Merge "Add new options to PKCS#11 backend"

2021-03-16 14:44:47 +00:00 · 2021-03-16 14:44:47 +00:00 · 1815e11384
commit 1815e11384
parent 4197096cbd 8685ed4a4c
3 changed files with 25 additions and 0 deletions
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@ -27,6 +27,11 @@
 #   (optional) Label to identify PKCS#11 token
 #   Defaults to $::os_service_default
 #
+# [*p11_crypto_plugin_token_labels*]
+#   (optional) List of comma-separated labels to identify
+#   PKCS#11 tokens to be used.
+#   Defaults to $::os_service_default
+#
 # [*p11_crypto_plugin_slot_id*]
 #   (optional) HSM Slot id
 #   Defaults to $::os_service_default
@ -51,6 +56,11 @@
 #   which is not standard but is required for some HSMs.
 #   Defaults to $::os_service_default
 #
+# [*p11_crypto_plugin_os_locking_ok*]
+#   (optional) Enable CKF_OS_LOCKING_OK flag when initializing
+#   the PKCS#11 client library.
+#   Defaults to $::os_service_default
+#
 # [*global_default*]
 #   (optional) set plugin as global default
 #   Defaults to false
@ -63,11 +73,13 @@ class barbican::plugins::p11_crypto (
  $p11_crypto_plugin_hmac_label,
  $p11_crypto_plugin_token_serial_number   = $::os_service_default,
  $p11_crypto_plugin_token_label           = $::os_service_default,
+  $p11_crypto_plugin_token_labels          = $::os_service_default,
  $p11_crypto_plugin_slot_id               = $::os_service_default,
  $p11_crypto_plugin_encryption_mechanism  = $::os_service_default,
  $p11_crypto_plugin_hmac_key_type         = $::os_service_default,
  $p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
  $p11_crypto_plugin_aes_gcm_generate_iv   = $::os_service_default,
+  $p11_crypto_plugin_os_locking_ok         = $::os_service_default,
  $global_default                          = false,
 ) {

@ -81,11 +93,13 @@ class barbican::plugins::p11_crypto (
    'p11_crypto_plugin/hmac_label':            value => $p11_crypto_plugin_hmac_label;
    'p11_crypto_plugin/token_serial_number':   value => $p11_crypto_plugin_token_serial_number;
    'p11_crypto_plugin/token_label':           value => $p11_crypto_plugin_token_label;
+    'p11_crypto_plugin/token_labels':          value => $p11_crypto_plugin_token_labels;
    'p11_crypto_plugin/slot_id':               value => $p11_crypto_plugin_slot_id;
    'p11_crypto_plugin/encryption_mechanism':  value => $p11_crypto_plugin_encryption_mechanism;
    'p11_crypto_plugin/hmac_key_type':         value => $p11_crypto_plugin_hmac_key_type;
    'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
    'p11_crypto_plugin/aes_gcm_generate_iv':   value => $p11_crypto_plugin_aes_gcm_generate_iv;
+    'p11_crypto_plugin/os_locking_ok':         value => $p11_crypto_plugin_os_locking_ok;
  }

  barbican_config {
--- a/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
+++ b/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added support for a couple of new options for the PKCS#11 backend:
+    ``[p11_crypto]\token_labels`` and ``[p11_crypto]\os_locking_ok``.
--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
@ -31,12 +31,14 @@ describe 'barbican::plugins::p11_crypto' do
          :p11_crypto_plugin_hmac_label                => 'hmac_label',
          :p11_crypto_plugin_token_serial_number       => 'token_serial',
          :p11_crypto_plugin_token_label               => 'token_label',
+          :p11_crypto_plugin_token_labels              => 'token_label1,token_label2',
          :p11_crypto_plugin_slot_id                   => 1,
          :p11_crypto_plugin_library_path              => '/usr/lib/libCryptoki2_64.so',
          :p11_crypto_plugin_encryption_mechanism      => 'CKM_AES_CBC',
          :p11_crypto_plugin_hmac_key_type             => 'CKK_AES',
          :p11_crypto_plugin_hmac_keygen_mechanism     => 'CKM_AES_KEY_GEN',
          :p11_crypto_plugin_aes_gcm_generate_iv       => false,
+          :p11_crypto_plugin_os_locking_ok             => false,
          :global_default                              => true,
        }
      end
@ -54,6 +56,8 @@ describe 'barbican::plugins::p11_crypto' do
          .with_value(params[:p11_crypto_plugin_token_serial_number])
        is_expected.to contain_barbican_config('p11_crypto_plugin/token_label') \
          .with_value(params[:p11_crypto_plugin_token_label])
+        is_expected.to contain_barbican_config('p11_crypto_plugin/token_labels') \
+          .with_value(params[:p11_crypto_plugin_token_labels])
        is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
          .with_value(params[:p11_crypto_plugin_slot_id])
        is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
@ -66,6 +70,8 @@ describe 'barbican::plugins::p11_crypto' do
          .with_value(params[:p11_crypto_plugin_hmac_keygen_mechanism])
        is_expected.to contain_barbican_config('p11_crypto_plugin/aes_gcm_generate_iv') \
          .with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
+        is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok') \
+          .with_value(params[:p11_crypto_plugin_os_locking_ok])
        is_expected.to contain_barbican_config(
          'secretstore:pkcs11/secret_store_plugin') \
          .with_value('store_crypto')