Ecosyste.ms: Repos
An open API service providing repository metadata for many open source software ecosystems.
GitHub / mtfarber / t_miner_test
Dummy Repo to test the T-Miner Action
JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mtfarber%2Ft_miner_test
Fork of jonathanli15/t_miner_test
Stars: 0
Forks: 0
Open Issues: 1
License: None
Language: C
Repo Size: 115 KB
Dependencies: 612
Created: over 1 year ago
Updated: over 1 year ago
Last pushed: over 1 year ago
Last synced: about 1 year ago
Dependencies
- HTTP authentication requests MUST NOT be responded to if the server has not been authenticated as specified in Section 3.3.1 or if the optional certificate-less authentication is used as specified in Section 3.3.3. *
- If the EST client application does not specify either an Explicit TA database or an Implicit TA database, then the initial TLS server authentication and authorization will fail. The client MAY provisionally continue the TLS handshake to completion for the purposes of accessing the
- It is possible that the client was not configured with an Implicit TA database that allows a bootstrap installation of the Explicit TA database as described in 4.1.3. This section describes an alternate method by which minimally configured EST clients can populate their Explicit TA database. *
- REQUIREMENT32 *
- The EST client uses the *
- EST clients request the EST CA TA database information of the CA *
- REQUIREMENT33 *
- The EST server SHOULD NOT require client authentication or authorization to reply to this request. *
- The client MUST authenticate the EST server, as specified in Section 3.3.1 if certificate
- After out-of-band validation occurs, all the other certificates MUST be validated using normal
- A successful response MUST be a certs-only CMC Simple PKI Response, as defined in
- If successful, the server response MUST have an HTTP 200 response code. Any other response code indicates an error and the client MUST abort the protocol.
- REQUIREMENT34 *
- The EST client MUST store the extracted EST CA certificate as an Explicit TA database entry for subsequent EST server authentication. The EST client SHOULD disable use of Implicit TA database entries for this EST server now that an Explicit TA database entry is available. If the client disables the Implic, and if the EST server certificate was verified using an Implicit TA database entry, then the client MUST include the
- The EST client SHOULD also make the CA Certificate response information available to the end-entity software for use when validating peer certificates. *
- The EST server MUST include the current root CA certificate in the response. The EST server MUST include any additional certificates the client would need to build a chain from an EST CA-issued certificate to the current EST CA TA. For example, if the EST CA is a subordinate CA, then all the appropriate subordinate CA certificates necessary to build a chain to the root EST CA are included in the response.
- The EST server SHOULD include the three *
- EST clients request a certificate from the EST server with an HTTPS POST using the operation path value of *
- It is RECOMMENDED that a client obtain the current CA certificates, as described in Section 4.1, before performing certificate request functions. This ensures that the client will be able to validate the EST server certificate. The client MUST authenticate the EST server as specified in Section 3.3.1 if certificate
- REQUIREMENT35 *
- The server MAY accept a certificate request for manual authorization checking by an administrator. *
- The server MUST authenticate the client as specified in Section 3.3.2 if certificate-based authentication is used or Section 3.3.3 if the optional certificate-less authentication is used. The server MUST verify client authorization as specified in Section 3.7. The EST server MUST check the tls-uniq, as described in Section 3.5, if one is submitted by the client.
- If the EST client authenticated using a previously installed certificate issued by a third-party CA *
- REQUIREMENT36 *
- The Certification Signing Request *
- The EST client MAY request additional certificates even when using an existing certificate in the TLS client authentication. For example, the client can use an existing certificate for TLS client authentication when requesting a certificate that cannot be used for TLS client authentication.
- The HTTP content-type of *
- A certificate request employs the same format as the *
- EST clients renew *
- If the SubjectPublicKeyInfo in the certification request is the same as the current client certificate, then the EST server renews the client certificate. If the public key information in the certification request is different than the current client certificate, then the EST server rekeys the client certificate.
- REQUIREMENT37 *
- A successful response MUST be a certs-only CMC Simple PKI Response, as defined in
- If the client closes the TLS connections while waiting for the Retry-After time to expire, then the client initiates a new TLS connection and performs all applicable security checks. If the client has already generated a CSR that includes linking identity and POP information
- If the enrollment is successful, the server response MUST contain an HTTP 200 response code with a content
- If the server responds with an HTTP 202, this indicates that the request has been accepted for processing but that a response is not yet available. The server MUST include a Retry
- REQUIREMENT38 *
- The EST client MAY also make the certificate response, and associated private key, available to end
- The server MUST answer with a suitable 4xx or 5xx HTTP error code when a problem occurs. A Simple PKI Response with an HTTP content
requirements/RQ4.txt
pypi
- Client authentication is not required for this exchange, so it is trivially supported by the EST server.
- For bootstrapping, the EST client can rely upon manual authentication performed by the end
- REQUIREMENT4 *
- The EST client authenticates and verifies the authorization scope of the EST server when requesting the current CA certificate *
- The EST client can request a copy of the current EST CA certificate *
- The client can leverage a previously distributed trust anchor specific to the EST server. This allows the EST client to use an existing, potentially older, CA certificate to request a current CA certificate.
- The client can leverage the binding of a shared credential to a specific EST server with a certificate-less TLS cipher suite. *
- Throughout this document we assume the EST CA has a certificate that is used by the client to verify signed objects issued by the CA, e.g., certificates and certificate revocation lists
- Verifying the EST server *
- All other return codes are handled as specified in Section 4.2.3 or HTTP. For example, a client interprets an HTTP 404 or 501 response to indicate that this service is not implemented.
- If the enrollment is successful, the server response MUST include an HTTP 200 response code with a content
- REQUIREMENT41 *
- When rejecting a request, the server MUST specify either an HTTP 4xx error or an HTTP 5xx error. A CMC response with the content
- A client MUST authenticate an EST server, as specified in Section 3.3.1 if certificate
- An EST client may request a private key and associated certificate from an EST server using an HTTPS POST with an operation path value of *
- Cipher suites that have a NULL confidentiality algorithm MUST NOT be used as they will disclose the contents of an unprotected private key. *
- Proper random number and key generation is a server implementation responsibility, and server archiving of generated keys is determined by CA policy. The key pair and certificate are transferred over the TLS session. The cipher suite used to return the private key and certificate MUST offer confidentiality commensurate with the private key being delivered to the client.
- REQUIREMENT42 *
- The EST client MAY request additional certificates even when using an existing certificate in the TLS client authentication. For example, the client can use an existing certificate for TLS client authentication when requesting a certificate that cannot be used for TLS client authentication.
- The EST server MUST authenticate the client, as specified in Section 3.3.2 if certificate
- AsymmetricDecryptKeyIdentifier *
- If the server does not have a public key matching the identifier specified by the client, the request MUST be terminated and an error returned to the client. Distribution of the key specified by the AsymmetricDecryptKeyIdentifier to the key generator and the client is outside the scope of this document. If the key identified is bound to an X.509 certificate, then the key MUST either explicitly support keyTransport or keyAgreement or its use MUST be unrestricted.
- REQUIREMENT45 *
- The asymmetric-decrypt-key-identifier attribute values have ASN.1 type AsymmetricDecryptKeyIdentifier *
- To specify an asymmetric encryption key to be used to encrypt the server-generated private key, the client MUST include an AsymmetricDecryptKeyIdentifier attribute. The AsymmetricDecryptKeyIdentifier attribute is defined as
- id-aa-asymmDecryptKeyID OBJECT IDENTIFIER *
- If additional encryption is being employed, the private key is placed inside of a CMS SignedData. The SignedData is signed by the party that generated the private key, which may or may not be the EST server or the EST CA. The SignedData is further protected by placing it inside of a CMS EnvelopedData, as described in Section 4 of
- If additional encryption is not being employed, the private key data MUST be placed in an
- If the client specified an asymmetric encryption key suitable for key agreement operations to protect the server-generated private key, the EnvelopedData content is encrypted using a randomly generated symmetric encryption key. The cryptographic strength of the symmetric encryption key SHOULD be equivalent to the client
- If the client specified an asymmetric encryption key suitable for key transport operations to protect the server-generated private key, the EnvelopedData content is encrypted using a randomly generated symmetric encryption key. The cryptographic strength of the symmetric encryption key SHOULD be equivalent to the client
- If the client specified a symmetric encryption key to protect the server-generated private key, the EnvelopedData content is encrypted using the secret key identified in the request. The EnvelopedData RecipientInfo field MUST indicate the key
- If the request is successful, the server response MUST have an HTTP 200 response code with a content
- In all three additional encryption cases, the EnvelopedData is returned in the response as an
- REQUIREMENT46 *
- The certificate data part is an *
- The format in which the private key data part is returned is dependent on whether the private key is being returned with additional encryption on top of that provided by TLS. *
- When rejecting a request, the server MUST specify either an HTTP 4xx error or an HTTP 5xx error. If the content
- CA policy may allow inclusion of client-provided attributes in certificates that it issues, and some of these attributes may describe information that is not available to the CA. In addition, a CA may desire to certify a certain type of public key and a client may not have a priori knowledge of that fact. Therefore, clients SHOULD request a list of expected attributes that are required, or desired, by the CA in an enrollment request or if dictated by local policy.
- REQUIREMENT47 *
- Requesting CSR attributes is optional, but clients are advised that CAs may refuse enrollment requests that are not encoded according to the CA
- The EST server SHOULD NOT require client authentication or authorization to reply to this request. *
- 0201310706052b81040022301606092a864886f70d01 *
- 03 *
- 090e310906072b06010101011606082a8648ce3d0403 *
- 304106092a864886f70d010907301206072a8648ce3d *
- An EST server includes zero or more OIDs or attributes that it requests the client to use in the certification request. The client MUST ignore any OID or attribute it does not recognize. When the server encodes CSR Attributes as an empty SEQUENCE, it means that the server has no specific additional information it desires in a client certification request
- AttrOrOID *
- Attribute *
- BgcrBgEBAQEWBggqhkjOPQQDAw ==
- CsrAttrs *
- For example, if a CA requests a client to submit a certification request containing the challengePassword
- If locally configured policy for an authenticated EST client indicates a CSR Attributes Response is to be provided, the server response MUST include an HTTP 200 response code. An HTTP response code of 204 or 404 indicates that a CSR Attributes Response is not available. Regardless of the response code, the EST server and CA MAY reject any subsequent enrollment requests for any reason, e.g., incomplete CSR attributes in the request.
- If the CA requires a particular cryptosystem or use of a particular signature scheme *
- MEEGCSqGSIb3DQEJBzASBgcqhkjOPQIBMQcGBSuBBAAiMBYGCSqGSIb3DQEJDjEJ *
- OID *
- REQUIREMENT49 *
- Responses to attribute request messages MUST be encoded as the content-type of *
- The sequence is Distinguished Encoding Rules *
- The structure of the CSR Attributes Response SHOULD, to the greatest extent possible, reflect the structure of the CSR it is requesting. Requests to use a particular signature scheme
- and encodes them into an ASN.1 SEQUENCE to produce *
- and then base64 encodes the resulting ASN.1 SEQUENCE to produce *
- value =macAddress
- value =secp384r1
requirements/RQ5.txt
pypi
- After authenticating an EST server and verifying that it is authorized to provide services to the client, an EST client can acquire a certificate for itself by submitting an enrollment request to that server.
- Certificate-less TLS *
- HTTP-based with a username *
- REQUIREMENT5 *
- TLS with a previously installed certificate *
- TLS with a previously issued client certificate *
- The EST server authenticates and authorizes the EST client as specified in Sections 3.3.2, 3.3.3, and 3.7. The methods described in the normative text that are discussed in this overview include
- Additional information *
- Applications which use this media type *
- Author *
- Change controller *
- Clients request a list of attributes that servers wish to be in *
- Dan Harkins <dharkins
- Encoding considerations *
- File extension *
- IANA has registered the following *
- IANA has updated the *
- IANA updated the well-known URI registry with the following filled-in template from .
- Intended usage *
- Interoperability considerations *
- Magic number *
- Optional parameters *
- Person *
- Published specification *
- REQUIREMENT50 *
- Required parameters *
- Restrictions on usage *
- Section 4.4.1.2 defines an OID that has been registered in an arc delegated by the IANA to the PKIX working group. *
- Security Considerations *
- Subtype name *
- The application *
- The media subtype for CSR attributes in a CSR Attributes Response is application *
- Transport *
- Type name *
- URI suffix *
- certification requests. The request *
- in a TLS-protected tunnel. *
- ASN.1 encoding rules *
- As described in CMC, Section 6.7 of
- Certificate-less TLS cipher suites that maintain security and perform the mutual authentication necessary for enrollment have the following properties *
- REQUIREMENT51 *
- Regarding the CSR attributes that the CA may list for inclusion in an enrollment request, there are no real inherent security issues with the content being conveyed, but an adversary who is able to interpose herself into the conversation could exclude attributes that a server may want, include attributes that a server may not want, and render meaningless other attributes that a server may want.
- Support for Basic authentication, as specified in HTTP
- TLS cipher suites that include *
- The server-side key generation method allows keys to be transported over the TLS connection to the client without any application-layer protection. The distribution of private key material is inherently risky. Private key distribution uses the encryption mode of the negotiated TLS cipher suite. Key or as specified in
- Using a certificate-less cipher suite that does not have the properties listed above would render the results of enrollment void and potentially result in certificates being issued to unauthenticated and *
- When a client uses the Implicit TA database for certificate validation *
- When using a certificate-less TLS cipher suite, the shared secret used for authentication and authorization cannot be shared with an entity that is not a party to the exchange
- any advantage an adversary gains is through interaction and not computation. *
- it is possible to perform countermeasures, such as exponential backoff after a certain number of failed attempts, to frustrate repeated active attacks.
- the only information leaked by an active attack is whether or not a single guess of the secret is correct. *
- 2008. *
- 2010. *
- 2011. *
- 2585, May 1999.
- 3986, January 2005.
- 6838, January 2013.
- Authentication *
- Bodies *
- Distinguished Encoding Rules *
- Encodings *
- Extension *
- Extension Definitions *
- Extensions *
- Housley, R., and W. Polk,
- Infrastructure Certificate and Certificate Revocation List *
- Infrastructure Operational Protocols *
- Leach, P., Luotonen, A., and L. Stewart,
- Mail Extensions *
- Management Protocol *
- Masinter, L., Leach, P., and T. Berners
- November 2000. *
- Protect Firmware Packages *
- REQUIREMENT52 *
- RFC 2617, June 1999.
- RFC 2633, June 1999.
- RFC 5652, September 2009.
- Request Syntax Specification Version 1.7 *
- Requirement Levels *
- Requirements for Security *
- Resource Identifier *
- Rules *
- Security *
- Server-Side State *
- Specification *
- Specifications and Registration Procedures *
- Transfer Protocol -- HTTP *
- Uniform Resource Identifiers *
- Updates *
- Verification of Domain-Based Application Service Identity *
- basic notation *
- for TLS *
- over CMS *
- within Internet Public Key Infrastructure Using X.509 *
- August 2010. *
- Authentication *
- Certificate Management over CMS *
- Classes and Attribute Types Version 2.0 *
- Hash Standard *
- Information Service *
- National Institute of Standards and Technology,
- November 2000. *
- REQUIREMENT53 *
- Standard Publication 180-4, March 2012,
- findstds *
- fips180-4 *
- sp800-57_part1_rev3_general.pdf >.
- 2QD *
- 2w8YtRqx8IZoFhcoLkpBDfgLLwhoztzbYvOVKQMidjBlkBEVNR5MWdrs7F *
- 3c *
- 4DwQNJdCXyUf *
- 7ocDCzlkJGbSrELYKOQqX2DI7gJpOENo6EKtr3MZXPljSh3 *
- 9ISlI94oumcRz3uBG1Yg7z83hdDfasmdfbp8gOSNFQIDAQABo0IwQDAPBgNVHRMB *
- 9S12DMpo0GOA1e4Ge3ud5YPOTR *
- 9dCP0rJpA9UYXXhWvFQzd5ZWpms4wUYt1j3gqqd36KorJIAuPigVng13yKytxM7c *
- AAOCAQ8AMIIBCgKCAQEAwDqpiHopaICubpRqbpEN7LqTIqWELFIA9qDDheHIKuyO *
- ADAbMRkwFwYDVQQDExBlc3RFeGFtcGxlQ0EgTndOMB4XDTEzMDUwOTAzNTMzMloX *
- AaNCMEAwDwYDVR0TAQH *
- Accept *
- Af8EBAMCAQYwDQYJKoZIhvcNAQEFBQADggEBACPnQPu5WReUGuCMS0nBOGa2tXh6 *
- Af8EBTADAQH *
- BAQDAgSwMB0GA1UdDgQWBBQITTKxMqATXrfc4ffpCIbt6Gsz0jAfBgNVHSMEGDAW *
- BINBsJozdbXlijrWxL1CSv8f4GwpUFk3CgZjibt *
- CATysbaINEPr4MemqML4tDpR *
- CgKCAQEAnn3rZ3rMJHwf7MD9K4mubxHAvtdnrsQf5OfgtMhRIL4aePNhAdgPyj8C *
- Content-Length *
- Content-Transfer-Encoding *
- Content-Type *
- DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ5962d6zCR8H *
- DTE0MDUwOTAzNTMzMlowGzEZMBcGA1UEAxMQZXN0RXhhbXBsZUNBIE53TjCCASIw *
- DpJXGLiLwfJ9C *
- During the initial TLS handshake, the client can ignore the optional server
- EGVzdEV4YW1wbGVDQSBPd08wHhcNMTMwNTA5MDM1MzMxWhcNMTQwNTA5MDM1MzMx *
- EGsRkw1 *
- EZMNf6lCpE2fDwhfFRZWH6plKKrGkU8mW4yCOCfmOv4xBvqe0K3lvc3M *
- GET *
- GM *
- GcRBgL *
- GzEZMBcGA1UEAxMQZXN0RXhhbXBsZUNBIE93TjCCASIwDQYJKoZIhvcNAQEBBQAD *
- HQYDVR0OBBYEFLHEaeZbowSn2Jejizu *
- HTTP *
- HW *
- Host *
- In response, the server provides the current CA certificates
- KADCxXkh5rM1IqMui7FvBKLWYGdy9sjEf90wAkBjHBe *
- KY1SWzEG23bUxXlvcbUMgANDGj5r6z *
- MIIB66ADAgECAgEBMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNVBAMTEGVzdEV4YW1w *
- MIIMOQYJKoZIhvcNAQcCoIIMKjCCDCYCAQExADALBgkqhkiG9w0BBwGgggwMMIIC *
- NS8jBbw5XradppgcpAAv *
- NkLruwbQ *
- OcluerwEpbz6GvE7CpXl2jrTBZSqBsFelq0iz4kk9 *
- PLUMt5EzYSRd2P3rEdrEoDojzYCLaAgE8rG2iDRD6 *
- R52zoL6nMPzpbKeZi2M0eEBVF8sDueA9Hjo6woLjgJqV0 *
- REQUIREMENT55 *
- SBMGCpLBuwoJcGcAfuSW8IWK9g *
- SL *
- Status *
- The following is an example of a valid *
- User-Agent *
- VQQDExBlc3RFeGFtcGxlQ0EgTndPMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB *
- VmxQnh0aux3aEnEyRGAhGalHp0RaKdgPRzUaGtipJTNBkSV5S4kD4yDCPHMNbBu *
- WjAbMRkwFwYDVQQDExBlc3RFeGFtcGxlQ0EgT3dPMIIBIjANBgkqhkiG9w0BAQEF *
- X0pu6aPmm *
- XJJjMIIDAzCCAeugAwIBAgIBAjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBl *
- Y6TqZMjKPipLxzEFxp0E27DAL9alrfUtdgzKaNBjgNXuBnt7neWDzk0f6uj74zed *
- Z67EH *
- arIyQjwwDgYDVR0PAQH *
- bGVDQSBPd08wHhcNMTMwNTA5MDM1MzMyWhcNMTQwNTA5MDM1MzMyWjAbMRkwFwYD *
- btGltriRVixPWrvt *
- c3RFeGFtcGxlQ0EgTndOMB4XDTEzMDUwOTAzNTMzMloXDTE0MDUwOTAzNTMzMlow *
- c43kZ7369MeEZzCCAvswggHjoAMCAQICCQDprp3DmjOyETANBgkqhkiG9w0BAQUF *
- cL3XDbSwr30j2EQyaTV *
- gBSxxGnmW6MEp9iXo4s7v7lqsjJCPDANBgkqhkiG9w0BAQUFAAOCAQEALhDaE6Mp *
- ggEPADCCAQoCggEBAMA6qYh6KWiArm6Uam6RDey6kyKlhCxSAPagw4XhyCrsjh1v *
- iZ2 *
- jM0MAGNDEW *
- lB0sN524D1XAgz8ZKvWrkh *
- loxOgD3UTV *
- oBNet9zh9 *
- pSPeKLpnEc97gRtWIO8 *
- sxWzCz *
- uZP4mS3J1qEfDePam *
- x6ie *
- zkDEhmd00Ak02aPsi4wRHLFgttUf9HdEHAuTkAESPTU43DiptjkfHhtBMfsFrCkd *
- Accept *
- CSqGSIb3DQEJBzAsBgOINwIxJQYDiDcDBgOINwQTGVBhcnNlIFNFVCBhcyAyLjk5 *
- Content-Length *
- Content-Transfer-Encoding *
- Content-Type *
- GET *
- HTTP *
- Host *
- In response, the server provides suggested attributes that are appropriate for the authenticated client. In this example, the EST server also includes two example attributes that the client would ignore unless the attribute type is known to the client
- MHwGBysGAQEBARYwIgYDiDcBMRsTGVBhcnNlIFNFVCBhcyAyLjk5OS4xIGRhdGEG *
- OS4yIGRhdGEGCSskAwMCCAEBCwYJYIZIAWUDBAIC *
- REQUIREMENT56 *
- SL *
- Status *
- The following is an example of a valid *
- The initial TLS handshake is identical to the enrollment example handshake. The HTTP GET request *
- User-Agent *
- 4lY8fbET4tt7juJg6ixb95 *
- 5thsuj276FGL1vPu0dRfGQfx4WWa9uAHBgz6tW37CepZsrUKe *
- 6mx6pr2pTJ82JavhTEIIt *
- A1UEAxMUZGVtb3N0ZXA0IDEzNjgxNDEzNTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB *
- AAGgITAfBgkqhkiG9w0BCQcxEhMQK3JyQ2lyLzcrRVl1NTBUNDANBgkqhkiG9w0B *
- AQUFAAOCAQEARBv0AJeXaHpl1MFIdzWqoi1dOCf6U *
- Accept *
- Authorization *
- AwIEsDAdBgNVHQ4EFgQU *
- BzCCAe *
- Content-Length *
- Content-Transfer-Encoding *
- Content-Type *
- During the initial TLS handshake, the client can ignore the optional server
- During this exchange, the EST client uses an out
- DwAwggEKAoIBAQClNp *
- HTTP *
- Host *
- In the subsequent HTTP POST, the username
- J9SkUxTYcy1Rw0k3VXfxWwy *
- MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQClNp *
- MIIChTCCAW0CAQAwHzEdMBsGA1UEAxMUZGVtb3N0ZXA0IDEzNjgxNDEzNTIwggEi *
- MIIDOAYJKoZIhvcNAQcCoIIDKTCCAyUCAQExADALBgkqhkiG9w0BBwGgggMLMIID *
- MLR5Krmah3Ik31jmYCSvwTnv6mx6pr2pTJ82JavhTEIIt *
- POST *
- PyMFcM15E9gtUVee5C62bVwuk *
- QlZfOPhaLWen0e2BLNJI0vsC2Fa *
- Qry8YdcBZ *
- R4POrT2xz8ChADEA *
- REQUIREMENT57 *
- Status *
- TYwMzg3 *
- The EST server uses the username *
- The following is an example of a valid *
- VUS *
- WWW-Authenticate *
- XSQffVv *
- ZIXQIxc0eVtMCatnRr3dnZRCAxGjwbqoB3eKt29 *
- b16db20f75f22 *
- cGxlQ0EgTndOMB4XDTEzMDUwOTIzMTU1M1oXDTE0MDUwOTIzMTU1M1owHzEdMBsG *
- cHGBQDQHVTFVjHccdUjAXicrtbsVhU5o1lPv7f4lEApv3SBQmJcaq5O832BzHw7n *
- eFYJpQKz9ddD5e5OzUeCm103ZIXQIxc0eVtMCatnRr3dnZRCAxGjwbqoB3eKt29 *
- hEoDanN7TzC94skfS3VV *
- nonce =
- o1gv4CWxh1I8aRaTXdpOHORvN0SMXdcrlCys2vrtOl *
- rEs9Mlh2CjA *
- rwnqSRjOquzkAkD31BE961KZCxeYGrhxaR4PAgMBAAGjUjBQMA4GA1UdDwEB *
- scRp5lujBKfYl6OLO7 *
- tDEVAgBIEYM *
- wXM830A1O *
- 1O9qT0GyYJ6sxAyKiGTOxk6jMddDoQAxAA ==
- 4MGvRTpmzU *
- 4ZJsOUSVpUmqUogFsM7SOQ6XI4dl *
- 5QJxh7O8JHVlPHo4YIxXtAYSutcbbTN5TXWFCWSrWDJ *
- 9bLbpqBkbVS1udYl3k0tS7V8IblG *
- A1UEAxMhc2VydmVyc2lkZSBrZXkgZ2VuZXJhdGVkIHJlc3BvbnNlMIIBIjANBgkq *
- A4IBAQBHhLmRAKrnTapqqBObDM9IQDQPuwW *
- Accept *
- BFYCFINi2qKMqiJYswkhYxZ1BLz *
- Because the DecryptKeyIdentifier attribute is not included in this request, the response does not include additional encryption beyond the TLS session. The EST server response is
- BiCDjLBQ7xRQCWtlcK9WCA5 *
- Content-Length *
- Content-Transfer-Encoding *
- Content-Type *
- E7pn3JMN6pjIxsHnF4pKi8qvoTSVVjaCEwUe8Q *
- Expect *
- FDCCAfygAwIBAgIBFjANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBlc3RFeGFt *
- FGq93yOhAgMBAAECggEBALQ5az *
- GaNDTfRTUL6AXr7kmMsKVFOJ0JjZExUCVMZtGiqhB6UCgYEA639OtdWLZCzyZFMe *
- GaS798ofxIF0Pl0Dr6 *
- HTTP *
- Host *
- IKK2px5idad4Pb6 *
- IQdNRxldk7DFvpA85Yn1stumoGRtVLW51iXeTS1LtXwhuUb *
- JFJ7XFNeDP656s2DmxSCci *
- KBYm0hFVZZtxfM *
- L4n *
- MB8GA1UdIwQYMBaAFLHEaeZbowSn2Jejizu *
- MIICwTCCAakCAQAwWzE *
- MIIDRQYJKoZIhvcNAQcCoIIDNjCCAzICAQExADALBgkqhkiG9w0BBwGgggMYMIID *
- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDPwKtwJ7TjMgA *
- POST *
- Poj64V909ryql0foP1hU4Yq5y8 *
- Q4nbgsGLwPp1ZQZ *
- REQUIREMENT58 *
- RPigH3kfI6sCgYAPqsCJyFMlrvfRRNZdQewi4VnPsEPF4 *
- RUun *
- SF02n9Sovh93eoJ5latSbfeYUkLtB8L *
- Status *
- The following is an example of a valid *
- The initial TLS handshake is identical to the enrollment example handshake. An example HTTP POSTed message is *
- This is the epilogue. It is also to be ignored. *
- This is the preamble. It is to be ignored, though it is a handy place for estServer to include an explanatory note, including contact or support information.
- To87har2v1Sw9mskI4GhhI6tmVh13pUADmejd5awoaIxChRqvd8joQIDAQABo1Iw *
- UDAOBgNVHQ8BAf8EBAMCBLAwHQYDVR0OBBYEFKeZixu9F *
- VOGKucvP2zj *
- XjjXHsL40WuDG6tMPN9vcT8tE3ruor608MKSHFX *
- Y3rxPlnJVyFmR8Mf2TBOjzuFqva *
- ZXQgU046MTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvE1 *
- bnQgaW4gZGVtbyBzdGVwIDEyIDEzNjgxNDE5NTUxGTAXBgNVBAUTEFBJRDpXaWRn *
- cGxlQ0EgTndOMB4XDTEzMDUwOTIzMjU1NloXDTE0MDUwOTIzMjU1NlowLDEqMCgG *
- cjANBgkqhkiG9w0BAQUFAAOCAQEAR *
- eG8rHtqKlSjnBn4yoYFm70Dhe7QtbZelcaAoPCH6CUHj2St5B8ZHWDtREQKBgHNp *
- f--estServerExampleBoundary *
- fX2 *
- fYHUDi45xBoroy0hBwrnTKRxppua4UK75FUH5PPJfR6cCvw5stRkzIevTZHhozkX *
- ftAvazJ3laQbAgMBAAGgITAfBgkqhkiG9w0BCQcxEhMQZEZzQVhtSm5qb2tCdER2 *
- gvp2RJSnMroPCe6RgTU9E2fmI9rin *
- hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8CrcCe04zIAPj6I *
- mC2TWFHuGoG6XEdMDLa0a9hOfDLvMEPNK8pOp5C *
- p7VlRddoz0VAtrU2dxnEb4cWD8Gerg8uNvp8OG84gH *
- pM7PYH *
- rD5tQOOJU *
- rf4xqpIkiJMmkaOeoXA8PFniX0 *
- s8Yie1tcfVQrjQutqr34 *
- sSIkt5rhz7wYbCqCFR5Aphe *
- srbcqc7DcPXP6Lw42sx96h4jVWWqHVo3DfwFBdUb1LH2cnVXQjgDUHdNdpl01cf *
- veHhCdgOExPw *
- vylUd9HCerzgYaA7rixieQ0sxTvtxhL6PXlM2NEBFQbV16hPFL6 *
- wER *
- zkiNrf *
requirements/RQ6.txt
pypi
- If the EST client has a previously installed certificate issued by a third-party CA, this certificate can be used to authenticate the client
- REQUIREMENT6 *
requirements/RQ7.txt
pypi
requirements/RQ8.txt
pypi
requirements/RQ9.txt
pypi
requirements.txt
pypi
- Cython ==0.29.14
- PLTable ==1.0.2
- Pillow ==9.2.0
- PyYAML ==6.0
- Pygments ==2.13.0
- asttokens ==2.0.8
- astunparse ==1.6.3
- backcall ==0.2.0
- boltons ==21.0.0
- colorama ==0.4.6
- contourpy ==1.0.5
- cvxopt ==1.3.0
- cycler ==0.11.0
- debtcollector ==2.5.0
- decorator ==5.1.1
- dit ==1.5
- ds4se ==0.2.1
- execnb ==0.1.4
- executing ==1.1.1
- fastcore ==1.5.27
- fonttools ==4.38.0
- gensim ==3.8.3
- ghapi ==1.0.3
- ipython ==8.5.0
- jedi ==0.18.1
- joblib ==1.2.0
- kiwisolver ==1.4.4
- lattices ==0.3.5
- matplotlib ==3.6.0
- matplotlib-inline ==0.1.6
- nbdev ==2.3.7
- networkx ==2.8.7
- numpy ==1.23.3
- packaging ==21.3
- pandas ==1.0.5
- parso ==0.8.3
- pickleshare ==0.7.5
- prompt-toolkit ==3.0.31
- pure-eval ==0.2.2
- pycddlib ==2.1.6
- pyemd ==0.5.1
- pyparsing ==3.0.9
- pypoman ==0.5.4
- python-dateutil ==2.8.2
- pytz ==2022.5
- scikit-learn ==0.23.1
- scipy ==1.5.0
- sentencepiece ==0.1.97
- six ==1.16.0
- sklearn ==0.0
- smart-open ==6.2.0
- stack-data ==0.5.1
- threadpoolctl ==3.1.0
- traitlets ==5.5.0
- watchdog ==2.1.9
- wcwidth ==0.2.5
- wrapt ==1.14.1
.github/workflows/commit_log.yml
actions
- actions/checkout v3 composite
- actions/upload-artifact v3 composite
- actions/checkout v3 composite
- actions/setup-python v4 composite
- actions/upload-artifact v3 composite
- tj-actions/changed-files v33 composite
requirements/RQ1.txt
pypi
- Full PKI Request messages can be transported via EST using the Full CMC Request function. This affords access to functions not provided by the Simple Enrollment functions. Full PKI Request messages are defined in Sections 3.2 and 4.2 of
- REQUIREMENT11 *
- CMC *
- Certificates and their corresponding uses *
- During protocol exchanges, different certificates can be used. The following table provides an informative overview. End
- EST Layering *
- Figure 2 *
- Figure 2 provides an expansion of Figure 1, describing how the layers are used. Each aspect is described in more detail in the sections that follow.
- Figure 3 *
- Figure 4 *
- Proof-of-possession *
- Protocols and uses *
- REQUIREMENT13 *
- Specifying HTTPS as the secure transport for enrollment messages introduces two *
- The TLS layer certificate exchange provides a method for authorizing client enrollment requests using existing certificates. Such certificates may have been issued by the CA *
- The TLS layer provides integrity and confidentiality during transport. The proof-of-identity is supplied by TLS handshake authentication and optionally also by the HTTP layer headers. The message type and control *
- This document also defines transport for CMC that complies with the CMC Transport Protocols
- Trust anchor databases and their corresponding uses *
- Details of the EST client application configuration are out of scope of the protocol discussion but are necessary for understanding the prerequisites of initiating protocol operations. The EST client is RECOMMENDED to be configured with TA databases for Section 3.3.1 or with a secret key for Section 3., a
- REQUIREMENT14 *
- The EST client MUST be capable of generating and parsing Simple PKI messages *
- HTTP 1.1 and above support persistent connections. As described in Section 8.1 of RFC 2616, persistent connections may be used to reduce network and processing loads associated with multiple HTTP requests. EST does not require or preclude persistent HTTP connections.
- HTTP is used to transfer EST messages. URIs are defined for handling each media type *
- REQUIREMENT15 *
- HTTP redirections *
- REQUIREMENT16 *
- The HTTP Status value is used to communicate success or failure of an EST function. HTTP authentication is used by a client when requested by the server. *
- The media types specified in the HTTP Content-Type header indicate which EST message is being transferred. Media types used by EST are specified in Section 3.2.4. *
- An EST server MAY provide service for multiple CAs as indicated by an OPTIONAL additional path segment between the registered application name and the operation path. To avoid conflict, the CA label MUST NOT be the same as any defined operation path segment. The EST server MUST provide services regardless of whether the additional path segment is present. The following are three example valid URIs
- An EST server can provide additional services using other URIs. *
- Figure 5 *
- GET *
- In this specification, the distinction between enroll and renew
- Likewise, to request a new certificate in this example scheme, the EST client would use the following request
- Operations and their corresponding URIs *
- POST *
- REQUIREMENT17 *
- The operation path *
- The use of distinct operation paths simplifies implementation for servers that do not perform client authentication when distributing *
- A client MAY set the username to the empty string *
- HTTP Basic and Digest authentication MUST only be performed over TLS 1.1 or later versions. NULL and anon cipher suites MUST NOT be used because they do not provide confidentiality or support mutual certificate
- REQUIREMENT18 *
- Servers that wish to use Basic and Digest authentication reject the HTTP request using the HTTP-defined WWW-Authenticate response-header *
- Support for HTTP-based client authentication has security ramifications as discussed in Section 6. The client MUST NOT respond to the server *
- The EST server MAY request HTTP-based client authentication. This request can be in addition to successful TLS client authentication *
- Figure 6 *
- For consistency with, each distinct EST message type uses an HTTP Content
- REQUIREMENT19 *
- The EST messages and their corresponding media types for each operation are *
- This document uses existing media types for the messages as specified by FTP and HTTP, application
requirements/RQ2.txt
pypi
- Certificate-Less TLS *
- EST CA *
- Explicit Trust Anchor *
- Implicit Trust Anchor *
- In addition to the terms defined in the terminology section of CMC, the following terms are defined for clarity
- It is assumed that the reader is familiar with the terms and concepts described in Public Key Cryptography Standard *
- REQUIREMENT2 *
- The key words *
- Third-Party Trust Anchor *
- HTTPS specifies how HTTP messages are carried over TLS. HTTPS MUST be used. TLS 1.1
- REQUIREMENT20 *
- TLS channel-binding information can be inserted into a certificate request, as detailed in Section 3.5, in order to provide the EST server with assurance that the authenticated TLS client has access to the private key for the certificate being requested. The EST server MUST implement Section 3.5.
- TLS provides authentication, which in turn enables authorization decisions. The EST server and EST client are responsible for ensuring that an acceptable cipher suite is negotiated and that mutual authentication has been performed. TLS authentication is most commonly enabled with the use of certificates
- Certificate validation MUST be performed as per . The EST server certificate MUST conform to the
- If certificate validation fails, the client MAY follow the procedure outlined in Section 4.1.1 for Bootstrap Distribution of CA certificates.
- REQUIREMENT21 *
- TLS server authentication with certificates MUST be supported. *
- The EST client authenticates the EST server as defined for the cipher suite negotiated. The following text provides details assuming a certificate-based cipher suite, such as the TLS 1.1
- The client validates the TLS server certificate using the EST client Explicit and, if enabled, Implicit TA database
- Certificate validation MUST be performed as per . The EST client certificate MUST conform to the
- Generally, the client will use an existing certificate for renew or rekey operations. If the certificate to be renewed or rekeyed is appropriate for the negotiated cipher suite, then the client MUST use it for the TLS handshake, otherwise the client SHOULD use an alternate certificate that is suitable for the cipher suite and contains the same subject identity information. When requesting an enroll operation, the client MAY use a client certificate issued by a third party to authenticate itself.
- If a client does not support TLS client authentication, then it MUST support HTTP
- REQUIREMENT22 *
- TLS client authentication is the RECOMMENDED method for identifying EST clients. HTTP-based client authentication *
- The EST server MUST perform authorization checks as specified in Section 3.7. *
- The EST server authenticates the EST client as defined for the cipher suite negotiated. The following text provides details assuming a certificate-based cipher suite such as the TLS 1.1 mandatory cipher suite
- The server validates the TLS client certificate using the EST server Explicit and, if enabled, Implicit TA database
- Certificate-less TLS cipher suites provide a way to perform mutual authentication in situations where neither the client nor server have certificates, do not desire to use certificates, or do not have the trust anchors necessary to verify a certificate. The client and server MAY negotiate a certificate
- REQUIREMENT23 *
- Successful authentication using a certificate-less cipher suite proves knowledge of a pre-shared secret that implicitly authorizes a peer in the exchange. *
- When using certificate-less mutual authentication in TLS for enrollment, the cipher suite MUST be based on a protocol that is resistant to dictionary attack and MUST be based on a zero knowledge protocol. Transport Layer Security
- If the EST server makes use of a back-end infrastructure for processing, it is RECOMMENDED that the results of this verification be communicated.
- Linking identity and proof-of-possession proves to the server that the authenticated TLS client has possession of the private key associated with the certification request, and that the client was able to sign the certification request after the TLS session was established. This is an alternative to the
- REQUIREMENT25 *
- Server policy will determine whether clients are required to use the mechanism specified in this section. This specification provides a method of linking identity and proof-of-possession by including information specific to the current authenticated TLS session within the signed certification re *
- The client generating the CSR obtains the tls-unique value from the TLS subsystem as described in Channel Bindings for TLS. The EST client operations between obtaining the tls
- The tls-unique value is base64 encoded as specified in Section 4 of, and the resulting string is placed in the certification request challenge
- When performing renegotiation, TLS
- When rejecting requests, the EST server response is as described for all enroll responses
- REQUIREMENT26 *
- The EST client authorization method depends on which method was used to authenticate the server. When the Explicit TA database is used to authenticate the EST server, then Section 3.6.1 applies. When the Implicit TA database is used to authenticate the EST server, then Section 3.6.2 applies. Successful authentication using a certificate
- The client MAY perform bootstrapping as specified in Section 4.1.1 even if these checks fail. *
- The client MUST check EST server authorization before accepting any server responses or responding to HTTP authentication requests. *
- REQUIREMENT27 *
- When the EST client Explicit TA database is used to validate the EST server certificate, the client MUST check either the configured URI or the most recent HTTP redirection URI against the server
- REQUIREMENT28 *
- When the EST client Implicit TA database is used to validate the EST server certificate, the client MUST check the configured URI and each HTTP redirection URI according to the rules specified in