From dae066a4ae6d5cfa902062baa60dec3bf964e975 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 5 Oct 2018 19:13:08 +0000
Subject: [PATCH] Add HSM related parameters
Added HSM related parameters to pkcs11 plugin manifest.
Change-Id: I08fafe1bc7bce02ad8eda6c4edd7a437d240d999
Co-Authored-By: Douglas Mendizabal
---
 manifests/plugins/p11_crypto.pp | 57 ++++++++++++++-----
 .../add-hsm-parameters-dd1d97ebc6034292.yaml | 5 ++
 .../barbican_plugins_p11_crypto_spec.rb | 26 ++++++---
 3 files changed, 68 insertions(+), 20 deletions(-)
 create mode 100644 releasenotes/notes/add-hsm-parameters-dd1d97ebc6034292.yaml
diff --git a/manifests/plugins/p11_crypto.pp b/manifests/plugins/p11_crypto.pp
index afc23ac7..289f9553 100644
--- a/manifests/plugins/p11_crypto.pp
+++ b/manifests/plugins/p11_crypto.pp
@@ -33,22 +33,49 @@
 # Required if p11_crypto_plugin is enabled.
 # Defaults to undef
 #
+# [*p11_crypto_plugin_encryption_mechanism*]
+# (optional) PKCS#11 Mechanism used for encryption
+# Defaults to $::os_service_default
+#
+# [*p11_crypto_plugin_hmac_key_type*]
+# (optional) PKCS#11 Key Type for key used in HMAC
+# operations.
+# Defaults to $::os_service_default
+#
+# [*p11_crypto_plugin_hmac_keygen_mechanism*]
+# (optional) PKCS#11 Mechanism used to generate HMAC Key
+# Defaults to $::os_service_default
+#
+# [*p11_crypto_plugin_aes_gcm_generate_iv*]
+# (optional) When using the CKM_AES_GCM mechanism, this option
+# specifies whether the IV should be generated by Barbican.
+# Setting this to false will defer IV generation to the HSM
+# which is not standard but is required for some HSMs.
+# Defaults to $::os_service_default
+#
 # [*global_default*]
 # (optional) set plugin as global default
 # Defaults to false
 #
 class barbican::plugins::p11_crypto (
- $p11_crypto_plugin_library_path = $::os_service_default,
- $p11_crypto_plugin_login = undef,
- $p11_crypto_plugin_mkek_label = undef,
- $p11_crypto_plugin_mkek_length = undef,
- $p11_crypto_plugin_hmac_label = undef,
- $p11_crypto_plugin_slot_id = undef,
- $global_default = false,
+ $p11_crypto_plugin_library_path = undef,
+ $p11_crypto_plugin_login = undef,
+ $p11_crypto_plugin_mkek_label = undef,
+ $p11_crypto_plugin_mkek_length = undef,
+ $p11_crypto_plugin_hmac_label = undef,
+ $p11_crypto_plugin_slot_id = undef,
+ $p11_crypto_plugin_encryption_mechanism = $::os_service_default,
+ $p11_crypto_plugin_hmac_key_type = $::os_service_default,
+ $p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
+ $p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
+ $global_default = false,
 ) {
 include ::barbican::deps
+ if $p11_crypto_plugin_library_path == undef {
+ fail('p11_crypto_plugin_library_path must be defined')
+ }
 if $p11_crypto_plugin_login == undef {
 fail('p11_crypto_plugin_login must be
defined')
 }
@@ -66,12 +93,16 @@ class barbican::plugins::p11_crypto (
 }
 barbican_config {
- 'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
- 'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
- 'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
- 'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
- 'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
- 'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
+ 'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
+ 'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
+ 'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
+ 'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
+ 'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
+ 'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
+ 'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
+ 'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
+ 'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
+ 'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
 }
 barbican_config {
diff --git a/releasenotes/notes/add-hsm-parameters-dd1d97ebc6034292.yaml b/releasenotes/notes/add-hsm-parameters-dd1d97ebc6034292.yaml
new file mode 100644
index 00000000..28ea774d
--- /dev/null
+++ b/releasenotes/notes/add-hsm-parameters-dd1d97ebc6034292.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add parameters for the PKCS#11 plugin to allow integration of the ATOS
+ and Thales HSMs.
diff --git a/spec/classes/barbican_plugins_p11_crypto_spec.rb b/spec/classes/barbican_plugins_p11_crypto_spec.rb
index c5bc4466..9c21b8f6 100644
--- a/spec/classes/barbican_plugins_p11_crypto_spec.rb
+++ b/spec/classes/barbican_plugins_p11_crypto_spec.rb
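Review bot: The new `$p11_crypto_plugin_aes_gcm_generate_iv` parameter is written straight through to the config with no validation, and its comment block only calls deferring IV generation to the HSM "not standard"; with AES-GCM a repeated IV under the same key compromises both confidentiality and the authentication tag, so the comment should say what the operator has to verify before setting it to false. I would extend the `[*p11_crypto_plugin_aes_gcm_generate_iv*]` block with `# Only set this to false when the HSM is known to generate a unique IV` / `# for every encryption under the same key; IV reuse with AES-GCM defeats` / `# the mode's confidentiality and integrity guarantees.` Separately, changing the default of `$p11_crypto_plugin_library_path` from `$::os_service_default` to `undef` and adding the `fail()` turns a previously optional parameter into a required one, which the release note in this commit does not mention; an `upgrade:` entry describing that would help anyone relying on the old default. The new `if … == undef` guard mirrors the existing check on `$p11_crypto_plugin_login`; the rest of the class body continues outside the hunk.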
@@ -25,13 +25,17 @@ describe 'barbican::plugins::p11_crypto' do
 describe 'with pk11 plugin' do
 let :params do
 {
- :p11_crypto_plugin_login => 'p11_user',
- :p11_crypto_plugin_mkek_label => 'mkek_label',
- :p11_crypto_plugin_mkek_length => 32,
- :p11_crypto_plugin_hmac_label => 'hmac_label',
- :p11_crypto_plugin_slot_id => 1,
- :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
- :global_default => true,
+ :p11_crypto_plugin_login => 'p11_user',
+ :p11_crypto_plugin_mkek_label => 'mkek_label',
+ :p11_crypto_plugin_mkek_length => 32,
+ :p11_crypto_plugin_hmac_label => 'hmac_label',
+ :p11_crypto_plugin_slot_id => 1,
+ :p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
+ :p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
+ :p11_crypto_plugin_hmac_key_type => 'CKK_AES',
+ :p11_crypto_plugin_hmac_keygen_mechanism => 'CKM_AES_KEY_GEN',
+ :p11_crypto_plugin_aes_gcm_generate_iv => false,
+ :global_default => true,
 }
 end
@@ -48,6 +52,14 @@ describe 'barbican::plugins::p11_crypto' do
 .with_value(params[:p11_crypto_plugin_slot_id])
 is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
 .with_value(params[:p11_crypto_plugin_library_path])
+ is_expected.to contain_barbican_config('p11_crypto_plugin/encryption_mechanism') \
+ .with_value(params[:p11_crypto_plugin_encryption_mechanism])
+ is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_key_type') \
+ .with_value(params[:p11_crypto_plugin_hmac_key_type])
+ is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_keygen_mechanism') \
+ .with_value(params[:p11_crypto_plugin_hmac_keygen_mechanism])
+ is_expected.to contain_barbican_config('p11_crypto_plugin/aes_gcm_generate_iv') \
+ .with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
 is_expected.to contain_barbican_config(
 'secretstore:pkcs11/secret_store_plugin') \
 .with_value('store_crypto')
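Review bot: The new assertions only check that the four added config keys are written when every parameter is supplied; nothing in the spec exercises the `fail('p11_crypto_plugin_library_path must be defined')` guard that this commit adds to the manifest, so dropping that guard or restoring the old `$::os_service_default` default would go unnoticed. A separate example that omits `:p11_crypto_plugin_library_path` from the params and expects catalog compilation to fail with that message would cover it; the same structure could also confirm that the four new keys fall back to `$::os_service_default` when not set. The enclosing `describe 'barbican::plugins::p11_crypto'` block starts and ends outside both hunks.
```ruby
  describe 'without p11_crypto_plugin_library_path' do
    let :params do
      {
        :p11_crypto_plugin_login       => 'p11_user',
        :p11_crypto_plugin_mkek_label  => 'mkek_label',
        :p11_crypto_plugin_mkek_length => 32,
        :p11_crypto_plugin_hmac_label  => 'hmac_label',
        :p11_crypto_plugin_slot_id     => 1,
      }
    end

    it 'fails to compile without a library path' do
      expect { is_expected.to contain_class('barbican::plugins::p11_crypto') }
        .to raise_error(Puppet::Error, /p11_crypto_plugin_library_path must be defined/)
    end
  end
```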