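// getPrivateKey looks up the private key object whose CKA_LABEL equals label
// in the given session and returns its object handle.
//
// module is the PKCS#11 context the lookup runs against (presumably a wrapper
// around the module already held by ps; the ctx interface is declared
// elsewhere in this package). session must be an open session on the token
// that holds the key.
//
// The search deliberately asks the module for up to two objects: a label that
// matches more than one private key is ambiguous, and silently taking the
// first match could select the wrong key. That case is therefore reported as
// an error instead of being resolved by whatever order the token returns.
//
// Side effect: when the key carries CKA_ALWAYS_AUTHENTICATE = true,
// ps.alwaysAuthenticate is set to true (it is never reset here). Per the
// PKCS#11 spec such keys require a fresh login before each private-key
// operation; how callers act on the flag is outside this function.
//
// Returns the zero handle together with a non-nil error when the key is not
// found, the label is ambiguous, or the module reports an error.
func (ps *Key) getPrivateKey(module ctx, session pkcs11.SessionHandle, label string) (pkcs11.ObjectHandle, error) {
	var noHandle pkcs11.ObjectHandle
	template := []*pkcs11.Attribute{
		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
		pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
	}
	if err := module.FindObjectsInit(session, template); err != nil {
		return noHandle, err
	}
	objs, _, err := module.FindObjects(session, 2)
	if err != nil {
		// A search is still active on the session after a failed FindObjects;
		// terminate it so a later FindObjectsInit on the same session is not
		// rejected. The FindObjects error is the one worth reporting, so the
		// result of this best-effort cleanup is intentionally dropped.
		_ = module.FindObjectsFinal(session)
		return noHandle, err
	}
	if err = module.FindObjectsFinal(session); err != nil {
		return noHandle, err
	}
	switch len(objs) {
	case 0:
		return noHandle, fmt.Errorf("private key not found")
	case 1:
		// Exactly one match: this is the key we want.
	default:
		// Two objects came back, so the label does not identify a single key.
		return noHandle, fmt.Errorf("multiple private keys found with label %q", label)
	}
	privateKeyHandle := objs[0]

	// Ask whether the key has the CKA_ALWAYS_AUTHENTICATE attribute. If it
	// does, remember that in ps.alwaysAuthenticate so that each private-key
	// operation can be preceded by the re-authentication the token demands.
	attributes, err := module.GetAttributeValue(session, privateKeyHandle, []*pkcs11.Attribute{
		pkcs11.NewAttribute(pkcs11.CKA_ALWAYS_AUTHENTICATE, false),
	})
	// The PKCS#11 spec states that C_GetAttributeValue may return
	// CKR_ATTRIBUTE_TYPE_INVALID if an object simply does not possess a given
	// attribute. We don't consider that an error: a key without
	// CKA_ALWAYS_AUTHENTICATE is just fine and the flag stays untouched.
	// pkcs11.Error is a plain value type, so direct comparison is the
	// intended way to test for a specific return code.
	if err == pkcs11.Error(pkcs11.CKR_ATTRIBUTE_TYPE_INVALID) {
		return privateKeyHandle, nil
	}
	if err != nil {
		return noHandle, err
	}
	for _, attribute := range attributes {
		// A CK_BBOOL attribute value is a single byte; 1 means CK_TRUE.
		if len(attribute.Value) > 0 && attribute.Value[0] == 1 {
			ps.alwaysAuthenticate = true
		}
	}
	return privateKeyHandle, nil
}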
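// openSession finds the slot whose token label equals ps.tokenLabel, opens a
// serial session (CKF_SERIAL_SESSION) on it and logs that session in as
// CKU_USER with ps.pin.
//
// Slots are scanned in the order ps.module.GetSlotList(true) returns them
// (presumably only slots with a token present) and the first label match
// wins. A GetTokenInfo failure on any slot aborts the scan instead of
// skipping that slot.
//
// CKR_USER_ALREADY_LOGGED_IN from Login is treated as success: logged-in
// status is application-wide rather than per session, and in practice it
// appears to be okay to log in to a token multiple times with the same
// credentials. Any other login failure closes the just-opened session
// before the error is returned, so no session handle leaks to the caller.
//
// Returns the zero session handle with a non-nil error when no slot matches
// ps.tokenLabel or when the module reports an error at any step.
func (ps *Key) openSession() (pkcs11.SessionHandle, error) {
	var noSession pkcs11.SessionHandle
	slots, err := ps.module.GetSlotList(true)
	if err != nil {
		return noSession, err
	}
	for _, slot := range slots {
		// Only the slot whose token carries our label is of interest.
		tokenInfo, err := ps.module.GetTokenInfo(slot)
		if err != nil {
			return noSession, err
		}
		if tokenInfo.Label != ps.tokenLabel {
			continue
		}

		session, err := ps.module.OpenSession(slot, pkcs11.CKF_SERIAL_SESSION)
		if err != nil {
			// A handle returned alongside an error is meaningless; hand back
			// the zero value so callers cannot accidentally use it.
			return noSession, err
		}

		// Login. Logged-in status is application-wide, not per session, but
		// the token reporting that we are already logged in is fine.
		if err = ps.module.Login(session, pkcs11.CKU_USER, ps.pin); err != nil {
			if err != pkcs11.Error(pkcs11.CKR_USER_ALREADY_LOGGED_IN) {
				// Best-effort cleanup: the login error is the one worth
				// reporting, so a CloseSession failure is intentionally dropped.
				_ = ps.module.CloseSession(session)
				return noSession, err
			}
		}
		return session, nil
	}
	return noSession, fmt.Errorf("No slot found matching token label '%s'", ps.tokenLabel)
}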