[openstack-dev] [barbican] Secret store API validation

Kelsey, Timothy John tim.kelsey at hp.com
Mon Nov 17 11:33:19 UTC 2014

Hello Barbican folks,
Recently I was experimenting with the KMIPSecretStore and observed the following behaviour. Issuing the API call:

"curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain", "algorithm": "aes", "bit_length":256}' http://localhost:9311/v1/secrets”<http://localhost:9311/v1/secrets%22>

worked to store a secret in the backend HSM, but upon retrieving the secret I was presented with “mysecrethere”, instead of the expected value “my-secret-here”. This corruption of the secret occurs because internally it is assumed to be encoded as base64 and the base64 decoder drops invalid bytes, in this case the “-“ characters. For more discussion please see the comments on this review: https://review.openstack.org/#/c/133725/

It seems we need to add some validation to the process so I would like to get a discussion going on what we should be validating and where in the pipeline it might fit best. Im happy to code up a patch to make this happen but want to get some input and a consensus on things first.

Tim Kelsey
Cloud Security Engineer
HP Helion

More information about the OpenStack-dev mailing list