keystoneclient.common package

keystoneclient.common package


keystoneclient.common.cms module

Certificate signing functions.

Call set_subprocess() with the subprocess module. Either Python’s subprocess or can be used.

If set_subprocess() is not called, this module will pick Python’s subprocess or based on if os module is patched by eventlet.

class keystoneclient.common.cms.OpensslCmsExitStatus

Bases: object

keystoneclient.common.cms.cms_hash_token(token_id, mode='md5')

Hash PKI tokens.

return: for asn1 or pkiz tokens, returns the hash of the passed in token

otherwise, returns what it was passed in.

keystoneclient.common.cms.cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, outform='PEM', message_digest='sha256')

Use OpenSSL to sign a document.

Produces a Base64 encoding of a DER formatted CMS Document

  • data_to_sign – data to sign

  • signing_cert_file_name – path to the X509 certificate containing the public key associated with the private key used to sign the data

  • signing_key_file_name – path to the private key used to sign the data

  • outform – Format for the signed document PKIZ_CMS_FORM or PKI_ASN1_FORM

  • message_digest – Digest algorithm to use when signing or resigning

keystoneclient.common.cms.cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name, message_digest='sha256')
keystoneclient.common.cms.cms_sign_token(text, signing_cert_file_name, signing_key_file_name, message_digest='sha256')

Convert a CMS-signed token in PEM format to a custom URL-safe format.

The conversion consists of replacing ‘/’ char in the PEM-formatted token with the ‘-‘ char and doing other such textual replacements to make the result marshallable via HTTP. The return value can thus be used as the value of a HTTP header such as “X-Auth-Token”.

This ad-hoc conversion is an unfortunate oversight since the returned value now does not conform to any of the standard variants of base64 encoding. It would have been better to use base64url encoding (either on the PEM formatted text or, perhaps even better, on the inner CMS-signed binary value without any PEM formatting). In any case, the same conversion is done in reverse in the other direction (for token verification), so there are no correctness issues here. Note that the non-standard encoding of the token will be preserved so as to not break backward compatibility.

The conversion issue is detailed by the code author in a blog post at

keystoneclient.common.cms.cms_verify(formatted, signing_cert_file_name, ca_file_name, inform='PEM')

Verify the signature of the contents IAW CMS syntax.



This function is deprecated as of the 1.7.0 release in favor of is_asn1_token() and may be removed in the 2.0.0 release.


Determine if a token appears to be PKI-based.

thx to ayoung for sorting this out.

base64 decoded hex representation of MII is 3082:

In [3]: binascii.hexlify(base64.b64decode('MII='))
Out[3]: '3082'


pg4:  For tags from 0 to 30 the first octet is the identfier
pg10: Hex 30 means sequence, followed by the length of that sequence.
pg5:  Second octet is the length octet
      first bit indicates short or long form, next 7 bits encode the
      number of subsequent octets that make up the content length octets
      as an unsigned binary int

      82 = 10000010 (first bit indicates long form)
      0000010 = 2 octets of content length
      so read the next 2 octets to get the length of the content.

In the case of a very large content length there could be a requirement to have more than 2 octets to designate the content length, therefore requiring us to check for MIM, MIQ, etc.

In [4]: base64.b64encode(binascii.a2b_hex('3083'))
Out[4]: 'MIM='
In [5]: base64.b64encode(binascii.a2b_hex('3084'))
Out[5]: 'MIQ='
Checking for MI would become invalid at 16 octets of content length
10010000 = 90
In [6]: base64.b64encode(binascii.a2b_hex('3090'))
Out[6]: 'MJA='
Checking for just M is insufficient

But we will only check for MII: Max length of the content using 2 octets is 3FFF or 16383.

It’s not practical to support a token of this length or greater in http therefore, we will check for MII only and ignore the case of larger tokens


Determine if a token is PKIZ.

Checks if the string has the prefix that indicates it is a Crypto Message Syntax, Z compressed token.

keystoneclient.common.cms.pkiz_sign(text, signing_cert_file_name, signing_key_file_name, compression_level=6, message_digest='sha256')
keystoneclient.common.cms.pkiz_verify(signed_text, signing_cert_file_name, ca_file_name)

Set subprocess module to use.

The subprocess could be if using eventlet, or Python’s subprocess otherwise.


Convert a custom formatted token to a PEM-formatted token.

See documentation for cms_to_token() for details on the custom formatting.

keystoneclient.common.cms.verify_token(token, signing_cert_file_name, ca_file_name)

Module contents

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.