On-disk encryption is borken with Python 3
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Fix Released | High | Unassigned | |
Bug Description
When activating keymaster encryption, we get this if using Python 3:
Oct 11 11:46:00 s1-swiftproxy-3 proxy-server: get_keys(): from callback: key: expected bytes or bytearray, but got 'str':
Traceback (most recent call last):
File "/usr/lib/
keys = fetch_crypto_
File "/usr/lib/
path, secret_
File "/usr/lib/
digestmod=
File "/usr/lib/
return HMAC(key, msg, digestmod)
File "/usr/lib/
raise TypeError("key: expected bytes or bytearray, but got %r" % type(key).__name__)
TypeError: key: expected bytes or bytearray, but got 'str' (txn: tx2b59918356794
The fix is trivial:
- return hmac.new( key, wsgi_to_
+ return hmac.new( bytes(key, 'latin-1'), wsgi_to_
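Review bot: The `+` line converts unconditionally with `bytes(key, 'latin-1')`, which raises a TypeError ("encoding without a string argument") on Python 3 whenever `key` already arrives as bytes, so the fix only works for callers that hand over a str. If this path must still run on Python 2, the two-argument `bytes()` call fails there as well, because `bytes` is `str` and accepts a single argument. Suggest converting only when the key is text, e.g. `if not isinstance(key, bytes): key = key.encode('latin-1')`, and adding a unit test that passes the root secret both as str and as bytes. A short comment on why latin-1 was chosen (each code point 0-255 maps to exactly one byte) would also help the next reader.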
After this, encryption just works. Let me open the PR...
From IRC, this was the Barbican keymaster, which explains why we hadn't caught this earlier.
I finally got an instance up and running and... it just worked. I wonder if maybe it's because I requested a payload-content-type of application/octet-stream when I ran `openstack secret order create`. What were you using? Should be able to find out with `openstack secret get` -- on my machine, that gives me something like
+---------------+----------------------------------------------------------------------+
| Field         | Value                                                                |
+---------------+----------------------------------------------------------------------+
| Secret href   | http://hostname:9311/v1/secrets/de423521-8a7b-491c-be39-74f040e30827 |
| Name          | swift_root_secret                                                    |
| Created       | 2019-10-11T23:27:12.985712+00:00                                     |
| Status        | ACTIVE                                                               |
| Content types | {'default': 'application/octet-stream'}                              |
| Algorithm     | aes                                                                  |
| Bit length    | 256                                                                  |
| Secret type   | symmetric                                                            |
| Mode          | ctr                                                                  |
| Expiration    | None                                                                 |
+---------------+----------------------------------------------------------------------+
And for completeness, I've got a handful of follow-up questions:
- Is this on upload, download, container listing? Probably, all three.
- What version of python-barbicanclient is installed? What version of castellan?
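
An added example (not part of the bug report and not Swift's code) that reproduces the TypeError from the traceback and shows a type-checked conversion accepting the root secret as either str or bytes. The helper names, the sample secret and path, and the use of SHA-256 (the digest is cut off in the traceback) are assumptions.

```python
import hashlib
import hmac


def to_key_bytes(key):
    """Hypothetical helper (not Swift's code): return an HMAC key as bytes.

    A str is encoded as latin-1, so code points 0-255 map one-to-one to
    bytes; bytes input passes through unchanged.
    """
    if isinstance(key, (bytes, bytearray)):
        return bytes(key)
    if isinstance(key, str):
        # Code points above 255 raise UnicodeEncodeError rather than
        # silently yielding a different key.
        return key.encode('latin-1')
    raise TypeError('key must be str or bytes, got %s' % type(key).__name__)


def derive_key(root_secret, path, encode=to_key_bytes):
    """HMAC the path under the root secret (SHA-256 is an assumption)."""
    return hmac.new(encode(root_secret), path,
                    digestmod=hashlib.sha256).digest()


def raises_type_error(func, *args):
    """Return True when func(*args) raises TypeError."""
    try:
        func(*args)
    except TypeError:
        return True
    return False


# Constructed sample values: not a real secret, not a real Swift path.
RAW_SECRET = bytes(range(224, 256))        # 32 bytes, all >= 0x80
STR_SECRET = RAW_SECRET.decode('latin-1')  # the same secret held as str
PATH = b'/a/c'

if __name__ == '__main__':
    # Passing the key through untouched reproduces the reported TypeError.
    print(raises_type_error(derive_key, STR_SECRET, PATH, lambda k: k))
    # The unconditional bytes(key, 'latin-1') rejects a bytes key.
    print(raises_type_error(bytes, RAW_SECRET, 'latin-1'))
    # str and bytes forms of one secret derive the same key.
    print(derive_key(STR_SECRET, PATH) == derive_key(RAW_SECRET, PATH))
    # UTF-8 would change the key bytes and so the derived key.
    print(derive_key(STR_SECRET, PATH, lambda k: k.encode('utf-8'))
          == derive_key(RAW_SECRET, PATH))
```

The last comparison is the one that matters for data already on disk: a conversion that changes the key bytes derives different object keys, so anything encrypted under the original bytes would no longer decrypt.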