[openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM

Asha Seshagiri asha.seshagiri at gmail.com
Tue Jul 21 22:52:34 UTC 2015


Hi John,

One quick question:

When Barbican is integrated with an HSM, we send the order request to
generate a symmetric key.
The request goes to the HSM, which generates the symmetric key, which is
a secret. Then the secret is wrapped with the KEKs and sent to
Barbican.

The key requested through the order resource is never persisted in the HSM.

Please correct me if I am wrong.

Thanks and Regards,
Asha Seshagiri




On Tue, Jul 21, 2015 at 3:04 PM, Asha Seshagiri <asha.seshagiri at gmail.com>
wrote:

> Hi John,
>
> Thanks for providing the solution.
> It's a bug in the Barbican code; it works without passing the length.
> I will raise the bug and fix it.
>
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> '/usr/lib/libCryptoki2_64.so'  --passphrase 'test123' --slot-id  1 mkek
> --label 'an_mkek'
> Verified label !
> MKEK successfully generated!
>
> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
> '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 hmac
> --label 'my_hmac_label'
> HMAC successfully generated!
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Mon, Jul 20, 2015 at 2:05 PM, John Vrbanac <john.vrbanac at rackspace.com>
> wrote:
>
>>  Hmm... This error is usually because one of the parameters is
>> an incorrect type. I'm wondering if the length is coming through as a
>> string instead of an integer. As the length defaults to 32, try not
>> specifying the length parameter. If that works, we need to report a defect
>> to make sure that it's properly converted to an integer.
>>
>>
>>     John Vrbanac
>>      ------------------------------
>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>> *Sent:* Monday, July 20, 2015 10:30 AM
>>
>> *To:* OpenStack Development Mailing List (not for usage questions)
>> *Cc:* Reller, Nathan S.
>> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret
>> when Barbican was Integrated with SafeNet HSM
>>
>> Hi John,
>>
>> Thanks a lot, John, for your response.
>> I tried executing the script with the following options before, but
>> it seems it did not work. Hence I tried with the curly braces.
>>
>> Please find the other options below:
>>
>> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>> '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek
>> --length 32 --label 'an_mkek'
>> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>> [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>> /usr/lib/libCryptoki2_64.so  --passphrase test123  --slot-id 1  mkek
>> --length 32 --label an_mkek
>> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>>
>>
>> It would be of great help if I could get the syntax for running the script.
>>
>> Thanks and Regards,
>> Asha Seshagiri
>>
>> On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <john.vrbanac at rackspace.com
>> > wrote:
>>
>>>  Don't include the curly brackets on the script arguments. The
>>> documentation is just using them to indicate that those are placeholders
>>> for real values.
>>>
>>>
>>>     John Vrbanac
>>>      ------------------------------
>>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>>> *Sent:* Sunday, July 19, 2015 2:15 PM
>>> *To:* OpenStack Development Mailing List (not for usage questions)
>>> *Cc:* Reller, Nathan S.
>>> *Subject:* Re: [openstack-dev] Barbican : Unable to store the secret
>>> when Barbican was Integrated with SafeNet HSM
>>>
>>> Hi John,
>>>
>>> Thanks for pointing me to the right script.
>>> I appreciate your help.
>>>
>>> I tried running the script with the following command:
>>>
>>>  [root at HSM-Client bin]# python pkcs11-key-generation --library-path
>>> {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1  mkek
>>> --length 32 --label 'an_mkek'
>>> Traceback (most recent call last):
>>>   File "pkcs11-key-generation", line 120, in <module>
>>>     main()
>>>   File "pkcs11-key-generation", line 115, in main
>>>     kg = KeyGenerator()
>>>   File "pkcs11-key-generation", line 38, in __init__
>>>     ffi=ffi
>>>   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in
>>> __init__
>>>     self.lib = self.ffi.dlopen(library_path)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in
>>> dlopen
>>>     lib, function_cache = _make_ffi_library(self, name, flags)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in
>>> _make_ffi_library
>>>     backendlib = _load_backend_lib(backend, libname, flags)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in
>>> _load_backend_lib
>>>     return backend.load_library(name, flags)
>>> *OSError: cannot load library {/usr/lib/libCryptoki2_64.so}:
>>> {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file
>>> or directory*
>>>
>>> *Unable to run the script since the library libCryptoki2_64.so cannot be
>>> opened.*
>>>
>>> Tried the following solution:
>>>
>>>    - vi /etc/ld.so.conf
>>>    - Added both paths, obtained from the command
>>>      find / -name libCryptoki2_64.so, to the /etc/ld.so.conf file:
>>>      - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>>>      - /usr/lib/libCryptoki2_64.so
>>>    - sudo ldconfig
>>>    - ldconfig -p
>>>
>>> But the above solution failed and I am getting the same error.
>>>
>>> Any help would be highly appreciated.
>>> Thanks in advance!
>>>
>>>  Thanks and Regards,
>>> Asha Seshagiri
>>>
>>> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <
>>> john.vrbanac at rackspace.com> wrote:
>>>
>>>>  Asha,
>>>>
>>>> It looks like you don't have your mkek label correctly configured. Make
>>>> sure that the mkek_label and hmac_label values in your config correctly
>>>> reflect the keys that you've generated on your HSM.
>>>>
>>>> The plugin will cache the key handle to the mkek and hmac when the
>>>> plugin starts, so if it cannot find them, it'll fail to load the plugin
>>>> altogether.
>>>>
>>>>
>>>>  If you need help generating your mkek and hmac, refer to
>>>> http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html
>>>> for instructions on how to create them using a script.
>>>>
>>>>
>>>>  As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>>>
>>>>
>>>>     John Vrbanac
>>>>      ------------------------------
>>>> *From:* Asha Seshagiri <asha.seshagiri at gmail.com>
>>>> *Sent:* Saturday, July 18, 2015 8:47 PM
>>>> *To:* openstack-dev
>>>> *Cc:* Reller, Nathan S.
>>>> *Subject:* [openstack-dev] Barbican : Unable to store the secret when
>>>> Barbican was Integrated with SafeNet HSM
>>>>
>>>> Hi All,
>>>>
>>>> I have configured Barbican to integrate with a SafeNet HSM.
>>>> Installed the SafeNet client libraries, registered the Barbican machine to
>>>> point to the HSM server, and also assigned an HSM partition.
>>>>
>>>> The following were the changes done in the barbican.conf file:
>>>>
>>>>
>>>> # ================= Secret Store Plugin ===================
>>>> [secretstore]
>>>> namespace = barbican.secretstore.plugin
>>>> enabled_secretstore_plugins = store_crypto
>>>>
>>>> # ================= Crypto plugin ===================
>>>> [crypto]
>>>> namespace = barbican.crypto.plugin
>>>> enabled_crypto_plugins = p11_crypto
>>>>
>>>> [p11_crypto_plugin]
>>>> # Path to vendor PKCS11 library
>>>> library_path = '/usr/lib/libCryptoki2_64.so'
>>>> # Password to login to PKCS11 session
>>>> login = 'test123'
>>>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>>>> mkek_label = 'an_mkek'
>>>> # Length in bytes of master KEK
>>>> mkek_length = 32
>>>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>>>> hmac_label = 'my_hmac_label'
>>>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>>>> slot_id = 1
>>>>
>>>>  Unable to store the secret when Barbican was integrated with HSM.
>>>>
>>>>  [root at HSM-Client crypto]# curl -X POST -H
>>>> 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload":
>>>> "my-secret-here", "payload_content_type": "text/plain"}'
>>>> http://localhost:9311/v1/secrets
>>>> *{"code": 500, "description": "Secret creation failure seen - please
>>>> contact site administrator.", "title": "Internal Server
>>>> Error"}[root at HSM-Client crypto]#*
>>>>
>>>>
>>>> Please find the logs below:
>>>>
>>>>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen
>>>> creating plugin: 'p11_crypto'
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> Traceback (most recent call last):
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>>>> "/root/barbican/barbican/plugin/util/utils.py", line 42, in
>>>> instantiate_plugins
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>>>> "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> conf.p11_crypto_plugin.hmac_label)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>>>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in
>>>> cache_mkek_and_hmac
>>>>  2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> self.get_mkek(self.current_mkek_label, session)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File
>>>> "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> raise P11CryptoKeyHandleException()
>>>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> P11CryptoKeyHandleException: No key handle was found*
>>>> *2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils*
>>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation
>>>> failure seen - please contact site administrator.*
>>>>
>>>>
>>>> (I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin
>>>> not found exception, since the changes are able to hit the p11_crypto.py
>>>> code.)
>>>>
>>>>  2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> Traceback (most recent call last):
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>>>> fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>>>> fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/api/controllers/__init__.py", line 146, in
>>>> content_types_enforcer
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return
>>>> fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> transport_key_id=data.get('transport_key_id'))
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> secret_model, project_model)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/plugin/resources.py", line 267, in
>>>> _store_secret_using_plugin
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> secret_metadata = store_plugin.store_secret(secret_dto, context)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File
>>>> "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in
>>>> get_plugin_store_generate*
>>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise
>>>> crypto.CryptoPluginNotFound()*
>>>> *2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers
>>>> CryptoPluginNotFound: Crypto plugin not found.*
>>>>
>>>> I had a chance to go through the code to see why we are getting the
>>>> exception: *P11CryptoKeyHandleException: No key handle was found.*
>>>> *It is because* returned_count[0] == 0. It needs to be 0 in order for
>>>> the mkek to be created. From what I understand, by default all the
>>>> ffi variables would have the value 0. I am not sure why the check
>>>> returned_count[0] == 1: has been put there.
>>>>
>>>>     if returned_count[0] == 1:
>>>>         key = object_handle_ptr[0]
>>>>     rv = self.lib.C_FindObjectsFinal(session)
>>>>     self.check_error(rv)
>>>>     if returned_count[0] == 1:
>>>>         return key
>>>>     elif returned_count[0] == 0:
>>>>         return None
>>>> *Need help. Any help would be highly appreciated. It is very critical
>>>> for us to integrate with Barbican.*
>>>> *Also, I would like to know if anyone has integrated Barbican with an HSM.*
>>>>
>>>>  --
>>>>  *Thanks and Regards,*
>>>> *Asha Seshagiri*
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>>>  --
>>>  *Thanks and Regards,*
>>> *Asha Seshagiri*
>>>
>>>
>>>
>>>
>>
>>
>> --
>>  *Thanks and Regards,*
>> *Asha Seshagiri*
>>
>>
>>
>
>
> --
> *Thanks and Regards,*
> *Asha Seshagiri*
>



-- 
*Thanks and Regards,*
*Asha Seshagiri*
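Added example, not code from Barbican or from anyone in this thread: a runnable model of the startup lookup the traceback above shows (cache_mkek_and_hmac calling get_mkek), with a constructed in-memory label table standing in for C_FindObjects on the HSM slot. The names FAKE_SLOT, fake_find_objects, get_key_handle and P11AmbiguousLabelException are assumptions; the count check mirrors the returned_count[0] == 1 logic quoted in the thread, and the int() coercion is the integer conversion John suggested for the length argument.

```python
# Added example, not Barbican's own code: models the startup key-handle lookup
# from the traceback. A constructed dict stands in for the HSM slot (offline).

class P11CryptoKeyHandleException(Exception):
    """Raised when no object with the requested label exists in the slot."""

class P11AmbiguousLabelException(Exception):
    """Hypothetical name: more than one object carries the label."""

# Constructed stand-in for an HSM partition: label -> object handles.
FAKE_SLOT = {
    "an_mkek": [0x1001],
    "my_hmac_label": [0x1002],
    "dup_label": [0x1003, 0x1004],
}

def fake_find_objects(slot, label, max_objects=2):
    """Mimics C_FindObjects: returns up to max_objects handles plus the
    count the HSM would write into returned_count[0]."""
    handles = slot.get(label, [])[:max_objects]
    return handles, len(handles)

def get_key_handle(slot, label):
    """Count semantics behind the thread's question: exactly one match yields
    a handle, zero yields None (the caller raises), more than one is an error."""
    handles, returned_count = fake_find_objects(slot, label)
    if returned_count == 0:
        return None
    if returned_count > 1:
        raise P11AmbiguousLabelException(label)
    return handles[0]

def cache_mkek_and_hmac(slot, conf):
    """Resolve both configured labels at plugin start; a label that does not
    exist in the slot fails the whole plugin load, as in the log above."""
    if conf["mkek_label"] == conf["hmac_label"]:
        raise ValueError("mkek_label and hmac_label must differ")
    # The CLI defect diagnosed in the thread: a length arriving as a string.
    # Coerce it before it reaches any C binding that expects an integer.
    mkek_length = int(conf["mkek_length"])
    cache = {"mkek_length": mkek_length}
    for key in ("mkek_label", "hmac_label"):
        handle = get_key_handle(slot, conf[key])
        if handle is None:
            raise P11CryptoKeyHandleException(
                "No key handle was found: %r" % conf[key])
        cache[key] = handle
    return cache
```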

