yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1174499] Re: Keystone token hashing is MD5

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Diane Fleming <dfleming@xxxxxxxxxxxxx>
Date: Sat, 30 May 2015 22:23:00 -0000
Reply-to: Bug 1174499 <1174499@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Not clear what needs to change in the API docs.

** Changed in: openstack-api-site
       Status: Confirmed => Won't Fix

** Changed in: openstack-api-site
       Status: Won't Fix => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1174499

Title:
  Keystone token hashing is MD5

Status in Django OpenStack Auth:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack API documentation site:
  Incomplete
Status in Python client library for Keystone:
  Fix Released

Bug description:
  https://github.com/openstack/python-
  keystoneclient/blob/master/keystoneclient/common/cms.py

  def cms_hash_token(token_id):
      """
  return: for ans1_token, returns the hash of the passed in token
  otherwise, returns what it was passed in.
  """
      if token_id is None:
          return None
      if is_ans1_token(token_id):
          hasher = hashlib.md5()
          hasher.update(token_id)
          return hasher.hexdigest()
      else:
          return token_id

  
  MD5 is a deprecated mechanism, it should be replaces with at least SHA1, if not SHA256.
  Keystone should be able to support multiple Hash types, and the auth_token middleware should query Keystone to find out which type is in use.

To manage notifications about this bug go to:
https://bugs.launchpad.net/django-openstack-auth/+bug/1174499/+subscriptions