[Openstack-security] [Bug 1355125] Re: keystonemiddleware appears not to hash PKIZ tokens

Sam Morrison 1355125 at bugs.launchpad.net
Mon Jun 29 03:24:46 UTC 2015 

Ubuntu trusty/juno is affected by this too

It has version 1.0.0-1~cloud0

** Also affects: python-keystonemiddleware (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1355125

Title:
  keystonemiddleware appears not to hash PKIZ tokens

Status in OpenStack Identity  (Keystone) Middleware:
  Fix Released
Status in Python client library for Keystone:
  Fix Released
Status in python-keystonemiddleware package in Ubuntu:
  New

Bug description:
  It looks like Keystone hashes only PKI tokens [1] and test test_verify_signed_token_raises_exception_for_revoked_pkiz_token [2] does not take hashing into account (and checks only already hashed data and not hashing itself)
  And that should make token revocation for PKIZ tokens broken.

  
  [1] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/auth_token.py#L1399
  [2] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/tests/test_auth_token_middleware.py#L741

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystonemiddleware/+bug/1355125/+subscriptions

More information about the Openstack-security mailing list