https-github-com-bit
diff --git a/‎cmd/ceremony/cert.go‎
Lines changed: 8 additions & 11 deletions b/‎cmd/ceremony/cert.go‎
Lines changed: 8 additions & 11 deletions
diff --git a/‎cmd/ceremony/cert_test.go‎
Lines changed: 25 additions & 27 deletions b/‎cmd/ceremony/cert_test.go‎
Lines changed: 25 additions & 27 deletions
diff --git a/‎cmd/ceremony/ecdsa.go‎
Lines changed: 10 additions & 11 deletions b/‎cmd/ceremony/ecdsa.go‎
Lines changed: 10 additions & 11 deletions
@@ -317,9 +317,7 @@ func (fr *failReader) Read([]byte) (int, error) {
 // PKCS#11 ECDSA signature format and the RFC 5480 one which is required
 // for X.509 certificates
 type x509Signer struct {
-	ctx pkcs11helpers.PKCtx
-
-	session      pkcs11.SessionHandle
+	session      *pkcs11helpers.Session
 	objectHandle pkcs11.ObjectHandle
 	keyType      pkcs11helpers.KeyType
 
@@ -330,7 +328,7 @@ type x509Signer struct {
 // is converted from the PKCS#11 format to the RFC 5480 format. For RSA keys a
 // conversion step is not needed.
 func (p *x509Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
-	signature, err := pkcs11helpers.Sign(p.ctx, p.session, p.objectHandle, p.keyType, digest, opts.HashFunc())
+	signature, err := p.session.Sign(p.objectHandle, p.keyType, digest, opts.HashFunc())
 	if err != nil {
 		return nil, err
 	}
@@ -359,18 +357,18 @@ func (p *x509Signer) Public() crypto.PublicKey {
 // having the actual public key object in order to retrieve the private key
 // handle. This is because we already have the key pair object ID, and as such
 // do not need to query the HSM to retrieve it.
-func newSigner(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, label string, id []byte) (crypto.Signer, error) {
+func newSigner(session *pkcs11helpers.Session, label string, id []byte) (crypto.Signer, error) {
 	// Retrieve the private key handle that will later be used for the certificate
 	// signing operation
-	privateHandle, err := pkcs11helpers.FindObject(ctx, session, []*pkcs11.Attribute{
+	privateHandle, err := session.FindObject([]*pkcs11.Attribute{
 		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
 		pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
 		pkcs11.NewAttribute(pkcs11.CKA_ID, id),
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve private key handle: %s", err)
 	}
-	attrs, err := ctx.GetAttributeValue(session, privateHandle, []*pkcs11.Attribute{
+	attrs, err := session.GetAttributeValue(privateHandle, []*pkcs11.Attribute{
 		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, nil)},
 	)
 	if err != nil {
@@ -382,7 +380,7 @@ func newSigner(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, label stri
 
 	// Retrieve the public key handle with the same CKA_ID as the private key
 	// and construct a {rsa,ecdsa}.PublicKey for use in x509.CreateCertificate
-	pubHandle, err := pkcs11helpers.FindObject(ctx, session, []*pkcs11.Attribute{
+	pubHandle, err := session.FindObject([]*pkcs11.Attribute{
 		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
 		pkcs11.NewAttribute(pkcs11.CKA_LABEL, label),
 		pkcs11.NewAttribute(pkcs11.CKA_ID, id),
@@ -397,14 +395,14 @@ func newSigner(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, label stri
 	// 0x00000000, CKK_RSA
 	case bytes.Equal(attrs[0].Value, []byte{0, 0, 0, 0, 0, 0, 0, 0}):
 		keyType = pkcs11helpers.RSAKey
-		pub, err = pkcs11helpers.GetRSAPublicKey(ctx, session, pubHandle)
+		pub, err = session.GetRSAPublicKey(pubHandle)
 		if err != nil {
 			return nil, fmt.Errorf("failed to retrieve public key: %s", err)
 		}
 	// 0x00000003, CKK_ECDSA
 	case bytes.Equal(attrs[0].Value, []byte{3, 0, 0, 0, 0, 0, 0, 0}):
 		keyType = pkcs11helpers.ECDSAKey
-		pub, err = pkcs11helpers.GetECDSAPublicKey(ctx, session, pubHandle)
+		pub, err = session.GetECDSAPublicKey(pubHandle)
 		if err != nil {
 			return nil, fmt.Errorf("failed to retrieve public key: %s", err)
 		}
@@ -413,7 +411,6 @@ func newSigner(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, label stri
 	}
 
 	return &x509Signer{
-		ctx:          ctx,
 		session:      session,
 		objectHandle: privateHandle,
 		keyType:      keyType,
 
@@ -20,7 +20,7 @@ import (
 )
 
 func TestX509Signer(t *testing.T) {
-	ctx := pkcs11helpers.MockCtx{}
+	s, ctx := pkcs11helpers.NewSessionWithMock()
 
 	// test that x509Signer.Sign properly converts the PKCS#11 format signature to
 	// the RFC 5480 format signature
@@ -51,7 +51,7 @@ func TestX509Signer(t *testing.T) {
 		return append(rBytes, sBytes...), nil
 	}
 	digest := sha256.Sum256([]byte("hello"))
-	signer := &x509Signer{ctx: ctx, keyType: pkcs11helpers.ECDSAKey, pub: tk.Public()}
+	signer := &x509Signer{session: s, keyType: pkcs11helpers.ECDSAKey, pub: tk.Public()}
 	signature, err := signer.Sign(nil, digest[:], crypto.SHA256)
 	test.AssertNotError(t, err, "x509Signer.Sign failed")
 
@@ -78,9 +78,9 @@ func TestParseOID(t *testing.T) {
 }
 
 func TestMakeTemplate(t *testing.T) {
-	ctx := pkcs11helpers.MockCtx{}
+	s, ctx := pkcs11helpers.NewSessionWithMock()
 	profile := &certProfile{}
-	randReader := newRandReader(&ctx, 0)
+	randReader := newRandReader(s)
 
 	pubKey, err := hex.DecodeString("3059301306072a8648ce3d020106082a8648ce3d03010703420004b06745ef0375c9c54057098f077964e18d3bed0aacd54545b16eab8c539b5768cc1cea93ba56af1e22a7a01c33048c8885ed17c9c55ede70649b707072689f5e")
 	test.AssertNotError(t, err, "failed to decode test public key")
@@ -157,14 +157,13 @@ func TestMakeTemplate(t *testing.T) {
 }
 
 func TestMakeTemplateOCSP(t *testing.T) {
-	ctx := pkcs11helpers.MockCtx{
-		GenerateRandomFunc: func(_ pkcs11.SessionHandle, length int) ([]byte, error) {
-			r := make([]byte, length)
-			_, err := rand.Read(r)
-			return r, err
-		},
+	s, ctx := pkcs11helpers.NewSessionWithMock()
+	ctx.GenerateRandomFunc = func(_ pkcs11.SessionHandle, length int) ([]byte, error) {
+		r := make([]byte, length)
+		_, err := rand.Read(r)
+		return r, err
 	}
-	randReader := newRandReader(&ctx, 0)
+	randReader := newRandReader(s)
 	profile := &certProfile{
 		SignatureAlgorithm: "SHA256WithRSA",
 		CommonName:         "common name",
@@ -206,14 +205,13 @@ func TestMakeTemplateOCSP(t *testing.T) {
 }
 
 func TestMakeTemplateCRL(t *testing.T) {
-	ctx := pkcs11helpers.MockCtx{
-		GenerateRandomFunc: func(_ pkcs11.SessionHandle, length int) ([]byte, error) {
-			r := make([]byte, length)
-			_, err := rand.Read(r)
-			return r, err
-		},
+	s, ctx := pkcs11helpers.NewSessionWithMock()
+	ctx.GenerateRandomFunc = func(_ pkcs11.SessionHandle, length int) ([]byte, error) {
+		r := make([]byte, length)
+		_, err := rand.Read(r)
+		return r, err
 	}
-	randReader := newRandReader(&ctx, 0)
+	randReader := newRandReader(s)
 	profile := &certProfile{
 		SignatureAlgorithm: "SHA256WithRSA",
 		CommonName:         "common name",
@@ -462,13 +460,13 @@ func TestVerifyProfile(t *testing.T) {
 }
 
 func TestGetKey(t *testing.T) {
-	ctx := pkcs11helpers.MockCtx{}
+	s, ctx := pkcs11helpers.NewSessionWithMock()
 
 	// test newSigner fails when pkcs11helpers.FindObject for private key handle fails
 	ctx.FindObjectsInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Attribute) error {
 		return errors.New("broken")
 	}
-	_, err := newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err := newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when pkcs11helpers.FindObject for private key handle failed")
 
 	// test newSigner fails when GetAttributeValue fails
@@ -484,14 +482,14 @@ func TestGetKey(t *testing.T) {
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return nil, errors.New("broken")
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type failed")
 
 	// test newSigner fails when GetAttributeValue returns no attributes
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return nil, nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key type returned no attributes")
 
 	// test newSigner fails when pkcs11helpers.FindObject for public key handle fails
@@ -504,7 +502,7 @@ func TestGetKey(t *testing.T) {
 		}
 		return nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when pkcs11helpers.FindObject for public key handle failed")
 
 	// test newSigner fails when pkcs11helpers.FindObject for private key returns unknown CKA_KEY_TYPE
@@ -514,21 +512,21 @@ func TestGetKey(t *testing.T) {
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{2, 0, 0, 0, 0, 0, 0, 0})}, nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when GetAttributeValue for private key returned unknown key type")
 
 	// test newSigner fails when GetRSAPublicKey fails
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{0, 0, 0, 0, 0, 0, 0, 0})}, nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when GetRSAPublicKey fails")
 
 	// test newSigner fails when GetECDSAPublicKey fails
 	ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 		return []*pkcs11.Attribute{pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, []byte{3, 0, 0, 0, 0, 0, 0, 0})}, nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertError(t, err, "newSigner didn't fail when GetECDSAPublicKey fails")
 
 	// test newSigner works when everything... works
@@ -548,6 +546,6 @@ func TestGetKey(t *testing.T) {
 		}
 		return returns, nil
 	}
-	_, err = newSigner(ctx, 0, "label", []byte{255, 255})
+	_, err = newSigner(s, "label", []byte{255, 255})
 	test.AssertNotError(t, err, "newSigner failed when everything worked properly")
 }
@@ -76,12 +76,11 @@ func ecArgs(label string, curve elliptic.Curve, keyID []byte) generateArgs {
 // handle, and constructs an ecdsa.PublicKey. It also checks that the key is of
 // the correct curve type.
 func ecPub(
-	ctx pkcs11helpers.PKCtx,
-	session pkcs11.SessionHandle,
+	session *pkcs11helpers.Session,
 	object pkcs11.ObjectHandle,
 	expectedCurve elliptic.Curve,
 ) (*ecdsa.PublicKey, error) {
-	pubKey, err := pkcs11helpers.GetECDSAPublicKey(ctx, session, object)
+	pubKey, err := session.GetECDSAPublicKey(object)
 	if err != nil {
 		return nil, err
 	}
@@ -97,9 +96,9 @@ func ecPub(
 // private key on the device, specified by the provided object handle, by signing
 // a nonce generated on the device and verifying the returned signature using the
 // public key.
-func ecVerify(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, object pkcs11.ObjectHandle, pub *ecdsa.PublicKey) error {
+func ecVerify(session *pkcs11helpers.Session, object pkcs11.ObjectHandle, pub *ecdsa.PublicKey) error {
 	nonce := make([]byte, 4)
-	_, err := newRandReader(ctx, session).Read(nonce)
+	_, err := newRandReader(session).Read(nonce)
 	if err != nil {
 		return fmt.Errorf("failed to construct nonce: %s", err)
 	}
@@ -108,7 +107,7 @@ func ecVerify(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, object pkcs
 	hashFunc.Write(nonce)
 	digest := hashFunc.Sum(nil)
 	log.Printf("\tMessage %s hash: %X\n", hashToString[curveToHash[pub.Curve]], digest)
-	signature, err := pkcs11helpers.Sign(ctx, session, object, pkcs11helpers.ECDSAKey, digest, curveToHash[pub.Curve])
+	signature, err := session.Sign(object, pkcs11helpers.ECDSAKey, digest, curveToHash[pub.Curve])
 	if err != nil {
 		return err
 	}
@@ -126,31 +125,31 @@ func ecVerify(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, object pkcs
 // specified by curveStr and with the provided label. It returns the public
 // part of the generated key pair as a ecdsa.PublicKey and the random key ID
 // that the HSM uses to identify the key pair.
-func ecGenerate(ctx pkcs11helpers.PKCtx, session pkcs11.SessionHandle, label, curveStr string) (*ecdsa.PublicKey, []byte, error) {
+func ecGenerate(session *pkcs11helpers.Session, label, curveStr string) (*ecdsa.PublicKey, []byte, error) {
 	curve, present := stringToCurve[curveStr]
 	if !present {
 		return nil, nil, fmt.Errorf("curve %q not supported", curveStr)
 	}
 	keyID := make([]byte, 4)
-	_, err := newRandReader(ctx, session).Read(keyID)
+	_, err := newRandReader(session).Read(keyID)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Printf("Generating ECDSA key with curve %s and ID %x\n", curveStr, keyID)
 	args := ecArgs(label, curve, keyID)
-	pub, priv, err := ctx.GenerateKeyPair(session, args.mechanism, args.publicAttrs, args.privateAttrs)
+	pub, priv, err := session.GenerateKeyPair(args.mechanism, args.publicAttrs, args.privateAttrs)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Println("Key generated")
 	log.Println("Extracting public key")
-	pk, err := ecPub(ctx, session, pub, curve)
+	pk, err := ecPub(session, pub, curve)
 	if err != nil {
 		return nil, nil, err
 	}
 	log.Println("Extracted public key")
 	log.Println("Verifying public key")
-	err = ecVerify(ctx, session, priv, pk)
+	err = ecVerify(session, priv, pk)
 	if err != nil {
 		return nil, nil, err
 	}