Hi John,

Thanks for providing the solution. It's a bug in the Barbican code; it works without passing the length. I will raise the bug and fix it.

[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --label 'an_mkek'
Verified label !
MKEK successfully generated!
[root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 hmac --label 'my_hmac_label'
HMAC successfully generated!

Thanks and Regards,
Asha Seshagiri

On Mon, Jul 20, 2015 at 2:05 PM, John Vrbanac <[email protected]> wrote:
> Hmm... This error is usually because one of the parameters is an incorrect type. I'm wondering if the length is coming through as a string instead of an integer. As the length defaults to 32, try not specifying the length parameter. If that works, we need to report a defect to make sure that it's properly converted to an integer.
>
> John Vrbanac
> ------------------------------
> From: Asha Seshagiri <[email protected]>
> Sent: Monday, July 20, 2015 10:30 AM
> To: OpenStack Development Mailing List (not for usage questions)
> Cc: Reller, Nathan S.
> Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>
> Hi John,
>
> Thanks a lot John for your response.
> I tried executing the script with the following options before, but it seems it did not work. Hence I tried with the curly braces.
>
> Please find the other options below:
>
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --length 32 --label 'an_mkek'
> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path /usr/lib/libCryptoki2_64.so --passphrase test123 --slot-id 1 mkek --length 32 --label an_mkek
> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>
> It would be of great help if I could get the syntax for running the script.
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <[email protected]> wrote:
>> Don't include the curly brackets on the script arguments. The documentation is just using them to indicate that those are placeholders for real values.
>>
>> John Vrbanac
>> ------------------------------
>> From: Asha Seshagiri <[email protected]>
>> Sent: Sunday, July 19, 2015 2:15 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Cc: Reller, Nathan S.
>> Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>>
>> Hi John,
>>
>> Thanks for pointing me to the right script.
>> I appreciate your help.
>>
>> I tried running the script with the following command:
>>
>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek'
>> Traceback (most recent call last):
>>   File "pkcs11-key-generation", line 120, in <module>
>>     main()
>>   File "pkcs11-key-generation", line 115, in main
>>     kg = KeyGenerator()
>>   File "pkcs11-key-generation", line 38, in __init__
>>     ffi=ffi
>>   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__
>>     self.lib = self.ffi.dlopen(library_path)
>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
>>     lib, function_cache = _make_ffi_library(self, name, flags)
>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library
>>     backendlib = _load_backend_lib(backend, libname, flags)
>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib
>>     return backend.load_library(name, flags)
>> OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory
>>
>> Unable to run the script since the library libCryptoki2_64.so cannot be opened.
>>
>> Tried the following solution:
>>
>> - vi /etc/ld.so.conf
>> - Added both paths of libCryptoki2_64.so, got from the command find / -name libCryptoki2_64.so, to the /etc/ld.so.conf file:
>>   - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>>   - /usr/lib/libCryptoki2_64.so
>> - sudo ldconfig
>> - ldconfig -p
>>
>> But the above solution failed and I am getting the same error.
>>
>> Any help would be highly appreciated.
>> Thanks in advance!
>>
>> Thanks and Regards,
>> Asha Seshagiri
>>
>> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <[email protected]> wrote:
>>> Asha,
>>>
>>> It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM.
>>>
>>> The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether.
>>>
>>> If you need help generating your mkek and hmac, refer to http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html for instructions on how to create them using a script.
>>>
>>> As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>>
>>> John Vrbanac
>>> ------------------------------
>>> From: Asha Seshagiri <[email protected]>
>>> Sent: Saturday, July 18, 2015 8:47 PM
>>> To: openstack-dev
>>> Cc: Reller, Nathan S.
>>> Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>>>
>>> Hi All,
>>>
>>> I have configured Barbican to integrate with SafeNet HSM.
>>> Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server and also assigned an HSM partition.
>>>
>>> The following were the changes done in the barbican.conf file:
>>>
>>> # ================= Secret Store Plugin ===================
>>> [secretstore]
>>> namespace = barbican.secretstore.plugin
>>> enabled_secretstore_plugins = store_crypto
>>>
>>> # ================= Crypto plugin ===================
>>> [crypto]
>>> namespace = barbican.crypto.plugin
>>> enabled_crypto_plugins = p11_crypto
>>>
>>> [p11_crypto_plugin]
>>> # Path to vendor PKCS11 library
>>> library_path = '/usr/lib/libCryptoki2_64.so'
>>> # Password to login to PKCS11 session
>>> login = 'test123'
>>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>>> mkek_label = 'an_mkek'
>>> # Length in bytes of master KEK
>>> mkek_length = 32
>>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>>> hmac_label = 'my_hmac_label'
>>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>>> slot_id = 1
>>>
>>> Unable to store the secret when Barbican was integrated with HSM.
>>>
>>> [root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>>> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#
>>>
>>> Please find the logs below:
>>>
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     conf.p11_crypto_plugin.hmac_label)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     self.get_mkek(self.current_mkek_label, session)
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise P11CryptoKeyHandleException()
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.
>>>
>>> (I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin not found. exception, since the change is able to hit the p11_crypto.py code.)
>>>
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_model, project_model)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise crypto.CryptoPluginNotFound()
>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.
>>>
>>> Had a chance to go through the code as to why we are getting the exception P11CryptoKeyHandleException: No key handle was found.
>>> It is because returned_count[0] == 0. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check returned_count[0] == 1: has been put.
>>>
>>>     if returned_count[0] == 1:
>>>         key = object_handle_ptr[0]
>>>     rv = self.lib.C_FindObjectsFinal(session)
>>>     self.check_error(rv)
>>>     if returned_count[0] == 1:
>>>         return key
>>>     elif returned_count[0] == 0:
>>>         return None
>>>
>>> Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.
>>> Also would like to know if anyone has integrated Barbican with HSM.
>>>
>>> --
>>> Thanks and Regards,
>>> Asha Seshagiri
>>
>> --
>> Thanks and Regards,
>> Asha Seshagiri
>
> --
> Thanks and Regards,
> Asha Seshagiri

--
Thanks and Regards,
Asha Seshagiri
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
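The two findings of the thread, put together as an added Python example that is not Barbican's code: the `--length` value reaching the HSM as a string is rejected the way CKR_ATTRIBUTE_VALUE_INVALID was, and a lookup by label that matches no object returns None, which is what turns into "No key handle was found" at plugin start. `FakeToken`, `AttributeValueInvalid`, `KeyHandleNotFound` and `parse_args` are constructed stand-ins for the real PKCS#11 library and the pkcs11-key-generation script.

```python
import argparse

CKR_ATTRIBUTE_VALUE_INVALID = 0x13  # response code quoted in the thread


class AttributeValueInvalid(Exception):
    """Stands in for the HSM returning CKR_ATTRIBUTE_VALUE_INVALID."""


class KeyHandleNotFound(Exception):
    """Stands in for Barbican's P11CryptoKeyHandleException."""


class FakeToken:
    """Constructed in-memory stand-in for a PKCS#11 token (not the real library)."""

    def __init__(self):
        self._objects = {}  # handle -> attribute dict
        self._next_handle = 1

    def generate_key(self, label, length):
        # CKA_VALUE_LEN must be an integer: a str such as "32" is rejected,
        # which is the failure the un-converted --length argument produced.
        if not isinstance(length, int) or length <= 0:
            raise AttributeValueInvalid(hex(CKR_ATTRIBUTE_VALUE_INVALID))
        if self.find_by_label(label) is not None:
            raise ValueError("label already in use: %s" % label)
        handle = self._next_handle
        self._next_handle += 1
        self._objects[handle] = {"label": label, "length": length}
        return handle

    def find_by_label(self, label):
        # Mirrors the returned_count logic from pkcs11.py: exactly one match
        # gives the handle, zero matches gives None, more than one is an error.
        matches = [h for h, attrs in self._objects.items() if attrs["label"] == label]
        if len(matches) == 1:
            return matches[0]
        if not matches:
            return None
        raise ValueError("duplicate label: %s" % label)


def cache_mkek_and_hmac(token, mkek_label, hmac_label):
    # Same check the plugin does at start-up: both labels must resolve to a handle.
    handles = {}
    for name, label in (("mkek", mkek_label), ("hmac", hmac_label)):
        handle = token.find_by_label(label)
        if handle is None:
            raise KeyHandleNotFound("No key handle was found for %r" % label)
        handles[name] = handle
    return handles


def parse_args(argv):
    # type=int is the conversion the thread identifies as missing for --length.
    parser = argparse.ArgumentParser()
    parser.add_argument("--label", required=True)
    parser.add_argument("--length", type=int, default=32)
    return parser.parse_args(argv)
```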
