Security checklist should ensure that PKI tokens aren't used with an insecure hashing algorithm

Bug #1820813 reported by Chris MacNaughton
Affects                   Status        Importance  Assigned to        Milestone
OpenStack Keystone Charm  Fix Released  Undecided   Chris MacNaughton

Bug Description

The charm should configure the token hashing algorithm to use SHA256 per the OpenStack Security Guide[1] and then validate it with the action.

[1]: https://docs.openstack.org/security-guide/identity/checklist.html#check-identity-04-does-identity-use-strong-hashing-algorithms-for-pki-tokens

Revision history for this message
Frode Nordahl (fnordahl) wrote :

Support for PKI tokens was removed from the charms in the 18.08 release. Would not the fact that we do not support PKI tokens give us a green light for that bullet?

Changed in charm-keystone:
status: New → Incomplete
Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

Indeed, I created this bug as a tracking bug to target for the security guide - as the charm does have an action to assert that it is setup correctly. Somewhat annoyingly, it didn't link from Gerrit - https://review.openstack.org/#/c/644513/

summary: - Charm should configure token hashing algorithm
+ Security checklist should ensure that PKI tokens aren't used with an
+ insecure hashing algorithm
description: updated
Changed in charm-keystone:
status: Incomplete → In Progress
assignee: nobody → Chris MacNaughton (chris.macnaughton)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone (master)

Reviewed: https://review.openstack.org/644513
Committed: https://git.openstack.org/cgit/openstack/charm-keystone/commit/?id=165e875e59cf66742e22e2360adf80e703c44b4a
Submitter: Zuul
Branch: master

commit 165e875e59cf66742e22e2360adf80e703c44b4a
Author: Chris MacNaughton <email address hidden>
Date: Tue Mar 19 09:49:07 2019 +0100

    Correct token hashing check

    When using the PKI token provider, it is necessary to
    ensure that a secure hashing algorithm is used. The
    charms never configure a PKI provider but the checklist
    action is still a valid runtime check.

    Change-Id: If0869124e4fcf7af68f636b9e4d3027c83407a4f
    Closes-Bug: 1820813
    Func-Test-PR: https://github.com/openstack-charmers/zaza/pull/200

Changed in charm-keystone:
status: In Progress → Fix Committed
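
The runtime check that the bug description asks for and that the commit message above keeps (Check-Identity-04 of the OpenStack Security Guide), written out as a stand-alone script. This is an added example for this page, not the keystone charm's security-checklist action and not code from charmhelpers or keystone. It reads only the real keystone.conf options `[token] provider` and `[token] hash_algorithm`; the treatment of a missing provider as fernet and of a missing hash_algorithm as md5 are assumptions stated in the code, and the sample configurations are constructed here, not taken from any deployment. The point the thread makes is encoded directly: a non-PKI provider makes the hash setting irrelevant and the item passes, while a PKI/PKIZ provider with md5 (or no value at all) fails.

```python
"""Stand-alone check for Security Guide item Check-Identity-04.

Added example: this is NOT the keystone charm's security-checklist
action, only an illustration of the runtime check the bug discusses.
It inspects the [token] section of a keystone.conf and:
  * if the token provider is not PKI/PKIZ, hash_algorithm is unused and
    the item is reported as passed (the charms never configure PKI);
  * if it is PKI/PKIZ, hash_algorithm must be a SHA-2 family digest.
    An absent hash_algorithm is treated as md5 (assumption: that was
    keystone's legacy default) and therefore fails.
"""
import configparser
import sys

# Provider names keystone used for PKI tokens. Older configs carried the
# full class path (e.g. keystone.token.providers.pkiz.Provider), so the
# match is on dotted components rather than on the whole string.
PKI_PROVIDERS = {"pki", "pkiz"}
STRONG_HASHES = {"sha256", "sha384", "sha512"}
DEFAULT_PROVIDER = "fernet"  # assumption for a missing key (current default)
DEFAULT_HASH = "md5"         # assumption: keystone's legacy default


def check_pki_token_hash(conf_text):
    """Return (passed, reason) for Check-Identity-04 against conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    provider = cp.get("token", "provider",
                      fallback=DEFAULT_PROVIDER).strip().lower()
    if not PKI_PROVIDERS.intersection(provider.split(".")):
        return True, ("token provider %r is not a PKI provider; "
                      "hash_algorithm is not used" % provider)
    algo = cp.get("token", "hash_algorithm",
                  fallback=DEFAULT_HASH).strip().lower()
    if algo in STRONG_HASHES:
        return True, "PKI provider %r uses hash_algorithm %r" % (provider, algo)
    return False, ("PKI provider %r uses weak hash_algorithm %r; "
                   "set [token] hash_algorithm = sha256" % (provider, algo))


def check_keystone_conf_file(path):
    """Run the check against a keystone.conf on disk."""
    with open(path) as fh:
        return check_pki_token_hash(fh.read())


# Constructed sample configurations (not taken from any deployment).
SAMPLES = {
    "pki-md5": "[token]\nprovider = pki\nhash_algorithm = md5\n",
    "pki-default-hash": "[token]\nprovider = pki\n",
    "pkiz-classpath-sha512": ("[token]\nprovider = "
                              "keystone.token.providers.pkiz.Provider\n"
                              "hash_algorithm = sha512\n"),
    "pkiz-sha256": "[token]\nprovider = pkiz\nhash_algorithm = SHA256\n",
    "fernet-with-md5": "[token]\nprovider = fernet\nhash_algorithm = md5\n",
    "no-token-section": "[DEFAULT]\ndebug = false\n",
}


def main(argv):
    """With a path argument, check that file; otherwise run the samples."""
    if len(argv) > 1:
        passed, reason = check_keystone_conf_file(argv[1])
        print("%s: %s" % ("PASS" if passed else "FAIL", reason))
        return 0 if passed else 1
    rc = 0
    for name, text in SAMPLES.items():
        passed, reason = check_pki_token_hash(text)
        print("%-22s %s: %s" % (name, "PASS" if passed else "FAIL", reason))
        rc |= 0 if passed else 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the six constructed cases, or as `python3 check_identity_04.py /etc/keystone/keystone.conf` on a unit; the exit status is non-zero only when a PKI provider is actually paired with a weak digest, which is what lets the check stay in the checklist even though the charm never configures PKI.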
James Page (james-page)
Changed in charm-keystone:
milestone: none → 19.04
David Ames (thedac)
Changed in charm-keystone:
status: Fix Committed → Fix Released