Comment 26 for bug 1490804

Adam Young (ayoung) wrote : Re: PKI Token Revocation Bypass

The following patch detects modifications of the Token.

I am not certain, however, that this is exhaustive; there might be ways to modify the document such that it is still valid, but has a different hash.

We can lock down what is accepted as a token format: additional checks could confirm that the certs are stripped (adding them will still fail validation anyways) or any other cosmetic changes that could change the document.

We might be able to get away with a stopgap like this, and then migrate people to Fernet or change how PKI tokens are hashed.
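
One way to lock down the accepted token format, as an added example that is neither the patch from this bug nor Keystone code: accept only the single canonical text encoding of a token and key the revocation lookup on the decoded bytes. It assumes the token text is standard base64 of the signed document and uses SHA-256; every function name and the sample token are hypothetical.

```python
import base64
import binascii
import hashlib

# Constructed sample: stands in for the base64 text of a signed token.
SAMPLE_TOKEN = base64.b64encode(b"constructed token body").decode("ascii")


class NonCanonicalToken(ValueError):
    """Token text is not the single canonical encoding of its payload."""


def canonical_token_bytes(token_text: str) -> bytes:
    """Decode token_text, accepting only its one canonical base64 spelling."""
    try:
        raw = base64.b64decode(token_text.encode("ascii"), validate=True)
    except (UnicodeEncodeError, binascii.Error) as exc:
        raise NonCanonicalToken("not strict base64") from exc
    # Re-encode and compare: rejects stray whitespace, non-zero padding bits
    # and any other spelling that decodes to the same bytes.
    if base64.b64encode(raw).decode("ascii") != token_text:
        raise NonCanonicalToken("text is not the canonical encoding")
    return raw


def revocation_key(token_text: str) -> str:
    """Hash the decoded bytes so the key does not depend on the text form."""
    return hashlib.sha256(canonical_token_bytes(token_text)).hexdigest()


def is_revoked(token_text: str, revoked_keys: set) -> bool:
    """Fail closed: a token that is not canonical is treated as revoked."""
    try:
        return revocation_key(token_text) in revoked_keys
    except NonCanonicalToken:
        return True


if __name__ == "__main__":
    revoked = {revocation_key(SAMPLE_TOKEN)}
    print("canonical, revoked:", is_revoked(SAMPLE_TOKEN, revoked))
    print("canonical, not revoked:", is_revoked(SAMPLE_TOKEN, set()))
    print("re-spelled text:", is_revoked(SAMPLE_TOKEN + "\n", set()))
```

A check like this covers only the text encoding; it does not address variation inside the signed document itself, which the comment above also raises.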