replacement of calls to "openssl" with calls to pyOpenSSL

Bug #1198183 reported by Christian Berendt
This bug affects 2 people
Affects: OpenStack Identity (keystone) | Status: Won't Fix | Importance: Wishlist | Assigned to: Unassigned

Bug Description

There are some calls to "openssl" (for example in keystone/common/openssl.py and keystone/common/cms.py). I would prefer it to use pyOpenSSL instead of calling external 3rd party apps without an absolute path. Are there any rationales for using "openssl" instead of pyOpenSSL? If not I would try to replace all "openssl" calls with calls to pyOpenSSL.

Tags: pki
Revision history for this message
Dolph Mathews (dolph) wrote :

Agree; calling openssl directly has only proven to be a source of debugging difficulty for deployers that I think switching to pyopenssl could help relieve (we'd be able to catch exceptions, provide more relevant error feedback, etc). I'm not aware of any reason why we can't utilize pyopenssl instead.

Changed in keystone:
importance: Undecided → Wishlist
status: New → Confirmed
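The bug description objects to shelling out to "openssl" without an absolute path, and Dolph's reply adds that a Python binding would let keystone catch exceptions and give deployers useful error feedback. The following is an added example, not keystone's code and not what the bug proposes merging: it shows, with the standard library only, what invoking the external binary safely would at least require (resolve it to an absolute path under a trusted directory, strip the inherited environment, and wrap failures in one readable exception). TRUSTED_DIRS, OpensslError and the fake binary planted by demo() are constructed for this example.

```python
"""Added example, not keystone's code: run the openssl binary only by an
absolute path under a trusted directory, and convert failures into one
readable exception instead of a raw CalledProcessError.

TRUSTED_DIRS, OpensslError and demo() are choices made for this example.
"""
import os
import shutil
import subprocess
import tempfile

# Directories a deployer trusts to hold the real openssl binary (assumption).
TRUSTED_DIRS = ("/usr/bin", "/usr/local/bin", "/bin")


class OpensslError(Exception):
    """Carries the command line, exit status and stderr of a failed run."""


def resolve_openssl(search_path=None, trusted_dirs=TRUSTED_DIRS):
    """Return the absolute, symlink-resolved path of openssl.

    search_path defaults to the process PATH; it is a parameter so the lookup
    can be exercised against a constructed PATH. A match whose real location
    is outside trusted_dirs is refused, which a bare "openssl" call resolved
    through PATH cannot guarantee.
    """
    candidate = shutil.which("openssl", path=search_path)
    if candidate is None:
        raise OpensslError("openssl binary not found on PATH")
    real = os.path.realpath(candidate)
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    if os.path.dirname(real) not in trusted:
        raise OpensslError("refusing untrusted openssl at %s" % real)
    return real


def run_openssl(args, stdin=None, search_path=None, trusted_dirs=TRUSTED_DIRS):
    """Run openssl by absolute path with a minimal environment; return stdout."""
    binary = resolve_openssl(search_path, trusted_dirs)
    cmd = [binary] + list(args)
    env = {"PATH": "/usr/bin:/bin"}  # do not inherit caller-controlled variables
    try:
        proc = subprocess.run(cmd, input=stdin, capture_output=True,
                              env=env, check=True)
    except subprocess.CalledProcessError as exc:
        stderr = exc.stderr.decode("utf-8", "replace").strip()
        raise OpensslError("%s exited %d: %s"
                           % (" ".join(cmd), exc.returncode, stderr)) from exc
    return proc.stdout


def demo():
    """Plant a fake 'openssl' in a temp dir (constructed for this example) and
    return (untrusted_rejected, error_message)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        fake = os.path.join(tmpdir, "openssl")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho 'unable to load certificate' >&2\nexit 1\n")
        os.chmod(fake, 0o755)

        # 1. tmpdir first on PATH, as a writable directory could be: refused.
        try:
            resolve_openssl(search_path=tmpdir + os.pathsep + os.defpath)
            rejected = False
        except OpensslError:
            rejected = True

        # 2. Treat tmpdir as trusted to show how a failing run is reported.
        try:
            run_openssl(["x509", "-noout"], search_path=tmpdir,
                        trusted_dirs=(tmpdir,))
            message = ""
        except OpensslError as exc:
            message = str(exc)
    return rejected, message


if __name__ == "__main__":
    print(demo())
```

The second half of demo() is the part Dolph's comment is after: instead of a bare non-zero exit from a subprocess, the caller gets the exact command, its status and openssl's own stderr in one exception it can catch and log.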
Revision history for this message
Jason Ni (jason-ni-py) wrote :

Hi Dolph,

CMS (Cryptographic Message Syntax) values are generated by ASN.1 BER encoding (http://tools.ietf.org/html/rfc5652). However, pyOpenSSL doesn't provide methods to generate or parse CMS format data.

I'm a newbie to this field, but I was very interested in this issue because I thought it would be more efficient to use some Python implementation (C extension or pure Python code) instead of CLI calls. So I dug into this problem and found a solution. With the help of the pyasn1 and pyasn1_modules libraries, we can do operations on CMS data in a very convenient way. And I found M2Crypto is a better wrapper of OpenSSL than pyOpenSSL.

I'm not ready to push the code to keystone yet, but I created a git repo for anyone interested to review it. https://github.com/jason-ni/keystone_cms
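Jason's comment describes CMS as ASN.1 per RFC 5652 and notes that pyOpenSSL cannot generate or parse it. As an added example (not keystone's code and not from the linked repository; standard library only, so no pyasn1 dependency), here is the ContentInfo/SignedData skeleton that any CMS parser has to walk, built and parsed with a minimal DER TLV codec. Signature and digest computation are left out (digestAlgorithms and signerInfos are empty SETs), and the payload is a constructed stand-in for a token body; the OIDs are the id-signedData and id-data values from RFC 5652.

```python
"""Added example, not keystone's code: build and parse a minimal CMS
ContentInfo { id-signedData, [0] SignedData } in DER using only the standard
library. Structure only: no digests, no signers. The payload is constructed.
"""

# Contents octets of the RFC 5652 OIDs (without the 0x06 tag and length)
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID = 0x02, 0x04, 0x06
TAG_SEQUENCE, TAG_SET = 0x30, 0x31
TAG_EXPLICIT_0 = 0xA0  # context-specific [0], constructed


def der_length(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, offset=0):
    """Decode one TLV at offset; return (tag, content, next_offset).
    Only definite lengths are accepted, which is all DER allows."""
    tag = buf[offset]
    first = buf[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[offset:offset + nbytes], "big")
        offset += nbytes
    end = offset + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[offset:end], end


def read_children(content):
    """Split the contents of a constructed type into (tag, content) pairs."""
    children, off = [], 0
    while off < len(content):
        tag, val, off = read_tlv(content, off)
        children.append((tag, val))
    return children


def build_signed_data(payload):
    """ContentInfo wrapping SignedData { version 1, {}, encapContentInfo, {} }."""
    encap = tlv(TAG_SEQUENCE,
                tlv(TAG_OID, OID_DATA)
                + tlv(TAG_EXPLICIT_0, tlv(TAG_OCTET_STRING, payload)))
    signed = tlv(TAG_SEQUENCE,
                 tlv(TAG_INTEGER, b"\x01")   # version
                 + tlv(TAG_SET, b"")         # digestAlgorithms (empty here)
                 + encap                     # encapContentInfo
                 + tlv(TAG_SET, b""))        # signerInfos (empty here)
    return tlv(TAG_SEQUENCE,
               tlv(TAG_OID, OID_SIGNED_DATA) + tlv(TAG_EXPLICIT_0, signed))


def parse_signed_data(der):
    """Return (version, encapsulated payload, signer count); ValueError if the
    input is not a ContentInfo carrying SignedData over id-data."""
    tag, content, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("ContentInfo is not a single SEQUENCE")
    outer = read_children(content)
    if len(outer) != 2:
        raise ValueError("ContentInfo needs contentType and content")
    (ct_tag, ct), (c_tag, c) = outer
    if ct_tag != TAG_OID or ct != OID_SIGNED_DATA or c_tag != TAG_EXPLICIT_0:
        raise ValueError("not id-signedData")
    sd_tag, sd, _ = read_tlv(c)
    if sd_tag != TAG_SEQUENCE:
        raise ValueError("SignedData is not a SEQUENCE")
    # version, digestAlgorithms, encapContentInfo, [certs], [crls], signerInfos
    fields = read_children(sd)
    if len(fields) < 4 or fields[0][0] != TAG_INTEGER:
        raise ValueError("malformed SignedData")
    version = int.from_bytes(fields[0][1], "big")
    encap = read_children(fields[2][1])
    if len(encap) != 2 or encap[0][1] != OID_DATA:
        raise ValueError("unexpected eContentType")
    _, payload, _ = read_tlv(encap[1][1])  # [0] EXPLICIT OCTET STRING
    return version, payload, len(read_children(fields[-1][1]))


def is_signed_data(der):
    try:
        parse_signed_data(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = build_signed_data(b'{"access": {"token": "constructed"}}')
    print(blob.hex())
    print(parse_signed_data(blob))
```

The point of the walk is the nesting: a CMS parser cannot just find the payload by offset, it must check the outer contentType OID, descend through the [0] EXPLICIT wrapper, and read eContent from inside encapContentInfo, rejecting anything that does not match on the way; is_signed_data() shows the rejection path for a blob whose contentType has been swapped.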

Revision history for this message
Dolph Mathews (dolph) wrote :

@jason-ni-py: that's an impressive chunk of code! Feel free to push it to keystone and maintain a WIP status in gerrit until you're ready for reviews geared towards merging the code. The earlier you get the community's attention on this the better :)

Revision history for this message
Alvaro Lopez (aloga) wrote :

@jason-ni-py: M2Crypto was dropped from OpenStack long ago, since it seems to be unmaintained (see https://bugs.launchpad.net/nova/+bug/917851 for further details)

Dolph Mathews (dolph)
tags: added: pki
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

PKI Tokens are Deprecated and this is not needed.

Changed in keystone:
status: Confirmed → Won't Fix