Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: rhos-18.0 FR 2 (Mar 2025)
Affects Version/s: None
Component/s: openstack-barbican
Labels:
None

Story Points:
2
Epic Link:
Support Luna HSM's within Barbican operator
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
DFG Security: UC Sprint 102, DFG Security: UC Sprint 103, DFG Security: UC Sprint 104
sprint_count:
3

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The default backend configuration for Thales Luna Network HSM uses a key-wrapping mechanism that is no longer supported in newer versions of the HSM firmware. This was reported upstream in a Launchpad bug: https://bugs.launchpad.net/barbican/+bug/2036506

Barbican PKCS#11 code needs to be modified so that we can configure a different key wrapping mechanism - the current one is hard-coded. Preferably we should use a NIST approved mechanism. I.e. CKM_WRAPKEY_AES_KWP - https://thalesdocs.com/gphsm/ptk/5.9.1/docs/Content/PTK-C_Program/PTK-C_Mechs/CKM_WRAPKEY_AES_KWP.htm

is cloned by

OSPRH-11019 Create component CI job to test Luna + Barbican

Closed

Assignee:: Douglas Mendizabal

Reporter:: Dave Wilde

Team:: rhos-dfg-security

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2024/10/08 2:20 PM

Updated:: 2025/02/24 3:10 PM

Resolved:: 2025/02/24 3:10 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty

Hide