Thursday, 2015-04-02

[00:16] *** everjeje has quit IRC
[01:25] *** crc32 has quit IRC
[01:47] <dave-mccowan> alee ping
[01:58] *** kebray has quit IRC
[02:30] *** tkelsey has joined #openstack-barbican
[02:34] *** tkelsey has quit IRC
[02:41] <openstackgerrit> Dave McCowan proposed openstack/barbican: Add Functional Test for Private Key Secret Type  https://review.openstack.org/169974
[02:56] *** crc32 has joined #openstack-barbican
[03:31] *** rm_work|away is now known as rm_work
[03:51] *** jamielennox is now known as jamielennox|away
[04:00] *** woodster_ has quit IRC
[04:31] *** tkelsey has joined #openstack-barbican
[04:32] *** rm_work is now known as rm_work|away
[04:35] *** woodster_ has joined #openstack-barbican
[04:35] *** tkelsey has quit IRC
[05:42] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding ACL db model changes (Part 1)  https://review.openstack.org/164334
[05:42] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding ACL db repository changes (Part 2)  https://review.openstack.org/167712
[05:43] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding Secret ACL controller layer changes (Part 3)  https://review.openstack.org/164335
[05:43] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding Container ACL controller layer changes (Part 4)  https://review.openstack.org/165205
[05:43] <openstackgerrit> Arun Kant proposed openstack/barbican: Adding policy layer changes for ACL support (Part 5)  https://review.openstack.org/165207
[05:57] *** Nirupama has joined #openstack-barbican
[06:00] <openstackgerrit> Dave McCowan proposed openstack/barbican: Implement validators and tests for stored key certificate orders  https://review.openstack.org/167291
[06:08] *** dave-mccowan has quit IRC
[06:28] *** crc32 has quit IRC
[06:40] *** woodster_ has quit IRC
[06:41] *** tkelsey has joined #openstack-barbican
[06:42] *** tkelsey has quit IRC
[06:51] *** rm_work|away is now known as rm_work
[06:55] *** chlong has quit IRC
[10:14] *** darrenmoffat has quit IRC
[10:15] *** darrenmoffat has joined #openstack-barbican
[10:19] *** jaosorior has joined #openstack-barbican
[12:11] *** alee has quit IRC
[12:27] *** woodster_ has joined #openstack-barbican
[12:28] *** dave-mccowan has joined #openstack-barbican
[13:01] *** chlong has joined #openstack-barbican
[13:05] *** Nirupama has quit IRC
[13:15] *** joesavak has joined #openstack-barbican
[13:31] *** alee has joined #openstack-barbican
[13:41] *** zigo_ is now known as zigo
[13:46] *** zz_dimtruck is now known as dimtruck
[13:47] *** chlong has quit IRC
[13:55] *** everjeje has joined #openstack-barbican
[13:57] <dave-mccowan> alee good morning
[13:59] <alee> dave-mccowan, morning
[14:01] <dave-mccowan> alee i wrote a new function test, that's really a bug report.  https://review.openstack.org/169974  This test fails for me.  I think if it worked, then your tests would also work.  i think it might also fail on openssl 1.0+ too.
[14:02] <alee> dave-mccowan, looking
[14:04] <alee> dave-mccowan, so -- the secret that is returned -- is it pem format?
[14:04] <alee> dave-mccowan, or binary?
[14:04] <dave-mccowan> PEM, including header/footer and newlines every 80 chars or so.
[14:05] <alee> dave-mccowan, does it load?
[14:05] <alee> dave-mccowan, (I guess that as the test fails, the secret is not the same)
[14:06] *** paul_glass has joined #openstack-barbican
[14:06] <dave-mccowan> alee, first call to load_privatekey() works, second call to load_privatekey() fails.  assertEquals() also fails.
[14:07] <alee> dave-mccowan, I'm curious what would happen if you used pycrypto and pkcs8 format to generate the key
[14:07] <dave-mccowan> alee, i'm curious if load() works on openssl 1.0+.   it seems that it's a "feature" that load() works with a mangled key, vs. a bug when it fails.
[14:07] <alee> dave-mccowan, I'll try it out and let you know shortly
[14:08] <alee> dave-mccowan, but try out the pkcs8 thing -- I'm curious if that works because we use pkcs8 to store in the plugin
[14:09] <alee> so those should be the same
[14:09] <dave-mccowan> alee, quick question on my validators CR:  I used mock in test_validators.  is that a no-no? (i'm fixing up the last couple lines of missed coverage now)
[14:10] <alee> dave-mccowan, depends on what you are mocking
[14:10] <alee> if it's a repo, then that's frowned upon.
[14:10] <alee> dave-mccowan, that said - it's a unit test
[14:11] <alee> so having enormous amounts of setup -- especially for validators -- does not make a lot of sense.
[14:11] <dave-mccowan> alee, yea, it's a repo. <frown>  but, functional tests have complete coverage.
[14:11] <alee> dave-mccowan, yeah - but functional tests are not counted in coverage
[14:13] <dave-mccowan> alee, i'm doing it the right way in test_orders now, to get missing coverage.  so, i should be able to port it over to test_validators pretty easily.
[14:15] <dave-mccowan> alee, if i get coverage through test_orders.py, will that "count" for coverage in validators.py?
[14:16] <alee> dave-mccowan, sure. as long as some coverage happens in the unit tests anywhere, it's fine.
[14:18] *** ametts has joined #openstack-barbican
[14:23] *** jorge_munoz has quit IRC
[14:31] *** kebray has joined #openstack-barbican
[14:49] *** xaeth_afk is now known as xaeth
[15:02] *** kebray has quit IRC
[15:15] <dave-mccowan> alee, store_secrets.py doesn't like plain base64 encoded DER.  it looks for PEM headers/footers and raises SecretPayloadDecodingError() when it can't find them.
[15:16] <alee> dave-mccowan, ok -- I'm tracing through the code right now and trying to put together a test outside of barbican that can be done.
[15:17] <alee> ie. something that does all the things we do to a secret, and sees which operation fails on openssl 0.9.8
[15:19] <reaperhulk> It's going to be DER loading of PKCS8 without password
[15:21] *** kebray has joined #openstack-barbican
[15:28] <openstackgerrit> Merged openstack/barbican: Security tests for Container resources  https://review.openstack.org/164875
[15:31] <woodster_> Can folks review this CR? https://review.openstack.org/#/c/168039/  Not merging this will cause problems for production deployments of workers.
[15:31] <woodster_> Likewise, this CR provides proper migration of the retry table: https://review.openstack.org/#/c/169946/
[15:34] <alee> dave-mccowan, I'm wondering if your test is valid in https://review.openstack.org/#/c/169974/
[15:35] <alee> dave-mccowan, specifically, you are sending in "payload_content_encoding" = base64
[15:36] <alee> but that's not true because you're sending in pem which has base64 stuff with headers and footers.
[15:37] <dave-mccowan> alee i agree on the semantics.  so we don't support PEM? is that a design flaw?
[15:37] <openstackgerrit> Dave McCowan proposed openstack/barbican: Add Functional Tests for Private Key Secret Type  https://review.openstack.org/169974
[15:38] <alee> dave-mccowan, I'm reading through the code to see what should be in there
[15:38] <alee> dave-mccowan, specifically normalize_before_encryption()
[15:39] <alee> dave-mccowan, actually I'll take that back -- base64 is correct
[15:39] <dave-mccowan> alee, ^^ there's my second test using pycrypto.  the secret store likes this format which is PEM-like, but the test still fails.
[15:40] <openstackgerrit> Merged openstack/barbican: Adding ACL db model changes (Part 1)  https://review.openstack.org/164334
[15:42] *** arunkant_ has joined #openstack-barbican
[15:45] <alee> dave-mccowan, looks like we basically send the secret unchanged to be stored in the plugin with the settings you have
[15:46] <alee> ie. with pem headers and all.
[15:46] <alee> dave-mccowan, now the return trip ..
[15:51] <alee> dave-mccowan, on the return trip, we strip off the pem headers and pass back binary
[15:54] <alee> dave-mccowan, so I'm a little confused when you say that what you get back is PEM with header and footer?
[15:55] <alee> dave-mccowan, I think you need to use the function _to_pem()
[15:56] <alee> on get_resp.content
[15:57] *** tkelsey has joined #openstack-barbican
[16:00] <openstackgerrit> Merged openstack/barbican: Create snakeoil certificate plugin  https://review.openstack.org/140575
[16:02] <arunkant_> alee, thanks for all the reviews. Provided comment on your question on part 2. Please check if it looks okay.
[16:04] <alee> arunkant, replied
[16:05] <dave-mccowan> alee, lunch time.  i'll look again in a bit.
[16:05] <alee> arunkant, looks good -- now we just need the other cores to approve ..
[16:06] <alee> dave-mccowan, ok
[16:06] <alee> woodster_, jvrbanac , hockeynut , redrobot ^^ that means ya'll   :)
[16:06] <hockeynut> alee still a Texan at heart I see :-)
[16:08] <alee> hockeynut, I was totally shocked when I first moved to Texas and I was grading someone's grammar test, and they specified the second person plural pronoun as "you all".
[16:08] <alee> hockeynut, and then it became second nature
[16:10] <hockeynut> it took me about 20 minutes before I started y'alling everyone (since I'm really a NYer)
[16:10] <alee> hockeynut, rolls off the tongue a little easier than "youse guys"
[16:12] <hockeynut> oh yes
[16:12] <hockeynut> so has anyone noticed that if you type LGTM in the review it automatically sets workflow to +1 ?
[16:14] <arunkant_> alee, thanks.
[16:14] <alee> arunkant, np - thanks for taking this on :)
[16:23] <openstackgerrit> Merged openstack/barbican: Updating Orders functional tests to new naming convention  https://review.openstack.org/168485
[16:25] *** insequent is now known as insequent|class
[16:25] *** insequent|class is now known as insequent
[16:36] *** lisaclark_ has joined #openstack-barbican
[16:39] *** kebray has quit IRC
[16:43] *** chadlung has joined #openstack-barbican
[17:13] <openstackgerrit> Merged openstack/barbican: Adding ACL db repository changes (Part 2)  https://review.openstack.org/167712
[17:21] *** jkf has joined #openstack-barbican
[17:27] *** chadlung has quit IRC
[17:38] <dave-mccowan> alee ping
[17:42] *** kebray has joined #openstack-barbican
[17:52] *** jaosorior has quit IRC
[17:54] *** kebray has quit IRC
[17:54] *** kebray has joined #openstack-barbican
[17:55] *** chadlung has joined #openstack-barbican
[17:58] <alee> dave-mccowan, pong
[17:59] <dave-mccowan> alee, have you got the pkcs8 thing figured out?
[18:00] *** tkelsey has quit IRC
[18:00] <alee> dave-mccowan, not just yet - just got back from lunch
[18:02] <dave-mccowan> alee, for my private key tests, you think they are "user error"?  the caller to get() should expect the response content to be binary?
[18:03] <alee> dave-mccowan, yes
[18:03] <alee> dave-mccowan, you need to take the data returned, base64 encode it, add the headers and then try the import
[18:04] <alee> dave-mccowan, or alternatively try to import it in ASN1 mode.  though that did not seem to be working
[18:04] <alee> (at least in openssl 0.9.8)
[18:05] <alee> dave-mccowan, I'll be testing out some new code in generate_csr based on all of this
[18:05] <dave-mccowan> alee ok.  if i get those to work in the functional test, then we just do the same thing in generate_csr()
[18:05] <alee> debugging right now
[18:05] <dave-mccowan> alee did you get 0.9.8 installed?
[18:06] <alee> no -- I'm just getting it to work on my system first
[18:06] <alee> dave-mccowan, I'm trying this --
[18:06] <alee> pkey = crypto.load_privatekey(
[18:06] <alee>         crypto.FILETYPE_PEM,
[18:06] <alee>         tr.to_pem(secret_store.SecretType.PRIVATE, private_key, False),
[18:06] <alee>         passphrase)
[18:07] <alee> but so far, it's not working ..  still debugging though ..
[18:11] <dave-mccowan> alee confirmed that stored==retrieved for the pycrypto test case after i b64 encode and wrap the binary result
[18:17] *** joesavak has quit IRC
[18:17] <alee> dave-mccowan, so the load_key works?
[18:17] <alee> dave-mccowan, load_privatekey()
[18:18] <alee> dave-mccowan, can you paste the code you used?
[18:18] <dave-mccowan> alee, same asn.1 parsing error. before and after storing/retrieving
[18:19] <alee> dave-mccowan, eh ?  stored = retrieved , but load succeeds before and fails after?
[18:20] <dave-mccowan> no, for pycrypto case, load_key fails both times.  OpenSSL doesn't like the looks-kinda-like-PEM or the sorta-like-DER formats.
[18:25] <alee> oh, interesting .. what about non-pycrypto case?
[18:27] *** joesavak has joined #openstack-barbican
[18:29] *** tkelsey has joined #openstack-barbican
[18:34] *** tkelsey has quit IRC
[18:34] <dave-mccowan> alee ok, just got the openssl private key to run with stored == retrieved.  to do that i had to strip the '\n's.
[18:35] <dave-mccowan> alee but, without the '\n's, openssl can't load_privatekey()
[18:37] <alee> dave-mccowan, ok - I think I'm zeroing in on the problem -- and yeah - it's with the \n's.
[18:38] <alee> dave-mccowan, the functions is_pem_payload() and get_pem_components() don't deal with \n correctly I think
[18:40] <dave-mccowan> alee, i think it's a design flaw in treating (and requiring) payload as base64, when it's really not.
[18:41] <alee> dave-mccowan, sorta -- we strip the headers -- what's inside is base64
[18:41] <dave-mccowan> alee base64 + newlines
[18:42] <dave-mccowan> alee and newlines are significant to openssl
[18:42] <alee> dave-mccowan, right -- trying to fix the functions now
[18:49] <openstackgerrit> Merged openstack/barbican: Adding Secret ACL controller layer changes (Part 3)  https://review.openstack.org/164335
[19:02] *** chadlung has quit IRC
[19:04] *** chadlung has joined #openstack-barbican
[19:05] *** chadlung has quit IRC
[19:11] *** chadlung has joined #openstack-barbican
[19:16] *** chadlung has quit IRC
[19:21] <alee> dave-mccowan, so - I think the problem may be partly in the base64 encoding and decoding.
[19:21] <alee> dave-mccowan, what I see is that when we base64 encode and then decode, the newlines disappear
[19:22] *** joesavak has quit IRC
[19:22] <alee> (decode and then encode)
[19:23] <alee> woodster_, reaperhulk - seen this before?
[19:24] <alee> woodster_, reaperhulk - so in storing and retrieving secrets, we do some base64 encoding and decoding.  It looks like when we do this newlines are removed.
[19:25] <reaperhulk> with the base64 module or what?
[19:25] <alee> yup
[19:25] <reaperhulk> yeah that isn't surprising
[19:25] <reaperhulk> that module ignores them on input and doesn't put any in output
[19:25] <alee> is there an alternative module we can use instead?
[19:26] <reaperhulk> there may be a flag to have it preserve, but what's the scenario where you need it preserved?
[19:26] <alee> reaperhulk, well openssl seems to care about newlines.
[19:26] <alee> when doing load_privatekey() for instance
[19:27] <alee> reaperhulk, this is the problem we discussed yesterday
[19:28] <dave-mccowan> alee, reaperhulk i think the root is the secret store wants base64-only.  and PEM format is not base64-only.  so, how to store a private key?
[19:28] <alee> dave-mccowan, that's not a problem
[19:29] <alee> dave-mccowan, what happens is on storage we store the PEM as is - with headers
[19:29] <alee> it's when we return that interesting stuff happens
[19:30] <alee> dave-mccowan, because we specify that the content-type is base64 encoded to begin with, no transformations are done when the secret is stored.
[19:31] <alee> the only thing we do is validate that the content sans pem headers is valid base64
[19:31] *** joesavak has joined #openstack-barbican
[19:31] <alee> but when we return the secret - we always return binary
[19:32] <alee> and we do this by calling base64.decode()
[19:32] *** igueths has joined #openstack-barbican
[19:34] <alee> reaperhulk, dave-mccowan - not sure if the newlines are removed when we do the decode() or when we re-encode later.
[19:35] <dave-mccowan> alee seems like using base64 on an openssl format is brute-force.  can we use openssl to load_privatekey(PEM) and then dump_privatekey(ASN1)?
[19:36] <alee> reaperhulk, dave-mccowan - knowing all this I can work around the problem in the case I am coding (stored key case) by adding a flag to simply not do any encoding/decoding
[19:36] <alee> in fact that's what I'll do.
[19:36] <reaperhulk> it sounds like there's some issues with the way this is being normalized
[19:36] <reaperhulk> Work around it as necessary for now I guess but redrobot has agreed to take a closer look at what's going on here because this doesn't sound right to me
[19:36] <alee> but I'm worried about folks who retrieve the key and try to do things to it themselves
[19:37] <alee> ie. call load_privatekey()
[19:38] *** kebray has quit IRC
[19:38] <redrobot> Yeah... I had originally commented on rellerreller's cr that I want to take a deeper look at the base64 payload_content_encoding behaviors.  There are some inconsistencies (like the fact that we're removing the ----BEGIN WHATEVER--- delimiters before base64 decoding).
[19:39] <rm_work> that essentially converts it from PEM to DER doesn't it? :P
[19:39] <alee> redrobot, yeah we need to get rellerreller to look into this when he gets back
[19:39] <reaperhulk> rm_work: yeah it basically makes it base64 encoded DER with line breaks every 72 chars
[19:39] <reaperhulk> which is not great
[19:39] <rm_work> lol, whelp
[19:39] <reaperhulk> PEM, while it is base64, should really be treated as an opaque block
[19:39] <redrobot> alee I'm going to see if I can get a high priority task here to look into it, so we don't have to wait until rellerreller comes back
[19:39] <redrobot> reaperhulk agreed
[19:40] <alee> redrobot, ok good.   In the meantime I'll work around it for the stored-key-case
[19:43] *** crc32 has joined #openstack-barbican
[20:03] *** jorge_munoz has joined #openstack-barbican
[20:08] <alee> dave-mccowan, I found a couple of bugs in the way things are converted to der -- that might resolve your test case.
[20:08] <alee> dave-mccowan, we can try out your test case when I upload my latest CR
[20:09] <alee> (likely later today)
[20:10] <dave-mccowan> alee great!  and fix all the stored key test cases too, i hope! :-)
[20:11] <alee> dave-mccowan, that's the hope ..
[20:19] *** kebray has joined #openstack-barbican
[20:23] *** chadlung has joined #openstack-barbican
[20:24] *** kebray has quit IRC
[20:27] *** kebray has joined #openstack-barbican
[20:36] *** kebray has quit IRC
[20:42] *** kebray has joined #openstack-barbican
[20:42] *** kebray has quit IRC
[20:49] *** kebray has joined #openstack-barbican
[20:55] *** atiwari1 has joined #openstack-barbican
[20:57] *** atiwari2 has quit IRC
[21:08] *** xaeth is now known as xaeth_afk
[21:10] *** joesavak has quit IRC
[21:10] *** atiwari2 has joined #openstack-barbican
[21:13] *** atiwari1 has quit IRC
[21:19] *** alee has quit IRC
[21:34] *** chellygel has quit IRC
[21:34] *** dimtruck has quit IRC
[21:35] *** lisaclark_ has quit IRC
[21:35] *** everjeje has quit IRC
[21:35] *** dougwig has quit IRC
[21:35] *** hockeynut has quit IRC
[21:35] *** jillysciarilly has quit IRC
[21:37] *** morganfainberg has quit IRC
[21:37] *** rm_work has quit IRC
[21:37] *** morganfainberg has joined #openstack-barbican
[21:38] *** tdink has quit IRC
[21:38] *** erw has quit IRC
[21:38] *** lbragstad has quit IRC
[21:38] *** chellygel has joined #openstack-barbican
[21:38] *** jvrbanac has quit IRC
[21:38] *** Sheena_ has quit IRC
[21:39] *** tdink has joined #openstack-barbican
[21:39] *** lbragstad has joined #openstack-barbican
[21:39] *** hockeynut has joined #openstack-barbican
[21:40] *** jillysciarilly has joined #openstack-barbican
[21:40] *** zz_dimtruck has joined #openstack-barbican
[21:40] *** jvrbanac has joined #openstack-barbican
[21:40] *** Sheena_ has joined #openstack-barbican
[21:40] *** atiwari1 has joined #openstack-barbican
[21:40] *** zz_dimtruck is now known as dimtruck
[21:41] *** rm_work has joined #openstack-barbican
[21:41] *** rm_work has quit IRC
[21:41] *** rm_work has joined #openstack-barbican
[21:42] *** atiwari2 has quit IRC
[21:43] *** atiwari2 has joined #openstack-barbican
[21:45] *** dougwig has joined #openstack-barbican
[21:45] *** erw has joined #openstack-barbican
[21:46] *** atiwari1 has quit IRC
[21:47] *** lisaclark_ has joined #openstack-barbican
[21:47] *** everjeje has joined #openstack-barbican
[22:08] <openstackgerrit> Dave McCowan proposed openstack/barbican: Implement validators and tests for stored key certificate orders  https://review.openstack.org/167291
[22:11] *** igueths has quit IRC
[22:20] *** crc32 has quit IRC
[22:29] *** chadlung has quit IRC
[22:33] *** chadlung has joined #openstack-barbican
[22:38] *** chadlung has quit IRC
[22:46] *** paul_glass has quit IRC
[22:53] <woodster_> dave-mccowan: I'm curious, are you and alee trying to use the new secrets types with your certificate logic?
[22:54] <dave-mccowan> woodster_ we're using the private_key type inside a container for a stored-key certificate request.
[22:55] <dave-mccowan> woodster_ does that answer your question?  i haven't been around long enough to know what is "new" :-)
[22:56] *** everjeje has quit IRC
[23:13] *** kebray has quit IRC
[23:35] *** chadlung has joined #openstack-barbican
[23:39] *** chadlung has quit IRC
[23:58] *** arunkant_ has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!