yahoo-eng-team team mailing list archive

[Bug 1507456] [NEW] default setting of certificate for SAML signing doesn't work


Public bug reported:

Currently, the default setting is
'/etc/keystone/ssl/certs/signing_cert.pem' which is the public key
certificate which contains,

- Signature Algorithm
- Public Key
- Signature Algorithm
- Subject

etc.

But sigver.read_cert_from_file expects the certificate's content
to hold plain certificate information, which means it starts from
-----BEGIN CERTIFICATE-----
or
-----BEGIN PUBLIC KEY-----

and end with

-----END CERTIFICATE-----
or
-----END PUBLIC KEY-----

So, the default setting will not work for SAML signing.

** Affects: keystone
     Importance: Undecided
         Status: New

** Description changed:

  Currently, the default setting is
  '/etc/keystone/ssl/certs/signing_cert.pem' which is the public key
  certificate which contains,
  
  - Signature Algorithm
  - Public Key
  - Signature Algorithm
  - Subject
  
+ etc.
+ 
  But sigver.read_cert_from_file expects the certificate's content
- holds plain certificate information, which means it 's start from 
+ holds plain certificate information, which means it 's start from
  -----BEGIN CERTIFICATE-----
  or
  -----BEGIN PUBLIC KEY-----
  
  and end with
  
  -----END CERTIFICATE-----
  or
- -----END PUBLIC KEY----- 
+ -----END PUBLIC KEY-----
  
  So, the default setting will not work for SAML signing.

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1507456
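A small file-shape check, added here as an example and not taken from Keystone or pysaml2: it classifies a certificate file as "plain" (first line is a BEGIN marker, last line the matching END marker, the form the report says sigver.read_cert_from_file requires), "preamble" (a complete PEM block exists but text such as the Signature Algorithm / Public Key / Subject dump that `openssl x509 -text` prints sits in front of it, which is what the report describes for the default signing_cert.pem), or "none". The certificate sample is constructed with a placeholder body, and the function names are the example's own.

```python
"""Check whether a PEM file has the plain shape a strict SAML signing-cert
loader accepts, or carries a textual preamble in front of the PEM block.

Added example for this bug report; not code from Keystone or pysaml2.
"""
import sys

# BEGIN marker -> the END marker that must close the same block.
PEM_PAIRS = {
    "-----BEGIN CERTIFICATE-----": "-----END CERTIFICATE-----",
    "-----BEGIN PUBLIC KEY-----": "-----END PUBLIC KEY-----",
}


def _lines(text):
    """Split text into lines, dropping CRs and blank lines at either end."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    while lines and lines[0].strip() == "":
        lines.pop(0)
    while lines and lines[-1].strip() == "":
        lines.pop()
    return lines


def is_plain_pem(text):
    """True when the first line is a BEGIN marker and the last line is the
    matching END marker: nothing before or after the block."""
    lines = _lines(text)
    if not lines:
        return False
    end = PEM_PAIRS.get(lines[0].strip())
    return end is not None and lines[-1].strip() == end


def extract_pem_block(text):
    """Return the first BEGIN..END block found anywhere in text (markers
    included, one row per line, trailing newline), or None if there is no
    complete block. This is what strips an 'openssl x509 -text' preamble."""
    lines = _lines(text)
    for i, line in enumerate(lines):
        end = PEM_PAIRS.get(line.strip())
        if end is None:
            continue
        for j in range(i + 1, len(lines)):
            if lines[j].strip() == end:
                return "\n".join(row.strip() for row in lines[i:j + 1]) + "\n"
        return None  # BEGIN without its END: not a usable block
    return None


def classify(text):
    """'plain'    : loadable as-is by a strict BEGIN/END loader
       'preamble' : a PEM block exists but other text surrounds it
       'none'     : no complete PEM block at all"""
    if is_plain_pem(text):
        return "plain"
    if extract_pem_block(text) is not None:
        return "preamble"
    return "none"


def check_file(path):
    """Classify the file at path (e.g. the configured signing cert)."""
    with open(path, "r") as fh:
        return classify(fh.read())


# Constructed sample: placeholder base64 body, not a real certificate.
PLAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBxPLACEHOLDERNOTAREALCERTIFICATE0000000000000000000000000000\n"
    "MIIBxPLACEHOLDERNOTAREALCERTIFICATE0000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)

# The same block behind the kind of header 'openssl x509 -text' prints:
# the Signature Algorithm / Public Key / Subject lines the report lists.
TEXT_DUMP_PEM = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Signature Algorithm: sha256WithRSAEncryption\n"
    "        Subject: CN=keystone-signing-sample\n"
    "        Subject Public Key Info:\n"
    "            Public Key Algorithm: rsaEncryption\n"
    "    Signature Algorithm: sha256WithRSAEncryption\n"
) + PLAIN_PEM


if __name__ == "__main__":
    # Usage: python pem_shape.py /etc/keystone/ssl/certs/signing_cert.pem
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print("%s: %s" % (path, check_file(path)))
    else:
        print("constructed plain sample:", classify(PLAIN_PEM))
        print("constructed text-dump sample:", classify(TEXT_DUMP_PEM))
```

A file that classifies as "preamble" can be reduced to the plain form either with extract_pem_block above or by re-exporting it with `openssl x509 -in signing_cert.pem -out plain.pem` (no `-text`), which writes only the BEGIN/END block.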
