
yahoo-eng-team team mailing list archive

[Bug 1317302] [NEW] pki_setup shouldn't be required to check revocations


Public bug reported:


With the fix for bug 1312858, auth_token can validate UUID tokens or hashed PKI tokens against the revocation list. But in order to use this in a setting where only UUID tokens are being used, the server still needs to have pki_setup run. We should be able to check UUID tokens against the revocation list even when pki_setup hasn't been done.

The reason pki_setup has to be done is that the revocation list is
signed using CMS. The auth_token middleware only accepts the signed
format for the revocation list.

The proposed solution is to change the auth_token middleware to also
accept a revocation list that's not signed. If it's not signed, then the
PKI certificates aren't required.

The keystone server will be changed to allow configuring it such that
the revocation list will be sent as an unencrypted JSON object that the
auth_token middleware can now accept.

** Affects: keystone
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: In Progress

** Affects: python-keystoneclient
     Importance: Undecided
     Assignee: Brant Knudson (blk-u)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Brant Knudson (blk-u)

** Also affects: python-keystoneclient
   Importance: Undecided
       Status: New

** Changed in: python-keystoneclient
     Assignee: (unassigned) => Brant Knudson (blk-u)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1317302
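The report describes two shapes the revocation list can take on the middleware side: the CMS-signed envelope that needs the pki_setup certificates to verify, and the plain JSON list the bug proposes. The Python below is an added example, not keystone's or python-keystoneclient's code: it models an auth_token-style check that accepts either shape and then matches a UUID token verbatim, or a PKI token by its hash, against the list. The list layout (`{"revoked": [{"id": ..., "expires": ...}]}`), the "MII" prefix test for PKI tokens, md5 as the hash algorithm, and all sample tokens are assumptions modelled on keystone and labelled as such in the code; real CMS verification is stood in for by a function that only unwraps a constructed envelope.

```python
# Added example, not keystone's or python-keystoneclient's code: a minimal
# auth_token-style revocation check that accepts the CMS-signed revocation
# list *or* the plain JSON list this bug proposes. The list layout
# ({"revoked": [{"id": ..., "expires": ...}]}), the "MII" prefix test for
# PKI tokens and md5 as the hash are assumptions modelled on keystone.
import hashlib
import json

CMS_HEADER = "-----BEGIN CMS-----"
CMS_FOOTER = "-----END CMS-----"


def token_lookup_id(token, hash_algorithm="md5"):
    """Return the id under which a token appears in the revocation list.

    PKI tokens are large base64 CMS blobs (a DER SEQUENCE, so the base64
    starts with "MII"); the list stores their hash instead of the blob.
    UUID tokens are listed verbatim. Prefix test and default algorithm
    are assumptions for this example."""
    if token.startswith("MII"):
        return hashlib.new(hash_algorithm, token.encode("utf-8")).hexdigest()
    return token


def needs_pki_certs(body):
    """True if this list can only be accepted with the pki_setup certificates."""
    return body.strip().startswith(CMS_HEADER)


def parse_revocation_list(body, cms_verify=None):
    """Return the set of revoked token ids from a revocation-list body.

    A CMS-enveloped body needs ``cms_verify`` (a callable that checks the
    signature against the signing cert from pki_setup and returns the JSON
    payload). A bare JSON body is the unsigned format proposed in the bug:
    no certificates are needed, so a deployment using only UUID tokens can
    check revocations without ever running pki_setup."""
    stripped = body.strip()
    if needs_pki_certs(stripped):
        if cms_verify is None:
            raise ValueError("signed revocation list but no CMS verifier "
                             "(signing certificate from pki_setup) available")
        payload = cms_verify(stripped)
    else:
        payload = stripped
    doc = json.loads(payload)
    return {entry["id"] for entry in doc.get("revoked", [])}


def is_revoked(token, revoked_ids, hash_algorithm="md5"):
    """True if the token (UUID or PKI) is on the revocation list."""
    return token_lookup_id(token, hash_algorithm) in revoked_ids


# --- constructed sample data (not real tokens) ---------------------------
SAMPLE_UUID_TOKEN = "3f2504e04f8911d39a0c0305e82c3301"
SAMPLE_PKI_TOKEN = "MIIConstructedBase64BlobStandingInForAPkiToken"
SAMPLE_LIVE_TOKEN = "0123456789abcdef0123456789abcdef"

# Unsigned JSON list, as keystone would send it in the proposed mode.
UNSIGNED_LIST = json.dumps({"revoked": [
    {"id": SAMPLE_UUID_TOKEN, "expires": "2014-05-09T00:00:00Z"},
    {"id": token_lookup_id(SAMPLE_PKI_TOKEN), "expires": "2014-05-09T00:00:00Z"},
]})

# Constructed stand-in for a CMS envelope around the same JSON.
SIGNED_LIST = CMS_HEADER + "\n" + UNSIGNED_LIST + "\n" + CMS_FOOTER


def fake_cms_verify(envelope):
    """Stand-in for real CMS verification (openssl cms -verify against the
    pki_setup certificates): it only unwraps the constructed envelope."""
    inner = envelope[len(CMS_HEADER):envelope.rindex(CMS_FOOTER)]
    return inner.strip()


def check_all(body, cms_verify=None):
    """Parse one list and report the status of the three sample tokens."""
    revoked = parse_revocation_list(body, cms_verify)
    return {
        "uuid": is_revoked(SAMPLE_UUID_TOKEN, revoked),
        "pki": is_revoked(SAMPLE_PKI_TOKEN, revoked),
        "live": is_revoked(SAMPLE_LIVE_TOKEN, revoked),
    }


if __name__ == "__main__":
    print("unsigned:", check_all(UNSIGNED_LIST))
    print("signed:  ", check_all(SIGNED_LIST, fake_cms_verify))
```

Both forms yield the same answer for the same tokens; the difference is only where the list's integrity comes from. With the unsigned form nothing in the list itself proves it came from keystone, so the channel over which auth_token fetches it has to carry that guarantee instead.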


