Change cms_sign_data to use sha256 message digest

cms_sign_data was not passing the md parameter to openssl, so it was using the default digest of sha1. Some security standards require a SHA2 algorithm for the digest. This if for security hardening. SecurityImpact Change-Id: Iff063149e1f12df69bbf9015222d09d798980872 Closes-Bug: #1362343
2014-08-27 17:50:19 -05:00 · 2014-08-27 17:50:19 -05:00 · 84c9ccaed3
parent 7684d95647
commit 84c9ccaed3
1 changed files with 2 additions and 1 deletions
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@ -332,7 +332,8 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
                                '-inkey', signing_key_file_name,
                                '-outform', 'PEM',
                                '-nosmimecap', '-nodetach',
-                                '-nocerts', '-noattr'],
+                                '-nocerts', '-noattr',
+                                '-md', 'sha256', ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)