Fernet tokens contain a version identifier that is not integrity verified

Bug #1427485 reported by Dolph Mathews
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
Medium
Morgan Fainberg

Bug Description

Fernet tokens all start with a plaintext string of either "F00" or "F01" indicating either "version 0" (normal unscoped and scoped tokens) or "version 1" (trust-based tokens). That versioning lies outside of the integrity-verified portion of the token, and is thus susceptible to manipulation by end users.

With only two token versions, this doesn't present any issues that I'm aware of, but to harden ourselves against the future, we should move that versioning information into the integrity-verified portion of the message. Otherwise, we carry a risk of future implementations inadvertently introducing privilege escalation vulnerabilities, a means for end users to disable authorization checks by supplying older versions, etc., etc.

In addition, the format prefix was originally intended to make it easier for remote clients (keystonemiddleware.auth_token) to parse apart and validate tokens without going back to talk to Keystone. Since that's not the plan here (Fernet tokens must be validated with Keystone, since that's the only place where the encryption keys are accessible), the entire format prefix ("F00" / "F01") can be dropped, as long as Keystone can still validate the tokens it's issuing.

Tags: fernet
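The layout problem the report describes, as an added example that is not keystone code and not part of the original bug report. A real Fernet token is AES-CBC plus HMAC-SHA256 (the `cryptography` package's `Fernet`); this model drops the encryption and keeps only an HMAC-SHA256 integrity layer from the standard library, because the bug is about which bytes the MAC covers, not about confidentiality. The signing key, the payload string, and the helper names `issue_prefixed` / `issue_fixed` are constructed for illustration; the version numbers 0 and 1 are the "F00" / "F01" values from the report. The "fixed" layout follows the approach the fix commit describes (version byte moved inside the MACed payload, plaintext prefix dropped), not keystone's exact msgpack payload format.

```python
"""Model of keystone bug 1427485: a token version outside the MAC can be flipped
by the bearer without failing verification. Added example, not keystone code."""
import base64
import hashlib
import hmac

# Constructed key; keystone loads real signing keys from its key repository.
SIGNING_KEY = b"\x01" * 32
TAG_LEN = 32  # HMAC-SHA256 output length

# Version identifiers named in the bug report.
UNSCOPED_OR_PROJECT = 0   # "F00"
TRUST_SCOPED = 1          # "F01"


def _mac(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def _check_mac(raw: bytes) -> bytes:
    """Split raw into (body, tag), verify the tag, return body or raise."""
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(raw) <= TAG_LEN or not hmac.compare_digest(tag, _mac(body)):
        raise ValueError("bad MAC")
    return body


# --- Vulnerable layout: plaintext "F0<version>" prefix outside the MAC -------

def issue_prefixed(version: int, payload: bytes) -> str:
    body = base64.urlsafe_b64encode(payload + _mac(payload)).decode()
    return f"F0{version}" + body


def validate_prefixed(token: str):
    """Returns (version, payload). The version is read, never authenticated."""
    version = int(token[1:3])
    payload = _check_mac(base64.urlsafe_b64decode(token[3:]))
    return version, payload


def forge_prefixed_version(token: str, new_version: int) -> str:
    """What a token holder can do: rewrite the unprotected prefix."""
    return f"F0{new_version}" + token[3:]


# --- Fixed layout: version is the first byte of the MACed body, no prefix ----

def issue_fixed(version: int, payload: bytes) -> str:
    body = bytes([version]) + payload
    return base64.urlsafe_b64encode(body + _mac(body)).decode()


def validate_fixed(token: str):
    """Returns (version, payload); any change to the version breaks the MAC."""
    body = _check_mac(base64.urlsafe_b64decode(token))
    return body[0], body[1:]


def forge_fixed_version(token: str, new_version: int) -> str:
    """Same attack against the fixed layout: patch the version byte in place."""
    raw = base64.urlsafe_b64decode(token)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(bytes([new_version]) + body[1:] + tag).decode()


def demo() -> dict:
    # Constructed stand-in for the msgpack'd payload keystone actually uses.
    payload = b"user=alice;project=demo"

    old = issue_prefixed(UNSCOPED_OR_PROJECT, payload)
    old_version, _ = validate_prefixed(forge_prefixed_version(old, TRUST_SCOPED))

    new = issue_fixed(UNSCOPED_OR_PROJECT, payload)
    try:
        validate_fixed(forge_fixed_version(new, TRUST_SCOPED))
        new_rejected = False
    except ValueError:
        new_rejected = True

    return {
        "old_layout_accepts_forged_version": old_version,  # 1: attacker-chosen
        "new_layout_rejects_forged_version": new_rejected,  # True
        "untampered_new_version": validate_fixed(new)[0],   # 0
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the report is about: under the old layout the forged token validates and Keystone would dispatch on a version the user picked, while under the fixed layout the same edit fails the MAC check before any version-specific code runs.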
Dolph Mathews (dolph)
tags: added: fernet
summary: - Fernet tokens contain non-integrity verified version identifier
+ Fernet tokens contain a version identifier that is not integrity verified
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/162031

Changed in keystone:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/162196

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)
Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Morgan Fainberg (mdrnstm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/162031
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Submitter: Jenkins
Branch: master

commit a9fa7e315dbc8e881f4d5c793d75cb24e1fc2499
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 22:01:53 2015 +0000

    Drop Fernet token prefixes & add domain-scoped Fernet tokens

    - Move the payload version (part of the plaintext token prefix) into the
      integrity verified portion of the token (the payload). This also drops
      the 'F', which doesn't serve a purpose with Fernet tokens as it does
      with token formats that can be validated offline (PKI, PKIZ). This
      requires a bunch of refactoring to move the responsibility of
      decrypting, unpacking, and disassembling the payload contents to the
      caller (the Provider).

    - Add a domain-scoped payload format, identical to that for
      project-scoped tokens, just with a different version number. Better
      functional tests revealed that tests intended to exercise
      domain-scoped Fernet tokens, which didn't exist, should not have been
      passing.

    - Remove remaining functional tests from the unit test suite
      (test_fernet_provider), and ensure that same coverage exists in the
      actual functional test suite (test_v3_auth). Several of the unit tests
      required heavy refactoring due to the refactoring required to support
      the first item above, so it was easier just to dump those tests in
      favor of better functional test coverage, which are agnostic to the
      implementation details.

    Change-Id: I141f2707a391d46d9607710b30155b76de2f88f0
    Closes-Bug: 1427485
    Closes-Bug: 1428949

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0