openstack/python-keystoneclient
Code Issues Proposed changes

Change cms_sign_data to use sha256 message digest

Browse Source 
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.

This if for security hardening.

SecurityImpact

Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
This commit is contained in:
Brant Knudson
2014-08-27 17:50:19 -05:00
parent 7684d95647
commit 84c9ccaed3
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
keystoneclient/common/cms.py
View File

@@ -332,7 +332,8 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
'-inkey', signing_key_file_name, '-inkey', signing_key_file_name,
'-outform', 'PEM', '-outform', 'PEM',
'-nosmimecap', '-nodetach', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr'], '-nocerts', '-noattr',
'-md', 'sha256', ],
stdin=subprocess.PIPE, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE) stderr=subprocess.PIPE)