Add pub accessors for object/session handles and unsafe ObjectHandle new_from_raw

jhshannon17 · jack-shannon-ripple · commit a99ad88cf2bc · 2025-10-22T12:29:21.000-04:00
Signed-off-by: Jack Shannon &lt;jhshannon17@gmail.com&gt;
diff --git a/cryptoki/src/object.rs b/cryptoki/src/object.rs
@@ -1193,7 +1193,15 @@ impl ObjectHandle {
         ObjectHandle { handle }
     }
 
-    pub(crate) fn handle(&self) -> CK_OBJECT_HANDLE {
+    /// Create a new object handle from a raw handle.
+    /// # Safety
+    /// Considered unsafe due to ability for client to arbitrarily create object handles.
+    pub unsafe fn new_from_raw(handle: CK_OBJECT_HANDLE) -> Self {
+        ObjectHandle { handle }
+    }
+
+    /// Get the raw handle of the object.
+    pub fn handle(&self) -> CK_OBJECT_HANDLE {
         self.handle
     }
 }
diff --git a/cryptoki/src/session/mod.rs b/cryptoki/src/session/mod.rs
@@ -78,7 +78,8 @@ impl Session {
     /// This will be called on drop as well.
     pub fn close(self) {}
 
-    pub(crate) fn handle(&self) -> CK_SESSION_HANDLE {
+    /// Get the raw handle of the session.
+    pub fn handle(&self) -> CK_SESSION_HANDLE {
         self.handle
     }
 
diff --git a/cryptoki/tests/basic.rs b/cryptoki/tests/basic.rs
@@ -4296,3 +4296,55 @@ fn validation() -> TestResult {
 
     Ok(())
 }
+
+#[test]
+#[serial]
+fn object_handle_new_from_raw() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+
+    // open a session
+    let session = pkcs11.open_rw_session(slot)?;
+
+    // log in the session
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    // get mechanism
+    let mechanism = Mechanism::RsaPkcsKeyPairGen;
+
+    let public_exponent: Vec<u8> = vec![0x01, 0x00, 0x01];
+    let modulus_bits = 2048;
+
+    // pub key template
+    let pub_key_template = vec![
+        Attribute::Token(true),
+        Attribute::Private(false),
+        Attribute::PublicExponent(public_exponent),
+        Attribute::ModulusBits(modulus_bits.into()),
+        Attribute::Verify(true),
+    ];
+
+    // priv key template
+    let priv_key_template = vec![Attribute::Token(true), Attribute::Sign(true)];
+
+    // generate a key pair
+    let (public, private) =
+        session.generate_key_pair(&mechanism, &pub_key_template, &priv_key_template)?;
+
+    let private_cloned = unsafe { ObjectHandle::new_from_raw(private.handle()) };
+    let public_cloned = unsafe { ObjectHandle::new_from_raw(public.handle()) };
+
+    // data to sign
+    let data = [0xFF, 0x55, 0xDD];
+
+    // sign something with it
+    let signature = session.sign(&Mechanism::RsaPkcs, private_cloned, &data)?;
+
+    // verify the signature
+    session.verify(&Mechanism::RsaPkcs, public_cloned, &data, &signature)?;
+
+    // delete keys
+    session.destroy_object(public)?;
+    session.destroy_object(private)?;
+
+    Ok(())
+}

Original file line number	Diff line number	Diff line change
`@@ -1193,7 +1193,15 @@ impl ObjectHandle {`
`1193`	`1193`	`ObjectHandle { handle }`
`1194`	`1194`	`}`
`1195`	`1195`
`1196`		`- pub(crate) fn handle(&self) -> CK_OBJECT_HANDLE {`
	`1196`	`+ /// Create a new object handle from a raw handle.`
	`1197`	`+ /// # Safety`
	`1198`	`+ /// Considered unsafe due to ability for client to arbitrarily create object handles.`
	`1199`	`+ pub unsafe fn new_from_raw(handle: CK_OBJECT_HANDLE) -> Self {`
	`1200`	`+ ObjectHandle { handle }`
	`1201`	`+ }`
	`1202`	`+`
	`1203`	`+ /// Get the raw handle of the object.`
	`1204`	`+ pub fn handle(&self) -> CK_OBJECT_HANDLE {`
`1197`	`1205`	`self.handle`
`1198`	`1206`	`}`
`1199`	`1207`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,8 @@ impl Session {`
`78`	`78`	`/// This will be called on drop as well.`
`79`	`79`	`pub fn close(self) {}`
`80`	`80`
`81`		`- pub(crate) fn handle(&self) -> CK_SESSION_HANDLE {`
	`81`	`+ /// Get the raw handle of the session.`
	`82`	`+ pub fn handle(&self) -> CK_SESSION_HANDLE {`
`82`	`83`	`self.handle`
`83`	`84`	`}`
`84`	`85`