Add p11_crypto_plugin token options
This patch adds support for two new options in the p11_crypto_plugin section of the config file. Depends-On: I115cf1a7006a6c85f37c5e50ded13134a3dfd1a3 Change-Id: I84b66d56a0914ea9e10eebb44c99ba2951ddba61
parent
ed44272a2e
commit
432a34e076
|
@ -19,8 +19,17 @@
|
||||||
# [*p11_crypto_plugin_hmac_label*]
|
# [*p11_crypto_plugin_hmac_label*]
|
||||||
# (required) Label to identify master KEK in the HSM
|
# (required) Label to identify master KEK in the HSM
|
||||||
#
|
#
|
||||||
|
# [*p11_crypto_plugin_token_serial_number*]
|
||||||
|
# (optional) Serial number to identify PKCS#11 token
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*p11_crypto_plugin_token_label*]
|
||||||
|
# (optional) Label to identify PKCS#11 token
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
# [*p11_crypto_plugin_slot_id*]
|
# [*p11_crypto_plugin_slot_id*]
|
||||||
# (required) HSM Slot id
|
# (optional) HSM Slot id
|
||||||
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
# [*p11_crypto_plugin_encryption_mechanism*]
|
# [*p11_crypto_plugin_encryption_mechanism*]
|
||||||
# (optional) PKCS#11 Mechanism used for encryption
|
# (optional) PKCS#11 Mechanism used for encryption
|
||||||
|
@ -52,7 +61,9 @@ class barbican::plugins::p11_crypto (
|
||||||
$p11_crypto_plugin_mkek_label = undef,
|
$p11_crypto_plugin_mkek_label = undef,
|
||||||
$p11_crypto_plugin_mkek_length = undef,
|
$p11_crypto_plugin_mkek_length = undef,
|
||||||
$p11_crypto_plugin_hmac_label = undef,
|
$p11_crypto_plugin_hmac_label = undef,
|
||||||
$p11_crypto_plugin_slot_id = undef,
|
$p11_crypto_plugin_token_serial_number = $::os_service_default,
|
||||||
|
$p11_crypto_plugin_token_label = $::os_service_default,
|
||||||
|
$p11_crypto_plugin_slot_id = $::os_service_default,
|
||||||
$p11_crypto_plugin_encryption_mechanism = $::os_service_default,
|
$p11_crypto_plugin_encryption_mechanism = $::os_service_default,
|
||||||
$p11_crypto_plugin_hmac_key_type = $::os_service_default,
|
$p11_crypto_plugin_hmac_key_type = $::os_service_default,
|
||||||
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
|
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
|
||||||
|
@ -77,9 +88,6 @@ class barbican::plugins::p11_crypto (
|
||||||
if $p11_crypto_plugin_hmac_label == undef {
|
if $p11_crypto_plugin_hmac_label == undef {
|
||||||
fail('p11_crypto_plugin_hmac_label must be defined')
|
fail('p11_crypto_plugin_hmac_label must be defined')
|
||||||
}
|
}
|
||||||
if $p11_crypto_plugin_slot_id == undef {
|
|
||||||
fail('p11_crypto_plugin_slot_id must be defined')
|
|
||||||
}
|
|
||||||
|
|
||||||
barbican_config {
|
barbican_config {
|
||||||
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
|
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
|
||||||
|
@ -87,6 +95,8 @@ class barbican::plugins::p11_crypto (
|
||||||
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
|
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
|
||||||
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
|
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
|
||||||
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
|
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
|
||||||
|
'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number;
|
||||||
|
'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label;
|
||||||
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
|
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
|
||||||
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
|
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
|
||||||
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
|
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
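Review bot: With the `fail('p11_crypto_plugin_slot_id must be defined')` guard removed and `p11_crypto_plugin_token_serial_number`, `p11_crypto_plugin_token_label` and `p11_crypto_plugin_slot_id` all defaulting to `$::os_service_default`, a catalog that sets none of the three now compiles. Which HSM token holds the master KEK is then left to whatever Barbican falls back to. The parameter docs in the first hunk describe each option on its own and do not say how the three relate; I would add to the slot_id entry something like `# Only needed when neither token_serial_number nor token_label is set` (precedence to be confirmed against Barbican's own option help). If a silent fallback is not wanted, a single check that fails when all three are still the service default would keep the old safety net. The class body starts and ends outside the visible hunks.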
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added support for two new options for Barbican's PKCS#11 backend. The
|
||||||
|
new options are ``[p11_crypto]token_serial_number`` and
|
||||||
|
``[p11_crypto]token_label``.
|
||||||
|
|
||||||
|
- |
|
||||||
|
The ``barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id`` parameter
|
||||||
|
has become an optional parameter instead of a required one.
|
|
@ -29,6 +29,8 @@ describe 'barbican::plugins::p11_crypto' do
|
||||||
:p11_crypto_plugin_mkek_label => 'mkek_label',
|
:p11_crypto_plugin_mkek_label => 'mkek_label',
|
||||||
:p11_crypto_plugin_mkek_length => 32,
|
:p11_crypto_plugin_mkek_length => 32,
|
||||||
:p11_crypto_plugin_hmac_label => 'hmac_label',
|
:p11_crypto_plugin_hmac_label => 'hmac_label',
|
||||||
|
:p11_crypto_plugin_token_serial_number => 'token_serial',
|
||||||
|
:p11_crypto_plugin_token_label => 'token_label',
|
||||||
:p11_crypto_plugin_slot_id => 1,
|
:p11_crypto_plugin_slot_id => 1,
|
||||||
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
|
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
|
||||||
:p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
|
:p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
|
||||||
|
@ -48,6 +50,10 @@ describe 'barbican::plugins::p11_crypto' do
|
||||||
.with_value(params[:p11_crypto_plugin_mkek_length])
|
.with_value(params[:p11_crypto_plugin_mkek_length])
|
||||||
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \
|
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_label') \
|
||||||
.with_value(params[:p11_crypto_plugin_hmac_label])
|
.with_value(params[:p11_crypto_plugin_hmac_label])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/token_serial_number') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_token_serial_number])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/token_label') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_token_label])
|
||||||
is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
|
is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
|
||||||
.with_value(params[:p11_crypto_plugin_slot_id])
|
.with_value(params[:p11_crypto_plugin_slot_id])
|
||||||
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
|
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
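Review bot: The params hash in the first hunk passes `:p11_crypto_plugin_slot_id`, `:p11_crypto_plugin_token_serial_number` and `:p11_crypto_plugin_token_label` explicitly, so nothing visible here pins the new behaviour that slot_id can be omitted. A second context that leaves those three out and asserts the rendered default, e.g. `is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id').with_value('<SERVICE DEFAULT>')`, would catch a regression if the removed `fail` is ever reintroduced or a default changes. The describe block continues outside the hunks, so such a context may already exist elsewhere in the file.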
|
||||||
|
|