[openstack-dev] [all][dev][python] constructing a deterministic representation of a python data structure

Amrith Kumar amrith at tesora.com
Thu Nov 3 20:50:01 UTC 2016


Josh,

I have the key management part figured out and in actuality I will be
signing the messages. 

But step 1 is getting a deterministic representation and step 2 is hashing.
Step 3 would be signing.

So, steps 2 and 3 are all set; just need step 1 :) And I'm marveling at the
link that Morgan provided, it may have what I need.

-amrith

-----Original Message-----
From: Joshua Harlow [mailto:harlowja at fastmail.com] 
Sent: Thursday, November 3, 2016 4:31 PM
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [all][dev][python] constructing a deterministic
representation of a python data structure

I wouldn't recommend this (the basic hash) if you actually want to do any
kind of validation that the contents weren't altered. Is that the purpose?
Or are you trying to ensure bits aren't flipped?

If u want some level of validation that the message wasn't tampered with u
probably at least want https://docs.python.org/2/library/hmac.html and then
you need to start figuring out what to do about key distribution &
management and rotation :-/

Amrith Kumar wrote:
> Gordon,
>
> You can see a very quick-and-dirty prototype of the kind of thing I'm 
> looking to do in Trove at 
> https://gist.github.com/amrith/6a89ff478f81c2910e84325923eddebe
>
> Uncommenting line 51 would simulate a bad hash.
>
> I'd be happy to propose something similar in oslo.messaging if you 
> think that would pass muster there.
>
> -amrith
>
> -----Original Message-----
> From: gordon chung [mailto:gord at live.ca]
> Sent: Thursday, November 3, 2016 3:09 PM
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] [all][dev][python] constructing a 
> deterministic representation of a python data structure
>
>
>
> On 03/11/16 02:24 PM, Amrith Kumar wrote:
>
>> So, just before calling call() or cast(), I could compute the hash 
>> and stuff it into the dictionary that is being sent over, and I can 
>> do the same on the receiving side. But since I cannot guarantee that 
>> the representation on the receiving side is necessarily identical to 
>> the representation on the sending side, I have issues computing the hash.
>>
>>
>
> based on description, you're trying to sign the messages? there was 
> some effort done in oslo.messaging[1]
>
> we do something similar in Ceilometer to sign IPC messages[2]. it does 
> add overhead though.
>
> [1] https://review.openstack.org/#/c/205330/
> [2] https://github.com/openstack/ceilometer/blob/ffc9ee99c10ede988769907fdb0594a512c890cd/ceilometer/publisher/utils.py#L43-L58
>
> cheers,
> --
> gord
>

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
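
Added example, not part of the original message and not taken from the gist, oslo.messaging or Ceilometer code mentioned in the thread: one way to carry out the three steps discussed above, assuming the payload is JSON-serializable. Canonical JSON stands in for the deterministic representation and HMAC-SHA256 (the hmac module linked in the reply) covers the keyed hash; the key, the field name and the function names are made up for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment needs key distribution and rotation.
DEMO_KEY = b"constructed-demo-key-not-for-production"
SIG_FIELD = "_signature"  # hypothetical field name carrying the tag


def canonical_bytes(payload):
    """Step 1: serialize so that equal structures always yield equal bytes."""
    return json.dumps(
        payload,
        sort_keys=True,          # dict ordering no longer matters
        separators=(",", ":"),   # no whitespace variation
        ensure_ascii=True,       # one byte encoding for non-ASCII text
        allow_nan=False,         # reject NaN/Infinity, which are not valid JSON
    ).encode("ascii")


def sign(payload, key=DEMO_KEY):
    """Steps 2 and 3: keyed hash (HMAC-SHA256) over the canonical bytes."""
    if SIG_FIELD in payload:
        raise ValueError("payload already carries a signature field")
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return dict(payload, **{SIG_FIELD: tag})


def verify(message, key=DEMO_KEY):
    """Receiving side: recompute the tag and compare in constant time."""
    body = {k: v for k, v in message.items() if k != SIG_FIELD}
    tag = message.get(SIG_FIELD)
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace"))


def demo():
    sent = sign({"method": "create", "args": {"size": 2, "name": "db1"}})
    # Constructed receiver-side dict: same content, different key order.
    received = {"args": {"name": "db1", "size": 2},
                SIG_FIELD: sent[SIG_FIELD], "method": "create"}
    tampered = dict(received, args={"name": "db1", "size": 200})
    return verify(received), verify(tampered), verify(received, b"other-key")


if __name__ == "__main__":
    print(demo())
```

Tuples and lists serialize identically here, so both sides must agree that the JSON view of the payload is what gets authenticated.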