[Yahoo-eng-team] [Bug 1522525] Re: test_signature_utils tests fail when openssl is older than 1.0.1

[Brianna Poulos]

Note that since nova also has signature_utils (as well as
test_signature_utils) this same fix should be applied to nova.

** Also affects: nova
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1522525

Title:
  test_signature_utils tests fail when openssl is older than 1.0.1

Status in Glance:
  Fix Released
Status in OpenStack Compute (nova):
  New

Bug description:
  In liberty, initial support for image signature verification was added
  to glance (see spec at [1] and patch at [2]).  In this feature, if
  certain signature properties are provided when an image is uploaded,
  glance will perform verification on the signature.  This includes the
  certificate uuid, the hash method, the signature, and the signature
  type.

  The hash methods supported [3] are only in the SHA-2 family.  SHA-1 is
  not included, since it is no longer considered secure.

  There are some older platforms which do not support SHA-2 hashes,
  since they have an older version of openssl (older than 1.0.1).  When
  the test_signature_utils tests are run on such a platform, exceptions
  [4] are generated.

  The signature_utils class needs to be updated in order to catch these
  UnsupportedAlgorithm exceptions, and notify the user that signature
  verification cannot be performed due to an out-of-date openssl
  installation.

  Note that this issue was brought up during a glance drivers meeting
  [5] and a glance meeting [6].  It was also further discussed on the
  #openstack-glance IRC channel [7].

  [1] 
http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
  [2] https://review.openstack.org/#/c/183137/
  [3] 
https://github.com/openstack/glance/blob/master/glance/common/signature_utils.py#L43-L48
  [4] http://paste.openstack.org/show/480800/
  [5] 
http://eavesdrop.openstack.org/meetings/glance/2015/glance.2015-12-03-13.59.html
  [6] 
http://eavesdrop.openstack.org/meetings/glance_drivers/2015/glance_drivers.2015-12-01-13.59.html
  [7] 
http://eavesdrop.openstack.org/irclogs/%23openstack-glance/%23openstack-glance.2015-12-03.log.html
 -- 17:32 to 17:54

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1522525/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp