// Copyright 2013 Miek Gieben. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package pkcs11 is a wrapper around the PKCS#11 cryptographic library. package pkcs11 // It is *assumed*, that: // // * Go's uint size == PKCS11's CK_ULONG size // * CK_ULONG never overflows an Go int /* #cgo windows CFLAGS: -DPACKED_STRUCTURES #cgo linux LDFLAGS: -ldl #cgo darwin LDFLAGS: -ldl #cgo openbsd LDFLAGS: -ldl #cgo freebsd LDFLAGS: -ldl #include <stdlib.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include "pkcs11go.h" #ifdef _WIN32 #include <windows.h> struct ctx { HMODULE handle; CK_FUNCTION_LIST_PTR sym; }; // New initializes a ctx and fills the symbol table. struct ctx *New(const char *module) { CK_C_GetFunctionList list; struct ctx *c = calloc(1, sizeof(struct ctx)); c->handle = LoadLibrary(module); if (c->handle == NULL) { free(c); return NULL; } list = (CK_C_GetFunctionList) GetProcAddress(c->handle, "C_GetFunctionList"); if (list == NULL) { free(c); return NULL; } list(&c->sym); return c; } // Destroy cleans up a ctx. void Destroy(struct ctx *c) { if (!c) { return; } free(c); } #else #include <dlfcn.h> struct ctx { void *handle; CK_FUNCTION_LIST_PTR sym; }; // New initializes a ctx and fills the symbol table. struct ctx *New(const char *module) { CK_C_GetFunctionList list; struct ctx *c = calloc(1, sizeof(struct ctx)); c->handle = dlopen(module, RTLD_LAZY); if (c->handle == NULL) { free(c); return NULL; } list = (CK_C_GetFunctionList) dlsym(c->handle, "C_GetFunctionList"); if (list == NULL) { free(c); return NULL; } list(&c->sym); return c; } // Destroy cleans up a ctx. void Destroy(struct ctx *c) { if (!c) { return; } if (c->handle == NULL) { return; } if (dlclose(c->handle) < 0) { return; } free(c); } #endif CK_RV Initialize(struct ctx * c) { CK_C_INITIALIZE_ARGS args; memset(&args, 0, sizeof(args)); args.flags = CKF_OS_LOCKING_OK; return c->sym->C_Initialize(&args); } CK_RV Finalize(struct ctx * c) { return c->sym->C_Finalize(NULL); } CK_RV GetInfo(struct ctx * c, ckInfoPtr info) { CK_INFO p; CK_RV e = c->sym->C_GetInfo(&p); if (e != CKR_OK) { return e; } info->cryptokiVersion = p.cryptokiVersion; memcpy(info->manufacturerID, p.manufacturerID, sizeof(p.manufacturerID)); info->flags = p.flags; memcpy(info->libraryDescription, p.libraryDescription, sizeof(p.libraryDescription)); info->libraryVersion = p.libraryVersion; return e; } CK_RV GetSlotList(struct ctx * c, CK_BBOOL tokenPresent, CK_ULONG_PTR * slotList, CK_ULONG_PTR ulCount) { CK_RV e = c->sym->C_GetSlotList(tokenPresent, NULL, ulCount); if (e != CKR_OK) { return e; } *slotList = calloc(*ulCount, sizeof(CK_SLOT_ID)); e = c->sym->C_GetSlotList(tokenPresent, *slotList, ulCount); return e; } CK_RV GetSlotInfo(struct ctx * c, CK_ULONG slotID, CK_SLOT_INFO_PTR info) { CK_RV e = c->sym->C_GetSlotInfo((CK_SLOT_ID) slotID, info); return e; } CK_RV GetTokenInfo(struct ctx * c, CK_ULONG slotID, CK_TOKEN_INFO_PTR info) { CK_RV e = c->sym->C_GetTokenInfo((CK_SLOT_ID) slotID, info); return e; } CK_RV GetMechanismList(struct ctx * c, CK_ULONG slotID, CK_ULONG_PTR * mech, CK_ULONG_PTR mechlen) { CK_RV e = c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, NULL, mechlen); // Gemaltos PKCS11 implementation returns CKR_BUFFER_TOO_SMALL on a NULL ptr instad of CKR_OK as the spec states. if (e != CKR_OK && e != CKR_BUFFER_TOO_SMALL) { return e; } *mech = calloc(*mechlen, sizeof(CK_MECHANISM_TYPE)); e = c->sym->C_GetMechanismList((CK_SLOT_ID) slotID, (CK_MECHANISM_TYPE_PTR) * mech, mechlen); return e; } CK_RV GetMechanismInfo(struct ctx * c, CK_ULONG slotID, CK_MECHANISM_TYPE mech, CK_MECHANISM_INFO_PTR info) { CK_RV e = c->sym->C_GetMechanismInfo((CK_SLOT_ID) slotID, mech, info); return e; } CK_RV InitToken(struct ctx * c, CK_ULONG slotID, char *pin, CK_ULONG pinlen, char *label) { CK_RV e = c->sym->C_InitToken((CK_SLOT_ID) slotID, (CK_UTF8CHAR_PTR) pin, pinlen, (CK_UTF8CHAR_PTR) label); return e; } CK_RV InitPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *pin, CK_ULONG pinlen) { CK_RV e = c->sym->C_InitPIN(sh, (CK_UTF8CHAR_PTR) pin, pinlen); return e; } CK_RV SetPIN(struct ctx * c, CK_SESSION_HANDLE sh, char *oldpin, CK_ULONG oldpinlen, char *newpin, CK_ULONG newpinlen) { CK_RV e = c->sym->C_SetPIN(sh, (CK_UTF8CHAR_PTR) oldpin, oldpinlen, (CK_UTF8CHAR_PTR) newpin, newpinlen); return e; } CK_RV OpenSession(struct ctx * c, CK_ULONG slotID, CK_ULONG flags, CK_SESSION_HANDLE_PTR session) { CK_RV e = c->sym->C_OpenSession((CK_SLOT_ID) slotID, (CK_FLAGS) flags, NULL, NULL, session); return e; } CK_RV CloseSession(struct ctx * c, CK_SESSION_HANDLE session) { CK_RV e = c->sym->C_CloseSession(session); return e; } CK_RV CloseAllSessions(struct ctx * c, CK_ULONG slotID) { CK_RV e = c->sym->C_CloseAllSessions(slotID); return e; } CK_RV GetSessionInfo(struct ctx * c, CK_SESSION_HANDLE session, CK_SESSION_INFO_PTR info) { CK_RV e = c->sym->C_GetSessionInfo(session, info); return e; } CK_RV GetOperationState(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * state, CK_ULONG_PTR statelen) { CK_RV rv = c->sym->C_GetOperationState(session, NULL, statelen); if (rv != CKR_OK) { return rv; } *state = calloc(*statelen, sizeof(CK_BYTE)); if (*state == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_GetOperationState(session, *state, statelen); return rv; } CK_RV SetOperationState(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR state, CK_ULONG statelen, CK_OBJECT_HANDLE encryptkey, CK_OBJECT_HANDLE authkey) { return c->sym->C_SetOperationState(session, state, statelen, encryptkey, authkey); } CK_RV Login(struct ctx *c, CK_SESSION_HANDLE session, CK_USER_TYPE userType, char *pin, CK_ULONG pinLen) { if (pinLen == 0) { pin = NULL; } CK_RV e = c->sym->C_Login(session, userType, (CK_UTF8CHAR_PTR) pin, pinLen); return e; } CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session) { CK_RV e = c->sym->C_Logout(session); return e; } CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR obj) { return c->sym->C_CreateObject(session, temp, tempCount, obj); } CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o, CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR obj) { return c->sym->C_CopyObject(session, o, temp, tempCount, obj); } CK_RV DestroyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object) { CK_RV e = c->sym->C_DestroyObject(session, object); return e; } CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, CK_ULONG_PTR size) { CK_RV e = c->sym->C_GetObjectSize(session, object, size); return e; } CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp, CK_ULONG templen) { // Call for the first time, check the returned ulValue in the attributes, then // allocate enough space and try again. CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen); if (e != CKR_OK) { return e; } CK_ULONG i; for (i = 0; i < templen; i++) { if ((CK_LONG) temp[i].ulValueLen == -1) { // either access denied or no such object continue; } temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE)); } return c->sym->C_GetAttributeValue(session, object, temp, templen); } CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp, CK_ULONG templen) { return c->sym->C_SetAttributeValue(session, object, temp, templen); } CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session, CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount) { return c->sym->C_FindObjectsInit(session, temp, tempCount); } CK_RV FindObjects(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE_PTR * obj, CK_ULONG max, CK_ULONG_PTR objCount) { *obj = calloc(max, sizeof(CK_OBJECT_HANDLE)); CK_RV e = c->sym->C_FindObjects(session, *obj, max, objCount); return e; } CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session) { CK_RV e = c->sym->C_FindObjectsFinal(session); return e; } CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_EncryptInit(session, mechanism, key); } CK_RV Encrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen) { CK_RV rv = c->sym->C_Encrypt(session, message, mlen, NULL, enclen); if (rv != CKR_OK) { return rv; } *enc = calloc(*enclen, sizeof(CK_BYTE)); if (*enc == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_Encrypt(session, message, mlen, *enc, enclen); return rv; } CK_RV EncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR plain, CK_ULONG plainlen, CK_BYTE_PTR * cipher, CK_ULONG_PTR cipherlen) { CK_RV rv = c->sym->C_EncryptUpdate(session, plain, plainlen, NULL, cipherlen); if (rv != CKR_OK) { return rv; } *cipher = calloc(*cipherlen, sizeof(CK_BYTE)); if (*cipher == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_EncryptUpdate(session, plain, plainlen, *cipher, cipherlen); return rv; } CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * cipher, CK_ULONG_PTR cipherlen) { CK_RV rv = c->sym->C_EncryptFinal(session, NULL, cipherlen); if (rv != CKR_OK) { return rv; } *cipher = calloc(*cipherlen, sizeof(CK_BYTE)); if (*cipher == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_EncryptFinal(session, *cipher, cipherlen); return rv; } CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_DecryptInit(session, mechanism, key); } CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher, CK_ULONG clen, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen) { CK_RV e = c->sym->C_Decrypt(session, cipher, clen, NULL, plainlen); if (e != CKR_OK) { return e; } *plain = calloc(*plainlen, sizeof(CK_BYTE)); if (*plain == NULL) { return CKR_HOST_MEMORY; } e = c->sym->C_Decrypt(session, cipher, clen, *plain, plainlen); return e; } CK_RV DecryptUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part, CK_ULONG_PTR partlen) { CK_RV rv = c->sym->C_DecryptUpdate(session, cipher, cipherlen, NULL, partlen); if (rv != CKR_OK) { return rv; } *part = calloc(*partlen, sizeof(CK_BYTE)); if (*part == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DecryptUpdate(session, cipher, cipherlen, *part, partlen); return rv; } CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen) { CK_RV rv = c->sym->C_DecryptFinal(session, NULL, plainlen); if (rv != CKR_OK) { return rv; } *plain = calloc(*plainlen, sizeof(CK_BYTE)); if (*plain == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DecryptFinal(session, *plain, plainlen); return rv; } CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism) { return c->sym->C_DigestInit(session, mechanism); } CK_RV Digest(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mlen, CK_BYTE_PTR * hash, CK_ULONG_PTR hashlen) { CK_RV rv = c->sym->C_Digest(session, message, mlen, NULL, hashlen); if (rv != CKR_OK) { return rv; } *hash = calloc(*hashlen, sizeof(CK_BYTE)); if (*hash == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_Digest(session, message, mlen, *hash, hashlen); return rv; } CK_RV DigestUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mlen) { CK_RV rv = c->sym->C_DigestUpdate(session, message, mlen); return rv; } CK_RV DigestKey(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE key) { CK_RV rv = c->sym->C_DigestKey(session, key); return rv; } CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash, CK_ULONG_PTR hashlen) { CK_RV rv = c->sym->C_DigestFinal(session, NULL, hashlen); if (rv != CKR_OK) { return rv; } *hash = calloc(*hashlen, sizeof(CK_BYTE)); if (*hash == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DigestFinal(session, *hash, hashlen); return rv; } CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_SignInit(session, mechanism, key); } CK_RV Sign(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mlen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen) { CK_RV rv = c->sym->C_Sign(session, message, mlen, NULL, siglen); if (rv != CKR_OK) { return rv; } *sig = calloc(*siglen, sizeof(CK_BYTE)); if (*sig == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_Sign(session, message, mlen, *sig, siglen); return rv; } CK_RV SignUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mlen) { CK_RV rv = c->sym->C_SignUpdate(session, message, mlen); return rv; } CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen) { CK_RV rv = c->sym->C_SignFinal(session, NULL, siglen); if (rv != CKR_OK) { return rv; } *sig = calloc(*siglen, sizeof(CK_BYTE)); if (*sig == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_SignFinal(session, *sig, siglen); return rv; } CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_SignRecoverInit(session, mechanism, key); } CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data, CK_ULONG datalen, CK_BYTE_PTR * sig, CK_ULONG_PTR siglen) { CK_RV rv = c->sym->C_SignRecover(session, data, datalen, NULL, siglen); if (rv != CKR_OK) { return rv; } *sig = calloc(*siglen, sizeof(CK_BYTE)); if (*sig == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_SignRecover(session, data, datalen, *sig, siglen); return rv; } CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_VerifyInit(session, mechanism, key); } CK_RV Verify(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message, CK_ULONG mesglen, CK_BYTE_PTR sig, CK_ULONG siglen) { CK_RV rv = c->sym->C_Verify(session, message, mesglen, sig, siglen); return rv; } CK_RV VerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR part, CK_ULONG partlen) { CK_RV rv = c->sym->C_VerifyUpdate(session, part, partlen); return rv; } CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig, CK_ULONG siglen) { CK_RV rv = c->sym->C_VerifyFinal(session, sig, siglen); return rv; } CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key) { return c->sym->C_VerifyRecoverInit(session, mechanism, key); } CK_RV VerifyRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig, CK_ULONG siglen, CK_BYTE_PTR * data, CK_ULONG_PTR datalen) { CK_RV rv = c->sym->C_VerifyRecover(session, sig, siglen, NULL, datalen); if (rv != CKR_OK) { return rv; } *data = calloc(*datalen, sizeof(CK_BYTE)); if (*data == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_VerifyRecover(session, sig, siglen, *data, datalen); return rv; } CK_RV DigestEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen) { CK_RV rv = c->sym->C_DigestEncryptUpdate(session, part, partlen, NULL, enclen); if (rv != CKR_OK) { return rv; } *enc = calloc(*enclen, sizeof(CK_BYTE)); if (*enc == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DigestEncryptUpdate(session, part, partlen, *enc, enclen); return rv; } CK_RV DecryptDigestUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part, CK_ULONG_PTR partlen) { CK_RV rv = c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, NULL, partlen); if (rv != CKR_OK) { return rv; } *part = calloc(*partlen, sizeof(CK_BYTE)); if (*part == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DecryptDigestUpdate(session, cipher, cipherlen, *part, partlen); return rv; } CK_RV SignEncryptUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR part, CK_ULONG partlen, CK_BYTE_PTR * enc, CK_ULONG_PTR enclen) { CK_RV rv = c->sym->C_SignEncryptUpdate(session, part, partlen, NULL, enclen); if (rv != CKR_OK) { return rv; } *enc = calloc(*enclen, sizeof(CK_BYTE)); if (*enc == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_SignEncryptUpdate(session, part, partlen, *enc, enclen); return rv; } CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher, CK_ULONG cipherlen, CK_BYTE_PTR * part, CK_ULONG_PTR partlen) { CK_RV rv = c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, NULL, partlen); if (rv != CKR_OK) { return rv; } *part = calloc(*partlen, sizeof(CK_BYTE)); if (*part == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_DecryptVerifyUpdate(session, cipher, cipherlen, *part, partlen); return rv; } CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key) { return c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key); } CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub, CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv, CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey, CK_OBJECT_HANDLE_PTR privkey) { return c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount, priv, privCount, pubkey, privkey); } CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey, CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped, CK_ULONG_PTR wrappedlen) { CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL, wrappedlen); if (rv != CKR_OK) { return rv; } *wrapped = calloc(*wrappedlen, sizeof(CK_BYTE)); if (*wrapped == NULL) { return CKR_HOST_MEMORY; } rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped, wrappedlen); return rv; } CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE basekey, CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key) { return c->sym->C_DeriveKey(session, mechanism, basekey, a, alen, key); } CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session, CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE unwrappingkey, CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen, CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key) { return c->sym->C_UnwrapKey(session, mechanism, unwrappingkey, wrappedkey, wrappedkeylen, a, alen, key); } CK_RV SeedRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR seed, CK_ULONG seedlen) { CK_RV e = c->sym->C_SeedRandom(session, seed, seedlen); return e; } CK_RV GenerateRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * rand, CK_ULONG length) { *rand = calloc(length, sizeof(CK_BYTE)); if (*rand == NULL) { return CKR_HOST_MEMORY; } CK_RV e = c->sym->C_GenerateRandom(session, *rand, length); return e; } CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot) { CK_RV e = c->sym->C_WaitForSlotEvent(flags, (CK_SLOT_ID_PTR) slot, NULL); return e; } static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a) { return a->pValue; } */ import "C" import "strings" import "unsafe" // Ctx contains the current pkcs11 context. type Ctx struct { ctx *C.struct_ctx } // New creates a new context and initializes the module/library for use. func New(module string) *Ctx { c := new(Ctx) mod := C.CString(module) defer C.free(unsafe.Pointer(mod)) c.ctx = C.New(mod) if c.ctx == nil { return nil } return c } // Destroy unloads the module/library and frees any remaining memory. func (c *Ctx) Destroy() { if c == nil || c.ctx == nil { return } C.Destroy(c.ctx) c.ctx = nil } // Initialize initializes the Cryptoki library. func (c *Ctx) Initialize() error { e := C.Initialize(c.ctx) return toError(e) } // Finalize indicates that an application is done with the Cryptoki library. func (c *Ctx) Finalize() error { if c.ctx == nil { return toError(CKR_CRYPTOKI_NOT_INITIALIZED) } e := C.Finalize(c.ctx) return toError(e) } // GetInfo returns general information about Cryptoki. func (c *Ctx) GetInfo() (Info, error) { var p C.ckInfo e := C.GetInfo(c.ctx, &p) i := Info{ CryptokiVersion: toVersion(p.cryptokiVersion), ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.manufacturerID[0]), 32)), " "), Flags: uint(p.flags), LibraryDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&p.libraryDescription[0]), 32)), " "), LibraryVersion: toVersion(p.libraryVersion), } return i, toError(e) } // GetSlotList obtains a list of slots in the system. func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) { var ( slotList C.CK_ULONG_PTR ulCount C.CK_ULONG ) e := C.GetSlotList(c.ctx, cBBool(tokenPresent), &slotList, &ulCount) if toError(e) != nil { return nil, toError(e) } l := toList(slotList, ulCount) return l, nil } // GetSlotInfo obtains information about a particular slot in the system. func (c *Ctx) GetSlotInfo(slotID uint) (SlotInfo, error) { var csi C.CK_SLOT_INFO e := C.GetSlotInfo(c.ctx, C.CK_ULONG(slotID), &csi) s := SlotInfo{ SlotDescription: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.slotDescription[0]), 64)), " "), ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&csi.manufacturerID[0]), 32)), " "), Flags: uint(csi.flags), HardwareVersion: toVersion(csi.hardwareVersion), FirmwareVersion: toVersion(csi.firmwareVersion), } return s, toError(e) } // GetTokenInfo obtains information about a particular token // in the system. func (c *Ctx) GetTokenInfo(slotID uint) (TokenInfo, error) { var cti C.CK_TOKEN_INFO e := C.GetTokenInfo(c.ctx, C.CK_ULONG(slotID), &cti) s := TokenInfo{ Label: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.label[0]), 32)), " "), ManufacturerID: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.manufacturerID[0]), 32)), " "), Model: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.model[0]), 16)), " "), SerialNumber: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.serialNumber[0]), 16)), " "), Flags: uint(cti.flags), MaxSessionCount: uint(cti.ulMaxSessionCount), SessionCount: uint(cti.ulSessionCount), MaxRwSessionCount: uint(cti.ulMaxRwSessionCount), RwSessionCount: uint(cti.ulRwSessionCount), MaxPinLen: uint(cti.ulMaxPinLen), MinPinLen: uint(cti.ulMinPinLen), TotalPublicMemory: uint(cti.ulTotalPublicMemory), FreePublicMemory: uint(cti.ulFreePublicMemory), TotalPrivateMemory: uint(cti.ulTotalPrivateMemory), FreePrivateMemory: uint(cti.ulFreePrivateMemory), HardwareVersion: toVersion(cti.hardwareVersion), FirmwareVersion: toVersion(cti.firmwareVersion), UTCTime: strings.TrimRight(string(C.GoBytes(unsafe.Pointer(&cti.utcTime[0]), 16)), " "), } return s, toError(e) } // GetMechanismList obtains a list of mechanism types supported by a token. func (c *Ctx) GetMechanismList(slotID uint) ([]*Mechanism, error) { var ( mech C.CK_ULONG_PTR // in pkcs#11 we're all CK_ULONGs \o/ mechlen C.CK_ULONG ) e := C.GetMechanismList(c.ctx, C.CK_ULONG(slotID), &mech, &mechlen) if toError(e) != nil { return nil, toError(e) } // Although the function returns only type, cast them back into real // attributes as this is used in other functions. m := make([]*Mechanism, int(mechlen)) for i, typ := range toList(mech, mechlen) { m[i] = NewMechanism(typ, nil) } return m, nil } // GetMechanismInfo obtains information about a particular // mechanism possibly supported by a token. func (c *Ctx) GetMechanismInfo(slotID uint, m []*Mechanism) (MechanismInfo, error) { var cm C.CK_MECHANISM_INFO e := C.GetMechanismInfo(c.ctx, C.CK_ULONG(slotID), C.CK_MECHANISM_TYPE(m[0].Mechanism), C.CK_MECHANISM_INFO_PTR(&cm)) mi := MechanismInfo{ MinKeySize: uint(cm.ulMinKeySize), MaxKeySize: uint(cm.ulMaxKeySize), Flags: uint(cm.flags), } return mi, toError(e) } // InitToken initializes a token. The label must be 32 characters // long, it is blank padded if it is not. If it is longer it is capped // to 32 characters. func (c *Ctx) InitToken(slotID uint, pin string, label string) error { p := C.CString(pin) defer C.free(unsafe.Pointer(p)) ll := len(label) for ll < 32 { label += " " ll++ } l := C.CString(label[:32]) defer C.free(unsafe.Pointer(l)) e := C.InitToken(c.ctx, C.CK_ULONG(slotID), p, C.CK_ULONG(len(pin)), l) return toError(e) } // InitPIN initializes the normal user's PIN. func (c *Ctx) InitPIN(sh SessionHandle, pin string) error { p := C.CString(pin) defer C.free(unsafe.Pointer(p)) e := C.InitPIN(c.ctx, C.CK_SESSION_HANDLE(sh), p, C.CK_ULONG(len(pin))) return toError(e) } // SetPIN modifies the PIN of the user who is logged in. func (c *Ctx) SetPIN(sh SessionHandle, oldpin string, newpin string) error { old := C.CString(oldpin) defer C.free(unsafe.Pointer(old)) new := C.CString(newpin) defer C.free(unsafe.Pointer(new)) e := C.SetPIN(c.ctx, C.CK_SESSION_HANDLE(sh), old, C.CK_ULONG(len(oldpin)), new, C.CK_ULONG(len(newpin))) return toError(e) } // OpenSession opens a session between an application and a token. func (c *Ctx) OpenSession(slotID uint, flags uint) (SessionHandle, error) { var s C.CK_SESSION_HANDLE e := C.OpenSession(c.ctx, C.CK_ULONG(slotID), C.CK_ULONG(flags), C.CK_SESSION_HANDLE_PTR(&s)) return SessionHandle(s), toError(e) } // CloseSession closes a session between an application and a token. func (c *Ctx) CloseSession(sh SessionHandle) error { if c.ctx == nil { return toError(CKR_CRYPTOKI_NOT_INITIALIZED) } e := C.CloseSession(c.ctx, C.CK_SESSION_HANDLE(sh)) return toError(e) } // CloseAllSessions closes all sessions with a token. func (c *Ctx) CloseAllSessions(slotID uint) error { if c.ctx == nil { return toError(CKR_CRYPTOKI_NOT_INITIALIZED) } e := C.CloseAllSessions(c.ctx, C.CK_ULONG(slotID)) return toError(e) } // GetSessionInfo obtains information about the session. func (c *Ctx) GetSessionInfo(sh SessionHandle) (SessionInfo, error) { var csi C.CK_SESSION_INFO e := C.GetSessionInfo(c.ctx, C.CK_SESSION_HANDLE(sh), &csi) s := SessionInfo{SlotID: uint(csi.slotID), State: uint(csi.state), Flags: uint(csi.flags), DeviceError: uint(csi.ulDeviceError), } return s, toError(e) } // GetOperationState obtains the state of the cryptographic operation in a session. func (c *Ctx) GetOperationState(sh SessionHandle) ([]byte, error) { var ( state C.CK_BYTE_PTR statelen C.CK_ULONG ) e := C.GetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), &state, &statelen) defer C.free(unsafe.Pointer(state)) if toError(e) != nil { return nil, toError(e) } b := C.GoBytes(unsafe.Pointer(state), C.int(statelen)) return b, nil } // SetOperationState restores the state of the cryptographic operation in a session. func (c *Ctx) SetOperationState(sh SessionHandle, state []byte, encryptKey, authKey ObjectHandle) error { e := C.SetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&state[0])), C.CK_ULONG(len(state)), C.CK_OBJECT_HANDLE(encryptKey), C.CK_OBJECT_HANDLE(authKey)) return toError(e) } // Login logs a user into a token. func (c *Ctx) Login(sh SessionHandle, userType uint, pin string) error { p := C.CString(pin) defer C.free(unsafe.Pointer(p)) e := C.Login(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_USER_TYPE(userType), p, C.CK_ULONG(len(pin))) return toError(e) } // Logout logs a user out from a token. func (c *Ctx) Logout(sh SessionHandle) error { if c.ctx == nil { return toError(CKR_CRYPTOKI_NOT_INITIALIZED) } e := C.Logout(c.ctx, C.CK_SESSION_HANDLE(sh)) return toError(e) } // CreateObject creates a new object. func (c *Ctx) CreateObject(sh SessionHandle, temp []*Attribute) (ObjectHandle, error) { var obj C.CK_OBJECT_HANDLE arena, t, tcount := cAttributeList(temp) defer arena.Free() e := C.CreateObject(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj)) e1 := toError(e) if e1 == nil { return ObjectHandle(obj), nil } return 0, e1 } // CopyObject copies an object, creating a new object for the copy. func (c *Ctx) CopyObject(sh SessionHandle, o ObjectHandle, temp []*Attribute) (ObjectHandle, error) { var obj C.CK_OBJECT_HANDLE arena, t, tcount := cAttributeList(temp) defer arena.Free() e := C.CopyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), t, tcount, C.CK_OBJECT_HANDLE_PTR(&obj)) e1 := toError(e) if e1 == nil { return ObjectHandle(obj), nil } return 0, e1 } // DestroyObject destroys an object. func (c *Ctx) DestroyObject(sh SessionHandle, oh ObjectHandle) error { e := C.DestroyObject(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh)) return toError(e) } // GetObjectSize gets the size of an object in bytes. func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) { var size C.CK_ULONG e := C.GetObjectSize(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(oh), &size) return uint(size), toError(e) } // GetAttributeValue obtains the value of one or more object attributes. func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) { // copy the attribute list and make all the values nil, so that // the C function can (allocate) fill them in pa := make([]C.CK_ATTRIBUTE, len(a)) for i := 0; i < len(a); i++ { pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type) } e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), &pa[0], C.CK_ULONG(len(a))) if err := toError(e); err != nil { return nil, err } a1 := make([]*Attribute, len(a)) for i, c := range pa { x := new(Attribute) x.Type = uint(c._type) if int(c.ulValueLen) != -1 { buf := unsafe.Pointer(C.getAttributePval(&c)) x.Value = C.GoBytes(buf, C.int(c.ulValueLen)) C.free(buf) } a1[i] = x } return a1, nil } // SetAttributeValue modifies the value of one or more object attributes func (c *Ctx) SetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) error { arena, pa, palen := cAttributeList(a) defer arena.Free() e := C.SetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), pa, palen) return toError(e) } // FindObjectsInit initializes a search for token and session // objects that match a template. func (c *Ctx) FindObjectsInit(sh SessionHandle, temp []*Attribute) error { arena, t, tcount := cAttributeList(temp) defer arena.Free() e := C.FindObjectsInit(c.ctx, C.CK_SESSION_HANDLE(sh), t, tcount) return toError(e) } // FindObjects continues a search for token and session // objects that match a template, obtaining additional object // handles. Calling the function repeatedly may yield additional results until // an empty slice is returned. // // The returned boolean value is deprecated and should be ignored. func (c *Ctx) FindObjects(sh SessionHandle, max int) ([]ObjectHandle, bool, error) { var ( objectList C.CK_OBJECT_HANDLE_PTR ulCount C.CK_ULONG ) e := C.FindObjects(c.ctx, C.CK_SESSION_HANDLE(sh), &objectList, C.CK_ULONG(max), &ulCount) if toError(e) != nil { return nil, false, toError(e) } l := toList(C.CK_ULONG_PTR(unsafe.Pointer(objectList)), ulCount) // Make again a new list of the correct type. // This is copying data, but this is not an often used function. o := make([]ObjectHandle, len(l)) for i, v := range l { o[i] = ObjectHandle(v) } return o, ulCount > C.CK_ULONG(max), nil } // FindObjectsFinal finishes a search for token and session objects. func (c *Ctx) FindObjectsFinal(sh SessionHandle) error { e := C.FindObjectsFinal(c.ctx, C.CK_SESSION_HANDLE(sh)) return toError(e) } // EncryptInit initializes an encryption operation. func (c *Ctx) EncryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.EncryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o)) return toError(e) } // Encrypt encrypts single-part data. func (c *Ctx) Encrypt(sh SessionHandle, message []byte) ([]byte, error) { var ( enc C.CK_BYTE_PTR enclen C.CK_ULONG ) e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &enc, &enclen) if toError(e) != nil { return nil, toError(e) } s := C.GoBytes(unsafe.Pointer(enc), C.int(enclen)) C.free(unsafe.Pointer(enc)) return s, nil } // EncryptUpdate continues a multiple-part encryption operation. func (c *Ctx) EncryptUpdate(sh SessionHandle, plain []byte) ([]byte, error) { var ( part C.CK_BYTE_PTR partlen C.CK_ULONG ) e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(plain), C.CK_ULONG(len(plain)), &part, &partlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(part), C.int(partlen)) C.free(unsafe.Pointer(part)) return h, nil } // EncryptFinal finishes a multiple-part encryption operation. func (c *Ctx) EncryptFinal(sh SessionHandle) ([]byte, error) { var ( enc C.CK_BYTE_PTR enclen C.CK_ULONG ) e := C.EncryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &enc, &enclen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen)) C.free(unsafe.Pointer(enc)) return h, nil } // DecryptInit initializes a decryption operation. func (c *Ctx) DecryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.DecryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o)) return toError(e) } // Decrypt decrypts encrypted data in a single part. func (c *Ctx) Decrypt(sh SessionHandle, cipher []byte) ([]byte, error) { var ( plain C.CK_BYTE_PTR plainlen C.CK_ULONG ) e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &plain, &plainlen) if toError(e) != nil { return nil, toError(e) } s := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen)) C.free(unsafe.Pointer(plain)) return s, nil } // DecryptUpdate continues a multiple-part decryption operation. func (c *Ctx) DecryptUpdate(sh SessionHandle, cipher []byte) ([]byte, error) { var ( part C.CK_BYTE_PTR partlen C.CK_ULONG ) e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(part), C.int(partlen)) C.free(unsafe.Pointer(part)) return h, nil } // DecryptFinal finishes a multiple-part decryption operation. func (c *Ctx) DecryptFinal(sh SessionHandle) ([]byte, error) { var ( plain C.CK_BYTE_PTR plainlen C.CK_ULONG ) e := C.DecryptFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &plain, &plainlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(plain), C.int(plainlen)) C.free(unsafe.Pointer(plain)) return h, nil } // DigestInit initializes a message-digesting operation. func (c *Ctx) DigestInit(sh SessionHandle, m []*Mechanism) error { arena, mech := cMechanism(m) defer arena.Free() e := C.DigestInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech) return toError(e) } // Digest digests message in a single part. func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) { var ( hash C.CK_BYTE_PTR hashlen C.CK_ULONG ) e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &hash, &hashlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen)) C.free(unsafe.Pointer(hash)) return h, nil } // DigestUpdate continues a multiple-part message-digesting operation. func (c *Ctx) DigestUpdate(sh SessionHandle, message []byte) error { e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message))) if toError(e) != nil { return toError(e) } return nil } // DigestKey continues a multi-part message-digesting // operation, by digesting the value of a secret key as part of // the data already digested. func (c *Ctx) DigestKey(sh SessionHandle, key ObjectHandle) error { e := C.DigestKey(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(key)) if toError(e) != nil { return toError(e) } return nil } // DigestFinal finishes a multiple-part message-digesting operation. func (c *Ctx) DigestFinal(sh SessionHandle) ([]byte, error) { var ( hash C.CK_BYTE_PTR hashlen C.CK_ULONG ) e := C.DigestFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &hash, &hashlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(hash), C.int(hashlen)) C.free(unsafe.Pointer(hash)) return h, nil } // SignInit initializes a signature (private key encryption) // operation, where the signature is (will be) an appendix to // the data, and plaintext cannot be recovered from the signature. func (c *Ctx) SignInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.SignInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o)) return toError(e) } // Sign signs (encrypts with private key) data in a single part, where the signature // is (will be) an appendix to the data, and plaintext cannot be recovered from the signature. func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) { var ( sig C.CK_BYTE_PTR siglen C.CK_ULONG ) e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &sig, &siglen) if toError(e) != nil { return nil, toError(e) } s := C.GoBytes(unsafe.Pointer(sig), C.int(siglen)) C.free(unsafe.Pointer(sig)) return s, nil } // SignUpdate continues a multiple-part signature operation, // where the signature is (will be) an appendix to the data, // and plaintext cannot be recovered from the signature. func (c *Ctx) SignUpdate(sh SessionHandle, message []byte) error { e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message))) return toError(e) } // SignFinal finishes a multiple-part signature operation returning the signature. func (c *Ctx) SignFinal(sh SessionHandle) ([]byte, error) { var ( sig C.CK_BYTE_PTR siglen C.CK_ULONG ) e := C.SignFinal(c.ctx, C.CK_SESSION_HANDLE(sh), &sig, &siglen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen)) C.free(unsafe.Pointer(sig)) return h, nil } // SignRecoverInit initializes a signature operation, where the data can be recovered from the signature. func (c *Ctx) SignRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.SignRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key)) return toError(e) } // SignRecover signs data in a single operation, where the data can be recovered from the signature. func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) { var ( sig C.CK_BYTE_PTR siglen C.CK_ULONG ) e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), &sig, &siglen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(sig), C.int(siglen)) C.free(unsafe.Pointer(sig)) return h, nil } // VerifyInit initializes a verification operation, where the // signature is an appendix to the data, and plaintext cannot // be recovered from the signature (e.g. DSA). func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.VerifyInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key)) return toError(e) } // Verify verifies a signature in a single-part operation, // where the signature is an appendix to the data, and plaintext // cannot be recovered from the signature. func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error { e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), cMessage(signature), C.CK_ULONG(len(signature))) return toError(e) } // VerifyUpdate continues a multiple-part verification // operation, where the signature is an appendix to the data, // and plaintext cannot be recovered from the signature. func (c *Ctx) VerifyUpdate(sh SessionHandle, part []byte) error { e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part))) return toError(e) } // VerifyFinal finishes a multiple-part verification // operation, checking the signature. func (c *Ctx) VerifyFinal(sh SessionHandle, signature []byte) error { e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature))) return toError(e) } // VerifyRecoverInit initializes a signature verification // operation, where the data is recovered from the signature. func (c *Ctx) VerifyRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error { arena, mech := cMechanism(m) defer arena.Free() e := C.VerifyRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key)) return toError(e) } // VerifyRecover verifies a signature in a single-part // operation, where the data is recovered from the signature. func (c *Ctx) VerifyRecover(sh SessionHandle, signature []byte) ([]byte, error) { var ( data C.CK_BYTE_PTR datalen C.CK_ULONG ) e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)), &data, &datalen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(data), C.int(datalen)) C.free(unsafe.Pointer(data)) return h, nil } // DigestEncryptUpdate continues a multiple-part digesting and encryption operation. func (c *Ctx) DigestEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) { var ( enc C.CK_BYTE_PTR enclen C.CK_ULONG ) e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen)) C.free(unsafe.Pointer(enc)) return h, nil } // DecryptDigestUpdate continues a multiple-part decryption and digesting operation. func (c *Ctx) DecryptDigestUpdate(sh SessionHandle, cipher []byte) ([]byte, error) { var ( part C.CK_BYTE_PTR partlen C.CK_ULONG ) e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(part), C.int(partlen)) C.free(unsafe.Pointer(part)) return h, nil } // SignEncryptUpdate continues a multiple-part signing and encryption operation. func (c *Ctx) SignEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) { var ( enc C.CK_BYTE_PTR enclen C.CK_ULONG ) e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(enc), C.int(enclen)) C.free(unsafe.Pointer(enc)) return h, nil } // DecryptVerifyUpdate continues a multiple-part decryption and verify operation. func (c *Ctx) DecryptVerifyUpdate(sh SessionHandle, cipher []byte) ([]byte, error) { var ( part C.CK_BYTE_PTR partlen C.CK_ULONG ) e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(part), C.int(partlen)) C.free(unsafe.Pointer(part)) return h, nil } // GenerateKey generates a secret key, creating a new key object. func (c *Ctx) GenerateKey(sh SessionHandle, m []*Mechanism, temp []*Attribute) (ObjectHandle, error) { var key C.CK_OBJECT_HANDLE attrarena, t, tcount := cAttributeList(temp) defer attrarena.Free() mecharena, mech := cMechanism(m) defer mecharena.Free() e := C.GenerateKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, t, tcount, C.CK_OBJECT_HANDLE_PTR(&key)) e1 := toError(e) if e1 == nil { return ObjectHandle(key), nil } return 0, e1 } // GenerateKeyPair generates a public-key/private-key pair creating new key objects. func (c *Ctx) GenerateKeyPair(sh SessionHandle, m []*Mechanism, public, private []*Attribute) (ObjectHandle, ObjectHandle, error) { var ( pubkey C.CK_OBJECT_HANDLE privkey C.CK_OBJECT_HANDLE ) pubarena, pub, pubcount := cAttributeList(public) defer pubarena.Free() privarena, priv, privcount := cAttributeList(private) defer privarena.Free() mecharena, mech := cMechanism(m) defer mecharena.Free() e := C.GenerateKeyPair(c.ctx, C.CK_SESSION_HANDLE(sh), mech, pub, pubcount, priv, privcount, C.CK_OBJECT_HANDLE_PTR(&pubkey), C.CK_OBJECT_HANDLE_PTR(&privkey)) e1 := toError(e) if e1 == nil { return ObjectHandle(pubkey), ObjectHandle(privkey), nil } return 0, 0, e1 } // WrapKey wraps (i.e., encrypts) a key. func (c *Ctx) WrapKey(sh SessionHandle, m []*Mechanism, wrappingkey, key ObjectHandle) ([]byte, error) { var ( wrappedkey C.CK_BYTE_PTR wrappedkeylen C.CK_ULONG ) arena, mech := cMechanism(m) defer arena.Free() e := C.WrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(wrappingkey), C.CK_OBJECT_HANDLE(key), &wrappedkey, &wrappedkeylen) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(wrappedkey), C.int(wrappedkeylen)) C.free(unsafe.Pointer(wrappedkey)) return h, nil } // UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHandle, wrappedkey []byte, a []*Attribute) (ObjectHandle, error) { var key C.CK_OBJECT_HANDLE attrarena, ac, aclen := cAttributeList(a) defer attrarena.Free() mecharena, mech := cMechanism(m) defer mecharena.Free() e := C.UnwrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(unwrappingkey), C.CK_BYTE_PTR(unsafe.Pointer(&wrappedkey[0])), C.CK_ULONG(len(wrappedkey)), ac, aclen, &key) return ObjectHandle(key), toError(e) } // DeriveKey derives a key from a base key, creating a new key object. func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle, a []*Attribute) (ObjectHandle, error) { var key C.CK_OBJECT_HANDLE attrarena, ac, aclen := cAttributeList(a) defer attrarena.Free() mecharena, mech := cMechanism(m) defer mecharena.Free() e := C.DeriveKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(basekey), ac, aclen, &key) return ObjectHandle(key), toError(e) } // SeedRandom mixes additional seed material into the token's // random number generator. func (c *Ctx) SeedRandom(sh SessionHandle, seed []byte) error { e := C.SeedRandom(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&seed[0])), C.CK_ULONG(len(seed))) return toError(e) } // GenerateRandom generates random data. func (c *Ctx) GenerateRandom(sh SessionHandle, length int) ([]byte, error) { var rand C.CK_BYTE_PTR e := C.GenerateRandom(c.ctx, C.CK_SESSION_HANDLE(sh), &rand, C.CK_ULONG(length)) if toError(e) != nil { return nil, toError(e) } h := C.GoBytes(unsafe.Pointer(rand), C.int(length)) C.free(unsafe.Pointer(rand)) return h, nil } // WaitForSlotEvent returns a channel which returns a slot event // (token insertion, removal, etc.) when it occurs. func (c *Ctx) WaitForSlotEvent(flags uint) chan SlotEvent { sl := make(chan SlotEvent, 1) // hold one element go c.waitForSlotEventHelper(flags, sl) return sl } func (c *Ctx) waitForSlotEventHelper(f uint, sl chan SlotEvent) { var slotID C.CK_ULONG C.WaitForSlotEvent(c.ctx, C.CK_FLAGS(f), &slotID) sl <- SlotEvent{uint(slotID)} close(sl) // TODO(miek): Sending and then closing ...? }