Fix ops flag mask master #4649
Fix ops flag mask master #4649
Conversation
Default operation flags does not work for some HSM so a new mechanism is introduced to allow a custom flag list. The certificate generate in the hsm can be customised in pkispawn config file with `pki_<cert>_opsFlagMask` where `<cert> is one between: - audit_signing - sslserver - subsystem - ca_signing - ocsp_signing - storage - transport - ocsp_signing The value is a comma sepated list of flags (case insensitive) which can be: encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap AND derive. The same flags can be used with the command `pki nss-key-create` where the new flag `--ops-flag-mask` is added. The value is the a csv as above.
Add the second parameter to pkispawn in other to customise the key par generation in HSM. The new config parameter is `pki_<cert>_opsFlag`. The `<cert>` is the id as defined for the parameter `pki_<cert>_opsFlagMask` and they have the same values
| @@ -86,6 +86,14 @@ public void createOptions() { | |||
| option.setArgName("boolean"); | |||
| options.addOption(option); | |||
|
|
|||
| option = new Option(null, "ops-flag", true, "Custom flags for key usage (empty for HSM default)"); | |||
There was a problem hiding this comment.
Just thinking, would --op-flags / op-flags-mask be more appropriate since these options contains a list of flags?
It's probably not necessary to mention (empty for HSM default) since the list will be empty by default for all types of tokens, not just HSM.
There was a problem hiding this comment.
Not sure about the wording but your clarification seems reasonable so I'll update.
| -D pki_ca_signing_opsFlag=sign \ | ||
| -D pki_ca_signing_opsFlagMask=sign \ |
There was a problem hiding this comment.
I'm not too familiar with how the flag & mask work in NSS, but does this mean the mask should ultimately disable the sign operation in NSS so the installation should fail too? Or does opsFlagMask simply remove the values from opsFlag (in that case the mask might not be that useful since the user can just specify the correct opsFlag without the masked value in the first place)?
There was a problem hiding this comment.
opsFlagMask is applied to the flags identified by NSS, then the opsFlag are added to the remaining operation. This test show that the opsFlag are added to the resulting list. (I will change all opsFlag* is opFlags*)
There was a problem hiding this comment.
OK, does it mean the opsFlag param overrides opsFlagMask? Does it work that way too with --keyOpFlagsOn and --keyOpFlagsOff in certutil? We probably should document this behavior.
| and their value is a comma separated list of the following flags: encrypt, decrypt, sign, | ||
| sign_recover, verify, verify_recover, wrap, unwrap and derive. The first parameter add flags to |
There was a problem hiding this comment.
I'd suggest adding back quotes for the actual values that can be specified in these params, e.g. encrypt, decrypt.
The option are renamed to be more coherent with their meaning as: - op-flags - op-flags-mask
fmarco76
force-pushed
the
FixOpsFlagMask_master
branch
from
35fe02f to
0d4c905
Compare
|
|
@edewata Thanks! I have updated the code following your comments. |
@edewata this PR add two flags
pki_*_opsFlagandpki_*_opsFlagMask. These have been introduced in branch v10.13 with PRs #4643, #4645 and #4647 but the code in master is too different for cherry-picking so I have written from scratch and added test and doc.