OpenStack Security Advisory

Overview
Code
Bugs
Blueprints
Translations
Answers

Bug #1566416
Comment #8

Comment 8 for bug 1566416

Revision history for this message

Tim Burke (1-tim-z) wrote on 2016-04-12:

For v2 signatures, there's a date field included in the signature [1], which should be either a HTTP-date or timestamp from the Expires query param.

There's also in-progress work to add support for v4 signatures; nothing has landed in swift3 yet, but keystone knows how to compute them. For v4 signatures, the request date should appear in ISO8601 format on the second line of the string-to-sign [2].

In both cases, swift3 checks (or will check) it [3], but keystone just computes the expected signature and compares [4].

[1] https://github.com/openstack/swift3/blob/v1.10/swift3/request.py#L360-L363
[2] http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
[3] https://github.com/openstack/swift3/blob/v1.10/swift3/request.py#L189-L222
[4] https://github.com/openstack/keystone/blob/9.0.0/keystone/contrib/s3/core.py#L70