Friday, 2015-03-13

[00:09] *** dimtruck is now known as zz_dimtruck
[00:20] *** woodster_ has quit IRC
[00:30] *** woodster_ has joined #openstack-barbican
[00:33] *** dave-mccowan has quit IRC
[00:50] *** dave-mccowan has joined #openstack-barbican
[00:51] *** bdpayne has quit IRC
[01:09] *** zz_dimtruck is now known as dimtruck
[01:33] *** dave-mccowan has quit IRC
[01:57] <openstackgerrit> Merged openstack/barbican: Add missing alembic migration script for CA tables  https://review.openstack.org/163607
[02:18] *** xaeth_afk is now known as xaeth
[02:36] *** xaeth is now known as xaeth_afk
[02:46] *** tkelsey has joined #openstack-barbican
[02:50] *** tkelsey has quit IRC
[03:05] *** bdpayne has joined #openstack-barbican
[03:06] *** bdpayne has quit IRC
[03:23] *** gyee has quit IRC
[03:24] *** dimtruck is now known as zz_dimtruck
[03:24] *** kebray has joined #openstack-barbican
[03:28] *** kebray has quit IRC
[03:29] *** kebray has joined #openstack-barbican
[03:30] *** xaeth_afk is now known as xaeth
[03:46] *** xaeth is now known as xaeth_afk
[04:36] *** zz_dimtruck is now known as dimtruck
[04:40] *** woodster_ has quit IRC
[04:55] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Porting more tests to test_secrets  https://review.openstack.org/164074
[05:00] <openstackgerrit> Charles Neill proposed openstack/barbican: Security tests for Consumer resources  https://review.openstack.org/164075
[05:07] <openstackgerrit> Charles Neill proposed openstack/barbican: Security tests for Container resources  https://review.openstack.org/164076
[05:28] *** dimtruck is now known as zz_dimtruck
[06:48] *** gitorres has joined #openstack-barbican
[07:17] *** tkelsey has joined #openstack-barbican
[07:31] *** jamielennox has quit IRC
[07:34] *** jamielennox has joined #openstack-barbican
[07:39] *** jamielennox has quit IRC
[07:55] *** jamielennox|away has joined #openstack-barbican
[07:55] *** jamielennox|away is now known as jamielennox
[08:07] *** nickrmc84 has joined #openstack-barbican
[08:07] *** nickrmc83 has quit IRC
[08:09] *** chlong has quit IRC
[08:21] *** openstackgerrit has quit IRC
[08:21] *** openstackgerrit has joined #openstack-barbican
[08:56] *** kebray has quit IRC
[09:04] *** tkelsey has quit IRC
[09:11] *** tkelsey has joined #openstack-barbican
[10:55] *** jamielennox has quit IRC
[11:02] *** jamielennox|away has joined #openstack-barbican
[11:02] *** jamielennox|away is now known as jamielennox
[11:14] *** jamielennox has quit IRC
[11:24] *** jamielennox|away has joined #openstack-barbican
[11:24] *** jamielennox|away is now known as jamielennox
[11:32] *** dave-mccowan has joined #openstack-barbican
[11:48] *** darrenmoffat has quit IRC
[11:49] *** darrenmoffat has joined #openstack-barbican
[12:05] *** rellerreller has joined #openstack-barbican
[12:25] *** chlong has joined #openstack-barbican
[13:33] <openstackgerrit> Merged openstack/barbican: Remove extra v1 from override uri  https://review.openstack.org/163595
[13:42] *** dave-mccowan has quit IRC
[13:48] <openstackgerrit> Ade Lee proposed openstack/barbican: Added new repository classes and controller classes for CAs  https://review.openstack.org/147981
[13:56] *** dave-mccowan has joined #openstack-barbican
[14:05] *** paul_glass has joined #openstack-barbican
[14:54] <openstackgerrit> Nathan Reller proposed openstack/barbican: Standardized Secret Encoding  https://review.openstack.org/160444
[15:02] <alee> dave-mccowan, ping
[15:03] <alee> redrobot, jvrbanac - https://review.openstack.org/147981 has mostly the same stuff as was reviewed at the mid cycle.
[15:09] <alee> rellerreller, ping
[15:09] *** xaeth_afk is now known as xaeth
[15:11] <dave-mccowan> alee pong
[15:11] <alee> dave-mccowan, hey - we discussed making some changes for validations etc. on the cert api side of things at the midcycle ..
[15:11] <alee> dave-mccowan, so - where are we on this effort?
[15:12] <rellerreller> alee pong
[15:12] <alee> rellerreller, nm - I figured out what you were doing ..
[15:13] <rellerreller> alee I'm glad you know what I'm doing. Sometimes I don't.
[15:13] <dave-mccowan> alee  i haven't done anything yet since validate_subject_dn, but I'd still like to.
[15:14] <alee> rellerreller, well I didn't say I knew what I was doing - maybe you know
[15:14] <alee> dave-mccowan, ok - I want to try and wrap up as much of the cert api stuff as we can soon.
[15:14] <alee> dave-mccowan, let me look at the code and we can discuss what patches need to go in.
[15:19] <alee> dave-mccowan, so if I recall correctly, we wanted to not require a container_ref for the stored key case?
[15:20] <alee> dave-mccowan, and rather make that a reference to a private key?
[15:22] <openstackgerrit> Adam Harwell proposed openstack/barbican: Fix functionaltest keystone URL fetch bug for v2  https://review.openstack.org/164217
[15:22] <rm_work> ^^ fixes the bug I mentioned yesterday, where the functionaltests wouldn't work with v2 auth
[15:23] <rm_work> jvrbanac: ^^
[15:25] <dave-mccowan> alee my notes say "really need a secret ref validator", under _validate_certificate_container()
[15:27] <alee> dave-mccowan, right -- I think the original idea was that I thought I needed the public key - then I realized I needed the private key, so I made it a container ref
[15:27] <alee> dave-mccowan, but then I realized I only needed the private key
[15:29] <alee> dave-mccowan, well - except that I might need a passphrase too .. hmm
[15:29] <rm_work> alee: I believe the decision was made to make no part of a Cert container required
[15:29] <rm_work> right? :P
[15:30] <dave-mccowan> alee i'll follow your lead
[15:30] <rm_work> is that actually done yet? I missed a lot of CRs
[15:30] <alee> rm_work, that sounds familiar -- you'll have to bear with me, it was more than a week ago ..
[15:30] <rm_work> hehe
[15:30] <alee> rm_work, no - I think that's the next CR ..
[15:31] <rm_work> ah, so they still REQUIRE a cert and a PK right now?
[15:31] <jvrbanac> rm_work, awesome thx
[15:31] <alee> rm_work, right now it requires a container_ref
[15:31] *** zz_dimtruck is now known as dimtruck
[15:32] <rm_work> alee: I mean, the cert_container requires a cert and PK
[15:32] <alee> rm_work, I don't think so
[15:33] <rm_work> alee: ah, that was what i was asking
[15:33] *** david-lyle_afk is now known as david-lyle
[15:33] <rm_work> it *used to*
[15:33] <rm_work> via the validator
[15:33] <alee> I'd have to look but I thought we made those optional
[15:33] <rm_work> but I didn't know if the patch to remove that validation went in yet
[15:33] <rm_work> i can look
[15:34] <rm_work> AH lol
[15:34] <rm_work> ooor it used to, then there was the validator re-write
[15:34] <rm_work> and now it does nothing :P
[15:34] <rm_work> def _validate_certificate_container(self, public_key_ref):
[15:34] <rm_work> TODO(alee-3) complete this function
[15:35] <rm_work> and a `pass` :P
[15:35] <alee> rm_work, maybe you're looking at a different function.  That's something that I added
[15:35] <rm_work> yeah
[15:35] <alee> for the stored key cert case
[15:36] <rm_work> hmm, thought this file was where the other validation had been before
[15:36] <rm_work> ah i see
[15:37] <rm_work> just the wrong class
[15:37] <rm_work> yeah ok cert is required, PK/PKP/intermediates optional
[15:37] <rm_work> was the plan to make cert optional as well?
[15:37] <alee> rm_work, line?
[15:38] <alee> redrobot, where are the notes from the midcycle?
[15:40] <rm_work> 664
[15:40] <rm_work> alee: ^^
[15:43] *** arunkant has joined #openstack-barbican
[15:46] <alee> rm_work, when do these validators run?
[15:46] <rm_work> on container creation
[15:47] <rm_work> I believe
[15:47] <alee> rm_work, right - so you want to create certificate containers without the certificate?
[15:47] <rm_work> alee: *I* don't
[15:47] <rm_work> but I thought we agreed that we could at the midcycle >_>
[15:48] <rm_work> I was actually against making so much stuff optional
[15:48] <openstackgerrit> Merged openstack/barbican: Upping process-timeout and fixing posargs in tox.ini  https://review.openstack.org/163926
[15:48] <rm_work> but now we're coding super defensively (which is probably the best approach anyway) so it doesn't matter
[15:48] <alee> does anyone remember who wants this?
[15:48] <alee> (and why)
[15:49] <alee> dave-mccowan, so it seems like we have two options here ..
[15:51] <alee> dave-mccowan, for the stored key cert issuance case, we can either require a container_ref to a RSA container (which contains public_key, private_key and optionally passphrase)
[15:52] <alee> dave-mccowan, or we can require a reference to a secret for the private key (and optionally passphrase) directly
[15:53] <alee> dave-mccowan, before I had said reference to a certificate container - which is incorrect - the certificate container is the result of the cert issuance operation
[15:55] <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Test functionality of generated asymmetric keys  https://review.openstack.org/162425
[15:55] <alee> dave-mccowan, my inclination is to require a container_ref because 1) that's what the container was originally designed to do (2) we have some kind of assurance that the data in the container is valid keys
[15:57] <alee> especially if the container has been generated by asking barbican to generate the keys
[15:58] <alee> and we can always add a validator for rsa containers later to check that public_key/private_key/passphrase are related
[15:58] <alee> and contain valid data
[15:58] <alee> in case someone wants to create their own container.
[15:58] <alee> like rm_work might
[15:59] <alee> (of course rm_work is just going to go ahead and create the cert container directly)
[16:01] *** igueths has joined #openstack-barbican
[16:01] <alee> dave-mccowan, ?
[16:03] *** igueths has quit IRC
[16:04] <alee> jvrbanac, ping
[16:08] <jvrbanac> alee, pong
[16:09] <alee> jvrbanac, I was looking for the functional tests - and seeing if there was anything there for certs.  (which there isn't)
[16:09] <alee> jvrbanac, seems like we need something there now ..
[16:10] <jvrbanac> alee, yeah. I noticed that.
[16:10] <alee> jvrbanac, https://review.openstack.org/#/c/147981/ in case you're looking for code to review :)
[16:11] <alee> jvrbanac, it's what we discussed at the midcycle -- only with newer spiffier tests
[16:11] <jvrbanac> alee, awesome I'll try to take a look here in a bit.
[16:11] <jvrbanac> alee, today is a bit crazy
[16:11] <alee> jvrbanac, thanks
[16:11] <alee> (it always is)
[16:15] <redrobot> alee https://etherpad.openstack.org/p/barbican-kilo-sprint
[16:16] *** woodster_ has joined #openstack-barbican
[16:20] <redrobot> alee can I get a quick workflow on https://review.openstack.org/#/c/161466/4
[16:22] <alee> redrobot, done -- I'll trade you for a review of https://review.openstack.org/147981  :)
[16:23] <alee> woodster_, you around?
[16:24] *** jkf has joined #openstack-barbican
[16:27] <redrobot> alee sounds good
[16:36] *** gitorres has quit IRC
[16:38] *** kebray has joined #openstack-barbican
[16:55] <alee> dave-mccowan, ping?
[17:04] *** xaeth is now known as xaeth_afk
[17:06] <dave-mccowan> alee pong
[17:11] <alee> dave-mccowan, sorry - in another meeting. when done we can discuss what needs to be done for cert api
[17:13] <openstackgerrit> Merged openstack/python-barbicanclient: Use functional_test.conf for devstack gate  https://review.openstack.org/161466
[17:18] <alee> dave-mccowan, there?
[17:19] <dave-mccowan> alee yes, i'm back
[17:19] <alee> dave-mccowan, so there are a bunch of things that need to be done for cert api
[17:19] <alee> here is my list ..
[17:20] <alee> dave-mccowan, http://www.fpaste.org/197681/26720614/
[17:20] <alee> dave-mccowan, you can choose to work on whichever ones you like.
[17:20] <alee> dave-mccowan, I think I will work on #1 today
[17:21] <alee> that way we can test everything from end-to-end
[17:21] <alee> and have a target for things that both work and should not work
[17:21] <alee> dave-mccowan, I think originally, you were going to work on #2
[17:22] <alee> and #3
[17:23] <alee> #4 needs to be done with/by woodster
[17:23] <alee> #5,6 will be done by me
[17:23] <dave-mccowan> i got #7 :-)
[17:24] <alee> dave-mccowan, I need to think about whether we need to actually do any work for #7 :)
[17:24] <dave-mccowan> alee I'll start with #2 today
[17:24] <alee> ok great -- I think most of the checks in there should be pretty straightforward
[17:25] <alee> the hard part is determining if the user has access to the secrets
[17:25] <alee> given that we're doing the whole acl thing.
[17:26] <alee> for now, though, let's assume that having access means that the secret is in the same project as the user - and we can revisit later when the acl thing lands
[17:27] <alee> dave-mccowan, does that all make sense?
[17:31] *** bdpayne has joined #openstack-barbican
[17:32] *** kfarr has joined #openstack-barbican
[17:33] *** xaeth_afk is now known as xaeth
[17:33] <dave-mccowan> alee yes. i'm looking at the code now.  i'll come back ASAP with any questions.  other than your list, the rest of the certificate API code has been merged and can be driven by unit test?
[17:33] <alee> yup
[17:34] *** rellerreller has quit IRC
[17:34] <alee> dave-mccowan, when you do 2 , there will be validator tests that can be un-skipped (and updated)
[17:38] <dave-mccowan> alee did something change w.r.t. oslo_log recently?
[17:41] *** tkelsey has quit IRC
[17:42] <alee> dave-mccowan, yeah
[17:43] <alee> dave-mccowan, you probably need to do a tox -r to recreate your environment
[17:49] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Porting more tests to test_secrets  https://review.openstack.org/164074
[17:50] <dave-mccowan> alee, yep, thanks!
[18:05] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Third round of refactoring secrets tests  https://review.openstack.org/164286
[18:09] <openstackgerrit> Steve Heyman proposed openstack/barbican: Add ability to run secrets paging tests in parallel  https://review.openstack.org/141138
[18:10] <openstackgerrit> Paul Kehrer proposed openstack/barbican: add another missing status code check in functional tests  https://review.openstack.org/164288
[18:14] <openstackgerrit> John Vrbanac proposed openstack/barbican: Making sure we allow all content-types for delete calls  https://review.openstack.org/163968
[18:16] <openstackgerrit> John Vrbanac proposed openstack/barbican: Making sure we allow all content-types for delete calls  https://review.openstack.org/163968
[18:20] *** woodster_ has quit IRC
[18:31] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Porting more tests to test_secrets  https://review.openstack.org/164074
[18:38] <openstackgerrit> Juan Antonio Osorio Robles proposed openstack/python-barbicanclient: Enable usage of 'payload' path to fetch decrypted secrets  https://review.openstack.org/161643
[18:40] *** kebray has quit IRC
[18:42] *** igueths has joined #openstack-barbican
[18:42] <igueths> Hi all.
[18:52] *** kebray has joined #openstack-barbican
[19:01] *** kebray has quit IRC
[19:01] *** xaeth is now known as xaeth_afk
[19:05] *** kebray has joined #openstack-barbican
[19:08] <openstackgerrit> Thomas Dinkjian proposed openstack/python-barbicanclient: Second set of negative secrets tests.  https://review.openstack.org/163556
[19:10] *** jaosorior has joined #openstack-barbican
[19:20] <redrobot> welcome back jamielennox
[19:20] <redrobot> derp
[19:20] <redrobot> i mean
[19:20] <redrobot> welcome back jaosorior
[19:21] <jaosorior> redrobot: thanks man!
[19:21] <redrobot> jaosorior how was the vacation?
[19:21] <jaosorior> it was brilliant
[19:21] <jaosorior> decadent
[19:21] <jaosorior> yet brilliant :P
[19:21] <jaosorior> got back today
[19:21] <elmiko> where did you go?
[19:21] <jaosorior> and now I have a pretty annoying flu
[19:21] <jaosorior> but didn't get sick while on the trip, so fuck yeh :P
[19:21] <jaosorior> I was in Madrid for a week
[19:21] *** xaeth_afk is now known as xaeth
[19:22] <elmiko> oooh, nice =)
[19:22] <jaosorior> barely made it back to the airport today. it was a pretty crazy trip
[19:23] <elmiko> sometimes those are the best though
[19:24] <jaosorior> and food is so awesome there
[19:24] <jaosorior> damn
[19:26] <elmiko> only thing i know about spanish food is tapas, paella, and sangria =)
[19:26] <elmiko> not sure if that's a madrid thing though
[19:27] *** atiwari has joined #openstack-barbican
[19:27] <jaosorior> well, they do have those, but they have a lot broader cuisine
[19:28] <jaosorior> such as a stew made out of a bull's tail, and fried calamari tapas
[19:28] <jaosorior> good stuff!
[19:28] <elmiko> nice
[19:32] <igueths> Wb jaosorior
[19:33] <jaosorior> igueths: thanks mr.!
[19:34] <openstackgerrit> Merged openstack/barbican: Fix functionaltest keystone URL fetch bug for v2  https://review.openstack.org/164217
[19:36] *** rellerreller has joined #openstack-barbican
[19:56] <chellygel> rellerreller, you are too nice :P
[19:56] <chellygel> rellerreller, i'll fix the nits, they are good observations
[19:57] <rellerreller> alee You want to check out the content types patch now? Doug gave +2, so you might want to take a look since you have the Dogtag SecretStore.
[19:57] <alee> rellerreller, yup - on my list of crs to review today :/
[19:57] <alee> today is cr-review day
[19:58] <rellerreller> chellygel I don't want to be too pedantic. I try to keep it positive.
[19:59] <rellerreller> alee me too
[20:00] <alee> rellerreller, feel free to look at https://review.openstack.org/#/c/147981/ then :)
[20:00] <rellerreller> alee I'm on it
[20:04] <openstackgerrit> Kaitlin Farr proposed openstack/barbican: Add asymmetric key support to KMIP plugin  https://review.openstack.org/163989
[20:06] *** kfarr has quit IRC
[20:09] *** kgriffs|afk is now known as kgriffs
[20:18] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding per secret ACL support with db layer changes only (Part 1)  https://review.openstack.org/164334
[20:19] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding per secret ACL support with controller layer changes (Part 2)  https://review.openstack.org/164335
[20:21] <openstackgerrit> Douglas Mendizábal proposed openstack/python-barbicanclient: Don't use tempest log  https://review.openstack.org/164336
[20:25] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding per secret ACL support with policy layer changes (Part 3)  https://review.openstack.org/164337
[20:31] <arunkant> woodster_, alee, redrobot: I have split the per secret policy change into three patches. Is it in reviewable state now?
[20:31] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Porting more tests to test_secrets  https://review.openstack.org/164074
[20:32] <alee> arunkant, sounds good - I'll get on it soon -  prob mon morning
[20:33] <openstackgerrit> Merged openstack/python-barbicanclient: Deprecate setting the payload type and encoding  https://review.openstack.org/162777
[20:33] <chellygel> rellerreller, fixed, try again and check me :D
[20:34] <chellygel> also, would love the reviews for those 2 crs before monday
[20:35] <rellerreller> chellygel I'm on it. What are the other 2 CRs?
[20:35] <chellygel> oh there are just 2 of the secret refactors, no more
[20:35] <chellygel> https://review.openstack.org/#/c/164074/ and https://review.openstack.org/#/c/164286/ rellerreller
[20:36] <chellygel> scratch that on the 2nd link i need to flip around the asserts on that cr too, forgot about that
[20:36] <chellygel> derp.
[20:38] *** kgriffs is now known as kgriffs|afk
[20:41] <elmiko> rellerreller: you know, i had wondered about the order of those values to assertEqual, but i didn't want to rock the boat ;)
[20:42] <rellerreller> elmiko the boat was rocked by redrobot. He pointed it out in my code, so I did the same to the code reviews I did.
[20:43] <rellerreller> I guess it's ok for him to rock the boat since he is the PTL.
[20:43] <rellerreller> I do like it. I looked up in the documentation the preferred order, but I could not find anything. I'm glad we're being consistent now.
[20:46] <elmiko> agreed =)
[20:46] <elmiko> it looked odd to me refactoring the containers tests because we do it the other way in sahara (the normal way)
[20:48] <openstackgerrit> Michael McCune proposed openstack/barbican: Moving containers tests to separate module  https://review.openstack.org/162504
[21:02] *** dave-mccowan has quit IRC
[21:04] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Third round of refactoring secrets tests  https://review.openstack.org/164286
[21:05] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Third round of refactoring secrets tests  https://review.openstack.org/164286
[21:05] <chellygel> sorry for spam
[21:05] <chellygel> :(
[21:05] <chellygel> but it should be done now!
[21:05] <chellygel> \o/ plz gimme some reviews when you can
[21:06] <elmiko> that's the spam of *progress* !
[21:06] <chellygel> ^
[21:07] <chellygel> how i feel right now: http://4.bp.blogspot.com/-vhxulNpk5aY/VCRN3AzZp7I/AAAAAAABdVU/8W342aVHzUc/s1600/tumblr_mlpy1k2aD61sonquko1_500.gif
[21:07] <elmiko> hehe
[21:07] <elmiko> i hate to be the kryptonite in the punchbowl, but you missed an assertEqual =(
[21:08] <chellygel> fuuuuuu lol
[21:08] <chellygel> line num?
[21:08] <elmiko> i know the feels
[21:08] <elmiko> 350 & 352
[21:08] <elmiko> er 351
[21:09] *** kgriffs|afk is now known as kgriffs
[21:09] <elmiko> otherwise lgtm
[21:09] <chellygel> i seez it
[21:10] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Porting more tests to test_secrets  https://review.openstack.org/164074
[21:10] <openstackgerrit> Chelsea Winfree proposed openstack/barbican: Third round of refactoring secrets tests  https://review.openstack.org/164286
[21:11] <chellygel> okay, no but really this time
[21:11] <rm_work> what, done already?!
[21:11] * rm_work demands more progress
[21:11] <chellygel> how about that for quick delivery 8)
[21:11] <chellygel> tuturu~
[21:12] <elmiko> chellygel: nice
[21:13] <elmiko> although you did deny me that sweet sweet -1 stat ;)
[21:14] <elmiko> how thorough do we want to get with this assertEqual stuff?
[21:17] <elmiko> chellygel: 49,50,108,206,258,300 could also be swapped
[21:18] *** tkelsey has joined #openstack-barbican
[21:19] *** igueths has quit IRC
[21:22] *** tkelsey has quit IRC
[21:39] *** paul_glass has quit IRC
[21:48] *** dave-mccowan has joined #openstack-barbican
[21:54] <alee> rellerreller, you there?
[21:54] <rellerreller> alee here
[21:54] <alee> rellerreller, so just trying to understand your patch
[21:54] <alee> rellerreller, let's look at translations.py
[21:54] <rellerreller> OK
[21:55] <alee> that's pretty much the meat of it ..
[21:55] <alee> so -- secrets can come in in various formats
[21:56] <alee> if plaintext , then they are base 64 encoded and sent to the plugin
[21:57] <alee> and on the way back, I see the reverse encoding is done in the normalize_after_decryption function
[21:57] <rellerreller> True
[21:59] <alee> now - if binary and containing PEM headers , then this is passed as <pem header> + base64 encoded payload + <pem footer> to plugin
[21:59] <alee> on the way back ..
[22:00] <rellerreller> All private, public, and certificate types are base64 encoded with PEM headers before being sent to secret store and are expected to be returned from secret store in that format.
[22:01] <alee> sure .. we'll ignore encrypted private keys for the moment
[22:01] <rellerreller> That is if in binary format then convert and send to secret store. If already in PEM format then pass through.
[22:02] <alee> right -- I see that .. what happens on the way back?
[22:02] <rellerreller> The secret store receives a get call. That returns the data in base64 encoding. If secret is private, public, or certificate then includes PEM headers.
[22:03] <rellerreller> The secret API calls resources to get secret. That is what calls secret store get call.
[22:03] <rellerreller> Then resources calls denormalize. That converts all data to its binary format.
[22:03] <alee> stripping off all PEM headers?
[22:04] <rellerreller> All data returned from Secrets API is in binary format, except for plaintext, which is utf-8.
[22:04] <rellerreller> Stripping off PEM headers and returning in DER format
[22:05] *** xaeth is now known as xaeth_afk
[22:05] <rellerreller> The API says that all secrets are returned in binary format.
[22:06] <rellerreller> I had to abide by that. I was hoping for an Accepts-Encoding or something like that, but we do not have support for that at the moment.
[22:06] <alee> rellerreller, this may be a silly question but why are we adding PEM headers before storage in the secret store to begin with -- if we just plan to remove them later?
[22:07] <rellerreller> alee That is not silly. I actually wondered the same thing.
[22:08] <rellerreller> What surprised me was that all secrets are returned in binary format. I only found that out at the end.
[22:09] <alee> rellerreller, yeah - that surprises me too
[22:09] <rellerreller> If I would have known that then I would have stored everything in binary format and transferred everything in binary format.
[22:09] <alee> but if we have that restriction, then I'm not sure I see the point of all this messing around with PEM headers
[22:10] <alee> yeah
[22:10] <rellerreller> I still think it is useful. I would like to support PEM and DER retrieval in the future.
[22:10] <rellerreller> So I don't think it is a total loss. I'm just building for the future :)
[22:12] <alee> rellerreller, let's talk about encrypted private keys
[22:12] <rellerreller> I feel like the most common use case will be for users to give us public keys in PEM format and retrieve them in PEM format, that is after we enable support for PEM format on retrieval
[22:12] <rellerreller> Transport wrapped or passphrase encrypted?
[22:12] <alee> passphrase
[22:14] <alee> rellerreller, even if we supported returning PEM, there is no reason to send the data to the secret store in PEM format.
[22:14] <alee> rellerreller, just a sec .. need to turn on tv for munchkins
[22:15] <rellerreller> ok
[22:17] <alee> rellerreller, so I see two formats for passphrase encrypted private keys ..
[22:17] <rellerreller> I'm expecting PKCS8
[22:18] <rellerreller> That is also what the store_crypto plugin is using
[22:19] <alee> ok - so that's going to have headers like -- -----BEGIN ENCRYPTED PRIVATE KEY-----
[22:19] <alee> rellerreller, how is your code going to be modified to handle this?
[22:19] <rellerreller> It will at least say BEGIN PRIVATE KEY
[22:19] <alee> eh?
[22:20] <alee> BEGIN ENCRYPTED ... ? right?
[22:20] <rellerreller> So from our point of view it does not really matter. Both are PKCS8.
[22:20] <rellerreller> All I'm going to do is tell KMIP to store it. The same with store_crypto. I assume similar for you.
[22:21] <rellerreller> That is the problem I had with the PEM headers. You can have headers like BEGIN PRIVATE KEY, BEGIN PRIVATE RSA KEY, BEGIN PRIVATE ENCRYPTED KEY. In the end it does not matter. It's a private key.
[22:22] <rellerreller> If you want to know what it really is then you have to parse the PKCS8 structure.
[22:23] <rellerreller> I should note that all those headers I listed are acceptable. For instance openssl just has BEGIN PRIVATE KEY. It does not include the RSA algorithm.
[22:23] <alee> rellerreller, so the way the code is now, if someone sends in something to be stored and it has a header ("BEGIN ENCRYPTED .." etc) it will be sent to the plugin and stored as is.
[22:24] <alee> rellerreller, and when retrieved, we strip the header off anyways
[22:25] <rellerreller> alee are you proposing that we store everything in binary format?
[22:25] <alee> rellerreller, I was going to say it matters if someone sends in something without a header and we need to add one to send to the store, and we may append the wrong one.
[22:25] <rellerreller> I mean pass everything to secret store in binary format.
[22:25] <alee> rellerreller, but it doesn't matter, because we strip the pem header off anyways
[22:26] <alee> rellerreller, I see no reason to add pem headers if we are going to strip them off
[22:26] <alee> we can pass everything to secret store as binary and simplify it all.
[22:27] <rellerreller> alee I agree, but we have said for a long time now that everything will be passed to secret store in base64 encoding.
[22:27] <rellerreller> And I already wrote all of this code :(
[22:27] <alee> well I guess we can base64 encode everything -- just not add pem headers
[22:28] <alee> and anything generated by the plugin will be DER encoded
[22:28] <rellerreller> What don't you like about the headers?
[22:28] <rellerreller> and anything generated by the plugin will be DER encoded?
[22:29] <alee> ok - so the question I had was this ..
[22:30] <alee> let's say someone sends us an encrypted private key with a header -- we keep the header and store the base 64 encoded contents.
[22:30] <openstackgerrit> Merged openstack/barbican: add another missing status code check in functional tests  https://review.openstack.org/164288
[22:30] <alee> that's fine.
[22:30] *** dimtruck is now known as zz_dimtruck
[22:30] <alee> let's say someone sends the same encrypted key as binary with no headers
[22:31] <alee> as it is right now - we have to add a header -- which in this case will be PRIVATE_KEY
[22:31] <alee> and which would be wrong.
[22:31] <rellerreller> I don't think it is wrong. It is a private key.
[22:32] <rellerreller> I have not seen any specs that detail the PEM headers.
[22:32] <rellerreller> It really seems like a convenience for people.
[22:33] <alee> yeah - but isn't the point to eventually return the keys with pem headers -- and therefore actually use what's stored in the secret store
[22:33] <rellerreller> Like I said some libraries include RSA PRIVATE KEY. It is not wrong to omit the RSA and just say PRIVATE KEY.
[22:33] <alee> rellerreller, ok - so the encrypted part is not required
[22:34] <alee> ok -- we'll keep it as is for now - and add headers etc.
[22:34] *** igueths has joined #openstack-barbican
[22:34] <rellerreller> alee I think that is good, and not just because I don't want to change my code.
[22:35] <alee> I agree that eventually we'll want to return secrets in actual pem format
[22:35] <rellerreller> alee one benefit of base64 is that we do not have Python's different binary representations in Py2 and Py3.
[22:35] <alee> yup
[22:36] <rellerreller> I think returning in PEM format should be easy. We just need to specify encoding in get call.
[22:36] <rellerreller> Apparently Accept-Encoding is not the right header.
[22:37] <alee> rellerreller, need to go eat dinner.  I had some minor nits otherwise. I just wanted to make sure I understood correctly that we were just throwing away the headers on retrieval.
[22:37] <rellerreller> I have been looking through RFCs to find out how to specify this in a request. I'm not familiar with that stuff, so I'm hoping someone else knows.
[22:37] <rellerreller> alee np
[22:37] <rellerreller> My wife has been calling me for dinner for 10 minutes now :)
[22:37] <alee> rellerreller, I'll finish up the review later tonight ..
[22:37] <rellerreller> alee Enjoy your dinner.
[22:37] <alee> me too .. later -- have a good weekend
[22:37] <alee> you too
[22:38] <rellerreller> Thanks! You too.
[22:46] *** rellerreller has quit IRC
[22:48] *** jkf has quit IRC
[22:53] *** ametts has quit IRC
[23:03] *** igueths has quit IRC
[23:04] *** kebray has quit IRC
[23:19] *** tkelsey has joined #openstack-barbican
[23:23] *** tkelsey has quit IRC
[23:29] *** david-lyle is now known as david-lyle_afk
[23:32] *** zz_dimtruck is now known as dimtruck
[23:32] *** jaosorior has quit IRC
[23:41] *** bdpayne has quit IRC
[23:41] *** bdpayne has joined #openstack-barbican
[23:42] *** dimtruck is now known as zz_dimtruck
[23:54] *** dave-mccowan has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!