From abd65a1e5097a14a537b6c09cf5db66ab7c4e08e Mon Sep 17 00:00:00 2001 From: Josephine Seifert Date: Thu, 21 Jun 2018 10:57:25 +0200 Subject: [PATCH] Adding support for 512-Bit-Secret-Creation when using xts-mode By default barbican checks only the algorithm and the bit_length when creating a new secret. The xts-mode cuts the key in half for aes, so for using aes-256 with xts, you have to use a 512 bit key, but barbican allows only a maximum of 256 bit. For this reason, it was necessary to add a check for the mode within the _is_algorithm_supported method of the class SimpleCryptoPlugin. When mode xts is set, it now checks, if the half of the key-length is in the list of supported bit-length. So when using xts-mode, 512 bit keys are now supported, but 64 bit keys are not because they would result in a 32 bit aes key, which would be too short. Maybe there are other modes too, which change the effective key-length, so the new length_factor was added, to make it easier to add other modes like xts too. In the future their could be a list of supported modes together with its key changing factor. Change-Id: I4dc552587391ad2245ee2fdfa20ce178da2efbe0 Story: 2002612 --- barbican/plugin/crypto/simple_crypto.py | 23 ++++++++++++++----- ...gth-in-simple-crypto-95936a2d830035cc.yaml | 9 ++++++++ 2 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml diff --git a/barbican/plugin/crypto/simple_crypto.py b/barbican/plugin/crypto/simple_crypto.py index e36bfbb61..59e7a42f1 100644 --- a/barbican/plugin/crypto/simple_crypto.py +++ b/barbican/plugin/crypto/simple_crypto.py @@ -192,10 +192,12 @@ class SimpleCryptoPlugin(c.CryptoPluginBase): if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION: return self._is_algorithm_supported(algorithm, - bit_length) + bit_length, + mode) elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION: return self._is_algorithm_supported(algorithm, - bit_length) + bit_length, + mode) else: return False @@ -217,14 +219,23 @@ class SimpleCryptoPlugin(c.CryptoPluginBase): return algorithm - def _is_algorithm_supported(self, algorithm=None, bit_length=None): + def _is_algorithm_supported(self, algorithm=None, + bit_length=None, mode=None): """check if algorithm and bit_length combination is supported.""" if algorithm is None or bit_length is None: return False - if (algorithm.lower() in - c.PluginSupportTypes.SYMMETRIC_ALGORITHMS and bit_length in - c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS): + length_factor = 1 + + # xts-mode cuts the effective key for the algorithm in half, + # so the bit_length must be the double of the supported length. + # in the future there should be a validation of supported modes too. + if mode is not None and mode.lower() == "xts": + length_factor = 2 + + if (algorithm.lower() in c.PluginSupportTypes.SYMMETRIC_ALGORITHMS + and bit_length/length_factor + in c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS): return True elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS): diff --git a/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml b/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml new file mode 100644 index 000000000..1fa862f2d --- /dev/null +++ b/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml @@ -0,0 +1,9 @@ +--- +fixes: + - | + By default barbican checks only the algorithm and the bit_length when + creating a new secret. The xts-mode cuts the key in half for aes, so for + using aes-256 with xts, you have to use a 512 bit key, but barbican allows + only a maximum of 256 bit. A check for the mode within the + _is_algorithm_supported method of the class SimpleCryptoPlugin was added + to allow 512 bit keys for aes-xts in this plugin.