Barbican Notes

Miscellaneous notes

A record of my personal understanding from studying the Barbican component recently.

Barbican is mainly for key management. When storing a secret (store secret) there are several accepted content types (text/plain and so on); when retrieving, the secret is PEM-formatted according to whether it is a certificate or a private key. The content types Barbican accepts, and the canonical type each is normalised to, are:

{'text/plain': 'text/plain',
 'text/plain;charset=utf-8': 'text/plain',
 'text/plain; charset=utf-8': 'text/plain',
 'application/octet-stream': 'application/octet-stream',
 'application/pkcs8': 'application/pkcs8',
 'application/aes': 'application/aes'}

Tip: Octavia can format certificates as PKCS12 (again through a wrapped interface). Normally a retrieved certificate is PKCS12-formatted by default, while Barbican's native certificate format is still supported for compatibility. The way a listener binds a certificate also differs from LBaaS v2: it does not use a container (although a PKCS12 bundle can itself be regarded as a container).

The Barbican backend supports multiple kinds of storage, so the official documentation provides several plugins:

[secretstore]
enable_multiple_secret_stores = True
stores_lookup_suffix = software, kmip, pkcs11, dogtag
[secretstore:software]
secret_store_plugin = store_crypto
crypto_plugin = simple_crypto
[secretstore:kmip]
secret_store_plugin = kmip_plugin
global_default = True
[secretstore:dogtag]
secret_store_plugin = dogtag_plugin
[secretstore:pkcs11]
secret_store_plugin = store_crypto
crypto_plugin = p11_crypto

Currently Barbican's own code limits how far formats such as PKCS8, PKCS11 and X.509 are supported.
LBaaS v2 supports PKCS8 private keys (unverified) and X.509 certificates. Octavia added PKCS12 code files and a new /certificate/manager/barbican.py that implements PKCS12 support through Barbican, so both private keys and certificates can be handled as PKCS12.
https://developer.openstack.org/api-guide/key-manager/containers.html#certificate-containers
https://docs.openstack.org/releasenotes/octavia/queens.html

Users can now use a reference to a single PKCS12 bundle as their default_tls_container_ref instead of a Barbican container with individual secret objects. PKCS12 supports bundling a private key, certificate, and intermediates. Private keys can no longer be passphrase protected when using PKCS12 bundles. No configuration change is necessary to enable this feature. Users may simply begin using this. Any use of the old style containers will be detected and automatically fall back to using the old Barbican driver.
Certificate bundles can now be stored in any backend Castellan supports, and can be retrieved via a Castellan driver, even if Barbican is not deployed.

The body for creating a certificate container is as follows:

{
  "type": "certificate",
  "status": "ACTIVE",
  "name": "Example.com Certificates",
  "consumers": [],
  "container_ref": "https://{barbican_host}/v1/containers/{uuid}",
  "secret_refs": [
    {
      "name": "certificate",
      "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}"
    },
    {
      "name": "private_key",
      "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}"
    },
    {
      "name": "private_key_passphrase",
      "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}"
    },
    {
      "name": "intermediates",
      "secret_ref": "https://{barbican_host}/v1/secrets/{uuid}"
    }
  ],
  "created": "2015-03-30T21:10:45.417835",
  "updated": "2015-03-30T21:10:45.417835"
}

A certificate container stores the secrets related to a certificate. The following secret types can be specified; certificate is required and the rest are optional.

A certificate container is used for storing the following secrets that are relevant to certificates:
certificate
private_key (optional)
private_key_passphrase (optional)
intermediates (optional)
The payload for the secret referenced as the “certificate” is expected to be a PEM formatted x509 certificate.
The payload for the secret referenced as the “intermediates” is expected to be a PEM formatted PKCS7 certificate chain.
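As an added example (not Barbican's or Octavia's own code), the following validator applies the container rules above to a certificate-container body before a consumer such as a listener uses it: "certificate" is required, the other three names are optional, unknown or duplicate names are rejected, and a passphrase without a private key is rejected. The sample body and its placeholder secret refs are constructed for the example.

```python
import json

# Secret names a Barbican certificate container may reference, per the API
# guide quoted above: "certificate" is required, the others are optional.
REQUIRED_SECRETS = {"certificate"}
OPTIONAL_SECRETS = {"private_key", "private_key_passphrase", "intermediates"}

# Constructed sample: the page's example body with placeholder refs.
SAMPLE_BODY = json.loads("""
{
  "type": "certificate",
  "name": "Example.com Certificates",
  "secret_refs": [
    {"name": "certificate",
     "secret_ref": "https://barbican.example/v1/secrets/11111111-cert"},
    {"name": "private_key",
     "secret_ref": "https://barbican.example/v1/secrets/22222222-key"},
    {"name": "intermediates",
     "secret_ref": "https://barbican.example/v1/secrets/33333333-chain"}
  ]
}
""")


def validate_certificate_container(body):
    """Return {secret name: secret_ref} for a well-formed certificate
    container body; raise ValueError describing the first violation."""
    if body.get("type") != "certificate":
        raise ValueError("container type must be 'certificate'")
    allowed = REQUIRED_SECRETS | OPTIONAL_SECRETS
    refs = {}
    for entry in body.get("secret_refs", []):
        name, ref = entry.get("name"), entry.get("secret_ref")
        if name not in allowed:
            raise ValueError("unexpected secret name %r" % name)
        if name in refs:
            raise ValueError("duplicate secret name %r" % name)
        # Entries must point at Barbican secrets, not at another container.
        if not ref or not ref.startswith("https://") or "/v1/secrets/" not in ref:
            raise ValueError("secret_ref for %r must be an https /v1/secrets/ URL" % name)
        refs[name] = ref
    missing = REQUIRED_SECRETS - set(refs)
    if missing:
        raise ValueError("missing required secrets: %s" % sorted(missing))
    # A passphrase only makes sense when a private key is stored alongside it.
    if "private_key_passphrase" in refs and "private_key" not in refs:
        raise ValueError("private_key_passphrase given without private_key")
    return refs


def is_valid_certificate_container(body):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_certificate_container(body)
        return True
    except ValueError:
        return False
```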

References

http://www.iceyao.com.cn/2017/11/19/Neutron-lbaas%E4%BB%A3%E7%90%86https%E5%AE%9E%E8%B7%B5/
https://docs.openstack.org/barbican/latest/install/barbican-backend.html
https://docs.openstack.org/barbican/latest/configuration/plugin_backends.html
https://developer.openstack.org/api-guide/key-manager/containers.html#certificate-containers
https://docs.openstack.org/releasenotes/octavia/queens.html
This is my personal analysis; corrections are welcome. Please credit the source if you repost it.