openstack/barbican
Code Issues Proposed changes

Fix Safenet HSM regression in PKCS#11

Browse Source 
This patch adds a new option `always_set_cka_sensitive`
to fix a regression that broke Safenet HSM compatibility.

Change-Id: I158c4c5be75fca73b7e33eec912d3347622e3fa6
Story: 2004734
Task: 28787
This commit is contained in:
Douglas Mendizábal 2019-01-08 13:32:08 -06:00
parent af35f4e475
commit fdfeb7362b
3 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
barbican/plugin/crypto/p11_crypto.py
View File

@ -81,6 +81,10 @@ p11_crypto_plugin_opts = [
cfg.BoolOpt('aes_gcm_generate_iv', cfg.BoolOpt('aes_gcm_generate_iv',
help=u._('Generate IVs for CKM_AES_GCM mechanism.'), help=u._('Generate IVs for CKM_AES_GCM mechanism.'),
default=True, deprecated_name='generate_iv'), default=True, deprecated_name='generate_iv'),
cfg.BoolOpt('always_set_cka_sensitive',
help=u._('Always set CKA_SENSITIVE=CK_TRUE including '
'CKA_EXTRACTABLE=CK_TRUE keys.'),
default=True),
] ]
CONF.register_group(p11_crypto_plugin_group) CONF.register_group(p11_crypto_plugin_group)
CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group) CONF.register_opts(p11_crypto_plugin_opts, group=p11_crypto_plugin_group)
@ -302,6 +306,7 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
ffi=ffi, ffi=ffi,
seed_random_buffer=seed_random_buffer, seed_random_buffer=seed_random_buffer,
generate_iv=plugin_conf.aes_gcm_generate_iv, generate_iv=plugin_conf.aes_gcm_generate_iv,
always_set_cka_sensitive=plugin_conf.always_set_cka_sensitive,
) )
def _reinitialize_pkcs11(self): def _reinitialize_pkcs11(self):

5
barbican/plugin/crypto/pkcs11.py
View File

@ -356,7 +356,7 @@ class PKCS11(object):
encryption_mechanism=None, encryption_mechanism=None,
ffi=None, algorithm=None, ffi=None, algorithm=None,
seed_random_buffer=None, seed_random_buffer=None,
generate_iv=None): generate_iv=None, always_set_cka_sensitive=None):
if algorithm: if algorithm:
LOG.warning("WARNING: Using deprecated 'algorithm' argument.") LOG.warning("WARNING: Using deprecated 'algorithm' argument.")
encryption_mechanism = encryption_mechanism or algorithm encryption_mechanism = encryption_mechanism or algorithm
@ -385,6 +385,7 @@ class PKCS11(object):
self.noncesize = 12 self.noncesize = 12
self.gcmtagsize = 16 self.gcmtagsize = 16
self.generate_iv = generate_iv self.generate_iv = generate_iv
self.always_set_cka_sensitive = always_set_cka_sensitive
# Validate configuration and RNG # Validate configuration and RNG
session = self.get_session() session = self.get_session()
@ -583,7 +584,7 @@ class PKCS11(object):
token = master_key token = master_key
extractable = not master_key extractable = not master_key
# in some HSMs extractable keys cannot be marked sensitive # in some HSMs extractable keys cannot be marked sensitive
sensitive = not extractable sensitive = self.always_set_cka_sensitive or not extractable
ck_attributes = [ ck_attributes = [
Attribute(CKA_CLASS, CKO_SECRET_KEY), Attribute(CKA_CLASS, CKO_SECRET_KEY),

7
releasenotes/notes/fix-story-2004734-977dbeda6b547f85.yaml Normal file
View File

@ -0,0 +1,7 @@
---
fixes:
- |
Fixed Story #2004734: Added a new option `always_set_cka_sensitive` to
fix a regression that affected Safenet HSMs. The option defaults to `True`
as required by Safenet HSMs. Other HSMs may require it be set to `False`.