Open Stack

Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/178926

Log:
commit e522a5a6e2de26c27c61fb1e86ce15388f3eaca0
Author: jfwood <john.wood at rackspace.com>
Date:   Wed Apr 29 23:32:50 2015 -0500

    Add Crypto/HSM MKEK Rotation Support
    
    Currently Barbican has no means to migrate secrets encrypted with a
    crypto/HSM-style plugin to a new master key encryption key (MKEK) and
    its associated wrapped project KEKs. This blueprint proposes adding a
    new Barbican service process that supports completing the rotation of
    secrets to a new master key encryption key (MKEK) and a new wrapped
    project KEK. This process would be started after deployers, out of
    band: (1) generate new MKEK and HMAC signing keys with a binding to new
    labels, and then (2) replicate these keys to other HSMs that may be in
    the high availability (HA) group, and then (3) update Barbican's config
    file to reference these new labels, and finally (4) restart the
    Barbican nodes. The proposed process would then migrate secrets from
    encryption via the old keys to encryption via the new ones.
    
    Change-Id: Iccdfca4f309c50b7507f0a0992bec561045784f0
    Implements: blueprint add-crypto-mkek-rotation-support
    SecurityImpact: Rotates and migrates secrets to new KEKs.
    DocImpact: Add information on running KEK migration process.