Add Encapsulation/Decapsulation operation

Jakuje · Jakuje · commit 81428718502a · 2025-07-08T12:22:45.000+02:00
Signed-off-by: Jakub Jelen &lt;jjelen@redhat.com&gt;
diff --git a/cryptoki/src/mechanism/mechanism_info.rs b/cryptoki/src/mechanism/mechanism_info.rs
@@ -32,6 +32,8 @@ bitflags! {
         const MESSAGE_ENCRYPT = CKF_MESSAGE_ENCRYPT;
         const MESSAGE_DECRYPT = CKF_MESSAGE_DECRYPT;
         const MULTI_MESSAGE = CKF_MULTI_MESSAGE;
+        const ENCAPSULATE = CKF_ENCAPSULATE;
+        const DECAPSULATE = CKF_DECAPSULATE;
     }
 }
 
@@ -252,6 +254,18 @@ impl MechanismInfo {
     pub fn multi_message(&self) -> bool {
         self.flags.contains(MechanismInfoFlags::MULTI_MESSAGE)
     }
+
+    /// True if the mechanism can be used to encapsulate other keys
+    ///
+    pub fn encapsulate(&self) -> bool {
+        self.flags.contains(MechanismInfoFlags::ENCAPSULATE)
+    }
+
+    /// True if the mechanism can be used to decapsulate other keys
+    ///
+    pub fn decapsulate(&self) -> bool {
+        self.flags.contains(MechanismInfoFlags::DECAPSULATE)
+    }
 }
 
 impl std::fmt::Display for MechanismInfo {
@@ -294,7 +308,7 @@ HW | ENCRYPT | DECRYPT | DIGEST | SIGN | SIGN_RECOVER | VERIFY | \
 VERIFY_RECOVER | GENERATE | GENERATE_KEY_PAIR | WRAP | UNWRAP | DERIVE | \
 EXTENSION | EC_F_P | EC_F_2M | EC_ECPARAMETERS | EC_NAMEDCURVE | \
 EC_OID | EC_UNCOMPRESS | EC_COMPRESS | MESSAGE_ENCRYPT | MESSAGE_DECRYPT | \
-MULTI_MESSAGE";
+MULTI_MESSAGE | ENCAPSULATE | DECAPSULATE";
         let all = MechanismInfoFlags::all();
         let observed = format!("{all:#?}");
         println!("{observed}");
diff --git a/cryptoki/src/session/encapsulation.rs b/cryptoki/src/session/encapsulation.rs
@@ -0,0 +1,90 @@
+// Copyright 2025 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! Encapsulating/decapsulating data
+
+use crate::context::Function;
+use crate::error::{Result, Rv};
+use crate::mechanism::Mechanism;
+use crate::object::{Attribute, ObjectHandle};
+use crate::session::Session;
+use cryptoki_sys::*;
+use std::convert::TryInto;
+
+impl Session {
+    /// Encapsulate key
+    pub fn encapsulate_key(
+        &self,
+        mechanism: &Mechanism,
+        publickey: ObjectHandle,
+        template: &[Attribute],
+    ) -> Result<(Vec<u8>, ObjectHandle)> {
+        let mut mechanism: CK_MECHANISM = mechanism.into();
+        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
+        let mut encapsulated_len = 0;
+        let mut handle = 0;
+
+        // Get the output buffer length
+        unsafe {
+            Rv::from(get_pkcs11!(self.client(), C_EncapsulateKey)(
+                self.handle(),
+                &mut mechanism as CK_MECHANISM_PTR,
+                publickey.handle(),
+                template.as_mut_ptr(),
+                template.len().try_into()?,
+                std::ptr::null_mut(),
+                &mut encapsulated_len,
+                &mut handle,
+            ))
+            .into_result(Function::EncapsulateKey)?;
+        }
+
+        let mut encapsulated = vec![0; encapsulated_len.try_into()?];
+
+        unsafe {
+            Rv::from(get_pkcs11!(self.client(), C_EncapsulateKey)(
+                self.handle(),
+                &mut mechanism as CK_MECHANISM_PTR,
+                publickey.handle(),
+                template.as_mut_ptr(),
+                template.len().try_into()?,
+                encapsulated.as_mut_ptr(),
+                &mut encapsulated_len,
+                &mut handle,
+            ))
+            .into_result(Function::EncapsulateKey)?;
+        }
+
+        encapsulated.resize(encapsulated_len.try_into()?, 0);
+
+        Ok((encapsulated, ObjectHandle::new(handle)))
+    }
+
+    /// Decapsulate key
+    pub fn decapsulate_key(
+        &self,
+        mechanism: &Mechanism,
+        privatekey: ObjectHandle,
+        template: &[Attribute],
+        ciphertext: &[u8],
+    ) -> Result<ObjectHandle> {
+        let mut mechanism: CK_MECHANISM = mechanism.into();
+        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
+        let mut handle = 0;
+
+        unsafe {
+            Rv::from(get_pkcs11!(self.client(), C_DecapsulateKey)(
+                self.handle(),
+                &mut mechanism as CK_MECHANISM_PTR,
+                privatekey.handle(),
+                template.as_mut_ptr(),
+                template.len().try_into()?,
+                ciphertext.as_ptr() as *mut u8,
+                ciphertext.len().try_into()?,
+                &mut handle,
+            ))
+            .into_result(Function::DecapsulateKey)?;
+        }
+
+        Ok(ObjectHandle::new(handle))
+    }
+}
diff --git a/cryptoki/src/session/mod.rs b/cryptoki/src/session/mod.rs
@@ -10,6 +10,7 @@ use std::marker::PhantomData;
 
 mod decryption;
 mod digesting;
+mod encapsulation;
 mod encryption;
 mod key_management;
 mod message_decryption;
