Hi John,

One quick question:

When Barbican is integrated with an HSM, we send the order request to generate a symmetric key. The request goes to the HSM, which generates the symmetric key, which is a secret. Then the secret is wrapped with the KEKs and sent to Barbican. The key requested through the order resource is never persisted in the HSM. Please correct me if I am wrong.

Thanks and Regards,
Asha Seshagiri

On Tue, Jul 21, 2015 at 3:04 PM, Asha Seshagiri <[email protected]> wrote:
> Hi John,
>
> Thanks for providing the solution.
> It's a bug in the Barbican code; it works without passing the length.
> I will raise the bug and fix it.
>
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --label 'an_mkek'
> Verified label !
> MKEK successfully generated!
>
> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 hmac --label 'my_hmac_label'
> HMAC successfully generated!
>
> Thanks and Regards,
> Asha Seshagiri
>
> On Mon, Jul 20, 2015 at 2:05 PM, John Vrbanac <[email protected]> wrote:
>> Hmm... This error is usually because one of the parameters is an incorrect type. I'm wondering if the length is coming through as a string instead of an integer. As the length defaults to 32, try not specifying the length parameter. If that works, we need to report a defect to make sure that it's properly converted to an integer.
>>
>> John Vrbanac
>> ------------------------------
>> From: Asha Seshagiri <[email protected]>
>> Sent: Monday, July 20, 2015 10:30 AM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Cc: Reller, Nathan S.
>> Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>>
>> Hi John,
>>
>> Thanks a lot John for your response.
>> I tried executing the script with the following options before, but it seems it did not work. Hence I tried with the curly braces.
>>
>> Please find the other options below:
>>
>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --length 32 --label 'an_mkek'
>> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path /usr/lib/libCryptoki2_64.so --passphrase test123 --slot-id 1 mkek --length 32 --label an_mkek
>> HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID
>>
>> It would be of great help if I could get the syntax for running the script.
>>
>> Thanks and Regards,
>> Asha Seshagiri
>>
>> On Sun, Jul 19, 2015 at 6:25 PM, John Vrbanac <[email protected]> wrote:
>>> Don't include the curly brackets on the script arguments. The documentation is just using them to indicate that those are placeholders for real values.
>>>
>>> John Vrbanac
>>> ------------------------------
>>> From: Asha Seshagiri <[email protected]>
>>> Sent: Sunday, July 19, 2015 2:15 PM
>>> To: OpenStack Development Mailing List (not for usage questions)
>>> Cc: Reller, Nathan S.
>>> Subject: Re: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>>>
>>> Hi John,
>>>
>>> Thanks for pointing me to the right script.
>>> I appreciate your help.
>>>
>>> I tried running the script with the following command:
>>>
>>> [root@HSM-Client bin]# python pkcs11-key-generation --library-path {/usr/lib/libCryptoki2_64.so} --passphrase {test123} --slot-id 1 mkek --length 32 --label 'an_mkek'
>>> Traceback (most recent call last):
>>>   File "pkcs11-key-generation", line 120, in <module>
>>>     main()
>>>   File "pkcs11-key-generation", line 115, in main
>>>     kg = KeyGenerator()
>>>   File "pkcs11-key-generation", line 38, in __init__
>>>     ffi=ffi
>>>   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 315, in __init__
>>>     self.lib = self.ffi.dlopen(library_path)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 127, in dlopen
>>>     lib, function_cache = _make_ffi_library(self, name, flags)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 572, in _make_ffi_library
>>>     backendlib = _load_backend_lib(backend, libname, flags)
>>>   File "/usr/lib64/python2.7/site-packages/cffi/api.py", line 561, in _load_backend_lib
>>>     return backend.load_library(name, flags)
>>> OSError: cannot load library {/usr/lib/libCryptoki2_64.so}: {/usr/lib/libCryptoki2_64.so}: cannot open shared object file: No such file or directory
>>>
>>> Unable to run the script since the library libCryptoki2_64.so cannot be opened.
>>>
>>> Tried the following solution:
>>>
>>> - vi /etc/ld.so.conf
>>> - Added both the paths, got from the command find / -name libCryptoki2_64.so, to the /etc/ld.so.conf file:
>>>   - /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>>>   - /usr/lib/libCryptoki2_64.so
>>> - sudo ldconfig
>>> - ldconfig -p
>>>
>>> But the above solution failed and I am getting the same error.
>>>
>>> Any help would be highly appreciated.
>>> Thanks in advance!
>>>
>>> Thanks and Regards,
>>> Asha Seshagiri
>>>
>>> On Sat, Jul 18, 2015 at 11:12 PM, John Vrbanac <[email protected]> wrote:
>>>> Asha,
>>>>
>>>> It looks like you don't have your mkek label correctly configured. Make sure that the mkek_label and hmac_label values in your config correctly reflect the keys that you've generated on your HSM.
>>>>
>>>> The plugin will cache the key handle to the mkek and hmac when the plugin starts, so if it cannot find them, it'll fail to load the plugin altogether.
>>>>
>>>> If you need help generating your mkek and hmac, refer to http://docs.openstack.org/developer/barbican/api/quickstart/pkcs11keygeneration.html for instructions on how to create them using a script.
>>>>
>>>> As far as who uses HSMs, I know we (Rackspace) use them with Barbican.
>>>>
>>>> John Vrbanac
>>>> ------------------------------
>>>> From: Asha Seshagiri <[email protected]>
>>>> Sent: Saturday, July 18, 2015 8:47 PM
>>>> To: openstack-dev
>>>> Cc: Reller, Nathan S.
>>>> Subject: [openstack-dev] Barbican : Unable to store the secret when Barbican was Integrated with SafeNet HSM
>>>>
>>>> Hi All,
>>>>
>>>> I have configured Barbican to integrate with SafeNet HSM.
>>>> Installed the SafeNet client libraries, registered the Barbican machine to point to the HSM server and also assigned an HSM partition.
>>>>
>>>> The following were the changes done in the barbican.conf file:
>>>>
>>>> # ================= Secret Store Plugin ===================
>>>> [secretstore]
>>>> namespace = barbican.secretstore.plugin
>>>> enabled_secretstore_plugins = store_crypto
>>>>
>>>> # ================= Crypto plugin ===================
>>>> [crypto]
>>>> namespace = barbican.crypto.plugin
>>>> enabled_crypto_plugins = p11_crypto
>>>>
>>>> [p11_crypto_plugin]
>>>> # Path to vendor PKCS11 library
>>>> library_path = '/usr/lib/libCryptoki2_64.so'
>>>> # Password to login to PKCS11 session
>>>> login = 'test123'
>>>> # Label to identify master KEK in the HSM (must not be the same as HMAC label)
>>>> mkek_label = 'an_mkek'
>>>> # Length in bytes of master KEK
>>>> mkek_length = 32
>>>> # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
>>>> hmac_label = 'my_hmac_label'
>>>> # HSM Slot id (Should correspond to a configured PKCS11 slot). Default: 1
>>>> slot_id = 1
>>>>
>>>> Unable to store the secret when Barbican was integrated with HSM.
>>>>
>>>> [root@HSM-Client crypto]# curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' -d '{"payload": "my-secret-here", "payload_content_type": "text/plain"}' http://localhost:9311/v1/secrets
>>>> {"code": 500, "description": "Secret creation failure seen - please contact site administrator.", "title": "Internal Server Error"}[root@HSM-Client crypto]#
>>>>
>>>> Please find the logs below:
>>>>
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Problem seen creating plugin: 'p11_crypto'
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils Traceback (most recent call last):
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/util/utils.py", line 42, in instantiate_plugins
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     plugin_instance = ext.plugin(*invoke_args, **invoke_kwargs)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/p11_crypto.py", line 70, in __init__
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     conf.p11_crypto_plugin.hmac_label)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 344, in cache_mkek_and_hmac
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     self.get_mkek(self.current_mkek_label, session)
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils   File "/root/barbican/barbican/plugin/crypto/pkcs11.py", line 426, in get_mkek
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils     raise P11CryptoKeyHandleException()
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils P11CryptoKeyHandleException: No key handle was found
>>>> 2015-07-18 17:15:32.642 29838 ERROR barbican.plugin.util.utils
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers [req-354affce-b3d6-41fd-b050-5e5c604004eb - 12345 - - -] Secret creation failure seen - please contact site administrator.
>>>>
>>>> (I am not sure why we are getting the CryptoPluginNotFound: Crypto plugin not found. exception, since the change is able to hit the p11_crypto.py code.)
>>>>
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers Traceback (most recent call last):
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 104, in handler
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 90, in enforcer
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/__init__.py", line 146, in content_types_enforcer
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     return fn(inst, *args, **kwargs)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/api/controllers/secrets.py", line 329, in on_post
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     transport_key_id=data.get('transport_key_id'))
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 104, in store_secret
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_model, project_model)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/resources.py", line 267, in _store_secret_using_plugin
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     secret_metadata = store_plugin.store_secret(secret_dto, context)
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/store_crypto.py", line 77, in store_secret
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     crypto.PluginSupportTypes.ENCRYPT_DECRYPT
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers   File "/root/barbican/barbican/plugin/crypto/manager.py", line 80, in get_plugin_store_generate
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers     raise crypto.CryptoPluginNotFound()
>>>> 2015-07-18 17:15:32.643 29838 ERROR barbican.api.controllers CryptoPluginNotFound: Crypto plugin not found.
>>>>
>>>> Had a chance to go through the code as to why we are getting the exception P11CryptoKeyHandleException: No key handle was found.
>>>> It is because returned_count[0] == 0. It needs to be 0 in order for the mkek to be created. From what I understand, by default all the ffi variables would have the value 0. I am not sure why the check returned_count[0] == 1: has been put.
>>>>
>>>>     if returned_count[0] == 1:
>>>>         key = object_handle_ptr[0]
>>>>     rv = self.lib.C_FindObjectsFinal(session)
>>>>     self.check_error(rv)
>>>>     if returned_count[0] == 1:
>>>>         return key
>>>>     elif returned_count[0] == 0:
>>>>         return None
>>>>
>>>> Need help. Any help would be highly appreciated. It is very critical for us to integrate with Barbican.
>>>> Also would like to know if anyone has integrated Barbican with HSM.
>>>>
>>>> --
>>>> Thanks and Regards,
>>>> Asha Seshagiri
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
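As an added example (not Barbican's code and not from this thread), the following Python models the start-up check John describes: the plugin resolves the configured mkek_label and hmac_label to key handles via the three-call PKCS#11 find pattern and refuses to load when a label is not found. The FakeToken class, its method names and the ValueError for a non-integer length are assumptions standing in for a real PKCS#11 library; it goes beyond the quoted snippet by also flagging a label that matches more than one key.

```python
class P11CryptoKeyHandleException(Exception):
    """Raised when a configured label does not resolve to exactly one key."""


class FakeToken:
    """In-memory stand-in for a PKCS#11 token (assumption, not a real HSM)."""

    def __init__(self):
        self._objects = {}       # handle (int) -> attributes
        self._pending = None     # result set between find_objects_init/final

    def generate_key(self, label, length):
        # Mirrors pkcs11-key-generation: the length attribute must be an int;
        # a string length is what the HSM rejects as CKR_ATTRIBUTE_VALUE_INVALID.
        if not isinstance(length, int):
            raise ValueError("CKR_ATTRIBUTE_VALUE_INVALID: length must be int")
        handle = len(self._objects) + 1
        self._objects[handle] = {"label": label, "length": length}
        return handle

    # The three-call PKCS#11 search: C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal.
    def find_objects_init(self, label):
        self._pending = [h for h, a in self._objects.items() if a["label"] == label]

    def find_objects(self, max_count):
        # Returns (handles, returned_count); the count is the out-parameter cffi code reads as returned_count[0].
        batch, self._pending = self._pending[:max_count], self._pending[max_count:]
        return batch, len(batch)

    def find_objects_final(self):
        self._pending = None


def get_key_handle(token, label):
    """Resolve a label to one handle; 0 matches means the key was never generated."""
    token.find_objects_init(label)
    handles, returned_count = token.find_objects(2)   # ask for 2 so duplicates are visible
    token.find_objects_final()
    if returned_count == 0:
        raise P11CryptoKeyHandleException("No key handle was found for %r" % label)
    if returned_count > 1:
        raise P11CryptoKeyHandleException("Label %r matches %d keys" % (label, returned_count))
    return handles[0]


def cache_mkek_and_hmac(token, mkek_label, hmac_label):
    """Plugin start-up: both handles must resolve, otherwise the plugin must not load."""
    return {"mkek": get_key_handle(token, mkek_label),
            "hmac": get_key_handle(token, hmac_label)}
```

The same label mismatch that produced "No key handle was found" in the logs above is reproduced by passing a label that was never generated on the token.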
