Fernet tokens have redundant creation timestamps

Bug #1428717 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Dolph Mathews
Milestone: 2015.1.0

Bug Description

The creation time of a Fernet token is actually encoded into the token twice. One of these should be removed.

In the payload of every fernet token, we insert the creation time as an integer timestamp. That timestamp gets encrypted along with the rest of the payload.

In addition, the Fernet format itself encodes a timestamp outside the payload. See the 64-bit timestamp in the specification:

  https://github.com/fernet/spec/blob/master/Spec.md#token-format

The application-controlled timestamp should be removed in favor of parsing the creation timestamp out. It requires some bitwise operations, but this library demonstrates how easy the timestamp is to extract without having the Fernet encryption key:

  https://pypi.python.org/pypi/keyless_fernet

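The point of the report is that the Fernet wire format already carries the creation time in the clear, in front of the encrypted payload, so keystone does not need its own copy inside the payload. As an added example (not keystone's code and not the keyless_fernet library), the stdlib-only Python below assembles a structurally valid Fernet token and reads the timestamp back out of the header without the key. The function names (`build_token`, `creation_timestamp`, `verify_hmac`, `rewrite_timestamp`, `is_expired`), the signing key, the timestamp and the IV are constructed for this example; the ciphertext is a placeholder because the standard library has no AES, and nothing here decrypts it.

```python
"""Read the creation timestamp out of a Fernet token without the key.

Fernet token layout (per the spec linked above), after urlsafe-base64 decode:
  1 byte   version (0x80)
  8 bytes  creation timestamp, big-endian unsigned seconds since the epoch
  16 bytes AES-CBC IV
  N bytes  ciphertext (multiple of 16 bytes)
  32 bytes HMAC-SHA256 over everything above
Only the HMAC and the ciphertext depend on the key; the timestamp does not.
"""
import base64
import hashlib
import hmac
import struct
from typing import Optional

VERSION = 0x80
TS_LEN = 8
IV_LEN = 16
MAC_LEN = 32
MAX_CLOCK_SKEW = 60  # seconds of future-dated tolerance, as Fernet allows

# Constructed values for the example. In real Fernet the 32-byte key is split:
# first half signs (HMAC), second half encrypts (AES-128-CBC).
SIGNING_KEY = b"\x01" * 16
SAMPLE_TS = 1425589928
SAMPLE_IV = bytes(range(IV_LEN))
SAMPLE_CT = b"\x00" * 32  # placeholder ciphertext; not real AES output


def build_token(signing_key: bytes, timestamp: int, ciphertext: bytes,
                iv: Optional[bytes] = None) -> bytes:
    """Assemble a token in the Fernet wire format (hypothetical helper)."""
    if iv is None:
        iv = bytes(IV_LEN)
    if len(iv) != IV_LEN or len(ciphertext) % 16:
        raise ValueError("bad IV or ciphertext length")
    body = struct.pack(">BQ", VERSION, timestamp) + iv + ciphertext
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def _decode(token: bytes) -> bytes:
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 1 + TS_LEN + IV_LEN + MAC_LEN or raw[0] != VERSION:
        raise ValueError("not a Fernet token")
    return raw


def creation_timestamp(token: bytes) -> int:
    """Return the creation time; needs no key, only the fixed header layout."""
    raw = _decode(token)
    (ts,) = struct.unpack(">Q", raw[1:1 + TS_LEN])
    return ts


def verify_hmac(signing_key: bytes, token: bytes) -> bool:
    """Check the HMAC, which covers the version, timestamp, IV and ciphertext."""
    raw = _decode(token)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def rewrite_timestamp(token: bytes, new_ts: int) -> bytes:
    """Overwrite the header timestamp in place (what an attacker could do
    without the key; the HMAC is left untouched so it will no longer match)."""
    raw = bytearray(_decode(token))
    raw[1:1 + TS_LEN] = struct.pack(">Q", new_ts)
    return base64.urlsafe_b64encode(bytes(raw))


def is_expired(token: bytes, ttl: int, now: int) -> bool:
    """TTL check driven purely by the header timestamp, as Fernet's own
    ttl handling does: too old, or implausibly far in the future."""
    ts = creation_timestamp(token)
    return ts + ttl < now or now + MAX_CLOCK_SKEW < ts


SAMPLE_TOKEN = build_token(SIGNING_KEY, SAMPLE_TS, SAMPLE_CT, SAMPLE_IV)

if __name__ == "__main__":
    print("timestamp without key:", creation_timestamp(SAMPLE_TOKEN))
    print("hmac ok:", verify_hmac(SIGNING_KEY, SAMPLE_TOKEN))
    forged = rewrite_timestamp(SAMPLE_TOKEN, SAMPLE_TS + 3600)
    print("forged header reads:", creation_timestamp(forged),
          "hmac ok:", verify_hmac(SIGNING_KEY, forged))
```

Two things follow for a practitioner. First, anyone holding a token can learn when it was issued, which is a property of the format rather than of keystone. Second, the header timestamp is inside the HMAC, so moving keystone's expiry logic onto it does not make the creation time forgeable: a rewritten header parses fine but fails verification, exactly as the payload copy would have.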
Tags: fernet
Dolph Mathews (dolph) wrote :
Changed in keystone:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Dolph Mathews (<email address hidden>) on branch: master
Review: https://review.openstack.org/162196
Reason: landing discrete changes instead

Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Changed in keystone:
assignee: Dolph Mathews (dolph) → Jorge Munoz (jorge-munoz)
Changed in keystone:
assignee: Jorge Munoz (jorge-munoz) → Dolph Mathews (dolph)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/161897
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=c83f8920bf59563631673c51acd94ce1134a9852
Submitter: Jenkins
Branch: master

commit c83f8920bf59563631673c51acd94ce1134a9852
Author: Dolph Mathews <email address hidden>
Date: Thu Mar 5 21:12:08 2015 +0000

    Remove redundant creation timestamp from fernet tokens

    This removes the creation timestamp from the token's payload in favor of
    extracting the token's creation timestamp from the Fernet token format
    itself.

    Change-Id: I170a07adc1fe6418dfaf2c78e1b439339f1c14ed
    Closes-Bug: 1428717

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0