[barbican] Simple Crypto Plugin kek issue

chengke ji jichengke2011 at gmail.com
Thu Nov 4 06:23:15 UTC 2021


You should remove the old data (project kek) in table kek_data (barbican), and
your project kek will be issued with your new master kek.

Ammad Syed <syedammad83 at gmail.com> wrote on Fri, Oct 29, 2021 at 4:04 PM:

> Hi,
>
> I have installed barbican and am using it with openstack magnum. When I am
> using the default kek described in the document below, it works fine and magnum
> cluster creation is successful.
>
> https://docs.openstack.org/barbican/latest/install/barbican-backend.html
>
> But when I generate a new kek with the command below
>
> python3 -c "from cryptography.fernet import Fernet ; key = Fernet.generate_key(); print(key)"
>
>
> and put it in barbican.conf, the magnum cluster fails to create and I see
> the logs below in barbican.
>
> 2021-10-29 12:53:28.932 568554 INFO barbican.plugin.crypto.simple_crypto
> [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c
> d782069f335041138f0cb141fde9933f - default default] Software Only Crypto
> initialized
> 2021-10-29 12:53:28.932 568554 DEBUG barbican.model.repositories
> [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c
> d782069f335041138f0cb141fde9933f - default default] Getting session...
> get_session
> /usr/lib/python3/dist-packages/barbican/model/repositories.py:364
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c
> d782069f335041138f0cb141fde9933f - default default] Secret creation failure
> seen - please contact site administrator.: cryptography.fernet.InvalidToken
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback
> (most recent call last):
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 113, in
> _verify_signature
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> h.verify(data[-32:])
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/hmac.py",
> line 70, in verify
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> ctx.verify(signature)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/hmac.py",
> line 76, in verify
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     raise
> InvalidSignature("Signature did not match digest.")
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> cryptography.exceptions.InvalidSignature: Signature did not match digest.
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers During
> handling of the above exception, another exception occurred:
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback
> (most recent call last):
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line
> 102, in handler
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line
> 88, in enforcer
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line
> 150, in content_types_enforcer
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return
> fn(inst, *args, **kwargs)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line
> 456, in on_post
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> new_secret, transport_key_model = plugin.store_secret(
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 108, in
> store_secret
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 279, in
> _store_secret_using_plugin
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> secret_metadata = store_plugin.store_secret(secret_dto, context)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/plugin/store_crypto.py", line 96,
> in store_secret
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> response_dto = encrypting_plugin.encrypt(
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py",
> line 76, in encrypt
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     kek =
> self._get_kek(kek_meta_dto)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py",
> line 73, in _get_kek
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return
> encryptor.decrypt(kek_meta_dto.plugin_meta)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 76, in decrypt
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return
> self._decrypt_data(data, timestamp, ttl, int(time.time()))
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 125, in
> _decrypt_data
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> self._verify_signature(data)
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File
> "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 115, in
> _verify_signature
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     raise
> InvalidToken
> 2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
> cryptography.fernet.InvalidToken
>
> Any advice on how to fix it?
>
> - Ammad
>
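
The traceback above fails in `_get_kek`, where the stored `plugin_meta` is decrypted with the configured master KEK. The following is an added example (not Barbican code and not from either poster) that models this with `cryptography.fernet`: it finds the stored project KEKs a new master key cannot unwrap and re-wraps them when the old master key is still available. The dict standing in for the `kek_data` table, the row ids and all function names are assumptions.

```python
from cryptography.fernet import Fernet, InvalidToken


def wrap_project_kek(master_kek, project_kek):
    # Stored form of a project KEK: Fernet-encrypted under the master KEK.
    return Fernet(master_kek).encrypt(project_kek)


def get_kek(master_kek, plugin_meta):
    # Same operation as the failing frame in the traceback:
    # decrypt the stored plugin_meta with the configured master KEK.
    return Fernet(master_kek).decrypt(plugin_meta)


def find_stale_rows(master_kek, rows):
    # Ids of rows whose wrapped KEK the given master KEK cannot unwrap.
    stale = []
    for row_id, plugin_meta in rows.items():
        try:
            get_kek(master_kek, plugin_meta)
        except InvalidToken:
            stale.append(row_id)
    return sorted(stale)


def rewrap_rows(old_master, new_master, rows):
    # Re-encrypt every project KEK under the new master KEK. The project
    # KEKs themselves do not change, so data under them stays readable.
    return {rid: wrap_project_kek(new_master, get_kek(old_master, meta))
            for rid, meta in rows.items()}


def demo():
    old_master, new_master = Fernet.generate_key(), Fernet.generate_key()
    project_kek = Fernet.generate_key()
    # Constructed stand-in for kek_data: row id -> wrapped project KEK.
    rows = {"project-a": wrap_project_kek(old_master, project_kek),
            "project-b": wrap_project_kek(old_master, Fernet.generate_key())}
    secret = Fernet(project_kek).encrypt(b"constructed secret payload")

    before = find_stale_rows(new_master, rows)     # both rows fail
    rows = rewrap_rows(old_master, new_master, rows)
    after = find_stale_rows(new_master, rows)      # none fail
    recovered = Fernet(get_kek(new_master, rows["project-a"])).decrypt(secret)
    return before, after, recovered


if __name__ == "__main__":
    print(demo())
```

In this model a secret encrypted under a project KEK stays readable only while some master key can unwrap that KEK, which is why the demo re-wraps rows instead of dropping them.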