Merge "Adding support for 512-Bit-Secret-Creation when using xts-mode"

2018-08-01 15:07:04 +00:00 · 2018-08-01 15:07:04 +00:00 · 08ca2287dd
commit 08ca2287dd
parent 3141c87fbd abd65a1e50
2 changed files with 26 additions and 6 deletions
--- a/barbican/plugin/crypto/simple_crypto.py
+++ b/barbican/plugin/crypto/simple_crypto.py
@ -192,10 +192,12 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):

        if type_enum == c.PluginSupportTypes.SYMMETRIC_KEY_GENERATION:
            return self._is_algorithm_supported(algorithm,
-                                                bit_length)
+                                                bit_length,
+                                                mode)
        elif type_enum == c.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION:
            return self._is_algorithm_supported(algorithm,
-                                                bit_length)
+                                                bit_length,
+                                                mode)
        else:
            return False

@ -217,14 +219,23 @@ class SimpleCryptoPlugin(c.CryptoPluginBase):

        return algorithm

-    def _is_algorithm_supported(self, algorithm=None, bit_length=None):
+    def _is_algorithm_supported(self, algorithm=None,
+                                bit_length=None, mode=None):
        """check if algorithm and bit_length combination is supported."""
        if algorithm is None or bit_length is None:
            return False

-        if (algorithm.lower() in
-                c.PluginSupportTypes.SYMMETRIC_ALGORITHMS and bit_length in
-                c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS):
+        length_factor = 1
+
+        # xts-mode cuts the effective key for the algorithm in half,
+        # so the bit_length must be the double of the supported length.
+        # in the future there should be a validation of supported modes too.
+        if mode is not None and mode.lower() == "xts":
+            length_factor = 2
+
+        if (algorithm.lower() in c.PluginSupportTypes.SYMMETRIC_ALGORITHMS
+            and bit_length/length_factor
+                in c.PluginSupportTypes.SYMMETRIC_KEY_LENGTHS):
            return True
        elif (algorithm.lower() in c.PluginSupportTypes.ASYMMETRIC_ALGORITHMS
              and bit_length in c.PluginSupportTypes.ASYMMETRIC_KEY_LENGTHS):
--- a/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml
+++ b/releasenotes/notes/allow-aes-xts-512-bitlength-in-simple-crypto-95936a2d830035cc.yaml
@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    By default barbican checks only the algorithm and the bit_length when
+    creating a new secret. The xts-mode cuts the key in half for aes, so for
+    using aes-256 with xts, you have to use a 512 bit key, but barbican allows
+    only a maximum of 256 bit. A check for the mode within the
+    _is_algorithm_supported method of the class SimpleCryptoPlugin was added
+    to allow 512 bit keys for aes-xts in this plugin.