yahoo-eng-team team mailing list archive
Message #44405
[Bug 1522525] Re: test_signature_utils tests fail when openssl is older than 1.0.1
Reviewed: https://review.openstack.org/264377
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=2752fd6e161944f5875e4f4d0b4cdf4e178d05cd
Submitter: Jenkins
Branch: master
commit 2752fd6e161944f5875e4f4d0b4cdf4e178d05cd
Author: Brianna Poulos <Brianna.Poulos@xxxxxxxxxx>
Date: Wed Jan 6 17:16:33 2016 -0500

Catch UnsupportedAlgorithm exceptions

For signature verification, only SHA-2 family hash algorithms are
used. Some older platforms, with an older version of openssl (older
than 1.0.1) do not support SHA-2 hashes.

This patch skips the signature verification unit tests that require
SHA-2 support on systems that do not have SHA-2 support. It also
catches the UnsupportedAlgorithm exception that is generated when a
system that does not have SHA-2 support tries to verify the signature,
providing better feedback to the user.

Change-Id: I11b2366e96d49a5d502d6fccb0b6f620eb6c381d
Closes-Bug: 1522525

** Changed in: glance
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1522525
Title:
test_signature_utils tests fail when openssl is older than 1.0.1
Status in Glance:
Fix Released
Bug description:
In liberty, initial support for image signature verification was added
to glance (see spec at [1] and patch at [2]). In this feature, if
certain signature properties are provided when an image is uploaded,
glance will perform verification on the signature. This includes the
certificate uuid, the hash method, the signature, and the signature
type.

The hash methods supported [3] are only in the SHA-2 family. SHA-1 is
not included, since it is no longer considered secure.

There are some older platforms which do not support SHA-2 hashes,
since they have an older version of openssl (older than 1.0.1). When
the test_signature_utils tests are run on such a platform, exceptions
[4] are generated.

The signature_utils class needs to be updated in order to catch these
UnsupportedAlgorithm exceptions, and notify the user that signature
verification cannot be performed due to an out-of-date openssl
installation.

Note that this issue was brought up during a glance drivers meeting
[5] and a glance meeting [6]. It was also further discussed on the
#openstack-glance IRC channel [7].

[1] http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
[2] https://review.openstack.org/#/c/183137/
[3] https://github.com/openstack/glance/blob/master/glance/common/signature_utils.py#L43-L48
[4] http://paste.openstack.org/show/480800/
[5] http://eavesdrop.openstack.org/meetings/glance/2015/glance.2015-12-03-13.59.html
[6] http://eavesdrop.openstack.org/meetings/glance_drivers/2015/glance_drivers.2015-12-01-13.59.html
[7] http://eavesdrop.openstack.org/irclogs/%23openstack-glance/%23openstack-glance.2015-12-03.log.html -- 17:32 to 17:54
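
The handling described in the commit message above (skip SHA-2 tests where SHA-2 is unavailable, and turn the backend's unsupported-algorithm failure into a clear error), as an added example that is not Glance's code and not part of the original message. The standard library's hashlib stands in for the crypto backend; `ALLOWED_HASH_METHODS` and its key spellings, `SignatureVerificationError`, `platform_supports` and `get_hasher` are hypothetical names.

```python
import hashlib
import unittest

# Assumed allow-list: the bug report says only SHA-2 family methods are
# accepted. The key spellings are illustrative, not copied from Glance.
ALLOWED_HASH_METHODS = {
    "SHA-224": "sha224",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


class SignatureVerificationError(Exception):
    """Hypothetical user-facing error raised instead of a raw backend failure."""


def platform_supports(hash_method, available=None):
    """Return True if hash_method is allowed and the local build provides it."""
    available = hashlib.algorithms_available if available is None else available
    name = ALLOWED_HASH_METHODS.get(hash_method)
    return name is not None and name in available


def get_hasher(hash_method, available=None):
    """Return a hash object, or raise an error the uploader can act on."""
    if hash_method not in ALLOWED_HASH_METHODS:
        # SHA-1 and anything else outside the SHA-2 family is rejected by policy.
        raise SignatureVerificationError(
            "Invalid signature hash method: %s" % hash_method)
    if not platform_supports(hash_method, available):
        raise SignatureVerificationError(
            "Unable to verify signature: %s is not supported by the "
            "installed crypto library" % hash_method)
    try:
        return hashlib.new(ALLOWED_HASH_METHODS[hash_method])
    except ValueError as exc:  # hashlib's signal for an unsupported algorithm
        raise SignatureVerificationError(
            "Unable to verify signature: %s" % exc) from exc


class TestSignatureHashes(unittest.TestCase):
    # Skip, rather than fail, on a platform without SHA-2 support.
    @unittest.skipIf(not platform_supports("SHA-256"), "SHA-2 not supported")
    def test_sha256_digest(self):
        digest = get_hasher("SHA-256")
        digest.update(b"constructed image data")
        self.assertEqual(len(digest.digest()), 32)
```

Passing a restricted `available` set (for example `{"md5", "sha1"}`) simulates a platform whose crypto library predates SHA-2 support.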