able to validate a Fernet token with garbage at the end (cryptography limitation)

Bug #1459483 reported by Matt Fischer on 2015-05-28
Affects: OpenStack Identity (keystone) | Importance: Medium | Assigned to: Unassigned

Bug Description

I am able to verify Fernet tokens that contain garbage at the end, not so with UUID tokens.

For example:

UUID:

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2

Works

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE
{"error": {"message": "Could not find token: 84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE", "code": 404, "title": "Not Found"}}

Fernet on the other hand happily validates it even with garbage and even inserts -GARBAGE into the ID.

curl -H "X-Auth-Token:gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D" http://localhost:35357/v2.0/tokens/gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

curl -H "X-Auth-Token:gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D" http://localhost:35357/v2.0/tokens/gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D-GARBAGE

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=-GARBAGE",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

Matt Fischer (mfisch) on 2015-05-28
summary: - able to verify a Fernet token with garbage at the end
+ able to validate a Fernet token with garbage at the end
Dolph Mathews (dolph) on 2015-05-28
tags: added: fernet

Is there supposed to be a "-GARBAGE" appended at the end of the third curl request's path? (Or is there supposed to be a fourth curl example? There's two incomplete JSON responses at the end of the bug description that differ only in the presence of "-GARBAGE" in the returned token->id.)

Changed in keystone:
status: New → Incomplete
Matt Fischer (mfisch) wrote :

Sorry, fixed.

description: updated
Dolph Mathews (dolph) wrote :

Reproduced, and filed an upstream bug against pypi/cryptography:

  https://github.com/pyca/cryptography/issues/1994

We'll have to wait for a fix to be released in cryptography in order to close this issue.

Changed in keystone:
status: Incomplete → Confirmed
importance: Undecided → Medium
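Added example, not code from the bug report, keystone or cryptography: a stdlib-only model of why the trailing bytes survive verification (the token is base64-decoded before the HMAC is checked, and Python's decoder stops reading at the "=" padding, so whatever follows never reaches the HMAC), beside a canonical-form check a service can apply before trusting or echoing a token. AES is omitted, and the signing key, timestamp and payload are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed signing key (a real Fernet key is 32 bytes; the first 16 sign).
SIGNING_KEY = bytes(range(16))
CONSTRUCTED_TS = 1432778372  # constructed timestamp, seconds since epoch


def make_token(payload: bytes, ts: int = CONSTRUCTED_TS) -> bytes:
    """Build a Fernet-shaped token: 0x80 | 64-bit timestamp | 16-byte IV |
    payload | HMAC-SHA256. The payload stands in for AES-CBC ciphertext;
    that is enough because the bug lives in the base64 + HMAC step."""
    body = b"\x80" + struct.pack(">Q", ts) + b"\x00" * 16 + payload
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def lenient_verify(token: bytes) -> bool:
    """Decode-then-HMAC, in the order the report describes. urlsafe_b64decode
    returns as soon as the padding quad completes, so a token that ends in
    '=' decodes to the same bytes with or without trailing garbage, and the
    HMAC over those bytes still matches."""
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    body, mac = data[:-32], data[-32:]
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def strict_verify(token: bytes) -> bool:
    """Defensive wrapper: re-encode the decoded bytes and require a byte-for-
    byte match with what was received, so only the canonical encoding of the
    token is accepted (and echoed back). Then run the normal check."""
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return False
    if base64.urlsafe_b64encode(data) != token:
        return False
    return lenient_verify(token)


if __name__ == "__main__":
    tok = make_token(b"constructed-ciphertext")
    print("lenient, garbage:", lenient_verify(tok + b"-GARBAGE"))  # True
    print("strict,  garbage:", strict_verify(tok + b"-GARBAGE"))   # False
```

The padding matters: a token whose length is a multiple of 4 carries no "=" and trailing alphabet characters would then be decoded into the data and break the HMAC, which is why the canonical re-encode check is the reliable test rather than the HMAC alone.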
Dolph Mathews (dolph) wrote :

I'm also marking this as Medium because I'm unsure of any negative impact (much less a security impact) beyond passing the same invalid token back to the client in the JSON response (... which can still be validated successfully).

Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → nobody
Changed in keystone:
status: Confirmed → Invalid
status: Invalid → Confirmed
Steve Martinelli (stevemar) wrote :

Looks like the cryptography issue is still open

summary: - able to validate a Fernet token with garbage at the end
+ able to validate a Fernet token with garbage at the end (cryptography
+ limitation)