{ "info": { "author": "Vincent Pelletier", "author_email": "vincent@nexedi.com", "bugtrack_url": null, "classifiers": [ "Environment :: Console", "Environment :: Web Environment", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)", "Topic :: Internet :: WWW/HTTP :: WSGI :: Application", "Topic :: Security :: Cryptography", "Topic :: System :: Systems Administration :: Authentication/Directory" ], "description": ".. Note to the editor: beware of implicit inline\n targets aliasing, keep global title different from all commands\n\n=============================================================================\ncaucase - Certificate Authority for Users, Certificate Authority for SErvices\n=============================================================================\n\nOverview\n========\n\nThe goal of caucase is to automate certificate issuance and renewal without\nconstraining how the certificate will be used.\n\nFor example, there is no assumption that the certificate will be used to\nsecure HTTP, nor to serve anything at all: you may need certificates to\nauthenticate users, or sign your mails, or secure an SQL server socket.\n\nAs an unfortunate consequence, it is not possible for caucase to automatically\nvalidate a signing request content against a service (ex: as one could check\nthe certificate for an HTTPS service was requested by someone with the ability\nto make it serve a special file).\n\nThis also means that, while caucase imposes RFC-recommended constraints on many\ncertificate fields and extensions to be worthy of trust, it imposes no\nconstraint at all on subject and alternate subject certificate fields.\n\nTo still allow certificates to be used, caucase uses itself to authenticate\nusers (humans or otherwise) who implement the validation procedure: they tell\ncaucase what certificates to emit. Once done, any certificate can be\nprolonged at a simple request of the key holder while the to-renew\ncertificate is still valid (not expired, not revoked).\n\nBootstrapping the system (creating the first service certificate for\n`caucased`_ to operate on HTTPS, and creating the first user certificate to\ncontrol further certificate issuance) works by caucase automatically signing a\nset number of certificates upon submission.\n\nVocabulary\n==========\n\nCaucase manipulates the following asymmetric cryptography concepts.\n\n- Key pair: A private key and corresponding public key. The public key can be\n derived from the private key, but not the other way around. As a consequence,\n the private key is itself considered to be a key pair.\n\n- Certificate: A certificate is the assurante, by a certificate authority,\n that a given public key and set of attributes belong to an authorised entity.\n Abbreviated cert or crt. A certificate is by definition signed by a CA.\n\n- Certificate Authority: An entry, arbitrarily trusted (but worthy of trust by\n its actions and decision) which can issue certificates. Abbreviated CA.\n\n- Certificate signing request: A document produced by an entity desiring to get\n certified, which they send to a certificate authority. The certificate signing\n request contains the public key and desired set of attributes that the CA\n should pronounce itself on. The CA has all liberty to issue a different set\n of attributes, or to not issue a certificate.\n\n- Certificate revocation list: Lists the certificates which were issued by a CA\n but which should not be trusted anymore. This can happen for a variety of\n reasons: the private key was compromised, or its owning entity should not be\n trusted anymore (ex: entity's permission to access to protected service was\n revoked).\n\n- PEM: A serialisation mechanism commonly used for various cryptographic data\n pieces. It relies on base64 so it is 7-bits-safe (unlike DER), and is very\n commonly supported. Caucase exclusively uses PEM format.\n\nValidity period\n===============\n\nCryptographic keys wear out as are used and as they age.\n\nOf course, they do not bit-rot nor become thinner with use. But each time one\nuses a key and each minute an attacker had access to a public key, fractions\nof the private key bits are inevitably leaked, weakening it overall.\n\nSo keys must be renewed periodically to preserve intended security level. So\nthere is a limited life span to each certificate, including the ones emitted by\ncaucase.\n\nThe unit duration for caucase-emitted certificates is the \"normal\" certificate\nlife span. It default to 93 days from the moment the certificate was signed,\nor about 3 months.\n\nThen the CA certificate has a default life span of 4 \"normal\" certificate\nvalidity periods. As CA renewal happens in caucase without x509-level cross\nsigning (by decision, to avoid relying on intermediate CA support on\ncertificate presenter side and instead rely on more widespread\nmulti-CA-certificate support on verifier side), there is a hard lower bound of\n3 validity periods, under which the CA certificate cannot be reliably renewed\nwithout risking certificate validation issues for emitted \"normal\"\ncertificates. CA certificate renewal is composed of 2 phases:\n\n- Passive distribution phase: current CA certificate has a remaining life span\n of less than 2 \"normal\" certificate life spans: a new CA certificate is\n generated and distributed on-demand (on \"normal\" certificate renewal and\n issuance, on CRL retrieval with caucase tools...), but not used to sign\n anything.\n- Active use phase: new CA certificate is valid for more than one \"normal\"\n certificate life span. This means that all existing certificates which are\n still in active use had to be renewed at least once since the new CA\n certificate exists. This means all the certificate holders had the\n opportunity to learn about the new CA certificate. So the new CA certificate\n starts being used to sign new certificates, and the old CA certificate falls\n out of use as its signed \"normal\" certificates expire.\n\nBy default, all caucase tools will generate a new private key unrelated to the\nprevious one on each certificate renewal.\n\nLastly, there is another limited validity period, although not for the same\nreasons: the list of revoked certificates also has a maximum life span. In\ncaucase, the CRL is re-generated whenever it is requested and:\n\n- there is no previous CRL\n- previous CRL expired\n- any revocation happened since previous CRL was created\n\nCommands\n========\n\nCaucase provides several commands to work with certificates.\n\ncaucase\n+++++++\n\nReference caucase \"one-shot\" client.\n\nThis command is intended to be used for isolated actions:\n\n- listing and signing pending certificate signature requests\n\n- revoking certificates\n\nIt is also able to submit certificate signing requests, retrieve signed\ncertificates, requesting certificate renewals and updating both\nCA certificates and revocation lists, but you may be interested in using\n`caucase-updater`_ for this instead.\n\ncaucase-updater\n+++++++++++++++\n\nReference caucase certificate renewal daemon.\n\nMonitors a key pair, corresponding CA certificate and CRL, and renew them\nbefore expiration.\n\nWhen the key-pair lacks a signed certificate, issues a pre-existing CSR to\ncaucase server and waits for the certificate to be issued.\n\ncaucase-probe\n+++++++++++++\n\nCaucase server availability tester.\n\nPerforms minimal checks to verify a caucase server is available at given URL.\n\ncaucase-rerequest\n+++++++++++++++++\n\nUtility allowing to re-issue a CSR using a locally-generated private key.\n\nIntended to be used in conjunction with `caucase-updater`_ when user cannot\ngenerate the CSR on the system where the certificate is desired (ex: automated\nHTTPS server deployment), where user is not the intended audience for\ncaucase-produced certificate:\n\n- User generates a CSR on their own system, and signs it with any key (it will\n not be needed later\n- User sends the CSR to the system where the certificate is desired\n- User gets caucase-rerequest to run on this CSR, producing a new private key\n and a CSR similar to issued one, but signed with this new private key\n- From then on, caucase-updater can take over\n\nThis way, no private key left their original system, and user could still\nfreely customise certificate extensions.\n\ncaucase-key-id\n++++++++++++++\n\nUtility displaying the identifier of given key, or the identifier of keys\ninvolved in given backup file.\n\nAllows identifying users which hold a private key candidate for restoring a\ncaucased backup (see `Restoration procedure`_).\n\ncaucased\n++++++++\n\nReference caucase server daemon.\n\nThis daemon provides access to both CAU and CAS services over both HTTP and\nHTTPS.\n\nIt handles its own certificate issuance and renewal, so there is no need to use\n`caucase-updater`_ for this service.\n\nCORS\n----\n\ncaucased implements CORS protection: when receiving a cross-origin request,\nit will respond with 401 Unauthorized, with the WWW-Authenticate header set to\na custom scheme (\"cors\") with an \"url\" parameter containing an URI template\nwith one variable field: \"return\" (more on it later).\n\nUpon receiving this response, the application is expected to render the URL\ntemplate and redirect the user to resulting URL. There, the user will be\ninformed of the cross-origin access attempt, and offered the choice to grant or\ndeny access to given origin.\n\nOnce their decision is made, their browser will receive a cookie remembering\nthis decision, and they will be redirected to the URL received in the \"return\"\nfield received upon above-described redirection.\n\nThen, the application should retry the original request, which will be\naccompanied by that cookie.\n\nBackups\n-------\n\nLoosing the CA private key prevents issuing any new certificate trusted by\nservices which trusted the CA. Also, it prevents issuing any new CRL.\nRecovering from such total loss requires starting a new CA and rolling it out\nto all services which used the previous one. This is very time-costly.\n\nSo backups are required.\n\nOn the other hand, if someone gets their hand on the CA private key, they can\nissue certificates for themselves, allowing them to authenticate with services\ntrusting the CA managed by caucase - including caucased itself if they issue a\nuser certificate: they can then revoke existing certificates and cause a lot of\ndamage.\n\nSo backups cannot happen in clear text, they must be encrypted.\n\nBut the danger of encrypted backups is that by definition they become worthless\nif they cannot be decrypted. So as many (trusted) entities as possible should\nbe granted the ability to decrypt the backups.\n\nThe solution proposed by caucased is to encrypt produced backups in a way which\nallows any of the caucase users to decrypt the archive.\n\nAs these users are already entrusted with issuing certificates, this puts\nonly a little more power in their hands than they already have. The little\nextra power they get is that by having unrestricted access to the CA private\nkey they can issue certificates bypassing all caucase restrictions. The\nproposed parade is to only make the backups available to a limited subset of\ncaucase users when there is an actual disaster, and otherwise keep it out of\ntheir reach. This mechanism is not handled by caucase.\n\nAs there are few trusted users, caucase can keep their still-valid certificates\nin its database for the duration of their validity with minimal size cost.\n\nBackup procedure\n----------------\n\nBackups happen periodically as long as caucased is running. See\n`--backup-period` and `--backup-directory`.\n\nAs discussed above, produced files should be kept out of reach of caucase\nusers until a disaster happens.\n\nRestoration procedure\n---------------------\n\nSee `caucased-manage --restore-backup`.\n\nTo restore, one of the trusted users must voluntarily compromise their own\nprivate key, providing it to the administrator in charge of the restoration\nprocedure. Restoration procedure will hence immediately revoke their\ncertificate. They must also provide a CSR generated with a different private\nkey, so that caucase can provide them with a new certificate, so they keep\ntheir access only via different credentials.\n\n- admin identifies the list of keys which can decipher a backup, and broadcasts\n that list to key holders\n\n- key holders manifest themselves\n\n- admin picks a key holder, requests them to provide their existing private key\n and to generate a new key and accompanying CSR\n\n- key holder provide requested items\n\n- admin initiates restoration with `--restore-backup` and provides key holder\n with replacement certificate\n\n- admin starts caucased, service is back online.\n\nBackup file format\n------------------\n\n- 64bits: 'caucase\\0' magic string\n\n- 32bits LE: header length\n\n- header: json-encoded header (see below)\n\n- encrypted byte stream (aka payload)\n\nHeader schema (inspired from s/mime, but s/mime tools available do not\nsupport at least iterative production or iterative generation)::\n\n {\n \"description\": \"Caucase backup header\",\n \"required\": [\"algorithm\", \"key_list\"],\n \"properties\": {\n \"cipher\": {\n \"description\": \"Symetric ciher used for payload\",\n \"required\": [\"name\"],\n \"properties\": {\n \"name\":\n \"enum\": [\"aes256_cbc_pkcs7_hmac_10M_sha256\"],\n \"type\": \"string\"\n },\n \"parameter\": {\n \"description\": \"Name-dependend clear cipher parameter (ex: IV)\",\n \"type\": \"string\"\n }\n }\n \"type\": \"object\"\n },\n \"key_list\": {\n \"description\": \"Content key, encrypted with public keys\",\n \"minItems\": 1,\n \"items\": {\n \"required\": [\"id\", \"cipher\", \"key\"],\n \"properties\": {\n \"id\": {\n \"description\": \"Hex-encoded sha1 hash of the public key\",\n \"type\": \"string\"\n },\n \"cipher\": {\n \"description\": \"Asymetric cipher used for symetric key\",\n \"required\": [\"name\"],\n \"properties\": {\n \"name\": {\n \"enum\": [\"rsa_oaep_sha1_mgf1_sha1\"],\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n \"key\": {\n \"description\": \"Hex-encoded encrypted concatenation of signing and symetric encryption keys\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://lab.nexedi.com/nexedi/caucase", "keywords": "certificate authority", "license": "GPLv3+", "maintainer": "", "maintainer_email": "", "name": "caucase", "package_url": "https://pypi.org/project/caucase/", "platform": "", "project_url": "https://pypi.org/project/caucase/", "project_urls": { "Homepage": "https://lab.nexedi.com/nexedi/caucase" }, "release_url": "https://pypi.org/project/caucase/0.9.6/", "requires_dist": null, "requires_python": "", "summary": "Certificate Authority.", "version": "0.9.6" }, "last_serial": 5320768, "releases": { "0.1": [], "0.1.1": [ { "comment_text": "", "digests": { "md5": "3997a0789f2a363b1e797a5ef15b5f0c", "sha256": "af542f9c3b4826d06490ec1df664faea8afad1fb37fd5df0535bf96fc1af0b5c" }, "downloads": -1, "filename": "caucase-0.1.1.tar.gz", "has_sig": false, "md5_digest": "3997a0789f2a363b1e797a5ef15b5f0c", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 38623, "upload_time": "2017-04-27T13:12:33", "url": "https://files.pythonhosted.org/packages/5d/0d/5434f7fee742f8aab365f44b6962202a918aa3907d74f769b13a3f243e13/caucase-0.1.1.tar.gz" } ], "0.1.2": [ { "comment_text": "", "digests": { "md5": "a93f54aed8197d3a3ac6f72c10389984", "sha256": "a2232b6cf2a3951c5dc1a911c40faf44b37d24b25dee9a61abf82890624d8daf" }, "downloads": -1, "filename": "caucase-0.1.2.tar.gz", "has_sig": false, "md5_digest": "a93f54aed8197d3a3ac6f72c10389984", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 39073, "upload_time": "2017-05-12T16:28:28", "url": "https://files.pythonhosted.org/packages/8f/c1/078a32c130e8d46887abe6e56526a3764a5fd5b4ee009b5af006d386d393/caucase-0.1.2.tar.gz" } ], "0.1.3": [ { "comment_text": "", "digests": { "md5": "549a46f925772e25141e5f0c2efa4710", "sha256": "a6da6af0dba8256ecddd98dde7452ed8b0ab060be26f6f3a1440943e7a4a8746" }, "downloads": -1, "filename": "caucase-0.1.3.tar.gz", "has_sig": false, "md5_digest": "549a46f925772e25141e5f0c2efa4710", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 41958, "upload_time": "2017-06-30T15:21:28", "url": "https://files.pythonhosted.org/packages/cc/5a/651dd7645a10303c9453572c942daeaf05bd037bb527dee9e5cb2802a3b4/caucase-0.1.3.tar.gz" } ], "0.1.4": [ { "comment_text": "", "digests": { "md5": "2de84c7057b26e0c6032a2346b71a7cf", "sha256": "4c284f6d64fa3f0a3998c5382125b76646bbd09171e22144d239abdf8f88a4dc" }, "downloads": -1, "filename": "caucase-0.1.4.tar.gz", "has_sig": false, "md5_digest": "2de84c7057b26e0c6032a2346b71a7cf", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 42033, "upload_time": "2017-07-21T13:27:21", "url": "https://files.pythonhosted.org/packages/a8/ba/fb6d0f218a29e163d21d9da752983a8e2e735f3c202bb483cc48a09c69a5/caucase-0.1.4.tar.gz" } ], "0.9.0": [ { "comment_text": "", "digests": { "md5": "9f26d735891fbd483bf45bf6df23f990", "sha256": "db6322ed647a7106846eafaca2c4c4d605af7a5d46dffbbbdc0cfa271328163a" }, "downloads": -1, "filename": "caucase-0.9.0.tar.gz", "has_sig": false, "md5_digest": "9f26d735891fbd483bf45bf6df23f990", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 68445, "upload_time": "2017-08-23T10:07:37", "url": "https://files.pythonhosted.org/packages/c5/e8/7a3b0eebd651321b0976f7f236a34638fad506f0dd43693c9b861e330252/caucase-0.9.0.tar.gz" } ], "0.9.1": [ { "comment_text": "", "digests": { "md5": "18f7e228e16c4e2dd672d5a1dd08a3ba", "sha256": "d83c3981a1c7eb947cf37f776777014f8c9ad1aafd87552fe9769098b0aa2e4c" }, "downloads": -1, "filename": "caucase-0.9.1.tar.gz", "has_sig": false, "md5_digest": "18f7e228e16c4e2dd672d5a1dd08a3ba", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 68518, "upload_time": "2017-10-13T09:52:34", "url": "https://files.pythonhosted.org/packages/60/d5/820edbe45873bfb7ae5d38f7b2e8543b91283f3fb3e29e81946e01101a92/caucase-0.9.1.tar.gz" } ], "0.9.2": [ { "comment_text": "", "digests": { "md5": "bda6775878b916c3cffe742f58208ac7", "sha256": "b91e69dfb48f3cc0589a20cc142440c938845d441367ac61434dda33077e3985" }, "downloads": -1, "filename": "caucase-0.9.2.tar.gz", "has_sig": false, "md5_digest": "bda6775878b916c3cffe742f58208ac7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 77944, "upload_time": "2017-11-15T11:01:19", "url": "https://files.pythonhosted.org/packages/16/6a/eb08c3eff186cb755a2ffa092423cbef17ecf52b8ad4169a06f6242630e1/caucase-0.9.2.tar.gz" } ], "0.9.3": [ { "comment_text": "", "digests": { "md5": "eff21b012f8c3c51c2f5bb7cf12262fd", "sha256": "391682a7004c48736f620f53d1533bf7bb5df535a0103ed2745b35ef69131262" }, "downloads": -1, "filename": "caucase-0.9.3.tar.gz", "has_sig": false, "md5_digest": "eff21b012f8c3c51c2f5bb7cf12262fd", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 98310, "upload_time": "2018-09-21T06:40:59", "url": "https://files.pythonhosted.org/packages/67/3a/9b53063af39eb00902909982ce99c033fb02b9b2aa50264a520f30489a71/caucase-0.9.3.tar.gz" } ], "0.9.4": [ { "comment_text": "", "digests": { "md5": "0245b34d439e053100a95d9489faaee9", "sha256": "5563e464957b8ef103c779970fce94cbc9ac0d8196997f06e8a798f872f12866" }, "downloads": -1, "filename": "caucase-0.9.4.tar.gz", "has_sig": false, "md5_digest": "0245b34d439e053100a95d9489faaee9", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 112092, "upload_time": "2018-11-14T05:23:25", "url": "https://files.pythonhosted.org/packages/35/bf/3949da168ffa4cf92ea61a7afb45e02a54b33c30f40a7f3249607ff9f268/caucase-0.9.4.tar.gz" } ], "0.9.5": [ { "comment_text": "", "digests": { "md5": "5fbb9cdc599bd6732d23fe51fc81c835", "sha256": "2e674e1d8473b2598f11511b1ab248e0ad5c078d1cd9cf72cb268bf135141746" }, "downloads": -1, "filename": "caucase-0.9.5.tar.gz", "has_sig": false, "md5_digest": "5fbb9cdc599bd6732d23fe51fc81c835", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 114189, "upload_time": "2019-01-24T11:38:27", "url": "https://files.pythonhosted.org/packages/ad/89/8bea1dfaf344dc0d94770723102b2ec6d9d98bdb9c92aad8113afaa5254a/caucase-0.9.5.tar.gz" } ], "0.9.6": [ { "comment_text": "", "digests": { "md5": "dde18ab053818ae6a771eae20fd1ac7b", "sha256": "694cf4b2438fa63795f17775d43b8290c06aa20deaebbcbb3f3f43a720594a80" }, "downloads": -1, "filename": "caucase-0.9.6.tar.gz", "has_sig": false, "md5_digest": "dde18ab053818ae6a771eae20fd1ac7b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 114662, "upload_time": "2019-05-27T05:19:49", "url": "https://files.pythonhosted.org/packages/69/c2/c357f18f210a6e0ef2ff6a3b1a629bc0c275c8cb1fd34a8c329ee45aef35/caucase-0.9.6.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "dde18ab053818ae6a771eae20fd1ac7b", "sha256": "694cf4b2438fa63795f17775d43b8290c06aa20deaebbcbb3f3f43a720594a80" }, "downloads": -1, "filename": "caucase-0.9.6.tar.gz", "has_sig": false, "md5_digest": "dde18ab053818ae6a771eae20fd1ac7b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 114662, "upload_time": "2019-05-27T05:19:49", "url": "https://files.pythonhosted.org/packages/69/c2/c357f18f210a6e0ef2ff6a3b1a629bc0c275c8cb1fd34a8c329ee45aef35/caucase-0.9.6.tar.gz" } ] }