From ca57ef5436e20e90cf6cd6853efe3c89a9afd986 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 29 Mar 2024 16:49:24 +0900
Subject: [PATCH] Use explicit default instead of implicit fallback
[p11_crypto_plugin] mkek_length has no default but the logic uses implicit default value (32) internally.
Change-Id: I8743457aab9f0ce4982fcb9255dc86050b791308
---
 barbican/cmd/barbican_manage.py | 2 +-
 barbican/plugin/crypto/p11_crypto.py | 2 ++
 doc/source/install/barbican-backend.rst | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/barbican/cmd/barbican_manage.py b/barbican/cmd/barbican_manage.py
index cd1e432fa..295435ddb 100644
--- a/barbican/cmd/barbican_manage.py
+++ b/barbican/cmd/barbican_manage.py
@@ -225,7 +225,7 @@ class HSMCommands(object):
 label = conf.p11_crypto_plugin.mkek_label or 'primarymkek'
 self._verify_label_does_not_exist(self._CKK_AES, label, self.session)
 if length is None:
- length = conf.p11_crypto_plugin.mkek_length or 32
+ length = conf.p11_crypto_plugin.mkek_length
 if type(length) is not int:
 length = int(length)
 self.pkcs11.generate_key(self._CKK_AES, length, CKM_AES_KEY_GEN,
diff --git a/barbican/plugin/crypto/p11_crypto.py b/barbican/plugin/crypto/p11_crypto.py
index 11ee3c29b..19b3ef1b0 100644
--- a/barbican/plugin/crypto/p11_crypto.py
+++ b/barbican/plugin/crypto/p11_crypto.py
@@ -51,6 +51,8 @@ p11_crypto_plugin_opts = [
 cfg.StrOpt('mkek_label',
 help=u._('Master KEK label (as stored in the HSM)')),
 cfg.IntOpt('mkek_length',
+ default=32,
+ min=1,
 help=u._('Master KEK length in bytes.')),
 cfg.StrOpt('hmac_label',
 help=u._('Master HMAC Key label (as stored in the HSM)')),
diff --git a/doc/source/install/barbican-backend.rst b/doc/source/install/barbican-backend.rst
index 4fc737d48..8120d260c 100644
--- a/doc/source/install/barbican-backend.rst
+++ b/doc/source/install/barbican-backend.rst
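Review bot: A `length` that is not None on entry never passes through the option's bounds in the barbican_manage.py hunk, so after `int(length)` any integer (zero, negative, or a size AES does not define) reaches `generate_key` with `_CKK_AES`. A guard just before that call, for example `if length not in (16, 24, 32):` followed by a clear error, would reject a bad master KEK size early instead of leaving it to the HSM. The same gap is in the `mkek_length` option in p11_crypto.py, where `min=1` still admits lengths below 16 bytes; `choices=[16, 24, 32]` would be tighter if the MKEK is always an AES key, which the visible lines suggest but do not establish. As a style point, `type(length) is not int` reads better as `not isinstance(length, int)`. The enclosing method starts and ends outside the hunk, so where `length` originates is not visible here.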
@@ -387,7 +387,7 @@ The PKCS#11 plugin configuration looks like: mkek_label = 'my_mkek' # Master KEK length in bytes. (integer value) - #mkek_length = + #mkek_length = 32 # Master HMAC Key label (as stored in the HSM) (string value) hmac_label = 'my_hmac_key'