Add config file including all options

Nitrokey · Jan 9, 2024 · b952f0e · b952f0e
1 parent 58d8b5f
commit b952f0e
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 6 deletions.
diff --git a/p11nethsm.example.conf b/p11nethsm.example.conf
@@ -0,0 +1,46 @@
+# Set this option to true to enable the compatibility option for the C_SetAttributeValue() function.
+# This allows the applications using the Java Sun PKCS11 module (like EJBCA) to generate keys.
+# When using this, the names given to the keys will be ignored and the keys will have random names.
+# Under the hood it will store in memory the name given to the key when calling C_SetAttributeValue(). When a certificate is uploaded it will check if the name was previously passed to C_SetAttributeValue() and translate it to the real name on the NetHSM.
+enable_set_attribute_value: false
+
+# You can set the log file location here.
+# If no value is set the module will output to stderr.
+# If a value is set it will output to the file.
+log_file: /tmp/p11nethsm.log
+# Optional log level, acceptable  values are Trace, Debug, Info, Warn and Error
+log_level: Debug
+
+# Each "slot" represents a NetHSM server
+slots:
+  - label: LocalHSM                        # Name your NetHSM however you want
+    description: Local HSM (docker)        # Optional description
+
+    # Users connecting to the NetHSM server
+    operator:
+      username: "operator"
+      # If the password starts with `env:`, it will obtain the password from an environment variable:
+      # password: "env:LOCALHSMPASS"
+      password: "localpass"
+    administrator:
+      username: "admin"
+
+    # List the NetHSM instances
+    instances:
+      - url: "https://keyfender:8443/api/v1"   # URL to reach the server
+        # By default, the certificate of the HSM will be validated using the system's root certificate authority.
+        # When the NetHSM uses a self-signed certificate, it can be verified against an allowed list of sha256 fingerprint of the NetHSM's certificate:
+        sha256_fingerprints:
+          - "31:92:8E:A4:5E:16:5C:A7:33:44:E8:E9:8E:64:C4:AE:7B:2A:57:E5:77:43:49:F3:69:C9:8F:C4:2F:3A:3B:6E"
+        # Alternatively certificate checks can be skipped entirely with danger_insecure_cert option.
+        # This should be avoided if possible and certainly not used with a productive NetHSM.
+        # danger_insecure_cert: true
+    # Configure the network retry mechanism. If absent, no retries are attempted on a network error
+    retries:
+      # The number of retries after a network error
+      count: 3
+      # The delay between retries, in integer seconds
+      delay_seconds: 1
+    # Configurable timeout for network operations. If a network operation takes more than, `timeout_seconds`, consider it failed. If `retries` is configured, it will be retried.
+    # Defaults to infinite
+    timeout_seconds: 10
diff --git a/pkcs11/src/config/config_file.rs b/pkcs11/src/config/config_file.rs
@@ -54,7 +54,7 @@ pub fn read_configuration() -> Result<P11Config, ConfigError> {
     Ok(config)
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub enum LogLevel {
     Trace,
     Debug,
@@ -76,7 +76,7 @@ impl From<&LogLevel> for log::LevelFilter {
 }
 
 // representation of the config file to parse
-#[derive(Debug, Clone, Serialize, Deserialize, Merge, Default)]
+#[derive(Debug, Clone, Serialize, Deserialize, Merge, Default, PartialEq)]
 pub struct P11Config {
     #[merge(strategy = merge::bool::overwrite_false)]
     #[serde(default)]
@@ -87,13 +87,13 @@ pub struct P11Config {
     pub slots: Vec<SlotConfig>,
 }
 
-#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq)]
 pub struct RetryConfig {
     pub count: u32,
     pub delay_seconds: u64,
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub struct InstanceConfig {
     pub url: String,
     #[serde(default)]
@@ -102,7 +102,7 @@ pub struct InstanceConfig {
     pub sha256_fingerprints: Vec<String>,
 }
 
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub struct SlotConfig {
     pub label: String,
     pub operator: Option<UserConfig>,
@@ -116,7 +116,7 @@ pub struct SlotConfig {
 }
 
 // An user
-#[derive(Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
 pub struct UserConfig {
     pub username: String,
     #[serde(deserialize_with = "deserialize_password", default)]
@@ -252,4 +252,33 @@ password: ""
         assert_eq!(config.username, "test");
         assert_eq!(config.password, None);
     }
+
+    #[test]
+    fn test_deserialize_full_example_config() {
+        let config = include_str!("../../../p11nethsm.example.conf");
+        assert_eq!(P11Config {
+            enable_set_attribute_value: false,
+            log_file: Some("/tmp/p11nethsm.log".into()),
+            log_level: Some(LogLevel::Debug),
+            slots: vec![SlotConfig {
+                label: "LocalHSM".into(),
+                description: Some("Local HSM (docker)".into()),
+                operator: Some(UserConfig {
+                    username: "operator".into(),
+                    password: Some("localpass".into())
+                }),
+                administrator: Some(UserConfig {
+                    username: "admin".into(),
+                    password: None
+                }),
+                instances: vec![InstanceConfig {
+                    url: "https://keyfender:8443/api/v1".into(),
+                    danger_insecure_cert: false,
+                    sha256_fingerprints: vec!["31:92:8E:A4:5E:16:5C:A7:33:44:E8:E9:8E:64:C4:AE:7B:2A:57:E5:77:43:49:F3:69:C9:8F:C4:2F:3A:3B:6E".into()],
+                }],
+                retries: Some(RetryConfig { count: 3, delay_seconds: 1 }),
+                timeout_seconds: Some(10),
+            }]
+        }, serde_yaml::from_str(config).unwrap());
+    }
 }