Reviewed: https://review.openstack.org/114646 Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=fc53b9eedad1fea325f651a6861a82616b715a27 Submitter: Jenkins Branch: master commit fc53b9eedad1fea325f651a6861a82616b715a27 Author: Adam Young <ayoung at redhat.com> Date: Fri Aug 15 16:13:59 2014 -0400 Hash for PKIZ Only PKI (asn1) based tokens were checked for format and hashed Closes-Bug: 1355125 SecurityImpact Change-Id: I24cb09edd9a6c9e99e48042a623c7818321f2ead ** Changed in: keystonemiddleware Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1355125 Title: keystonemiddleware appears not to hash PKIZ tokens Status in OpenStack Identity (Keystone) Middleware: Fix Committed Status in Python client library for Keystone: In Progress Bug description: It looks like Keystone hashes only PKI tokens [1] and test test_verify_signed_token_raises_exception_for_revoked_pkiz_token [2] does not take hashing into account (and checks only already hashed data and not hashing itself) And that should make token revocation for PKIZ tokens broken. [1] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/auth_token.py#L1399 [2] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/tests/test_auth_token_middleware.py#L741 To manage notifications about this bug go to: https://bugs.launchpad.net/keystonemiddleware/+bug/1355125/+subscriptions