Glance

Ensure digital signatures in Glance are a minimum of SHA2

Bug #1288545 reported by Feilong Wang
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Glance
Fix Released
Medium
Feilong Wang
Glance 2015.1.0 "kilo"

Bug Description

It would be great to enhance Glance to use minimum of SHA2 to do digital signature for FIPS compliance.

In FIPS(FEDERAL INFORMATION PROCESSING STANDARDS) says the SHA-1 is not suitable for general-purpose digital signature applications (as specified in FIPS 186-3) that require 112 bits of security. In the case of digital signatures, SHA-1 does not provide the 112 bits of collision resistance needed to achieve the security strength.

NOTE: This fix may impact the upgrade.

See original description
Feilong Wang (flwang)
Changed in glance:
importance: Undecided → Low
assignee: nobody → Fei Long Wang (flwang)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/80178

Changed in glance:
status: New → In Progress
Feilong Wang (flwang)
Changed in glance:
importance: Low → Medium
Nikhil Komawar (nikhil-komawar)
Changed in glance:
milestone: none → kilo-2
Feilong Wang (flwang)
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/80178
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=82194e0c422966422f7a4e2157125c7ad8fbc5b5
Submitter: Jenkins
Branch: master

commit 82194e0c422966422f7a4e2157125c7ad8fbc5b5
Author: Fei Long Wang <email address hidden>
Date: Thu Jan 22 14:22:09 2015 +1300

    Make digest algorithm configurable

    It would be great to enhance Glance to use minimum of SHA2
    to do digital signature for FIPS compliance. Since in
    FIPS(FEDERAL INFORMATION PROCESSING STANDARDS) says the
    SHA-1 is not suitable for general-purpose digital signature
    applications (as specified in FIPS 186-3) that require 112
    bits of security. In the case of digital signatures, SHA-1
    does not provide the 112 bits of collision resistance needed
    to achieve the security strength.

    Now we're using hardcode 'sha1'. So this patch will make it
    configurable firstly and set the default value as sha1 in
    Kilo for smooth upgrade, which will be changed with sha256
    in next release(L).

    DocImpact
    UpgradeImapact
    SecurityImpact

    Closes-Bug: #1288545

    Change-Id: I9236cc85f4e9881ac1aa35d69bc6761a59c1b6c8

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: kilo-2 → 2015.1.0
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.