diff options
author | Brant Knudson <bknudson@us.ibm.com> | 2014-08-27 17:53:41 -0500 |
---|---|---|
committer | Brant Knudson <bknudson@us.ibm.com> | 2015-01-05 14:47:16 -0600 |
commit | b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9 (patch) | |
tree | 87ae303a96eae189c0b2a36c89f01142204a7b43 /keystoneclient/common | |
parent | 260f54dad7f53cad10b02f562a666c96da176a40 (diff) | |
download | python-keystoneclient-b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9.tar.gz |
token signing support alternative message digest
The functions for creating signed tokens in common.cms always used
sha256 for the message digest. This might be inadequate in the future
so the digest algorithm shouldn't be hard-coded. A parameter is added
to allow choosing a different digest algorithm.
SecurityImpact
Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef
Related-Bug: #1362343
Diffstat (limited to 'keystoneclient/common')
-rw-r--r-- | keystoneclient/common/cms.py | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py index 19390f2..8d8b86b 100644 --- a/keystoneclient/common/cms.py +++ b/keystoneclient/common/cms.py @@ -38,6 +38,7 @@ PKI_ASN1_PREFIX = 'MII' PKIZ_PREFIX = 'PKIZ_' PKIZ_CMS_FORM = 'DER' PKI_ASN1_FORM = 'PEM' +DEFAULT_TOKEN_DIGEST_ALGORITHM = 'sha256' # The openssl cms command exits with these status codes. @@ -198,11 +199,13 @@ def is_pkiz(token_text): def pkiz_sign(text, signing_cert_file_name, signing_key_file_name, - compression_level=6): + compression_level=6, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): signed = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, - PKIZ_CMS_FORM) + PKIZ_CMS_FORM, + message_digest=message_digest) compressed = zlib.compress(signed, compression_level) encoded = PKIZ_PREFIX + base64.urlsafe_b64encode( @@ -297,13 +300,15 @@ def is_ans1_token(token): return is_asn1_token(token) -def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name): +def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): return cms_sign_data(data_to_sign, signing_cert_file_name, - signing_key_file_name) + signing_key_file_name, message_digest=message_digest) def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, - outform=PKI_ASN1_FORM): + outform=PKI_ASN1_FORM, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): """Uses OpenSSL to sign a document. Produces a Base64 encoding of a DER formatted CMS Document @@ -316,7 +321,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, the data :param outform: Format for the signed document PKIZ_CMS_FORM or PKI_ASN1_FORM - + :param message_digest: Digest algorithm to use when signing or resigning """ _ensure_subprocess() @@ -330,7 +335,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach', '-nocerts', '-noattr', - '-md', 'sha256', ], + '-md', message_digest, ], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, @@ -353,8 +358,10 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, return output -def cms_sign_token(text, signing_cert_file_name, signing_key_file_name): - output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name) +def cms_sign_token(text, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): + output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, + message_digest=message_digest) return cms_to_token(output) |