Fernet tokens contain a version identifier that is not integrity verified

Bug #1427485 reported by Dolph Mathews on 2015-03-03
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Morgan Fainberg

Bug Description

Fernet tokens all start with a plaintext string of either "F00" or "F01" indicating either "version 0" (normal unscoped and scoped tokens) or "version 1" (trust-based tokens). That versioning lies outside of the integrity-verified portion of the token, and is thus susceptible to manipulation by end users.

With only two token versions, this doesn't present any issues that I'm aware of, but to harden ourselves against the future, we should move that versioning information into the integrity-verified portion of the message. Otherwise, we carry of risk of future implementations inadvertently introducing privilege escalation vulnerabilities, a means for end users to disable authorization checks by supplying older versions, etc, etc.

In addition, the format prefix was originally intended to make it easier for remote clients (keystonemiddleware.auth_token) to parse apart and validate tokens without going back to talk to Keystone. Since that's not the plan here (Fernet tokens must be validated with Keystone, since that's the only place where the encryption keys are accessible), the entire format prefix ("F00" / "F01") can be dropped, as long as Keystone can still validate the tokens it's issuing.

Dolph Mathews (dolph) on 2015-03-03
tags: added: fernet
summary: - Fernet tokens contain non-integrity verified version identifier
+ Fernet tokens contain a version identifier that is not integrity
+ verified

Fix proposed to branch: master
Review: https://review.openstack.org/162031

Changed in keystone:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/162196

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)
Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Morgan Fainberg (mdrnstm)

Reviewed: https://review.openstack.org/162031
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Submitter: Jenkins
Branch: master

commit a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 22:01:53 2015 +0000

    Drop Fernet token prefixes & add domain-scoped Fernet tokens

    - Move the payload version (part of the plaintext token prefix) into the
      integrity verified portion of the token (the payload). This also drops
      the 'F', which doesn't serve a purpose with Fernet tokens as it does
      with token formats that can be validated offline (PKI, PKIZ). This
      requires a bunch of refactoring to move the responsibility of
      decrypting, unpacking, and disassembling the payload contents to the
      caller (the Provider).

    - Add a domain-scoped payload format, identical to that for
      project-scoped tokens, just with a different version number. Better
      functional tests revealed that tests intended to exercise
      domain-scoped Fernet tokens, which didn't exist, should not have been

    - Remove remaining functional tests from the unit test suite
      (test_fernet_provider), and ensure that same coverage exists in the
      actual functional test suite (test_v3_auth). Several of the unit tests
      required heavy refactoring due to the refactoring required to support
      the first item above, so it was easier just to dump those tests in
      favor of better functional test coverage, which are agnostic to the
      implementation details.

    Change-Id: I141f2707a391d46d9607710b30155b76de2f88f0
    Closes-Bug: 1427485
    Closes-Bug: 1428949

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2015-03-19
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-3 → 2015.1.0
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers