OpenStack Identity (keystone)

  1. Bug #1490804
  2. Comment #55

Comment 55 for bug 1490804

Revision history for this message
Brant Knudson (blk-u) wrote : Re: PKI Token Revocation Bypass

Looks like you can get the fields out of the token using -cmsout:

  openssl cms -cmsout -inform PEM -nosmimecap -nodetach -nocerts -noattr -print < data

Using that output, we could validate that eContentType is 1.2.840.113549.1.7.1 and algorithm is 1.2.840.113549.1.1.1:

< eContentType: undefined (1.2.70.72.113549.1.7.1)
---
> eContentType: pkcs7-data (1.2.840.113549.1.7.1)

< algorithm: undefined (1.1.840.113549.1.1.1)
---
> algorithm: rsaEncryption (1.2.840.113549.1.1.1)

There might be other fields that we have to validate also, although it must be harder to manipulate those.

Then there's also the issue of the padding which I didn't look into.

So I think it's possible to fix this but is it worth it?