cryptoki 0.12.0

Rust-native wrapper around the PKCS #11 API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

// Copyright 2025 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
//! Decrypting messages

use crate::context::Function;
use crate::error::{Result, Rv};
use crate::mechanism::{Mechanism, MessageParam};
use crate::object::ObjectHandle;
use crate::session::Session;
use cryptoki_sys::*;
use std::convert::TryInto;

impl Session {
    /// Prepare a session for one or more Message-based decryption using the same mechanism and key
    pub fn message_decrypt_init(&self, mechanism: &Mechanism, key: ObjectHandle) -> Result<()> {
        let mut mechanism: CK_MECHANISM = mechanism.into();

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_MessageDecryptInit)(
                self.handle(),
                &mut mechanism as CK_MECHANISM_PTR,
                key.handle(),
            ))
            .into_result(Function::MessageDecryptInit)?;
        }

        Ok(())
    }

    /// Decrypts a message in single part
    pub fn decrypt_message(
        &self,
        param: &MessageParam,
        aad: &[u8],
        encrypted_data: &[u8],
    ) -> Result<Vec<u8>> {
        let mut data_len = 0;
        // Get the output buffer length
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecryptMessage)(
                self.handle(),
                param.as_ptr(),
                param.len(),
                aad.as_ptr() as *mut u8,
                aad.len().try_into()?,
                encrypted_data.as_ptr() as *mut u8,
                encrypted_data.len().try_into()?,
                std::ptr::null_mut(),
                &mut data_len,
            ))
            .into_result(Function::DecryptMessage)?;
        }

        let mut data = vec![0; data_len.try_into()?];

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecryptMessage)(
                self.handle(),
                param.as_ptr(),
                param.len(),
                aad.as_ptr() as *mut u8,
                aad.len().try_into()?,
                encrypted_data.as_ptr() as *mut u8,
                encrypted_data.len().try_into()?,
                data.as_mut_ptr(),
                &mut data_len,
            ))
            .into_result(Function::DecryptMessage)?;
        }

        data.truncate(data_len.try_into()?);

        Ok(data)
    }

    /// Begin multi-part message decryption operation
    pub fn decrypt_message_begin(&self, param: MessageParam, aad: &[u8]) -> Result<()> {
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecryptMessageBegin)(
                self.handle(),
                param.as_ptr(),
                param.len(),
                aad.as_ptr() as *mut u8,
                aad.len().try_into()?,
            ))
            .into_result(Function::DecryptMessageBegin)
        }
    }

    /// Continue mutli-part message decryption operation
    pub fn decrypt_message_next(
        &self,
        param: MessageParam,
        encrypted_data: &[u8],
        end: bool,
    ) -> Result<Vec<u8>> {
        let mut data_len = 0;
        // Get the output buffer length
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecryptMessageNext)(
                self.handle(),
                param.as_ptr(),
                param.len(),
                encrypted_data.as_ptr() as *mut u8,
                encrypted_data.len().try_into()?,
                std::ptr::null_mut(),
                &mut data_len,
                if end { CKF_END_OF_MESSAGE } else { 0 },
            ))
            .into_result(Function::DecryptMessageNext)?;
        }
        let mut data = vec![0; data_len.try_into()?];
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_DecryptMessageNext)(
                self.handle(),
                param.as_ptr(),
                param.len(),
                encrypted_data.as_ptr() as *mut u8,
                encrypted_data.len().try_into()?,
                data.as_mut_ptr(),
                &mut data_len,
                if end { CKF_END_OF_MESSAGE } else { 0 },
            ))
            .into_result(Function::DecryptMessageNext)?;
        }
        data.truncate(data_len.try_into()?);

        Ok(data)
    }

    /// Finishes Message-based decryption process
    pub fn message_decrypt_final(&self) -> Result<()> {
        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_MessageDecryptFinal)(
                self.handle(),
            ))
            .into_result(Function::MessageDecryptFinal)?;
        }

        Ok(())
    }
}