This is by design to account for clients that are not PKI-aware. Until we drop support for UUID tokens and the corresponding HTTP APIs for validating tokens, this support should remain.
On the MD5 point specifically, see bug 1174499.

** Changed in: keystone
   Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1288693

Title:
  PKI token is possible to validate via GET call

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  PKI tokens should be validated only using the cert and revocation list. There is no need for any user to fetch/validate a PKI token by making a GET call.

  Currently a PKI token, like a UUID token, can be validated/fetched by making a GET call to v2.0/tokens/{tokenId}. Here tokenId can be the whole PKI token or the MD5 hash of the token.

  This opens the possibility that a custom service starts using this approach for PKI token validation rather than PKI signature verification using the cert. This could potentially open a possible attack by a malicious service (an insider attacker with the service role) to fetch a user's PKI token by guessing or exploiting the weakness of the MD5 token_id.

--
Mailing list: https://launchpad.net/~yahoo-eng-team
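The lookup behaviour the report describes, as an added example that is not Keystone's own code: a server-side table keyed by hashed token id resolves GET /v2.0/tokens/{tokenId} whether the caller sends the whole PKI token (a client that is not PKI-aware) or only its MD5 digest. The classification rule (a CMS token is base64 DER and starts with "MII", everything else is treated as a UUID token) is the one keystoneclient's cms.cms_hash_token() applies; the TokenStore class, the demo() function and the sample tokens are constructed for this illustration.

```python
"""Added example, not Keystone's code: why both the full PKI token and its
MD5 digest work as {tokenId} on the v2.0 token GET call.

The hashing rule mirrors keystoneclient.common.cms.cms_hash_token(): a
CMS/PKI token (base64 DER, prefix "MII") is reduced to a hex digest, MD5
by default; a UUID token is used unchanged. Store and sample data are
constructed for this illustration.
"""
import hashlib

# base64 of a DER SEQUENCE with a multi-byte length, i.e. what a CMS
# signed-data blob starts with
ASN1_PREFIX = "MII"


def is_pki_token(token_id):
    """A PKI (CMS) token is base64 DER, so it begins with 'MII'."""
    return token_id.startswith(ASN1_PREFIX)


def hash_token(token_id, mode="md5"):
    """Same rule as cms_hash_token: PKI tokens become a hex digest (MD5 by
    default, the algorithm the bug report is about); UUID tokens pass through."""
    if not is_pki_token(token_id):
        return token_id
    hasher = hashlib.new(mode)
    hasher.update(token_id.encode("utf-8"))
    return hasher.hexdigest()


class TokenStore:
    """Hypothetical server-side token table, keyed the way the online
    GET /v2.0/tokens/{tokenId} path needs it: by the hashed id."""

    def __init__(self):
        self._by_id = {}

    def issue(self, token_id, user):
        self._by_id[hash_token(token_id)] = {"user": user, "token": token_id}

    def get(self, token_id):
        """Online validation path. Accepts the whole token (what a client
        that is not PKI-aware sends) or its MD5 digest (what a PKI-aware
        caller sends); both normalise to the same key."""
        return self._by_id.get(hash_token(token_id))


# Constructed sample tokens. Only the prefix matters for the rule shown
# here; the PKI one is not a real signed blob.
UUID_TOKEN = "9c7a2f3e4b0d4f7e9a6b1c2d3e4f5a6b"
PKI_TOKEN = "MIIBxQYJKoZIhvcNAQcCoIIBtjCCAbICAQExCTAHBgUrDgMCGjALBgkqhkiG9w0BBwE"


def demo():
    """Issue one token of each kind and look them up by every id form."""
    store = TokenStore()
    store.issue(UUID_TOKEN, "alice")
    store.issue(PKI_TOKEN, "bob")
    digest = hash_token(PKI_TOKEN)
    return {
        "uuid_lookup": store.get(UUID_TOKEN)["user"],
        "pki_full_lookup": store.get(PKI_TOKEN)["user"],
        "pki_hash_lookup": store.get(digest)["user"],
        "digest_len": len(digest),
        "unknown_lookup": store.get("MIIA" + "A" * 40),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from this model is the one the reporter makes: a service holding a 32-character digest gets the same answer from the GET path as a service holding the full signed token, so a consumer can skip the offline CMS signature check entirely. The `mode` parameter is there to show that the digest algorithm is a choice of the client, not a property of the token.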