[barbican] Simple Crypto Plugin kek issue

Ammad Syed syedammad83 at gmail.com
Fri Oct 29 08:01:44 UTC 2021


Hi,

I have installed barbican and am using it with openstack magnum. When I use
the default kek described in the document below, it works fine and magnum
cluster creation succeeds.

https://docs.openstack.org/barbican/latest/install/barbican-backend.html

But when I generate a new kek with the command below:

python3 -c "from cryptography.fernet import Fernet ; key = Fernet.generate_key(); print(key)"


and put it in barbican.conf, the magnum cluster failed to create and I see
the logs below in barbican.

2021-10-29 12:53:28.932 568554 INFO barbican.plugin.crypto.simple_crypto [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Software Only Crypto initialized
2021-10-29 12:53:28.932 568554 DEBUG barbican.model.repositories [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Getting session... get_session /usr/lib/python3/dist-packages/barbican/model/repositories.py:364
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Secret creation failure seen - please contact site administrator.: cryptography.fernet.InvalidToken
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback (most recent call last):
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 113, in _verify_signature
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     h.verify(data[-32:])
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/hmac.py", line 70, in verify
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     ctx.verify(signature)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/hmac.py", line 76, in verify
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     raise InvalidSignature("Signature did not match digest.")
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers cryptography.exceptions.InvalidSignature: Signature did not match digest.
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers During handling of the above exception, another exception occurred:
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback (most recent call last):
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 102, in handler
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 88, in enforcer
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 150, in content_types_enforcer
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 456, in on_post
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     new_secret, transport_key_model = plugin.store_secret(
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 108, in store_secret
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 279, in _store_secret_using_plugin
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/plugin/store_crypto.py", line 96, in store_secret
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     response_dto = encrypting_plugin.encrypt(
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 76, in encrypt
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     kek = self._get_kek(kek_meta_dto)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 73, in _get_kek
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return encryptor.decrypt(kek_meta_dto.plugin_meta)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 76, in decrypt
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     return self._decrypt_data(data, timestamp, ttl, int(time.time()))
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 125, in _decrypt_data
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     self._verify_signature(data)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers   File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 115, in _verify_signature
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers     raise InvalidToken
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers cryptography.fernet.InvalidToken

Any advice on how to fix it?

- Ammad
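
The traceback above fails in Fernet's HMAC check (`h.verify(data[-32:])`) while `_get_kek` decrypts `kek_meta_dto.plugin_meta`. The following is an added example, not part of the original post and not barbican code: a standard-library check of which Fernet key signed a given token. It assumes the stored `plugin_meta` is a Fernet token produced under whichever `kek` was configured when it was written; the function names and the sample token are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

VERSION = 0x80             # Fernet version byte
MIN_LEN = 1 + 8 + 16 + 32  # version + timestamp + IV + HMAC


def new_key() -> bytes:
    """Same shape as Fernet.generate_key(): base64url of 32 random bytes."""
    return base64.urlsafe_b64encode(os.urandom(32))


def signing_half(fernet_key: bytes) -> bytes:
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("a Fernet key must decode to exactly 32 bytes")
    return raw[:16]  # bytes 0-15 sign, bytes 16-31 encrypt


def signed_by(fernet_key: bytes, token: bytes) -> bool:
    """True if the token's trailing HMAC-SHA256 verifies under this key."""
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return False
    if len(data) < MIN_LEN or data[0] != VERSION:
        return False
    mac = hmac.new(signing_half(fernet_key), data[:-32], hashlib.sha256)
    return hmac.compare_digest(mac.digest(), data[-32:])


def constructed_token(fernet_key: bytes) -> bytes:
    """Constructed sample: random bytes stand in for the AES-CBC ciphertext."""
    body = bytes([VERSION]) + struct.pack(">Q", int(time.time()))
    body += os.urandom(16) + os.urandom(32)  # IV + placeholder ciphertext
    mac = hmac.new(signing_half(fernet_key), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def find_signer(candidates: dict, token: bytes):
    """Name of the first candidate key that signed the token, else None."""
    return next((n for n, k in candidates.items() if signed_by(k, token)), None)


if __name__ == "__main__":
    old, new = new_key(), new_key()
    stored = constructed_token(old)  # stands in for a stored plugin_meta
    print(find_signer({"new kek": new, "old kek": old}, stored))
```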