yahoo-eng-team team mailing list archive

[Bug 1288693] [NEW] PKI token is possible to validate via GET call

Public bug reported:

PKI token should be validated only using Cert and Revocation list.
There is no need for any user to fetch/validate the PKI token by making
a GET call. Currently, PKI token, similar to UUID token, can be
validated/fetched by making a GET call

v2.0/tokens/{tokenId}

Here tokenId can be the whole PKI token or md5 hash of the token.

This opens the possibility that a custom service can start using this
approach for PKI token validation rather than PKI sign verification
using cert.

This could potentially open a possible attack by a malicious service
(insider attacker with service role) to fetch PKI token for user by
guessing or exploiting the weakness of MD5 token_id.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1288693

Title:
  PKI token is possible to validate via GET call

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1288693/+subscriptions
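
The validation path the report says a service should use (signing certificate plus revocation list, never GET /v2.0/tokens/{tokenId}) looks like this in an added example. It is not Keystone's or keystonemiddleware's code. It assumes a simplified token format (base64url JSON payload, a dot, base64url signature) signed with RSA-PKCS1v15 over SHA-256 instead of the CMS/PKCS#7 blob real PKI tokens use, and the payload fields and sample values are constructed; the MD5 token id is computed over the encoded token exactly as the report describes, because that is the form entries take in the revocation list.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokenPayload: constructed simplification of the fields a consuming service
// needs from a Keystone token body.
type tokenPayload struct {
	UserID    string    `json:"user_id"`
	ProjectID string    `json:"project_id"`
	Expires   time.Time `json:"expires"`
}

// Issue signs a payload with the identity service's private key and returns
// base64url(payload) + "." + base64url(signature). Real PKI tokens are CMS
// blobs; plain RSA-PKCS1v15/SHA-256 is used so this runs on the Go stdlib.
func Issue(priv *rsa.PrivateKey, p tokenPayload) (string, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// TokenID is the MD5 hex digest of the encoded token: the short id the report
// says is accepted by GET /v2.0/tokens/{tokenId} and the key used in the
// revocation list. It is only ever used here for a local lookup.
func TokenID(encoded string) string {
	sum := md5.Sum([]byte(encoded))
	return hex.EncodeToString(sum[:])
}

// Validator holds the only inputs an offline PKI consumer needs: the signing
// certificate's public key and the current revocation list. It never sends
// the token or its hash back to the identity service.
type Validator struct {
	SigningKey *rsa.PublicKey
	Revoked    map[string]bool  // revoked token ids, keyed by TokenID
	Now        func() time.Time // injectable clock for tests (nil = time.Now)
}

var (
	ErrMalformed = errors.New("token: malformed")
	ErrBadSig    = errors.New("token: signature does not verify against signing cert")
	ErrRevoked   = errors.New("token: revoked")
	ErrExpired   = errors.New("token: expired")
)

func (v *Validator) Validate(encoded string) (*tokenPayload, error) {
	parts := strings.SplitN(encoded, ".", 2)
	if len(parts) != 2 {
		return nil, ErrMalformed
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	// 1. Signature first: proves the identity service issued exactly this payload.
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(v.SigningKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, ErrBadSig
	}
	// 2. Revocation: the list carries MD5 ids, so hash the token the same way.
	if v.Revoked[TokenID(encoded)] {
		return nil, ErrRevoked
	}
	// 3. Expiry, read from the now-trusted payload.
	var p tokenPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return nil, ErrMalformed
	}
	now := time.Now
	if v.Now != nil {
		now = v.Now
	}
	if !now().Before(p.Expires) {
		return nil, ErrExpired
	}
	return &p, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ := Issue(priv, tokenPayload{UserID: "u-123", ProjectID: "p-9", Expires: time.Now().Add(time.Hour)})
	v := &Validator{SigningKey: &priv.PublicKey, Revoked: map[string]bool{}}
	p, err := v.Validate(tok)
	fmt.Println(p, err)
	v.Revoked[TokenID(tok)] = true // simulate the id appearing on the revocation list
	_, err = v.Validate(tok)
	fmt.Println(err)
}
```

The ordering matters: the signature is checked before the payload is parsed or trusted, the revocation lookup is a local hash comparison rather than a token fetch, and nothing in the validator has a network client, so a service built this way cannot drift into using the GET endpoint the report is concerned about.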
