Reviewed: https://review.openstack.org/264377
Committed:
https://git.openstack.org/cgit/openstack/glance/commit/?id=2752fd6e161944f5875e4f4d0b4cdf4e178d05cd
Submitter: Jenkins
Branch: master
commit 2752fd6e161944f5875e4f4d0b4cdf4e178d05cd
Author: Brianna Poulos <brianna.pou...@jhuapl.edu>
Date: Wed Jan 6 17:16:33 2016 -0500
Catch UnsupportedAlgorithm exceptions
For signature verification, only SHA-2 family hash algorithms are
used. Some older platforms, with an older version of openssl (older
than 1.0.1) do not support SHA-2 hashes.
This patch skips the signature verification unit tests that require
SHA-2 support on systems that do not have SHA-2 support. It also
catches the UnsupportedAlgorithm exception that is generated when a
system that does not have SHA-2 support tries to verify the signature,
providing better feedback to the user.
Change-Id: I11b2366e96d49a5d502d6fccb0b6f620eb6c381d
Closes-Bug: 1522525
** Changed in: glance
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1522525
Title:
test_signature_utils tests fail when openssl is older than 1.0.1
Status in Glance:
Fix Released
Bug description:
In liberty, initial support for image signature verification was added
to glance (see spec at [1] and patch at [2]). In this feature, if
certain signature properties are provided when an image is uploaded,
glance will perform verification on the signature. This includes the
certificate uuid, the hash method, the signature, and the signature
type.
The hash methods supported [3] are only in the SHA-2 family. SHA-1 is
not included, since it is no longer considered secure.
There are some older platforms which do not support SHA-2 hashes,
since they have an older version of openssl (older than 1.0.1). When
the test_signature_utils tests are run on such a platform, exceptions
[4] are generated.
The signature_utils class needs to be updated in order to catch these
UnsupportedAlgorithm exceptions, and notify the user that signature
verification cannot be performed due to an out-of-date openssl
installation.
Note that this issue was brought up during a glance drivers meeting
[5] and a glance meeting [6]. It was also further discussed on the
#openstack-glance IRC channel [7].
[1]
http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
[2] https://review.openstack.org/#/c/183137/
[3]
https://github.com/openstack/glance/blob/master/glance/common/signature_utils.py#L43-L48
[4] http://paste.openstack.org/show/480800/
[5]
http://eavesdrop.openstack.org/meetings/glance/2015/glance.2015-12-03-13.59.html
[6]
http://eavesdrop.openstack.org/meetings/glance_drivers/2015/glance_drivers.2015-12-01-13.59.html
[7]
http://eavesdrop.openstack.org/irclogs/%23openstack-glance/%23openstack-glance.2015-12-03.log.html
-- 17:32 to 17:54
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1522525/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
