From: Pritha Srivastava <prsrivas@redhat.com>
Date: Fri, 25 Jul 2025 08:47:52 +0000 (+0530)
Subject: rgw/sts: changes for using new AES256KRB5 cryptohandler
X-Git-Tag: testing/wip-pdonnell-testing-20260126.152838~15
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9adabf3a2b3e9caa7b92fb52c1d4896952a1e33b;p=ceph-ci.git

rgw/sts: changes for using new AES256KRB5 cryptohandler
for encrypting/decrypting session tokens.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 2a20d43fb4b3fc04ea03b911da71d600ba0d6837)
---

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 38c6e22dc38..1432b3d7795 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -7143,20 +7143,29 @@ rgw::auth::s3::STSEngine::get_session_token(const DoutPrefixProvider* dpp, const
     return -EINVAL;
   }
 
-  auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
-  if (! cryptohandler) {
-    return -EINVAL;
-  }
   string secret_s = cct->_conf->rgw_sts_key;
   if (secret_s.empty()) {
     ldpp_dout(dpp, 1) << "ERROR: rgw sts key not set" << dendl;
     return -EINVAL;
   }
+
+  auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
+  if (! cryptohandler) {
+    return -EINVAL;
+  }
   buffer::ptr secret(secret_s.c_str(), secret_s.length());
   int ret = 0;
   if (ret = cryptohandler->validate_secret(secret); ret < 0) {
-    ldpp_dout(dpp, 0) << "ERROR: Invalid secret key" << dendl;
-    return -EINVAL;
+    ldpp_dout(dpp, 0) << "Invalid AES256KRB5 secret key, trying AES key validation" << dendl;
+    //Fallback to old style AES
+    cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+    if (! cryptohandler) {
+      return -EINVAL;
+    }
+    if (ret = cryptohandler->validate_secret(secret); ret < 0) {
+      ldpp_dout(dpp, 0) << "Invalid AES secret key" << dendl;
+      return -EINVAL;
+    }
   }
   string error;
   std::unique_ptr<CryptoKeyHandler> keyhandler(cryptohandler->get_key_handler(secret, error));
diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc
index 4186f2caf14..a4621f3368a 100644
--- a/src/rgw/rgw_sts.cc
+++ b/src/rgw/rgw_sts.cc
@@ -72,9 +72,9 @@ int Credentials::generateCredentials(const DoutPrefixProvider *dpp,
   expiration = ceph::to_iso_8601(exp);
 
   //Session Token - Encrypt using AES
-  auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES);
+  auto cryptohandler = cct->get_crypto_manager()->get_handler(CEPH_CRYPTO_AES256KRB5);
   if (! cryptohandler) {
-    ldpp_dout(dpp, 0) << "ERROR: No AES crypto handler found !" << dendl;
+    ldpp_dout(dpp, 0) << "ERROR: No AES256KRB5 crypto handler found !" << dendl;
     return -EINVAL;
   }
   string secret_s = cct->_conf->rgw_sts_key;
@@ -86,7 +86,7 @@ int Credentials::generateCredentials(const DoutPrefixProvider *dpp,
   buffer::ptr secret(secret_s.c_str(), secret_s.length());
   int ret = 0;
   if (ret = cryptohandler->validate_secret(secret); ret < 0) {
-    ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure it is an alphanumeric key of length 16" << dendl;
+    ldpp_dout(dpp, 0) << "ERROR: Invalid rgw sts key, please ensure it is an alphanumeric key of minimum length 32" << dendl;
     return ret;
   }
   string error;