use a session ref

baloo · baloo · commit a68557d1948a · 2023-11-24T22:59:00.000-08:00
Signed-off-by: Arthur Gautier &lt;baloo@superbaloo.net&gt;
diff --git a/cryptoki-rustcrypto/src/ecdsa.rs b/cryptoki-rustcrypto/src/ecdsa.rs
@@ -1,7 +1,6 @@
 use cryptoki::{
     mechanism::Mechanism,
     object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
 };
 use der::{
     asn1::{ObjectIdentifier, OctetStringRef},
@@ -25,6 +24,8 @@ use spki::{
 use std::{convert::TryFrom, ops::Add};
 use thiserror::Error;
 
+use crate::SessionLike;
+
 #[derive(Error, Debug)]
 pub enum Error {
     #[error("Cryptoki error: {0}")]
@@ -47,19 +48,19 @@ impl SignAlgorithm for p256::NistP256 {
     }
 }
 
-pub struct Signer<C: SignAlgorithm> {
-    session: Session,
+pub struct Signer<C: SignAlgorithm, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<C>,
 }
 
-impl<C: SignAlgorithm> Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> Signer<C, S>
 where
     FieldBytesSize<C>: ModulusSize,
     AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
 {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -123,12 +124,12 @@ where
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<C: SignAlgorithm> AssociatedAlgorithmIdentifier for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<C, S>
 where
     C: AssociatedOid,
 {
@@ -138,15 +139,15 @@ where
         PublicKey::<C>::ALGORITHM_IDENTIFIER;
 }
 
-impl<C: SignAlgorithm> signature::Keypair for Signer<C> {
+impl<C: SignAlgorithm, S: SessionLike> signature::Keypair for Signer<C, S> {
     type VerifyingKey = VerifyingKey<C>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key
     }
 }
 
-impl<C: SignAlgorithm> signature::Signer<Signature<C>> for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> signature::Signer<Signature<C>> for Signer<C, S>
 where
     <<C as ecdsa::elliptic_curve::Curve>::FieldBytesSize as Add>::Output: ArrayLength<u8>,
 {
@@ -168,7 +169,7 @@ where
     }
 }
 
-impl<C: SignAlgorithm> SignatureAlgorithmIdentifier for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> SignatureAlgorithmIdentifier for Signer<C, S>
 where
     AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
     FieldBytesSize<C>: ModulusSize,
diff --git a/cryptoki-rustcrypto/src/lib.rs b/cryptoki-rustcrypto/src/lib.rs
@@ -1,2 +1,51 @@
+use cryptoki::{
+    error::Result,
+    mechanism::Mechanism,
+    object::{Attribute, AttributeType, ObjectHandle},
+    session::Session,
+};
+
 pub mod ecdsa;
 pub mod rsa;
+
+pub trait SessionLike {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>>;
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>>;
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>>;
+}
+
+impl SessionLike for Session {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
+        Session::find_objects(self, template)
+    }
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>> {
+        Session::get_attributes(self, object, attributes)
+    }
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>> {
+        Session::sign(self, mechanism, key, data)
+    }
+}
+
+impl<'s> SessionLike for &'s Session {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
+        Session::find_objects(self, template)
+    }
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>> {
+        Session::get_attributes(self, object, attributes)
+    }
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>> {
+        Session::sign(self, mechanism, key, data)
+    }
+}
diff --git a/cryptoki-rustcrypto/src/rsa/pkcs1v15.rs b/cryptoki-rustcrypto/src/rsa/pkcs1v15.rs
@@ -1,7 +1,4 @@
-use cryptoki::{
-    object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
-};
+use cryptoki::object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle};
 use der::AnyRef;
 use rsa::{
     pkcs1,
@@ -12,16 +9,17 @@ use spki::{AlgorithmIdentifierRef, AssociatedAlgorithmIdentifier, SignatureAlgor
 use std::convert::TryFrom;
 
 use super::{DigestSigning, Error};
+use crate::SessionLike;
 
-pub struct Signer<D: DigestSigning> {
-    session: Session,
+pub struct Signer<D: DigestSigning, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
 }
 
-impl<D: DigestSigning> Signer<D> {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -80,25 +78,25 @@ impl<D: DigestSigning> Signer<D> {
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<D: DigestSigning> AssociatedAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
     const ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> = pkcs1::ALGORITHM_ID;
 }
 
-impl<D: DigestSigning> signature::Keypair for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Keypair for Signer<D, S> {
     type VerifyingKey = VerifyingKey<D>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key.clone()
     }
 }
 
-impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Signer<Signature> for Signer<D, S> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
         let bytes = self
             .session
@@ -113,7 +111,7 @@ impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
     }
 }
 
-impl<D: DigestSigning> SignatureAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> SignatureAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
 
     const SIGNATURE_ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> =
diff --git a/cryptoki-rustcrypto/src/rsa/pss.rs b/cryptoki-rustcrypto/src/rsa/pss.rs
@@ -1,7 +1,4 @@
-use cryptoki::{
-    object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
-};
+use cryptoki::object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle};
 use der::{asn1::ObjectIdentifier, oid::AssociatedOid, Any, AnyRef};
 use rsa::{
     pkcs1::{self, RsaPssParams},
@@ -17,17 +14,18 @@ use spki::{
 use std::convert::TryFrom;
 
 use super::{DigestSigning, Error};
+use crate::SessionLike;
 
-pub struct Signer<D: DigestSigning> {
-    session: Session,
+pub struct Signer<D: DigestSigning, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
     salt_len: usize,
 }
 
-impl<D: DigestSigning> Signer<D> {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -88,25 +86,25 @@ impl<D: DigestSigning> Signer<D> {
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<D: DigestSigning> AssociatedAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
     const ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> = pkcs1::ALGORITHM_ID;
 }
 
-impl<D: DigestSigning> signature::Keypair for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Keypair for Signer<D, S> {
     type VerifyingKey = VerifyingKey<D>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key.clone()
     }
 }
 
-impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Signer<Signature> for Signer<D, S> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
         let bytes = self
             .session
@@ -121,7 +119,7 @@ impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
     }
 }
 
-impl<D: DigestSigning> DynSignatureAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> DynSignatureAlgorithmIdentifier for Signer<D, S> {
     fn signature_algorithm_identifier(&self) -> pkcs8::spki::Result<AlgorithmIdentifierOwned> {
         get_pss_signature_algo_id::<D>(self.salt_len as u8)
     }
diff --git a/cryptoki-rustcrypto/tests/ecdsa.rs b/cryptoki-rustcrypto/tests/ecdsa.rs
@@ -66,15 +66,13 @@ fn sign_verify() -> TestResult {
     let data = [0xFF, 0x55, 0xDD];
 
     let signer =
-        ecdsa::Signer::<p256::NistP256>::new(session, label).expect("Lookup keys from HSM");
+        ecdsa::Signer::<p256::NistP256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;
diff --git a/cryptoki-rustcrypto/tests/rsa.rs b/cryptoki-rustcrypto/tests/rsa.rs
@@ -49,15 +49,13 @@ fn pkcs1v15_sign_verify() -> TestResult {
     let data = [0xFF, 0x55, 0xDD];
 
     let signer =
-        pkcs1v15::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+        pkcs1v15::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;
@@ -103,15 +101,14 @@ fn pss_sign_verify() -> TestResult {
     // data to sign
     let data = [0xFF, 0x55, 0xDD];
 
-    let signer = pss::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+    let signer =
+        pss::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;
diff --git a/cryptoki-rustcrypto/tests/x509-ca.rs b/cryptoki-rustcrypto/tests/x509-ca.rs
@@ -54,7 +54,8 @@ fn pss_create_ca() -> TestResult {
     let (public, private) =
         session.generate_key_pair(&mechanism, &pub_key_template, &priv_key_template)?;
 
-    let signer = pss::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+    let signer =
+        pss::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let serial_number = SerialNumber::from(42u32);
     let validity = Validity::from_now(Duration::new(5, 0)).unwrap();
@@ -72,8 +73,6 @@ fn pss_create_ca() -> TestResult {
     let pem = certificate.to_pem(LineEnding::LF).expect("generate pem");
     println!("{}", pem);
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`use cryptoki::{`
`2`	`2`	`mechanism::Mechanism,`
`3`	`3`	`object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},`
`4`		`- session::Session,`
`5`	`4`	`};`
`6`	`5`	`use der::{`
`7`	`6`	`asn1::{ObjectIdentifier, OctetStringRef},`
`@@ -25,6 +24,8 @@ use spki::{`
`25`	`24`	`use std::{convert::TryFrom, ops::Add};`
`26`	`25`	`use thiserror::Error;`
`27`	`26`
	`27`	`+use crate::SessionLike;`
	`28`	`+`
`28`	`29`	`#[derive(Error, Debug)]`
`29`	`30`	`pub enum Error {`
`30`	`31`	`#[error("Cryptoki error: {0}")]`
`@@ -47,19 +48,19 @@ impl SignAlgorithm for p256::NistP256 {`
`47`	`48`	`}`
`48`	`49`	`}`
`49`	`50`
`50`		`-pub struct Signer<C: SignAlgorithm> {`
`51`		`- session: Session,`
	`51`	`+pub struct Signer<C: SignAlgorithm, S: SessionLike> {`
	`52`	`+ session: S,`
`52`	`53`	`_public_key: ObjectHandle,`
`53`	`54`	`private_key: ObjectHandle,`
`54`	`55`	`verifying_key: VerifyingKey<C>,`
`55`	`56`	`}`
`56`	`57`
`57`		`-impl<C: SignAlgorithm> Signer<C>`
	`58`	`+impl<C: SignAlgorithm, S: SessionLike> Signer<C, S>`
`58`	`59`	`where`
`59`	`60`	`FieldBytesSize<C>: ModulusSize,`
`60`	`61`	`AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,`
`61`	`62`	`{`
`62`		`- pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {`
	`63`	`+ pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {`
`63`	`64`	`// First we'll lookup a private key with that label.`
`64`	`65`	`let template = vec![`
`65`	`66`	`Attribute::Token(true),`
`@@ -123,12 +124,12 @@ where`
`123`	`124`	`})`
`124`	`125`	`}`
`125`	`126`
`126`		`- pub fn into_session(self) -> Session {`
	`127`	`+ pub fn into_session(self) -> S {`
`127`	`128`	`self.session`
`128`	`129`	`}`
`129`	`130`	`}`
`130`	`131`
`131`		`-impl<C: SignAlgorithm> AssociatedAlgorithmIdentifier for Signer<C>`
	`132`	`+impl<C: SignAlgorithm, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<C, S>`
`132`	`133`	`where`
`133`	`134`	`C: AssociatedOid,`
`134`	`135`	`{`
`@@ -138,15 +139,15 @@ where`
`138`	`139`	`PublicKey::<C>::ALGORITHM_IDENTIFIER;`
`139`	`140`	`}`
`140`	`141`
`141`		`-impl<C: SignAlgorithm> signature::Keypair for Signer<C> {`
	`142`	`+impl<C: SignAlgorithm, S: SessionLike> signature::Keypair for Signer<C, S> {`
`142`	`143`	`type VerifyingKey = VerifyingKey<C>;`
`143`	`144`
`144`	`145`	`fn verifying_key(&self) -> Self::VerifyingKey {`
`145`	`146`	`self.verifying_key`
`146`	`147`	`}`
`147`	`148`	`}`
`148`	`149`
`149`		`-impl<C: SignAlgorithm> signature::Signer<Signature<C>> for Signer<C>`
	`150`	`+impl<C: SignAlgorithm, S: SessionLike> signature::Signer<Signature<C>> for Signer<C, S>`
`150`	`151`	`where`
`151`	`152`	`<<C as ecdsa::elliptic_curve::Curve>::FieldBytesSize as Add>::Output: ArrayLength<u8>,`
`152`	`153`	`{`
`@@ -168,7 +169,7 @@ where`
`168`	`169`	`}`
`169`	`170`	`}`
`170`	`171`
`171`		`-impl<C: SignAlgorithm> SignatureAlgorithmIdentifier for Signer<C>`
	`172`	`+impl<C: SignAlgorithm, S: SessionLike> SignatureAlgorithmIdentifier for Signer<C, S>`
`172`	`173`	`where`
`173`	`174`	`AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,`
`174`	`175`	`FieldBytesSize<C>: ModulusSize,`