[openstack-dev] Barbican : Retrieval of the secret in text/plain format generated from Barbican order resource

Nathan Reller nathan.s.reller at gmail.com
Mon Jun 8 13:37:51 UTC 2015


Asha,

When you say you want your key in ASCII does that also mean putting
the bytes in hex or base64 format? Isn't ASCII only 7 bits?

-Nate

On Mon, Jun 8, 2015 at 1:17 AM, Asha Seshagiri <asha.seshagiri at gmail.com> wrote:
> Thanks John for your response.
> I am aware that application/octet-stream works for the retrieval of secret.
> We are utilizing the key generated from Barbican in our AES encryption
> algorithm. Hence we wanted the response in text/plain format from Barbican
> since AES encryption algorithm would need the key of ASCII format which
> should be either 16, 24 or 32 bytes.
>
> The AES encryption algorithms would not accept the binary format and even if
> binary is converted into ASCII, encoding is failing for few of the keys
> because some characters exceed the range of ASCII and for some keys after
> encoding length exceeds 32 bytes which is the maximum length for doing AES
> encryption.
>
> Would like to know the reason behind Barbican not supporting the retrieval
> of the secret in text/plain format generated from the order resource in
> plain/text format.
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Sun, Jun 7, 2015 at 11:43 PM, John Wood <john.wood at rackspace.com> wrote:
>>
>> Hello Asha,
>>
>> The AES type key should require an application/octet-stream Accept header
>> to retrieve the secret as it is a binary type. Please replace ‘text/plain’
>> with ‘application/octet-stream’ in your curl calls below.
>>
>> Thanks,
>> John
>>
>>
>> From: Asha Seshagiri <asha.seshagiri at gmail.com>
>> Date: Friday, June 5, 2015 at 2:42 PM
>> To: openstack-dev <openstack-dev at lists.openstack.org>
>> Cc: Douglas Mendizabal <douglas.mendizabal at RACKSPACE.COM>, John Wood
>> <john.wood at rackspace.com>, "Reller, Nathan S." <Nathan.Reller at jhuapl.edu>,
>> Adam Harwell <adam.harwell at RACKSPACE.COM>, Paul Kehrer
>> <paul.kehrer at RACKSPACE.COM>
>> Subject: Re: Barbican : Retrieval of the secret in text/plain format
>> generated from Barbican order resource
>>
>> Hi All,
>>
>> I am currently working on use cases for database and file encryption. It is
>> really important for us to know since my encryption use case would be using
>> the key generated by Barbican through order resource as the key.
>> The encryption algorithms would not accept the binary format and even if
>> converted into ASCII, encoding is failing for few of the keys because some
>> characters exceed the range of ASCII and for some keys after encoding
>> length exceeds 32 bytes which is the maximum length for doing AES
>> encryption.
>> It would be great if someone could respond to the query, since it would
>> block my further investigations on encryption use cases using Barbican.
>> Thanks and Regards,
>> Asha Seshagiri
>>
>>
>> On Wed, Jun 3, 2015 at 3:51 PM, Asha Seshagiri <asha.seshagiri at gmail.com>
>> wrote:
>>>
>>> Hi All,
>>>
>>> Unable to retrieve the secret in text/plain format generated from
>>> Barbican order resource
>>>
>>> Please find the curl command and responses for
>>>
>>> Order creation with payload content type as text/plain:
>>>
>>> [root@barbican-automation ~]# curl -X POST -H
>>> 'content-type:application/json' -H
>>> "X-Auth-Token:9b211b06669249bb89665df068828ee8" \
>>> > -d '{"type" : "key", "meta": {"name": "secretname2","algorithm": "aes",
>>> > "bit_length":256,  "mode": "cbc", "payload_content_type": "text/plain"}}'
>>> > -k https://169.53.235.102:9311/v1/orders
>>>
>>> {"order_ref":
>>> "https://169.53.235.102:9311/v1/orders/727113f9-fcda-4366-9f85-93b15edd4680"}
>>>
>>> Retrieval of the order by ORDER ID in order to get to know the secret
>>> generated by Barbican
>>>
>>> [root@barbican-automation ~]# curl -H 'Accept: application/json' -H
>>> "X-Auth-Token:9b211b06669249bb89665df068828ee8" \
>>> > -k
>>> > https://169.53.235.102:9311/v1/orders/727113f9-fcda-4366-9f85-93b15edd4680
>>> {"status": "ACTIVE", "sub_status": "Unknown", "updated":
>>> "2015-06-03T19:08:13", "created": "2015-06-03T19:08:12", "order_ref":
>>> "https://169.53.235.102:9311/v1/orders/727113f9-fcda-4366-9f85-93b15edd4680",
>>> "secret_ref":
>>> "https://169.53.235.102:9311/v1/secrets/5c25525d-a162-4b0b-9954-90c4ce426c4e",
>>> "creator_id": "cedd848a8a9e410196793c601c03b99a", "meta": {"name":
>>> "secretname2", "algorithm": "aes", "payload_content_type": "text/plain",
>>> "mode": "cbc", "bit_length": 256, "expiration": null}, "sub_status_message":
>>> "Unknown", "type": "key"}
>>> [root@barbican-automation ~]#
>>>
>>>
>>> Retrieval of the secret failing with the content type text/plain
>>>
>>> [root@barbican-automation ~]# curl -H 'Accept:text/plain' -H
>>> "X-Auth-Token:9b211b06669249bb89665df068828ee8" -k
>>> https://169.53.235.102:9311/v1/secrets/5c25525d-a162-4b0b-9954-90c4ce426c4e/payload
>>> {"code": 500, "description": "Secret payload retrieval failure seen -
>>> please contact site administrator.", "title": "Internal Server Error"}
>>>
>>> I would like to know whether this is a bug from Barbican side since
>>> Barbican allows creation of the order resource with text/plain as the
>>> payload_content type but the retrieval of the secret payload with the
>>> content type text/plain is not allowed.
>>>
>>> Any help would highly be appreciated.
>>> --
>>> Thanks and Regards,
>>> Asha Seshagiri
>
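The encoding question raised in this thread, as an added example (not part of the original messages and not Barbican code): a 256-bit AES key is 32 arbitrary bytes, so it is generally not valid ASCII, and its hex or base64 text forms are 64 and 44 characters that have to be decoded back to 32 bytes before use. `SAMPLE_KEY` is a constructed value and the function names are hypothetical.

```python
import base64
import binascii

AES_KEY_LENGTHS = (16, 24, 32)  # bytes, i.e. AES-128/192/256

# Constructed sample standing in for a 256-bit key fetched with
# "Accept: application/octet-stream"; not a real Barbican secret.
SAMPLE_KEY = bytes(range(0x70, 0x90))


def is_ascii(raw: bytes) -> bool:
    """True only if every byte fits in 7 bits (0x00-0x7F)."""
    return all(b < 0x80 for b in raw)


def text_forms(raw: bytes) -> dict:
    """Text-safe encodings of a binary key; each is longer than the key."""
    return {
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def key_from_text(text: str, encoding: str) -> bytes:
    """Decode a text-encoded key to raw bytes and check the AES key size."""
    try:
        if encoding == "hex":
            raw = bytes.fromhex(text)
        elif encoding == "base64":
            raw = base64.b64decode(text, validate=True)
        else:
            raise ValueError(f"unsupported encoding: {encoding}")
    except binascii.Error as exc:
        raise ValueError(f"malformed {encoding} key text") from exc
    if len(raw) not in AES_KEY_LENGTHS:
        raise ValueError(f"decoded key is {len(raw)} bytes, not 16, 24 or 32")
    return raw


if __name__ == "__main__":
    print("raw key is ASCII:", is_ascii(SAMPLE_KEY))
    for name, text in text_forms(SAMPLE_KEY).items():
        decoded = key_from_text(text, name)
        print(name, len(text), "chars ->", len(decoded), "bytes")
```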