Enabling FIPS mode on SafeNet HSM causes 500 error on encrypt
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Barbican |
Fix Released
|
Undecided
|
John McKenzie |
Bug Description
When using a FIPS 140-2 compliant firmware on a SafeNet Luna HSM, the pkcs11 module fails during encrypt operations, resulting in a CKR_MECHANISM_
This error is produced due to the pkcs11 module generating a random IV and using it for the encrypt operation. FIPS 140-2 requires that the IV be generated by the HSM on device, not generated on the client and passed into the HSM (like the module currently behaves).
The fix for this issue is to not generate the IV and let the HSM device handle that. This will work with FIPS 140-2 enabled or not and should actually produce a small performance increase for encrypt operations.
https:/
-----
POST /v1/secrets HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 67
Content-Type: application/json
Host: XXX
User-Agent: HTTPie/0.9.2
X-Auth-Token: XXX
{
"payload": "my-secret-here",
"payload_
}
HTTP/1.1 500 Server Error
Content-Length: 131
Content-Type: application/json; charset=UTF-8
Date: Mon, 25 Jul 2016 18:05:43 GMT
Date: Mon, 25 Jul 2016 18:05:45 GMT
Server: Jetty(9.
x-trans-id: XXX
{
"code": 500,
"description": "Secret creation failure seen - please contact site administrator.",
"title": "Internal Server Error"
}
-----
WARNING barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
ERROR barbican.
INFO barbican.
Changed in barbican: | |
assignee: | nobody → John McKenzie (jmckind) |
description: | updated |
summary: |
- Enabling FIPS mode on SafeNet HSM causes 500 with - CKR_MECHANISM_PARAM_INVALID error on encrypt + Enabling FIPS mode on SafeNet HSM causes 500 error on encrypt |
description: | updated |
Fix proposed to branch: master /review. openstack. org/347434
Review: https:/