Add pub accessors for object/session handles and unsafe ObjectHandle new_from_raw

Signed-off-by: Jack Shannon <[email protected]>

Author: jhshannon17

cryptoki/src/object.rs

@@ -1193,7 +1193,15 @@ impl ObjectHandle {
         ObjectHandle { handle }
     }
 
-    pub(crate) fn handle(&self) -> CK_OBJECT_HANDLE {
+    /// Create a new object handle from a raw handle.
+    /// # Safety
+    /// Considered unsafe due to ability for client to arbitrarily create object handles.
+    pub unsafe fn new_from_raw(handle: CK_OBJECT_HANDLE) -> Self {
+        ObjectHandle { handle }
+    }
+
+    /// Get the raw handle of the object.
+    pub fn handle(&self) -> CK_OBJECT_HANDLE {
         self.handle
     }
 }

cryptoki/src/session/mod.rs

@@ -78,7 +78,8 @@ impl Session {
     /// This will be called on drop as well.
     pub fn close(self) {}
 
-    pub(crate) fn handle(&self) -> CK_SESSION_HANDLE {
+    /// Get the raw handle of the session.
+    pub fn handle(&self) -> CK_SESSION_HANDLE {
         self.handle
     }
 

cryptoki/tests/basic.rs

@@ -4296,3 +4296,55 @@ fn validation() -> TestResult {
 
     Ok(())
 }
+
+#[test]
+#[serial]
+fn object_handle_new_from_raw() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+
+    // open a session
+    let session = pkcs11.open_rw_session(slot)?;
+
+    // log in the session
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    // get mechanism
+    let mechanism = Mechanism::RsaPkcsKeyPairGen;
+
+    let public_exponent: Vec<u8> = vec![0x01, 0x00, 0x01];
+    let modulus_bits = 2048;
+
+    // pub key template
+    let pub_key_template = vec![
+        Attribute::Token(true),
+        Attribute::Private(false),
+        Attribute::PublicExponent(public_exponent),
+        Attribute::ModulusBits(modulus_bits.into()),
+        Attribute::Verify(true),
+    ];
+
+    // priv key template
+    let priv_key_template = vec![Attribute::Token(true), Attribute::Sign(true)];
+
+    // generate a key pair
+    let (public, private) =
+        session.generate_key_pair(&mechanism, &pub_key_template, &priv_key_template)?;
+
+    let private_cloned = unsafe { ObjectHandle::new_from_raw(private.handle()) };
+    let public_cloned = unsafe { ObjectHandle::new_from_raw(public.handle()) };
+
+    // data to sign
+    let data = [0xFF, 0x55, 0xDD];
+
+    // sign something with it
+    let signature = session.sign(&Mechanism::RsaPkcs, private_cloned, &data)?;
+
+    // verify the signature
+    session.verify(&Mechanism::RsaPkcs, public_cloned, &data, &signature)?;
+
+    // delete keys
+    session.destroy_object(public)?;
+    session.destroy_object(private)?;
+
+    Ok(())
+}

cryptoki/tests/common/mod.rs

@@ -12,7 +12,7 @@ pub static USER_PIN: &str = "fedcba123456";
 // The default SO pin
 pub static SO_PIN: &str = "abcdef654321";
 
-fn get_pkcs11_path() -> String {
+pub fn get_pkcs11_path() -> String {
     env::var("TEST_PKCS11_MODULE")
         .unwrap_or_else(|_| "/usr/local/lib/softhsm/libsofthsm2.so".to_string())
 }
@@ -41,9 +41,21 @@ pub fn get_pkcs11() -> Pkcs11 {
     Pkcs11::new(get_pkcs11_path()).unwrap()
 }
 
+#[allow(dead_code)]
+pub fn get_pkcs11_from_self() -> Pkcs11 {
+    Pkcs11::new_from_self().unwrap()
+}
+
+#[allow(dead_code)]
 pub fn init_pins() -> (Pkcs11, Slot) {
     let pkcs11 = get_pkcs11();
 
+    let slot = init_pins_from_pkcs11(&pkcs11);
+
+    (pkcs11, slot)
+}
+
+pub fn init_pins_from_pkcs11(pkcs11: &Pkcs11) -> Slot {
     // initialize the library
     pkcs11.initialize(CInitializeArgs::OsThreads).unwrap();
 
@@ -61,7 +73,7 @@ pub fn init_pins() -> (Pkcs11, Slot) {
         session.init_pin(&AuthPin::new(USER_PIN.into())).unwrap();
     }
 
-    (pkcs11, slot)
+    slot
 }
 
 #[allow(dead_code)]