keystonemiddleware appears not to hash PKIZ tokens

Bug #1355125 reported by Kirill Zaborsky
Affects                             Status        Importance  Assigned to     Milestone
keystonemiddleware                  Fix Released  Critical    Brant Knudson
python-keystoneclient               Fix Released  Critical    Adam Young
python-keystonemiddleware (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

It looks like Keystone hashes only PKI tokens [1], and the test test_verify_signed_token_raises_exception_for_revoked_pkiz_token [2] does not take hashing into account (it checks only already hashed data and not the hashing itself).
That should make token revocation for PKIZ tokens broken.

[1] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/auth_token.py#L1399
[2] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/tests/test_auth_token_middleware.py#L741
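As an added illustration of the revocation gap the report describes (not code from keystonemiddleware or python-keystoneclient), a minimal model of the revocation-list lookup with the pre-fix hashing rule (only ASN.1 "MII" tokens hashed) beside the corrected rule (PKIZ_ tokens hashed as well). The two prefix constants match keystoneclient's cms module; the helper names, the md5 default and the sample tokens and revocation list are assumptions constructed for the demo.

```python
import hashlib

# Token format prefixes (same values as keystoneclient.common.cms).
PKI_ASN1_PREFIX = "MII"
PKIZ_PREFIX = "PKIZ_"


def is_asn1_token(token):
    return token[:3] == PKI_ASN1_PREFIX


def is_pkiz(token):
    return token.startswith(PKIZ_PREFIX)


def cms_hash_token(token, mode="md5"):
    # Keystone's revocation list carries the hash of the signed token blob,
    # not the blob itself; the middleware must hash the same way to match.
    return hashlib.new(mode, token.encode("utf-8")).hexdigest()


def token_id_before_fix(token, mode="md5"):
    # Pre-fix behaviour: only ASN.1 (PKI) tokens were hashed, so a PKIZ
    # token was looked up by its raw value and never matched the list.
    if is_asn1_token(token):
        return cms_hash_token(token, mode)
    return token


def token_id_after_fix(token, mode="md5"):
    # Fixed behaviour: both PKI and PKIZ signed tokens are hashed.
    if is_asn1_token(token) or is_pkiz(token):
        return cms_hash_token(token, mode)
    return token


def is_revoked(token, revoked_ids, token_id_fn, mode="md5"):
    # Revocation check: derive the id the list is keyed by, then look it up.
    return token_id_fn(token, mode) in revoked_ids


# Constructed sample tokens (assumptions, not real signed blobs).
PKI_TOKEN = "MIIBsampleSignedAsn1Blob"
PKIZ_TOKEN = "PKIZ_sampleCompressedSignedBlob"
# Constructed revocation list: both tokens have been revoked by keystone.
REVOKED_IDS = {cms_hash_token(PKI_TOKEN), cms_hash_token(PKIZ_TOKEN)}
```

With the pre-fix rule the revoked PKIZ token is still reported as valid; with the fixed rule both revoked tokens are rejected.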

Tags: pki security
description: updated
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Critical
Changed in keystonemiddleware:
importance: Undecided → Critical
Changed in keystone:
status: New → Triaged
Changed in keystonemiddleware:
status: New → Triaged
Changed in keystone:
milestone: none → juno-3
tags: added: pki
Adam Young (ayoung)
Changed in keystonemiddleware:
assignee: nobody → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/114646

Changed in keystonemiddleware:
assignee: Adam Young (ayoung) → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
Dolph Mathews (dolph)
tags: added: security
Changed in keystonemiddleware:
assignee: Morgan Fainberg (mdrnstm) → Adam Young (ayoung)
Adam Young (ayoung)
no longer affects: keystone
Changed in python-keystoneclient:
assignee: nobody → Adam Young (ayoung)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/114654

Changed in python-keystoneclient:
status: New → In Progress
Changed in keystonemiddleware:
assignee: Adam Young (ayoung) → Brant Knudson (blk-u)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/114646
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=fc53b9eedad1fea325f651a6861a82616b715a27
Submitter: Jenkins
Branch: master

commit fc53b9eedad1fea325f651a6861a82616b715a27
Author: Adam Young <email address hidden>
Date: Fri Aug 15 16:13:59 2014 -0400

    Hash for PKIZ

    Only PKI (asn1) based tokens were checked for format and hashed

    Closes-Bug: 1355125

    SecurityImpact

    Change-Id: I24cb09edd9a6c9e99e48042a623c7818321f2ead

Changed in keystonemiddleware:
status: In Progress → Fix Committed
Dolph Mathews (dolph)
Changed in keystonemiddleware:
milestone: none → 1.2.0
milestone: 1.2.0 → 1.1.1
Dolph Mathews (dolph)
Changed in keystonemiddleware:
status: Fix Committed → Fix Released
Dolph Mathews (dolph)
Changed in python-keystoneclient:
importance: Undecided → Critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/114654
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=eb54dfa3f7ef89502e723d4ade41d8930ffb48d5
Submitter: Jenkins
Branch: master

commit eb54dfa3f7ef89502e723d4ade41d8930ffb48d5
Author: Adam Young <email address hidden>
Date: Fri Aug 15 16:37:32 2014 -0400

    Hash for PKIZ

    Only PKI (asn1) based tokens were checked for format and hashed

    Closes-Bug: 1355125

    SecurityImpact

    Change-Id: Iefedde7f168e2ff1870905041fa95301934452e5

Changed in python-keystoneclient:
status: In Progress → Fix Committed
David Stanek (dstanek)
Changed in python-keystoneclient:
milestone: none → 0.11.0
Dolph Mathews (dolph)
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Sam Morrison (sorrison) wrote :

Ubuntu trusty/juno is affected by this too

It has version 1.0.0-1~cloud0

Chuck Short (zulcss)
Changed in python-keystonemiddleware (Ubuntu):
status: New → Fix Released