1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
// Copyright 2021 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
//! Object management functions
use crate::context::Function;
use crate::error::{Result, Rv, RvError};
use crate::object::{Attribute, AttributeInfo, AttributeType, ObjectHandle};
use crate::session::Session;
use cryptoki_sys::*;
use std::collections::HashMap;
use std::convert::TryInto;
// Search 10 elements at a time
const MAX_OBJECT_COUNT: usize = 10;
impl Session {
/// Search for session objects matching a template
pub fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
unsafe {
Rv::from(get_pkcs11!(self.client(), C_FindObjectsInit)(
self.handle(),
template.as_mut_ptr(),
template.len().try_into()?,
))
.into_result(Function::FindObjectsInit)?;
}
let mut object_handles = [0; MAX_OBJECT_COUNT];
let mut object_count = 0;
let mut objects = Vec::new();
unsafe {
Rv::from(get_pkcs11!(self.client(), C_FindObjects)(
self.handle(),
object_handles.as_mut_ptr() as CK_OBJECT_HANDLE_PTR,
MAX_OBJECT_COUNT.try_into()?,
&mut object_count,
))
.into_result(Function::FindObjects)?;
}
while object_count > 0 {
objects.extend_from_slice(&object_handles[..object_count.try_into()?]);
unsafe {
Rv::from(get_pkcs11!(self.client(), C_FindObjects)(
self.handle(),
object_handles.as_mut_ptr() as CK_OBJECT_HANDLE_PTR,
MAX_OBJECT_COUNT.try_into()?,
&mut object_count,
))
.into_result(Function::FindObjects)?;
}
}
unsafe {
Rv::from(get_pkcs11!(self.client(), C_FindObjectsFinal)(
self.handle(),
))
.into_result(Function::FindObjectsFinal)?;
}
let objects = objects.into_iter().map(ObjectHandle::new).collect();
Ok(objects)
}
/// Create a new object
pub fn create_object(&self, template: &[Attribute]) -> Result<ObjectHandle> {
let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
let mut object_handle = 0;
unsafe {
Rv::from(get_pkcs11!(self.client(), C_CreateObject)(
self.handle(),
template.as_mut_ptr(),
template.len().try_into()?,
&mut object_handle as CK_OBJECT_HANDLE_PTR,
))
.into_result(Function::CreateObject)?;
}
Ok(ObjectHandle::new(object_handle))
}
/// Destroy an object
pub fn destroy_object(&self, object: ObjectHandle) -> Result<()> {
unsafe {
Rv::from(get_pkcs11!(self.client(), C_DestroyObject)(
self.handle(),
object.handle(),
))
.into_result(Function::DestroyObject)
}
}
/// Get the attribute info of an object: if the attribute is present and its size.
///
/// # Arguments
///
/// * `object` - The [ObjectHandle] used to reference the object
/// * `attributes` - The list of attributes to get the information of
///
/// # Returns
///
/// This function will return a Vector of [AttributeInfo] enums that will either contain
/// the size of the requested attribute, [AttributeInfo::TypeInvalid] if the attribute is not a
/// valid type for the object, or [AttributeInfo::Sensitive] if the requested attribute is
/// sensitive and will not be returned to the user.
///
/// The list of returned attributes is 1-to-1 matched with the provided vector of attribute
/// types. If you wish, you may create a hash table simply by:
///
/// ```no_run
/// use cryptoki::context::Pkcs11;
/// use cryptoki::context::CInitializeArgs;
/// use cryptoki::object::AttributeType;
/// use cryptoki::session::UserType;
/// use cryptoki::types::AuthPin;
/// use std::collections::HashMap;
/// use std::env;
///
/// let mut pkcs11 = Pkcs11::new(
/// env::var("PKCS11_SOFTHSM2_MODULE")
/// .unwrap_or_else(|_| "/usr/local/lib/softhsm/libsofthsm2.so".to_string()),
/// )
/// .unwrap();
///
/// pkcs11.initialize(CInitializeArgs::OsThreads).unwrap();
/// let slot = pkcs11.get_slots_with_token().unwrap().remove(0);
///
/// let session = pkcs11.open_ro_session(slot).unwrap();
/// session.login(UserType::User, Some(&AuthPin::new("fedcba".into())));
///
/// let empty_attrib= vec![];
/// if let Some(object) = session.find_objects(&empty_attrib).unwrap().get(0) {
/// let attribute_types = vec![
/// AttributeType::Token,
/// AttributeType::Private,
/// AttributeType::Modulus,
/// AttributeType::KeyType,
/// AttributeType::Verify,];
///
/// let attribute_info = session.get_attribute_info(*object, &attribute_types).unwrap();
///
/// let hash = attribute_types
/// .iter()
/// .zip(attribute_info.iter())
/// .collect::<HashMap<_, _>>();
/// }
/// ```
///
/// Alternatively, you can call [Session::get_attribute_info_map], found below.
pub fn get_attribute_info(
&self,
object: ObjectHandle,
attributes: &[AttributeType],
) -> Result<Vec<AttributeInfo>> {
let mut results = Vec::new();
for attrib in attributes.iter() {
let mut template: Vec<CK_ATTRIBUTE> = vec![CK_ATTRIBUTE {
type_: (*attrib).into(),
pValue: std::ptr::null_mut(),
ulValueLen: 0,
}];
match unsafe {
Rv::from(get_pkcs11!(self.client(), C_GetAttributeValue)(
self.handle(),
object.handle(),
template.as_mut_ptr(),
template.len().try_into()?,
))
} {
Rv::Ok => {
results.push(AttributeInfo::Available(template[0].ulValueLen.try_into()?))
}
Rv::Error(RvError::AttributeSensitive) => results.push(AttributeInfo::Sensitive),
Rv::Error(RvError::AttributeTypeInvalid) => {
results.push(AttributeInfo::TypeInvalid)
}
rv => rv.into_result(Function::GetAttributeValue)?,
}
}
Ok(results)
}
/// Get the attribute info of an object: if the attribute is present and its size.
///
/// # Arguments
///
/// * `object` - The [ObjectHandle] used to reference the object
/// * `attributes` - The list of attributes to get the information of
///
/// # Returns
///
/// This function will return a HashMap of [AttributeType] and [AttributeInfo] enums that will
/// either contain the size of the requested attribute, [AttributeInfo::TypeInvalid] if the
/// attribute is not a valid type for the object, or [AttributeInfo::Sensitive] if the requested
/// attribute is sensitive and will not be returned to the user.
pub fn get_attribute_info_map(
&self,
object: ObjectHandle,
attributes: Vec<AttributeType>,
) -> Result<HashMap<AttributeType, AttributeInfo>> {
let attrib_info = self.get_attribute_info(object, attributes.as_slice())?;
Ok(attributes
.iter()
.cloned()
.zip(attrib_info.iter().cloned())
.collect::<HashMap<_, _>>())
}
/// Get the attributes values of an object.
/// Ignore the unavailable one. One has to call the get_attribute_info method to check which
/// ones are unavailable.
pub fn get_attributes(
&self,
object: ObjectHandle,
attributes: &[AttributeType],
) -> Result<Vec<Attribute>> {
let attrs_info = self.get_attribute_info(object, attributes)?;
// Allocating a chunk of memory where to put the attributes value.
let attrs_memory: Vec<(AttributeType, Vec<u8>)> = attrs_info
.iter()
.zip(attributes.iter())
.filter_map(|(attr_info, attr_type)| {
if let AttributeInfo::Available(size) = attr_info {
Some((*attr_type, vec![0; *size]))
} else {
None
}
})
.collect();
let mut template: Vec<CK_ATTRIBUTE> = attrs_memory
.iter()
.map(|(attr_type, memory)| {
Ok(CK_ATTRIBUTE {
type_: (*attr_type).into(),
pValue: memory.as_ptr() as *mut std::ffi::c_void,
ulValueLen: memory.len().try_into()?,
})
})
.collect::<Result<Vec<CK_ATTRIBUTE>>>()?;
// This should only return OK as all attributes asked should be
// available. Concurrency problem?
unsafe {
Rv::from(get_pkcs11!(self.client(), C_GetAttributeValue)(
self.handle(),
object.handle(),
template.as_mut_ptr(),
template.len().try_into()?,
))
.into_result(Function::GetAttributeValue)?;
}
// Convert from CK_ATTRIBUTE to Attribute
template.into_iter().map(|attr| attr.try_into()).collect()
}
/// Sets the attributes of an object
pub fn update_attributes(&self, object: ObjectHandle, template: &[Attribute]) -> Result<()> {
let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
unsafe {
Rv::from(get_pkcs11!(self.client(), C_SetAttributeValue)(
self.handle(),
object.handle(),
template.as_mut_ptr(),
template.len().try_into()?,
))
.into_result(Function::SetAttributeValue)?;
}
Ok(())
}
}