KeyManager.create_key length parameter is ambiguous
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| castellan |
Fix Released
|
High
|
Moisés Guimarães de Medeiros | ||
Bug Description
The length parameter in KeyManager.
Because of this, there is a mismatch in the way that BarbicanKeyManager and VaultKeyManager handle them.
BarbicanKeyManager assumes the value is bits, but VaultKeyManager assumes the value is in bytes. This, in turn, could result in unexpected behavior in applications using Castellan, since they would not have any knowledge at runtime about which backend is running and whether Castellan will return bits or bytes when asked to generate keys.
For example, consider the following:
keymgr = key_manager.
keymgr.
Which currently generates a 256 bit AES key when Barbican is configured, but generates a 2048 bit AES key when Vault is configured.
| description: | updated |
| description: | updated |
| description: | updated |
| Changed in castellan: | |
| assignee: | nobody → Moisés Guimarães de Medeiros (moguimar) |
| importance: | Undecided → High |
| status: | New → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix merged to castellan (master) | #1 |
| Changed in castellan: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/castellan 1.2.1 | #2 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 9ecd30081aafbd4
Author: Moisés Guimarães de Medeiros <email address hidden>
Date: Fri Feb 22 13:49:50 2019 +0100
Fix length usage in VaultKeyManager
Previous code was considering length as bytes, but the API contract
considers the length param to be bits so that the considering `km`
as a VaultKeyManager, the call `km.create_key(ctx, 'AES', 256)` should
generate a 256 bit AES key and not a 2048 bit AES key instead.
Closes-Bug: #1817248
Change-Id: I5815cb74394e18
Signed-off-by: Moisés Guimarães de Medeiros <email address hidden>