Add support for always_set_cka_sensitive parameter

Some time ago BarbicanPkcs11AlwaysSetCkaSensitive option was
added to tripleo-heat-templates. change:
If3fa975e8243dfe30ef67ec81db891943a94a9d5

At the same time, it looks like relevant change was not added
to puppet-barbican project. This patch adds missing parameter
to barbican::plugins::p11_crypto class.

Partial-bug: #1916386
Change-Id: Idf9dc70cd68d4e594119efcd2a3c3a0e56621c96
This commit is contained in:
Alexey Stupnikov 2021-03-21 14:12:27 +01:00
parent a89b6a97ee
commit 27b1cc2735
1 changed files with 31 additions and 24 deletions

View File

@ -57,6 +57,11 @@
# the PKCS#11 client library.
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_always_set_cka_sensitive*]
# (optional) Always set CKA_SENSITIVE when generating keys.
# In some HSMs extractable keys cannot be marked sensitive.
# Defaults to $::os_service_default
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
@ -81,6 +86,7 @@ class barbican::plugins::p11_crypto (
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
$p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
$p11_crypto_plugin_os_locking_ok = $::os_service_default,
$p11_crypto_plugin_always_set_cka_sensitive = $::os_service_default,
$global_default = false,
# DEPRECATED PARAMETERS
$p11_crypto_plugin_token_label = undef,
@ -111,6 +117,7 @@ Use the p11_crypto_plugin_token_labels parameter instead')
'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok;
'p11_crypto_plugin/always_set_cka_sensitive': value => $p11_crypto_plugin_always_set_cka_sensitive;
}
barbican_config {