Version 4 (modified by Aaron Helsinger, 13 years ago) (diff)


GENI Credentials

Credentials are used to authorize actions (where certificates authenticate and URNs identify). They specify the permissions of the Owner relative to a Target object.

A credential provides the credential's owner with permissions on a target object (identified by a URN). For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice. The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of can_delegate on privileges is an xsd:boolean, meaning it should be one of 1, 0, true, or false.

In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions.

GENI Credentials are signed XML containing:

  • Owner GID, which is a PEM format X509 certificate, containing the owner's URN in the Subject Alt Name field. See GeniApiCertificates.
  • Owner URN to identify the owner (entity whose permissions are being specified). For information on URNs, see GeniApiIdentifiers.
  • Target GID
  • Target URN
  • Expiration date
  • List of privileges (string names)
  • Signature of the issuer of the credential. The issuer should be an authority over the Target's namespace. See GeniApiIdentifiers.

Credential Format

The schema is available at

<?xml version="1.0"?>
        <credential xml:id="ref0">
                <owner_gid>certificate here</owner_gid>
                <target_gid>certificate here</target_gid>

                signature information here      

Type Type can be one of 'privilege', 'ticket', and 'capability'. The GENI AM API is only concerned with privilege credentials.

Serial This is a value specified by the issuer, and can be any string.

Owner GID The X509 certificate of the owner of the credential (who the credential is being made for). The certificate should be in PEM format, and can be chained.

Owner URN The URN of the owner.

Target GID The X509 certificate of the target of the credential. The certificate should be in PEM format, and can be chained.

Target URN The URN of the target. The signer of the credential should either have the same URN as the target (this is a difference from ProtoGENI) or should be an authority over the target URN's namespace (see identifiers).

UUID This is unused.

Expires ISO 8601 date and time of when the credential becomes invalid. If no timezone is specified, times are assumed to be in UTC.

Privileges The privileges are the rights that are assigned to the owner of the credential on the target resource. The SFA-derived control frameworks use different permission names, but they have similar semantic meaning. If a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity. Currently, the only credentials used in the GENI API are slice credentials and user credentials. Privileges have not yet been agreed upon between the control frameworks. Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials. Slice credentials have "slice" rights. ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice). See for more information on ProtoGENI privileges.

can_delegate Privileges can be delegated. Every privilege gets a sub-element can_delegate. The value is an xsd:boolean, meaning it should be one of 1, 0, true, or false.

Signatures The preceding XML is signed using the XML Signature specification (see SFA and ProtoGENI use the xmlsec1 binary to sign credentials. For more information on using xmlsec1, please see the bottom of this page. If a credential is delegated, then the owner creating the new (delegated) credential signs the new credential and the original signature and the new signature are placed in the <Signatures> section. For more information on delegation please see:

Parent If the credential is a delegated credential then the original credential is placed within its parent tag.

Credential Validation

Please see for credential verification and validation details.

Development Experience


The xmlsec1 binary (installed as part of the xmlsec library) will take an XML file that has a signature template appended to it and an xml:id attribute, and sign the portion of the XML document designated by the same xml:id using the provided key. The signature is placed within the appended signature template. Discussion of installation and usage is provided below

On fedora 8, yum install xmlsec1 xmlsec1-openssl-devel xmlsec1-devel

If you get errors about unimplemented features when you run 'xmlsec1 --encrypt blah' instead of errors about unable to find file blah, then you need to install more libraries until it's happy.

The signature template is the following (replace "ref0" with the xml:id if your XML section that is signed):

<Signature xml:id="Sig_ref0" xmlns="">                                                        
      <CanonicalizationMethod Algorithm=""/>                                   
      <SignatureMethod Algorithm=""/>                                               
      <Reference URI="#ref0">                                                                                                   
        <Transform Algorithm="" />                                       
      <DigestMethod Algorithm=""/>                                                      
    <SignatureValue />                                                                                                        
      <KeyValue />                                                                                                            

This is a command to sign and verify an XML file with a signature appendage

xmlsec1 sign --node-id "Sig_ref1" --privkey-pem ~/.sfi/jkarlin.pkey,~/.sfi/jkarlin.cert template.xml > signed_template.xml
xmlsec1 verify --node-id "Sig_ref1" --trusted-pem intermediate_ca_cert --trusted-pem root_ca_cert signed.xml

It seems that you can't chain the certificates passed to trusted-pem, it chokes on it. Instead you have to list each cert individually.

Attachments (1)

Download all attachments as: .zip