diff --git a/barbican/plugin/crypto/simple_crypto.py b/barbican/plugin/crypto/simple_crypto.py index e36bfbb61..59e7a42f1 100644 --- a/barbican/plugin/crypto/simple_crypto.py +++ b/barbican/plugin/crypto/simple_crypto.py @@ -192,10 +192,12 @@ class SimpleCryptoPlugin(c.CryptoPluginBase): if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION: return self._is_algorithm_supported(algorithm, - bit_length) + bit_length, + mode) elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION: return self._is_algorithm_supported(algorithm, - bit_length) + bit_length, + mode) else: return False @@ -217,14 +219,23 @@ class SimpleCryptoPlugin(c.CryptoPluginBase): return algorithm - def _is_algorithm_supported(self, algorithm=None, bit_length=None): + def _is_algorithm_supported(self, algorithm=None, + bit_length=None, mode=None): """check if algorithm and bit_length combination is supported.""" if algorithm is None or bit_length is None: return False - if (algorithm.lower() in - c.PluginSupportTypes.SYMMETRIC_ALGORITHMS and bit_length in - c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS): + length_factor = 1 + + # xts-mode cuts the effective key for the algorithm in half, + # so the bit_length must be the double of the supported length. + # in the future there should be a validation of supported modes too. + if mode is not None and mode.lower() == "xts": + length_factor = 2 + + if (algorithm.lower() in c.PluginSupportTypes.SYMMETRIC_ALGORITHMS + and bit_length/length_factor + in c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS): return True elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS): diff --git a/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml b/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml new file mode 100644 index 000000000..1fa862f2d --- /dev/null +++ b/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + By default barbican checks only the algorithm and the bit_length when + creating a new secret. The xts-mode cuts the key in half for aes, so for + using aes-256 with xts, you have to use a 512 bit key, but barbican allows + only a maximum of 256 bit. A check for the mode within the + _is_algorithm_supported method of the class SimpleCryptoPlugin was added + to allow 512 bit keys for aes-xts in this plugin.