Removed additional types to match the PKCS#11 spec 1-to-1

jacobprudhomme · jacobprudhomme · commit 07ba6f1515e1 · 2025-04-15T11:36:48.000+02:00
Gave up some type safety on which types of PRF data parameters are allowed for
which KDF modes, in exchange for being a 1-to-1 binding with the PKCS#11 spec.
Depending on the wants of the project, this can be reversed.

Signed-off-by: Jacob Prud'homme &lt;2160185+jacobprudhomme@users.noreply.github.com&gt;
diff --git a/cryptoki/src/mechanism/kbkdf.rs b/cryptoki/src/mechanism/kbkdf.rs
@@ -95,7 +95,7 @@ impl KbkdfDkmLengthFormat {
 #[derive(Debug, Clone, Copy)]
 pub enum PrfDataParamType<'a> {
     /// Identifies location of predefined iteration variable in constructed PRF input data.
-    IterationVariable,
+    IterationVariable(Option<&'a KbkdfCounterFormat>),
     /// Identifies location of counter in constructed PRF input data.
     Counter(&'a KbkdfCounterFormat),
     /// Identifies location of DKM (derived key material) length in constructed PRF input data.
@@ -124,11 +124,19 @@ impl<'a> PrfDataParam<'a> {
     pub fn new(type_: PrfDataParamType<'a>) -> Self {
         Self {
             inner: match type_ {
-                PrfDataParamType::IterationVariable => cryptoki_sys::CK_PRF_DATA_PARAM {
+                PrfDataParamType::IterationVariable(None) => cryptoki_sys::CK_PRF_DATA_PARAM {
                     type_: cryptoki_sys::CK_SP800_108_ITERATION_VARIABLE,
                     pValue: ptr::null_mut(),
                     ulValueLen: 0,
                 },
+                PrfDataParamType::IterationVariable(Some(counter_format)) => {
+                    cryptoki_sys::CK_PRF_DATA_PARAM {
+                        type_: cryptoki_sys::CK_SP800_108_ITERATION_VARIABLE,
+                        pValue: counter_format as *const _ as *mut _,
+                        ulValueLen: size_of::<cryptoki_sys::CK_SP800_108_COUNTER_FORMAT>()
+                            as cryptoki_sys::CK_ULONG,
+                    }
+                }
                 PrfDataParamType::Counter(counter_format) => cryptoki_sys::CK_PRF_DATA_PARAM {
                     type_: cryptoki_sys::CK_SP800_108_COUNTER,
                     pValue: counter_format as *const _ as *mut _,
@@ -155,67 +163,6 @@ impl<'a> PrfDataParam<'a> {
     }
 }
 
-/// The type of a segment of input data for the PRF, for a KBKDF operating in counter-mode.
-#[derive(Debug, Clone, Copy)]
-pub enum PrfCounterDataParamType<'a> {
-    /// Identifies location of iteration variable (a counter in this case) in constructed PRF input data.
-    IterationVariable(&'a KbkdfCounterFormat),
-    /// Identifies location of DKM (derived key material) length in constructed PRF input data.
-    DkmLength(&'a KbkdfDkmLengthFormat),
-    /// Identifies location and value of byte array of data in constructed PRF input data.
-    ByteArray(&'a [u8]),
-}
-
-/// A segment of input data for the PRF, to be used to construct a sequence of input.
-///
-/// Corresponds to CK_PRF_DATA_PARAM in the specific case of the KDF operating in counter-mode.
-#[derive(Debug, Clone, Copy)]
-#[repr(transparent)]
-pub struct PrfCounterDataParam<'a> {
-    inner: cryptoki_sys::CK_PRF_DATA_PARAM,
-    /// Marker type to ensure we don't outlive the data
-    _marker: PhantomData<&'a [u8]>,
-}
-
-impl<'a> PrfCounterDataParam<'a> {
-    /// Construct data parameter for input of the PRF internal to the KBKDF.
-    ///
-    /// # Arguments
-    ///
-    /// * `type_` - The specific type and parameters for the data parameter.
-    pub fn new(type_: PrfCounterDataParamType<'a>) -> Self {
-        Self {
-            inner: match type_ {
-                PrfCounterDataParamType::IterationVariable(counter_format) => {
-                    cryptoki_sys::CK_PRF_DATA_PARAM {
-                        type_: cryptoki_sys::CK_SP800_108_ITERATION_VARIABLE,
-                        pValue: counter_format as *const _ as *mut _,
-                        ulValueLen: size_of::<cryptoki_sys::CK_SP800_108_COUNTER_FORMAT>()
-                            as cryptoki_sys::CK_ULONG,
-                    }
-                }
-                PrfCounterDataParamType::DkmLength(dkm_length_format) => {
-                    cryptoki_sys::CK_PRF_DATA_PARAM {
-                        type_: cryptoki_sys::CK_SP800_108_DKM_LENGTH,
-                        pValue: dkm_length_format as *const _ as *mut _,
-                        ulValueLen: size_of::<cryptoki_sys::CK_SP800_108_DKM_LENGTH_FORMAT>()
-                            as cryptoki_sys::CK_ULONG,
-                    }
-                }
-                PrfCounterDataParamType::ByteArray(data) => cryptoki_sys::CK_PRF_DATA_PARAM {
-                    type_: cryptoki_sys::CK_SP800_108_BYTE_ARRAY,
-                    pValue: data.as_ptr() as *mut _,
-                    ulValueLen: data
-                        .len()
-                        .try_into()
-                        .expect("length of data parameter does not fit in CK_ULONG"),
-                },
-            },
-            _marker: PhantomData,
-        }
-    }
-}
-
 /// Container for information on an additional key to be derived.
 #[derive(Debug)]
 pub struct DerivedKey {
@@ -258,7 +205,7 @@ impl From<&mut DerivedKey> for cryptoki_sys::CK_DERIVED_KEY {
 ///
 /// This structure wraps a `CK_SP800_108_KDF_PARAMS` structure.
 #[derive(Debug)]
-pub struct KbkdfCounterParams<'a> {
+pub struct KbkdfParams<'a> {
     /// Holds own data so that we have a contiguous memory region to give to backend
     additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
 
@@ -267,7 +214,7 @@ pub struct KbkdfCounterParams<'a> {
     _marker: PhantomData<&'a [u8]>,
 }
 
-impl<'a> KbkdfCounterParams<'a> {
+impl<'a> KbkdfParams<'a> {
     /// Construct parameters for NIST SP 800-108 KDF (aka KBKDF) pseuderandom function-based key
     /// derivation function, in counter-mode.
     ///
@@ -280,7 +227,7 @@ impl<'a> KbkdfCounterParams<'a> {
     /// * `additional_derived_keys` - Any additional keys to be generated by the KDF from the base key.
     pub fn new(
         prf_mechanism: MechanismType,
-        prf_data_params: &'a [PrfCounterDataParam<'a>],
+        prf_data_params: &'a [PrfDataParam<'a>],
         additional_derived_keys: Option<&'a mut [DerivedKey]>,
     ) -> Self {
         let mut additional_derived_keys = additional_derived_keys
@@ -424,84 +371,3 @@ impl<'a> KbkdfFeedbackParams<'a> {
         })
     }
 }
-
-/// NIST SP 800-108 (aka KBKDF) double pipeline-mode parameters.
-///
-/// This structure wraps a `CK_SP800_108_KDF_PARAMS` structure.
-#[derive(Debug)]
-pub struct KbkdfDoublePipelineParams<'a> {
-    /// Holds own data so that we have a contiguous memory region to give to backend
-    additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
-
-    inner: cryptoki_sys::CK_SP800_108_KDF_PARAMS,
-    /// Marker type to ensure we don't outlive the data
-    _marker: PhantomData<&'a [u8]>,
-}
-
-impl<'a> KbkdfDoublePipelineParams<'a> {
-    /// Construct parameters for NIST SP 800-108 KDF (aka KBKDF) pseuderandom function-based key
-    /// derivation function, in double pipeline-mode.
-    ///
-    /// # Arguments
-    ///
-    /// * `prf_mechanism` - The pseudorandom function that underlies the KBKDF operation.
-    ///
-    /// * `prf_data_params` - The sequence of data segments used as input data for the PRF. Requires at least [`PrfDataParam::IterationVariable`].
-    ///
-    /// * `additional_derived_keys` - Any additional keys to be generated by the KDF from the base key.
-    pub fn new(
-        prf_mechanism: MechanismType,
-        prf_data_params: &'a [PrfDataParam<'a>],
-        additional_derived_keys: Option<&'a mut [DerivedKey]>,
-    ) -> Self {
-        let mut additional_derived_keys = additional_derived_keys
-            .map(|keys| {
-                keys.iter_mut()
-                    .map(Into::into)
-                    .collect::<Box<[cryptoki_sys::CK_DERIVED_KEY]>>()
-            })
-            .map(Pin::new);
-
-        let inner = cryptoki_sys::CK_SP800_108_KDF_PARAMS {
-            prfType: prf_mechanism.into(),
-            ulNumberOfDataParams: prf_data_params
-                .len()
-                .try_into()
-                .expect("number of data parameters does not fit in CK_ULONG"),
-            pDataParams: prf_data_params.as_ptr() as cryptoki_sys::CK_PRF_DATA_PARAM_PTR,
-            ulAdditionalDerivedKeys: additional_derived_keys.as_ref().map_or(0, |keys| {
-                keys.len()
-                    .try_into()
-                    .expect("number of additional derived keys does not fit in CK_ULONG")
-            }),
-            pAdditionalDerivedKeys: additional_derived_keys
-                .as_mut()
-                .map_or(ptr::null_mut(), |keys| {
-                    keys.as_mut_ptr() as cryptoki_sys::CK_DERIVED_KEY_PTR
-                }),
-        };
-
-        Self {
-            additional_derived_keys,
-
-            inner,
-            _marker: PhantomData,
-        }
-    }
-
-    pub(crate) fn inner(&self) -> &cryptoki_sys::CK_SP800_108_KDF_PARAMS {
-        &self.inner
-    }
-
-    /// The additional keys derived by the KDF, as per the params
-    pub(crate) fn additional_derived_keys(&self) -> Option<Vec<ObjectHandle>> {
-        self.additional_derived_keys.as_ref().map(|keys| {
-            keys.iter()
-                .map(|key| {
-                    // SAFETY: a value is always provided during construction
-                    ObjectHandle::new(unsafe { *key.phKey })
-                })
-                .collect()
-        })
-    }
-}
diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -1000,11 +1000,11 @@ pub enum Mechanism<'a> {
 
     // NIST SP 800-108 KDF (aka KBKDF)
     /// NIST SP 800-108 KDF (aka KBKDF) mechanism in counter-mode
-    KbkdfCounter(kbkdf::KbkdfCounterParams<'a>),
+    KbkdfCounter(kbkdf::KbkdfParams<'a>),
     /// NIST SP 800-108 KDF (aka KBKDF) mechanism in feedback-mode
     KbkdfFeedback(kbkdf::KbkdfFeedbackParams<'a>),
     /// NIST SP 800-108 KDF (aka KBKDF) mechanism in double pipeline-mode
-    KbkdfDoublePipeline(kbkdf::KbkdfDoublePipelineParams<'a>),
+    KbkdfDoublePipeline(kbkdf::KbkdfParams<'a>),
 
     /// Vendor defined mechanism
     VendorDefined(VendorDefinedMechanism<'a>),
@@ -1137,9 +1137,10 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
             Mechanism::HkdfDerive(params) | Mechanism::HkdfData(params) => {
                 make_mechanism(mechanism, params)
             }
-            Mechanism::KbkdfCounter(params) => make_mechanism(mechanism, params.inner()),
+            Mechanism::KbkdfCounter(params) | Mechanism::KbkdfDoublePipeline(params) => {
+                make_mechanism(mechanism, params.inner())
+            }
             Mechanism::KbkdfFeedback(params) => make_mechanism(mechanism, params.inner()),
-            Mechanism::KbkdfDoublePipeline(params) => make_mechanism(mechanism, params.inner()),
             // Mechanisms without parameters
             Mechanism::AesKeyGen
             | Mechanism::AesEcb
