From 8685ed4a4cd3c886a00889bb150fbb3ba2620c8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?=
Date: Mon, 1 Mar 2021 14:43:41 -0600
Subject: [PATCH] Add new options to PKCS#11 backend

This patch adds support for a couple of new new options in the PCKS#11 backends. Namely 'token_labels' and 'os_locking_ok'.

Change-Id: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
---
 manifests/plugins/p11_crypto.pp | 14 ++++++++++++++
 .../notes/add-pkcs11-options-dd38e8f087888595.yaml | 5 +++++
 spec/classes/barbican_plugins_p11_crypto_spec.rb | 6 ++++++
 3 files changed, 25 insertions(+)
 create mode 100644 releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml

diff --git a/manifests/plugins/p11_crypto.pp b/manifests/plugins/p11_crypto.pp
index 2b71de0b..7a157857 100644
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@@ -27,6 +27,11 @@
 # (optional) Label to identify PKCS#11 token
 # Defaults to $::os_service_default
 #
+# [*p11_crypto_plugin_token_labels*]
+# (optional) List of comma-separated labels to identify
+# PKCS#11 tokens to be used.
+# Defaults to $::os_service_default
+#
 # [*p11_crypto_plugin_slot_id*]
 # (optional) HSM Slot id
 # Defaults to $::os_service_default
@@ -51,6 +56,11 @@
 # which is not standard but is required for some HSMs.
 # Defaults to $::os_service_default
 #
+# [*p11_crypto_plugin_os_locking_ok*]
+# (optional) Enable CKF_OS_LOCKING_OK flag when initializing
+# the PKCS#11 client library.
+# Defaults to $::os_service_default
+#
 # [*global_default*]
 # (optional) set plugin as global default
 # Defaults to false
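Review bot: The doc entry for `p11_crypto_plugin_token_labels` in the @@ -27 hunk sits directly under `p11_crypto_plugin_token_label` but never says how the two relate, even though the class writes both keys to the plugin section unconditionally, so an operator cannot tell whether to set one or both. Once the intended precedence is confirmed against the Barbican release this module targets, add a line such as `# Preferred over token_label on releases that support it; set only one of the two.` under the format description. In the @@ -51 hunk the `p11_crypto_plugin_os_locking_ok` entry names the flag but not its effect or type; suggest `# (optional) Boolean. Sets CKF_OS_LOCKING_OK in the C_Initialize arguments, allowing the PKCS#11 library to use native OS locking for multi-threaded access.` in place of the first two comment lines. The class header these comments document starts outside both hunks.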
@@ -63,11 +73,13 @@ class barbican::plugins::p11_crypto (
   $p11_crypto_plugin_hmac_label,
   $p11_crypto_plugin_token_serial_number = $::os_service_default,
   $p11_crypto_plugin_token_label = $::os_service_default,
+  $p11_crypto_plugin_token_labels = $::os_service_default,
   $p11_crypto_plugin_slot_id = $::os_service_default,
   $p11_crypto_plugin_encryption_mechanism = $::os_service_default,
   $p11_crypto_plugin_hmac_key_type = $::os_service_default,
   $p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
   $p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
+  $p11_crypto_plugin_os_locking_ok = $::os_service_default,
   $global_default = false,
 ) {
 
@@ -81,11 +93,13 @@ class barbican::plugins::p11_crypto (
     'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
     'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number;
     'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label;
+    'p11_crypto_plugin/token_labels': value => $p11_crypto_plugin_token_labels;
     'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
     'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
     'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
     'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
     'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
+    'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok;
   }
 
   barbican_config {
diff --git a/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml b/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
new file mode 100644
index 00000000..4c57336a
--- /dev/null
+++ b/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added support for a couple of new options for the PKCS#11 backend:
+    ``[p11_crypto]\token_labels`` and ``[p11_crypto]\os_locking_ok``.
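Review bot: The keys added at `'p11_crypto_plugin/token_labels'` and `'p11_crypto_plugin/os_locking_ok'` in the @@ -81 hunk are written to the `p11_crypto_plugin` section, but the release note added by this commit calls them `[p11_crypto]\token_labels` and `[p11_crypto]\os_locking_ok`; the note should name the section the manifest actually writes, and the backslash reads as a typo. Separately, `token_labels` is passed through verbatim: a caller who supplies an Array for a parameter documented as a list would get Ruby's array rendering in the ini file unless `barbican_config` already flattens arrays, so consider `'p11_crypto_plugin/token_labels': value => join(any2array($p11_crypto_plugin_token_labels), ',');` if stdlib is available to this module, with a matching Array example in the spec. The `$::os_service_default` default survives that join unchanged. The enclosing class body continues outside both hunks.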
diff --git a/spec/classes/barbican_plugins_p11_crypto_spec.rb b/spec/classes/barbican_plugins_p11_crypto_spec.rb
index 69a825e3..3b002eeb 100644
--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
@@ -31,12 +31,14 @@ describe 'barbican::plugins::p11_crypto' do
       :p11_crypto_plugin_hmac_label => 'hmac_label',
       :p11_crypto_plugin_token_serial_number => 'token_serial',
       :p11_crypto_plugin_token_label => 'token_label',
+      :p11_crypto_plugin_token_labels => 'token_label1,token_label2',
       :p11_crypto_plugin_slot_id => 1,
       :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
       :p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
       :p11_crypto_plugin_hmac_key_type => 'CKK_AES',
       :p11_crypto_plugin_hmac_keygen_mechanism => 'CKM_AES_KEY_GEN',
       :p11_crypto_plugin_aes_gcm_generate_iv => false,
+      :p11_crypto_plugin_os_locking_ok => false,
       :global_default => true,
     }
   end
@@ -54,6 +56,8 @@ describe 'barbican::plugins::p11_crypto' do
         .with_value(params[:p11_crypto_plugin_token_serial_number])
       is_expected.to contain_barbican_config('p11_crypto_plugin/token_label') \
         .with_value(params[:p11_crypto_plugin_token_label])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/token_labels') \
+        .with_value(params[:p11_crypto_plugin_token_labels])
       is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
         .with_value(params[:p11_crypto_plugin_slot_id])
       is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
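Review bot: The new expectation for `'p11_crypto_plugin/token_labels'` in the @@ -54 hunk (and the one for `'p11_crypto_plugin/os_locking_ok'` in the @@ -66 hunk) only runs under the explicit-value `params` hash, so nothing verifies that leaving the two parameters unset still yields the service default. If the spec has a defaults context outside these hunks, add `is_expected.to contain_barbican_config('p11_crypto_plugin/token_labels').with_value('<SERVICE DEFAULT>')` there and the same line for `os_locking_ok`, so a regression in the `$::os_service_default` defaults is caught. The value `'token_label1,token_label2'` pins the comma-separated string form the manifest passes through, which is the right thing to assert. The surrounding `describe` and `it` blocks start and end outside the hunks.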
@@ -66,6 +70,8 @@ describe 'barbican::plugins::p11_crypto' do
         .with_value(params[:p11_crypto_plugin_hmac_keygen_mechanism])
       is_expected.to contain_barbican_config('p11_crypto_plugin/aes_gcm_generate_iv') \
         .with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
+      is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok') \
+        .with_value(params[:p11_crypto_plugin_os_locking_ok])
       is_expected.to contain_barbican_config(
         'secretstore:pkcs11/secret_store_plugin') \
         .with_value('store_crypto')