Reviewed: https://review.openstack.org/114654 Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=eb54dfa3f7ef89502e723d4ade41d8930ffb48d5 Submitter: Jenkins Branch: master commit eb54dfa3f7ef89502e723d4ade41d8930ffb48d5 Author: Adam Young <ayoung at redhat.com> Date: Fri Aug 15 16:37:32 2014 -0400 Hash for PKIZ Only PKI (asn1) based tokens were checked for format and hashed Closes-Bug: 1355125 SecurityImpact Change-Id: Iefedde7f168e2ff1870905041fa95301934452e5 ** Changed in: python-keystoneclient Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security Group, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1355125 Title: keystonemiddleware appears not to hash PKIZ tokens Status in OpenStack Identity (Keystone) Middleware: Fix Released Status in Python client library for Keystone: Fix Committed Bug description: It looks like Keystone hashes only PKI tokens [1] and test test_verify_signed_token_raises_exception_for_revoked_pkiz_token [2] does not take hashing into account (and checks only already hashed data and not hashing itself) And that should make token revocation for PKIZ tokens broken. [1] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/auth_token.py#L1399 [2] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/tests/test_auth_token_middleware.py#L741 To manage notifications about this bug go to: https://bugs.launchpad.net/keystonemiddleware/+bug/1355125/+subscriptions