Merge "Added Barbican option BarbicanPkcs11AlwaysSetCkaSensitive"

Zuul 2019-01-17 22:25:43 +00:00 committed by Gerrit Code Review
commit 733a7f4ee9
6 changed files with 18 additions and 1 deletions

@ -95,6 +95,10 @@ parameters:
description: Cryptoki Mechanism used to generate Master HMAC Key description: Cryptoki Mechanism used to generate Master HMAC Key
type: string type: string
default: 'CKM_AES_KEY_GEN' default: 'CKM_AES_KEY_GEN'
BarbicanPkcs11AlwaysSetCkaSensitive:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
ThalesHSMNetworkName: ThalesHSMNetworkName:
description: The network that the HSM is listening on. description: The network that the HSM is listening on.
type: string type: string
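Review bot: The description added for `BarbicanPkcs11AlwaysSetCkaSensitive` only restates the attribute name, so it tells an operator neither what the switch protects nor what turning it off costs. In PKCS#11 a key with CKA_SENSITIVE set to CK_TRUE cannot have its value revealed in plaintext outside the token, so `false` is a weakening and the text should say so. Something like `description: Always set CKA_SENSITIVE=CK_TRUE on keys created by the PKCS#11 plugin so key values cannot be read off the HSM in plaintext. Set to false only when the HSM cannot accept this.` would do. The same one-line description is repeated in the second `parameters:` hunk further down. This hunk shows the parameter declared but not consumed; the use may sit outside the hunk, so confirm it is wired in this file.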

@ -17,6 +17,7 @@ parameter_defaults:
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0' BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoATOSEnabled: true BarbicanPkcs11CryptoATOSEnabled: true
BarbicanPkcs11CryptoEnabled: true BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: false
ATOSVars: ATOSVars:
atos_client_working_dir: /tmp/atos_client_install atos_client_working_dir: /tmp/atos_client_install
# atos_client_iso_location: # atos_client_iso_location:
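Review bot: `BarbicanPkcs11AlwaysSetCkaSensitive: false` overrides the template default of `true` with no comment, so anyone deploying the environment that enables the ATOS backend gets non-sensitive key attributes without being told why. Presumably this is an HSM compatibility workaround, but the hunk does not say so. A comment above the line should record the reason, e.g. `# <reason this HSM cannot take CKA_SENSITIVE=CK_TRUE on all keys>; key values are then not protected from plaintext read-out by this attribute.` The same unexplained `false` is added in the next section, the environment that enables the Thales backend. The release note at the end states only that the default is `true` and should mention that these two environments ship `false`.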

@ -18,6 +18,7 @@ parameter_defaults:
BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0' BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
BarbicanPkcs11CryptoThalesEnabled: true BarbicanPkcs11CryptoThalesEnabled: true
BarbicanPkcs11CryptoEnabled: true BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: false
ThalesVars: ThalesVars:
thales_client_working_dir: /tmp/thales_client_install thales_client_working_dir: /tmp/thales_client_install
# thales_client_tarball_location: URI where the CipherTools tarball can be downloaded. # thales_client_tarball_location: URI where the CipherTools tarball can be downloaded.

@ -12,6 +12,7 @@ parameter_defaults:
# BarbicanPkcs11CryptoSlotId: Slot Id for the HSM # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM
# BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
BarbicanPkcs11CryptoEnabled: true BarbicanPkcs11CryptoEnabled: true
BarbicanPkcs11AlwaysSetCkaSensitive: true
resource_registry: resource_registry:
OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../puppet/services/barbican-backend-pkcs11-crypto.yaml

@ -72,6 +72,10 @@ parameters:
description: Generate IVs for CKM_AES_GCM encryption mechanism description: Generate IVs for CKM_AES_GCM encryption mechanism
type: boolean type: boolean
default: true default: true
BarbicanPkcs11AlwaysSetCkaSensitive:
description: Always set CKA_SENSITIVE=CK_TRUE
type: boolean
default: true
BarbicanPkcs11CryptoGlobalDefault: BarbicanPkcs11CryptoGlobalDefault:
description: Whether this plugin is the global default plugin description: Whether this plugin is the global default plugin
type: boolean type: boolean
@ -93,4 +97,5 @@ outputs:
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType} barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_key_type: {get_param: BarbicanPkcs11CryptoHMACKeyType}
barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism} barbican::plugins::p11_crypto::p11_crypto_plugin_hmac_keygen_mechanism: {get_param: BarbicanPkcs11CryptoHMACKeygenMechanism}
barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV} barbican::plugins::p11_crypto::p11_crypto_plugin_aes_gcm_generate_iv: {get_param: BarbicanPkcs11CryptoAESGCMGenerateIV}
barbican::plugins::p11_crypto::p11_crypto_plugin_always_set_cka_sensitive: {get_param: BarbicanPkcs11AlwaysSetCkaSensitive}
barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault} barbican::plugins::p11_crypto::global_default: {get_param: BarbicanPkcs11CryptoGlobalDefault}
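Review bot: The new parameter name drops the `Crypto` segment that its neighbours in this template carry (`BarbicanPkcs11CryptoAESGCMGenerateIV`, `BarbicanPkcs11CryptoGlobalDefault`, `BarbicanPkcs11CryptoHMACKeyType`), which makes it easy to miss when searching for the plugin's settings or auditing an environment for them. If the name can still change, `BarbicanPkcs11CryptoAlwaysSetCkaSensitive:` in the `parameters:` hunk and `{get_param: BarbicanPkcs11CryptoAlwaysSetCkaSensitive}` on the new hiera line would match the existing convention. The environment files and the release note would need the same rename. Both the `parameters:` and `outputs:` blocks begin outside the hunks shown.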

@ -0,0 +1,5 @@
---
features:
- |
Added a new Barbican option `BarbicanPkcs11AlwaysSetCkaSensitive`. The
default value is `true`.