Add more types to the orders resource

Registered by John Wood

Barbican's orders resource is used to generate secrets on behalf of clients. Currently (as of Icehouse M2) only symmetric key secrets can be generated. This blueprint addresses how the orders resource could be modified to generate other useful secret types, such as asymmetric key-pairs.

This blueprint grew out of discussions from Barbican contributors, including on this etherpad page:

There are three main types of secret information that could be generated by Barbican via the orders resource:
1) symmetric:
    a) Symmetric encryption keys: AES, 3DES, Camellia, RC4
    b) Other types of keys: HMAC, byte stream

2) 'asymmetric':
    a) RSA, DSA, EC
    b) Can include public and private keys, and a passphrase

3) 'certificate':
    a) Can include quite a bit of information, depending on (for example) if a CSR is supplied or has to be generated by Barbican

For each of these types, this gist page provides JSON schema examples of changes proposed to the orders resource API. Only the 'type' attribute would be required, with the 'meta' attribute containing information needed to generate the specified type.
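One way the proposed request body could be validated, as an added example that is neither Barbican's code nor the gist's schema. The type names follow this page; the field names inside 'meta' (algorithm, bit_length, passphrase, csr, subject_dn) are assumptions.

```python
# Added illustration, not Barbican code; field names inside 'meta' are assumed.
SYMMETRIC = {"aes", "3des", "camellia", "rc4", "hmac"}
ASYMMETRIC = {"rsa", "dsa", "ec"}

class InvalidOrder(ValueError):
    """An order request body failed validation."""

def _field(meta, name, kind, required=True):
    value = meta.get(name)
    if value is None and not required:
        return None
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, kind):
        raise InvalidOrder(f"meta.{name} must be of type {kind.__name__}")
    return value

def _key_meta(meta, allowed):
    algorithm = _field(meta, "algorithm", str).lower()
    if algorithm not in allowed:
        raise InvalidOrder(f"unsupported algorithm: {algorithm}")
    if _field(meta, "bit_length", int) <= 0:
        raise InvalidOrder("meta.bit_length must be a positive integer")

def _asymmetric_meta(meta):
    _key_meta(meta, ASYMMETRIC)
    _field(meta, "passphrase", str, required=False)

def _certificate_meta(meta):
    # With no CSR supplied the service has to generate one and needs a subject.
    if not _field(meta, "csr", str, required=False):
        _field(meta, "subject_dn", str)

VALIDATORS = {
    "key": lambda meta: _key_meta(meta, SYMMETRIC),
    "asymmetric": _asymmetric_meta,
    "certificate": _certificate_meta,
}

def validate_order(body):
    if not isinstance(body, dict) or "type" not in body:
        raise InvalidOrder("'type' is required")
    order_type = body["type"]
    if not isinstance(order_type, str) or order_type not in VALIDATORS:
        raise InvalidOrder(f"unknown order type: {order_type!r}")
    meta = body.get("meta", {})
    if not isinstance(meta, dict):
        raise InvalidOrder("'meta' must be an object")
    VALIDATORS[order_type](meta)
    return order_type
```

Dispatching on 'type' before reading 'meta' keeps each type's generation parameters separate, so an asymmetric algorithm cannot be requested through a symmetric key order and unknown types are rejected before any key material is generated.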

Blueprint information

Douglas Mendizábal
John Wood
Arvind Tiwari
Series goal:
Accepted for juno
Milestone target:
2014.2
Started by
Douglas Mendizábal
Completed by
Douglas Mendizábal


Q1 - Is the end product a "container" for the above 3 types?
Q1.1 If yes then we need to make some changes in the container model.
A1 [hgedikli] Container should be used only for Asymmetric type. For key we should generate secret.

Q2 - Can we split the "key" type into "symmetric" and "API-key" so there will be symmetric, asymmetric, api-key and cert? The reason I want this in there is because that will help us to define a better search on type.

Q3 - Are you OK with a phased approach for impl?
phase 1 - Support for all types except "Cert"
phase 2 - Support for "Cert"
A3 [hgedikli] Sounds good to me.

Please let me know so that I can start the impl and API docs.

Gerrit topic: bp/api-orders-add-more-types

Addressed by:
    Extend crypto plugin to support more key type

Gerrit topic: bp/phase

Gerrit topic: api-orders-add-more-types

Addressed by:
    Add more type in order post

Addressed by:
    Keystore API change proposal*Not2MergeJust4Review*

Addressed by:
    Add proposed certificate order *Not2MergeJust4Review*

Addressed by:
    Adding 3 new columns Type, Meta and container_id to Orders

Addressed by:
    bug fix 1336995-DateTime type only accepts Python

Addressed by:
    Reorganize code to use store crypto plug-in

Addressed by:
    Add asymmtric order validator

