able to validate a Fernet token with garbage at the end (cryptography limitation)

Bug #1459483 reported by Matt Fischer
Affects: OpenStack Identity (keystone)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

I am able to verify Fernet tokens that contain garbage at the end, not so with UUID tokens.

For example:

UUID:

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2

Works

curl -H "X-Auth-Token:84db9247b27d4fe6bd0a09b7b39281e2" http://localhost:35357/v2.0/tokens/84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE
{"error": {"message": "Could not find token: 84db9247b27d4fe6bd0a09b7b39281e2-GARBAGE", "code": 404, "title": "Not Found"}}

Fernet on the other hand happily validates it even with garbage and even inserts -GARBAGE into the ID.

curl -H "X-Auth-Token:gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D" http://localhost:35357/v2.0/tokens/gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

curl -H "X-Auth-Token:gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D" http://localhost:35357/v2.0/tokens/gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8%3D-GARBAGE

        "token": {
            "audit_ids": [
                "WlVgiNv2RmOGaDa_4PpGGg"
            ],
            "expires": "2015-05-28T03:59:32.000000Z",
            "id": "gAAAAABVZnaEJuVPaQwW5y84w1sZt9TvxJk4Cgh8dmeISr68a7yVnl0hIpOAJ8YWluXJwym96xauaj0M737GZLzwhiF44u5JJXIjSiqQFtH3bQDrlBS-TmIAgkHcy0TsCBioof-Rzu4NbuSqkzjD5BJSRJnRqI2Sg-G-kTbRdblC5JBuyJjdMj8=-GARBAGE",
            "issued_at": "2015-05-28T01:59:32.000000Z",
            "tenant": {
                "description": "Cloud Infra: Admin Tenant",
                "enabled": true,
                "id": "4764ba822ecb43e582794b875751924c",
                "name": "admin",
                "parent_id": null
            }
        },

Tags: fernet
Matt Fischer (mfisch)
summary: - able to verify a Fernet token with garbage at the end
+ able to validate a Fernet token with garbage at the end
Dolph Mathews (dolph)
tags: added: fernet
Dolph Mathews (dolph) wrote : Re: able to validate a Fernet token with garbage at the end

Is there supposed to be a "-GARBAGE" appended at the end of the third curl request's path? (Or is there supposed to be a fourth curl example? There's two incomplete JSON responses at the end of the bug description that differ only in the presence of "-GARBAGE" in the returned token->id.)

Changed in keystone:
status: New → Incomplete
Matt Fischer (mfisch) wrote :

Sorry, fixed.

description: updated
Dolph Mathews (dolph) wrote :

Reproduced, and filed an upstream bug against pypi/cryptography:

  https://github.com/pyca/cryptography/issues/1994

We'll have to wait for a fix to be released in cryptography in order to close this issue.

Changed in keystone:
status: Incomplete → Confirmed
importance: Undecided → Medium
Dolph Mathews (dolph) wrote :

I'm also marking this as Medium because I'm unsure of any negative impact (much less a security impact) beyond passing the same invalid token back to the client in the JSON response (... which can still be validated successfully).

Changed in keystone:
assignee: nobody → Ron De Rose (ronald-de-rose)
Changed in keystone:
assignee: Ron De Rose (ronald-de-rose) → nobody
Changed in keystone:
status: Confirmed → Invalid
status: Invalid → Confirmed
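The decoder behaviour behind the report, as an added illustration that is not keystone's or cryptography's own code: Python's non-strict base64 decoder (binascii.a2b_base64, used by base64.urlsafe_b64decode) stops at the first complete '=' pad sequence and discards whatever follows it, so a token ending in padding plus "-GARBAGE" decodes to exactly the same raw bytes and the HMAC check still passes. The script below emulates only the Fernet framing that matters here (version byte 0x80, big-endian 64-bit timestamp, 16-byte IV, ciphertext, HMAC-SHA256 over the preceding bytes); no AES is performed, the key, IV, timestamp and "ciphertext" are constructed placeholders, and the function names are mine.

```python
"""Toy Fernet-layout verifier showing why trailing garbage survives decoding.

Added example, not keystone's or cryptography's own code. Only the token
framing is emulated: 0x80 | 64-bit big-endian timestamp | 16-byte IV |
ciphertext | HMAC-SHA256 over everything before it. No AES is performed;
the "ciphertext" is whatever bytes the caller passes in.
"""
import base64
import binascii
import hashlib
import hmac
import struct

# Constructed 32-byte key (first half signs, second half would encrypt),
# encoded the way Fernet keys are: urlsafe base64 of the raw bytes.
FERNET_KEY = base64.urlsafe_b64encode(bytes(range(32)))

MIN_RAW_LEN = 1 + 8 + 16 + 32  # version, timestamp, IV, HMAC (empty ciphertext)


def _signing_key(key_b64: bytes) -> bytes:
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16]


def make_token(key_b64: bytes, ciphertext: bytes, timestamp: int, iv: bytes) -> bytes:
    """Frame and sign a token the way Fernet lays it out (ciphertext is not encrypted here)."""
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    mac = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def _check_mac(key_b64: bytes, data: bytes) -> bool:
    if len(data) < MIN_RAW_LEN or data[0] != 0x80:
        return False
    body, mac = data[:-32], data[-32:]
    expected = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def verify_lenient(key_b64: bytes, token: bytes) -> bool:
    """The behaviour in the report: decode with base64.urlsafe_b64decode, then
    verify. binascii stops at the first complete '=' pad sequence and ignores
    the rest of the input, so token + b"-GARBAGE" yields the same raw bytes
    and the HMAC still matches."""
    try:
        data = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return False
    return _check_mac(key_b64, data)


def verify_strict(key_b64: bytes, token: bytes) -> bool:
    """Same verification, but first require canonical base64url: re-encoding the
    decoded bytes must reproduce the presented token byte for byte. That rejects
    trailing garbage, stray characters and wrong padding in one check."""
    try:
        data = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return False
    if base64.urlsafe_b64encode(data) != token:
        return False
    return _check_mac(key_b64, data)


def trailing_garbage_survives(b64: bytes, garbage: bytes) -> bool:
    """True when appending `garbage` to a base64url string leaves the lenient
    decoder's output unchanged (the case for strings that end in '=' padding)."""
    try:
        return base64.urlsafe_b64decode(b64 + garbage) == base64.urlsafe_b64decode(b64)
    except (binascii.Error, ValueError):
        return False


def tampered_token(token: bytes) -> bytes:
    """Constructed negative control: zero the HMAC so both verifiers reject it."""
    data = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(data[:-32] + bytes(32))


if __name__ == "__main__":
    # Constructed inputs: 16-byte placeholder ciphertext, constructed timestamp and IV.
    tok = make_token(FERNET_KEY, bytes(16), 1432778372, bytes(range(16)))
    print("valid token, lenient:", verify_lenient(FERNET_KEY, tok))
    print("valid token, strict: ", verify_strict(FERNET_KEY, tok))
    print("token + '-GARBAGE', lenient:", verify_lenient(FERNET_KEY, tok + b"-GARBAGE"))
    print("token + '-GARBAGE', strict: ", verify_strict(FERNET_KEY, tok + b"-GARBAGE"))
```

The canonical-form check in verify_strict is one way a caller can reject such tokens without waiting on the library; translating "-"/"_" back to "+"/"/" and calling base64.b64decode(..., validate=True) rejects them too. Note the dependency on padding: only a token whose base64 form ends in "=" or "==" hides appended data. When the raw token length is a multiple of 3 there is no pad, the appended characters decode as extra bytes, the HMAC slice shifts and the comparison fails on its own.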
Steve Martinelli (stevemar) wrote :

Looks like the cryptography issue is still open

summary: - able to validate a Fernet token with garbage at the end
+ able to validate a Fernet token with garbage at the end (cryptography limitation)
David Wilde (dave-wilde) wrote :

Cryptography issue deferred to a fernet spec [0]

[0]: https://github.com/fernet/spec/pull/11
