Reviewed:  https://review.openstack.org/117371
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=84c9ccaed34d83b7e97a4890561b1b218d99b1ba
Submitter: Jenkins
Branch:    master

commit 84c9ccaed34d83b7e97a4890561b1b218d99b1ba
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Wed Aug 27 17:50:19 2014 -0500

    Change cms_sign_data to use sha256 message digest

    cms_sign_data was not passing the md parameter to openssl, so it
    was using the default digest of sha1. Some security standards
    require a SHA2 algorithm for the digest.

    This is for security hardening.

    SecurityImpact

    Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
    Closes-Bug: #1362343

** Changed in: python-keystoneclient
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1362343

Title:
  weak digest algorithm for PKI

Status in OpenStack Identity (Keystone):
  In Progress
Status in Python client library for Keystone:
  Fix Committed

Bug description:
  The digest algorithm for PKI tokens is the openssl default of sha1.
  This is a weak algorithm and some security standards require a
  stronger algorithm such as sha256.

  Keystone should make the token digest hash algorithm configurable so
  that deployments can use a stronger algorithm. Also, the default could
  be stronger.
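One way to check which digest a CMS-signed blob declares, for auditing whether signed data still uses the sha1 default described in this bug. This is an added example, not code from python-keystoneclient: the function names and the truncated sample structure are constructed for illustration, and it assumes DER input with definite lengths.

```python
# Added example (not keystoneclient code). Digest OIDs mapped to names.
DIGESTS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SIGNED_DATA_OID = "1.2.840.113549.1.7.2"

def read_tlv(buf, pos):
    """Return (value_bytes, next_pos) for the definite-length DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) is not handled")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def oid_to_str(raw):  # decode DER OID content bytes into dotted notation
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def cms_digests(der):  # names of the digests listed in SignedData.digestAlgorithms
    content_info, _ = read_tlv(der, 0)            # ContentInfo SEQUENCE
    ctype, pos = read_tlv(content_info, 0)        # contentType OID
    if oid_to_str(ctype) != SIGNED_DATA_OID:
        raise ValueError("not CMS SignedData")
    explicit0, _ = read_tlv(content_info, pos)    # [0] EXPLICIT wrapper
    signed_data, _ = read_tlv(explicit0, 0)       # SignedData SEQUENCE
    _, pos = read_tlv(signed_data, 0)             # skip version INTEGER
    alg_set, _ = read_tlv(signed_data, pos)       # digestAlgorithms SET
    names, pos = [], 0
    while pos < len(alg_set):
        alg_id, pos = read_tlv(alg_set, pos)      # AlgorithmIdentifier SEQUENCE
        dotted = oid_to_str(read_tlv(alg_id, 0)[0])
        names.append(DIGESTS.get(dotted, dotted))  # unknown OIDs stay dotted
    return names

def tlv(tag, body):  # DER-encode one element (short-form length; sample is tiny)
    return bytes([tag, len(body)]) + body

def sample_cms(digest_oid_hex):  # constructed sample, truncated after digestAlgorithms
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(digest_oid_hex)) + tlv(0x05, b""))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg))
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702")) + tlv(0xA0, signed))
```

A PEM-encoded CMS blob must be base64-decoded to DER before it is passed to `cms_digests`.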