Public bug reported:

It appears glance uses SHA1 for hashing:
https://review.openstack.org/#/c/81391/28/ironic/common/glance_service/v2/image_service.py:

    # Encode to UTF-8
    try:
        sig = hmac.new(key.encode(), hmac_body.encode(), hashlib.sha1).hexdigest()
    except UnicodeDecodeError:
        raise exc.InvalidParameterValue(_('Could not convert '
                                          'swift temporary URL arguments '
                                          'to Unicode for url.'))

The choice is hard coded and cannot be changed. SHA1 could cause problems for folks operating in US Federal and US Financial, where SHA2 should be used.

I believe it's a governance issue and there's not much security related substance to it.

According to Josh Gachnang: "I don't believe either is configurable without a new tempurl middleware implemented in Swift (unfortunately). This code is almost exactly copied from here: http://docs.openstack.org/trunk/config-reference/content/object-storage-tempurl.html"

This is a similar report to https://bugs.launchpad.net/keystone/+bug/1174499.

** Affects: glance
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1329608

Title:
  Object storage temp URL uses SHA1

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
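
Added example, not part of the bug report and not Glance, Ironic or Swift code: a temp-URL style signer in which the digest is a parameter instead of a hard-coded hashlib.sha1, with a verifier that enforces a digest allowlist. It assumes the hmac_body layout METHOD, EXPIRES, PATH joined by newlines; the function names, the allowlist and the inference of the digest from signature length are hypothetical choices of this sketch.

```python
import hashlib
import hmac

# Constructed sample values for this example only.
KEY = "constructed-demo-key"
PATH = "/v1/AUTH_demo/images/deploy.img"
EXPIRES = 1700000000

# Sketch convention (assumption): the verifier infers the digest from the
# length of the hex signature.
DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}


def sign_temp_url(key, method, expires, path, digest="sha256"):
    """Hex HMAC over 'METHOD\\nEXPIRES\\nPATH' with a selectable digest."""
    if digest not in DIGEST_BY_HEX_LEN.values():
        raise ValueError("unsupported digest: %r" % (digest,))
    hmac_body = "%s\n%d\n%s" % (method.upper(), expires, path)
    return hmac.new(key.encode(), hmac_body.encode(), digest).hexdigest()


def verify_temp_url(key, method, expires, path, sig, now,
                    allowed=("sha256", "sha512")):
    """Accept sig only if its digest is allowed, unexpired and matching."""
    digest = DIGEST_BY_HEX_LEN.get(len(sig))
    if digest is None or digest not in allowed:
        return False  # unknown length, or digest disabled by policy
    if now > expires:
        return False  # link has expired
    expected = sign_temp_url(key, method, expires, path, digest)
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(),
                               sig.lower().encode("utf-8", "replace"))


if __name__ == "__main__":
    now = EXPIRES - 60
    for name in ("sha1", "sha256"):
        sig = sign_temp_url(KEY, "GET", EXPIRES, PATH, name)
        ok = verify_temp_url(KEY, "GET", EXPIRES, PATH, sig, now)
        print(name, len(sig), "accepted" if ok else "rejected")
```

With the default allowlist a SHA1 signature is rejected even when it was produced with the correct key, which is the policy a SHA2-only deployment would need from both the signer and the verifier.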