openstack/barbican
Code Issues Proposed changes

Merge "Adding support for 512-Bit-Secret-Creation when using xts-mode"

Browse Source
This commit is contained in:
Zuul 2018-08-01 15:07:04 +00:00 committed by Gerrit Code Review
commit 08ca2287dd
2 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
barbican/plugin/crypto/simple_crypto.py
View File

@ -192,10 +192,12 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):
if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION: if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION:
return self._is_algorithm_supported(algorithm, return self._is_algorithm_supported(algorithm,
bit_length) bit_length,
mode)
elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION: elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION:
return self._is_algorithm_supported(algorithm, return self._is_algorithm_supported(algorithm,
bit_length) bit_length,
mode)
else: else:
return False return False
@ -217,14 +219,23 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):
return algorithm return algorithm
def _is_algorithm_supported(self, algorithm=None, bit_length=None): def _is_algorithm_supported(self, algorithm=None,
bit_length=None, mode=None):
"""check if algorithm and bit_length combination is supported.""" """check if algorithm and bit_length combination is supported."""
if algorithm is None or bit_length is None: if algorithm is None or bit_length is None:
return False return False
if (algorithm.lower() in length_factor = 1
c.PluginSupportTypes.SYMMETRIC_ALGORITHMS and bit_length in
c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS): # xts-mode cuts the effective key for the algorithm in half,
# so the bit_length must be the double of the supported length.
# in the future there should be a validation of supported modes too.
if mode is not None and mode.lower() == "xts":
length_factor = 2
if (algorithm.lower() in c.PluginSupportTypes.SYMMETRIC_ALGORITHMS
and bit_length/length_factor
in c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS):
return True return True
elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS
and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS): and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS):

9
releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml Normal file
View File

@ -0,0 +1,9 @@
---
fixes:
- |
By default barbican checks only the algorithm and the bit_length when
creating a new secret. The xts-mode cuts the key in half for aes, so for
using aes-256 with xts, you have to use a 512 bit key, but barbican allows
only a maximum of 256 bit. A check for the mode within the
_is_algorithm_supported method of the class SimpleCryptoPlugin was added
to allow 512 bit keys for aes-xts in this plugin.