

Make PKCS11 support more generic
Modify the PKCS11 support to make it more generic and, hopefully,
make it easier to support different HSM configurations.

Updated the PKCS11 functional tests.
Fix tls-e kuttl tests
vakwetu committed Jan 23, 2025
1 parent a09e481 commit 772d803
Showing 35 changed files with 758 additions and 1,413 deletions.
111 changes: 12 additions & 99 deletions api/bases/barbican.openstack.org_barbicanapis.yaml
Expand Up @@ -296,6 +296,9 @@ spec:
description: PasswordSelectors - Selectors to identify the ServiceUser
password from the Secret
properties:
pkcs11pin:
default: PKCS11Pin
type: string
service:
default: BarbicanPassword
description: Service - Selector to get the barbican service user
Expand All @@ -306,114 +309,24 @@ spec:
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
description: BarbicanPKCS11Template - Includes common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
clientDataPath:
default: /etc/hsm-client
description: Location to which kolla will copy the data in ClientDataSecret.
type: string
libraryPath:
description: Path to vendor's PKCS11 library
clientDataSecret:
description: |-
The OpenShift secret that stores the HSM client data.
These will be mounted to /var/lib/config-data/hsm
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: |-
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: |-
Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be specified. TokenLabels takes priority over SlotId.
This can be a comma separated string of labels
type: string
tokenSerialNumber:
description: |-
Token serial number used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over
TokenLabels and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- clientDataSecret
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
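Review bot: The new `pkcs11pin` selector under `passwordSelectors` in the first hunk is the only selector without a `description`, so a CRD reader cannot tell which key of the service Secret is expected to hold the HSM login PIN, while `service` next to it documents exactly that. Since files under api/bases appear to be controller-gen output, the fix presumably belongs on the Go field's comment so it renders as something like `description: PKCS11Pin - Selector to get the PKCS11 PIN from the Secret`. The same gap exists in api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml. In the second hunk, `clientDataSecret` is now in `required`; its description would be more useful to operators if it also said what the secret is expected to contain, since the new generic layout moves that knowledge out of the schema.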
111 changes: 12 additions & 99 deletions api/bases/barbican.openstack.org_barbicankeystonelisteners.yaml
Expand Up @@ -130,6 +130,9 @@ spec:
description: PasswordSelectors - Selectors to identify the ServiceUser
password from the Secret
properties:
pkcs11pin:
default: PKCS11Pin
type: string
service:
default: BarbicanPassword
description: Service - Selector to get the barbican service user
Expand All @@ -140,114 +143,24 @@ spec:
type: string
type: object
pkcs11:
description: BarbicanPKCS11Template - Includes all common HSM properties
description: BarbicanPKCS11Template - Includes common HSM properties
properties:
AESGCMGenerateIV:
default: true
description: Generate IVs for CKM_AES_GCM mechanism
type: boolean
HMACKeyType:
default: CKK_GENERIC_SECRET
description: HMAC Key Type
type: string
HMACKeygenMechanism:
default: CKM_GENERIC_SECRET_KEY_GEN
description: HMAC Keygen Mechanism
type: string
HMACLabel:
description: Label to identify HMAC key in the HSM (must not be
the same as MKEK label)
type: string
HMACMechanism:
default: CKM_SHA256_HMAC
description: HMAC Mechanism. This replaces hsm_keywrap_mechanism
type: string
MKEKLabel:
description: Label to identify master KEK in the HSM (must not
be the same as HMAC label)
type: string
MKEKLength:
default: 32
description: Length in bytes of master KEK
type: integer
OSLockingOK:
default: false
description: Set os_locking_ok
type: boolean
alwaysSetCKASensitive:
default: true
description: Always set cka_sensitive
type: boolean
certificatesMountPoint:
description: The mounting point where the certificates will be
copied to (e.g., /usr/local/luna/config/certs).
type: string
certificatesSecret:
description: The OpenShift secret that stores the HSM certificates.
type: string
clientAddress:
description: The IP address of the client connecting to the HSM
(X.Y.Z.K)
type: string
encryptionMechanism:
default: CKM_AES_GCM
description: Secret encryption mechanism
type: string
keyWrapGenerateIV:
default: true
description: Generate IVs for the key wrap mechanism
type: boolean
keyWrapMechanism:
default: CKM_AES_KEY_WRAP_KWP
description: Key wrap mechanism
clientDataPath:
default: /etc/hsm-client
description: Location to which kolla will copy the data in ClientDataSecret.
type: string
libraryPath:
description: Path to vendor's PKCS11 library
clientDataSecret:
description: |-
The OpenShift secret that stores the HSM client data.
These will be mounted to /var/lib/config-data/hsm
type: string
loggingLevel:
default: 4
description: Level of logging, where 0 means "no logging" and
7 means "debug".
maximum: 7
minimum: 0
type: integer
loginSecret:
description: OpenShift secret that stores the password to login
to the PKCS11 session
type: string
serverAddress:
description: The HSM's IPv4 address (X.Y.Z.K)
type: string
slotId:
description: |-
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. SlotId is used if none of the others is defined
type: string
tokenLabels:
description: |-
Token labels used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be specified. TokenLabels takes priority over SlotId.
This can be a comma separated string of labels
type: string
tokenSerialNumber:
description: |-
Token serial number used to identify the token to be used.
One of TokenSerialNumber, TokenLabels or SlotId must
be defined. TokenSerialNumber takes priority over
TokenLabels and SlotId
type: string
type:
description: 'A string containing the HSM type (currently supported:
"luna").'
type: string
required:
- HMACLabel
- MKEKLabel
- libraryPath
- clientDataSecret
- loginSecret
- serverAddress
- type
type: object
rabbitMqClusterName:
default: rabbitmq
