author | Brant Knudson <bknudson@us.ibm.com> | 2014-08-27 17:50:19 -0500 |
---|---|---|
committer | Brant Knudson <bknudson@us.ibm.com> | 2014-09-24 10:55:51 -0500 |
commit | 84c9ccaed34d83b7e97a4890561b1b218d99b1ba (patch) | |
tree | a2890ab90a3801dfb6a840f72cbb2bdd731a7f1c | |
parent | 7684d956476254d4a297e62d5a3debe27c461d7c (diff) | |
download | python-keystoneclient-84c9ccaed34d83b7e97a4890561b1b218d99b1ba.tar.gz |
Change cms_sign_data to use sha256 message digest
cms_sign_data was not passing the md parameter to openssl, so it was
using the default digest of sha1. Some security standards require a
SHA2 algorithm for the digest.
This is for security hardening.
SecurityImpact
Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
-rw-r--r-- | keystoneclient/common/cms.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 85fa307..1c343f6 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -332,7 +332,8 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 '-inkey', signing_key_file_name,
 '-outform', 'PEM',
 '-nosmimecap', '-nodetach',
- '-nocerts', '-noattr'],
+ '-nocerts', '-noattr',
+ '-md', 'sha256', ],
 stdin=subprocess.PIPE,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE) |
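Review bot: The digest is fixed as the literal `'sha256'` inside the `Popen` argument list, so a deployment whose policy requires a different SHA-2 variant, or a later move off SHA-256, needs a code change. Consider a keyword argument on `cms_sign_data` that defaults to this value, for example `message_digest='sha256'` passed as `'-md', message_digest],`, which would also drop the stray `, ]` before the closing bracket. The diffstat shows only `cms.py` changed, so nothing visible pins the digest algorithm of the produced signature; a test that signs a sample and checks the digest would keep a silent regression to the openssl default from slipping in. The body of `cms_sign_data` starts and ends outside this hunk, so how the output is consumed cannot be judged from here.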