Bumped secrecy crate from 0.8.0 to 0.10.3

- Modified cryptoki/Cargo.toml to bump version.
- Added INSTALL_NOTES.md to start capturing installation notes for specific development environments.
- Changed deprecated SecretVec<u8> to SecretBox<Vec<u8>>.
- Grammar fixes.

Signed-off-by: Todd Decker <ptdecker@mac.com>

Author: ptdecker

.gitignore

@@ -4,4 +4,10 @@
 *DS_Store
 *.patch
 *NVChip
+
+#IDEs
 .vscode
+.idea
+
+#build artifacts
+cryptoki-sys/pkcs11-precompile.h

Cargo.lock

@@ -0,0 +1,100 @@
+# Installation Notes
+
+Some rough notes for installing Cryptoki and the requisite SoftHSMv2 for testing
+
+## MacOS Installation of Cryptoki crate and SoftHSMv2 for testing purposes
+
+Below is a rough guide to the installation flow for Cryptoki and for the required SoftHSMv2 dependency to support the
+execution of the Cryptoki test suite where Homebrew is used as the package manager. These are rough notes developed
+on macOS Sequoia 15.5 with Homebrew 4.5.6 on a Macbook M1 Pro with a bash shell
+(version 5.2.37(1)-release (aarch64-apple-darwin24.2.0)).
+
+## SoftHSMv2 Installation
+
+SoftHSMv2 is required for Cryptoki test suite execution.  Below are the rough steps required to install, build, and
+check SoftHWMv2 on macOS using Homebrew. Some hoops were jumped through to manually disable DES tests which were causing
+issue. The result was a clean make check excepting some PKCS#11 DES check failures.
+
+> *NOTE* The `--pin` and `--so-pin` values are hard coded in the Cryptoki test suite to the values used below.
+
+```bash
+$ cd ~/code
+$ gh repo clone softhsm/SoftHSMv2
+$ brew install automake cppunit
+$ brew reinstall autoconf automake
+$ export CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -I/opt/homebrew/opt/cppunit/include"
+$ export LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib -L/opt/homebrew/opt/cppunit/lib"
+$ mkdir -p ~/softhsm2/tokens
+$ echo "directories.tokendir = $HOME/softhsm2/tokens" > ~/softhsm2/softhsm2.conf
+$ export SOFTHSM2_CONF=$HOME/softhsm2/softhsm2.conf
+$ ./src/bin/util/softhsm2-util --init-token --slot 0 --label "TestToken" --so-pin abcdef --pin fedcba --module ./src/lib/.libs/libsofthsm2.so
+$ vi openssl.cnf
+```
+
+Create an openssl.cnf file with the following contents:
+
+```ini
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+```
+
+Continuing...
+
+```bash
+$ export OPENSSL_CONF=/full/path/to/openssl.cnf
+$ make distclean
+$ cd src/lib/crypto/test
+$ mv DESTests.cpp DESTests.cpp.disabled
+$ vi Makefile.am
+```
+
+Remove the DESTests.cpp line.
+
+Continuing...
+
+```bash
+$ cd -
+$ autoreconf -fvi
+$ ./autogen.sh
+$ ./configure --with-crypto-backend=openssl --enable-des
+$ make clean
+$ make -j$(sysctl -n hw.ncpu)
+$ make check
+```
+
+## Cryptoki Installation, Build, and Test
+
+```bash
+$ cd ~/code
+$ gh repo clone parallaxsecond/rust-cryptoki
+$ cd rust-cryptoki/
+$ export TEST_PKCS11_MODULE=~/code/SoftHSMv2/src/lib/.libs/libsofthsm2.so
+$ cargo build
+$ cargo test
+```
+
+## Resetting the SoftHSMv2 Configuration
+
+If you need to reset the SoftHSM configuration (like to change a pin, slot, etc.) you can:
+
+```bash
+$ rm -rf $HOME/softhsm2/
+$ echo "directories.tokendir = $HOME/softhsm2/tokens" > $HOME/softhsm2/softhsm2.conf
+$ export SOFTHSM2_CONF=$HOME/softhsm2/softhsm2.conf
+$ rm -rf $HOME/softhsm2/tokens
+$ mkdir -p $HOME/softhsm2/tokens
+$ ./src/bin/util/softhsm2-util --show-slots --module ./src/lib/.libs/libsofthsm2.so
+$ ./src/bin/util/softhsm2-util --init-token --slot 0 --label "TestToken" --so-pin abcdef --pin fedcba --module ./src/lib/.libs/libsofthsm2.so
+```

INSTALL_NOTES.md

@@ -18,7 +18,7 @@ libloading = "0.8.6"
 log = "0.4.14"
 cryptoki-sys = { path = "../cryptoki-sys", version = "0.4.0" }
 paste = "1.0.6"
-secrecy = "0.8.0"
+secrecy = "0.10.3"
 
 [dev-dependencies]
 num-traits = "0.2.14"

cryptoki/Cargo.toml

@@ -62,8 +62,8 @@ impl Session {
     }
 
     /// Logs a session in using a slice of raw bytes as a PIN. Some dongle drivers allow
-    /// non UTF-8 characters in the PIN and as a result, we aren't guaranteed that we can
-    /// pass in a UTF-8 string to login. Therefore, it's useful to be able to pass in raw bytes
+    /// non UTF-8 characters in the PIN and, as a result, we aren't guaranteed that we can
+    /// pass in a UTF-8 string to `login`. Therefore, it's useful to be able to pass in raw bytes
     /// rather than convert a UTF-8 string to bytes.
     ///
     /// # Arguments

cryptoki/src/session/session_management.rs

@@ -4,8 +4,7 @@
 
 use crate::error::{Error, Result};
 use cryptoki_sys::*;
-use secrecy::SecretString;
-use secrecy::SecretVec;
+use secrecy::{SecretBox, SecretString};
 use std::convert::TryFrom;
 use std::convert::TryInto;
 use std::fmt::Formatter;
@@ -29,7 +28,7 @@ impl Date {
     ///
     /// # Errors
     ///
-    /// If the lengths are invalid a `Error::InvalidValue` will be returned
+    /// If the lengths are invalid, an `Error::InvalidValue` will be returned
     pub fn new_from_str_slice(year: &str, month: &str, day: &str) -> Result<Self> {
         if year.len() != 4 || month.len() != 2 || day.len() != 2 {
             Err(Error::InvalidValue)
@@ -222,22 +221,22 @@ impl From<CK_VERSION> for Version {
 /// A UTC datetime returned by a token's clock if present.
 #[derive(Copy, Clone, Debug)]
 pub struct UtcTime {
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=9999
     pub year: u16,
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=99
     pub month: u8,
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=99
     pub day: u8,
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=99
     pub hour: u8,
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=99
     pub minute: u8,
-    /// **[Conformance](crate#conformance-notes):**
+    /// **[Conformance](crate#conformance-notes): **
     /// Guaranteed to be in range 0..=99
     pub second: u8,
 }
@@ -248,7 +247,7 @@ impl UtcTime {
     /// PKCS#11 and ISO are unrelated standards, and this function is provided
     /// only for convenience. ISO format is more widely recognized and parsable
     /// by various date/time utilities, while PKCS#11's internal representation
-    /// of this type is is not used elsewhere.
+    /// of this type is not used elsewhere.
     /// Other than formatting, this crate does not guarantee or enforce any part
     /// of the ISO standard.
     pub fn as_iso8601_string(&self) -> String {
@@ -281,7 +280,7 @@ pub type AuthPin = SecretString;
 /// Secret wrapper for a raw non UTF-8 Pin
 ///
 /// Enable the `serde` feature to add support for Deserialize
-pub type RawAuthPin = SecretVec<u8>;
+pub type RawAuthPin = SecretBox<Vec<u8>>;
 
 #[cfg(test)]
 mod test {