public type secret creation fails with 400

Bug #1441866 reported by Douglas Mendizábal
This bug affects 1 person
Affects: Barbican
Status: Fix Released
Importance: Critical
Assigned to: Douglas Mendizábal

Bug Description

When attempting to store a Public RSA Key using a "public" secret type in one POST request, the operation incorrectly fails with a 400 - bad request response.

Steps to recreate:

# Create the RSA keypair
openssl genrsa -out private.pem 2048

# Extract the public key
openssl rsa -in private.pem -out public.pem -pubout

# Base64 encode the contents of the public key
PUB_BASE64=$(base64 < public.pem)

# Send the encoded blob to barbican in a single POST request
curl -vv -H "X-Auth-Token: $TOKEN" \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{"name": "RSA Public Key",
     "secret_type": "public",
     "payload": "'"$PUB_BASE64"'",
     "payload_content_type": "application/octet-stream",
     "payload_content_encoding": "base64",
     "algorithm": "RSA"}' \
http://localhost:9311/v1/secrets | python -m json.tool

Expected response:

200 OK - { "secret_ref": "<some_ref>"}

Actual response:

400 - Bad Request

Changed in barbican:
milestone: none → kilo-rc1
importance: Undecided → Critical
Changed in barbican:
assignee: nobody → Juan Antonio Osorio Robles (juan-osorio-robles)
Changed in barbican:
assignee: Juan Antonio Osorio Robles (juan-osorio-robles) → nobody
Changed in barbican:
status: New → Confirmed
Changed in barbican:
assignee: nobody → Douglas Mendizábal (dougmendizabal)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/173396

Changed in barbican:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to barbican (master)

Reviewed: https://review.openstack.org/173396
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=829c7dc6e151584dc61a00b5f9007b3f7a196dce
Submitter: Jenkins
Branch: master

commit 829c7dc6e151584dc61a00b5f9007b3f7a196dce
Author: Douglas Mendizábal <email address hidden>
Date: Tue Apr 14 01:43:06 2015 -0500

    Fix base64 decoding of payloads in one-step POST

    Fix the way that normalization was handling base64 encoding in a
    one-step POST secret creation.

    Previous to this CR, PEM payloads in a one-step POST with
    payload_content_encoding="base64" were being converted to DER form,
    which was inconsistent with the way content-encoding works with other
    secret types.

    This CR requires that PEM payloads be base64 encoded in their entirety
    to be included in a one-step POST.

    This also means that when a PEM payload is passed to the secret_store it
    will be base64 encoded in its entirety, so secret stores that need to
    use DER forms need to make the conversion internally in the plugin.
    I will add the changes for the KMIP secret store in a follow-up CR.

    Barbican core also expects PEM formatted payloads that have been base64
    encoded back from the secret_store during a get, so those changes are
    made as well.

    Fixes-Bug: #1441866
    Change-Id: Ifbe021729a14f18fddd05991f6f96e49fbcf5c01
    Co-Authored-By: Dave McCowan <email address hidden>
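
The encoding rule described in the commit message above, as an added example that is not part of the bug report or of Barbican's code: the whole PEM file is base64 encoded for the one-step POST, the receiver undoes only that encoding, and a store that needs DER strips the PEM armor itself. Function names are hypothetical and the sample key is constructed placeholder bytes, not a real RSA key.

```python
import base64
import json

PEM_HEAD = b"-----BEGIN PUBLIC KEY-----"
PEM_TAIL = b"-----END PUBLIC KEY-----"

def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with a 64-column base64 body."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return PEM_HEAD + b"\n" + body + b"\n" + PEM_TAIL + b"\n"

def pem_to_der(pem: bytes) -> bytes:
    """Conversion a DER-based secret store plugin would do internally."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not a PEM public key")
    return base64.b64decode(b"".join(lines[1:-1]), validate=True)

def build_one_step_post(pem: bytes) -> str:
    """JSON body for POST /v1/secrets: the entire PEM file is base64 encoded."""
    return json.dumps({
        "name": "RSA Public Key",
        "secret_type": "public",
        "payload": base64.b64encode(pem).decode("ascii"),  # single line, JSON-safe
        "payload_content_type": "application/octet-stream",
        "payload_content_encoding": "base64",
        "algorithm": "RSA",
    })

def decode_payload(body: str) -> bytes:
    """Receiver side: undo the content encoding and nothing else."""
    doc = json.loads(body)
    if doc.get("payload_content_encoding") != "base64":
        raise ValueError("unsupported payload_content_encoding")
    return base64.b64decode(doc["payload"], validate=True)

# Constructed sample: placeholder bytes standing in for a DER key, not a real key.
SAMPLE_DER = bytes(range(256)) + b"\x30\x82"
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    stored = decode_payload(build_one_step_post(SAMPLE_PEM))
    print(stored.startswith(PEM_HEAD), pem_to_der(stored) == SAMPLE_DER)
```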

Changed in barbican:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in barbican:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in barbican:
milestone: kilo-rc1 → 2015.1.0