Add HSM related parameters
Added HSM related parameters to pkcs11 plugin manifest. Change-Id: I08fafe1bc7bce02ad8eda6c4edd7a437d240d999 Co-Authored-By: Douglas Mendizabal <dmendiza@redhat.com>
This commit is contained in:
parent
fbf25382ba
commit
dae066a4ae
|
@ -33,22 +33,49 @@
|
||||||
# Required if p11_crypto_plugin is enabled.
|
# Required if p11_crypto_plugin is enabled.
|
||||||
# Defaults to undef
|
# Defaults to undef
|
||||||
#
|
#
|
||||||
|
# [*p11_crypto_plugin_encryption_mechanism*]
|
||||||
|
# (optional) PKCS#11 Mechanism used for encryption
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*p11_crypto_plugin_hmac_key_type*]
|
||||||
|
# (optional) PKCS#11 Key Type for key used in HMAC
|
||||||
|
# operations.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*p11_crypto_plugin_hmac_keygen_mechanism*]
|
||||||
|
# (optional) PKCS#11 Mechanism used to generate HMAC Key
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*p11_crypto_plugin_aes_gcm_generate_iv*]
|
||||||
|
# (optional) When using the CKM_AES_GCM mechanism, this option
|
||||||
|
# specifies whether the IV should be generated by Barbican.
|
||||||
|
# Setting this to false will defer IV generation to the HSM
|
||||||
|
# which is not standard but is required for some HSMs.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
# [*global_default*]
|
# [*global_default*]
|
||||||
# (optional) set plugin as global default
|
# (optional) set plugin as global default
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
#
|
#
|
||||||
class barbican::plugins::p11_crypto (
|
class barbican::plugins::p11_crypto (
|
||||||
$p11_crypto_plugin_library_path = $::os_service_default,
|
$p11_crypto_plugin_library_path = undef,
|
||||||
$p11_crypto_plugin_login = undef,
|
$p11_crypto_plugin_login = undef,
|
||||||
$p11_crypto_plugin_mkek_label = undef,
|
$p11_crypto_plugin_mkek_label = undef,
|
||||||
$p11_crypto_plugin_mkek_length = undef,
|
$p11_crypto_plugin_mkek_length = undef,
|
||||||
$p11_crypto_plugin_hmac_label = undef,
|
$p11_crypto_plugin_hmac_label = undef,
|
||||||
$p11_crypto_plugin_slot_id = undef,
|
$p11_crypto_plugin_slot_id = undef,
|
||||||
$global_default = false,
|
$p11_crypto_plugin_encryption_mechanism = $::os_service_default,
|
||||||
|
$p11_crypto_plugin_hmac_key_type = $::os_service_default,
|
||||||
|
$p11_crypto_plugin_hmac_keygen_mechanism = $::os_service_default,
|
||||||
|
$p11_crypto_plugin_aes_gcm_generate_iv = $::os_service_default,
|
||||||
|
$global_default = false,
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::barbican::deps
|
include ::barbican::deps
|
||||||
|
|
||||||
|
if $p11_crypto_plugin_library_path == undef {
|
||||||
|
fail('p11_crypto_plugin_library_path must be defined')
|
||||||
|
}
|
||||||
if $p11_crypto_plugin_login == undef {
|
if $p11_crypto_plugin_login == undef {
|
||||||
fail('p11_crypto_plugin_login must be defined')
|
fail('p11_crypto_plugin_login must be defined')
|
||||||
}
|
}
|
||||||
|
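Review bot: The doc comment for the new `p11_crypto_plugin_aes_gcm_generate_iv` parameter says `false` defers IV generation to the HSM but does not state the condition under which that is safe; AES-GCM is only secure if an IV never repeats under the same key, so the comment should say so. Suggested line after `# which is not standard but is required for some HSMs.`: `# Only set to false if the HSM guarantees unique IVs per key; a repeated AES-GCM IV breaks confidentiality and authentication.` The four new parameters are also passed through to the config without any type or value check, so a mis-typed value is only caught by Barbican at runtime; if the module already uses Puppet data types or stdlib validators elsewhere, the boolean case could be constrained (the `$::os_service_default` default must still be accepted). The class body continues in the next hunk.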
@ -66,12 +93,16 @@ class barbican::plugins::p11_crypto (
|
||||||
}
|
}
|
||||||
|
|
||||||
barbican_config {
|
barbican_config {
|
||||||
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
|
'p11_crypto_plugin/library_path': value => $p11_crypto_plugin_library_path;
|
||||||
'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
|
'p11_crypto_plugin/login': value => $p11_crypto_plugin_login;
|
||||||
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
|
'p11_crypto_plugin/mkek_label': value => $p11_crypto_plugin_mkek_label;
|
||||||
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
|
'p11_crypto_plugin/mkek_length': value => $p11_crypto_plugin_mkek_length;
|
||||||
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
|
'p11_crypto_plugin/hmac_label': value => $p11_crypto_plugin_hmac_label;
|
||||||
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
|
'p11_crypto_plugin/slot_id': value => $p11_crypto_plugin_slot_id;
|
||||||
|
'p11_crypto_plugin/encryption_mechanism': value => $p11_crypto_plugin_encryption_mechanism;
|
||||||
|
'p11_crypto_plugin/hmac_key_type': value => $p11_crypto_plugin_hmac_key_type;
|
||||||
|
'p11_crypto_plugin/hmac_keygen_mechanism': value => $p11_crypto_plugin_hmac_keygen_mechanism;
|
||||||
|
'p11_crypto_plugin/aes_gcm_generate_iv': value => $p11_crypto_plugin_aes_gcm_generate_iv;
|
||||||
}
|
}
|
||||||
|
|
||||||
barbican_config {
|
barbican_config {
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add parameters for the PKCS#11 plugin to allow integration of the ATOS
|
||||||
|
and Thales HSMs.
|
|
@ -25,13 +25,17 @@ describe 'barbican::plugins::p11_crypto' do
|
||||||
describe 'with pk11 plugin' do
|
describe 'with pk11 plugin' do
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:p11_crypto_plugin_login => 'p11_user',
|
:p11_crypto_plugin_login => 'p11_user',
|
||||||
:p11_crypto_plugin_mkek_label => 'mkek_label',
|
:p11_crypto_plugin_mkek_label => 'mkek_label',
|
||||||
:p11_crypto_plugin_mkek_length => 32,
|
:p11_crypto_plugin_mkek_length => 32,
|
||||||
:p11_crypto_plugin_hmac_label => 'hmac_label',
|
:p11_crypto_plugin_hmac_label => 'hmac_label',
|
||||||
:p11_crypto_plugin_slot_id => 1,
|
:p11_crypto_plugin_slot_id => 1,
|
||||||
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
|
:p11_crypto_plugin_library_path => '/usr/lib/libCryptoki2_64.so',
|
||||||
:global_default => true,
|
:p11_crypto_plugin_encryption_mechanism => 'CKM_AES_CBC',
|
||||||
|
:p11_crypto_plugin_hmac_key_type => 'CKK_AES',
|
||||||
|
:p11_crypto_plugin_hmac_keygen_mechanism => 'CKM_AES_KEY_GEN',
|
||||||
|
:p11_crypto_plugin_aes_gcm_generate_iv => false,
|
||||||
|
:global_default => true,
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
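Review bot: The manifest in this commit adds a new `fail('p11_crypto_plugin_library_path must be defined')` branch, but neither this spec hunk nor the following one exercises it; unless such a case exists elsewhere in the file, add a context that omits `:p11_crypto_plugin_library_path` and asserts `is_expected.to raise_error(Puppet::Error, /p11_crypto_plugin_library_path must be defined/)`. The params block here only covers the fully-specified path, so the `$::os_service_default` defaults of the four new parameters are also left untested. The enclosing `describe` block starts before and continues past this hunk.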
@ -48,6 +52,14 @@ describe 'barbican::plugins::p11_crypto' do
|
||||||
.with_value(params[:p11_crypto_plugin_slot_id])
|
.with_value(params[:p11_crypto_plugin_slot_id])
|
||||||
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
|
is_expected.to contain_barbican_config('p11_crypto_plugin/library_path') \
|
||||||
.with_value(params[:p11_crypto_plugin_library_path])
|
.with_value(params[:p11_crypto_plugin_library_path])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/encryption_mechanism') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_encryption_mechanism])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_key_type') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_hmac_key_type])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/hmac_keygen_mechanism') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_hmac_keygen_mechanism])
|
||||||
|
is_expected.to contain_barbican_config('p11_crypto_plugin/aes_gcm_generate_iv') \
|
||||||
|
.with_value(params[:p11_crypto_plugin_aes_gcm_generate_iv])
|
||||||
is_expected.to contain_barbican_config(
|
is_expected.to contain_barbican_config(
|
||||||
'secretstore:pkcs11/secret_store_plugin') \
|
'secretstore:pkcs11/secret_store_plugin') \
|
||||||
.with_value('store_crypto')
|
.with_value('store_crypto')
|
||||||
|
|