
Add new options to PKCS#11 backend

This patch adds support for a couple of new options in the
PKCS#11 backends, namely 'token_labels' and 'os_locking_ok'.

Change-Id: Iba7013dd6e1b1e4650b25cd4dd8dc1f355ceb538
(cherry picked from commit 8685ed4a4c)
(cherry picked from commit 46a343434b)
(cherry picked from commit d9e6c9757c)
changes/24/782124/1
Douglas Mendizábal 2 months ago
parent
commit
f3ecb1f8f2
3 changed files with 25 additions and 0 deletions
  1. +14
    -0
      manifests/plugins/p11_crypto.pp
  2. +5
    -0
      releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
  3. +6
    -0
      spec/classes/barbican_plugins_p11_crypto_spec.rb

+ 14
- 0
manifests/plugins/p11_crypto.pp View File

@ -36,6 +36,11 @@
# (optional) Label to identify PKCS#11 token
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_token_labels*]
# (optional) List of comma-separated labels to identify
# PKCS#11 tokens to be used.
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_slot_id*]
# (optional) HSM Slot id
# Defaults to $::os_service_default
@ -60,6 +65,11 @@
# which is not standard but is required for some HSMs.
# Defaults to $::os_service_default
#
# [*p11_crypto_plugin_os_locking_ok*]
# (optional) Enable CKF_OS_LOCKING_OK flag when initializing
# the PKCS#11 client library.
# Defaults to $::os_service_default
#
# [*global_default*]
# (optional) set plugin as global default
# Defaults to false
@ -72,11 +82,13 @@ class barbican::plugins::p11_crypto (
$p11_crypto_plugin_hmac_label = undef,
$p11_crypto_plugin_token_serial_number = $::os_service_default,
$p11_crypto_plugin_token_label = $::os_service_default,
$p11_crypto_plugin_token_labels = $::os_service_default,
$p11_crypto_plugin_slot_id = $::os_service_default,
$p11_crypto_plugin_encryption_mechanism = $::os_service_default,
$p11_crypto_plugin_hmac_key_type = $::os_service_default,
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
$p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
$p11_crypto_plugin_os_locking_ok = $::os_service_default,
$global_default = false,
) {
@ -106,11 +118,13 @@ class barbican::plugins::p11_crypto (
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
'p11_crypto_plugin/token_serial_number': value => $p11_crypto_plugin_token_serial_number;
'p11_crypto_plugin/token_label': value => $p11_crypto_plugin_token_label;
'p11_crypto_plugin/token_labels': value => $p11_crypto_plugin_token_labels;
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
'p11_crypto_plugin/os_locking_ok': value => $p11_crypto_plugin_os_locking_ok;
}
barbican_config {
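Review bot: The documentation added for `p11_crypto_plugin_token_labels` does not say how it interacts with the existing `p11_crypto_plugin_token_label`, `p11_crypto_plugin_token_serial_number` and `p11_crypto_plugin_slot_id`, and the class writes all four to the service configuration unchanged. Because these settings decide which HSM token holds the key material, I would add a line to the parameter block such as `# If token_label, token_serial_number or slot_id are also set, check the Barbican documentation for which one takes precedence.` The description of `p11_crypto_plugin_os_locking_ok` should also state the expected type, presumably a boolean since the spec passes `false`. Separately, the release note in this commit names the section as `[p11_crypto]`, while the settings written here are under `p11_crypto_plugin/`; the two should agree. The class body starts and ends outside the visible hunks.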


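--- a/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
+++ b/releasenotes/notes/add-pkcs11-options-dd38e8f087888595.yaml
@@ -0,0 +1,5 @@
+---
+features:
+- |
+Added support for a couple of new options for the PKCS#11 backend:
+``[p11_crypto]\token_labels`` and ``[p11_crypto]\os_locking_ok``.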

+ 6
- 0
spec/classes/barbican_plugins_p11_crypto_spec.rb View File

@ -31,12 +31,14 @@ describe 'barbican::plugins::p11_crypto' do
:p11_crypto_plugin_hmac_label => 'hmac_label',
:p11_crypto_plugin_token_serial_number => 'token_serial',
:p11_crypto_plugin_token_label => 'token_label',
:p11_crypto_plugin_token_labels => 'token_label1,token_label2',
:p11_crypto_plugin_slot_id => 1,
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
:p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
:p11_crypto_plugin_hmac_key_type => 'CKK_AES',
:p11_crypto_plugin_hmac_keygen_mechanism => 'CKM_AES_KEY_GEN',
:p11_crypto_plugin_aes_gcm_generate_iv => false,
:p11_crypto_plugin_os_locking_ok => false,
:global_default => true,
}
end
@ -54,6 +56,8 @@ describe 'barbican::plugins::p11_crypto' do
.with_value(params[:p11_crypto_plugin_token_serial_number])
is_expected.to contain_barbican_config('p11_crypto_plugin/token_label') \
.with_value(params[:p11_crypto_plugin_token_label])
is_expected.to contain_barbican_config('p11_crypto_plugin/token_labels') \
.with_value(params[:p11_crypto_plugin_token_labels])
is_expected.to contain_barbican_config('p11_crypto_plugin/slot_id') \
.with_value(params[:p11_crypto_plugin_slot_id])
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
@ -66,6 +70,8 @@ describe 'barbican::plugins::p11_crypto' do
.with_value(params[:p11_crypto_plugin_hmac_keygen_mechanism])
is_expected.to contain_barbican_config('p11_crypto_plugin/aes_gcm_generate_iv') \
.with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok') \
.with_value(params[:p11_crypto_plugin_os_locking_ok])
is_expected.to contain_barbican_config(
'secretstore:pkcs11/secret_store_plugin') \
.with_value('store_crypto')
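Review bot: Both new assertions sit in the context that sets every parameter explicitly, so nothing visible here checks what is written when `p11_crypto_plugin_token_labels` and `p11_crypto_plugin_os_locking_ok` are left unset. If the spec has a defaults context outside these hunks, it would be worth asserting there that both settings resolve to the service default, e.g. `is_expected.to contain_barbican_config('p11_crypto_plugin/os_locking_ok').with_value('<SERVICE DEFAULT>')`. That would catch a later change that hard-codes a value for the locking flag or the token selection. The `describe` block starts and ends outside the hunks.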

