diff --git a/glance/common/signature_utils.py b/glance/common/signature_utils.py index b925d433cf..502092a04b 100644 --- a/glance/common/signature_utils.py +++ b/glance/common/signature_utils.py @@ -15,7 +15,7 @@ """Support signature verification.""" -import base64 +import binascii from castellan import key_manager from cryptography import exceptions as crypto_exception @@ -25,7 +25,9 @@ from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives import hashes from cryptography import x509 from oslo_log import log as logging +from oslo_serialization import base64 from oslo_utils import encodeutils +import six from glance.common import exception from glance import i18n @@ -112,6 +114,9 @@ def verify_signature(context, checksum_hash, image_properties): 'Required image properties for signature verification do not' ' exist. Cannot verify signature.') + if isinstance(checksum_hash, six.text_type): + checksum_hash = checksum_hash.encode('utf-8') + signature = get_signature(image_properties[SIGNATURE]) hash_method = get_hash_method(image_properties[HASH_METHOD]) signature_key_type = get_signature_key_type( @@ -179,8 +184,8 @@ def get_signature(signature_data): :raises: SignatureVerificationError if the signature data is malformatted """ try: - signature = base64.b64decode(signature_data) - except TypeError: + signature = base64.decode_as_bytes(signature_data) + except (TypeError, binascii.Error): raise exception.SignatureVerificationError( 'The signature data was not properly encoded using base64') diff --git a/glance/tests/unit/common/test_signature_utils.py b/glance/tests/unit/common/test_signature_utils.py index 1d04ab069a..cd9356ec0b 100644 --- a/glance/tests/unit/common/test_signature_utils.py +++ b/glance/tests/unit/common/test_signature_utils.py 
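Review bot: In verify_signature, the added `isinstance(checksum_hash, six.text_type)` branch decides which bytes the signature is checked against, but nothing in the hunk records that contract. A one-line comment above it would help, e.g. `# Signatures are checked over bytes; encode a text checksum so Python 2 and 3 verify the same input.`. The docstring, which lies outside this hunk, should also say that both text and bytes are accepted. A value that is neither text nor bytes (None, for instance) still passes through unchanged to the verification code further down, which is not visible here, so an explicit type check may be worth adding.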
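Review bot: In get_signature, `except (TypeError, binascii.Error)` may not cover every decode failure now that the call goes through `base64.decode_as_bytes`. On Python 3 the standard-library decoder raises a plain ValueError for a text argument with non-ASCII characters, and an ASCII decode of byte input would raise UnicodeDecodeError, so neither would be caught. The signature property arrives with the image, and such input would then surface as an unhandled error rather than SignatureVerificationError; the image is still rejected, but not through the intended path. Consider `except (TypeError, ValueError, binascii.Error):`, since binascii.Error is a ValueError subclass on Python 3 but not on Python 2. How decode_as_bytes normalises its input is not visible in this diff, so confirm against oslo.serialization.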
@@ -119,9 +119,9 @@ class TestSignatureUtils(test_utils.BaseTestCase): @mock.patch('glance.common.signature_utils.get_public_key') def test_verify_signature_PSS(self, mock_get_pub_key): - checksum_hash = '224626ae19824466f2a7f39ab7b80f7f' + checksum_hash = b'224626ae19824466f2a7f39ab7b80f7f' mock_get_pub_key.return_value = TEST_PRIVATE_KEY.public_key() - for hash_name, hash_alg in signature_utils.HASH_METHODS.iteritems(): + for hash_name, hash_alg in signature_utils.HASH_METHODS.items(): signer = TEST_PRIVATE_KEY.signer( padding.PSS( mgf=padding.MGF1(hash_alg), @@ -143,10 +143,10 @@ class TestSignatureUtils(test_utils.BaseTestCase): @mock.patch('glance.common.signature_utils.get_public_key') def test_verify_signature_custom_PSS_salt(self, mock_get_pub_key): - checksum_hash = '224626ae19824466f2a7f39ab7b80f7f' + checksum_hash = b'224626ae19824466f2a7f39ab7b80f7f' mock_get_pub_key.return_value = TEST_PRIVATE_KEY.public_key() custom_salt_length = 32 - for hash_name, hash_alg in signature_utils.HASH_METHODS.iteritems(): + for hash_name, hash_alg in signature_utils.HASH_METHODS.items(): signer = TEST_PRIVATE_KEY.signer( padding.PSS( mgf=padding.MGF1(hash_alg), @@ -269,7 +269,7 @@ class TestSignatureUtils(test_utils.BaseTestCase): None, checksum_hash, image_properties) def test_get_signature(self): - signature = 'A' * 256 + signature = b'A' * 256 data = base64.b64encode(signature) self.assertEqual(signature, signature_utils.get_signature(data)) diff --git a/tox.ini b/tox.ini index 9e8de8c499..9ce9a242dc 100644 --- a/tox.ini +++ b/tox.ini @@ -41,6 +41,7 @@ commands = glance.tests.unit.common.test_rpc \ glance.tests.unit.common.test_scripts \ glance.tests.unit.common.test_semver \ + glance.tests.unit.common.test_signature_utils \ glance.tests.unit.common.test_swift_store_utils \ glance.tests.unit.common.test_utils \ glance.tests.unit.common.test_wsgi \
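Review bot: With both PSS tests switched to a bytes `checksum_hash`, none of the tests visible in these hunks passes a text checksum, so the new text-to-bytes branch in verify_signature is not exercised here. Add a case that signs over the bytes and then calls verify_signature with the same value as text, e.g. `checksum_hash = u'224626ae19824466f2a7f39ab7b80f7f'`, asserting that it verifies. test_get_signature likewise covers only well-formed input. A companion case asserting SignatureVerificationError for malformed or non-ASCII signature data would pin the widened `except` clause, unless one already exists outside the hunks shown.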