From 1feb969eee9f3b823928df60dec3a33db90b9f4f Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Thu, 3 Sep 2015 02:19:35 -0400
Subject: [PATCH] hash the data in the token

Change-Id: I8716487ffae055039d7b216054348afb6ea18256
---
 keystoneclient/common/cms.py | 34 +++++++++++++++++++++++++++++++---
 requirements.txt | 2 ++
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 1bd0f41..a67e469 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -27,6 +27,8 @@ import textwrap
 import zlib
 
 from debtcollector import removals
+from pyasn1.codec.der import decoder
+from pyasn1_modules import rfc2315
 import six
 
 from keystoneclient import exceptions
@@ -412,10 +414,36 @@ def cms_hash_token(token_id, mode='md5'):
 if token_id is None:
 return None
 if is_asn1_token(token_id) or is_pkiz(token_id):
+ if is_asn1_token(token_id):
+ substrate = token_id.replace('-', '/')
+ else:
+ token_body = pkiz_uncompress(token_id)
+ start_delim = '-----BEGIN CMS-----'
+ end_delim = '-----END CMS-----\n'
+ substrate = token_body.strip()
+ substrate = substrate.replace(start_delim, '')
+ substrate = substrate.replace(end_delim, '')
+
+ substrate = base64.urlsafe_b64decode(substrate)
+ contentInfo, rest = decoder.decode(substrate,
+ asn1Spec=rfc2315.ContentInfo())
+ contentType = contentInfo.getComponentByName('contentType')
+ contentInfoMap = {
+ (1, 2, 840, 113549, 1, 7, 2): rfc2315.SignedData(),
+ (1, 2, 840, 113549, 1, 7, 1): rfc2315.Data(),
+ }
+
+ content, _ = decoder.decode(
+ contentInfo.getComponentByName('content'),
+ asn1Spec=contentInfoMap[contentType])
+
+ token_data = content.getComponentByName(
+ 'contentInfo').getComponentByName('content').asOctets()
 hasher = hashlib.new(mode)
- if isinstance(token_id, six.text_type):
- token_id = token_id.encode('utf-8')
- hasher.update(token_id)
+
+ if isinstance(token_data, six.text_type):
+ token_data = token_data.encode('utf-8')
+ hasher.update(token_data)
 return hasher.hexdigest()
 else:
 return token_id
diff --git a/requirements.txt b/requirements.txt
index b846bb3..371b2fd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -14,6 +14,8 @@ oslo.i18n>=1.5.0 # Apache-2.0
 oslo.serialization>=1.4.0 # Apache-2.0
 oslo.utils>=2.0.0 # Apache-2.0
 PrettyTable<0.8,>=0.7
+pyasn1
+pasn1-modules
 requests>=2.5.2
 six>=1.9.0
 stevedore>=1.5.0 # Apache-2.0
--
2.4.3
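Review bot: The added parsing block runs on the caller-supplied token with no error handling, so every malformed input escapes as an unrelated exception: `base64.urlsafe_b64decode` and `decoder.decode` raise on bad data, `contentInfoMap[contentType]` raises `KeyError` for any other OID, and the `rfc2315.Data()` entry cannot work because the following `content.getComponentByName('contentInfo')` call assumes a `SignedData` structure. I would accept only the SignedData OID, wrap the decode steps in one `try`/`except` (for example `pyasn1.error.PyAsn1Error`, `KeyError`, `TypeError`, `ValueError`) that raises a single documented error, and reject a non-empty `rest` instead of discarding it. In the PKIZ branch `token_body.strip()` removes the trailing newline before `substrate.replace(end_delim, '')` runs, so `'-----END CMS-----\n'` presumably never matches when the delimiter is the last line; remove the delimiters before stripping, or drop the `\n` from `end_delim`. The digest now covers only the embedded content and not the signature, so if callers use this value as a cache or revocation key (not visible here), tokens with the same payload but different signatures would collide; that deserves a comment and a check of the callers. `cms_hash_token` begins above this hunk.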
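Review bot: `pasn1-modules` is misspelled: cms.py imports `pyasn1_modules`, whose distribution name is `pyasn1-modules`, so as written an install would either fail or pull in whatever package happens to hold the misspelled name. Change the line to `pyasn1-modules`. Both new entries also lack the lower bound and license comment that the neighbouring lines carry, e.g. `pyasn1>=<minimum tested version> # <license>`.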