Tuesday, 2015-05-12

openstackgerrit John Vrbanac proposed openstack/barbican: Adding config option for specifying HSM slot  https://review.openstack.org/182128
openstackgerrit Merged openstack/barbican: Port the Architecture, Dataflow, and Project Strucure docs  https://review.openstack.org/132304
aleeSheena_, you're trying to break my mbox02:45
SheenaGWas it really that big?  Ohhhh maybe it's because I didn't strip animations out of the second one03:05
SheenaGI'm sorry03:05
SheenaGMy brain honestly is melting from looking at slide decks03:05
rm_youaugh i still haven't really had a chance to look at it <_<03:07
rm_youSheenaG: I will get to it... I promise...03:07
rm_youHopefully, err, before the runthrough03:07
SheenaGrm_you: I'm working on making the Barbican Use Case one into something more interesting looking right now03:11
SheenaGalee and woodster_ have seen what leaving me alone with a deck looks like, don't ask them or you'll get scared03:12
SheenaGrm_you: as long as you can do the run-through Wednesday, we can make corrections and/or updates right after and do another run-through maybe on Sunday when everyone gets in03:12
SheenaGrm_you: like a really lame pow-wow around some alcohol and a computer screen03:12
rm_yousounds good to me03:13
rm_youwell, other than I will be in WA and not BC03:13
rm_youdriving up every day, don't have a hotel there03:13
rm_youso actually sunday night would be a stretch for me :P03:14
SheenaGYou can VC in, but the alcohol is mandatory03:15
rm_youcan do03:16
openstackgerrit OpenStack Proposal Bot proposed openstack/barbican: Imported Translations from Transifex  https://review.openstack.org/181714
*** woodster_ has joined #openstack-barbican11:29
openstackgerrit Merged openstack/castellan: Drop use of 'oslo' namespace package  https://review.openstack.org/178245
openstackgerrit Merged openstack/castellan: Removing SymmetricKey docs from key module  https://review.openstack.org/178843
openstackgerrit Merged openstack/barbican: Imported Translations from Transifex  https://review.openstack.org/181714
openstackgerrit OpenStack Proposal Bot proposed openstack/barbican: Updated from global requirements  https://review.openstack.org/182322
hockeynutanyone else having issues with pypy gate job?  Fails with error: /home/jenkins/workspace/gate-python-barbicanclient-pypy/.tox/pypy/site-packages/pip-1.5.4.dist-info/METADATA: No such file or directory14:49
hockeynutI did a few recheck nobug but it still persists14:50
*** igueths has joined #openstack-barbican14:50
reaperhulkhockeynut: that's a discussion on the mailing list14:50
hockeynutthanks reaperhulk - will head over there (seems I'm not getting them in outlook mac client)14:51
reaperhulkthey're considering removing the gate job, which I think is a real shame since that's not really the right fix, but whatever14:51
hockeynut"doc, it hurts when I do this..."14:52
*** SheenaG has quit IRC15:10
thervehockeynut, There is an easy workaround in tox.ini if you want to bother15:24
hockeynuttherve I would be interested to see15:24
thervehockeynut, https://review.openstack.org/#/c/181851/15:25
hockeynutshould we follow suit?  seems better than removing the job completely15:26
therveWell, the job is not removed and probably non voting already, but maybe15:27
openstackgerrit Steve Heyman proposed openstack/python-barbicanclient: Create behaviors for secrets  https://review.openstack.org/179609
openstackgerrit Merged openstack/python-barbicanclient: Pass in keystone version and correct v2 URL to CLI  https://review.openstack.org/182024
siloshey rellerreller, I have a question. Is it possible to hook up multiple KMIP plugins to a single barbican? My gut says no.16:45
*** rellerreller has quit IRC16:45
aleedave-mccowan, responded to your comment16:49
*** silos has left #openstack-barbican16:49
dave-mccowanalee, ok. can you add a couple lines to a unit test to show that the returned string concatenation can be parsed by one of the crypto libraries?  i just remember the issues we had during the kilo.rc1 time frame when the generated PEM was not valid PEM.16:58
aleedave-mccowan, yeah - I plan to add to a functional test to confirm that we get valid results back for even a cert16:59
aleedave-mccowan, this was not caught because we never checked that we could get the cert itself back.17:00
aleewe just checked that we got a cert container17:00
aleedave-mccowan, do we have test code to validate correct PEM-ness?17:01
aleedave-mccowan, I assume it would just be to do a load ..17:01
dave-mccowanalee, yes.  i'll find an example.  but, yea... just load without exception.17:01
dave-mccowanalee here's a pem certificate validator: https://github.com/openstack/barbican/blob/master/functionaltests/api/v1/functional/test_rsa.py#L15517:12
aleedave-mccowan, cool thanks17:15
*** kfarr has joined #openstack-barbican17:21
dave-mccowanalee wouldn't a typical certificate chain have 2 or 3 or more certificates concatenated?  (e.g. server.crt, subordinate-ca.crt, root-ca.crt)   is this what's in cert.pkcs7_cert_chain ?17:21
aleedave-mccowan, its pkcs7 - which is an asn1 structure (ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-7.asc) that can be converted into a series of certs17:28
aleedave-mccowan, http://www.openssl.org/docs/apps/pkcs7.html17:29
aleedave-mccowan, see notes for relevant headers17:29
openstackgerrit Arun Kant proposed openstack/barbican: Removed per ACL operations and added support for PUT method.  https://review.openstack.org/180888
dave-mccowanalee if it's a chain of two certs then i think the correct PEM format is <header> cert 1 <footer> <header> cert 2 <footer>17:31
aleedave-mccowan, no -- its pkcs717:31
aleedave-mccowan, which is its own format17:31
dave-mccowanalee if barbican-core is expecting a "standard PEM", do we need a PKCS7 to PEM converter?17:54
aleedave-mccowan, well actually, we have never explictly defined what barbican-core expects for intermediates as far as I know.17:56
aleedave-mccowan,  the usual standard for this kind of thing is pkcs7.17:56
aleedave-mccowan,  given that dogtag is the first to actually provide this - I'd like to push for that :)17:57
aleebut we should take an action item to explicitly decide this at the summit17:57
aleewoodster_, redrobot ^^17:57
*** alee is now known as alee_food17:59
dave-mccowanalee i just read the snake oil CA code, and it looks like it is not pkcs7.   i agree, we should explicitly decide, document, and make consistent.17:59
*** alee_food is now known as alee18:29
*** silos has left #openstack-barbican18:58
openstackgerrit Kaitlin Farr proposed openstack/castellan: Add Barbican key manager  https://review.openstack.org/171918
*** SheenaG has joined #openstack-barbican19:44
openstackgerrit Ade Lee proposed openstack/barbican: Base64 encode the cert returned from the Dogtag plugin  https://review.openstack.org/181786
aleedave-mccowan, woodster_ redrobot - new patch posted20:26
*** kebray has joined #openstack-barbican21:01
*** gyee has joined #openstack-barbican21:01
openstackgerrit Nathan Reller proposed openstack/barbican: Added pkcs1_only Configuration to KMIP  https://review.openstack.org/182461
*** alee has joined #openstack-barbican22:23
