cryptoki 0.12.0

Rust-native wrapper around the PKCS #11 API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

// Copyright 2025 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
//! Encapsulating/decapsulating data

use crate::context::Function;
use crate::error::{Result, Rv};
use crate::mechanism::Mechanism;
use crate::object::{Attribute, ObjectHandle};
use crate::session::Session;
use cryptoki_sys::*;
use std::convert::TryInto;

impl Session {
    /// Encapsulate key
    pub fn encapsulate_key(
        &self,
        mechanism: &Mechanism,
        publickey: ObjectHandle,
        template: &[Attribute],
    ) -> Result<(Vec<u8>, ObjectHandle)> {
        let mut mechanism: CK_MECHANISM = mechanism.into();
        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
        let mut encapsulated_len = 0;
        let mut handle = 0;

        // Get the output buffer length
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_EncapsulateKey)(
                self.handle(),
                &mut mechanism as CK_MECHANISM_PTR,
                publickey.handle(),
                template.as_mut_ptr(),
                template.len().try_into()?,
                std::ptr::null_mut(),
                &mut encapsulated_len,
                &mut handle,
            ))
            .into_result(Function::EncapsulateKey)?;
        }

        let mut encapsulated = vec![0; encapsulated_len.try_into()?];

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_EncapsulateKey)(
                self.handle(),
                &mut mechanism as CK_MECHANISM_PTR,
                publickey.handle(),
                template.as_mut_ptr(),
                template.len().try_into()?,
                encapsulated.as_mut_ptr(),
                &mut encapsulated_len,
                &mut handle,
            ))
            .into_result(Function::EncapsulateKey)?;
        }

        encapsulated.truncate(encapsulated_len.try_into()?);

        Ok((encapsulated, ObjectHandle::new(handle)))
    }

    /// Decapsulate key
    pub fn decapsulate_key(
        &self,
        mechanism: &Mechanism,
        privatekey: ObjectHandle,
        template: &[Attribute],
        ciphertext: &[u8],
    ) -> Result<ObjectHandle> {
        let mut mechanism: CK_MECHANISM = mechanism.into();
        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
        let mut handle = 0;

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecapsulateKey)(
                self.handle(),
                &mut mechanism as CK_MECHANISM_PTR,
                privatekey.handle(),
                template.as_mut_ptr(),
                template.len().try_into()?,
                ciphertext.as_ptr() as *mut u8,
                ciphertext.len().try_into()?,
                &mut handle,
            ))
            .into_result(Function::DecapsulateKey)?;
        }

        Ok(ObjectHandle::new(handle))
    }
}