Merge "Fix Safenet HSM regression in PKCS#11"

2019-01-16 16:36:02 +00:00 · 2019-01-16 16:36:02 +00:00 · 2c9a4b33bc
commit 2c9a4b33bc
parent 34ac14dc0e fdfeb7362b
3 changed files with 15 additions and 2 deletions
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@ -81,6 +81,10 @@ p11_crypto_plugin_opts = [
    cfg.BoolOpt('aes_gcm_generate_iv',
                help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
                default=True, deprecated_name='generate_iv'),
+    cfg.BoolOpt('always_set_cka_sensitive',
+                help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
+                         'CKA_EXTRACTABLE=CK_TRUE keys.'),
+                default=True),
 ]
 CONF.register_group(p11_crypto_plugin_group)
 CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -302,6 +306,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
            ffi=ffi,
            seed_random_buffer=seed_random_buffer,
            generate_iv=plugin_conf.aes_gcm_generate_iv,
+            always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
        )

    def _reinitialize_pkcs11(self):
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@ -356,7 +356,7 @@ class PKCS11(object):
                 encryption_mechanism=None,
                 ffi=None, algorithm=None,
                 seed_random_buffer=None,
-                 generate_iv=None):
+                 generate_iv=None, always_set_cka_sensitive=None):
        if algorithm:
            LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
            encryption_mechanism = encryption_mechanism or algorithm
@ -385,6 +385,7 @@ class PKCS11(object):
        self.noncesize = 12
        self.gcmtagsize = 16
        self.generate_iv = generate_iv
+        self.always_set_cka_sensitive = always_set_cka_sensitive

        # Validate configuration and RNG
        session = self.get_session()
@ -583,7 +584,7 @@ class PKCS11(object):
        token = master_key
        extractable = not master_key
        # in some HSMs extractable keys cannot be marked sensitive
-        sensitive = not extractable
+        sensitive = self.always_set_cka_sensitive or not extractable

        ck_attributes = [
            Attribute(CKA_CLASS, CKO_SECRET_KEY),
--- a/releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml
+++ b/releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixed Story #2004734:  Added a new option `always_set_cka_sensitive` to
+    fix a regression that affected Safenet HSMs.  The option defaults to `True`
+    as required by Safenet HSMs.  Other HSMs may require it be set to `False`.
+