API: sha256 should be used to fingerprint for x509 keypair

Bug #1504598 reported by Matthew Edmonds
Affects: OpenStack Compute (nova)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Liberty is using sha1 to calculate the fingerprint returned by os-keypairs REST API calls when the key type is x509. Unlike ssh, there is no standard hash algorithm that should necessarily be used for X.509, which makes it necessary to clarify what hash was used. There is also concern in simply documenting that this is sha1 and moving on... SHA-1 is known to be flawed and everyone is moving away from it. E.g. in Mozilla you will now see both SHA-1 and SHA-256 fingerprints when you view a certificate, and they will eventually stop showing SHA-1. The nova API should be thinking forward and
1. allow the admin to configure one or more algorithms to use for x.509 fingerprints (as noted, browsers will generally display at least 2).
2. be clear in what hash algorithms are used, both in documentation and (for client's sake) in the response.

Found in Liberty.

Tags: api
tags: added: api
Mark Doffman (mjdoffma)
Changed in nova:
status: New → Confirmed
Revision history for this message
Mark Doffman (mjdoffma) wrote :

Crypto is currently using MD5 for ssh key fingerprints and sha1 for x509 fingerprints. I can't find this documented anywhere; it probably should be. As stated in the bug, would it be best to document the hash algorithm used in the fingerprint field?

Adding more fingerprint types to the keypairs is a possibility in the future. I'm not sure how urgent it is though, given that sha-1 is still in use for fingerprints.
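As an added example (this is not nova's code and does not claim to mirror how nova's crypto module is written), the following shows what the bug description and the comment above both point at: fingerprinting an X.509 certificate and an OpenSSH public key under a configurable list of hash algorithms, with the algorithm name carried in the returned value so a client never has to guess whether it is looking at SHA-1, SHA-256 or MD5. It assumes an X.509 fingerprint is a hash over the DER encoding (the base64-decoded body of the PEM block) and an ssh fingerprint a hash over the decoded key blob, which is OpenSSH's own convention; the allowed-algorithm tuples are a hypothetical stand-in for an operator setting, and the sample certificate and key are constructed byte strings in the right containers, not real keys.

```python
"""Hash-labelled fingerprints for both nova keypair types.

Added example (not nova's code). It assumes an X.509 certificate is
fingerprinted over its DER encoding, i.e. the base64-decoded body of the
PEM block, and an OpenSSH public key over its decoded key blob, which is
how OpenSSH itself computes them. The sample certificate and key below
are constructed byte strings in the right containers, not real keys.
"""
import base64
import hashlib
import re
import struct

# Hypothetical operator-configurable lists; the first entry is the one a
# single "fingerprint" field would report. MD5 and SHA-1 are kept only for
# display beside SHA-256, as browsers do, never as the sole value.
X509_FINGERPRINT_ALGORITHMS = ("sha256", "sha1")
SSH_FINGERPRINT_ALGORITHMS = ("sha256", "md5")

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def pem_to_der(pem):
    """Return the DER bytes carried inside a PEM CERTIFICATE block."""
    match = _PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def colon_hex(digest):
    """'e3:b0:c4:...' formatting, the style used for MD5/SHA-1 prints."""
    return ":".join("%02x" % byte for byte in digest)


def der_fingerprint(der, algorithm="sha256"):
    """Labelled fingerprint of DER bytes, e.g. 'SHA256:e3:b0:...'.

    The label answers the bug's second point: the response itself says
    which hash produced the value.
    """
    if algorithm not in X509_FINGERPRINT_ALGORITHMS:
        raise ValueError("x509 fingerprint algorithm %r not allowed" % algorithm)
    digest = hashlib.new(algorithm, der).digest()
    return "%s:%s" % (algorithm.upper(), colon_hex(digest))


def x509_fingerprint(pem, algorithm="sha256"):
    """Fingerprint of a PEM-encoded certificate."""
    return der_fingerprint(pem_to_der(pem), algorithm)


def x509_fingerprints(pem, algorithms=X509_FINGERPRINT_ALGORITHMS):
    """One fingerprint per configured algorithm (the bug's first point)."""
    der = pem_to_der(pem)
    return {alg: der_fingerprint(der, alg) for alg in algorithms}


def ssh_fingerprint(public_key_line, algorithm="sha256"):
    """Fingerprint of an OpenSSH public key line ('ssh-ed25519 AAAA... cmt').

    Follows ssh-keygen -l: MD5 as colon-hex, SHA256 as unpadded base64,
    both prefixed with the hash name.
    """
    if algorithm not in SSH_FINGERPRINT_ALGORITHMS:
        raise ValueError("ssh fingerprint algorithm %r not allowed" % algorithm)
    blob = base64.b64decode(public_key_line.split()[1])
    digest = hashlib.new(algorithm, blob).digest()
    if algorithm == "md5":
        return "MD5:" + colon_hex(digest)
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# --- constructed sample inputs (not real keys) -------------------------------

def _pem_wrap(der):
    """Put arbitrary bytes into PEM CERTIFICATE armour, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


def _ssh_public_key_line(key_type, key_bytes):
    """Build 'type base64(blob)' with blob = len|type|len|key, as OpenSSH does."""
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "%s %s constructed-example" % (
        key_type.decode("ascii"), base64.b64encode(blob).decode("ascii"))


SAMPLE_DER = bytes(range(256)) * 2                 # stands in for a DER cert
SAMPLE_PEM = _pem_wrap(SAMPLE_DER)
SAMPLE_SSH_KEY = _ssh_public_key_line(b"ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for alg, fp in x509_fingerprints(SAMPLE_PEM).items():
        print("x509", alg, fp)
    for alg in SSH_FINGERPRINT_ALGORITHMS:
        print("ssh ", alg, ssh_fingerprint(SAMPLE_SSH_KEY, alg))
```

Two design points worth noting: the algorithm name is part of the value rather than a separate field, so a fingerprint that is copied into a ticket or a config file stays self-describing, and the allowed list is checked before hashing, so a request for an unlisted algorithm fails closed instead of quietly producing something the deployment did not sanction.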

Revision history for this message
Matthew Edmonds (edmondsw) wrote :

Looking further, it seems that X.509 key pairs may not actually be supported? api/openstack/compute/keypairs.py hardcodes the type to be KEYPAIR_TYPE_SSH, and doesn't seem to let a user specify X.509. Maybe what I was looking at was dead code, and the fix here is just to remove it?

Got this on IRC:

<edmondsw> objects/keypair.py appears to support x509 keypairs (KEYPAIR_TYPE_X509) but the api implementation appears to only support ssh... can anyone explain that mismatch?
<edmondsw> mriedem ^
<superdan> we did revert something related to that at some point
<edmondsw> api/openstack/compute/keypairs.py actually hardcodes the type to be KEYPAIR_TYPE_SSH
<mriedem> there was a microversion for x509 keypairs
<mriedem> claudiub: ^

Sean Dague (sdague)
Changed in nova:
importance: Undecided → Low
summary: - sha1 fingerprint for x509 keypair
+ API: sha256 should be used to fingerprint for x509 keypair
mrthegreat (mrthegreat)
Changed in nova:
assignee: nobody → mrthegreat (mrthegreat)
status: Confirmed → In Progress
Revision history for this message
mrthegreat (mrthegreat) wrote :

So at least it should be defined by the user whether SHA1 or SHA256 will be used, or should we remove SHA1 since it is flawed?

Revision history for this message
Markus Zoeller (markus_z) (mzoeller) wrote :

@mrthegreat: Are you still working on this?

mrthegreat (mrthegreat)
Changed in nova:
assignee: mrthegreat (mrthegreat) → nobody
Revision history for this message
Augustina Ragwitz (auggy) wrote :

I thought this had been Triaged but it looks like it wasn't, so setting the status back to confirmed.

Changed in nova:
status: In Progress → Triaged
status: Triaged → Confirmed
Revision history for this message
Sean Dague (sdague) wrote :

Automatically discovered version liberty in description. If this is incorrect, please update the description to include 'nova version: ...'

tags: added: openstack-version.liberty
Revision history for this message
Andrey Volkov (avolkov) wrote :

Not only liberty is affected. sha1 for x.509 and md5 for ssh are still used in master.

tags: removed: openstack-version.liberty