nmav pushed to caml-crush (master). "Added pkcs11proxyd-softhsm-ctl"

Thu Apr 2 11:01:40 UTC 2015


>From 686feaf9cdc10dddbd6852c15f8af25e14719d55 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Thu, 2 Apr 2015 09:42:21 +0200
Subject: Added pkcs11proxyd-softhsm-ctl


diff --git a/caml-crush.spec b/caml-crush.spec
index c1c8e3f..7469e0e 100644
--- a/caml-crush.spec
+++ b/caml-crush.spec
@@ -2,7 +2,7 @@
 
 Name:           caml-crush
 Version:        1.0.4
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        PKCS#11 filtering proxy
 
 # The pkcs11proxyd server is under CeCILL, while the rest of the libraries are
@@ -22,6 +22,9 @@ Source8:        pkcs11.conf
 Source9:        softhsm.module
 Source10:       pkcs11proxyd-softhsm.conf
 Source11:       README.fedora
+Source12:       filter-softhsm-locked.conf
+Source13:       pkcs11proxyd-softhsm-ctl
+Source14:	pkcs11proxyd-softhsm-ctl.8.txt
 Patch1:         caml-crush-libname-file.patch
 Patch2:         caml-crush-avoid-exit.patch
 Patch3:         caml-crush-better-msgs.patch
@@ -38,6 +41,8 @@ BuildRequires:  ocaml-ocamlnet-devel
 BuildRequires:  ocaml-config-file-devel
 BuildRequires:  sed
 BuildRequires:  p11-kit-devel
+BuildRequires:  asciidoc
+BuildRequires:  libxslt
 
 %package softhsm
 
@@ -66,13 +71,18 @@ This software is a PKCS#11 proxy to softhsm allowing to store private keys
 in an isolated environment in the system.
 
 %prep
-%setup -q -n caml-crush-%{version}
+%setup -q -n %{name}-%{version}
 
 %patch1 -p1 -b .libname
 %patch2 -p1 -b .exit
 %patch3 -p1 -b .msgs
 %patch4 -p1 -b .cflags
 sed -i 's|%LIBDIR%|'%{_libdir}'|g' %{SOURCE1}
+sed -i 's|%LIBDIR%|'%{_libdir}'|g' %{SOURCE12}
+
+cp %{SOURCE14} pkcs11proxyd-softhsm-ctl.8.txt
+asciidoc.py -v -d manpage -b docbook pkcs11proxyd-softhsm-ctl.8.txt
+xsltproc --nonet -o pkcs11proxyd-softhsm-ctl.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl pkcs11proxyd-softhsm-ctl.8.xml
 
 %build
 sh autogen.sh
@@ -106,16 +116,19 @@ exit 0
 cp -a %{SOURCE11} README.fedora
 mkdir -p %{buildroot}%{_sysconfdir}/pkcs11proxyd
 mkdir -p %{buildroot}%{_sbindir}
+mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{_libdir}/pkcs11
 mkdir -p %{buildroot}%{_datadir}/p11-kit/modules
 mkdir -p %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
+mkdir -p %{buildroot}%{_mandir}/man8
 install -p -m 755 src/pkcs11proxyd/pkcs11proxyd  %{buildroot}%{_sbindir}
 install -p -m 755 src/client-lib/libp11clientsofthsm.so %{buildroot}%{_libdir}/pkcs11/
 install -p -m 755 src/client-lib/libp11client.so %{buildroot}%{_libdir}/pkcs11/
 install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pkcs11proxyd
+install -p -m 644 %{SOURCE12} %{buildroot}%{_sharedstatedir}/pkcs11proxyd
 install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pkcs11proxyd
-install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/filter-softhsm-unlocked.conf
 install -p -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pkcs11proxyd/pkcs11proxyd-softhsm.conf
 install -p -m 644 %{SOURCE3} %{buildroot}%{_unitdir}/pkcs11proxyd-softhsm.service
 install -p -m 644 %{SOURCE4} %{buildroot}/%{_datadir}/p11-kit/modules/
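Review bot: The two filter policies are installed into `%{_sharedstatedir}/pkcs11proxyd` (the lines adding `%{SOURCE12}` and `filter-softhsm-unlocked.conf`), the daemon's state directory, which the `%files softhsm` section hands to the `pkcs11proxyd` user via `%defattr`; the filter policy is the boundary this proxy exists to enforce, so it should not live in a tree writable by what is presumably the service account, and `%{_sysconfdir}/pkcs11proxyd`, already created root-owned in this hunk, is the natural place. Something like `install -p -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/pkcs11proxyd/filter-softhsm-locked.conf` and `install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pkcs11proxyd/filter-softhsm-unlocked.conf`, with the `%files` entries moved accordingly, would also make the `/etc/pkcs11proxyd/...` paths that the new `pkcs11proxyd-softhsm-ctl` relinks to actually exist. Note also that the default symlink targets the unlocked policy, so a fresh install permits key creation and deletion until an administrator runs `lock`; if that is the intended bootstrap state, `README.fedora` should say so explicitly.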
@@ -123,6 +136,9 @@ install -p -m 644 %{SOURCE5} %{buildroot}/%{_sharedstatedir}/pkcs11proxyd
 install -p -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/
 install -p -m 644 %{SOURCE8} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/
 install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
+install -p -m 755 %{SOURCE13} %{buildroot}%{_bindir}/
+install -p -m 644 pkcs11proxyd-softhsm-ctl.8 %{buildroot}%{_mandir}/man8
+ln -s %{_sharedstatedir}/pkcs11proxyd/filter-softhsm-unlocked.conf %{buildroot}%{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
 
 %files
 %doc README.md ISSUES.md README.fedora
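Review bot: The symlink created by the `ln -s` in this hunk points at `%{_sharedstatedir}/pkcs11proxyd/filter-softhsm-unlocked.conf`, but `pkcs11proxyd-softhsm-ctl` in this same commit repoints it to `/etc/pkcs11proxyd/filter-softhsm-locked.conf` / `-unlocked.conf`, paths nothing in this spec installs; the first `lock` therefore leaves `filter-softhsm.conf` dangling and restarts the daemon without a filter policy (what the daemon does with a missing filter file is not visible here). Either the policies move to `%{_sysconfdir}/pkcs11proxyd` or the script's two `ln -sf` lines use the `%{_sharedstatedir}` directory, but the two must agree, and a comment on this `ln -s` naming the other party would keep them that way: `# pkcs11proxyd-softhsm-ctl relinks this symlink; keep its target directory in sync with that script`.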
@@ -133,16 +149,18 @@ install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config
 %dir %{_sysconfdir}/pkcs11proxyd
 %config(noreplace) %{_sysconfdir}/pkcs11proxyd/filter.conf
 %config(noreplace) %{_sysconfdir}/pkcs11proxyd/pkcs11proxyd.conf
+%config(noreplace) %{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
 
 %files softhsm
 %{_sbindir}/pkcs11proxyd-init
+%{_bindir}/pkcs11proxyd-softhsm-ctl
 %{_libdir}/pkcs11/libp11clientsofthsm.so
 %{_unitdir}/pkcs11proxyd-softhsm.service
 
 %{_datadir}/p11-kit/modules/pkcs11proxyd-softhsm.module
 
-%{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf
 %{_sysconfdir}/pkcs11proxyd/pkcs11proxyd-softhsm.conf
+%{_mandir}/man8/pkcs11proxyd-softhsm-ctl.8.gz
 
 %defattr(-,pkcs11proxyd,pkcs11proxyd)
 %dir %{_sharedstatedir}/pkcs11proxyd
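Review bot: `%config(noreplace) %{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf` is now listed in the base `%files`, while everything it depends on — the `filter-softhsm-unlocked.conf` target, `pkcs11proxyd-softhsm.conf`, the unit and the ctl script — stays in `%files softhsm`, so a base-only install ships a dangling symlink unless the base package requires the subpackage (no such `Requires` is visible in this diff). The softhsm-specific filter was in the subpackage before this commit (the removed line) and should probably stay there: `%config(noreplace) %{_sysconfdir}/pkcs11proxyd/filter-softhsm.conf` placed next to `pkcs11proxyd-softhsm.conf`. Marking the symlink `%config(noreplace)` is the right call given the ctl script flips it, since it should preserve the administrator's lock state across package upgrades.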
@@ -152,9 +170,13 @@ install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config
 %{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules/softhsm.module
 %{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/pkcs11.conf
 %{_sharedstatedir}/pkcs11proxyd/softhsm.conf
-
+%{_sharedstatedir}/pkcs11proxyd/filter-softhsm-locked.conf
+%{_sharedstatedir}/pkcs11proxyd/filter-softhsm-unlocked.conf
 
 %changelog
+* Thu Apr  2 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-6
+- Added pkcs11proxyd-softhsm-ctl
+
 * Wed Apr  1 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-5
 - Removed default upstream filters and added documentation
 
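Review bot: The two policy files added under `%{_sharedstatedir}/pkcs11proxyd` fall under the `%defattr(-,pkcs11proxyd,pkcs11proxyd)` earlier in this `%files softhsm` section, so the filtering rules — the locked one included — are owned by the account the daemon's state directory belongs to, presumably the user the proxy runs as; anything executing as that user can rewrite the policy it is meant to be confined by. `%attr(0644,root,root)` on both entries is the minimum, e.g. `%attr(0644,root,root) %{_sharedstatedir}/pkcs11proxyd/filter-softhsm-locked.conf` and the same for `-unlocked.conf`, but that is only a partial fix because the containing `%dir` is still owned by the same user, who can unlink and recreate the files; keeping policies out of that tree entirely is the robust answer.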
diff --git a/filter-softhsm-locked.conf b/filter-softhsm-locked.conf
new file mode 100644
index 0000000..cb01309
--- /dev/null
+++ b/filter-softhsm-locked.conf
@@ -0,0 +1,169 @@
+(* debug = integer between 0 and 3
+    0 = merely no log at all, except critical errors and printing the debug
+        level itself
+    1 = level 0 + positive filtering matches (i.e. when the filter detects
+        something to block)
+    2 = level 1 + negative filtering matches (i.e. when the filter detects
+        that it must not block something)
+    3 = level 2 + print all the fetched configuration variables in the filter
+        configuration file (modules aliasing, filtered labels, filtered ids,
+        ...)
+*)
+debug = 0
+
+(* modules = [(a1, b1), (a2, b2) ...] is a list of couples of strings (a, b)
+   with 'a' being an alias, and 'b' being a PATH to the aliased
+   PKCS#11 module
+*)
+modules = [("softhsm", "%LIBDIR%/softhsm/libsofthsm.so")]
+
+(* log_subchannel = string representing the filter log subchannel in the server *)
+log_subchannel = filter
+
+(* forbidden_mechanisms = [(a1, b1), (a2, b2) ...] is a list of couples where
+   'a' is a regular expression string representing modules and 'b' is a list
+   of PKCS#11 mechanisms with the PKCS#11 definition syntax (CKM_RSA_X_509 for
+   instance)
+*)
+(* forbidden_mechanisms = [("sof.*", [CKM_RSA_X_509]), ("opencrypto.*", [])] *)
+
+(* allowed_labels = [(a1, b1), (a2, b2) ...] is a list of couples where 'a1',
+   'a2', ... are regular expression strings representing module names, and
+   'b1', 'b2', ... are regular expressions representing labels
+
+   example: allowed_labels  = [("opencryptoki", ["not_filtered_.*", "test"])]
+   Here, only objects with CKA_LABEL such as "not_filtered_.*" and "test" are
+   usable for the "opencryptoki" alias.
+
+   default: NO filtering, uncomment and configure below to filter objects
+*)
+(*
+allowed_labels  = [("opencryptoki", ["not_filtered_.*", "test"])]
+*)
+
+(* allowed_ids = [(a1, b1), (a2, b2) ...] is a list of couples where 'a1',
+   'a2', ... are regular expression strings representing module names, and
+   'b1', 'b2', ... are regular expressions representing ids
+
+   example: allowed_ids  = [("softhsm", [".*"])]
+   Here, this rule allows all CKA_ID to be used for the "softhsm" alias.
+
+   default: NO filtering, uncomment and configure below to filter objects
+*)
+(*
+allowed_ids  = [("softhsm", [".*"])]
+*)
+
+(* forbidden_functions = [(a1, b1), (a2, b2) ...] is a list of couples where
+   'a1', 'a2', ... are regular expression strings representing module names,
+   and 'b1', 'b2', ... are lists of PKCS#11 functions with the PKCS#11 naming
+   convention (C_Login, C_Logout ...)
+
+   default OFF, uncomment and configure below to enable;
+*)
+(* In a softhsm key wrapping makes no sense and it can be used to recover keys
+   so it is disabled *)
+forbidden_functions  = [("soft.*", [C_WrapKey, C_UnwrapKey, C_GenerateKey, C_GenerateKeyPair, C_CreateObject, C_CopyObject, C_DestroyObject])]
+
+(* enforce_ro_sessions = [(a1, b1), (a2, b2) ...] is a list of couples where
+   'a' is a regular expression string representing module names, and 'b1',
+   'b2', ... are booleans that can take 'true', 'false', 'yes' and 'no' as
+    possible values
+
+   default OFF, uncomment and configure below to enable;
+*)
+(*
+enforce_ro_sessions  = [(".*", no)]
+*)
+
+(* forbid_admin_operations = [(a1, b1), (a2, b2) ...] is a list of couples
+   where 'a' is a regular expression string representing module names, and
+   'b1', 'b2', ... are booleans that can take 'true', 'false', 'yes' and 'no'
+   as possible values
+
+   default OFF, uncomment and configure below to enable;
+*)
+(*
+forbid_admin_operations = [(".*", yes)]
+*)
+
+(* remove_padding_oracles = [(a1, b1), (a2, b2) ...] is a list of couples where
+   'a' is a regular expression string representing module names, and 'b1',
+   'b2', ... are a lists of cryptographic operations type that can take as
+   possible values 'wrap', 'unwrap', 'encrypt', 'sign' and 'all' (this last
+   one represents the sum of all the values)
+
+   default OFF, uncomment and configure below to enable;
+*)
+(*
+remove_padding_oracles = [(".*", [wrap, unwrap, encrypt])]
+*)
+
+(* filter_actions = list of couples of [string_regexp x list of couples of
+   [PKCS#11_function x custom_function]]). This option is a way to extend
+   the filter features as the user can provide its own hooks on every PKCS#11
+   function. See FILTER.md for more information.
+
+   default OFF, uncomment and configure below to enable;
+*)
+(* filter_actions = [
+                  (".*", [(C_Login, c_Login_hook), (C_Initialize, c_Initialize_hook)]), 
+                  ("soft.*", [(C_CloseSession, identity)])
+                 ]
+*)
+
+(**** Fixing PKCS#11 with patchset 1 *
+   See FILTER.md for a detailed explanation of patchset 1 and 2.
+
+   default ON;
+*)
+filter_actions_post = [ (".*", 
+                          [
+                           (******** This is optional: key usage segregation ******************************)
+                           (* (C_Initialize, do_segregate_usage), *)
+                          ]
+                   )
+                 ]
+
+(**** Fixing PKCS#11 with patchset 2 *
+   See FILTER.md for a detailed explanation of patchset 1 and 2.
+
+   default OFF, WARNING patchset 1 and 2 are incompatible, make sure it is not
+                enabled before enabling this one
+*)
+(*
+filter_actions_post = [ (".*", 
+                          [
+                           (******** This is optional: key usage segregation ******************************)
+                           (* (C_Initialize, do_segregate_usage), *)
+
+                           (******** CryptokiX conflicting attributes patch addendum for existing objects *) 
+                           (C_EncryptInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_DecryptInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_SignInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_SignRecoverInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_VerifyInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_VerifyRecoverInit, conflicting_attributes_patch_on_existing_objects),
+                           (C_DeriveKey, conflicting_attributes_patch_on_existing_objects),
+                           (C_DigestKey, conflicting_attributes_patch_on_existing_objects),
+                           (C_WrapKey, conflicting_attributes_patch_on_existing_objects),
+                           (C_UnwrapKey, conflicting_attributes_patch_on_existing_objects),
+
+                           (******** CryptokiX secure templates patch on key creation and import **********)
+                           (C_SetAttributeValue, secure_templates_patch),
+                           (C_GenerateKey, secure_templates_patch), (C_GenerateKeyPair, secure_templates_patch),
+                           (C_CreateObject, secure_templates_patch), (C_CopyObject, secure_templates_patch),
+                           (C_UnwrapKey, secure_templates_patch), (C_DeriveKey, secure_templates_patch),
+
+                           (******** Check for value extraction on sensitive/nonextractable keys **********)
+                           (C_GetAttributeValue, prevent_sensitive_leak_patch),
+                           (C_SetAttributeValue, prevent_sensitive_leak_patch),
+
+                           (******** Sanitizing the creation attributes patch *****************************)
+                           (C_CreateObject, sanitize_creation_templates_patch), (C_CopyObject, sanitize_creation_templates_patch), 
+                           (C_GenerateKey, sanitize_creation_templates_patch), (C_GenerateKeyPair, sanitize_creation_templates_patch), 
+                           (C_DeriveKey, sanitize_creation_templates_patch), (C_UnwrapKey, sanitize_creation_templates_patch) 
+                          ]
+                   )
+                 ]
+*)
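Review bot: The locked policy's `forbidden_functions` entry for `soft.*` blocks creation, copy, destruction and wrapping, but the man page in this commit promises that lock prevents all writes, and `C_SetAttributeValue` and `C_DeriveKey` — both still permitted — modify or create objects (the commented patchset 2 block below lists them among exactly those operations), while `C_InitToken`/`C_InitPIN`/`C_SetPIN` are presumably left open because `forbid_admin_operations` is commented out. If the deployment does not need derivation while locked, extend the list to `forbidden_functions  = [("soft.*", [C_WrapKey, C_UnwrapKey, C_GenerateKey, C_GenerateKeyPair, C_CreateObject, C_CopyObject, C_DestroyObject, C_DeriveKey, C_SetAttributeValue, C_InitToken, C_InitPIN, C_SetPIN])]`, and consider enabling `enforce_ro_sessions  = [("soft.*", yes)]` as a session-level read-only guard on top; whether the filter accepts every one of those names in `forbidden_functions` should be confirmed against FILTER.md, though `C_SetAttributeValue` and `C_DeriveKey` at least already appear in the `filter_actions_post` hooks. A locked profile is also where blocked calls are worth seeing: per the header comment `debug = 0` suppresses positive filtering matches, so `debug = 1` would make attempts to create or destroy keys visible in the daemon log.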
diff --git a/pkcs11proxyd-softhsm-ctl b/pkcs11proxyd-softhsm-ctl
new file mode 100755
index 0000000..b77ba6d
--- /dev/null
+++ b/pkcs11proxyd-softhsm-ctl
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+case "$1" in
+  "status")
+	grep forbidden_functions /etc/pkcs11proxyd/filter-softhsm.conf|grep C_Create >/dev/null 2>&1
+	if test "$?" = 0;then
+		echo locked
+	else
+		echo unlocked
+	fi
+	;;
+  "lock")
+	ln -sf /etc/pkcs11proxyd/filter-softhsm-locked.conf /etc/pkcs11proxyd/filter-softhsm.conf
+	systemctl restart pkcs11proxyd-softhsm
+	;;
+  "unlock")
+	ln -sf /etc/pkcs11proxyd/filter-softhsm-unlocked.conf /etc/pkcs11proxyd/filter-softhsm.conf
+	systemctl restart pkcs11proxyd-softhsm
+	;;
+  *)
+	echo "$0: [status|lock|unlock]"
+	;;
+esac
+
+exit 0
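Review bot: The `lock` and `unlock` branches relink to `/etc/pkcs11proxyd/filter-softhsm-{locked,unlocked}.conf`, but the spec in this commit installs both policies under `%{_sharedstatedir}/pkcs11proxyd` (`/var/lib/pkcs11proxyd` on Fedora) and only the `filter-softhsm.conf` symlink under `/etc`, so the first `lock` leaves a dangling symlink and restarts the daemon with no filter file at all. `status` decides by grepping the policy text for `forbidden_functions` and `C_Create`, which also matches a commented-out line and says nothing about which file the symlink currently points to; reading the link target is unambiguous. The script also ends in an unconditional `exit 0`, so a failed `ln`, a failed `systemctl restart`, or an unknown command name is invisible to whoever called it. A rewrite keeping the three commands but fixing the directory, the status check and the exit status:
```shell
#!/bin/sh
# Abort (non-zero) on the first failed step so callers can see it.
set -e

CONF=/etc/pkcs11proxyd/filter-softhsm.conf
# Must match where the spec installs the two policies (%{_sharedstatedir}/pkcs11proxyd).
POLICYDIR=/var/lib/pkcs11proxyd

case "$1" in
  "status")
	# Decide from the symlink target, not by grepping the policy text.
	case "$(readlink "$CONF" 2>/dev/null)" in
	  */filter-softhsm-locked.conf)   echo locked ;;
	  */filter-softhsm-unlocked.conf) echo unlocked ;;
	  *) echo "$0: $CONF is not a known policy symlink" >&2; exit 1 ;;
	esac
	;;
  "lock")
	ln -sf "$POLICYDIR/filter-softhsm-locked.conf" "$CONF"
	systemctl restart pkcs11proxyd-softhsm
	;;
  "unlock")
	ln -sf "$POLICYDIR/filter-softhsm-unlocked.conf" "$CONF"
	systemctl restart pkcs11proxyd-softhsm
	;;
  *)
	echo "usage: $0 [status|lock|unlock]" >&2
	exit 2
	;;
esac
```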
diff --git a/pkcs11proxyd-softhsm-ctl.8.txt b/pkcs11proxyd-softhsm-ctl.8.txt
new file mode 100644
index 0000000..c242e6d
--- /dev/null
+++ b/pkcs11proxyd-softhsm-ctl.8.txt
@@ -0,0 +1,52 @@
+////
+Copyright (C) 2015 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+////
+
+
+pkcs11proxyd-softhsm-ctl(8)
+===========================
+:doctype: manpage
+:man source: pkcs11proxyd-softhsm-ctl
+
+
+NAME
+----
+pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm
+
+
+SYNOPSIS
+--------
+*pkcs11proxyd-softhsm-ctl* ['COMMAND']
+
+
+DESCRIPTION
+-----------
+pkcs11proxyd-softhsm-ctl(8) is used to manage the isolated caml-crush daemon
+with softhsm. It can lock the internally used softhsm module and prevent
+all writes and deletions, and also unlock it when new keys need to be
+installed.
+
+COMMANDS
+--------
+*lock*::
+    Locks and reloads the pkcs11proxyd-softhsm daemon.
+
+*unlock*::
+    Unlocks and reloads the pkcs11proxyd-softhsm daemon.
+
+*status*::
+    Prints the current status of the daemon.
+
+AUTHOR
+------
+Written by Nikos Mavrogiannopoulos.


	http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=master&id=686feaf9cdc10dddbd6852c15f8af25e14719d55

