yahoo-eng-team team mailing list archive
Message #16192
[Bug 1329608] [NEW] Object storage temp URL uses SHA1
Public bug reported:
It appears glance uses SHA1 for hashing:
https://review.openstack.org/#/c/81391/28/ironic/common/glance_service/v2/image_service.py:
    # Encode to UTF-8
    try:
        # The digest (hashlib.sha1) is fixed here rather than taken from configuration
        sig = hmac.new(key.encode(),
                       hmac_body.encode(),
                       hashlib.sha1).hexdigest()
    except UnicodeDecodeError:
        raise exc.InvalidParameterValue(_('Could not convert '
                                          'swift temporary URL arguments '
                                          'to Unicode for url.'))
The choice is hard-coded and cannot be changed. SHA1 could cause
problems for folks operating in US Federal and US Financial, where SHA2
should be used. I believe it's a governance issue and there's not much
security related substance to it.
According to Josh Gachnang:
"I don't believe either is configurable without a new
tempurl middleware implemented in Swift (unfortunately).
This code is almost exactly copied from here:
http://docs.openstack.org/trunk/config-reference/content/object-storage-tempurl.html"
This is a similar report to
https://bugs.launchpad.net/keystone/+bug/1174499.
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1329608
Title:
Object storage temp URL uses SHA1
Status in OpenStack Image Registry and Delivery Service (Glance):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1329608/+subscriptions
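The following is an added example, not code from the bug report, from Glance or from Swift. It shows what the report asks for: the same HMAC computation as the quoted snippet, but with the digest taken from a configured name instead of being hard-coded, plus a constant-time verification step. The message format (method, expiry and path joined by newlines) is the one Swift's tempurl middleware documents; the key, path and expiry values are constructed sample data, and the configuration-name allow-list is an assumption of this example.

```python
import hashlib
import hmac

# Allow-list mapping a configuration string to a hashlib constructor.
# Assumption of this example: an operator setting such as
# "swift_temp_url_digest = sha256" would be resolved through this table,
# so a deployment that must use SHA-2 can do so without a code change.
ALLOWED_DIGESTS = {
    "sha1": hashlib.sha1,      # the value hard-coded in the quoted snippet
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}

# Constructed sample inputs (not taken from the bug report).
SAMPLE_KEY = "s3cr3t-tempurl-key"
SAMPLE_METHOD = "GET"
SAMPLE_EXPIRES = 1400000000
SAMPLE_PATH = "/v1/AUTH_demo/images/image-1.qcow2"


def resolve_digest(name):
    """Map a configured digest name to a hashlib constructor, rejecting unknown names."""
    try:
        return ALLOWED_DIGESTS[name.lower()]
    except KeyError:
        raise ValueError("unsupported temp URL digest: %r" % name)


def tempurl_signature(key, method, expires, path, digest_name="sha1"):
    """Compute the tempurl HMAC over "METHOD\\nEXPIRES\\nPATH" with a configurable digest.

    This mirrors the quoted snippet (key and body are UTF-8 encoded before
    hashing) except that the digest is chosen by name rather than fixed.
    """
    hmac_body = "%s\n%s\n%s" % (method, int(expires), path)
    digest = resolve_digest(digest_name)
    return hmac.new(key.encode("utf-8"),
                    hmac_body.encode("utf-8"),
                    digest).hexdigest()


def verify_signature(key, method, expires, path, presented_sig, digest_name="sha1"):
    """Recompute the signature and compare it in constant time.

    hmac.compare_digest avoids leaking how many leading characters matched,
    which a plain string comparison would do.
    """
    expected = tempurl_signature(key, method, expires, path, digest_name)
    return hmac.compare_digest(expected, presented_sig)


if __name__ == "__main__":
    for name in ("sha1", "sha256"):
        sig = tempurl_signature(SAMPLE_KEY, SAMPLE_METHOD, SAMPLE_EXPIRES, SAMPLE_PATH, name)
        ok = verify_signature(SAMPLE_KEY, SAMPLE_METHOD, SAMPLE_EXPIRES, SAMPLE_PATH, sig, name)
        print("%-6s %s verified=%s" % (name, sig, ok))
```

The verifying side must know which digest the signing side used; a deployment that switches Glance to SHA-2 also needs a Swift tempurl middleware that accepts that digest, which is the dependency the quoted comment from Josh Gachnang points at.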