
Multi admin example

Fraser Scott edited this page Mar 19, 2015 · 11 revisions

Overview

Inviting an admin is a four-step process:

  1. Alice creates an invite for Bob
  2. Bob creates his admin entity and secures it using the invite key
  3. Alice verifies Bob's entity, encrypts the Org for Bob's entity, and encrypts the Org's public keys using the invite key
  4. Bob verifies and decrypts the Org's public keys and can now use the Org

The invite key must reach Bob over a trusted channel rather than through the repository: it is what lets Alice trust Bob's entity in step 3 and what lets Bob trust the Org's public keys in step 4.

In summary, the pki.io commands run, in this order, are:

alice@precise64:~/test-org$ pki.io admin invite bob
bob@precise64:~/test-org$ pki.io admin new bob --invite-id 52a3758d43daec04b9f404f15d8d21b8 --invite-key c868390c3cc04f4f9d57ad904cccce11
alice@precise64:~/test-org$ pki.io admin run
bob@precise64:~/test-org$ pki.io admin complete bob --invite-id 52a3758d43daec04b9f404f15d8d21b8 --invite-key c868390c3cc04f4f9d57ad904cccce11

This example uses a shared git repository to move data between Alice and Bob.
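To make the four steps concrete, here is a small model of the flow, written for this page and not taken from pki.io itself. A dict named repo stands in for the shared git repository (anyone may push to it, so nothing in it is trusted on its own); finite-field Diffie-Hellman over the RFC 3526 group 14 prime stands in for pki.io's EC keys; and a SHA-256 counter-mode stream with an HMAC tag (encrypt-then-MAC) stands in for a real authenticated cipher. The function names step1_… through step4_… are this example's own, and the Org secret is a constructed placeholder. Only the Python standard library is used, so it runs offline.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator: an assumption of this model, standing in for EC keys.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def _i2b(n):
    return n.to_bytes(256, "big")

def keypair():
    """An entity's key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _stream(key, nonce, length):
    """SHA-256 PRF in counter mode; a stand-in for a real cipher."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _keys(shared, eph_pub, peer_pub):
    """Encryption and MAC keys derived from the DH secret, bound to both public values."""
    ikm = _i2b(shared) + _i2b(eph_pub) + _i2b(peer_pub)
    return hashlib.sha256(b"enc" + ikm).digest(), hashlib.sha256(b"mac" + ikm).digest()

def seal_for(peer_pub, plaintext):
    """Encrypt-then-MAC under an ephemeral DH key so only peer_pub's owner can read it."""
    eph_priv, eph_pub = keypair()
    k_enc, k_mac = _keys(pow(peer_pub, eph_priv, P), eph_pub, peer_pub)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, _i2b(eph_pub) + nonce + ct, "sha256").digest()
    return {"eph": eph_pub, "nonce": nonce, "ct": ct, "tag": tag}

def open_with(priv, pub, box):
    """Verify the tag before decrypting; a tampered container is rejected."""
    k_enc, k_mac = _keys(pow(box["eph"], priv, P), box["eph"], pub)
    tag = hmac.new(k_mac, _i2b(box["eph"]) + box["nonce"] + box["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, box["tag"]):
        raise ValueError("container failed authentication")
    return bytes(a ^ b for a, b in zip(box["ct"], _stream(k_enc, box["nonce"], len(box["ct"]))))

def invite_mac(invite_key, invite_id, pub):
    """'Secures it using the invite key': an HMAC over Bob's public entity under the invite key."""
    return hmac.new(bytes.fromhex(invite_key), invite_id.encode() + _i2b(pub), "sha256").digest()

def step1_alice_invite(alice_index):
    """admin invite: fresh id and key; the key stays in Alice's index and reaches Bob out of band."""
    invite_id, invite_key = secrets.token_hex(16), secrets.token_hex(16)
    alice_index[invite_id] = invite_key
    return invite_id, invite_key

def step2_bob_new(repo, invite_id, invite_key):
    """admin new: Bob publishes his public entity, authenticated under the invite key."""
    priv, pub = keypair()
    repo.setdefault("incoming/invite", {})[invite_id] = {"pub": pub, "mac": invite_mac(invite_key, invite_id, pub)}
    return priv, pub

def step3_alice_run(repo, alice_index, org_secret):
    """admin run: verify each incoming invite, seal the Org for that entity, consume the invite."""
    processed, rejected = 0, 0
    for invite_id, msg in list(repo.get("incoming/invite", {}).items()):
        invite_key = alice_index.get(invite_id)
        if invite_key is None:
            continue                                   # unknown or already-consumed invite id
        if not hmac.compare_digest(invite_mac(invite_key, invite_id, msg["pub"]), msg["mac"]):
            rejected += 1                              # pushed by someone who never had the key
            continue
        repo.setdefault("org-for-admin", {})[msg["pub"]] = seal_for(msg["pub"], org_secret)
        del repo["incoming/invite"][invite_id]
        del alice_index[invite_id]                     # single use: a replay is ignored next run
        processed += 1
    return processed, rejected

def step4_bob_complete(repo, priv, pub):
    """admin complete: Bob opens the Org sealed for his entity and clears his incoming file."""
    return open_with(priv, pub, repo["org-for-admin"].pop(pub))

def demo():
    repo, alice_index = {}, {}
    org_secret = b"constructed stand-in for the Org's private keys"
    invite_id, invite_key = step1_alice_invite(alice_index)
    # Mallory can push to the repo but never saw the invite key: her entity must be rejected.
    _, mallory_pub = keypair()
    repo["incoming/invite"] = {invite_id: {"pub": mallory_pub, "mac": invite_mac("00" * 16, invite_id, mallory_pub)}}
    first = step3_alice_run(repo, alice_index, org_secret)
    bob_priv, bob_pub = step2_bob_new(repo, invite_id, invite_key)   # Bob's push replaces Mallory's
    second = step3_alice_run(repo, alice_index, org_secret)
    got = step4_bob_complete(repo, bob_priv, bob_pub)
    return {"first_run": first, "second_run": second, "bob_has_org": got == org_secret,
            "invite_consumed": invite_id not in alice_index and not repo["incoming/invite"]}
```

The point the model makes is that the repository carries only public values, MACs and sealed containers: whoever can push to it but lacks the invite key (Mallory in demo) cannot get an entity accepted, and once Alice has processed an invite it is removed from her index, so the same id and key cannot be used to enrol a second entity later.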

Setting up the Org

Initialize the shared git repo

alice@precise64:~$ cd /data/git
alice@precise64:/data/git$ mkdir test-org
alice@precise64:/data/git$ chown -R alice:git test-org
alice@precise64:/data/git$ chmod -R g+s test-org
alice@precise64:/data/git$ cd test-org
alice@precise64:/data/git/test-org$ git --bare init
Initialized empty Git repository in /data/git/test-org/

Initialize the pki.io Org

alice@precise64:/data/git/test-org$ cd
alice@precise64:~$ pki.io init test-org
Creating Admin entity
Generating admin keys
Creating Org entity
Generating Org keys
Saving local admin
Saving public admin
Creating org index
Saving org public entity to home
alice@precise64:~$ cd test-org

Initialize local git

alice@precise64:~/test-org$ git init
Initialized empty Git repository in /home/alice/test-org/.git/
alice@precise64:~/test-org$ git remote add origin file:///data/git/test-org/

Let's take a look at what we've got so far...

alice@precise64:~/test-org$ tree
.
|-- api
|   `-- v0
|       |-- 0148dafacac60901bcfa22b0edf78e45
|       |   `-- private
|       |       |-- 0148dafacac60901bcfa22b0edf78e45
|       |       `-- cbf2c26dd189a8a14c21de61f34de526
|       `-- 362e29729c7880e93d709dde37e7502e
|           `-- public
|               `-- 362e29729c7880e93d709dde37e7502e
`-- org.conf

6 directories, 4 files

alice@precise64:~/test-org$ cat org.conf
name = "test-org"
id = "0148dafacac60901bcfa22b0edf78e45"
index = "cbf2c26dd189a8a14c21de61f34de526"

Commit the new files

alice@precise64:~/test-org$ git add .
alice@precise64:~/test-org$ git commit -am 'first commit'
[master (root-commit) e56a672] first commit
 4 files changed, 6 insertions(+)
 create mode 100644 api/v0/0148dafacac60901bcfa22b0edf78e45/private/0148dafacac60901bcfa22b0edf78e45
 create mode 100644 api/v0/0148dafacac60901bcfa22b0edf78e45/private/cbf2c26dd189a8a14c21de61f34de526
 create mode 100644 api/v0/362e29729c7880e93d709dde37e7502e/public/362e29729c7880e93d709dde37e7502e
 create mode 100644 org.conf

And push to the central repo

alice@precise64:~/test-org$ git push origin master
Counting objects: 12, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (12/12), 3.49 KiB, done.
Total 12 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (12/12), done.
To file:///data/git/test-org/
 * [new branch]      master -> master

Create a pairing key and CA

First the pairing key

alice@precise64:~/test-org$ pki.io pairing-key new --tags web
Loading admin app
Loading admin entity
Loading org entity
Creating the key
Pairing ID: 16774d35ba1bb843d4fc10af8d17d023
Pairing key: c49b7b05fbfe597a48f99109f86262a5
Saving key to index

Now the CA

alice@precise64:~/test-org$ pki.io ca new web-ca --tags web
Loading admin app
Loading admin entity
Loading org entity
Saving CA
Updating index

Commit the pairing key and CA

alice@precise64:~/test-org$ git add .
alice@precise64:~/test-org$ git commit -m 'web pairing key and ca'
[master 66c5ce7] web pairing key and ca
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 api/v0/0148dafacac60901bcfa22b0edf78e45/private/113036365040189421093472070122636709641
 rewrite api/v0/0148dafacac60901bcfa22b0edf78e45/private/cbf2c26dd189a8a14c21de61f34de526 (82%)

Push to shared repo

alice@precise64:~/test-org$ git push origin master
Counting objects: 14, done.
Delta compression using up to 2 threads.
...
   e56a672..66c5ce7  master -> master

Inviting Bob

Create an invite for Bob

alice@precise64:~/test-org$ pki.io admin invite bob
Loading admin app
Loading admin entity
Loading org entity
Invite ID: 52a3758d43daec04b9f404f15d8d21b8
Invite key: c868390c3cc04f4f9d57ad904cccce11
Creating the key
Saving key to index

And commit the files

alice@precise64:~/test-org$ git add .
alice@precise64:~/test-org$ git commit -m 'inviting bob'
[master 8d48bd1] inviting bob
 1 file changed, 1 insertion(+), 1 deletion(-)
 rewrite api/v0/0148dafacac60901bcfa22b0edf78e45/private/cbf2c26dd189a8a14c21de61f34de526 (85%)

Push to the shared repo

alice@precise64:~/test-org$ git push origin master
Counting objects: 13, done.
...
   66c5ce7..8d48bd1  master -> master

Alice gives Bob the invite ID and key

Over a trusted channel, Alice shares the invite ID and key with Bob. The channel matters: anyone who learns the invite key before Alice runs `pki.io admin run` can create an entity that she will accept as Bob. Note also that Bob passes the key on his command line in the next steps, so it will be recorded in his shell history unless he takes care to avoid that.

Bob gets the repo files

bob@precise64:~$ git clone /data/git/test-org/
Cloning into 'test-org'...
done.
bob@precise64:~$ cd test-org

Then Bob creates his admin user

bob@precise64:~/test-org$ pki.io admin new bob --invite-id 52a3758d43daec04b9f404f15d8d21b8 --invite-key c868390c3cc04f4f9d57ad904cccce11
Creating Admin entity
Generating admin keys
Saving local admin
Saving public admin
Encrypting node for org
Pushing container to org

Let's see what we've got so far...

bob@precise64:~/test-org$ tree
.
|-- api
|   `-- v0
|       |-- 0148dafacac60901bcfa22b0edf78e45
|       |   |-- incoming
|       |   |   `-- invite
|       |   |       `-- 550a0410-f35f-3ed1-efb3-fb9374acc4af
|       |   `-- private
|       |       |-- 0148dafacac60901bcfa22b0edf78e45
|       |       |-- 113036365040189421093472070122636709641
|       |       `-- cbf2c26dd189a8a14c21de61f34de526
|       |-- 362e29729c7880e93d709dde37e7502e
|       |   `-- public
|       |       `-- 362e29729c7880e93d709dde37e7502e
|       `-- 5fd70847aa5c5355b4f670aa2fa1a441
|           `-- public
|               `-- 5fd70847aa5c5355b4f670aa2fa1a441
`-- org.conf

Bob commits and shares the changes

First commit

bob@precise64:~/test-org$ git add .
bob@precise64:~/test-org$ git commit -m 'accepting invite'
[master c7db60c] accepting invite
 2 files changed, 2 insertions(+)
 create mode 100644 api/v0/0148dafacac60901bcfa22b0edf78e45/incoming/invite/550a0410-f35f-3ed1-efb3-fb9374acc4af
 create mode 100644 api/v0/5fd70847aa5c5355b4f670aa2fa1a441/public/5fd70847aa5c5355b4f670aa2fa1a441

Then push

bob@precise64:~/test-org$ git push origin master
Counting objects: 15, done.
...
To /data/git/test-org/
   8d48bd1..c7db60c  master -> master

Alice processes Bob's new admin

First she gets the changes

alice@precise64:~/test-org$ git pull origin master
remote: Counting objects: 15, done.
...
 create mode 100644 api/v0/0148dafacac60901bcfa22b0edf78e45/incoming/invite/550a0410-f35f-3ed1-efb3-fb9374acc4af
 create mode 100644 api/v0/5fd70847aa5c5355b4f670aa2fa1a441/public/5fd70847aa5c5355b4f670aa2fa1a441

Processes any outstanding invites

alice@precise64:~/test-org$ pki.io admin run
Loading admin app
Loading admin entity
Loading org entity
Processing invites
Found 1 invites to process
Reading invite key: 52a3758d43daec04b9f404f15d8d21b8
Verifying and decrypting admin invite
Found 0 invites to process

Commits the changes

alice@precise64:~/test-org$ git add -A .
alice@precise64:~/test-org$ git commit -m 'processing admin bob'
[master f9228a6] processing admin bob
...
 create mode 100644 api/v0/5fd70847aa5c5355b4f670aa2fa1a441/incoming/invite/550a055f-08fd-312a-8a1b-d806d0f041a0

And pushes

alice@precise64:~/test-org$ git push origin master
Counting objects: 19, done.
...
   c7db60c..f9228a6  master -> master

Bob completes the invite

First he gets the changes

bob@precise64:~/test-org$ git pull
remote: Counting objects: 19, done.
...

Completes the invite

bob@precise64:~/test-org$ pki.io admin complete bob --invite-id 52a3758d43daec04b9f404f15d8d21b8 --invite-key c868390c3cc04f4f9d57ad904cccce11
Loading admin entity
Saving org public entity to home

Commits

bob@precise64:~/test-org$ git commit -m 'completing bob'
[master 4545c79] completing bob
 1 file changed, 1 deletion(-)
 delete mode 100644 api/v0/5fd70847aa5c5355b4f670aa2fa1a441/incoming/invite/550a055f-08fd-312a-8a1b-d806d0f041a0

And pushes

bob@precise64:~/test-org$ git push origin master
...
To /data/git/test-org/
   f9228a6..4545c79  master -> master

Alice does something interesting

Gets the changes

alice@precise64:~/test-org$ git pull origin master
...
 delete mode 100644 api/v0/5fd70847aa5c5355b4f670aa2fa1a441/incoming/invite/550a055f-08fd-312a-8a1b-d806d0f041a0

Alice creates a new node

alice@precise64:~/test-org$ pki.io node new server1 --pairing-id 16774d35ba1bb843d4fc10af8d17d023 --pairing-key c49b7b05fbfe597a48f99109f86262a5
Loading admin app
Loading admin entity
Loading org entity
Creating new node
Generating node keys
Encrypting node for org
Pushing container to org
Switching to node context
Creating node index
Creating node config
Creating CSRs
Generating CSRs
Creating new CSR
Saving local CSR
Pushing public CSR
...
Saving node index

Alice shares the changes

alice@precise64:~/test-org$ git add .
alice@precise64:~/test-org$ git commit -m 'adding server1'
[master 70dff9f] adding server1
...
alice@precise64:~/test-org$ git push origin master
Counting objects: 35, done.
   4545c79..5f7f99c  master -> master

Bob does something interesting

Gets the changes

bob@precise64:~/test-org$ git pull origin master
remote: Counting objects: 35, done.
...

Processes Org jobs

bob@precise64:~/test-org$ pki.io org run
Loading admin app
Loading admin entity
Loading org entity
Registering nodes
Found 1 nodes to register
Reading pairing key: 16774d35ba1bb843d4fc10af8d17d023
Verifying and decrypting node registration
Adding node to index
Encrypting and signing node for Org
Looking for CAs for tag web
Found CA 113036365040189421093472070122636709641
Getting CSR for node
Getting CA
Creating certificate
Tagging cert
Signing cert
Pushing certificate to node
Found 0 nodes to register

Processes node jobs

bob@precise64:~/test-org$ pki.io node run --name server1
Loading admin app
Loading admin entity
Loading org entity
Loading node app
Loading node index
Processing certs
Found 1 certs to process
Found 0 certs to process
Saving node index

Shares the changes

bob@precise64:~/test-org$ git add -A .
bob@precise64:~/test-org$ git commit -m 'processing server1'
[master 0d2f98a] processing server1
... 
bob@precise64:~/test-org$ git push origin master
Counting objects: 25, done.
...
5f7f99c..0d2f98a  master -> master

Alice finishes up

Gets the changes

alice@precise64:~/test-org$ git pull origin master
...
 * branch            master     -> FETCH_HEAD

Alice looks at the node Bob processed

alice@precise64:~/test-org$ pki.io node show --name server1
Loading admin app
Loading admin entity
Loading org entity
Loading node app
Loading node index
Node name: server1
Node ID: f7be50f890caecd978a4cb53545e99dc
Public Signing Key:
-----BEGIN ECDSA PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYVewIwvc5oPWiYU7X/92PvkDLqjT
Xt4jv6RGlvTKFJyyqHjbijapx2BPz93xP+2bdPKpjXdUmKj4pbakdq4LfQ==
-----END ECDSA PUBLIC KEY-----

Public Encryption Key:
-----BEGIN ECDSA PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZvmQ362C1utDZw46Wn+fSa6j+DtJ
nxhGAdruQrNEJZjZAdMYPDLjZCZSXy+lwh70KgtxiBmJcHNC9vMjwrlQRA==
-----END ECDSA PUBLIC KEY-----

Certificate tags:
map[web:[a0a37756eafcb513b71d38f4846f3a56]]
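The two key blocks above are labelled ECDSA PUBLIC KEY, which is pki.io's own PEM label; the base64 body is a standard SubjectPublicKeyInfo (its leading bytes encode id-ecPublicKey with the prime256v1 curve), so it can be inspected with ordinary tools once relabelled. The following example, written for this page and not part of pki.io, parses the Public Signing Key shown above with a minimal stdlib-only DER reader, recovers the curve and the (x, y) point, and checks that the point actually lies on P-256 before anyone would use it; the curve table, function names and the relabelling helper are this example's own.

```python
import base64

# The Public Signing Key printed by `pki.io node show --name server1` on this page.
PAGE_SIGNING_KEY = """-----BEGIN ECDSA PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYVewIwvc5oPWiYU7X/92PvkDLqjT
Xt4jv6RGlvTKFJyyqHjbijapx2BPz93xP+2bdPKpjXdUmKj4pbakdq4LfQ==
-----END ECDSA PUBLIC KEY-----"""

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

# Named curves this example understands: OID -> (name, coordinate bytes, p, b); a = p - 3 for P-256.
CURVES = {
    "1.2.840.10045.3.1.7": (
        "P-256", 32,
        0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    ),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def to_standard_pem(pem):
    """Relabel the block so tools expecting the RFC 7468 'PUBLIC KEY' label accept it."""
    return pem.replace("ECDSA PUBLIC KEY", "PUBLIC KEY")

def parse_ec_spki(pem):
    """Return curve and affine point from a pki.io (or standard) EC public key PEM."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, alg_oid, pos2 = _tlv(alg, 0)
    if tag != 0x06 or _oid(alg_oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, curve_oid, _ = _tlv(alg, pos2)
    if tag != 0x06 or _oid(curve_oid) not in CURVES:
        raise ValueError("unsupported or missing named curve")
    name, size, _, _ = CURVES[_oid(curve_oid)]
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected a BIT STRING with no unused bits")
    point = bits[1:]
    if point[0] != 0x04 or len(point) != 1 + 2 * size:
        raise ValueError("expected an uncompressed point")
    x = int.from_bytes(point[1:1 + size], "big")
    y = int.from_bytes(point[1 + size:], "big")
    return {"curve": name, "curve_oid": _oid(curve_oid), "x": x, "y": y}

def on_curve(curve_oid, x, y):
    """Reject points off the curve (the invalid-curve class of attacks) before using a key."""
    _, _, p, b = CURVES[curve_oid]
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x - 3 * x + b)) % p == 0

def check_pkiio_pubkey(pem):
    """Parse a pki.io public key block and report whether its point is valid."""
    key = parse_ec_spki(pem)
    key["on_curve"] = on_curve(key["curve_oid"], key["x"], key["y"])
    return key
```

The on-curve check is the part worth keeping in any code that consumes these keys: a DER structure can be perfectly well-formed while carrying a point that is not on the named curve, and such a key should be refused rather than used for verification or key agreement.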

And exports the certificates

alice@precise64:~/test-org$ pki.io node cert --name server1 --tags web --export server1.tar.gz
Loading admin app
Loading admin entity
Loading org entity
Loading node app
Loading node index
Getting certs for tag: web
Exporting

Finally, Alice takes a look at the export

alice@precise64:~/test-org$ tar -ztvf server1.tar.gz
-rw-r--r-- 0/0             579 2015-03-18 23:21 server1-cert.pem
-rw------- 0/0             233 2015-03-18 23:21 server1-key.pem

The archive contains the node's private key (server1-key.pem, mode 0600) alongside the certificate, so it should be moved to server1 over a protected channel and removed from Alice's workstation once it has been installed.