Storage changes #17

Merged
merged 5 commits into from
Mar 26, 2024
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
@@ -38,7 +38,7 @@ jobs:
'perl(IPC::Cmd)' 'perl(Pod::Html)' 'perl(Digest::SHA)' \
'perl(Module::Load::Conditional)' 'perl(File::Temp)' \
'perl(Test::Harness)' 'perl(Test::More)' 'perl(Math::BigInt)' \
zlib-devel sed
zlib-devel sed sqlite-devel
simo5 marked this conversation as resolved.

- name: Checkout Repository
uses: actions/checkout@v3
5 changes: 2 additions & 3 deletions .gitignore
@@ -2,12 +2,11 @@
/Cargo.lock
/src/pkcs11/bindings.rs
/src/ossl/bindings.rs
/src/hacl/bindings.rs
/src/fips/bindings.rs
/test.json
*.o
*.a
*.d
*.config
*.swp
/hacl/gcc-compatible/config.h
/*.json
/*.sql
1 change: 1 addition & 0 deletions Cargo.toml
@@ -28,6 +28,7 @@ num-bigint = "0.4.4"
num-integer = "0.1.45"
num-traits = "0.2.17"
once_cell = "1.18.0"
rusqlite = "0.31.0"
serde = { version = "1.0.180", features = ["derive"] }
serde_json = "1.0.104"
uuid = { version = "1.4.1", features = ["v4"] }
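Review bot: The new `rusqlite = "0.31.0"` line is a caret requirement, and `/Cargo.lock` is listed in `.gitignore`, so the exact rusqlite and libsqlite3-sys versions that presumably back the token's storage are not recorded anywhere in the repository. For a PKCS#11 token it is worth making the dependency set reproducible, either by committing `Cargo.lock` or by pinning with `rusqlite = "=0.31.0"`. Without the `bundled` feature the crate links the host's libsqlite3 (which matches the `sqlite-devel` package added to CI), so the SQLite version in use is whatever the distribution ships; a short comment above the line, e.g. `# links the system libsqlite3 on purpose`, would make that choice explicit.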
11 changes: 11 additions & 0 deletions Makefile
@@ -1,3 +1,14 @@
all:
cargo build

fips:
cargo build --features fips

check:
cargo test

check-fips:
cargo test --features fips

check-format:
@rustfmt --check --color auto src/*.rs src/*/*.rs
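Review bot: None of the targets in this hunk (`all`, `fips`, `check`, `check-fips`, `check-format`) is declared phony, so a file or directory with one of those names at the repository root would make `make check` report "up to date" and run no tests. Unless a `.PHONY` line exists further down (the file continues past this hunk), add `.PHONY: all fips check check-fips check-format` at the top.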
3 changes: 2 additions & 1 deletion README.md
@@ -1,9 +1,10 @@
This is an experimental pkcs11 token written in rust
This is a pkcs11 soft token written in rust

# Dependencies

* rustc
* openssl dependencies
* sqlite

# Setup

101 changes: 52 additions & 49 deletions src/lib.rs
@@ -489,8 +489,8 @@ extern "C" fn fn_set_pin(
let vpin: Vec<u8> = bytes_to_vec!(new_pin, new_len);
let vold: Vec<u8> = bytes_to_vec!(old_pin, old_len);

let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
token.set_pin(CK_UNAVAILABLE_INFORMATION, &vpin, Some(&vold))
}
extern "C" fn fn_open_session(
@@ -631,8 +631,8 @@ extern "C" fn fn_create_object(
if !session.is_writable() {
fail_if_cka_token_true!(&*tmpl);
}
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));

let oh = match token.create_object(s_handle, tmpl) {
Ok(h) => h,
@@ -659,12 +659,10 @@ extern "C" fn fn_copy_object(
if !session.is_writable() {
fail_if_cka_token_true!(&*tmpl);
}
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));

/* Pull object to check that operation is not prohibited */
/* TODO: return CKR_ACTION_PROHIBITED instead of CKR_USER_NOT_LOGGED_IN ? */
let _ = res_or_ret!(token.get_object_by_handle(o_handle, true));
let oh = res_or_ret!(token.copy_object(s_handle, o_handle, tmpl));

unsafe {
@@ -675,28 +673,28 @@ extern "C" fn fn_copy_object(
}
extern "C" fn fn_destroy_object(
s_handle: CK_SESSION_HANDLE,
object: CK_OBJECT_HANDLE,
o_handle: CK_OBJECT_HANDLE,
) -> CK_RV {
let rstate = global_rlock!(STATE);
let session = res_or_ret!(rstate.get_session(s_handle));
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
/* TODO: return CKR_ACTION_PROHIBITED instead of CKR_USER_NOT_LOGGED_IN ? */
let obj = res_or_ret!(token.get_object_by_handle(object, true));
let obj = res_or_ret!(token.get_object_by_handle(o_handle));
if obj.is_token() && !session.is_writable() {
return CKR_ACTION_PROHIBITED;
}
ret_to_rv!(token.destroy_object(object))
ret_to_rv!(token.destroy_object(o_handle))
}

extern "C" fn fn_get_object_size(
s_handle: CK_SESSION_HANDLE,
object: CK_OBJECT_HANDLE,
o_handle: CK_OBJECT_HANDLE,
size: CK_ULONG_PTR,
) -> CK_RV {
let rstate = global_rlock!(STATE);
let token = res_or_ret!(rstate.get_token_from_session(s_handle));
let len = res_or_ret!(token.get_object_size(object));
let len = res_or_ret!(token.get_object_size(o_handle));
unsafe {
*size = len as CK_ULONG;
}
@@ -710,7 +708,7 @@ extern "C" fn fn_get_attribute_value(
count: CK_ULONG,
) -> CK_RV {
let rstate = global_rlock!(STATE);
let token = res_or_ret!(rstate.get_token_from_session(s_handle));
let mut token = res_or_ret!(rstate.get_token_from_session_mut(s_handle));
let mut tmpl: &mut [CK_ATTRIBUTE] =
unsafe { std::slice::from_raw_parts_mut(template, count as usize) };
ret_to_rv!(token.get_object_attrs(o_handle, &mut tmpl))
@@ -723,9 +721,9 @@ extern "C" fn fn_set_attribute_value(
) -> CK_RV {
let rstate = global_rlock!(STATE);
let session = res_or_ret!(rstate.get_session(s_handle));
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let obj = res_or_ret!(token.get_object_by_handle(o_handle, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(o_handle));
if obj.is_token() {
if !token.is_logged_in(KRY_UNSPEC) {
return CKR_USER_NOT_LOGGED_IN;
@@ -745,8 +743,8 @@ extern "C" fn fn_find_objects_init(
) -> CK_RV {
let rstate = global_rlock!(STATE);
let mut session = res_or_ret!(rstate.get_session_mut(s_handle));
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let tmpl: &[CK_ATTRIBUTE] =
unsafe { std::slice::from_raw_parts(template, count as usize) };
ret_to_rv!(session.new_search_operation(&mut token, tmpl))
@@ -823,11 +821,12 @@ extern "C" fn fn_encrypt_init(
let mut session = res_or_ret!(rstate.get_session_mut(s_handle));
check_op_empty_or_fail!(session; Encryption; mechanism);
let data: &CK_MECHANISM = unsafe { &*mechanism };
let token = res_or_ret!(rstate.get_token_from_slot(session.get_slot_id()));
let obj = res_or_ret!(token.get_object_by_handle(key, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key)).clone();
let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_ENCRYPT == CKF_ENCRYPT {
let operation = res_or_ret!(mech.encryption_new(data, obj));
let operation = res_or_ret!(mech.encryption_new(data, &obj));
session.set_operation(Operation::Encryption(operation));
CKR_OK
} else {
@@ -936,11 +935,12 @@ extern "C" fn fn_decrypt_init(
let mut session = res_or_ret!(rstate.get_session_mut(s_handle));
check_op_empty_or_fail!(session; Decryption; mechanism);
let data: &CK_MECHANISM = unsafe { &*mechanism };
let token = res_or_ret!(rstate.get_token_from_slot(session.get_slot_id()));
let obj = res_or_ret!(token.get_object_by_handle(key, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key)).clone();
let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_DECRYPT == CKF_DECRYPT {
let operation = res_or_ret!(mech.decryption_new(data, obj));
let operation = res_or_ret!(mech.decryption_new(data, &obj));
session.set_operation(Operation::Decryption(operation));
CKR_OK
} else {
@@ -1133,8 +1133,8 @@ extern "C" fn fn_digest_key(
if operation.finalized() {
return CKR_OPERATION_NOT_INITIALIZED;
}
let token = res_or_ret!(rstate.get_token_from_slot(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key, true));
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key));
if res_or_ret!(obj.get_attr_as_ulong(CKA_CLASS)) != CKO_SECRET_KEY {
return CKR_KEY_HANDLE_INVALID;
}
@@ -1193,11 +1193,12 @@ extern "C" fn fn_sign_init(
let mut session = res_or_ret!(rstate.get_session_mut(s_handle));
check_op_empty_or_fail!(session; Sign; mechanism);
let data: &CK_MECHANISM = unsafe { &*mechanism };
let token = res_or_ret!(rstate.get_token_from_slot(session.get_slot_id()));
let obj = res_or_ret!(token.get_object_by_handle(key, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key)).clone();
let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_SIGN == CKF_SIGN {
let operation = res_or_ret!(mech.sign_new(data, obj));
let operation = res_or_ret!(mech.sign_new(data, &obj));
session.set_operation(Operation::Sign(operation));
CKR_OK
} else {
@@ -1333,11 +1334,12 @@ extern "C" fn fn_verify_init(
let mut session = res_or_ret!(rstate.get_session_mut(s_handle));
check_op_empty_or_fail!(session; Verify; mechanism);
let data: &CK_MECHANISM = unsafe { &*mechanism };
let token = res_or_ret!(rstate.get_token_from_slot(session.get_slot_id()));
let obj = res_or_ret!(token.get_object_by_handle(key, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let obj = res_or_ret!(token.get_object_by_handle(key)).clone();
let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_VERIFY == CKF_VERIFY {
let operation = res_or_ret!(mech.verify_new(data, obj));
let operation = res_or_ret!(mech.verify_new(data, &obj));
session.set_operation(Operation::Verify(operation));
CKR_OK
} else {
@@ -1489,8 +1491,8 @@ extern "C" fn fn_generate_key(
fail_if_cka_token_true!(&*tmpl);
}

let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));

let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_GENERATE != CKF_GENERATE {
@@ -1541,8 +1543,8 @@ extern "C" fn fn_generate_key_pair(
fail_if_cka_token_true!(&*pubtmpl);
}

let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));

let mech = res_or_ret!(token.get_mech(data.mechanism));
if mech.info().flags & CKF_GENERATE_KEY_PAIR != CKF_GENERATE_KEY_PAIR {
@@ -1583,14 +1585,15 @@ extern "C" fn fn_wrap_key(
let session = res_or_ret!(rstate.get_session(s_handle));

let ck_mech: &CK_MECHANISM = unsafe { &*mechanism };
let token = res_or_ret!(rstate.get_token_from_slot(session.get_slot_id()));
let kobj = res_or_ret!(token.get_object_by_handle(key, true));
let factory = res_or_ret!(token.get_obj_factory(kobj));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let kobj = res_or_ret!(token.get_object_by_handle(key)).clone();
let wkobj = res_or_ret!(token.get_object_by_handle(wrapping_key)).clone();
let factory = res_or_ret!(token.get_obj_factory(&kobj));
let mech = res_or_ret!(token.get_mech(ck_mech.mechanism));
if mech.info().flags & CKF_WRAP != CKF_WRAP {
return CKR_MECHANISM_INVALID;
}
let wkobj = res_or_ret!(token.get_object_by_handle(wrapping_key, true));

/* key checks */
if !res_or_ret!(wkobj.get_attr_as_bool(CKA_WRAP)) {
@@ -1606,8 +1609,8 @@ extern "C" fn fn_wrap_key(

ret_to_rv!(mech.wrap_key(
ck_mech,
wkobj,
kobj,
&wkobj,
&kobj,
wrapped_key,
pul_wrapped_key_len,
factory,
@@ -1634,9 +1637,9 @@ extern "C" fn fn_unwrap_key(
if !session.is_writable() {
fail_if_cka_token_true!(&*tmpl);
}
let mut token =
res_or_ret!(rstate.get_token_from_slot_mut(session.get_slot_id()));
let kobj = res_or_ret!(token.get_object_by_handle(unwrapping_key, true));
let slot_id = session.get_slot_id();
let mut token = res_or_ret!(rstate.get_token_from_slot_mut(slot_id));
let kobj = res_or_ret!(token.get_object_by_handle(unwrapping_key)).clone();
let factory = res_or_ret!(token.get_obj_factory_from_key_template(tmpl));
let data: &[u8] = unsafe {
std::slice::from_raw_parts(wrapped_key, wrapped_key_len as usize)
@@ -1651,7 +1654,7 @@ extern "C" fn fn_unwrap_key(
return CKR_WRAPPING_KEY_HANDLE_INVALID;
}

let result = mech.unwrap_key(ck_mech, kobj, data, tmpl, factory);
let result = mech.unwrap_key(ck_mech, &kobj, data, tmpl, factory);
match result {
Ok(obj) => {
let kh = res_or_ret!(token.insert_object(s_handle, obj));
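Review bot: Every `get_object_by_handle(handle, true)` call in this file loses its second argument, and in fn_copy_object the separate lookup under the comment "Pull object to check that operation is not prohibited" appears to be removed as well, so whatever access check that flag requested now has to happen unconditionally inside `get_object_by_handle` and `copy_object`, neither of which is part of this section. It is worth confirming there, and with a test that calls C_CopyObject, C_SignInit and C_WrapKey on a private object without logging in, that the result is still `CKR_USER_NOT_LOGGED_IN`; a one-line comment at the fn_copy_object call such as `/* login and private-object checks are enforced inside copy_object() */` would record the assumption. Separately, fn_encrypt_init, fn_decrypt_init, fn_sign_init, fn_verify_init, fn_wrap_key and fn_unwrap_key now `.clone()` the key object, which puts another copy of the key attributes in memory; if `Object` does not wipe its attributes on drop, that deserves a follow-up. The last hunk ends inside fn_unwrap_key, whose body continues outside this section.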