Matthew Oliver 2d063cd61f formpost: deprecate sha1 signatures

We've known this would eventually be necessary for a while [1], and
way back in 2017 we started seeing SHA-1 collisions [2].

This patch follows the approach of soft deprecation of SHA1 in tempurl.
It's still a default digest, but we'll start with warning as the
middleware is loaded and exposing any deprecated digests
(if they're still allowed) in /info.

Further, because there is much shared code between formpost and tempurl, this
patch also goes and refactors shared code out into swift.common.digest.
Now that we have a digest, we also move digest related code:
 - get_hmac
 - extract_digest_and_algorithm

[1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
[2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Change-Id: I581cadd6bc79e623f1dae071025e4d375254c1d9

2022-07-26 10:39:58 +10:00

2.0 KiB

Raw Blame History

Misc

ACLs

swift.common.middleware.acl

Buffered HTTP

swift.common.bufferedhttp

Constraints

swift.common.constraints

Container Sync Realms

swift.common.container_sync_realms

Digest

swift.common.digest

Direct Client

swift.common.direct_client

Exceptions

swift.common.exceptions

Internal Client

swift.common.internal_client

Manager

swift.common.manager

MemCacheD

swift.common.memcached

Middleware Registry

swift.common.registry

Request Helpers

swift.common.request_helpers

Swob

swift.common.swob

Utils

swift.common.utils

WSGI

swift.common.wsgi

Storage Policy

swift.common.storage_policy

2.0 KiB Raw Blame History