G'day,
Thanks to a tip from David Corcoran, I modified my p11_object.c patch
to use st.slots[slotID-1] rather than st.slots[slotID], and can confirm
that data objects can be deleted without having to modify p11x_object.c:
$ ./p11-delete-data-object-test --module
/usr/local/lib/libmusclepkcs11.so --slot 1 --pin 00000000
## Loading module: /usr/local/lib/libmusclepkcs11.so ...ok
## Opening session for slot = 01 ... ok
## Performing login with PIN '00000000' .... ok
## Creating data object ... ok (handle = 0x804C290)
## Deleting object 0x804C290 ... ok
## Searching for data object ... ok (no objects found)
Test successful
## Finalizing ... ok
(I'm sure there's a documented reason for always having a slot number
that must be decremented before use, but it eludes me)
Attached is the patch, against version 1.23 of p11_object.c as found in
muscleframework-1.1.5.
I have not tested this patch against key or certificate objects. I
*think* (based on perusal of the code) that certificate objects will be
deleted, but I have not handled deletion of key objects (this is marked
as a TODO). I have also assumed that failure to delete an object on the
card does not prevent freeing up the memory of that object.
-- Geoff
--- /tmp/muscleframework-1.1.5/libmusclepkcs11/src/p11_object.c 2003-10-04 18:30:18.000000000 +1000
+++ src/p11_object.c 2005-05-26 15:10:23.000000000 +1000
@@ -11,6 +11,7 @@
******************************************************************************/
#include "cryptoki.h"
+#include <assert.h>
/* C_CreateObject creates a new object. */
CK_DEFINE_FUNCTION(CK_RV, C_CreateObject)
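Review bot: Only `<assert.h>` is added here, yet the C_DestroyObject hunk further down also calls `strncpy` and `tolower`. Unless `cryptoki.h` already pulls those declarations in (not visible in this patch), add `#include <string.h>` and `#include <ctype.h>` next to it so the calls are not implicitly declared.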
@@ -235,6 +236,7 @@
{
CK_RV rv = CKR_OK;
P11_Session *session; // = (P11_Session *)hSession;
+ P11_Object *object;
P11_LOG_START("C_DestroyObject");
@@ -246,7 +248,69 @@
goto finish;
}
+ /* Check that the object handle is valid */
+ if (hObject == CK_INVALID_HANDLE) {
+ rv = CKR_OBJECT_HANDLE_INVALID;
+ goto finish;
+ }
+
log_Log(LOG_LOW, "Object handle: %lX", hObject);
+
+ /* Delete the MSC object(s) representing the PKCS#11 object */
+ object = (P11_Object *) hObject;
+ assert (object != NULL);
+
+ if (object->msc_obj)
+ {
+ char obj_id[MSC_MAXSIZE_OBJID];
+ P11_Slot *slot;
+
+ /* Get the slot from the slotID. */
+ /* TODO why is slotID always one greater that actual value? */
+ assert(session->session.slotID >= 1);
+ slot = &st.slots[session->session.slotID-1];
+
+ /*
+ * The PKCS#11 object is stored under two MSC object IDs. The
+ * first MSC object contains the value of the CKA_VALUE attribute,
+ * and has an ID such as "O0". The second MSC object contains the
+ * values of the remaining PKCS#11 data object attributes (such
+ * as CKA_APPLICATION, CKA_LABEL, etc) and has an ID such as
+ * "o0" (that is, the ID of the first object, with the initial
+ * letter converted to lower case).
+ *
+ * TODO does this work for certificate objects too?
+ */
+
+ /* Get a copy of the object ID */
+ strncpy((char *) obj_id, object->msc_obj->objectID, sizeof (obj_id));
+
+ /* Delete the first MSC object (ie, the CKA_VALUE). If this fails,
+ then still delete the next object */
+ log_Log(LOG_LOW, "Deleting object with ID '%s' (CKA_VALUE)",
+ (char *) obj_id);
+ if (MSC_ERROR(msc_DeleteObject(&slot->conn, obj_id, 0))) {
+ log_Log(LOG_LOW, "DeleteObject failed for ID '%s'", obj_id);
+ rv = CKR_FUNCTION_FAILED;
+ /* ... fallthrough ... */
+ }
+
+ /* Delete the second MSC object (ie, the other attributes). If
+ this fails, then still free the memory */
+ obj_id[0] = tolower(obj_id[0]);
+ log_Log(LOG_LOW, "Deleting object with ID '%s' (other attributes)",
+ (char *) obj_id);
+ if (MSC_ERROR(msc_DeleteObject(&slot->conn, obj_id, 0))) {
+ log_Log(LOG_LOW, "DeleteObject failed for ID '%s'", obj_id);
+ rv = CKR_FUNCTION_FAILED;
+ /* ... fallthrough ... */
+ }
+ }
+ else if (object->msc_key)
+ {
+ /* TODO delete MSC object(s) representing the key */
+ }
+
object_FreeObject(session->session.slotID, (P11_Object *)hObject);
finish:
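Review bot: The two `assert()` calls and the `strncpy` in the `object->msc_obj` branch are not safe run-time guards. An assert either aborts the host application or is compiled out under NDEBUG, after which a `slotID` of 0 indexes `st.slots[-1]`; and `strncpy(..., sizeof (obj_id))` leaves `obj_id` unterminated if the ID fills the buffer, so the `%s` logging and `msc_DeleteObject` would read past it. Use checks that set `rv` and `goto finish`, terminate the copy explicitly, and also bound the slot index from above using whatever holds the slot count (not visible here). Separately, `hObject` is an application-supplied value that is cast and dereferenced without being checked against the session's known objects; the existing `object_FreeObject` call already casts it, but the new `object->msc_obj` read adds another dereference, and the object is freed even when a card delete fails or the key branch does nothing, which deserves a comment. C_DestroyObject starts and ends outside this hunk.

```c
    object = (P11_Object *) hObject;
    /* … unchanged: if (object->msc_obj) { and its local declarations … */
        /* Run-time check: assert() vanishes under NDEBUG and would abort the caller otherwise */
        if (session->session.slotID < 1) {
            rv = CKR_GENERAL_ERROR;
            goto finish;
        }
        slot = &st.slots[session->session.slotID-1];
        /* … unchanged: comment describing the two MSC object IDs … */
        /* Bounded copy that always leaves obj_id NUL-terminated */
        strncpy(obj_id, object->msc_obj->objectID, sizeof (obj_id) - 1);
        obj_id[sizeof (obj_id) - 1] = '\0';
        /* … unchanged: first msc_DeleteObject call and its logging … */
        obj_id[0] = (char) tolower((unsigned char) obj_id[0]);
```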