Hi Rajesh

May I ask why we need single line representation of PEM format?
For CLI, we will use file_name as same as nova keypair-add.
We won't specify PEM on the URL.




2014-01-27 Rajesh Mohan <rajesh.mli...@gmail.com>:
> Thanks John.
>
> My initial approach is similar to Keystone's. This is mainly to unblock me
> from making progress on the driver. Nachi is doing the API part. I will
> discuss with him to explore other options.
>
> Can you send us the link to your review?
>
> Thanks,
> -Rajesh Mohan
>
>
>
>
> On Mon, Jan 27, 2014 at 6:00 AM, John Dennis <jden...@redhat.com> wrote:
>>
>> On 01/26/2014 05:36 PM, rajesh_moh...@dell.com wrote:
>> > I am working on SSL VPN BP.
>> >
>> > CA certificate is one of the resources. We decided to use PEM formatted
>> > certificates. It is multi-line string
>> >
>> >   1 -----BEGIN CERTIFICATE-----
>> >   2 MIID3TCCA0agAwIBAgIJAKRWnul3NJnrMA0GCSqGSIb3DQEBBQUAMIGmMQswCQYD
>> >  <snip>
>> >  21 0vO728pEcn6QtOpU7ZjEv8JLKRHwyq8kwd8gKMflWZRng4R2dj3cdd24oYJxn5HW
>> >  22 atXnq+N9H9dFgMfw5NNefwJrZ3zAE6mu0bAIoXVsKT2S
>> >  23 -----END CERTIFICATE-----
>> >
>> > Is there a standard way to represent this as single line string? Maybe
>> > there is some other project that passes certificates on command line/url.
>> >
>> > I am looking for some accepted way to represent PEM formatted file on
>> > command line.
>> >
>> > I am thinking of concatenating all lines into single string and
>> > rebuilding the file when configuration file is generated.Will we hit any 
>> > CLI
>> > size limitations if we pass long strings.
>>
>> In general PEM formatted certificates and other X509 binary data objects
>> should be exchanged in the original PEM format for interoperabilty
>> purposes. For command line tools it's best to pass PEM objects via a
>> filename.
>>
>> However, having said that there is at least one place in Openstack which
>> passes PEM data via a HTTP header and/or URL, it's the Keystone token id
>> which is a binary CMS object normally exchanged in PEM format. Keystone
>> strips the PEM header and footer, strips line endings and modifies one
>> of the base64 alphabet characters which was incompatible with HTTP and
>> URL encoding. However what keystone was doing was not correct and in
>> fact did not follow an existing RFC (e.g. URL safe base64).
>>
>> I fixed these problems and in the process wrote two small Python modules
>> base64utils and pemutils to do PEM transformations correctly (plus
>> general utilities for working with base64 and PEM data). These were
>> submitted to both keystone and oslo, Oslo on the assumption they should
>> be general purpose utilities available to all of openstack. I believe
>> these have languished in review purgatory, because I was pulled off to
>> work on other issues I haven't had the time to babysit the review.
>>
>>
>> --
>> John
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to