Refactor builtin object creation logic

Introduce a `builtin_create` method to the `ObjectFactory` trait to
standardize the creation of static objects like FIPS indicators,
Profiles, and Mechanisms.

Move the construction logic for these objects from ad-hoc helper
functions (e.g., `insert_fips_validation`) into their respective
factories. This simplifies the token initialization code by using a
generic `insert_builtin_object` helper.

Also rename `internal_object_derive` to `internal_key_derive` and
adjust related key creation helpers to clearer names.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>

Author: simo5

src/aes.rs

@@ -176,7 +176,7 @@ impl ObjectFactory for AesKeyFactory {
         template: &[CK_ATTRIBUTE],
         origin: &Object,
     ) -> Result<Object> {
-        let obj = self.internal_object_derive(template, origin)?;
+        let obj = self.internal_key_derive(template, origin)?;
 
         let key_len = self.get_key_len(&obj);
         if key_len != 0 {

src/fips/indicators.rs

@@ -3,13 +3,12 @@
 
 use std::sync::LazyLock;
 
-use crate::attribute::Attribute;
+use crate::attribute::{Attribute, CkAttrs};
 use crate::ec::{get_oid_from_obj, oid_to_bits};
 use crate::error::Result;
 use crate::object::*;
 use crate::pkcs11::vendor::KRY_UNSPEC;
 use crate::pkcs11::*;
-use crate::Token;
 
 /// The flag returned in the CKA_VALIDATION_FLAG attribute
 ///
@@ -21,8 +20,19 @@ use crate::Token;
 /// to mark operations. Applications need to get the flag value after
 /// token initialization and use that value thereafter to check against
 /// objects and session CKA_VALIDATION_FLAGS attributes.
+
 pub const KRF_FIPS: CK_ULONG = 1;
 
+/* TODO: These should be generated at build time */
+const VALIDATION_VERSION: [u8; 2] = [3u8, 0u8];
+const VALIDATION_LEVEL: CK_ULONG = 1;
+const MODULE_ID: &str = "Kryoptic FIPS Module - v1";
+const COUNTRY: &str = "US";
+const CERTIFICATE: &str = "Pending";
+const CERTIFICATE_URI: &str = "";
+const VENDOR_URI: &str = "https://github.com/latchset/kryoptic";
+const PROFILE: &str = "";
+
 /// The Validation Object factory
 #[derive(Debug)]
 pub struct ValidationFactory {
@@ -36,7 +46,7 @@ impl ValidationFactory {
             data: ObjectFactoryData::new(CKO_VALIDATION),
         };
 
-        factory.add_common_storage_attrs(false);
+        factory.add_common_object_attrs();
 
         let attributes = factory.data.get_attributes_mut();
 
@@ -92,6 +102,57 @@ impl ValidationFactory {
 }
 
 impl ObjectFactory for ValidationFactory {
+    fn create(&self, _template: &[CK_ATTRIBUTE]) -> Result<Object> {
+        Err(CKR_TEMPLATE_INCOMPLETE)?
+    }
+
+    fn builtin_create(&self, stable_id: CK_ULONG) -> Result<Object> {
+        let mut tmpl = CkAttrs::with_capacity(11);
+        match stable_id {
+            super::FIPS_VALIDATION_OBJ => {
+                tmpl.add_ulong(CKA_VALIDATION_TYPE, &CKV_TYPE_SOFTWARE);
+                tmpl.add_slice(CKA_VALIDATION_VERSION, &VALIDATION_VERSION)?;
+                tmpl.add_ulong(CKA_VALIDATION_LEVEL, &VALIDATION_LEVEL);
+                tmpl.add_slice(CKA_VALIDATION_MODULE_ID, MODULE_ID.as_bytes())?;
+                tmpl.add_ulong(CKA_VALIDATION_FLAG, &KRF_FIPS);
+                tmpl.add_ulong(
+                    CKA_VALIDATION_AUTHORITY_TYPE,
+                    &CKV_AUTHORITY_TYPE_NIST_CMVP,
+                );
+                tmpl.add_slice(CKA_VALIDATION_COUNTRY, COUNTRY.as_bytes())?;
+                tmpl.add_slice(
+                    CKA_VALIDATION_CERTIFICATE_IDENTIFIER,
+                    CERTIFICATE.as_bytes(),
+                )?;
+                tmpl.add_slice(
+                    CKA_VALIDATION_CERTIFICATE_URI,
+                    CERTIFICATE_URI.as_bytes(),
+                )?;
+                tmpl.add_slice(
+                    CKA_VALIDATION_VENDOR_URI,
+                    VENDOR_URI.as_bytes(),
+                )?;
+                tmpl.add_slice(CKA_VALIDATION_PROFILE, PROFILE.as_bytes())?;
+            }
+            _ => return Err(CKR_GENERAL_ERROR)?,
+        }
+        let mut obj = self.internal_object_create(
+            tmpl.as_slice(),
+            OAFlags::empty(),
+            OAFlags::RequiredOnCreate,
+        )?;
+        obj.generate_stable_unique(stable_id);
+        Ok(obj)
+    }
+
+    fn copy(
+        &self,
+        _origin: &Object,
+        _template: &[CK_ATTRIBUTE],
+    ) -> Result<Object> {
+        Err(CKR_TEMPLATE_INCOMPLETE)?
+    }
+
     /// Helper method to get a reference to the ObjectFactoryData
     fn get_data(&self) -> &ObjectFactoryData {
         &self.data
@@ -110,67 +171,6 @@ impl ObjectFactory for ValidationFactory {
 pub(crate) static VALIDATION_FACTORY: LazyLock<Box<dyn ObjectFactory>> =
     LazyLock::new(|| Box::new(ValidationFactory::new()));
 
-/// Synthesize a FIPS CKO_VALIDATION object
-///
-/// This is generally done only once at token initialization
-pub fn insert_fips_validation(token: &mut Token) -> Result<()> {
-    let mut obj = Object::new(CKO_VALIDATION);
-    obj.set_attr(Attribute::from_bool(CKA_TOKEN, false))?;
-    obj.set_attr(Attribute::from_bool(CKA_DESTROYABLE, false))?;
-    obj.set_attr(Attribute::from_bool(CKA_MODIFIABLE, false))?;
-    obj.set_attr(Attribute::from_bool(CKA_PRIVATE, false))?;
-    obj.set_attr(Attribute::from_bool(CKA_SENSITIVE, false))?;
-    obj.set_attr(Attribute::from_ulong(
-        CKA_VALIDATION_TYPE,
-        CKV_TYPE_SOFTWARE,
-    ))?;
-    obj.set_attr(Attribute::from_bytes(
-        CKA_VALIDATION_VERSION,
-        vec![3u8, 0u8],
-    ))?;
-    obj.set_attr(Attribute::from_ulong(CKA_VALIDATION_LEVEL, 1))?;
-    /* TODO: This should be generated at build time */
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_MODULE_ID,
-        String::from("Kryoptic FIPS Module - v1"),
-    ))?;
-    obj.set_attr(Attribute::from_ulong(CKA_VALIDATION_FLAG, KRF_FIPS))?;
-    obj.set_attr(Attribute::from_ulong(
-        CKA_VALIDATION_AUTHORITY_TYPE,
-        CKV_AUTHORITY_TYPE_NIST_CMVP,
-    ))?;
-
-    /* TODO: The following attributes should all be determined at build time */
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_COUNTRY,
-        String::from("US"),
-    ))?;
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_CERTIFICATE_IDENTIFIER,
-        String::from("Pending"),
-    ))?;
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_CERTIFICATE_URI,
-        String::from(""),
-    ))?;
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_VENDOR_URI,
-        String::from("https://github.com/latchset/kryoptic"),
-    ))?;
-    obj.set_attr(Attribute::from_string(
-        CKA_VALIDATION_PROFILE,
-        String::from(""),
-    ))?;
-
-    /* generate a unique but stable id */
-    obj.generate_stable_unique(1);
-
-    /* invalid session handle will prevent it from being removed when
-     * session objects are cleared on session closings */
-    let _ = token.insert_object(CK_INVALID_HANDLE, obj)?;
-    Ok(())
-}
-
 /// Helper to convert bits to bytes
 macro_rules! btb {
     ($val:expr) => {

src/fips/mod.rs

@@ -6,13 +6,14 @@ use crate::error::Result;
 use crate::mechanism::Mechanisms;
 use crate::object::{ObjectFactories, ObjectType};
 use crate::pkcs11::*;
-use crate::token::Token;
 
 use ossl::fips;
 
 pub(crate) mod indicators;
 pub(crate) mod kats;
 
+pub const FIPS_VALIDATION_OBJ: CK_ULONG = 1;
+
 /// Sets the FIPS module into the error state
 pub fn set_fips_error_state() {
     fips::set_error_state();
@@ -23,11 +24,6 @@ pub fn check_fips_state_ok() -> bool {
     return fips::check_state_ok();
 }
 
-/// Helper function to set up validation objects at token initialization
-pub fn token_init(token: &mut Token) -> Result<()> {
-    indicators::insert_fips_validation(token)
-}
-
 /// Helper function to register the validation object factory
 pub fn register(_: &mut Mechanisms, ot: &mut ObjectFactories) {
     ot.add_factory(