Unable to input a length in the pkcs11-key-generation python script that generates MKEK

Bug #1480735 reported by asha
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Barbican | Fix Released | Medium | Fernando Diaz |

Bug Description

PKCS11-key-generation is a Python script that is used for generating the MKEK and HMAC.
The issue is seen while generating the MKEK, which takes the length of the MKEK as one of its arguments. The script generates "Invalid Attribute Value" as the response when the length of the argument is passed as an integer (in this case, it is 32).

For example: # python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --length 32 --label 'an_mkek'
HSM returned response code: 0x13L CKR_ATTRIBUTE_VALUE_INVALID.

This is because the length of the argument is coming as a String instead of an integer. The length argument needs to be converted into a proper integer in order to run the script successfully.

Workaround: The length argument defaults to the integer value 32. Hence, when the length argument is not passed to the script, the value of the length argument defaults to 32 and the script generates the MKEK values successfully.

For example: # python pkcs11-key-generation --library-path '/usr/lib/libCryptoki2_64.so' --passphrase 'test123' --slot-id 1 mkek --label 'an_mkek'
Verified label !
MKEK successfully generated!
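
The string-versus-integer behaviour described in this report, reproduced with argparse as an added example (not part of the original report and not Barbican's code): an integer default is passed through untouched, while a value given on the command line arrives as a string unless a type converter is set. Assumptions: the parser layout is reconstructed from the flags in the commands above, the MKEK is treated as an AES key (16, 24 or 32 bytes), and `aes_key_length`, `value_len_attribute` and `parsed_length` are hypothetical helpers.

```python
import argparse

AES_KEY_BYTES = (16, 24, 32)  # assumption: the MKEK is an AES key

def aes_key_length(text):
    """argparse type: convert to int and reject bad sizes before the HSM is called."""
    try:
        value = int(text)
    except ValueError:
        raise argparse.ArgumentTypeError("length must be an integer: %r" % text)
    if value not in AES_KEY_BYTES:
        raise argparse.ArgumentTypeError("length must be one of %s" % (AES_KEY_BYTES,))
    return value

def build_parser(coerce_length):
    """Parser with the flags seen in the report; coerce_length adds the converter."""
    parser = argparse.ArgumentParser(prog="pkcs11-key-generation")
    parser.add_argument("--library-path", required=True)
    parser.add_argument("--passphrase", required=True)
    parser.add_argument("--slot-id", type=int, default=1)
    mkek = parser.add_subparsers(dest="command").add_parser("mkek")
    length_opts = {"default": 32}  # an int default is never run through `type`
    if coerce_length:
        length_opts["type"] = aes_key_length
    mkek.add_argument("--length", **length_opts)
    mkek.add_argument("--label", required=True)
    return parser

def value_len_attribute(length):
    """Stand-in for building CKA_VALUE_LEN, which PKCS#11 defines as a CK_ULONG."""
    if isinstance(length, bool) or not isinstance(length, int):
        raise TypeError("CKA_VALUE_LEN needs an int, got %s" % type(length).__name__)
    return ("CKA_VALUE_LEN", length)

def parsed_length(argv, coerce_length):
    return build_parser(coerce_length).parse_args(argv).length

# Constructed argv, taken from the workaround command in the report.
BASE = ["--library-path", "/usr/lib/libCryptoki2_64.so", "--passphrase", "test123",
        "--slot-id", "1", "mkek", "--label", "an_mkek"]

if __name__ == "__main__":
    for coerce in (False, True):
        for argv in (BASE, BASE + ["--length", "32"]):
            length = parsed_length(argv, coerce)
            print("type=int" if coerce else "no type", type(length).__name__, repr(length))
```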

asha (asha-seshagiri)
Changed in barbican:
assignee: nobody → asha (asha-seshagiri)
Fernando Diaz (diazjf) wrote :

stack@stack-VirtualBox:/opt/stack/barbican/bin$ sudo python pkcs11-key-generation.py --library-path /usr/local/lib/softhsm/libsofthsm2.so --passphrase mypassword --slot-id 1 mkek --length 32 --label 'primarymkek1'
No handlers could be found for logger "oslo_config.cfg"
HSM returned response code: 0xd0L CKR_TEMPLATE_INCOMPLETE

stack@stack-VirtualBox:/opt/stack/barbican/bin$ sudo python pkcs11-key-generation.py --library-path /usr/local/lib/softhsm/libsofthsm2.so --passphrase mypassword --slot-id 1 mkek --label 'primarymkek1'
No handlers could be found for logger "oslo_config.cfg"
MKEK successfully generated!
stack@stack-VirtualBox:/opt/stack/barbican/bin$

Changed in barbican:
status: New → Confirmed
Fernando Diaz (diazjf)
Changed in barbican:
assignee: asha (asha-seshagiri) → Fernando Diaz (diazjf)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/247929

Changed in barbican:
status: Confirmed → In Progress
Fernando Diaz (diazjf)
summary: - Unable to run pkcs11-key-generation python script that generates MKEK
+ Unable to input a length in the pkcs11-key-generation python script that
+ generates MKEK
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/247929
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=03ee791407b81ad8bd11d9e4ea72ca14caa4907e
Submitter: Jenkins
Branch: master

commit 03ee791407b81ad8bd11d9e4ea72ca14caa4907e
Author: Fernando Diaz <email address hidden>
Date: Thu Nov 19 23:56:51 2015 -0600

    Allow length to be passed in MKEK Creation

    Allows length argument to be passed in MKEK Creation. There is
    a bug where it fails, therefore the user can only have the
    default 32 value.

    Change-Id: I0cfd8d5690fd781419ece79bbb0337a2fe8fef49
    Closes-Bug: #1480735

Changed in barbican:
status: In Progress → Fix Committed
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/barbican 2.0.0.0b1

This issue was fixed in the openstack/barbican 2.0.0.0b1 development milestone.

Changed in barbican:
status: Fix Committed → Fix Released
Changed in barbican:
milestone: none → mitaka-1
importance: Undecided → Medium