Adding support for 512-Bit-Secret-Creation when using xts-mode

By default barbican checks only the algorithm and the bit_length when
creating a new secret. The xts-mode cuts the key in half for aes, so
for using aes-256 with xts, you have to use a 512 bit key, but
barbican allows only a maximum of 256 bit.
For this reason, it was necessary to add a check for the mode within
the _is_algorithm_supported method of the class SimpleCryptoPlugin.
When mode xts is set, it now checks, if the half of the key-length is
in the list of supported bit-length. So when using xts-mode, 512 bit
keys are now supported, but 64 bit keys are not because they would
result in a 32 bit aes key, which would be too short. Maybe there are
other modes too, which change the effective key-length, so the new
length_factor was added, to make it easier to add other modes like xts
too.
In the future their could be a list of supported modes together with
its key changing factor.

Change-Id: I4dc552587391ad2245ee2fdfa20ce178da2efbe0
Story: 2002612
This commit is contained in:
Josephine Seifert 2018-06-21 10:57:25 +02:00
parent 0477799ea7
commit abd65a1e50
2 changed files with 26 additions and 6 deletions

View File

@ -192,10 +192,12 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):
if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION:
return self._is_algorithm_supported(algorithm,
bit_length)
bit_length,
mode)
elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION:
return self._is_algorithm_supported(algorithm,
bit_length)
bit_length,
mode)
else:
return False
@ -217,14 +219,23 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):
return algorithm
def _is_algorithm_supported(self, algorithm=None, bit_length=None):
def _is_algorithm_supported(self, algorithm=None,
bit_length=None, mode=None):
"""check if algorithm and bit_length combination is supported."""
if algorithm is None or bit_length is None:
return False
if (algorithm.lower() in
c.PluginSupportTypes.SYMMETRIC_ALGORITHMS and bit_length in
c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS):
length_factor = 1
# xts-mode cuts the effective key for the algorithm in half,
# so the bit_length must be the double of the supported length.
# in the future there should be a validation of supported modes too.
if mode is not None and mode.lower() == "xts":
length_factor = 2
if (algorithm.lower() in c.PluginSupportTypes.SYMMETRIC_ALGORITHMS
and bit_length/length_factor
in c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS):
return True
elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS
and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS):

View File

@ -0,0 +1,9 @@
---
fixes:
- |
By default barbican checks only the algorithm and the bit_length when
creating a new secret. The xts-mode cuts the key in half for aes, so for
using aes-256 with xts, you have to use a 512 bit key, but barbican allows
only a maximum of 256 bit. A check for the mode within the
_is_algorithm_supported method of the class SimpleCryptoPlugin was added
to allow 512 bit keys for aes-xts in this plugin.