Juju Charm - Barbican
Go to file
Corey Bryant 29a892693e Pin tox to < 4.0.0
Tox 4.0.0 was recently released and it has several breaking changes.
We pin to < 4.0.0 here. We are planning to move forward only on the
master charm branches.

Tox is also pinned to < 4.0.0 for stable branches in upstream
openstack-zuul-jobs as well as in zosci-config. However, the
requires= section in the charm's tox.ini file ends up installing
tox>4, wiping out the zuul-pinned tox<4 that was already installed
installed. This patch fixes that.

Related-Bug: #2002788
Change-Id: I92d2a05c5bab3d57c3c90cc7a3b7b679d0d21f1e
2023-01-13 15:09:21 -05:00
src Ensure upgrades are executed 2022-10-05 14:23:39 +00:00
unit_tests Ensure upgrades are executed 2022-10-05 14:23:39 +00:00
.gitignore Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
.gitreview Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
.stestr.conf Add support for pluggable secrets backend 2018-10-22 07:36:39 +02:00
.zuul.yaml Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
build-requirements.txt Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
charmcraft.yaml Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
LICENSE Add barbican-hsm-plugin interface support 2016-07-12 12:35:51 +00:00
metadata.yaml Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
osci.yaml Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
pip.sh Add xena bundles 2021-09-21 13:58:47 +01:00
README.md Keystone v2 and v3 manual and amulet/bundle testing 2016-08-09 16:49:09 +00:00
rebuild Add xena bundles 2021-09-21 13:58:47 +01:00
rename.sh Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
requirements.txt Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
setup.sh Render paste ini properly and other fixes 2015-12-11 13:43:03 +00:00
test-requirements.txt Migrate charm charmhub for stable/wallaby 2022-06-17 15:07:06 +01:00
tox.ini Pin tox to < 4.0.0 2023-01-13 15:09:21 -05:00

Barbican Source Charm

THIS CHARM IS FOR EXPERIMENTAL USE AT PRESENT.

This repository is for the reactive, layered, Barbican source charm. From the wiki 'Barbican is a REST API designed for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 Certificates. It is aimed at being useful for all environments, including large ephemeral Clouds.'

Barbican can be used without an HSM for test purposes.

Plugins

The Barbican charm currently supports the following plugins:

  • charm-barbican-softhsm

However, due to an odd quirk of interelating software issues, barbican + SoftHSM2 + OpenSSL < 1.0.2h is not functionaly due to a missing feature in OpenSSL (EVP_aes_128_wrap_pad specifically).

Thus the plugin interface is currently provided to show how to interface an HSM to the barbican charm.

Creating the primary MKEK and primary HMAC

Barbican (can use|uses) a Master Key Encryption Key (MKEK) scheme to wrap other keys so that in the course of issuing new encryption keys, it does not exhaust the storage capacity of an HSM.

See KMIP MKEK Model Plugin for more details.

Barbican itself can generate the MKEK and HMAC keys and store them in the associated HSM through the use of two actions 'generate-mkek' and 'generate-hmac'.

The names of the keys are stored in the configuration for the service as 'mkek-label' and 'hmac-label'. These default to 'primarymkek' and 'primaryhmac' respectively.

Note that these keys are not recoverable from the HSM. If the HSM has already been configured with these keys then these actions would overwrite the existing key. So only use them for the initial implementation or to change the MKEK and HMAC keys in the HSM.

Use of actions

For juju 1.x:

juju action do generate-mkek

For juju 2.x:

juju run-action generate-mkek

Note that, depending on the HSM, it may only be possible to do this ONCE as the HSM may reject setting up the keys more than once.

Developer Notes

The Barbican charm has to be able to set [crypto] and [xxx_plugin] sections in the barbican-api.conf file. This data comes via the barbican-hsm interface from a charm (probably a subordinate) that provides the interface.

On the barbican-hsm interface the data is provided in the plugin_data() method of the interface (or if it is adapted) in the plugin_data property.

The theory of operation for the crypto plugin is that a local library that supports the PKCS#11 interface that Barbican can talk to locally.

Note(AJK): it is not clear yet how a clustered Barbican can be created with a single HSM backend. It's likely to be a separate piece of hardward with a local library that talks to it.

In order for Barbican to be configured for the example softhsm2 library, the configuration file needs to include the entries:

[crypto]
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
library_path = '/usr/lib/libCryptoki2_64.so'
login = 'catt'
mkek_label = 'primarymkek'
mkek_length = 32
hmac_label = 'primaryhmac' slot_id = <slot_id>

Note that the /var/lib/softhsm/tokens directory HAS to exist as otherwise the softhsm2-util command won't work.