From b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9 Mon Sep 17 00:00:00 2001 From: Brant Knudson Date: Wed, 27 Aug 2014 17:53:41 -0500 Subject: [PATCH] token signing support alternative message digest The functions for creating signed tokens in common.cms always used sha256 for the message digest. This might be inadequate in the future so the digest algorithm shouldn't be hard-coded. A parameter is added to allow choosing a different digest algorithm. SecurityImpact Change-Id: Ie19d093d0494443ce4cd880ae1f92dffd5c361ef Related-Bug: #1362343 --- keystoneclient/common/cms.py | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py index 19390f216..8d8b86b0a 100644 --- a/keystoneclient/common/cms.py +++ b/keystoneclient/common/cms.py @@ -38,6 +38,7 @@ PKI_ASN1_PREFIX = 'MII' PKIZ_PREFIX = 'PKIZ_' PKIZ_CMS_FORM = 'DER' PKI_ASN1_FORM = 'PEM' +DEFAULT_TOKEN_DIGEST_ALGORITHM = 'sha256' # The openssl cms command exits with these status codes. @@ -198,11 +199,13 @@ def is_pkiz(token_text): def pkiz_sign(text, signing_cert_file_name, signing_key_file_name, - compression_level=6): + compression_level=6, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): signed = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, - PKIZ_CMS_FORM) + PKIZ_CMS_FORM, + message_digest=message_digest) compressed = zlib.compress(signed, compression_level) encoded = PKIZ_PREFIX + base64.urlsafe_b64encode( @@ -297,13 +300,15 @@ def is_ans1_token(token): return is_asn1_token(token) -def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name): +def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): return cms_sign_data(data_to_sign, signing_cert_file_name, - signing_key_file_name) + signing_key_file_name, message_digest=message_digest) def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, - outform=PKI_ASN1_FORM): + outform=PKI_ASN1_FORM, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): """Uses OpenSSL to sign a document. Produces a Base64 encoding of a DER formatted CMS Document @@ -316,7 +321,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, the data :param outform: Format for the signed document PKIZ_CMS_FORM or PKI_ASN1_FORM - + :param message_digest: Digest algorithm to use when signing or resigning """ _ensure_subprocess() @@ -330,7 +335,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach', '-nocerts', '-noattr', - '-md', 'sha256', ], + '-md', message_digest, ], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, @@ -353,8 +358,10 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, return output -def cms_sign_token(text, signing_cert_file_name, signing_key_file_name): - output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name) +def cms_sign_token(text, signing_cert_file_name, signing_key_file_name, + message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM): + output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name, + message_digest=message_digest) return cms_to_token(output)