Add support for always_set_cka_sensitive parameter
Some time ago BarbicanPkcs11AlwaysSetCkaSensitive option was added to tripleo-heat-templates. change: If3fa975e8243dfe30ef67ec81db891943a94a9d5 At the same time, it looks like relevant change was not added to puppet-barbican project. This patch adds missing parameter to barbican::plugins::p11_crypto class. Backport note: This backport includes the subsequent commit[1] which added a unit test case for the new parameter. [1]d7e27eb854
Partial-bug: #1916386 Change-Id: Idf9dc70cd68d4e594119efcd2a3c3a0e56621c96 (cherry picked from commit27b1cc2735
) (cherry picked from commitb44996d6c2
)
This commit is contained in:
parent
d9e6c9757c
commit
e2efcba0b9
|
@ -70,6 +70,11 @@
|
|||
# the PKCS#11 client library.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*p11_crypto_plugin_always_set_cka_sensitive*]
|
||||
# (optional) Always set CKA_SENSITIVE when generating keys.
|
||||
# In some HSMs extractable keys cannot be marked sensitive.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*global_default*]
|
||||
# (optional) set plugin as global default
|
||||
# Defaults to false
|
||||
|
@ -89,6 +94,7 @@ class barbican::plugins::p11_crypto (
|
|||
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
|
||||
$p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
|
||||
$p11_crypto_plugin_os_locking_ok = $::os_service_default,
|
||||
$p11_crypto_plugin_always_set_cka_sensitive = $::os_service_default,
|
||||
$global_default = false,
|
||||
) {
|
||||
|
||||
|
@ -125,6 +131,7 @@ class barbican::plugins::p11_crypto (
|
|||
'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
|
||||
'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
|
||||
'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok;
|
||||
'p11_crypto_plugin/always_set_cka_sensitive': value => $p11_crypto_plugin_always_set_cka_sensitive;
|
||||
}
|
||||
|
||||
barbican_config {
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- |
|
||||
Support for the ``[p11_crypto_plugin] always_set_cka_sensitive`` parameter
|
||||
has been added.
|
||||
|
|
@ -39,6 +39,7 @@ describe 'barbican::plugins::p11_crypto' do
|
|||
:p11_crypto_plugin_hmac_keygen_mechanism => 'CKM_AES_KEY_GEN',
|
||||
:p11_crypto_plugin_aes_gcm_generate_iv => false,
|
||||
:p11_crypto_plugin_os_locking_ok => false,
|
||||
:p11_crypto_plugin_always_set_cka_sensitive => true,
|
||||
:global_default => true,
|
||||
}
|
||||
end
|
||||
|
@ -72,6 +73,8 @@ describe 'barbican::plugins::p11_crypto' do
|
|||
.with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
|
||||
is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok') \
|
||||
.with_value(params[:p11_crypto_plugin_os_locking_ok])
|
||||
is_expected.to contain_barbican_config('p11_crypto_plugin/always_set_cka_sensitive') \
|
||||
.with_value(params[:p11_crypto_plugin_always_set_cka_sensitive])
|
||||
is_expected.to contain_barbican_config(
|
||||
'secretstore:pkcs11/secret_store_plugin') \
|
||||
.with_value('store_crypto')
|
||||
|
|
Loading…
Reference in New Issue