[openstack-dev] Subject: Re: Barbican : Usage of public_key, private_key and private_key_passphrase under RSA type Container

Asha Seshagiri asha.seshagiri at gmail.com
Wed Mar 18 19:03:26 UTC 2015


Hi Douglas,

Thanks for your response.
Yeah, it's Asha again :)

I guess Barbican is not validating while storing the secret references
under private_key and public_key,
i.e. I am able to store a private secret type under public_key and a public
secret type under private_key.
The container resource stores the secret references irrespective of the secret
types.
Please find the example below:

*Command to create the public key*

root@barbican:~# curl -X POST -H 'content-type:application/json' \
    -H 'X-Project-Id:12345' \
    -d '{ "name": "AES key", "payload": "public-secret", "payload_content_type": "text/plain", "secret_type": "public"}' \
    http://localhost:9311/v1/secrets
{"secret_ref": "http://localhost:9311/v1/secrets/bd1f75e2-8c8d-40a1-8eb5-7c855ee

*Command to create the private key*

root@barbican:~# curl -X POST -H 'content-type:application/json' \
    -H 'X-Project-Id:12345' \
    -d '{ "name": "AES key", "payload": "private-secret", "payload_content_type": "text/plain", "secret_type": "private"}' \
    http://localhost:9311/v1/secrets
{"secret_ref": "http://localhost:9311/v1/secrets/7be75254-4137-4a90-ae4f-1fe43299bfbe"}

root@barbican:~# curl -X POST -H 'content-type:application/json' \
    -H 'X-Project-Id: 12345' \
    -d '{ "name": "container3", "type": "rsa", "secret_refs": [
          { "name": "private_key", "secret_ref": "http://localhost:9311/v1/secrets/bd1f75e2-8c8d-40a1-8eb5-7c855eed84f9" },
          { "name": "public_key", "secret_ref": "http://localhost:9311/v1/secrets/7be75254-4137-4a90-ae4f-1fe43299bfbe" } ] }' \
    http://localhost:9311/v1/containers
{"container_ref": "http://localhost:9311/v1/containers/1005b36f-f6d5-4709-b9ca-030e2df841cc"}

Please correct me if I am wrong.
It would be great if you could help me on this.

Thanks and Regards,
Asha Seshagiri

Hello again Asha,

Yes, the predefined secret names in an RSA container should match up with
secret refs for those actual things.  "private_key" should point to the
private key of the RSA pair, "public_key" should point to the matching
public key.

private_key_passphrase is optional, and it is only used for
passphrase-protected keys.  It should point to a secret that has the plain
text passphrase used to unlock the private key.

-Doug

--------------------
Douglas Mendizábal
IRC: redrobot
PGP Key: 245C 7B6F 70E9 D8F3 F5D5  0CC9 AD14 1F30 2D58 923C
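
Added example, not part of the original thread and not Barbican's own code: a client-side pre-check that compares each RSA container slot against the secret_type of the secret it references before the container is POSTed. The function name, the slot-to-type mapping, the set of required slots and the metadata dictionary shape are assumptions; the sample metadata is constructed to mirror the commands in the thread.

```python
"""Client-side pre-check for a Barbican RSA container request (added example)."""

# Assumption: the secret_type each predefined RSA slot is expected to hold.
EXPECTED_TYPES = {
    "private_key": "private",
    "public_key": "public",
    "private_key_passphrase": "passphrase",
}
# Assumption: both key slots are mandatory; the passphrase slot is optional.
REQUIRED_SLOTS = {"private_key", "public_key"}


def check_rsa_container(container, secret_meta):
    """Return a list of problems; an empty list means every slot matches.

    container   -- dict in the shape POSTed to /v1/containers
    secret_meta -- dict mapping secret_ref -> metadata dict with "secret_type"
    """
    problems, seen = [], set()
    for entry in container.get("secret_refs", []):
        slot, ref = entry.get("name"), entry.get("secret_ref")
        if slot not in EXPECTED_TYPES:
            problems.append(f"unknown slot {slot!r}")
            continue
        if slot in seen:
            problems.append(f"duplicate slot {slot!r}")
            continue
        seen.add(slot)
        meta = secret_meta.get(ref)
        if meta is None:
            problems.append(f"{slot}: no metadata for {ref}")
            continue
        actual = meta.get("secret_type")
        if actual != EXPECTED_TYPES[slot]:
            problems.append(
                f"{slot}: expected secret_type {EXPECTED_TYPES[slot]!r}, got {actual!r}")
    for slot in sorted(REQUIRED_SLOTS - seen):
        problems.append(f"missing required slot {slot!r}")
    return problems


# Constructed sample: refs taken from the container command in the thread.
BASE = "http://localhost:9311/v1/secrets/"
PUBLIC_REF = BASE + "bd1f75e2-8c8d-40a1-8eb5-7c855eed84f9"
PRIVATE_REF = BASE + "7be75254-4137-4a90-ae4f-1fe43299bfbe"
SAMPLE_META = {PUBLIC_REF: {"secret_type": "public"},
               PRIVATE_REF: {"secret_type": "private"}}
SWAPPED = {"name": "container3", "type": "rsa", "secret_refs": [
    {"name": "private_key", "secret_ref": PUBLIC_REF},
    {"name": "public_key", "secret_ref": PRIVATE_REF}]}
```

In real use, secret_meta would be filled from the metadata of each referenced secret before calling check_rsa_container.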
