use a session ref

Signed-off-by: Arthur Gautier <[email protected]>

Author: baloo

cryptoki-rustcrypto/src/ecdsa.rs

@@ -4,7 +4,6 @@
 use cryptoki::{
     mechanism::Mechanism,
     object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
 };
 use der::{
     asn1::{ObjectIdentifier, OctetStringRef},
@@ -28,6 +27,8 @@ use spki::{
 use std::{convert::TryFrom, ops::Add};
 use thiserror::Error;
 
+use crate::SessionLike;
+
 #[derive(Error, Debug)]
 pub enum Error {
     #[error("Cryptoki error: {0}")]
@@ -50,19 +51,19 @@ impl SignAlgorithm for p256::NistP256 {
     }
 }
 
-pub struct Signer<C: SignAlgorithm> {
-    session: Session,
+pub struct Signer<C: SignAlgorithm, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<C>,
 }
 
-impl<C: SignAlgorithm> Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> Signer<C, S>
 where
     FieldBytesSize<C>: ModulusSize,
     AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
 {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -126,12 +127,12 @@ where
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<C: SignAlgorithm> AssociatedAlgorithmIdentifier for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<C, S>
 where
     C: AssociatedOid,
 {
@@ -141,15 +142,15 @@ where
         PublicKey::<C>::ALGORITHM_IDENTIFIER;
 }
 
-impl<C: SignAlgorithm> signature::Keypair for Signer<C> {
+impl<C: SignAlgorithm, S: SessionLike> signature::Keypair for Signer<C, S> {
     type VerifyingKey = VerifyingKey<C>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key
     }
 }
 
-impl<C: SignAlgorithm> signature::Signer<Signature<C>> for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> signature::Signer<Signature<C>> for Signer<C, S>
 where
     <<C as ecdsa::elliptic_curve::Curve>::FieldBytesSize as Add>::Output: ArrayLength<u8>,
 {
@@ -171,7 +172,7 @@ where
     }
 }
 
-impl<C: SignAlgorithm> SignatureAlgorithmIdentifier for Signer<C>
+impl<C: SignAlgorithm, S: SessionLike> SignatureAlgorithmIdentifier for Signer<C, S>
 where
     AffinePoint<C>: FromEncodedPoint<C> + ToEncodedPoint<C>,
     FieldBytesSize<C>: ModulusSize,

cryptoki-rustcrypto/src/lib.rs

@@ -1,5 +1,54 @@
 // Copyright 2023 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
+use cryptoki::{
+    error::Result,
+    mechanism::Mechanism,
+    object::{Attribute, AttributeType, ObjectHandle},
+    session::Session,
+};
+
 pub mod ecdsa;
 pub mod rsa;
+
+pub trait SessionLike {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>>;
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>>;
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>>;
+}
+
+impl SessionLike for Session {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
+        Session::find_objects(self, template)
+    }
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>> {
+        Session::get_attributes(self, object, attributes)
+    }
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>> {
+        Session::sign(self, mechanism, key, data)
+    }
+}
+
+impl<'s> SessionLike for &'s Session {
+    fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
+        Session::find_objects(self, template)
+    }
+    fn get_attributes(
+        &self,
+        object: ObjectHandle,
+        attributes: &[AttributeType],
+    ) -> Result<Vec<Attribute>> {
+        Session::get_attributes(self, object, attributes)
+    }
+    fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>> {
+        Session::sign(self, mechanism, key, data)
+    }
+}

cryptoki-rustcrypto/src/rsa/pkcs1v15.rs

@@ -1,10 +1,7 @@
 // Copyright 2023 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
-use cryptoki::{
-    object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
-};
+use cryptoki::object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle};
 use der::AnyRef;
 use rsa::{
     pkcs1,
@@ -15,16 +12,17 @@ use spki::{AlgorithmIdentifierRef, AssociatedAlgorithmIdentifier, SignatureAlgor
 use std::convert::TryFrom;
 
 use super::{DigestSigning, Error};
+use crate::SessionLike;
 
-pub struct Signer<D: DigestSigning> {
-    session: Session,
+pub struct Signer<D: DigestSigning, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
 }
 
-impl<D: DigestSigning> Signer<D> {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -83,25 +81,25 @@ impl<D: DigestSigning> Signer<D> {
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<D: DigestSigning> AssociatedAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
     const ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> = pkcs1::ALGORITHM_ID;
 }
 
-impl<D: DigestSigning> signature::Keypair for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Keypair for Signer<D, S> {
     type VerifyingKey = VerifyingKey<D>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key.clone()
     }
 }
 
-impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Signer<Signature> for Signer<D, S> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
         let bytes = self
             .session
@@ -116,7 +114,7 @@ impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
     }
 }
 
-impl<D: DigestSigning> SignatureAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> SignatureAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
 
     const SIGNATURE_ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> =

cryptoki-rustcrypto/src/rsa/pss.rs

@@ -1,10 +1,7 @@
 // Copyright 2023 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 
-use cryptoki::{
-    object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle},
-    session::Session,
-};
+use cryptoki::object::{Attribute, AttributeType, KeyType, ObjectClass, ObjectHandle};
 use der::{asn1::ObjectIdentifier, oid::AssociatedOid, Any, AnyRef};
 use rsa::{
     pkcs1::{self, RsaPssParams},
@@ -20,17 +17,18 @@ use spki::{
 use std::convert::TryFrom;
 
 use super::{DigestSigning, Error};
+use crate::SessionLike;
 
-pub struct Signer<D: DigestSigning> {
-    session: Session,
+pub struct Signer<D: DigestSigning, S: SessionLike> {
+    session: S,
     _public_key: ObjectHandle,
     private_key: ObjectHandle,
     verifying_key: VerifyingKey<D>,
     salt_len: usize,
 }
 
-impl<D: DigestSigning> Signer<D> {
-    pub fn new(session: Session, label: &[u8]) -> Result<Self, Error> {
+impl<D: DigestSigning, S: SessionLike> Signer<D, S> {
+    pub fn new(session: S, label: &[u8]) -> Result<Self, Error> {
         // First we'll lookup a private key with that label.
         let template = vec![
             Attribute::Token(true),
@@ -91,25 +89,25 @@ impl<D: DigestSigning> Signer<D> {
         })
     }
 
-    pub fn into_session(self) -> Session {
+    pub fn into_session(self) -> S {
         self.session
     }
 }
 
-impl<D: DigestSigning> AssociatedAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> AssociatedAlgorithmIdentifier for Signer<D, S> {
     type Params = AnyRef<'static>;
     const ALGORITHM_IDENTIFIER: AlgorithmIdentifierRef<'static> = pkcs1::ALGORITHM_ID;
 }
 
-impl<D: DigestSigning> signature::Keypair for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Keypair for Signer<D, S> {
     type VerifyingKey = VerifyingKey<D>;
 
     fn verifying_key(&self) -> Self::VerifyingKey {
         self.verifying_key.clone()
     }
 }
 
-impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> signature::Signer<Signature> for Signer<D, S> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
         let bytes = self
             .session
@@ -124,7 +122,7 @@ impl<D: DigestSigning> signature::Signer<Signature> for Signer<D> {
     }
 }
 
-impl<D: DigestSigning> DynSignatureAlgorithmIdentifier for Signer<D> {
+impl<D: DigestSigning, S: SessionLike> DynSignatureAlgorithmIdentifier for Signer<D, S> {
     fn signature_algorithm_identifier(&self) -> pkcs8::spki::Result<AlgorithmIdentifierOwned> {
         get_pss_signature_algo_id::<D>(self.salt_len as u8)
     }

cryptoki-rustcrypto/tests/ecdsa.rs

@@ -67,15 +67,13 @@ fn sign_verify() -> TestResult {
     let data = [0xFF, 0x55, 0xDD];
 
     let signer =
-        ecdsa::Signer::<p256::NistP256>::new(session, label).expect("Lookup keys from HSM");
+        ecdsa::Signer::<p256::NistP256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;

cryptoki-rustcrypto/tests/rsa.rs

@@ -50,15 +50,13 @@ fn pkcs1v15_sign_verify() -> TestResult {
     let data = [0xFF, 0x55, 0xDD];
 
     let signer =
-        pkcs1v15::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+        pkcs1v15::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;
@@ -104,15 +102,14 @@ fn pss_sign_verify() -> TestResult {
     // data to sign
     let data = [0xFF, 0x55, 0xDD];
 
-    let signer = pss::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+    let signer =
+        pss::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let signature = signer.sign(&data);
 
     let verifying_key = signer.verifying_key();
     verifying_key.verify(&data, &signature)?;
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;

cryptoki-rustcrypto/tests/x509-ca.rs

@@ -55,7 +55,8 @@ fn pss_create_ca() -> TestResult {
     let (public, private) =
         session.generate_key_pair(&mechanism, &pub_key_template, &priv_key_template)?;
 
-    let signer = pss::Signer::<sha2::Sha256>::new(session, label).expect("Lookup keys from HSM");
+    let signer =
+        pss::Signer::<sha2::Sha256, _>::new(&session, label).expect("Lookup keys from HSM");
 
     let serial_number = SerialNumber::from(42u32);
     let validity = Validity::from_now(Duration::new(5, 0)).unwrap();
@@ -73,8 +74,6 @@ fn pss_create_ca() -> TestResult {
     let pem = certificate.to_pem(LineEnding::LF).expect("generate pem");
     println!("{}", pem);
 
-    let session = signer.into_session();
-
     // delete keys
     session.destroy_object(public)?;
     session.destroy_object(private)?;