From b7da1f771c746658530fdb2f29543338bb10752d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Gr=C3=A4b?=
Date: Fri, 8 Feb 2019 11:13:11 +0100
Subject: [PATCH] Made HMAC Key Wrap mechanism configurable

Introduced the parameter 'hmac_keywrap_mechanism' in group '[p11_crypto_plugin]' in Barbican config. The default value, which were hard coded before, is 'CKM_SHA256_HMAC'. This defines the machanism used to compute the HMAC from an wrapped PKEK. However with Utimaco HSMs this leads to an CKR_MECHANISM_INVALID error. Therefore for Utimaco HSMs 'hmac_keywrap_mechanism' has to be changed to 'CKM_AES_MAC'.

Change-Id: I53537a96bc4b2acb30be5fa85e10bac89917851f
Story: 2004833
Task: 29027
---
 barbican/cmd/barbican_manage.py | 37 ++++++++++++++-----
 barbican/plugin/crypto/p11_crypto.py | 4 ++
 barbican/plugin/crypto/pkcs11.py | 18 +++++++--
 .../tests/plugin/crypto/test_p11_crypto.py | 2 +
 barbican/tests/plugin/crypto/test_pkcs11.py | 4 +-
 .../fix-story-2004833-2b420688a82c3328.yaml | 9 +++++
 6 files changed, 61 insertions(+), 13 deletions(-)
 create mode 100644 releasenotes/notes/fix-story-2004833-2b420688a82c3328.yaml

diff --git a/barbican/cmd/barbican_manage.py b/barbican/cmd/barbican_manage.py
index d1572c997..6ccfdf1cd 100644
--- a/barbican/cmd/barbican_manage.py
+++ b/barbican/cmd/barbican_manage.py
@@ -184,9 +184,14 @@ class HSMCommands(object):
 help='Password to login to PKCS11 session')
 @args('--label', '-L', metavar='