openstack/barbican
Code Issues Proposed changes

Use system locks in pkcs11 library

Browse Source 
This patch adds a new option to the PKCS#11 backend: `os_locking_ok`.
When set to true, the flag CKF_OS_LOCKING_OK is passed to the
C_Initialize function for the client library.

Change-Id: Iaa2a82718cb75e291a0b81b896bd136c29fa6fa0
This commit is contained in:
Douglas Mendizábal 2021-01-29 16:30:42 -06:00
parent 5ff7b4ca14
commit b5b350b4ce
3 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
barbican/plugin/crypto/p11_crypto.py
View File

@ -97,6 +97,10 @@ p11_crypto_plugin_opts = [
help=u._('Always set CKA_SENSITIVE=CK_TRUE including ' help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
'CKA_EXTRACTABLE=CK_TRUE keys.'), 'CKA_EXTRACTABLE=CK_TRUE keys.'),
default=True), default=True),
cfg.BoolOpt('os_locking_ok',
help=u._('Enable CKF_OS_LOCKING_OK flag when initializing the '
'PKCS#11 client library.'),
default=False),
] ]
CONF.register_group(p11_crypto_plugin_group) CONF.register_group(p11_crypto_plugin_group)
CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group) CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -326,7 +330,8 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive, always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
hmac_keywrap_mechanism=plugin_conf.hmac_keywrap_mechanism, hmac_keywrap_mechanism=plugin_conf.hmac_keywrap_mechanism,
token_serial_number=plugin_conf.token_serial_number, token_serial_number=plugin_conf.token_serial_number,
token_label=plugin_conf.token_label token_label=plugin_conf.token_label,
os_locking_ok=plugin_conf.os_locking_ok
) )
def _reinitialize_pkcs11(self): def _reinitialize_pkcs11(self):

38
barbican/plugin/crypto/pkcs11.py
View File

@ -34,6 +34,7 @@ CKR_OK = 0
CK_TRUE = 1 CK_TRUE = 1
CKF_RW_SESSION = (1 << 1) CKF_RW_SESSION = (1 << 1)
CKF_SERIAL_SESSION = (1 << 2) CKF_SERIAL_SESSION = (1 << 2)
CKF_OS_LOCKING_OK = 0x02
CKU_SO = 0 CKU_SO = 0
CKU_USER = 1 CKU_USER = 1
@ -279,6 +280,8 @@ def build_ffi():
typedef unsigned long CK_STATE; typedef unsigned long CK_STATE;
typedef unsigned long CK_USER_TYPE; typedef unsigned long CK_USER_TYPE;
typedef unsigned char * CK_UTF8CHAR_PTR; typedef unsigned char * CK_UTF8CHAR_PTR;
typedef void * CK_VOID_PTR;
typedef CK_VOID_PTR * CK_VOID_PTR_PTR;
typedef ... *CK_NOTIFY; typedef ... *CK_NOTIFY;
typedef unsigned long ck_attribute_type_t; typedef unsigned long ck_attribute_type_t;
@ -290,6 +293,20 @@ def build_ffi():
typedef struct ck_attribute CK_ATTRIBUTE; typedef struct ck_attribute CK_ATTRIBUTE;
typedef CK_ATTRIBUTE *CK_ATTRIBUTE_PTR; typedef CK_ATTRIBUTE *CK_ATTRIBUTE_PTR;
typedef CK_RV (*CK_CREATEMUTEX)(CK_VOID_PTR_PTR);
typedef CK_RV (*CK_DESTROYMUTEX)(CK_VOID_PTR);
typedef CK_RV (*CK_LOCKMUTEX)(CK_VOID_PTR);
typedef CK_RV (*CK_UNLOCKMUTEX)(CK_VOID_PTR);
typedef struct CK_C_INITIALIZE_ARGS {
CK_CREATEMUTEX CreateMutex;
CK_DESTROYMUTEX DestroyMutex;
CK_LOCKMUTEX LockMutex;
CK_UNLOCKMUTEX UnlockMutex;
CK_FLAGS flags;
CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;
typedef unsigned long ck_mechanism_type_t; typedef unsigned long ck_mechanism_type_t;
struct ck_mechanism { struct ck_mechanism {
ck_mechanism_type_t mechanism; ck_mechanism_type_t mechanism;
@ -415,7 +432,8 @@ class PKCS11(object):
generate_iv=None, always_set_cka_sensitive=None, generate_iv=None, always_set_cka_sensitive=None,
hmac_keywrap_mechanism='CKM_SHA256_HMAC', hmac_keywrap_mechanism='CKM_SHA256_HMAC',
token_serial_number=None, token_serial_number=None,
token_label=None): token_label=None,
os_locking_ok=False):
if algorithm: if algorithm:
LOG.warning("WARNING: Using deprecated 'algorithm' argument.") LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
encryption_mechanism = encryption_mechanism or algorithm encryption_mechanism = encryption_mechanism or algorithm
@ -433,7 +451,14 @@ class PKCS11(object):
self.ffi = ffi or build_ffi() self.ffi = ffi or build_ffi()
self.lib = self.ffi.dlopen(library_path) self.lib = self.ffi.dlopen(library_path)
rv = self.lib.C_Initialize(self.ffi.NULL)
if os_locking_ok:
init_arg_pt = self.ffi.new("CK_C_INITIALIZE_ARGS *")
init_arg_pt.flags = CKF_OS_LOCKING_OK
else:
init_arg_pt = self.ffi.NULL
rv = self.lib.C_Initialize(init_arg_pt)
self._check_error(rv) self._check_error(rv)
# Session options # Session options
@ -479,13 +504,18 @@ class PKCS11(object):
token_info_ptr = self.ffi.new("CK_TOKEN_INFO_PTR") token_info_ptr = self.ffi.new("CK_TOKEN_INFO_PTR")
rv = self.lib.C_GetTokenInfo(id, token_info_ptr) rv = self.lib.C_GetTokenInfo(id, token_info_ptr)
self._check_error(rv) self._check_error(rv)
tokens.append(Token( token = Token(
id, id,
self.ffi.string(token_info_ptr.label).decode("UTF-8").strip(), self.ffi.string(token_info_ptr.label).decode("UTF-8").strip(),
self.ffi.string( self.ffi.string(
token_info_ptr.serialNumber token_info_ptr.serialNumber
).decode("UTF-8").strip() ).decode("UTF-8").strip()
)) )
LOG.debug("Slot %s: label: %s sn: %s",
token.slot_id,
token.label,
token.serial_number)
tokens.append(token)
# Matching serial number gets highest priority # Matching serial number gets highest priority
if token_serial_number: if token_serial_number:

6
releasenotes/notes/add-os-locking-ok-option-d0cfc5883355632a.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
Added a new boolean option to the PKCS#11 backend: `os_locking_ok`. When
set to True, the flag CKF_OS_LOCKING_OK will be passed to the C_Initialize
function. The new option defaults to False.