[Pki-devel] [rhcs-dev-list] latest restful interface doc

Ade Lee alee at redhat.com
Wed Oct 19 01:50:11 UTC 2011 

On Tue, 2011-10-18 at 18:13 -0700, Jack Magne wrote:
> On 10/18/2011 02:44 PM, Ade Lee wrote: 
> > Based on discussions with jmagne and ayoung, here is the latest version.
> > Please feel free to comment!
> > 
> > ayoung will post to wiki.
> > 
> > Ade
> > 
> >   
> Ade: 
> 
> A few questions:
> 
> 1. I see that for the ocsp service we have something like this:
> 
> "GET" 
> "/pki/certificate/ocsp" 
> "Get OCSP response"
> 
> 
> I see that perhaps we are trying to first get to the certificate in
> question and then drill down into the ocsp status of said certificate.
> 
> Question is, is it not true that OCSP responders respond to a common
> format (so any client can connect) as explained here:
> 
> A.1.1 Request
> 
>    HTTP based OCSP requests can use either the GET or the POST method to
>    submit their requests. To enable HTTP caching, small requests (that
>    after encoding are less than 255 bytes), MAY be submitted using GET.
>    If HTTP caching is not important, or the request is greater than 255
>    bytes, the request SHOULD be submitted using POST.  Where privacy is
>    a requirement, OCSP transactions exchanged using HTTP MAY be
>    protected using either TLS/SSL or some other lower layer protocol.
> 
>    An OCSP request using the GET method is constructed as follows:
> 
>    GET {url}/{url-encoding of base-64 encoding of the DER encoding of
>    the OCSPRequest}
> 
>    where {url} may be derived from the value of AuthorityInfoAccess or
>    other local configuration of the OCSP client.
> 
>    An OCSP request using the POST method is constructed as follows: The
>    Content-Type header has the value "application/ocsp-request" while
>    the body of the message is the binary value of the DER encoding of
>    the OCSPRequest.
> 
> I wonder if instead of drilling down to a cert and proceeding, it would make more sense to have a top level url ending with perhaps "ocsp", that is then passed the 
> certificate info in the standard way? I don't know if this is in fact restful.
> 
I was actually thinking of /pki/certificate/ocsp as kind of a top level
request -- that is -- I did not specify /pki/certificate/ocsp/$id.  It
may make it more clear to specify this as /pki/ocsp or some such.  I did
not use /pki/ocsp because that would conflict with the
system /pki/ocsp. 

Its a good point though that the standard expects the OCSP request to be
submitted using POST.  I think we should do that.

> 2. I was curious as to what the following does:
> 
> 
> 
> 
> 
> 
> 
> "PUT" 
> "/pki/certificate" 
> "Add a
> certificate" 
> "None",,, 
> Is this actually for submitting a certificate request? I realize there is a section below dealing with requests.
> Is this perhaps something that is referenced by some other piece of the server itself? Like approving a request would trigger this?
> 
Are you looking at the right version?  In the latest, this is POST-a ..

Actually - I had put this in for completeness but in the interest of
clarity, we should remove it.  This operation - as well as the ones for
DELETE for keys, certs and cert requests should be removed from the doc.

> 3. I notice proceeding below there is a whole section devoted to profiles. I assume the bulk of the requests are agent and adminy type actions in managing profiles. 
> I was just wondering if we have a handle on how to actually USE a profile, that is have the standalone client be able to apply for a certificate using one of these profiles we have?
> 
> 
> Is it absorbed into the act of creating "requests" further down into the API? One of the payload params would be a profile? Or perhaps a portion of the url itself would be
> for the profile used?
> 
Yes -requests are done using profiles.  We may in fact end up doing
something like this : POST /pki/request/${profile_id}  for example.
This would act like a factory URL that would end up generating a request
as /pki/request/0xfeed

The payload would need to include the relevant inputs as specified by
the profile.

The profile URLs that change the profile are agent/admin operations.  It
is possible for a client to GET a list of profiles (/pki/profiles) or
the details (including inputs, outputs and constraints) of a specific
profile (GET /pki/profile/$profile_id ) and craft a request accordingly
and parse the response accordingly.

> 
> . Also in some of the online doco they express the requests with
> possibly some sort of templated param at the end like this: GET
> pki/certificate/{cert_serial_no} or some such. Is this convention kind
> of implied by the API or would it be filled in later?

Its implied - but I think you are looking at the wrong version.  In this
last version, I did explicitly say -- GET /pki/certificate/$id
> 
> Looks like it is shaping up as we continue to discuss.
> 
> thanks,
> jack
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list