Add option to control caching of keys in session

Add an option to allow disabling wven trying to cache keys in session objects. This is useful for tokens that can export key material in software like soft tokens and certain Cloud HSMs, as this can significantly speed up key usage while still formally keeping private keys out of direct user hands. Signed-off-by: Simo Sorce <[email protected]>
latchset · Mar 30, 2023 · 7301317 · 7301317
1 parent d7aa189
commit 7301317
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 11 deletions.
diff --git a/src/objects.c b/src/objects.c
@@ -325,6 +325,13 @@ static void cache_key(P11PROV_OBJ *obj)
     CK_SESSION_HANDLE sess;
     CK_BBOOL can_cache = CK_TRUE;
     CK_RV ret;
+    int cache_keys;
+
+    /* check whether keys should be cached at all */
+    cache_keys = p11prov_ctx_cache_keys(obj->ctx);
+    if (cache_keys == P11PROV_CACHE_KEYS_NEVER) {
+        return;
+    }
 
     /* We cache only keys on the token */
     if ((obj->class != CKO_PRIVATE_KEY && obj->class != CKO_PUBLIC_KEY)

diff --git a/src/provider.c b/src/provider.c
@@ -28,6 +28,7 @@ struct p11prov_ctx {
     int allow_export;
     int login_behavior;
     bool cache_pins;
+    int cache_keys;
     /* TODO: ui_method */
     /* TODO: fork id */
 
@@ -538,6 +539,12 @@ bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx)
     return ctx->cache_pins;
 }
 
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx)
+{
+    P11PROV_debug("cache_keys = %d", ctx->cache_keys);
+    return ctx->cache_keys;
+}
+
 static void p11prov_teardown(void *ctx)
 {
     p11prov_ctx_free((P11PROV_CTX *)ctx);
@@ -1196,6 +1203,7 @@ enum p11prov_cfg_enum {
     P11PROV_CFG_LOGIN_BEHAVIOR,
     P11PROV_CFG_LOAD_BEHAVIOR,
     P11PROV_CFG_CACHE_PINS,
+    P11PROV_CFG_CACHE_KEYS,
     P11PROV_CFG_SIZE,
 };
 
@@ -1205,23 +1213,14 @@ static struct p11prov_cfg_names {
     { "pkcs11-module-path" },           { "pkcs11-module-init-args" },
     { "pkcs11-module-token-pin" },      { "pkcs11-module-allow-export" },
     { "pkcs11-module-login-behavior" }, { "pkcs11-module-load-behavior" },
-    { "pkcs11-module-cache-pins" },
+    { "pkcs11-module-cache-pins" },     { "pkcs11-module-cache-keys" },
 };
 
 int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
                        const OSSL_DISPATCH **out, void **provctx)
 {
     const char *cfg[P11PROV_CFG_SIZE] = { 0 };
-    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1] = {
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[0].name, &cfg[0], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[1].name, &cfg[1], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[2].name, &cfg[2], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[3].name, &cfg[3], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[4].name, &cfg[4], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[5].name, &cfg[5], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[6].name, &cfg[6], sizeof(void *)),
-        OSSL_PARAM_END
-    };
+    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1];
     P11PROV_CTX *ctx;
     int ret;
 
@@ -1249,6 +1248,12 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         return RET_OSSL_ERR;
     }
 
+    for (int i = 0; i < P11PROV_CFG_SIZE; i++) {
+        core_params[i] = OSSL_PARAM_construct_utf8_ptr(
+            p11prov_cfg_names[i].name, (char **)&cfg[i], sizeof(void *));
+    }
+    core_params[P11PROV_CFG_SIZE] = OSSL_PARAM_construct_end();
+
     ret = core_get_params(handle, core_params);
     if (ret != RET_OSSL_OK) {
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
@@ -1307,6 +1312,17 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         ctx->cache_pins = true;
     }
 
+    if (cfg[P11PROV_CFG_CACHE_KEYS] != NULL) {
+        if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "true") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+        } else if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "false") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_NEVER;
+        }
+    } else {
+        /* defaults to session */
+        ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+    }
+
     /* do this as the last thing */
     if (cfg[P11PROV_CFG_LOAD_BEHAVIOR] != NULL
         && strcmp(cfg[P11PROV_CFG_LOAD_BEHAVIOR], "early") == 0) {

diff --git a/src/provider.h b/src/provider.h
@@ -94,6 +94,12 @@ int p11prov_ctx_allow_export(P11PROV_CTX *ctx);
 int p11prov_ctx_login_behavior(P11PROV_CTX *ctx);
 bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx);
 
+enum p11prov_cache_keys {
+    P11PROV_CACHE_KEYS_NEVER = 0,
+    P11PROV_CACHE_KEYS_IN_SESSION,
+};
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx);
+
 #include "debug.h"
 
 /* Errors */