Barbican

p11_crypto plugin fails to decrypt secret payloads containing certificates

Bug #1535935 reported by John McKenzie
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Barbican
Fix Released
Critical
John McKenzie
Barbican mitaka-2 "m2"

Bug Description

Several functional tests are failing when Barbican is configured to use the recently updated p11_crypto module. The tests all pass when the old p11_crypto plugin is put back in place.

An example of the tox output (some output has been removed for clarity):

{0} functionaltests.api.v1.functional.test_rsa.RSATestCase.test_rsa_store_and_get_certificate_secret [3.042279s] ... FAILED

==============================
Failed 1 tests - output below:
==============================

functionaltests.api.v1.functional.test_rsa.RSATestCase.test_rsa_store_and_get_certificate_secret

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
    2016-01-18 16:34:37,054 21866 INFO [requests.packages.urllib3.connectionpool] Starting new HTTPS connection (1): barbican_ref
    2016-01-18 16:34:37,870 21866 DEBUG [requests.packages.urllib3.connectionpool] "POST /v1/secrets HTTP/1.1" 201 109
    2016-01-18 16:34:37,872 21866 INFO [functionaltests.common.client] Request (user=barbican-admin) (RSATestCase:test_rsa_store_and_get_certificate_secret)
     201 POST https://barbican_ref/v1/secrets
    Request Headers: {'Content-Type': 'application/json', 'Connection': 'keep-alive', 'Accept': 'application/json', 'X-Auth-Token': u'AACBlgbKj75km-DQTfF_0eUcEQ7BUgB_r7plXOXJraN5bYqY9PZfA1qKhrOgRwa_uU3owwMx1Jepo9PZGLabtF28VTRyWc6swpNpCnqrQFSxTpzO0MJ17Mwjfwd4BTOjCCI0FCWqbZ4bqg', 'Content-Length': '1628', 'Accept-Encoding': 'gzip, deflate', 'X-Project-Id': u'802958', 'User-Agent': 'python-requests/2.9.1'}
    Request Body: {"secret_type": "certificate", "payload": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvekNDQWVlZ0F3SUJBZ0lKQU9McVhLSjlxOS9uTUEwR0NTcUdTSWIzRFFFQkN3VUFNQll4RkRBU0JnTlYKQkFNTUMyVjRZVzF3YkdVdVkyOXRNQjRYRFRFMU1EUXhNVEF5TVRVeU9Wb1hEVEU0TURFd05UQXlNVFV5T1ZvdwpGakVVTUJJR0ExVUVBd3dMWlhoaGJYQnNaUzVqYjIwd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFDemEyVm9EWG1CVU1td2pGdTlGNk1NNXEvQVoxV2puV0EyWU5kTnkyMzdUckdOL25vYkREdjgKRkJCcFVQbUhOWjA0SDFMeXhGY1A4UmVGcmNJWHBpZnNSZXUybEFXYXFSUHhvdnU1Q3VBaGZlY0t2K1JoakxWTApKMEkrTVpJYjcyUk9LcGZaVG1iN2RobEZnR0QzdmtDNTFCQ2ZoR1ZXMzV3NTJPWS8yM3g1TWVPNHl2eDVteVBjCmNueE1WUTQyS3VEcnpLcWpCbFNqbUJuY3BHWXgwSmdDVCtzeUZtSHNsOHJPa3FDUFBGTG8yNFlRbis0L3ByMUEKWXdhWkFiTVRsOXpvTHRFUWo2c3hTY3VIY1M5ZThuaXB0RHhsc2JMUWdxR1ZhR2RFMTE3c3RDOTVRSDdVdklUYgp1WXpkalp3QkZjMVNnejhHWi8yaExTc0h1akppSVFjdkFnTUJBQUdqVURCT01CMEdBMVVkRGdRV0JCU1VxMkEwCmIyWG8rc0t2bUtnTjhXcThsNmo4MmpBZkJnTlZIU01FR0RBV2dCU1VxMkEwYjJYbytzS3ZtS2dOOFdxOGw2ajgKMmpBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJqaXVxaGx6TlZPVkxySERReQpHcjBmVEFDRkpkRFJFbnVoWnA0ZDkxKytEbU1DVCtiY1RHMCtHQ3AzcmZGT3VFV3BKTExMUGRTT25Jc25pYnNPCnN5S1BYdUJCWDVrbWRZSW9qYmRqVVRTd25oY3g5SlRBZktTbXhYV1NDMHJuS0NlZkFmNDRNbTZmcXZvVHlUYmUKR1NRUDZuSHpjN2VMYUsvZWZjck12WWRjdCtUZVRrSGpxUjhMdTRwalp2UmRVUWFkUUhoRHlOK09OS2RLRDlUcgpqdmZQaW0wYjdBcTg4NVBqU042UW80WjlIWFI2K25LK2JUejlIeVVBVE1mREdOUXQwTDN2eWZWeGJOT3hrQ0JjCllJNGhGdEdma096ZDZCN3Iyc1kxd0dLZFRMSGt1VDRtNC85QS9TT3p2bkgrZXBuSnFJUzlqdysxaVJqOHhjREEKNlBOVAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==", "payload_content_encoding": "base64", "payload_content_type": "application/octet-stream", "name": "mycertificate"}
    Response: {"secret_ref": "https://BARBICAN_ENDPOINT/v1/secrets/1657d270-6446-46de-a92c-db51740375e6"}
    2016-01-18 16:34:37,873 21866 INFO [requests.packages.urllib3.connectionpool] Starting new HTTPS connection (1): BARBICAN_ENDPOINT
    2016-01-18 16:34:38,744 21866 DEBUG [requests.packages.urllib3.connectionpool] "GET /v1/secrets/1657d270-6446-46de-a92c-db51740375e6/payload HTTP/1.1" 500 140
    2016-01-18 16:34:38,746 21866 INFO [functionaltests.common.client] Request (user=barbican-admin) (RSATestCase:test_rsa_store_and_get_certificate_secret)
     500 GET https://BARBICAN_ENDPOINT/v1/secrets/1657d270-6446-46de-a92c-db51740375e6/payload
    Request Headers: {'Content-Type': 'application/json', 'Connection': 'keep-alive', 'Accept': 'application/octet-stream', 'User-Agent': 'python-requests/2.9.1', 'X-Project-Id': u'802958', 'X-Auth-Token': u'AACBlgbKj75km-DQTfF_0eUcEQ7BUgB_r7plXOXJraN5bYqY9PZfA1qKhrOgRwa_uU3owwMx1Jepo9PZGLabtF28VTRyWc6swpNpCnqrQFSxTpzO0MJ17Mwjfwd4BTOjCCI0FCWqbZ4bqg'}
    Request Body: None
    Response: {"code": 500, "description": "Secret payload retrieval failure seen - please contact site administrator.", "title": "Internal Server Error"}
    2016-01-18 16:34:38,749 21866 INFO [requests.packages.urllib3.connectionpool] Starting new HTTPS connection (1): BARBICAN_ENDPOINT
    2016-01-18 16:34:39,234 21866 DEBUG [requests.packages.urllib3.connectionpool] "DELETE /v1/secrets/1657d270-6446-46de-a92c-db51740375e6 HTTP/1.1" 204 0
    2016-01-18 16:34:39,236 21866 INFO [functionaltests.common.client] Request (user=barbican-admin) (RSATestCase:tearDown)
     204 DELETE https://BARBICAN_ENDPOINT/v1/secrets/1657d270-6446-46de-a92c-db51740375e6
    Request Headers: {'Content-Type': 'application/json', 'Connection': 'keep-alive', 'Accept': 'application/json', 'X-Auth-Token': u'AACBlgbKj75km-DQTfF_0eUcEQ7BUgB_r7plXOXJraN5bYqY9PZfA1qKhrOgRwa_uU3owwMx1Jepo9PZGLabtF28VTRyWc6swpNpCnqrQFSxTpzO0MJ17Mwjfwd4BTOjCCI0FCWqbZ4bqg', 'Content-Length': '0', 'Accept-Encoding': 'gzip, deflate', 'X-Project-Id': u'802958', 'User-Agent': 'python-requests/2.9.1'}
    Request Body: None
    Response:
    2016-01-18 16:34:39,236 21866 INFO [functionaltests.api.v1.functional.test_rsa:RSATestCase] Finished: test_rsa_store_and_get_certificate_secret

The Barbican log output:

2016-01-18 21:35:15.305 15 INFO barbican.api.controllers.secrets [req-08df6427-a6cd-425c-a42f-21a731f2a327 da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Created a secret for project: 802958
2016-01-18 21:35:15.312 15 INFO barbican.api.middleware.context [req-08df6427-a6cd-425c-a42f-21a731f2a327 da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Processed request: 201 Created - POST http://barbican:9311/v1/secrets
172.17.0.3 - - [18/Jan/2016:21:35:15 +0000] "POST /v1/secrets HTTP/1.1" 201 109 "-" "python-requests/2.9.1"

2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers [req-af80365c-bec7-46bc-a037-4699bc84f00b da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Secret payload retrieval failure seen - please contact site administrator.
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers Traceback (most recent call last):
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 104, in handler
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 90, in enforcer
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers return fn(inst, *args, **kwargs)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 168, in payload
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers **kwargs
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 146, in _on_get_secret_payload
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers transport_key)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/resources.py", line 129, in get_secret
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers retrieve_plugin, secret_metadata, secret_model, project_model)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/resources.py", line 311, in _get_secret
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers context)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/store_crypto.py", line 135, in get_secret
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers context.project_model.external_id)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 139, in decrypt
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers kek, iv, decrypt_dto.encrypted, session
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 427, in decrypt
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers self._check_error(rv)
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers File "/usr/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 560, in _check_error
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers code=ERROR_CODES.get(value, 'CKR_????')))
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers P11CryptoPluginException: HSM returned response code: 0x150L CKR_BUFFER_TOO_SMALL
2016-01-18 21:35:16.152 15 ERROR barbican.api.controllers
2016-01-18 21:35:16.171 15 INFO barbican.api.middleware.context [req-af80365c-bec7-46bc-a037-4699bc84f00b da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Processed request: 500 Internal Server Error - GET http://barbican:9311/v1/secrets/1657d270-6446-46de-a92c-db51740375e6/payload
172.17.0.3 - - [18/Jan/2016:21:35:16 +0000] "GET /v1/secrets/1657d270-6446-46de-a92c-db51740375e6/payload HTTP/1.1" 500 140 "-" "-"

2016-01-18 21:35:16.669 15 INFO barbican.api.controllers.secrets [req-33030742-1133-4776-a21f-a5e068dbe090 da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Deleted secret for project: 802958
2016-01-18 21:35:16.676 15 INFO barbican.api.middleware.context [req-33030742-1133-4776-a21f-a5e068dbe090 da6c092657d64fbf99425dc1eef7e0e4 802958 - - -] Processed request: 204 No Content - DELETE http://barbican:9311/v1/secrets/1657d270-6446-46de-a92c-db51740375e6
172.17.0.3 - - [18/Jan/2016:21:35:16 +0000] "DELETE /v1/secrets/1657d270-6446-46de-a92c-db51740375e6 HTTP/1.1" 204 - "-" "-"

John McKenzie (jmckind)
summary: - pkcs11 plugin fails to decrypt secret payloads containing certificates
+ p11_crypto plugin fails to decrypt secret payloads containing
+ certificates
John McKenzie (jmckind)
Changed in barbican:
assignee: nobody → John McKenzie (jmckind)
Douglas Mendizábal (dougmendizabal)
Changed in barbican:
status: New → Triaged
importance: Undecided → Critical
milestone: none → mitaka-2
Revision history for this message
Douglas Mendizábal (dougmendizabal) wrote :

https://review.openstack.org/#/c/269913/

Changed in barbican:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/269913
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=7ccd7c4bac5f8269b564047a9e2c43939b0ba613
Submitter: Jenkins
Branch: master

commit 7ccd7c4bac5f8269b564047a9e2c43939b0ba613
Author: John McKenzie <email address hidden>
Date: Tue Jan 19 17:13:23 2016 -0600

    Fix buffer size for decrypt operations.

    This change adjusts the size of the buffer for decrypted data to prevent the
    "0x150L CKR_BUFFER_TOO_SMALL" error from the HSM when attempting to decrypt
    2048 bit certificate payloads.

    Change-Id: I8c4021b5c143f734ea2eb0cea13e7a58fe8f9852
    Closes-Bug: 1535935

Changed in barbican:
status: In Progress → Fix Released
Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/barbican 2.0.0.0b2

This issue was fixed in the openstack/barbican 2.0.0.0b2 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.