Merge pull request #271 from Jakuje/unique-id

 Add UniqueId Attribute

Author: hug-dev

cryptoki/src/object.rs

@@ -122,6 +122,8 @@ pub enum AttributeType {
     Token,
     /// Determines if the object is trusted
     Trusted,
+    /// Unique Object Id
+    UniqueId,
     /// Determines if a key supports unwrapping
     Unwrap,
     /// Gives the URL where the complete certificate can be obtained
@@ -258,6 +260,7 @@ impl AttributeType {
             CKA_UNWRAP_TEMPLATE => String::from(stringify!(CKA_UNWRAP_TEMPLATE)),
             CKA_DERIVE_TEMPLATE => String::from(stringify!(CKA_DERIVE_TEMPLATE)),
             CKA_ALLOWED_MECHANISMS => String::from(stringify!(CKA_ALLOWED_MECHANISMS)),
+            CKA_UNIQUE_ID => String::from(stringify!(CKA_UNIQUE_ID)),
             CKA_VENDOR_DEFINED..=MAX_CU_ULONG => {
                 format!("{}_{}", stringify!(CKA_VENDOR_DEFINED), val)
             }
@@ -327,6 +330,7 @@ impl From<AttributeType> for CK_ATTRIBUTE_TYPE {
             AttributeType::Subject => CKA_SUBJECT,
             AttributeType::Token => CKA_TOKEN,
             AttributeType::Trusted => CKA_TRUSTED,
+            AttributeType::UniqueId => CKA_UNIQUE_ID,
             AttributeType::Unwrap => CKA_UNWRAP,
             AttributeType::Url => CKA_URL,
             AttributeType::Value => CKA_VALUE,
@@ -396,6 +400,7 @@ impl TryFrom<CK_ATTRIBUTE_TYPE> for AttributeType {
             CKA_SUBJECT => Ok(AttributeType::Subject),
             CKA_TOKEN => Ok(AttributeType::Token),
             CKA_TRUSTED => Ok(AttributeType::Trusted),
+            CKA_UNIQUE_ID => Ok(AttributeType::UniqueId),
             CKA_UNWRAP => Ok(AttributeType::Unwrap),
             CKA_URL => Ok(AttributeType::Url),
             CKA_VALUE => Ok(AttributeType::Value),
@@ -519,6 +524,8 @@ pub enum Attribute {
     Token(bool),
     /// Determines if an object is trusted
     Trusted(bool),
+    /// Unique Object Id
+    UniqueId(Vec<u8>),
     /// Determines if a key supports unwrapping
     Unwrap(bool),
     /// Gives the URL where the complete certificate can ber obtained
@@ -594,6 +601,7 @@ impl Attribute {
             Attribute::Subject(_) => AttributeType::Subject,
             Attribute::Token(_) => AttributeType::Token,
             Attribute::Trusted(_) => AttributeType::Trusted,
+            Attribute::UniqueId(_) => AttributeType::UniqueId,
             Attribute::Unwrap(_) => AttributeType::Unwrap,
             Attribute::Url(_) => AttributeType::Url,
             Attribute::Value(_) => AttributeType::Value,
@@ -663,6 +671,7 @@ impl Attribute {
             Attribute::PublicKeyInfo(bytes) => bytes.len(),
             Attribute::SerialNumber(bytes) => bytes.len(),
             Attribute::Subject(bytes) => bytes.len(),
+            Attribute::UniqueId(bytes) => bytes.len(),
             Attribute::Value(bytes) => bytes.len(),
             Attribute::ValueLen(_) => size_of::<CK_ULONG>(),
             Attribute::EndDate(_) | Attribute::StartDate(_) => size_of::<CK_DATE>(),
@@ -741,6 +750,7 @@ impl Attribute {
             | Attribute::Owner(bytes)
             | Attribute::SerialNumber(bytes)
             | Attribute::Subject(bytes)
+            | Attribute::UniqueId(bytes)
             | Attribute::Url(bytes)
             | Attribute::Value(bytes)
             | Attribute::VendorDefined((_, bytes))
@@ -868,6 +878,7 @@ impl TryFrom<CK_ATTRIBUTE> for Attribute {
             AttributeType::Owner => Ok(Attribute::Owner(val.to_vec())),
             AttributeType::SerialNumber => Ok(Attribute::SerialNumber(val.to_vec())),
             AttributeType::Subject => Ok(Attribute::Subject(val.to_vec())),
+            AttributeType::UniqueId => Ok(Attribute::UniqueId(val.to_vec())),
             AttributeType::Url => Ok(Attribute::Url(val.to_vec())),
             AttributeType::Value => Ok(Attribute::Value(val.to_vec())),
             AttributeType::Id => Ok(Attribute::Id(val.to_vec())),

cryptoki/src/session/object_management.rs

@@ -57,7 +57,7 @@ const MAX_OBJECT_COUNT: NonZeroUsize = unsafe { NonZeroUsize::new_unchecked(10)
 ///
 ///     let attributes = session.get_attributes(obj, &wanted_attr)?;
 ///
-///     match attributes.get(0) {
+///     match attributes.first() {
 ///         Some(Attribute::Label(l)) => {
 ///             println!(
 ///                 "token object #{}: handle {}, label {}",
@@ -413,7 +413,7 @@ impl Session {
     /// session.login(UserType::User, Some(&AuthPin::new("fedcba".into())));
     ///
     /// let empty_attrib= vec![];
-    /// if let Some(object) = session.find_objects(&empty_attrib).unwrap().get(0) {
+    /// if let Some(object) = session.find_objects(&empty_attrib).unwrap().first() {
     ///     let attribute_types = vec![
     ///         AttributeType::Token,
     ///         AttributeType::Private,

cryptoki/tests/basic.rs

@@ -2476,3 +2476,82 @@ fn aes_cmac_verify_impl(key: [u8; 16], message: &[u8], expected_mac: [u8; 16]) -
     session.verify(&Mechanism::AesCMac, key, message, &expected_mac)?;
     Ok(())
 }
+
+/// AES-CMAC test vectors from RFC 4493
+#[test]
+#[serial]
+fn unique_id() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+    let session = pkcs11.open_rw_session(slot)?;
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    let key: [u8; 16] = [
+        0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f,
+        0x3c,
+    ];
+
+    // Can not create object with Unique Id
+    let key_template = vec![
+        Attribute::Class(ObjectClass::SECRET_KEY),
+        Attribute::KeyType(KeyType::AES),
+        Attribute::Token(true),
+        Attribute::Sensitive(true),
+        Attribute::Private(true),
+        Attribute::Value(key.into()),
+        Attribute::UniqueId(vec![0x00, 0x00, 0x00, 0x01]),
+    ];
+    let res = session.create_object(&key_template);
+    assert!(res.is_err());
+    assert!(matches!(
+        res,
+        Err(Error::Pkcs11(
+            RvError::AttributeTypeInvalid,
+            Function::CreateObject
+        ))
+    ));
+
+    let generate_template = vec![
+        Attribute::Token(true),
+        Attribute::ValueLen(32.into()),
+        Attribute::Encrypt(true),
+    ];
+
+    // generate a secret key
+    let key = session.generate_key(&Mechanism::AesKeyGen, &generate_template)?;
+
+    // we can get the UniqueId attribute
+    let attrs = session.get_attributes(key, &[AttributeType::UniqueId])?;
+    if is_softhsm() {
+        // SoftHSM does not support this attribute at all
+        assert_eq!(attrs.len(), 0);
+    } else {
+        assert!(matches!(attrs.first(), Some(Attribute::UniqueId(_))));
+    }
+
+    // we can not set the UniqueId attribute
+    let update_template = vec![Attribute::UniqueId(vec![0x01, 0x02, 0x03])];
+    let res = session.update_attributes(key, &update_template);
+    assert!(res.is_err());
+    if is_softhsm() {
+        // SoftHSM does not support this attribute at all
+        assert!(matches!(
+            res,
+            Err(Error::Pkcs11(
+                RvError::AttributeTypeInvalid,
+                Function::SetAttributeValue
+            ))
+        ));
+    } else {
+        assert!(matches!(
+            res,
+            Err(Error::Pkcs11(
+                RvError::AttributeReadOnly,
+                Function::SetAttributeValue
+            ))
+        ));
+    }
+
+    session.destroy_object(key)?;
+
+    Ok(())
+}