authorBrant Knudson <bknudson@us.ibm.com>2014-08-27 17:50:19 -0500
committerBrant Knudson <bknudson@us.ibm.com>2014-09-24 10:55:51 -0500
commit84c9ccaed34d83b7e97a4890561b1b218d99b1ba (patch)
treea2890ab90a3801dfb6a840f72cbb2bdd731a7f1c
parent7684d956476254d4a297e62d5a3debe27c461d7c (diff)
Change cms_sign_data to use sha256 message digest
cms_sign_data was not passing the md parameter to openssl, so it was using the default digest of sha1. Some security standards require a SHA2 algorithm for the digest. This is for security hardening. SecurityImpact Change-Id: Iff063149e1f12df69bbf9015222d09d798980872 Closes-Bug: #1362343
-rw-r--r--keystoneclient/common/cms.py3
1 files changed, 2 insertions, 1 deletions
diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 85fa307..1c343f6 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -332,7 +332,8 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
'-inkey', signing_key_file_name,
'-outform', 'PEM',
'-nosmimecap', '-nodetach',
- '-nocerts', '-noattr'],
+ '-nocerts', '-noattr',
+ '-md', 'sha256', ],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
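Review bot: The digest name is hard-coded as the literal `'sha256'` inside the openssl argument list, so a deployment whose policy requires a different SHA-2 digest has to patch the code. Consider a keyword argument with a default at the end of the signature, e.g. `message_digest='sha256'`, and pass `'-md', message_digest` here, which stays backward-compatible for existing callers. The diffstat shows only cms.py changed, so nothing in this commit checks that the produced signature actually uses SHA-256; a test that inspects the digest algorithm of the signed output would keep this from silently regressing to the openssl default. The trailing `, ]` also has a stray space before the bracket. The signature and body of cms_sign_data extend beyond this hunk, so the parameter placement needs checking against the full function.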