc/doc/ 0000775 0000000 0000000 00000000000 14133751451 0021332 5 ustar 00root root 0000000 0000000 caucase-e07425329eee5b3f3986872fcc079e86fb42f337-doc/doc/P-SLAPOS.Certificate.Authority.Overview.svg0000664 0000000 0000000 00000024544 14133751451 0031277 0 ustar 00root root 0000000 0000000
P-SLAPOS.Certificate.Authority.Plantuml.Sequence.Diagram.Signing.Request.txt 0000664 0000000 0000000 00000005246 14133751451 0037362 0 ustar 00root root 0000000 0000000 caucase-e07425329eee5b3f3986872fcc079e86fb42f337-doc/doc @startuml
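' Sequence diagram of the caucase certificate life cycle: CSR submission,
' signing by a user, retrieval, renewal, revocation and CRL distribution.
' Path placeholders use the {crt-id} parameter name from the Swagger
' specification shipped next to this file.
title Automated Certificate Authority Service
actor service
actor user
actor libssl
autonumber

' The Swagger specification does not tag PUT /csr as "auth", so submitting a
' request needs no client certificate. caucased only checks the format here;
' the decision to trust the request is taken by the user in
' "Certificate Production".
== Signing Request Submission ==
service -> caucased : PUT /csr with the CSR as body
alt CSR passes format check
  caucased --> service : Request identifier
else CSR format invalid
  caucased --> service : Error
end
Note over service : See "Certificate Retrieval"

' Listing, signing and rejecting are the operations tagged "auth" in the
' Swagger specification (https client authentication required).
' Fetching the CSR before signing is the step where the user can inspect what
' is about to be certified.
== Certificate Production ==
Note over user : See "Signing Request Submission"
user -> caucased : GET /csr
caucased --> user : List of pending signing requests with their identifiers
user -> caucased : GET /csr/{crt-id}
caucased --> user : CSR
alt user agrees to produce a signed certificate from the signing request
  user -> caucased : PUT /crt/{crt-id}
  alt CSR was still pending
    caucased --> user : Success
  else CSR not pending (deleted or already signed)
    caucased --> user : Not found
  end
else user refuses to sign the request
  user -> caucased : DELETE with the signing request identifier
  caucased --> user : Ok
end

' The service polls with the identifier returned at submission. "Not found"
' on both /crt/{crt-id} and /csr/{crt-id} is how a rejection shows up.
== Certificate Retrieval ==
loop Until certificate obtained or request rejected
  service -> caucased : GET /crt/{crt-id}
  alt CRT exists
    caucased --> service : Certificate content
  else CRT does not exist
    caucased --> service : Not found
    opt service checks if the CSR was rejected
      service -> caucased : GET /csr/{crt-id}
      alt CSR still pending
        caucased --> service : Signing request content
      else CSR rejected
        caucased --> service : Not found
      end
    end
  end
end

' The new public key is carried by a signing request (CSR); a revocation list
' (CRL) cannot carry one, so the label reads "CSR" here.
== Certificate Renewal ==
service -> caucased : PUT /crt/renew with the still-valid CRT and a CSR with the new public key
alt CRT is still valid (validity period, not revoked)
  caucased --> service : New certificate content
else CRT invalid
  caucased --> service : Error
end

' Revocation by the certificate holder: the order is signed with the
' certificate's own private key.
== Certificate Revocation ==
service -> caucased : PUT /crt/revoke with the CRT, order signed with its private key
alt CRT is valid and parameters consistent
  caucased --> service : CRT revoked
else CRT is invalid or parameters inconsistent
  caucased --> service : Error
end

' No signature from the certificate's key is available in the next two
' variants, and both are drawn with the user actor instead of the service.
' NOTE(review): /crt/revoke is not tagged "auth" in the Swagger specification;
' confirm how caucased authorises these unsigned revocations.
== Certificate Revocation without access to private key ==
user -> caucased : PUT /crt/revoke with the CRT
alt CRT is valid
  caucased --> user : CRT revoked
else CRT is invalid
  caucased --> user : Error
end
== Certificate Revocation without access to private key or the certificate ==
user -> caucased : PUT /crt/revoke with the serial to revoke
alt Serial is not revoked yet
  caucased --> user : CRT revoked
else Serial is already revoked
  caucased --> user : Error
end

' Relying parties fetch the CRL to learn which certificates were revoked.
== Certificate Validity Check ==
libssl -> caucased : GET /crl
caucased --> libssl : CRL content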
@enduml
P-SLAPOS.Certificate.Authority.Swagger.API.Specification-en-001.yml 0000664 0000000 0000000 00000014263 14133751451 0035075 0 ustar 00root root 0000000 0000000 caucase-e07425329eee5b3f3986872fcc079e86fb42f337-doc/doc swagger: '2.0'
# API metadata block of the Swagger 2.0 document.
info:
  title: caucase
  # The unusual capitalisation ("SErvices") is deliberate: the initials of the
  # description spell the project name.
  description: Certificate Authority for Users, Certificate Authority for SErvices
  # Quoted so that no tool ever treats the version as anything but a string.
  version: '0.2.0'
  contact:
    name: Vincent Pelletier (Nexedi)
    url: 'http://www.nexedi.com'
    email: vincent@nexedi.com
# All paths below are rooted at the server root.
basePath: /
# Both transports are declared for the API as a whole. Operations tagged
# "auth" need https client authentication (see the tag description), so they
# cannot succeed over plain http.
# NOTE(review): with http allowed, the integrity of a CA certificate or CRL
# fetched that way depends on the client already trusting a CA certificate or
# verifying out of band - confirm how clients bootstrap trust.
schemes:
  - http
  - https
# Default request body type; individual operations override it
# (PUT /csr consumes application/pkcs10).
consumes:
  - application/json
# Every media type an operation of this API may return: JSON documents,
# certificates, revocation lists, signing requests and the CA certificate.
produces:
  - application/json
  - application/pkix-cert
  - application/pkix-crl
  - application/pkcs10
  - application/x-x509-ca-cert
# "auth" marks the operations that are only served to a client presenting an
# x509 certificate over https. Swagger 2.0 securityDefinitions has no type for
# TLS client certificates, so this tag is the only place the requirement is
# recorded.
tags:
  - name: auth
    description: https client authentication required
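# Operations of the certificate authority.
# Operations tagged "auth" require https client authentication; they carry an
# explicit "schemes: [https]" override so that generated clients and
# documentation never offer them over plain http.
paths:
  /csr:
    get:
      summary: List pending certificate signing requests
      operationId: getPendingCertificateRequestList
      tags:
        - auth
      schemes:
        - https
      produces:
        - application/json
      responses:
        '200':
          description: OK - CSR list returned
        # Also returned when the client presented no valid certificate
        # (see the shared 404 response).
        '404':
          $ref: '#/responses/404'
    put:
      summary: Request a new certificate signature
      # Not tagged "auth": submission itself is open, the trust decision is
      # made when a user signs or rejects the request.
      # NOTE(review): the sequence diagram shows an error outcome for a CSR
      # failing the format check, but no 4xx response is declared here.
      operationId: createCertificateSigningRequest
      consumes:
        - application/pkcs10
      parameters:
        - $ref: '#/parameters/csr'
      responses:
        '201':
          description: Created - Signing request was accepted
          headers:
            Location:
              description: URL of created resource
              type: string
        # Pending requests are stored server-side; this is the declared
        # outcome when that storage is exhausted.
        '507':
          $ref: '#/responses/507'
  /csr/{crt-id}:
    delete:
      summary: Reject a pending certificate signing request
      operationId: deletePendingCertificateRequest
      tags:
        - auth
      schemes:
        - https
      parameters:
        - $ref: '#/parameters/crt-id'
      responses:
        '204':
          description: No Content - CSR was successfully rejected
        '404':
          $ref: '#/responses/404'
    get:
      summary: Retrieve a pending certificate signing request
      operationId: getCertificateSigningRequest
      produces:
        - application/pkcs10
      parameters:
        - $ref: '#/parameters/crt-id'
      responses:
        '200':
          description: OK - CSR retrieved
        '400':
          $ref: '#/responses/400'
        '404':
          $ref: '#/responses/404'
  /crt/{crt-id}:
    put:
      summary: Accept pending certificate signing request
      # This is the call that turns a pending CSR into a certificate signed by
      # the CA, hence the "auth" tag.
      operationId: createCertificate
      tags:
        - auth
      schemes:
        - https
      parameters:
        - $ref: '#/parameters/crt-id'
      responses:
        '204':
          description: No Content - CSR was successfully signed
        '404':
          $ref: '#/responses/404'
    get:
      summary: Retrieve a signed certificate
      operationId: getCertificate
      produces:
        - application/pkix-cert
      parameters:
        - $ref: '#/parameters/crt-id'
      responses:
        '200':
          description: OK - CRT retrieved
        '404':
          $ref: '#/responses/404'
  /crt/ca.crt.pem:
    get:
      summary: Retrieve current CA certificate
      operationId: getCACertificate
      produces:
        - application/x-x509-ca-cert
      responses:
        '200':
          description: OK - CA CRT retrieved
  /crt/ca.crt.json:
    get:
      summary: Retrieve current CA certificate trust chain
      description: Response schema is described separately.
      operationId: getCACertificateChain
      produces:
        - application/json
      responses:
        '200':
          description: OK - CA CRT chain retrieved
  /crt/revoke:
    put:
      summary: Revoke a certificate
      description: Signed operation payload schema is described separately.
      # Not tagged "auth": the request is authorised by the signature inside
      # the signed-operation body.
      # NOTE(review): the sequence diagram shows an error outcome (invalid
      # certificate, inconsistent parameters, serial already revoked) but only
      # the success response is declared here.
      operationId: revokeCertificate
      consumes:
        - application/json
      parameters:
        - $ref: '#/parameters/signed-operation'
      responses:
        '204':
          description: No Content - certificate revoked
  /crt/renew:
    put:
      summary: Renew a certificate
      description: Signed operation payload schema is described separately.
      # NOTE(review): the sequence diagram shows an error outcome for an
      # invalid certificate but only the success response is declared here.
      operationId: renewCertificate
      consumes:
        - application/json
      parameters:
        - $ref: '#/parameters/signed-operation'
      responses:
        '200':
          description: OK - Renewed certificate retrieved
  /crl:
    get:
      summary: >-
        Retrieve the list (as concatenated PEM-encoded chunks) of latest
        certificate revocation list for all authority keys
      operationId: getCertificateRevocationListList
      produces:
        - application/pkix-crl
      responses:
        '200':
          description: OK - CRL retrieved
  /crl/{authority-key-id}:
    get:
      summary: Retrieve latest certificate revocation list for given authority key
      operationId: getCertificateRevocationList
      parameters:
        - $ref: '#/parameters/authority-key-id'
      produces:
        - application/pkix-crl
      responses:
        '200':
          description: OK - CRL retrieved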
# Schemas referenced by the body parameters.
definitions:
  csr:
    type: string
    description: application/pkcs10 data
  # Envelope used by /crt/revoke and /crt/renew.
  # NOTE(review): the sequence diagram has revocation variants performed
  # without access to the private key, which cannot carry a valid signature,
  # yet "signature" is listed as required - confirm how those are encoded.
  signed-operation:
    type: object
    required:
      - signature
      - payload
      - digest
    properties:
      # The digest name is chosen by the requester. It is part of the signed
      # data (see "signature"), which binds it to the signature.
      # NOTE(review): confirm the server accepts only an allow-list of strong
      # digests.
      digest:
        type: string
        description: >-
          Digest method name used to generate the signature (like "sha256",
          "sha512", etc)
      # NOTE(review): presumably the signature is computed over the
      # concatenation payload + digest + " " - the wording leaves it open.
      signature:
        type: string
        description: >-
          Base64-encoded signature generated by concatenating payload, digest
          and the space character (0x20), in this order.
      # A JSON document transported as a string, so the exact signed bytes are
      # preserved.
      payload:
        type: string
        description: >-
          Operation parameters. This is a json-encoded value whose structure
          depends on the operation.
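# Reusable parameter definitions referenced from the operations.
parameters:
  # Identifier returned when a CSR is submitted; the same value addresses the
  # pending request under /csr and the resulting certificate under /crt.
  crt-id:
    name: crt-id
    in: path
    description: Opaque certificate signing request identifier
    required: true
    type: string
  csr:
    name: csr
    in: body
    description: x509 Certificate Signing Request
    required: true
    schema:
      $ref: '#/definitions/csr'
  # Body of /crt/revoke and /crt/renew. Neither operation has anything to act
  # on without it, so it is marked required like the csr body parameter
  # (Swagger 2.0 treats a body parameter as optional unless stated).
  signed-operation:
    name: signed-operation
    in: body
    description: An operation, signed with requester's private key
    required: true
    schema:
      $ref: '#/definitions/signed-operation'
  authority-key-id:
    name: authority-key-id
    in: path
    description: decimal representation of an authority key identifier
    required: true
    type: string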
# Shared error responses referenced from the operations.
responses:
  '400':
    description: Bad Request - you probably provided wrong parameters
  # A missing client certificate is reported as 404, not 401 or 403. This does
  # not reveal whether a resource exists, but clients and monitoring cannot
  # tell an access-control failure from a missing resource by status code.
  '404':
    description: >-
      Not Found - Requested resource does not exist, or you did not provide
      required transport-level credentials (x509 cert over https)
  '507':
    description: Insufficient Storage