dce0c69220
The signing_dir directive defined in barbican-api-paste.ini explicitly stores Keystone's signing certificates in a known /tmp directory. This could be exploited by populating the directory with bogus certificates, potentially allowing a malicious user to generate valid tokens. Added comment explaining signing_dir, and a reasonable (commented) default. Change-Id: I15fda6863e888e3881694ab47a836eee2fb578ee Closes-Bug: #1446406