Fix length usage in VaultKeyManager.create_key.

Previous code was considering length as bytes, but the API contract
considers the length param to be bits so that the considering `km`
as a VaultKeyManager, the call `km.create_key(ctx, 'AES', 256)` should
generate a 256 bit AES key and not a 2048 bit AES key instead.

Closes-Bug: #1817248
Change-Id: I5815cb74394e18b6058f4c5cf69b656d7cc2c43b
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>

castellan/key_manager/vault_key_manager.py

@@ -298,13 +298,18 @@ class VaultKeyManager(key_manager.KeyManager):
             msg = _("User is not authorized to use key manager.")
             raise exception.Forbidden(msg)
 
+        if length % 8:
+            msg = _("Length must be multiple of 8.")
+            raise ValueError(msg)
+
         key_id = uuid.uuid4().hex
-        key_value = os.urandom(length or 32)
+        key_value = os.urandom((length or 256) // 8)
         key = sym_key.SymmetricKey(algorithm,
-                                   length or 32,
+                                   length or 256,
                                    key_value,
                                    key_id,
                                    name or int(time.time()))
+
         return self._store_key_value(key_id, key)
 
     def store(self, context, key_value, **kwargs):

releasenotes/notes/fix-vault-create-key-b4340a3067cbd93c.yaml

@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    Fixed VaultKeyManager.create_key() to consider the `length` param as bits
+    instead of bytes for the key length. This was causing a discrepancy between
+    keys generated by the HashiCorp Vault backend and the OpenStack Barbican
+    backend. Considering `km` as an instance of a key manager, the following
+    code `km.create_key(ctx, "AES", 256)` was generating a 256 bit AES key when
+    Barbican is configured as the backend, but generating a 2048 bit AES key
+    when Vault was configured as the backend.