Add PKCS#11 3.2 bindings + plug them into the cryptoki #264
Conversation
|
Oh, lovely! The CI does not like the generated binding as it is too complex. Who would say it for a function with 10 arguments: Is this something we should fix in the generated bindings or open an issue for the bindgen? Not sure if this is a new issue with the new bindgen, but more likely the issue of the new PKCS#11 API having that insane number of arguments .... |
|
Hmm fortunately this is just a clippy issue. I guess suppressing it somewhere would be an okayish workaround. (maybe in lib.rs of -sys?) I'd still report it to bindgen. This may improve their code generation or at least make them consider adding the lint suppression in the generated code. |
|
Thanks for the pointer! I see the lib.rs has already some more warnings ignored. I am not sure if there is some way how to improve the code generation to avoid this. I can think of using some temporary named type for the function, but I think it just moves the problem one more function argument away. I think this is inherent issue of the PKCS#11 specification, introducing this complex functions. |
FWIW I didn't mean that. Slapping the lint suppression there is sufficient enough for me. |
|
Kryoptic tests now fail as there are few bugs in the last release that were already fixed in main. I think this is already good for first reviews, but I would probably wait for the pkcs11 3.2 to get released officially and I will likely implement also the SLH-DSA (they look quite simple and similar to the ML-DSA, but I do not have an implementation to test against yet). |
|
Feel free to ping us when you want us to review this again! |
|
I think this should be ready for reviews! Rebased and updated links to the final headers. |
|
I found a small issue. When I ask for an I think the patch introduces |
Yeah, I was aware of this issue, but I am not sure how this could be easily handled given that this attribute has different values for different key types. Any thoughts? I think it would require some logic in the GetAttributeValue mapping the type to the correct aliased "subtype" based on the key type, but I really did not look into that yet. |
|
I think the aliasing is most surprising. The Rust model is a refinement of the interface model, i.e. it is more expressive. I think that is a mistake at this point. It is also surprising for people coming from the PKCS#11 spec. Instead, I think we should offer explicit conversion functions from |
| let (p_context, ul_context_len) = match context { | ||
| Some(c) => ( | ||
| c.as_ptr() as *mut _, | ||
| c.len().try_into().expect("usize can not fit in CK_ULONG"), | ||
| ), | ||
| None => (null_mut(), 0), | ||
| }; |
There was a problem hiding this comment.
| let (p_context, ul_context_len) = match context { | |
| Some(c) => ( | |
| c.as_ptr() as *mut _, | |
| c.len().try_into().expect("usize can not fit in CK_ULONG"), | |
| ), | |
| None => (null_mut(), 0), | |
| }; | |
| let (p_context, ul_context_len) = if let Some(c) = context { | |
| (c.as_ptr() as *mut _, | |
| c.len().try_into().expect("usize can not fit in CK_ULONG")), | |
| } else { | |
| (null_mut(), 0), | |
| }; | |
| }; |
I tend to avoid matches which then destructure into Some/None as I think if let is more readable... but it's not a blocker :)
| @@ -16,6 +16,7 @@ fn get_pkcs11_path() -> String { | |||
| .unwrap_or_else(|_| "/usr/local/lib/softhsm/libsofthsm2.so".to_string()) | |||
| } | |||
|
|
|||
| #[allow(dead_code)] | |||
There was a problem hiding this comment.
warning: function `is_softhsm` is never used
--> cryptoki/tests/common/mod.rs:19:8
|
19 | pub fn is_softhsm() -> bool {
| ^^^^^^^^^^
|
= note: `#[warn(dead_code)]` on by default
warning: `cryptoki` (test "ml_kem") generated 1 warning
warning: `cryptoki` (test "ml_dsa") generated 1 warning (1 duplicate)
I did some restructure of the tests and this reports failure for the two now (mlkem and mldsa) as they do not use this public function.
I think the whole test structure can be improved as now it builds separate test binaries, which is not very effective.
So as a after-thought I think we should really have one test binary and source code split to separate files, probably something similar as we have in kryoptic (but that lives under src/tests, which I understand is not a standard place to push tests according to rust.
There was a problem hiding this comment.
which is not very effective.
Oh yeah, this is definitely an annoying aspect of cargo test and part of the reason why in other projects we're instead using cargo nextest run instead of bare cargo test.
Jakuje
force-pushed
the
pkcs11-3.2
branch
4 times, most recently
from
38fc896 to
31b8bdc
Compare
|
I still want to resolve the |
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
this requires the new version of proc-macro2 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
One of the new functions in PKCS#11 3.2 have 10(!) arguments, which goes
over the threshold of what clippy considers reasonable. But given that
we need to be compatible with this API, there is no other reasonable way
to tackle this than to ignore the warning/error.
error: very complex type used. Consider factoring parts into `type` definitions
--> /home/runner/work/rust-cryptoki/rust-cryptoki/cryptoki-sys/src/bindings/x86_64-unknown-linux-gnu.rs:6801:35
|
6801 | pub C_UnwrapKeyAuthenticated: Result<
| ___________________________________^
6802 | | unsafe extern "C" fn(
6803 | | arg1: CK_SESSION_HANDLE,
6804 | | arg2: *mut CK_MECHANISM,
... |
6814 | | ::libloading::Error,
6815 | | >,
| |_____^
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
... which is no longer basic after having 2000+ lines Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
This is needed for multiplart ML-DSA signature verifications Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
@teythoon I did rehash the |
|
Yes, that was what I had in mind. But, I remember Simo suggesting to keep the aliases, always make sure to request the key type as well, and when wrapping the response in Rust types, convert the generic parameter set response to a specific one based on the reported key type. If that is feasible to implement, that'd be most convenient for the downstream users. |
I guess I will have to think about that a bit more (and will probably not get back to that before I will get back from holiday). It will either have to be some ad-hoc change in the C_GetAttribute to do both of the pulling of the key type and converting the parameter set to the key-specific one. Or some new more generic logic to do this. But as far as I know the ParameterSet of the three new PQC algorithms is the only one so the ad-hoc solution might be enough. |
The PKCS#11 3.2 headers are available and considered final:
https://github.com/latchset/pkcs11-headers/tree/main/public-domain/3.2
This pulls the new headers, regenerates bindings and adjusts the initialization so they can be used.
I took also the chance to update bindgen to 0.71.1 once we generate new binding version