From 9ecd30081aafbd45d4d40fc927aad1a6e18aaa6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es=20de=20Medeiros?=
 <moguimar@redhat.com>
Date: Fri, 22 Feb 2019 13:49:50 +0100
Subject: [PATCH] Fix length usage in VaultKeyManager.create_key.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previous code was considering length as bytes, but the API contract
considers the length param to be bits so that the considering `km`
as a VaultKeyManager, the call `km.create_key(ctx, 'AES', 256)` should
generate a 256 bit AES key and not a 2048 bit AES key instead.

Closes-Bug: #1817248
Change-Id: I5815cb74394e18b6058f4c5cf69b656d7cc2c43b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
---
 castellan/key_manager/vault_key_manager.py             |  9 +++++++--
 .../notes/fix-vault-create-key-b4340a3067cbd93c.yaml   | 10 ++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-vault-create-key-b4340a3067cbd93c.yaml

diff --git a/castellan/key_manager/vault_key_manager.py b/castellan/key_manager/vault_key_manager.py
index 1eb38360..ec198258 100644
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@@ -298,13 +298,18 @@ class VaultKeyManager(key_manager.KeyManager):
             msg = _("User is not authorized to use key manager.")
             raise exception.Forbidden(msg)
 
+        if length % 8:
+            msg = _("Length must be multiple of 8.")
+            raise ValueError(msg)
+
         key_id = uuid.uuid4().hex
-        key_value = os.urandom(length or 32)
+        key_value = os.urandom((length or 256) // 8)
         key = sym_key.SymmetricKey(algorithm,
-                                   length or 32,
+                                   length or 256,
                                    key_value,
                                    key_id,
                                    name or int(time.time()))
+
         return self._store_key_value(key_id, key)
 
     def store(self, context, key_value, **kwargs):
diff --git a/releasenotes/notes/fix-vault-create-key-b4340a3067cbd93c.yaml b/releasenotes/notes/fix-vault-create-key-b4340a3067cbd93c.yaml
new file mode 100644
index 00000000..246ac26e
--- /dev/null
+++ b/releasenotes/notes/fix-vault-create-key-b4340a3067cbd93c.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixed VaultKeyManager.create_key() to consider the `length` param as bits
+    instead of bytes for the key length. This was causing a discrepancy between
+    keys generated by the HashiCorp Vault backend and the OpenStack Barbican
+    backend. Considering `km` as an instance of a key manager, the following
+    code `km.create_key(ctx, "AES", 256)` was generating a 256 bit AES key when
+    Barbican is configured as the backend, but generating a 2048 bit AES key
+    when Vault was configured as the backend.