Add support for always_set_cka_sensitive parameter

Some time ago BarbicanPkcs11AlwaysSetCkaSensitive option was
added to tripleo-heat-templates. change:
If3fa975e8243dfe30ef67ec81db891943a94a9d5

However, it looks like the corresponding change was never added
to the puppet-barbican project. This patch adds the missing
parameter to the barbican::plugins::p11_crypto class.

Partial-bug: #1916386
Change-Id: Idf9dc70cd68d4e594119efcd2a3c3a0e56621c96
Alexey Stupnikov 2021-03-21 14:12:27 +01:00
parent a89b6a97ee
commit 27b1cc2735


@ -57,6 +57,11 @@
# the PKCS#11 client library. # the PKCS#11 client library.
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*p11_crypto_plugin_always_set_cka_sensitive*]
# (optional) Always set CKA_SENSITIVE when generating keys.
# In some HSMs extractable keys cannot be marked sensitive.
# Defaults to $::os_service_default
#
# [*global_default*] # [*global_default*]
# (optional) set plugin as global default # (optional) set plugin as global default
# Defaults to false # Defaults to false
@ -73,17 +78,18 @@ class barbican::plugins::p11_crypto (
$p11_crypto_plugin_mkek_label, $p11_crypto_plugin_mkek_label,
$p11_crypto_plugin_mkek_length, $p11_crypto_plugin_mkek_length,
$p11_crypto_plugin_hmac_label, $p11_crypto_plugin_hmac_label,
$p11_crypto_plugin_token_serial_number = $::os_service_default, $p11_crypto_plugin_token_serial_number = $::os_service_default,
$p11_crypto_plugin_token_labels = $::os_service_default, $p11_crypto_plugin_token_labels = $::os_service_default,
$p11_crypto_plugin_slot_id = $::os_service_default, $p11_crypto_plugin_slot_id = $::os_service_default,
$p11_crypto_plugin_encryption_mechanism = $::os_service_default, $p11_crypto_plugin_encryption_mechanism = $::os_service_default,
$p11_crypto_plugin_hmac_key_type = $::os_service_default, $p11_crypto_plugin_hmac_key_type = $::os_service_default,
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default, $p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
$p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default, $p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
$p11_crypto_plugin_os_locking_ok = $::os_service_default, $p11_crypto_plugin_os_locking_ok = $::os_service_default,
$global_default = false, $p11_crypto_plugin_always_set_cka_sensitive = $::os_service_default,
$global_default = false,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$p11_crypto_plugin_token_label = undef, $p11_crypto_plugin_token_label = undef,
) { ) {
include barbican::deps include barbican::deps
@ -97,20 +103,21 @@ Use the p11_crypto_plugin_token_labels parameter instead')
} }
barbican_config { barbican_config {
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path; 'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
'p11_crypto_plugin/login': value => $p11_crypto_plugin_login; 'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label; 'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length; 'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label; 'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number; 'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number;
'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label_real; 'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label_real;
'p11_crypto_plugin/token_labels': value => $p11_crypto_plugin_token_labels; 'p11_crypto_plugin/token_labels': value => $p11_crypto_plugin_token_labels;
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id; 'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism; 'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type; 'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism; 'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv; 'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok; 'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok;
'p11_crypto_plugin/always_set_cka_sensitive': value => $p11_crypto_plugin_always_set_cka_sensitive;
} }
barbican_config { barbican_config {