Reviewed:  https://review.openstack.org/117372
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9
Submitter: Jenkins
Branch:    master

commit b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9
Author: Brant Knudson <bknudson at us.ibm.com>
Date:   Wed Aug 27 17:53:41 2014 -0500

    token signing support alternative message digest

    The functions for creating signed tokens in common.cms always used
    sha256 for the message digest. This might be inadequate in the
    future so the digest algorithm shouldn't be hard-coded. A parameter
    is added to allow choosing a different digest algorithm.

    SecurityImpact

    Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
    Related-Bug: #1362343

--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1362343

Title:
  weak digest algorithm for PKI

Status in OpenStack Identity (Keystone):
  In Progress
Status in Python client library for Keystone:
  Fix Released

Bug description:
  The digest algorithm for PKI tokens is the openssl default of sha1.
  This is a weak algorithm and some security standards require a
  stronger algorithm such as sha256.

  Keystone should make the token digest hash algorithm configurable so
  that deployments can use a stronger algorithm.

  Also, the default could be stronger.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1362343/+subscriptions
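
As an added example (not code from keystoneclient or from this commit), the Python below reads the digestAlgorithms field of a DER-encoded CMS SignedData structure, the kind of signed message common.cms produces, and flags md5 and sha1 so a deployment can check which digest a signed blob declares. The helper names and the unsigned sample structure are constructed for illustration, and the input is assumed to be DER bytes already decoded from the token text.

```python
DIGEST_OIDS = {  # DER-encoded OID content bytes -> digest name
    bytes.fromhex("2a864886f70d0205"): "md5",
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # id-signedData
DATA = bytes.fromhex("2a864886f70d010701")         # id-data
WEAK = {"md5", "sha1"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def declared_digests(der):
    """Names of the digestAlgorithms listed in a CMS SignedData structure."""
    tag, content_info, _ = read_tlv(der)
    (t_oid, ctype), (t_ctx, wrapped) = children(content_info)[:2]
    if tag != 0x30 or t_oid != 0x06 or ctype != SIGNED_DATA or t_ctx != 0xA0:
        raise ValueError("not a CMS SignedData ContentInfo")
    signed_data = children(children(wrapped)[0][1])  # version, digestAlgorithms, ...
    algs = children(signed_data[1][1])               # SET OF AlgorithmIdentifier
    return [DIGEST_OIDS.get(children(a)[0][1], "unknown") for _, a in algs]

def weak_digests(der):
    """Declared digests that are weak or not recognised (treated as suspect)."""
    return [d for d in declared_digests(der) if d in WEAK or d == "unknown"]

def tlv(tag, body):  # tiny DER encoder, used only to build the constructed sample
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(body) < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def sample(oid):  # constructed, unsigned SignedData skeleton (not a real token)
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    sd = tlv(0x02, b"\x01") + tlv(0x31, alg) + tlv(0x30, tlv(0x06, DATA)) + tlv(0x31, b"")
    return tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, tlv(0x30, sd)))
```
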