The auth_token middleware always hashed PKI Tokens with MD5. This change makes it so that PKI tokens can be hashed with SHA256 or any other algorithm supported by hashlib.new(). This is for security hardening.

auth_token has a new config option 'hash_algorithms' that is set to the list of algorithms that will be used for hashing PKI tokens. This will typically be set to a single hash algorithm which must match the hash algorithm set in Keystone. Otherwise the tokens in the revocation list will not match, leading to revoked tokens being still usable.

During a transition from one algorithm to another, 'hash_algorithms' is set to both the new algorithm and the old algorithm. Both of the hash algorithms will be used to match against the revocation list and cache. Once the tokens using the old algorithm have expired the old algorithm can be removed from the list.

'hash_algorithms' defaults to ['md5'] for backwards compatibility.

DocImpact
SecurityImpact
Closes-Bug: #1174499
Change-Id: Ie524125dc5f6f1076bfd47db3a414b178e4dac80
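The following is an added illustration, not code from this change: a minimal sketch of the revocation matching the commit message describes, showing why a 'hash_algorithms' list that does not cover Keystone's algorithm lets a revoked token through, and how listing both algorithms closes the gap during a transition. The function names `token_hashes` and `is_revoked` and the sample tokens are hypothetical.

```python
import hashlib


def token_hashes(token_id, hash_algorithms):
    """Digest the token once per configured algorithm, in list order."""
    data = token_id.encode("utf-8")
    return [hashlib.new(alg, data).hexdigest() for alg in hash_algorithms]


def is_revoked(token_id, revoked_hashes, hash_algorithms):
    """True if any configured digest of the token is on the revocation list."""
    candidates = token_hashes(token_id, hash_algorithms)
    return any(h in revoked_hashes for h in candidates)


# Constructed sample data: placeholder strings standing in for PKI tokens.
OLD_TOKEN = "constructed-pki-token-issued-before-the-switch"
NEW_TOKEN = "constructed-pki-token-issued-after-the-switch"

# Revocation list as published mid-transition: the old token was hashed
# with MD5 when it was issued, the new one with SHA256.
REVOKED = {
    hashlib.new("md5", OLD_TOKEN.encode("utf-8")).hexdigest(),
    hashlib.new("sha256", NEW_TOKEN.encode("utf-8")).hexdigest(),
}


def audit(hash_algorithms):
    """Return which of the two revoked sample tokens the setting detects."""
    return {
        "old": is_revoked(OLD_TOKEN, REVOKED, hash_algorithms),
        "new": is_revoked(NEW_TOKEN, REVOKED, hash_algorithms),
    }


if __name__ == "__main__":
    # A False entry means a revoked token would still be accepted.
    for setting in (["md5"], ["sha256"], ["sha256", "md5"]):
        print(setting, audit(setting))
```
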