Hello Barbican folks,
Recently I was experimenting with the KMIPSecretStore and observed the 
following behaviour. Issuing the API call:

curl -X POST -H 'content-type:application/json' -H 'X-Project-Id:12345' \
  -d '{"payload": "my-secret-here", "payload_content_type": "text/plain", "algorithm": "aes", "bit_length":256}' \
  http://localhost:9311/v1/secrets

worked to store a secret in the backend HSM, but upon retrieving the secret I 
was presented with “mysecrethere”, instead of the expected value 
“my-secret-here”. This corruption of the secret occurs because internally it is 
assumed to be encoded as base64 and the base64 decoder drops invalid bytes, in 
this case the “-” characters. For more discussion please see the comments on 
this review: https://review.openstack.org/#/c/133725/

It seems we need to add some validation to the process so I would like to get a 
discussion going on what we should be validating and where in the pipeline it 
might fit best. I'm happy to code up a patch to make this happen but want to get 
some input and a consensus on things first.

--
Tim Kelsey
Cloud Security Engineer
HP Helion

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
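
The behaviour reported in the message above, reproduced with Python's standard base64 module, next to a strict check that rejects the input instead of silently altering it. This is an added example, not Barbican or KMIPSecretStore code; the function names and the content-type handling in normalize_payload are assumptions made for illustration.

```python
import base64
import binascii

SAMPLE = "my-secret-here"  # payload value from the curl request in the message


def lenient_roundtrip(payload: str) -> str:
    """Reproduce the corruption: permissive decode, then re-encode."""
    # validate=False (the default) silently discards non-alphabet characters,
    # so the "-" bytes vanish and the remaining 12 characters decode cleanly.
    raw = base64.b64decode(payload)
    return base64.b64encode(raw).decode("ascii")


def strict_decode(payload: str) -> bytes:
    """Reject input that is not well-formed base64 instead of dropping bytes."""
    try:
        return base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("payload is not valid base64") from exc


def normalize_payload(payload: str, content_type: str) -> str:
    """Hypothetical API-layer check: return base64 that is safe to store."""
    if content_type == "text/plain":
        # Text is encoded here and never interpreted as base64.
        return base64.b64encode(payload.encode("utf-8")).decode("ascii")
    # Assumption for this sketch: any other type must already be strict base64.
    strict_decode(payload)
    return payload


if __name__ == "__main__":
    print("lenient round trip:", lenient_roundtrip(SAMPLE))
    stored = normalize_payload(SAMPLE, "text/plain")
    print("validated round trip:", strict_decode(stored).decode("utf-8"))
    try:
        strict_decode(SAMPLE)
    except ValueError as err:
        print("strict decode of raw text:", err)
```

Validating at the point where the declared content type is known means a malformed payload fails the request with an error rather than being stored in a changed form.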