oxicrypto-adapter-pkcs11 0.1.0

OxiCrypto adapter for PKCS#11 HSMs via cryptoki
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

//! PKCS#11 provider: initialize a cryptoki context and open an authenticated session.

use cryptoki::{
    context::{CInitializeArgs, CInitializeFlags, Pkcs11},
    session::{Session, UserType},
    slot::Slot,
    types::AuthPin,
};
use oxicrypto_core::CryptoError;
use std::path::Path;
use std::sync::Mutex;

/// Error type for PKCS#11 operations.
#[derive(Debug)]
pub enum PkcsError {
    /// Failed to load the PKCS#11 module or initialize the library.
    Init(String),
    /// Failed to open a session or perform a session operation.
    Session(String),
    /// The requested cryptographic operation failed.
    Operation(String),
    /// Mutex was poisoned (internal session lock failure).
    LockPoisoned,
}

impl core::fmt::Display for PkcsError {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        match self {
            PkcsError::Init(msg) => write!(f, "PKCS#11 init error: {msg}"),
            PkcsError::Session(msg) => write!(f, "PKCS#11 session error: {msg}"),
            PkcsError::Operation(msg) => write!(f, "PKCS#11 operation error: {msg}"),
            PkcsError::LockPoisoned => write!(f, "PKCS#11 session mutex was poisoned"),
        }
    }
}

impl std::error::Error for PkcsError {}

impl From<PkcsError> for CryptoError {
    fn from(_e: PkcsError) -> Self {
        CryptoError::Internal("pkcs11 error (see PkcsError for details)")
    }
}

/// A live, authenticated PKCS#11 provider session.
///
/// Wraps a `cryptoki::session::Session` inside a `Mutex` so that the
/// provider can implement `Send + Sync` (required by `oxicrypto_core`
/// traits).  The PKCS#11 C API is not inherently thread-safe at the session
/// level; the `Mutex` serialises concurrent access.
///
/// Construct via [`Pkcs11Provider::new`].
#[derive(Debug)]
pub struct Pkcs11Provider {
    /// The authenticated session, wrapped in a Mutex for Sync safety.
    pub(crate) session: Mutex<Session>,
}

impl Pkcs11Provider {
    /// Initialize a new PKCS#11 provider.
    ///
    /// 1. Loads the dynamic library at `module_path`.
    /// 2. Calls `C_Initialize`.
    /// 3. Opens an R/W session on `slot`.
    /// 4. Logs in as `User` with `pin`.
    ///
    /// # Errors
    /// Returns `PkcsError` if any step fails.
    pub fn new(module_path: &Path, slot: Slot, pin: &str) -> Result<Self, PkcsError> {
        let ctx = Pkcs11::new(module_path).map_err(|e| PkcsError::Init(e.to_string()))?;

        ctx.initialize(CInitializeArgs::new(CInitializeFlags::OS_LOCKING_OK))
            .map_err(|e| PkcsError::Init(e.to_string()))?;

        let session = ctx
            .open_rw_session(slot)
            .map_err(|e| PkcsError::Session(e.to_string()))?;

        let auth_pin = AuthPin::new(pin.to_string().into_boxed_str());
        session
            .login(UserType::User, Some(&auth_pin))
            .map_err(|e| PkcsError::Session(e.to_string()))?;

        Ok(Self {
            session: Mutex::new(session),
        })
    }

    /// Execute a closure with exclusive access to the underlying `Session`.
    ///
    /// This is the primary way for `sign`, `sym`, etc. to perform PKCS#11
    /// operations without exposing the mutex directly.
    pub fn with_session<F, T>(&self, f: F) -> Result<T, PkcsError>
    where
        F: FnOnce(&Session) -> Result<T, cryptoki::error::Error>,
    {
        let guard = self.session.lock().map_err(|_| PkcsError::LockPoisoned)?;
        f(&guard).map_err(|e| PkcsError::Operation(e.to_string()))
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    /// Verify that the `PkcsError` Display impl is sane.
    #[test]
    fn pkcs_error_display() {
        let e = PkcsError::Init("test init error".to_string());
        let s = e.to_string();
        assert!(s.contains("init"), "expected 'init' in: {s}");
    }

    /// Verify `PkcsError` converts to `CryptoError::Internal`.
    #[test]
    fn pkcs_error_to_crypto_error() {
        let e = PkcsError::Operation("op failed".to_string());
        let ce: CryptoError = e.into();
        assert!(
            matches!(ce, CryptoError::Internal(_)),
            "expected CryptoError::Internal"
        );
    }

    /// Verify that creating a provider with a non-existent module path returns an error
    /// without panicking. No HSM required.
    #[test]
    fn nonexistent_module_returns_error() {
        let nonexistent = PathBuf::from("/nonexistent/path/to/pkcs11.so");
        // Slot 0 is just a placeholder — we never get far enough to need it.
        let slot = Slot::try_from(0u64).expect("slot 0");
        let result = Pkcs11Provider::new(&nonexistent, slot, "1234");
        assert!(result.is_err(), "expected error for nonexistent module");
    }

    /// Verify PkcsError::LockPoisoned displays correctly.
    #[test]
    fn pkcs_error_lock_poisoned_display() {
        let e = PkcsError::LockPoisoned;
        let s = e.to_string();
        assert!(s.contains("poisoned"), "expected 'poisoned' in: {s}");
    }
}