12:02:53 <xek> #startmeeting barbican
12:02:53 <opendevmeet> Meeting started Tue Mar  7 12:02:53 2023 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:02:53 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:02:53 <opendevmeet> The meeting name has been set to 'barbican'
12:03:01 <dmendiza[m]> 🙋‍♂️
12:03:09 <Luzi> o/
12:03:22 <xek> dmendiza, Luzi, o/
12:04:06 <xek> #topic Roll Call
12:04:13 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung
12:04:18 <xek> As usual our agenda can be found here:
12:04:27 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
12:05:04 <xek> We have just the usual topics today
12:05:23 <xek> #topic Review Past Meeting Action Items
12:06:06 <xek> #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-02-28-12.01.html
12:06:23 <xek> Look into why Zed release notes is broken https://docs.openstack.org/releasenotes/barbican/zed.html
12:06:32 <xek> mharley took a look at it last week
12:06:49 <xek> Turns out, we just didn't have any release notes for Zed
12:07:11 <xek> It was the same case for Antelope (for the barbican project)
12:07:48 <xek> So mharley created new reviews to add a few relevant release notes
12:08:26 <xek> They were merged today
12:08:57 <xek> #topic Liaison Updates
12:10:50 <xek> #link https://governance.openstack.org/election/
12:10:55 <xek> TC Election and PTL Election end in 1d 11h 34m
12:11:37 <xek> Luzi, dmendiza, do you have any updates to add?
12:12:31 <Luzi> nothing from my side
12:12:59 <dmendiza[m]> Nothing here either
12:13:01 <xek> Ack, thanks!
12:13:07 <xek> Let's go to the next topic
12:13:34 <xek> #topic Open Discussion
12:14:22 <rajiv_> hi, i have mailed you guys my query, sub : Query on Multiple backend Secret Order creation
12:14:36 <rajiv_> did anyone get a chance to read the mail ?
12:15:19 <xek> rajiv_, I did, but I don't have any experience with this part of barbican
12:15:32 <dmendiza[m]> link to the ML?
12:16:01 <xek> dmendiza it was a private message, alee forwarded it to you afaik
12:16:13 <rajiv_> I also created a ticket with Thales but they closed the ticket saying it's an application issue, we enabled cklog on the HSM device but found nothing from barbican
12:16:39 <xek> "Query on Multiple backend Secret Order creation"
12:16:39 <rajiv_> yes, Ade added you to the mail chain
12:16:43 <rajiv_> yes
12:17:27 * dmendiza[m] looks through the mountain of email
12:17:37 <dmendiza[m]> rajiv_: I'd recommend sending it to the mailing list next time openstack-discuss@lists.openstack.org
12:18:07 <rajiv_> ack, it was only 4 mails in the thread, including 2 follow-ups
12:18:49 <rajiv_> long story short : my production barbican backend is using Thales A790, when we try to create an asymmetric secret order we get :
12:18:55 <rajiv_> ERROR barbican.tasks.resources barbican.plugin.crypto.base.CryptoPluginUnsupportedOperation: Could not find an enabled crypto plugin backend that supports the requested operation: store or generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None
12:18:55 <dmendiza[m]> >  I think there was an option to select the secret store before creation ? or is this deprecated ?
12:19:09 <dmendiza[m]> There is an API to set the preferred secret store per-project
12:19:29 <rajiv_> my last mail (today) shared the selection of store : https://review.opendev.org/c/openstack/barbican/+/341803/13/doc/source/api/reference/store_backends.rst#261
12:19:43 <rajiv_> is this selection allowed in prod as well ? it works fine.
12:19:55 <dmendiza[m]> #link https://docs.openstack.org/barbican/zed/api/reference/store_backends.html
12:19:56 <rajiv_> i want to understand if there are any known side-effects, etc
12:22:08 <rajiv_> dmendiza[m]: is this fine enabling secret store per project in prod ? are there any known issues ?
12:22:20 <dmendiza[m]> It's a fully supported feature
12:22:35 <dmendiza[m]> So, yes, you can use it in prod
12:22:49 <dmendiza[m]> > generate a secret of type ASYMMETRIC_KEY_GENERATION with algorithm rsa, bit length 1024, and mode None
12:22:56 <dmendiza[m]> try again with mode=CBC
12:23:23 <dmendiza[m]> oh whoops, never mind
12:23:25 <dmendiza[m]> don't do that
12:23:32 * dmendiza[m] is still waiting for coffee to kick in
12:23:37 <rajiv_> thanks for your confirmation, would this be a workaround for the above error message or the actual functionality to proceed?
12:23:49 <rajiv_> :)
12:23:56 <dmendiza[m]> > ASYMMETRIC_KEY_GENERATION
12:23:56 <dmendiza[m]> This has not been implemented for PKCS#11 (used for HSMs)
12:24:13 <dmendiza[m]> #link https://opendev.org/openstack/barbican/src/branch/master/barbican/plugin/crypto/p11_crypto.py#L193-L194
12:24:37 <rajiv_> ah ok, hence the above error message
12:25:01 <dmendiza[m]> Yeah, so if the user's project is set to use the HSM backend, then they won't be able to generate asymmetric keys
12:25:12 <dmendiza[m]> You'd have to set the backend to SimpleCrypto
12:25:57 <dmendiza[m]> or you can help us implement that part of PKCS#11 backend 😄
12:26:13 <xek> dmendiza, thanks for taking a look at this :)
12:26:13 <rajiv_> sure, asymmetric certs are deprecated. keys work fine
12:26:21 <rajiv_> :)
12:26:43 <xek> rajiv_, if you think the documentation is lacking, maybe you can propose some changes
12:27:21 <xek> I'll happily review those
12:27:43 <rajiv_> xek: sure, is there documentation on how to do it ? I would like to raise a few PRs. In my prod, HSM integration on FIPS mode also works, until firmware 7.4.0
12:28:36 <xek> rajiv_, the documentation is in the project tree of either barbican or python-barbicanclient
12:28:43 <xek> in doc/source/
12:29:30 <rajiv_> roger that
12:30:07 <xek> Ok, let's go to the last topic
12:30:31 <xek> #topic Bug Review
12:31:29 <xek> There is one new bug
12:31:32 <xek> link https://storyboard.openstack.org/#!/story/2010625
12:31:32 <xek> ======================================================
12:31:45 <xek> #link https://storyboard.openstack.org/#!/story/2010625
12:33:43 <xek> The main issue seems to be the accumulating non-deleted entries in orders table
12:33:53 <xek> when using castellan
12:34:34 <dmendiza[m]> Yeah, reading through the bug report
12:35:14 <xek> dmendiza, maybe we can sync later to decide if one of the proposed weys to get around this is how we want to proceed
12:35:20 <xek> *ways
12:35:34 <dmendiza[m]> Looks like they've started a thread on openstack-discuss as well:
12:35:35 <dmendiza[m]> #link https://lists.openstack.org/pipermail/openstack-discuss/2023-March/032585.html
12:36:06 <xek> Ok, I guess we can continue the discussion there
12:36:11 <dmendiza[m]> Grzegorz Grasza: yeah, let's get ade_lee 's opinion too
12:37:28 <xek> Ok, that completes the list of topics for today
12:37:46 <xek> See y'all next week!
12:38:06 <dmendiza[m]> Thanks, Grzegorz Grasza !
12:38:12 <xek> #endmeeting