From 41bc63d2ee629610de41c793e1eb00e1571d38d4 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Mon, 24 Oct 2016 17:57:35 -0400
Subject: Flesh out key object access control.

This is more complicated than I'd have liked, because the PKCS #11 semantics are (much) more complicated than just "are you logged in?" New code passes basic testing with libhal.py and the PKCS #11 unit tests, but there are still unexplored corner cases to be checked. Private token objects remain simple. Code which does not need PKCS HAL_KEY_FLAG_TOKEN and avoid HAL_KEY_FLAG_PUBLIC.
---
 libhal.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'libhal.py')

diff --git a/libhal.py b/libhal.py
index 8334f12..c35a51a 100644
--- a/libhal.py
+++ b/libhal.py
@@ -224,7 +224,7 @@ HAL_KEY_FLAG_USAGE_DIGITALSIGNATURE = (1 << 0)
 HAL_KEY_FLAG_USAGE_KEYENCIPHERMENT = (1 << 1)
 HAL_KEY_FLAG_USAGE_DATAENCIPHERMENT = (1 << 2)
 HAL_KEY_FLAG_TOKEN = (1 << 3)
-
+HAL_KEY_FLAG_PUBLIC = (1 << 4)
 
 
 class Attribute(object):
@@ -590,10 +590,17 @@ class HSM(object):
 
 
 if __name__ == "__main__":
+    import argparse
+
     def hexstr(s):
         return "".join("{:02x}".format(ord(c)) for c in s)
 
-    hsm = HSM()
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--device", default = os.getenv("CRYPTECH_RPC_CLIENT_SERIAL_DEVICE", "/dev/ttyUSB0"))
+    parser.add_argument("--pin", default = "fnord")
+    args = parser.parse_args()
+
+    hsm = HSM(device = args.device)
 
     print "Version:", hex(hsm.get_version())
 
@@ -607,6 +614,10 @@ if __name__ == "__main__":
     h.update("Hi, Dad")
     print "HMAC:", hexstr(h.finalize())
 
+    print "Logging in"
+    hsm.login(HAL_USER_NORMAL, args.pin)
+
+    print "Generating key"
     k = hsm.pkey_generate_ec(HAL_CURVE_P256)
     print "PKey: {0.uuid} {0.key_type} {0.key_flags} {1}".format(k, hexstr(k.public_key))
     hsm.pkey_close(k)
@@ -621,3 +632,5 @@ if __name__ == "__main__":
 
     k = hsm.pkey_find(k.uuid)
     hsm.pkey_delete(k)
+
+    hsm.logout()
-- 
cgit v1.2.3
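Review bot: HAL_KEY_FLAG_PUBLIC is added in the first hunk without any comment, although the commit message says this flag is the complicated part (PKCS #11 object visibility rather than plain "are you logged in?") and that code which does not need PKCS #11 semantics should set HAL_KEY_FLAG_TOKEN and avoid this flag. Keeping that guidance next to the constant would help callers pick the right flags, e.g. `HAL_KEY_FLAG_PUBLIC = (1 << 4)   # PKCS #11 public-object semantics; callers without PKCS #11 needs should set only HAL_KEY_FLAG_TOKEN`. It would also be worth stating whether the access-control decision is enforced by the HSM or only interpreted on the client side, which this file alone does not show.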
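Review bot: In the second hunk, `parser.add_argument("--pin", default = "fnord")` bakes a PIN into the script and takes the real one on the command line, where it is visible in the process table and shell history. Since the PIN is only consumed by the login call in the next hunk, consider `parser.add_argument("--pin", default = None)` and, when it is absent, prompting with `getpass.getpass("PIN: ")` (with a function-scope `import getpass` next to `import argparse`), or reading it from an environment variable the way `--device` does. The new `os.getenv` call also assumes `os` is already imported at file level, which this hunk does not show, so that is worth confirming. The `if __name__ == "__main__":` block continues past the end of the hunk.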
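Review bot: In the third hunk, `hsm.login(HAL_USER_NORMAL, args.pin)` has no guaranteed matching logout: the `hsm.logout()` added in the final hunk only runs if every call in between succeeds, so an exception from pkey_generate_ec, pkey_find or pkey_delete leaves the HSM session logged in after the script exits. Inserting `try:` after the login line, indenting the remaining statements one level, and finishing with `finally:` / `hsm.logout()` would close the session on every path; the same point applies to the final hunk where logout is added. The enclosing `if __name__ == "__main__":` block starts before this hunk and ends in the final one.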