[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Asha Seshagiri asha.seshagiri at gmail.com
Sun Jul 19 01:47:27 UTC 2015


Hi All,

I have configured Barbican to integrate with SafeNet HSM.
Installed the SafeNet client libraries, registered the Barbican machine to
point to the HSM server and also assigned an HSM partition.

The following were the changes done in barbican.conf file


# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto

# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = '/usr/lib/libCryptoki2_64.so'
# Password to login to PKCS11 session
login = 'test123'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'an_mkek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'my_hmac_label'
# HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
slot_id = 1

Unable to store the secret when Barbican was integrated with HSM.

[root at HSM-Client crypto]# curl -X POST -H 'content-type:application/json'
-H 'X-Project-Id:12345' -d '{"payload": "my-secret-here",
"payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
{"code": 500, "description": "Secret creation failure seen - please
contact site administrator.", "title": "Internal Server
Error"}[root at HSM-Client crypto]#


Please find the logs below :

2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
[req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
creating plugin: 'p11_crypto'
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback
(most recent call last):
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
"/root/barbican/barbican/plugin/util/utils.py", line 42, in
instantiate_plugins
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
"/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
conf.p11_crypto_plugin.hmac_label)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
"/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
cache_mkek_and_hmac
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
self.get_mkek(self.current_mkek_label, session)
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
"/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise
P11CryptoKeyHandleException()
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
P11CryptoKeyHandleException: No key handle was found
2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
[req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
failure seen - please contact site administrator.


(I am not sure why we are getting the "CryptoPluginNotFound: Crypto plugin not
found." exception, since the changes are able to hit the p11_crypto.py code.)

2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback
(most recent call last):
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/api/controllers/__init__.py", line 146, in
content_types_enforcer
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
fn(inst, *args, **kwargs)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
transport_key_id=data.get('transport_key_id'))
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
secret_model, project_model)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/plugin/resources.py", line 267, in
_store_secret_using_plugin
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
secret_metadata = store_plugin.store_secret(secret_dto, context)
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
crypto.PluginSupportTypes.ENCRYPT_DECRYPT
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
"/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
get_plugin_store_generate
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise
crypto.CryptoPluginNotFound()
2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
CryptoPluginNotFound: Crypto plugin not found.

Had a chance to go through the code as to why we are getting the exception
"P11CryptoKeyHandleException: No key handle was found".
It is because returned_count[0] == 0. It needs to be 0 in order for the
mkek to be created. From what I understand, by default all the ffi
variables would have the value 0. I am not sure why the check
returned_count[0] == 1 has been put.

    if returned_count[0] == 1:
        key = object_handle_ptr[0]
    rv = self.lib.C_FindObjectsFinal(session)
    self.check_error(rv)
    if returned_count[0] == 1:
        return key
    elif returned_count[0] == 0:
        return None
Need help. Any help would be highly appreciated. It is very critical for
us to integrate with Barbican.
Also would like to know if anyone has integrated Barbican with an HSM.

-- 
Thanks and Regards,
Asha Seshagiri
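The quoted pkcs11.py fragment turns the object count returned by the PKCS#11 find-objects calls into a key handle, None when nothing matched (which get_mkek then reports as "No key handle was found"). The following is an added example, not Barbican's code or the poster's: it models that count handling against a constructed in-memory token so the three outcomes (absent, exactly one, duplicate label) can be seen offline, and wraps it in a pre-flight check that resolves both configured labels before the service is started, so a missing or duplicated MKEK/HMAC object shows up as a clear report instead of a 500 at secret-store time. FakeToken, find_key_handle, get_mkek and check_plugin_labels are hypothetical names; asking for up to two handles so a duplicate label is detectable is a design choice of this example, not something the page shows.

```python
"""Added example (not Barbican code): PKCS#11 find-objects count handling.

A constructed FakeToken stands in for a token partition; the real plugin
drives the vendor library (C_FindObjectsInit / C_FindObjects /
C_FindObjectsFinal) and reads returned_count from an ffi buffer.
"""


class KeyHandleNotFound(Exception):
    """The configured label matched no object (the page's 'No key handle was found')."""


class AmbiguousKeyLabel(Exception):
    """The label matched more than one object; a strict lookup refuses to guess."""


class FakeToken:
    """Constructed stand-in for an HSM partition: maps object label -> handles."""

    def __init__(self, objects):
        # objects: dict of label -> list of integer object handles (constructed data)
        self._objects = objects

    def find_objects(self, label, max_count):
        """Models a full find-objects round trip: at most max_count matching handles."""
        return list(self._objects.get(label, []))[:max_count]


def find_key_handle(token, label):
    """Return the single handle carrying `label`, None if absent.

    Requesting two handles (instead of one) is what lets a duplicated label be
    distinguished from a healthy single match.
    """
    handles = token.find_objects(label, max_count=2)
    returned_count = len(handles)
    if returned_count == 0:
        return None
    if returned_count == 1:
        return handles[0]
    raise AmbiguousKeyLabel(label)


def get_mkek(token, label):
    """Like the plugin's get_mkek: an absent key is an error, not a silent None."""
    handle = find_key_handle(token, label)
    if handle is None:
        raise KeyHandleNotFound("No key handle was found for label %r" % label)
    return handle


def check_plugin_labels(token, mkek_label, hmac_label):
    """Pre-flight check of the [p11_crypto_plugin] labels against the token.

    Returns a dict: 'mkek' and 'hmac' -> (status, handle) with status one of
    'ok', 'missing', 'ambiguous'; 'labels_distinct' -> whether the two labels
    differ, which the config comments on the page require.
    """
    report = {}
    for name, label in (("mkek", mkek_label), ("hmac", hmac_label)):
        try:
            report[name] = ("ok", get_mkek(token, label))
        except KeyHandleNotFound:
            report[name] = ("missing", None)
        except AmbiguousKeyLabel:
            report[name] = ("ambiguous", None)
    report["labels_distinct"] = mkek_label != hmac_label
    return report


if __name__ == "__main__":
    # Constructed partition: the MKEK exists once, the HMAC label was created twice.
    token = FakeToken({"an_mkek": [7], "my_hmac_label": [8, 9]})
    for key, value in sorted(check_plugin_labels(token, "an_mkek", "my_hmac_label").items()):
        print("%-16s %s" % (key, value))
```

Run against a partition where the MKEK label is absent, the report shows ('missing', None) for 'mkek', the same condition the traceback on the page reports at plugin start-up.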