[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
Asha Seshagiri
asha.seshagiri at gmail.com
Tue Jul 21 20:04:59 UTC 2015
Hi John ,
Thanks for providing the solution .
Its a bug in Barbican code , it works without passing the length .
I would raise the bug and fix it .
root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek
--label 'an_mkek'
Verified label !
MKEK successfully generated!
[root at HSM-Client bin]# python pkcs11-key-generation --library-path
'/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 hmac
--label 'my_hmac_label'
HMAC successfully generated!
Thanks and Regards,
Asha Seshagiri
On Mon, Jul 20, 2015 at 2:05 PM, John Vrbanac <john.vrbanac at rackspace.com>
wrote:
> Hmm... This error is usually because one of the parameters is
> an incorrect type. I'm wondering if the length is coming through as a
> string instead of an integer. As the length defaults to 32, try not
> specifying the length parameter. If that works, we need to report a defect
> to make sure that it's properly converted to an integer.
>
>
> John Vrbanac
> ------------------------------
> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
> *Sent:* Monday, July 20, 2015 10:30 AM
>
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Cc:* Reller, Nathan S.
> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret when
> Barbican was Integrated with SafeNet HSM
>
> Hi John ,
>
> Thanks a lot John for your response.
> I tried executing the script with the following options before , but
> it seems it did not work .Hence tried with the curly baraces .
>
> Please find other options below :
>
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek
> --length 32 --label 'an_mkek'
> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> /usr/lib/libCryptoki2_64.so --passphrase test123 --slot-id 1 mkek
> --length 32 --label an_mkek
> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>
>
> Would be of great help if l could the syntax for running the script
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <john.vrbanac at rackspace.com>
> wrote:
>
>> Don't include the curly brackets on the script arguments. The
>> documentation is just using them to indicate that those are placeholders
>> for real values.
>>
>>
>> John Vrbanac
>> ------------------------------
>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>> *Sent:* Sunday, July 19, 2015 2:15 PM
>> *To:* OpenStack Development Mailing List (not for usage questions)
>> *Cc:* Reller, Nathan S.
>> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret
>> when Barbican was Integrated with SafeNet HSM
>>
>> Hi John ,
>>
>> Thanks for pointing me to the right script.
>> I appreciate your help .
>>
>> I tried running the script with the following command :
>>
>> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>> {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek
>> --length 32 --label 'an_mkek'
>> Traceback (most recent call last):
>> File "pkcs11-key-generation", line 120, in <module>
>> main()
>> File "pkcs11-key-generation", line 115, in main
>> kg = KeyGenerator()
>> File "pkcs11-key-generation", line 38, in __init__
>> ffi=ffi
>> File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in
>> __init__
>> self.lib = self.ffi.dlopen(library_path)
>> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in
>> dlopen
>> lib, function_cache = _make_ffi_library(self, name, flags)
>> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in
>> _make_ffi_library
>> backendlib = _load_backend_lib(backend, libname, flags)
>> File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in
>> _load_backend_lib
>> return backend.load_library(name, flags)
>> *OSError: cannot load library {/usr/lib/libCryptoki2_64.so}:
>> {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file
>> or directory*
>>
>> *Unable to run the script since the library libCryptoki2_64.so cannot be
>> opened.*
>>
>> Tried the following solution :
>>
>> - vi /etc/ld.so.conf
>> - Added both the paths of ld.so.conf in the /etc/ld.so.conf file got
>> from the command find / -name libCryptoki2_64.so
>> - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>> - /usr/lib/libCryptoki2_64.so
>> - sudo ldconfig
>> - ldconfig -p
>>
>> But the above solution failed and am geting the same error.
>>
>> Any help would highly be apprecited.
>> Thanks in advance!
>>
>> Thanks and Regards,
>> Asha Seshagiri
>>
>> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <
>> john.vrbanac at rackspace.com> wrote:
>>
>>> Asha,
>>>
>>> It looks like you don't have your mkek label correctly configured. Make
>>> sure that the mkek_label and hmac_label values in your config correctly
>>> reflect the keys that you've generated on your HSM.
>>>
>>> The plugin will cache the key handle to the mkek and hmac when the
>>> plugin starts, so if it cannot find them, it'll fail to load the plugin
>>> altogether.
>>>
>>>
>>> If you need help generating your mkek and hmac, refer to
>>> http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
>>> for instructions on how to create them using a script.
>>>
>>>
>>> As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>>
>>>
>>> John Vrbanac
>>> ------------------------------
>>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>>> *Sent:* Saturday, July 18, 2015 8:47 PM
>>> *To:* openstack-dev
>>> *Cc:* Reller, Nathan S.
>>> *Subject:* [openstack-dev] Barbican : Unable to store the secret when
>>> Barbican was Integrated with SafeNet HSM
>>>
>>> Hi All ,
>>>
>>> I have configured Barbican to integrate with SafeNet HSM.
>>> Installed safenet client libraries , registered the barbican machine to
>>> point to HSM server and also assigned HSM partition.
>>>
>>> The following were the changes done in barbican.conf file
>>>
>>>
>>> # ================= Secret Store Plugin ===================
>>> [secretstore]
>>> namespace = barbican.secretstore.plugin
>>> enabled_secretstore_plugins = store_crypto
>>>
>>> # ================= Crypto plugin ===================
>>> [crypto]
>>> namespace = barbican.crypto.plugin
>>> enabled_crypto_plugins = p11_crypto
>>>
>>> [p11_crypto_plugin]
>>> # Path to vendor PKCS11 library
>>> library_path = '/usr/lib/libCryptoki2_64.so'
>>> # Password to login to PKCS11 session
>>> login = 'test123'
>>> # Label to identify master KEK in the HSM (must not be the same as HMAC
>>> label)
>>> mkek_label = 'an_mkek'
>>> # Length in bytes of master KEK
>>> mkek_length = 32
>>> # Label to identify HMAC key in the HSM (must not be the same as MKEK
>>> label)
>>> hmac_label = 'my_hmac_label'
>>> # HSM Slot id (Should correspond to a configured PKCS11 slot).
>>> Default: 1
>>> slot_id = 1
>>>
>>> Unable to store the secret when Barbican was integrated with HSM.
>>>
>>> [root at HSM-Client crypto]# curl -X POST -H
>>> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
>>> "my-secret-here", "payload_content_type": "text/plain"}'
>>> http://localhost:9311/v1/secrets
>>> *{"code": 500, "description": "Secret creation failure seen - please
>>> contact site administrator.", "title": "Internal Server
>>> Error"}[root at HSM-Client crypto]#*
>>>
>>>
>>> Please find the logs below :
>>>
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
>>> creating plugin: 'p11_crypto'
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback
>>> (most recent call last):
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>>> "/root/barbican/barbican/plugin/util/utils.py", line 42, in
>>> instantiate_plugins
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>>> "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> conf.p11_crypto_plugin.hmac_label)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
>>> cache_mkek_and_hmac
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> self.get_mkek(self.current_mkek_label, session)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils File
>>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils raise
>>> P11CryptoKeyHandleException()
>>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> P11CryptoKeyHandleException: No key handle was found*
>>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils*
>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
>>> failure seen - please contact site administrator.*
>>>
>>>
>>> (I am not sure why we are geting CryptoPluginNotFound: Crypto plugin
>>> not found. Exception since the changes is able to hit the p11_crypto.py
>>> code)
>>>
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback
>>> (most recent call last):
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>>> fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>>> fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/api/controllers/__init__.py", line 146, in
>>> content_types_enforcer
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers return
>>> fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> transport_key_id=data.get('transport_key_id'))
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> secret_model, project_model)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/plugin/resources.py", line 267, in
>>> _store_secret_using_plugin
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> secret_metadata = store_plugin.store_secret(secret_dto, context)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers File
>>> "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
>>> get_plugin_store_generate*
>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers raise
>>> crypto.CryptoPluginNotFound()*
>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>> CryptoPluginNotFound: Crypto plugin not found.*
>>>
>>> Had chance to go though the code as to why are we geting the exception
>>> : *P11CryptoKeyHandleException: No key handle was found .*
>>> *It is because *returned_count[0] == 0 .It needs to be 0 in order for
>>> the mkek to be created .From what I understand is that by default all the
>>> ffi variables would have the value 0 . I am not sure why the check
>>> returned_count[0] == 1: has been put .
>>>
>>> if returned_count[0] == 1:
>>> key = object_handle_ptr[0] rv = self
>>> .lib.C_FindObjectsFinal(session) self.check_error(rv) if
>>> returned_count[0] == 1:
>>> return key elif returned_count[0] == 0: return None
>>> *Need Help .Any help would highly be appreciated .It is very critical
>>> for us to integrate with Barbican*
>>> *Also would like to know if any one has integrated Barbican with HSM.*
>>>
>>> --
>>> *Thanks and Regards,*
>>> *Asha Seshagiri*
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
>>
>> --
>> *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> *Thanks and Regards,*
> *Asha Seshagiri*
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
--
*Thanks and Regards,*
*Asha Seshagiri*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150721/7a270c48/attachment.html>
More information about the OpenStack-dev
mailing list