http_log_request will print debug info including the PKI certificate, which is unsafe

Bug #1858189 reported by kuangpeiling
This bug affects 1 person
Affects        Status    Importance   Assigned to   Milestone
keystoneauth   Expired   Undecided    Unassigned

Bug Description

When I use a PKI token, I find that the nova debug log includes the whole PKI certificate info. Is this safe? Does it need to be modified?

My request is:
curl -g -i -X GET https://identity.az1.dc1.domainname.com:443/identity-admin/v3/auth/tokens/OS-PKI/revoked

The debug.log shows, for example:
RESP BODY: {"signed": "-----BEGIN CMS-----\nMIIBuwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxfs0QO\n-----END CMS-----\n"}

Code in session.py:
        if response is not None:
            if not status_code:
                status_code = response.status_code
            if not headers:
                headers = response.headers
            if not text:
                # NOTE(samueldmq): If the response does not provide enough info
                # about the content type to decide whether it is useful and
                # safe to log it or not, just do not log the body. Trying to
                # read the response body anyways may result on reading a long
                # stream of bytes and getting an unexpected MemoryError. See
                # bug 1616105 for further details.
                content_type = response.headers.get('content-type', None)

                # NOTE(lamt): Per [1], the Content-Type header can be of the
                # form Content-Type := type "/" subtype *[";" parameter]
                # [1] https://www.w3.org/Protocols/rfc1341/4_Content-Type.html
                for log_type in _LOG_CONTENT_TYPES:
                    if content_type is not None and content_type.startswith(
                            log_type):
                        text = self._remove_service_catalog(response.text)
                        break
                else:
                    text = ('Omitted, Content-Type is set to %s. Only '
                            '%s responses have their bodies logged.')
                    text = text % (content_type, ', '.join(_LOG_CONTENT_TYPES))
        if json:
            text = self._json.encode(json)

        string_parts = ['RESP:']

        if status_code:
            string_parts.append('[%s]' % status_code)
        if headers:
            for header in six.iteritems(headers):
                string_parts.append('%s: %s' % self._process_header(header))
        if text:
            string_parts.append('\nRESP BODY: %s\n' % text)

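The quoted session.py logic gates body logging on Content-Type and strips the service catalog, but anything else in a JSON body (such as the "signed" CMS blob above) reaches the log verbatim. The following is an added example, not keystoneauth code and not code from the bug report: it keeps the same content-type gate and adds a redaction pass over JSON bodies and token-bearing headers before the line is built. Every name in it (format_response_for_log, SENSITIVE_KEYS, SENSITIVE_HEADERS, the sample body and headers) is hypothetical, and the sample body is constructed to resemble the RESP BODY line in the report.

```python
# Added example, not keystoneauth code. Shows the content-type gate from
# the quoted session.py logic plus a redaction pass over JSON bodies and
# token-bearing headers before anything reaches a debug log.
# All names and the sample data are hypothetical / constructed.
import hashlib
import json
import re

# Only bodies of these content types are parsed and logged; everything
# else is summarised (same idea as _LOG_CONTENT_TYPES in the quoted code).
LOGGED_CONTENT_TYPES = ("application/json",)

# JSON keys whose values must never be written out verbatim (assumption:
# a list an operator would tune for their own services).
SENSITIVE_KEYS = frozenset({"signed", "token", "password", "secret", "catalog"})

# Headers that carry bearer material (assumption).
SENSITIVE_HEADERS = frozenset({"x-auth-token", "x-subject-token", "x-service-token"})

# Any PEM-style armoured block (CMS, CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.DOTALL)


def digest(value):
    """Short SHA-256 prefix so two log lines can still be correlated
    without reproducing the secret itself."""
    return "{SHA256}" + hashlib.sha256(value.encode()).hexdigest()[:16]


def redact_string(value):
    """Replace armoured blobs inside a string with a digest placeholder."""
    return PEM_BLOCK.sub(lambda m: "<PEM redacted %s>" % digest(m.group(0)), value)


def redact_json(obj):
    """Walk decoded JSON: drop values of sensitive keys, scrub strings."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k.lower() in SENSITIVE_KEYS else redact_json(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json(v) for v in obj]
    if isinstance(obj, str):
        return redact_string(obj)
    return obj


def format_response_for_log(status_code, headers, text):
    """Build a 'RESP' debug line the way the quoted code does, but only
    after gating on Content-Type and redacting what gets through."""
    parts = ["RESP:", "[%s]" % status_code]
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            value = digest(value)
        parts.append("%s: %s" % (name, value))

    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), "")
    if not any(content_type.startswith(t) for t in LOGGED_CONTENT_TYPES):
        parts.append("\nRESP BODY: Omitted, Content-Type is set to %s\n" % content_type)
        return " ".join(parts)
    try:
        body = json.dumps(redact_json(json.loads(text)))
    except ValueError:
        # Declared JSON but not parseable: still scrub armoured blobs.
        body = redact_string(text)
    parts.append("\nRESP BODY: %s\n" % body)
    return " ".join(parts)


# Constructed sample modelled on the RESP BODY line in the bug report.
SAMPLE_BODY = json.dumps(
    {"signed": "-----BEGIN CMS-----\nMIIBuwAAAAAAAAfs0QO\n-----END CMS-----\n"})
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Subject-Token": "gAAAAABexampletoken"}

if __name__ == "__main__":
    print(format_response_for_log(200, SAMPLE_HEADERS, SAMPLE_BODY))
```

The digest placeholder keeps log lines correlatable without writing the blob out; the Content-Type gate is kept so that the memory concern from the NOTE(samueldmq) comment still applies before any parsing happens, and the fallback path scrubs armoured blocks even when a body declared as JSON fails to parse.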
Revision history for this message
Colleen Murphy (krinkle) wrote :

The request you are making is the /v3/auth/tokens/OS-PKI/revoked endpoint, whose whole purpose is to list revoked PKI tokens in the body of the response. This is working as designed, especially since those tokens are revoked and can't be used anyway.

Changed in keystoneauth:
status: New → Invalid
Revision history for this message
kuangpeiling (kuangpeiling) wrote :

1. I mean that when the content of this token is recorded in the log, it can be used to guess and crack, so that legal tokens can be cracked in the future, because PKI certificates are used for a long time.
2. Expired tokens have appeared before. By modifying the values of certain fields, they can be reused. VDF security testing experts (European team) have found this problem. I do not know whether the keystone community has fixed this.

Changed in keystoneauth:
status: Invalid → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for keystoneauth because there has been no activity for 60 days.]

Changed in keystoneauth:
status: Incomplete → Expired