We have seen a regression in the PKCS11 plugin when a deployment moved from the Mitaka release to the Newton release.
The following error is generated during an encrypt operation with the PKCS11 plugin backend. This functionality was working with the Mitaka code base and the failure started happening with the Newton release onwards.
The error appears to be related to this change https://review.openstack.org/#/c/347434/ which was added to address bug: https://bugs.launchpad.net/barbican/+bug/1606591 . As per the comments, IV generation was made *optional*, but there is no supporting logic to enable/disable IV generation. Currently the code has been modified expecting that the HSM will always generate the IV, which was not the behavior in the Mitaka release, and that's why an existing deployment fails when it tries to upgrade to the newer release.
As per the following error stack trace, the error is the same as in the previously mentioned bug, but the difference now is that it is happening with an HSM which does not have FIPS enabled. We should support both configurations via some configuration flag.
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:06,351 INFO base _execute_context SELECT kek_data.id AS kek_data_id, kek_data.created_at AS kek_data_created_at, kek_data.updated_at AS kek_data_updated_at, kek_data.deleted_at AS kek_data_deleted_at, kek_data.deleted AS kek_data_deleted, kek_data.status AS kek_data_status, kek_data.plugin_name AS kek_data_plugin_name, kek_data.kek_label AS kek_data_kek_label, kek_data.project_id AS kek_data_project_id, kek_data.active AS kek_data_active, kek_data.bind_completed AS kek_data_bind_completed, kek_data.algorithm AS kek_data_algorithm, kek_data.bit_length AS kek_data_bit_length, kek_data.mode AS kek_data_mode, kek_data.plugin_meta AS kek_data_plugin_meta
FROM kek_data
WHERE kek_data.active = true AND kek_data.deleted = false AND kek_data.project_id = %s AND kek_data.plugin_name = %s
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:06,351 INFO base _execute_context ('e0371c1c-b571-428b-852e-0ec388a20dae', 'barbican.plugin.crypto.p11_crypto.P11CryptoPlugin')
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:06,356 INFO base _execute_context INSERT INTO kek_data (id, created_at, updated_at, deleted_at, deleted, status, plugin_name, kek_label, project_id, active, bind_completed, algorithm, bit_length, mode, plugin_meta) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:06,357 INFO base _execute_context ('2735b579-272d-498b-913b-6772e3b68830', datetime.datetime(2017, 4, 20, 16, 52, 6, 353947), datetime.datetime(2017, 4, 20, 16, 52, 6, 353947), None, 0, 'ACTIVE', 'barbican.plugin.crypto.p11_crypto.P11CryptoPlugin', 'project-7a818536ce464d7f966d4b3d1e31a54f-key-ce4f5e49-b1be-4ae8-825f-55b49ba632e1', 'e0371c1c-b571-428b-852e-0ec388a20dae', 1, 0, None, None, None, None)
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:13,807 INFO base _execute_context UPDATE kek_data SET updated_at=%s, bind_completed=%s, algorithm=%s, bit_length=%s, mode=%s, plugin_meta=%s WHERE kek_data.id = %s
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:13,807 INFO base _execute_context (datetime.datetime(2017, 4, 20, 16, 52, 13, 805428), 1, 'AES', 256, 'CBC', '{"mkek_label":"hlm_barbican_qa_pkcs_mkek_april20","hmac_label":"hlm_barbican_qa_pkcs_hmac_april20","wrapped_key":"6ebLRwhIJ4cIZHYTNvcFaqE3tfpYuyuZ7LSe0wOFrbN77AfPjEDUMxH2AWHVSYlU","hmac":"IXxWSjATx5gae2V+sVdfm4iNV3p4ik8ecVvnawVr+Eo=","iv":"Sox3M0hl0hjpZJPNhoMmEg=="}', '2735b579-272d-498b-913b-6772e3b68830')
(barbican.plugin.crypto.p11_crypto): 2017-04-20 16:52:14,792 WARNING p11_crypto _call_pkcs11 Reinitializing PKCS#11 library: HSM returned response code: 0x71L CKR_MECHANISM_PARAM_INVALID
(barbican.api.controllers): 2017-04-20 16:52:24,160 ERROR __init__ handler Secret creation failure seen - please contact site administrator.
Traceback (most recent call last):
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 103, in handler
return fn(inst, *args, **kwargs)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 89, in enforcer
return fn(inst, *args, **kwargs)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/__init__.py", line 155, in content_types_enforcer
return fn(inst, *args, **kwargs)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/api/controllers/secrets.py", line 433, in on_post
transport_key_id=data.get('transport_key_id'))
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/resources.py", line 109, in store_secret
secret_model, project_model)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/resources.py", line 279, in _store_secret_using_plugin
secret_metadata = store_plugin.store_secret(secret_dto, context)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/store_crypto.py", line 97, in store_secret
encrypt_dto, kek_meta_dto, context.project_model.external_id
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 115, in encrypt
project_id)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 150, in _call_pkcs11
return func(*args, **kwargs)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/crypto/p11_crypto.py", line 157, in _encrypt
kek, encrypt_dto.unencrypted, session
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 402, in encrypt
self._check_error(rv)
File "/opt/stack/service/barbican-api/venv/lib/python2.7/site-packages/barbican/plugin/crypto/pkcs11.py", line 576, in _check_error
"HSM returned response code: {code}").format(code=hex_code))
P11CryptoPluginException: HSM returned response code: 0x71L CKR_MECHANISM_PARAM_INVALID
(sqlalchemy.engine.base.Engine): 2017-04-20 16:52:24,163 INFO base _rollback_impl ROLLBACK
(barbican.api.middleware.context): 2017-04-20 16:52:24,170 INFO context process_response Processed request: 500 Internal Server Error - POST https://192.168.245.5:9311/v1/secrets/
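An added example, not Barbican's code, of the configuration flag the report asks for: an `hsm_generates_iv` setting selects between leaving the IV buffer empty for the token to fill and generating a random IV in software. The token is a constructed stand-in (`FakeHsm`) that only models how the non-FIPS HSM in the log answers an empty IV with CKR_MECHANISM_PARAM_INVALID (0x71); `encrypt_iv` and `try_encrypt` are assumed names, not plugin API.

```python
import os

CKR_OK = 0x00
CKR_MECHANISM_PARAM_INVALID = 0x71   # the response code seen in the report's log
AES_BLOCK_BYTES = 16


class P11CryptoPluginException(Exception):
    """Same name as the exception in the report's traceback (defined here for the example)."""


class FakeHsm(object):
    """Constructed stand-in for a PKCS#11 token; it only models IV handling.
    generates_iv=True fills in an empty IV buffer like a token that makes its own IV;
    generates_iv=False behaves like the non-FIPS HSM in the report and rejects it."""

    def __init__(self, generates_iv):
        self.generates_iv = generates_iv

    def encrypt_init(self, iv):
        # Returns (return value, IV actually used), mimicking C_EncryptInit's rv.
        if len(iv) == 0:
            if not self.generates_iv:
                return CKR_MECHANISM_PARAM_INVALID, None
            return CKR_OK, os.urandom(AES_BLOCK_BYTES)   # token-chosen IV
        if len(iv) != AES_BLOCK_BYTES:
            return CKR_MECHANISM_PARAM_INVALID, None
        return CKR_OK, iv


def check_error(rv):
    """Same shape as the _check_error call that raised in the traceback."""
    if rv != CKR_OK:
        raise P11CryptoPluginException(
            "HSM returned response code: {code}".format(code=hex(rv)))


def encrypt_iv(hsm, hsm_generates_iv):
    """The proposed flag: empty buffer -> HSM supplies the IV, else a software IV."""
    iv = b"" if hsm_generates_iv else os.urandom(AES_BLOCK_BYTES)
    rv, used_iv = hsm.encrypt_init(iv)
    check_error(rv)
    return used_iv   # what gets stored next to the ciphertext ("iv" in plugin_meta)


def try_encrypt(hsm, hsm_generates_iv):
    """Return ('ok', iv) or ('error', message) so both outcomes can be inspected."""
    try:
        return "ok", encrypt_iv(hsm, hsm_generates_iv)
    except P11CryptoPluginException as exc:
        return "error", str(exc)


if __name__ == "__main__":
    for flag in (True, False):
        print("non-FIPS HSM, hsm_generates_iv=%s -> %r" % (flag, try_encrypt(FakeHsm(False), flag)))
```

With the flag left at the Newton default (HSM generates the IV) the non-FIPS token fails with 0x71 exactly as in the log; switching the flag off keeps the Mitaka behavior of a software-generated IV.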
Does this need to be backported to Ocata and Newton?