[barbican] Simple Crypto Plugin kek issue
Hi,

I have installed barbican and am using it with openstack magnum. When I use the default kek described in the document below, it works fine and magnum cluster creation succeeds.

https://docs.openstack.org/barbican/latest/install/barbican-backend.html

But when I generate a new kek with the below command:

python3 -c "from cryptography.fernet import Fernet ; key = Fernet.generate_key(); print(key)"

and put it in barbican.conf, the magnum cluster fails to create and I see the below logs in barbican.

2021-10-29 12:53:28.932 568554 INFO barbican.plugin.crypto.simple_crypto [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Software Only Crypto initialized
2021-10-29 12:53:28.932 568554 DEBUG barbican.model.repositories [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Getting session... get_session /usr/lib/python3/dist-packages/barbican/model/repositories.py:364
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers [req-aaac01e9-82af-421b-b85a-ff998d904972 ad702ac807f44c73a32a9b7a795b693c d782069f335041138f0cb141fde9933f - default default] Secret creation failure seen - please contact site administrator.: cryptography.fernet.InvalidToken
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback (most recent call last):
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 113, in _verify_signature
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers h.verify(data[-32:])
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/hmac.py", line 70, in verify
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers ctx.verify(signature)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/hmac.py", line 76, in verify
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers raise InvalidSignature("Signature did not match digest.")
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers cryptography.exceptions.InvalidSignature: Signature did not match digest.
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers During handling of the above exception, another exception occurred:
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers Traceback (most recent call last):
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 102, in handler
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 88, in enforcer
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/__init__.py", line 150, in content_types_enforcer
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/api/controllers/secrets.py", line 456, in on_post
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers new_secret, transport_key_model = plugin.store_secret(
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 108, in store_secret
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers secret_metadata = _store_secret_using_plugin(store_plugin, secret_dto,
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/resources.py", line 279, in _store_secret_using_plugin
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers secret_metadata = store_plugin.store_secret(secret_dto, context)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/store_crypto.py", line 96, in store_secret
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers response_dto = encrypting_plugin.encrypt(
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 76, in encrypt
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers kek = self._get_kek(kek_meta_dto)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/barbican/plugin/crypto/simple_crypto.py", line 73, in _get_kek
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers return encryptor.decrypt(kek_meta_dto.plugin_meta)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 76, in decrypt
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers return self._decrypt_data(data, timestamp, ttl, int(time.time()))
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 125, in _decrypt_data
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers self._verify_signature(data)
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers File "/usr/lib/python3/dist-packages/cryptography/fernet.py", line 115, in _verify_signature
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers raise InvalidToken
2021-10-29 12:53:28.991 568554 ERROR barbican.api.controllers cryptography.fernet.InvalidToken

Any advice on how to fix it?

- Ammad
You should remove the old data (project kek) in table kek_data (barbican), and your project kek will be issued with your new master kek.

Ammad Syed <syedammad83@gmail.com> wrote on Fri, Oct 29, 2021 at 4:04 PM:
Hi,
I have installed barbican and am using it with openstack magnum. When I use the default kek described in the document below, it works fine and magnum cluster creation succeeds.
https://docs.openstack.org/barbican/latest/install/barbican-backend.html
But when I generate a new kek with the below command:
python3 -c "from cryptography.fernet import Fernet ; key = Fernet.generate_key(); print(key)"
and put it in barbican.conf, the magnum cluster fails to create and I see the below logs in barbican.
Any advice on how to fix it?
- Ammad
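
An added example, not part of the thread and not Barbican code: the traceback fails in `_get_kek` at Fernet's HMAC check on the stored `plugin_meta`, so this standard-library sketch reports which master kek a stored token was wrapped under. It assumes the stored value is a standard Fernet token; the key names and the sample token are constructed.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

MIN_LEN = 1 + 8 + 16 + 16 + 32  # version, timestamp, IV, one AES block, HMAC


def signing_key(fernet_key):
    """A Fernet key is base64url(16-byte signing key || 16-byte AES key)."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16]


def authenticates(token, fernet_key):
    """True if the token's trailing HMAC-SHA256 verifies under fernet_key."""
    try:
        data = base64.urlsafe_b64decode(token)
    except ValueError:
        return False
    if len(data) < MIN_LEN or data[0] != 0x80:
        return False
    mac = hmac.new(signing_key(fernet_key), data[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(mac, data[-32:])


def wrapped_under(token, candidates):
    """Names of the candidate master keks that authenticate the token."""
    return [name for name, key in candidates.items() if authenticates(token, key)]


def sample_token(fernet_key):
    """Constructed sample: genuine Fernet framing and HMAC, placeholder ciphertext."""
    body = b"\x80" + struct.pack(">Q", int(time.time())) + os.urandom(16 + 48)
    mac = hmac.new(signing_key(fernet_key), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


# Constructed keys in the same format Fernet.generate_key() returns.
OLD_MASTER_KEK = base64.urlsafe_b64encode(os.urandom(32))
NEW_MASTER_KEK = base64.urlsafe_b64encode(os.urandom(32))
STORED_TOKEN = sample_token(OLD_MASTER_KEK)  # stands in for one stored project kek

if __name__ == "__main__":
    keys = {"old": OLD_MASTER_KEK, "new": NEW_MASTER_KEK}
    print(wrapped_under(STORED_TOKEN, keys))
```

A token that authenticates only under the old key is the condition that raises `InvalidToken` once the new key is configured; deleting such a token also discards the project kek it holds.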
participants (2): Ammad Syed, chengke ji