weak digest algorithm for PKI

Bug #1362343 reported by Brant Knudson
Affects                         Status         Importance   Assigned to      Milestone
OpenStack Identity (keystone)   Won't Fix      Wishlist     Brant Knudson
python-keystoneclient           Fix Released   Wishlist     Brant Knudson

Bug Description

The digest algorithm for PKI tokens is the openssl default of sha1. This is a weak algorithm and some security standards require a stronger algorithm such as sha256. Keystone should make the token digest hash algorithm configurable so that deployments can use a stronger algorithm.

Also, the default could be stronger.
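The check a deployer would want for this report, as an added example that is not keystone or python-keystoneclient code: a small Python script that builds two constructed CMS SignedData blobs (one carrying the SHA-1 OID, which is what `openssl cms -sign` used when no `-md` was passed, and one carrying SHA-256, as passing `-md sha256` produces) and then parses the DER to read the `digestAlgorithms` field. Run against a real signed token in the PEM framing that `openssl cms -sign -outform PEM` emits, the same `check_token_digest` reports which digest the signer actually used. The constructed samples omit certificates and SignerInfo, and that omission plus the PEM framing are assumptions of this example. Inspecting the blob rather than the command line matters because OpenSSL's default digest has changed across releases, so the absence of `-md` alone does not tell you what was used.

```python
"""Audit the digest algorithm inside a CMS SignedData blob (the format of a
keystone PKI token).  Added example, not keystone/python-keystoneclient code:
it builds constructed samples with a minimal DER encoder, then parses them
back to read SignedData.digestAlgorithms and flag sha1."""
import base64
import re

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # id-signedData (RFC 5652)
OID_DATA = "1.2.840.113549.1.7.1"          # id-data
DIGEST_OIDS = {                            # RFC 3370 / RFC 5754
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
ACCEPTED = {"sha256", "sha384", "sha512"}  # fail closed on weak or unknown OIDs


def tlv(tag, body):
    """Minimal DER TLV encoder, used only to construct sample input."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_signed_data(digest_oid, payload=b'{"token": "constructed"}'):
    """ContentInfo { signedData, [0] SignedData { v1, digestAlgorithms, encapContentInfo,
    signerInfos } }.  Certificates/SignerInfo left out (assumption: the check needs only digestAlgorithms)."""
    alg = tlv(0x30, encode_oid(digest_oid) + b"\x05\x00")   # AlgorithmIdentifier: OID + NULL params
    encap = tlv(0x30, encode_oid(OID_DATA) + tlv(0xA0, tlv(0x04, payload)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg) + encap + tlv(0x31, b""))
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, signed))


def sample_pem(digest_oid):
    """Constructed sample in the PEM framing `openssl cms -sign -outform PEM` emits."""
    b64 = base64.encodebytes(build_signed_data(digest_oid)).decode()
    return "-----BEGIN CMS-----\n" + b64 + "-----END CMS-----\n"


def read_tlv(buf, pos=0):
    """(tag, value, position after the element) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def digest_algorithms(der):
    """Names (or raw OIDs) listed in SignedData.digestAlgorithms."""
    _, content_info, _ = read_tlv(der)                # ContentInfo SEQUENCE
    _, oid, pos = read_tlv(content_info)
    if decode_oid(oid) != OID_SIGNED_DATA:
        raise ValueError("ContentInfo content type is not signedData")
    _, explicit, _ = read_tlv(content_info, pos)      # [0] EXPLICIT
    _, signed_data, _ = read_tlv(explicit)            # SignedData SEQUENCE
    _, _version, pos = read_tlv(signed_data)          # CMSVersion
    tag, alg_set, _ = read_tlv(signed_data, pos)      # SET OF AlgorithmIdentifier
    if tag != 0x31:
        raise ValueError("digestAlgorithms SET missing")
    names, p = [], 0
    while p < len(alg_set):
        _, alg_id, p = read_tlv(alg_set, p)
        _, alg_oid, _ = read_tlv(alg_id)
        dotted = decode_oid(alg_oid)
        names.append(DIGEST_OIDS.get(dotted, dotted))
    return names


def check_token_digest(pem):
    """ok is True only when every digest in the blob is in ACCEPTED."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    der = base64.b64decode("".join(body.split()))
    algs = digest_algorithms(der)
    return {"digests": algs, "ok": bool(algs) and all(a in ACCEPTED for a in algs)}
```

`check_token_digest(sample_pem("1.3.14.3.2.26"))` returns `{'digests': ['sha1'], 'ok': False}`, the SHA-256 sample returns `ok: True`. OIDs the table does not know are reported raw and fail the check, so a token signed with an unexpected algorithm is rejected rather than silently accepted.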

Tags: pki security
Brant Knudson (blk-u)
Changed in keystone:
assignee: nobody → Brant Knudson (blk-u)
Changed in python-keystoneclient:
assignee: nobody → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/117366

Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/117367

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/117371

Changed in python-keystoneclient:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to python-keystoneclient (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/117372

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/117380

Dolph Mathews (dolph)
tags: added: pki
tags: added: security
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Wishlist
Changed in python-keystoneclient:
importance: Undecided → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/117371
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=84c9ccaed34d83b7e97a4890561b1b218d99b1ba
Submitter: Jenkins
Branch: master

commit 84c9ccaed34d83b7e97a4890561b1b218d99b1ba
Author: Brant Knudson <email address hidden>
Date: Wed Aug 27 17:50:19 2014 -0500

    Change cms_sign_data to use sha256 message digest

    cms_sign_data was not passing the md parameter to openssl, so it was
    using the default digest of sha1. Some security standards require a
    SHA2 algorithm for the digest.

    This is for security hardening.

    SecurityImpact

    Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
    Closes-Bug: #1362343

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 0.11.2
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: master
Review: https://review.openstack.org/117380
Reason: This change is being abandoned because it has a negative score and has not seen an update in > 60 days. Feel free to re-instate this patch (as the author) by using the "restore" button or any member of the core team can re-instate the patch.

Dolph Mathews (dolph) wrote :

I'd suggest marking this as Won't Fix in keystone since pki_setup and ssl_setup are only really useful to developers. Production deployments should use real certificates.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Brant Knudson (<email address hidden>) on branch: master
Review: https://review.openstack.org/117366
Reason: Makes sense to tell people to use their own certs instead.

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Brant Knudson (<email address hidden>) on branch: master
Review: https://review.openstack.org/117367
Reason: Abandoned parent

OpenStack Infra (hudson-openstack) wrote : Related fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/117372
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9
Submitter: Jenkins
Branch: master

commit b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9
Author: Brant Knudson <email address hidden>
Date: Wed Aug 27 17:53:41 2014 -0500

    token signing support alternative message digest

    The functions for creating signed tokens in common.cms always used
    sha256 for the message digest. This might be inadequate in the future
    so the digest algorithm shouldn't be hard-coded. A parameter is added
    to allow choosing a different digest algorithm.

    SecurityImpact

    Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
    Related-Bug: #1362343

Morgan Fainberg (mdrnstm) wrote :

PKI Tokens are Deprecated

Changed in keystone:
status: In Progress → Won't Fix