Merge "Fix Safenet HSM regression in PKCS#11"

This commit is contained in:
Zuul 2019-01-16 16:36:02 +00:00 committed by Gerrit Code Review
commit 2c9a4b33bc
3 changed files with 15 additions and 2 deletions

View File

@ -81,6 +81,10 @@ p11_crypto_plugin_opts = [
cfg.BoolOpt('aes_gcm_generate_iv',
help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
default=True, deprecated_name='generate_iv'),
cfg.BoolOpt('always_set_cka_sensitive',
help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
'CKA_EXTRACTABLE=CK_TRUE keys.'),
default=True),
]
CONF.register_group(p11_crypto_plugin_group)
CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -302,6 +306,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
ffi=ffi,
seed_random_buffer=seed_random_buffer,
generate_iv=plugin_conf.aes_gcm_generate_iv,
always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
)
def _reinitialize_pkcs11(self):

View File

@ -356,7 +356,7 @@ class PKCS11(object):
encryption_mechanism=None,
ffi=None, algorithm=None,
seed_random_buffer=None,
generate_iv=None):
generate_iv=None, always_set_cka_sensitive=None):
if algorithm:
LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
encryption_mechanism = encryption_mechanism or algorithm
@ -385,6 +385,7 @@ class PKCS11(object):
self.noncesize = 12
self.gcmtagsize = 16
self.generate_iv = generate_iv
self.always_set_cka_sensitive = always_set_cka_sensitive
# Validate configuration and RNG
session = self.get_session()
@ -583,7 +584,7 @@ class PKCS11(object):
token = master_key
extractable = not master_key
# in some HSMs extractable keys cannot be marked sensitive
sensitive = not extractable
sensitive = self.always_set_cka_sensitive or not extractable
ck_attributes = [
Attribute(CKA_CLASS, CKO_SECRET_KEY),

View File

@ -0,0 +1,7 @@
---
fixes:
- |
Fixed Story #2004734: Added a new option `always_set_cka_sensitive` to
fix a regression that affected Safenet HSMs. The option defaults to `True`
as required by Safenet HSMs. Other HSMs may require it be set to `False`.