From 73013172a051e5d4c4db5af2d8568cbf5a9ee545 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 29 Mar 2023 12:20:51 -0400
Subject: [PATCH] Add option to control caching of keys in session

Add an option to allow disabling wven trying to cache keys in session objects. This is useful for tokens that can export key material in software like soft tokens and certain Cloud HSMs, as this can significantly speed up key usage while still formally keeping private keys out of direct user hands.

Signed-off-by: Simo Sorce
---
 src/objects.c | 7 +++++++
 src/provider.c | 38 +++++++++++++++++++++++++++-----------
 src/provider.h | 6 ++++++
 3 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/src/objects.c b/src/objects.c
index c7590eba..5898c875 100644
--- a/src/objects.c
+++ b/src/objects.c
@@ -325,6 +325,13 @@ static void cache_key(P11PROV_OBJ *obj)
     CK_SESSION_HANDLE sess;
     CK_BBOOL can_cache = CK_TRUE;
     CK_RV ret;
+    int cache_keys;
+
+    /* check whether keys should be cached at all */
+    cache_keys = p11prov_ctx_cache_keys(obj->ctx);
+    if (cache_keys == P11PROV_CACHE_KEYS_NEVER) {
+        return;
+    }
 
     /* We cache only keys on the token */
     if ((obj->class != CKO_PRIVATE_KEY && obj->class != CKO_PUBLIC_KEY)
diff --git a/src/provider.c b/src/provider.c
index c8783f32..1e428b63 100644
--- a/src/provider.c
+++ b/src/provider.c
@@ -28,6 +28,7 @@ struct p11prov_ctx {
     int allow_export;
     int login_behavior;
     bool cache_pins;
+    int cache_keys;
 
     /* TODO: ui_method */
     /* TODO: fork id */
@@ -538,6 +539,12 @@ bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx)
     return ctx->cache_pins;
 }
 
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx)
+{
+    P11PROV_debug("cache_keys = %d", ctx->cache_keys);
+    return ctx->cache_keys;
+}
+
 static void p11prov_teardown(void *ctx)
 {
     p11prov_ctx_free((P11PROV_CTX *)ctx);
@@ -1196,6 +1203,7 @@ enum p11prov_cfg_enum {
     P11PROV_CFG_LOGIN_BEHAVIOR,
     P11PROV_CFG_LOAD_BEHAVIOR,
     P11PROV_CFG_CACHE_PINS,
+    P11PROV_CFG_CACHE_KEYS,
     P11PROV_CFG_SIZE,
 };
 
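Review bot: The P11PROV_debug call in the new p11prov_ctx_cache_keys runs on every invocation, and cache_key() in objects.c now calls this accessor for every key object it processes, so a fixed configuration value is traced once per object rather than once. The sibling accessor p11prov_ctx_cache_pins directly above simply returns the field; dropping the trace here and logging the parsed value once in OSSL_provider_init keeps the accessors consistent and the debug log readable. A one-line header comment would also help, since the enum it returns lives in provider.h: `/* Returns the P11PROV_CACHE_KEYS_* policy set via pkcs11-module-cache-keys */`.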
@@ -1205,23 +1213,14 @@ static struct p11prov_cfg_names {
     { "pkcs11-module-path" },
     { "pkcs11-module-init-args" },
     { "pkcs11-module-token-pin" },
     { "pkcs11-module-allow-export" },
     { "pkcs11-module-login-behavior" },
     { "pkcs11-module-load-behavior" },
-    { "pkcs11-module-cache-pins" },
+    { "pkcs11-module-cache-pins" }, { "pkcs11-module-cache-keys" },
 };
 
 int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
                        const OSSL_DISPATCH **out, void **provctx)
 {
     const char *cfg[P11PROV_CFG_SIZE] = { 0 };
-    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1] = {
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[0].name, &cfg[0], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[1].name, &cfg[1], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[2].name, &cfg[2], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[3].name, &cfg[3], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[4].name, &cfg[4], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[5].name, &cfg[5], sizeof(void *)),
-        OSSL_PARAM_utf8_ptr(p11prov_cfg_names[6].name, &cfg[6], sizeof(void *)),
-        OSSL_PARAM_END
-    };
+    OSSL_PARAM core_params[P11PROV_CFG_SIZE + 1];
     P11PROV_CTX *ctx;
     int ret;
 
@@ -1249,6 +1248,12 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         return RET_OSSL_ERR;
     }
 
+    for (int i = 0; i < P11PROV_CFG_SIZE; i++) {
+        core_params[i] = OSSL_PARAM_construct_utf8_ptr(
+            p11prov_cfg_names[i].name, (char **)&cfg[i], sizeof(void *));
+    }
+    core_params[P11PROV_CFG_SIZE] = OSSL_PARAM_construct_end();
+
     ret = core_get_params(handle, core_params);
     if (ret != RET_OSSL_OK) {
         ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GET_PARAMETER);
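Review bot: The p11prov_cfg_names table is indexed positionally by enum p11prov_cfg_enum, and the new entry is appended on the same line as the cache-pins one, so the table no longer reads as one index per line and a later insertion in either the enum or the table can shift the correspondence without any diagnostic; the loop added in the next hunk of this file relies on that correspondence through p11prov_cfg_names[i]. Designated initializers make the link explicit regardless of ordering: `[P11PROV_CFG_CACHE_PINS] = { "pkcs11-module-cache-pins" },` and `[P11PROV_CFG_CACHE_KEYS] = { "pkcs11-module-cache-keys" },`; failing that, keep one entry per line. OSSL_provider_init continues outside the hunk.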
@@ -1307,6 +1312,17 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         ctx->cache_pins = true;
     }
 
+    if (cfg[P11PROV_CFG_CACHE_KEYS] != NULL) {
+        if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "true") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+        } else if (strcmp(cfg[P11PROV_CFG_CACHE_KEYS], "false") == 0) {
+            ctx->cache_keys = P11PROV_CACHE_KEYS_NEVER;
+        }
+    } else {
+        /* defaults to session */
+        ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;
+    }
+
     /* do this as the last thing */
     if (cfg[P11PROV_CFG_LOAD_BEHAVIOR] != NULL
         && strcmp(cfg[P11PROV_CFG_LOAD_BEHAVIOR], "early") == 0) {
diff --git a/src/provider.h b/src/provider.h
index a9e12252..f0231629 100644
--- a/src/provider.h
+++ b/src/provider.h
@@ -94,6 +94,12 @@ int p11prov_ctx_allow_export(P11PROV_CTX *ctx);
 int p11prov_ctx_login_behavior(P11PROV_CTX *ctx);
 bool p11prov_ctx_cache_pins(P11PROV_CTX *ctx);
 
+enum p11prov_cache_keys {
+    P11PROV_CACHE_KEYS_NEVER = 0,
+    P11PROV_CACHE_KEYS_IN_SESSION,
+};
+int p11prov_ctx_cache_keys(P11PROV_CTX *ctx);
+
 #include "debug.h"
 
 /* Errors */
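Review bot: A pkcs11-module-cache-keys value other than "true" or "false" leaves ctx->cache_keys unassigned in the new block: the default is only applied in the else branch for a missing option, so a misspelling such as "yes" yields whatever the allocation left in the field (P11PROV_CACHE_KEYS_NEVER if ctx is zero-allocated, since NEVER is 0; that allocation is not visible here). Either way the user silently gets a policy they did not choose. Assign the default first, `ctx->cache_keys = P11PROV_CACHE_KEYS_IN_SESSION;`, override it only on an exact "false" match, and report unrecognized strings (an ERR_raise like the existing parameter failure, or at least a P11PROV_debug) so misconfiguration is visible. OSSL_provider_init continues outside the hunk.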
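Review bot: The new enum p11prov_cache_keys and p11prov_ctx_cache_keys() are public header declarations with no comment saying what the values mean or which option selects them, and the meaning is only recoverable by reading cache_key() in objects.c and the parsing code in provider.c. Above the enum I would add `/* Key caching policy from pkcs11-module-cache-keys: NEVER makes cache_key() a no-op, IN_SESSION (the default) allows keys to be cached in a session. */`, and above the accessor `/* Returns the enum p11prov_cache_keys value configured for ctx. */`. The accessor returns int while its values are an enum, which matches the neighbouring accessors; the comment should make that relationship explicit for callers.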