Changed paradigm for how additional derived keys should be retrieved after KDF operation

jacobprudhomme · jacobprudhomme · commit 89f4c560de0d · 2025-04-15T11:38:33.000+02:00
Signed-off-by: Jacob Prud'homme &lt;2160185+jacobprudhomme@users.noreply.github.com&gt;
diff --git a/cryptoki/src/mechanism/kbkdf.rs b/cryptoki/src/mechanism/kbkdf.rs
@@ -182,7 +182,16 @@ impl DerivedKey {
 
         Self {
             template,
-            handle: 0,
+            handle: cryptoki_sys::CK_INVALID_HANDLE,
+        }
+    }
+
+    /// Return handle for derived key, if it has been created yet
+    pub fn handle(&self) -> Option<ObjectHandle> {
+        if self.handle == cryptoki_sys::CK_INVALID_HANDLE {
+            None
+        } else {
+            Some(ObjectHandle::new(self.handle))
         }
     }
 }
@@ -207,7 +216,7 @@ impl From<&mut DerivedKey> for cryptoki_sys::CK_DERIVED_KEY {
 #[derive(Debug)]
 pub struct KbkdfParams<'a> {
     /// Holds own data so that we have a contiguous memory region to give to backend
-    additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
+    _additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
 
     inner: cryptoki_sys::CK_SP800_108_KDF_PARAMS,
     /// Marker type to ensure we don't outlive the data
@@ -258,7 +267,7 @@ impl<'a> KbkdfParams<'a> {
         };
 
         Self {
-            additional_derived_keys,
+            _additional_derived_keys: additional_derived_keys,
 
             inner,
             _marker: PhantomData,
@@ -268,18 +277,6 @@ impl<'a> KbkdfParams<'a> {
     pub(crate) fn inner(&self) -> &cryptoki_sys::CK_SP800_108_KDF_PARAMS {
         &self.inner
     }
-
-    /// The additional keys derived by the KDF, as per the params
-    pub(crate) fn additional_derived_keys(&self) -> Option<Vec<ObjectHandle>> {
-        self.additional_derived_keys.as_ref().map(|keys| {
-            keys.iter()
-                .map(|key| {
-                    // SAFETY: a value is always provided during construction
-                    ObjectHandle::new(unsafe { *key.phKey })
-                })
-                .collect()
-        })
-    }
 }
 
 /// NIST SP 800-108 (aka KBKDF) feedback-mode parameters.
@@ -288,7 +285,7 @@ impl<'a> KbkdfParams<'a> {
 #[derive(Debug)]
 pub struct KbkdfFeedbackParams<'a> {
     /// Holds own data so that we have a contiguous memory region to give to backend
-    additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
+    _additional_derived_keys: Option<Pin<Box<[cryptoki_sys::CK_DERIVED_KEY]>>>,
 
     inner: cryptoki_sys::CK_SP800_108_FEEDBACK_KDF_PARAMS,
     /// Marker type to ensure we don't outlive the data
@@ -348,7 +345,7 @@ impl<'a> KbkdfFeedbackParams<'a> {
         };
 
         Self {
-            additional_derived_keys,
+            _additional_derived_keys: additional_derived_keys,
 
             inner,
             _marker: PhantomData,
@@ -358,16 +355,4 @@ impl<'a> KbkdfFeedbackParams<'a> {
     pub(crate) fn inner(&self) -> &cryptoki_sys::CK_SP800_108_FEEDBACK_KDF_PARAMS {
         &self.inner
     }
-
-    /// The additional keys derived by the KDF, as per the params
-    pub(crate) fn additional_derived_keys(&self) -> Option<Vec<ObjectHandle>> {
-        self.additional_derived_keys.as_ref().map(|keys| {
-            keys.iter()
-                .map(|key| {
-                    // SAFETY: a value is always provided during construction
-                    ObjectHandle::new(unsafe { *key.phKey })
-                })
-                .collect()
-        })
-    }
 }
diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -24,7 +24,6 @@ use vendor_defined::VendorDefinedMechanism;
 
 use crate::error::Error;
 use crate::mechanism::rsa::PkcsOaepParams;
-use crate::object::ObjectHandle;
 pub use mechanism_info::MechanismInfo;
 
 #[derive(Copy, Debug, Clone, PartialEq, Eq)]
@@ -1227,20 +1226,3 @@ impl MessageParam<'_> {
         }
     }
 }
-
-/// Trait for mechanism types that define additional keys to be derived in their parameters
-pub trait HasAdditionalDerivedKeys {
-    /// Get the object handles for the additional keys that were derived
-    fn additional_derived_keys(&self) -> Vec<ObjectHandle>;
-}
-
-impl HasAdditionalDerivedKeys for &Mechanism<'_> {
-    fn additional_derived_keys(&self) -> Vec<ObjectHandle> {
-        match self {
-            Mechanism::KbkdfCounter(params) => params.additional_derived_keys().unwrap_or_default(),
-            Mechanism::KbkdfFeedback(params) => params.additional_derived_keys().unwrap_or_default(),
-            Mechanism::KbkdfDoublePipeline(params) => params.additional_derived_keys().unwrap_or_default(),
-            _ => unimplemented!("The given mechanism doesn't define additional keys to derive"), // TODO: this or return an option?
-        }
-    }
-}
diff --git a/cryptoki/src/session/key_management.rs b/cryptoki/src/session/key_management.rs
@@ -4,7 +4,7 @@
 
 use crate::context::Function;
 use crate::error::{Result, Rv};
-use crate::mechanism::{HasAdditionalDerivedKeys as _, Mechanism};
+use crate::mechanism::Mechanism;
 use crate::object::{Attribute, ObjectHandle};
 use crate::session::Session;
 use cryptoki_sys::{CK_ATTRIBUTE, CK_MECHANISM, CK_MECHANISM_PTR};
@@ -93,33 +93,6 @@ impl Session {
         Ok(ObjectHandle::new(handle))
     }
 
-    /// Derives multiple keys from a base key
-    pub fn derive_keys(
-        &self,
-        mechanism: &Mechanism,
-        base_key: ObjectHandle,
-        template: &[Attribute],
-    ) -> Result<(ObjectHandle, Vec<ObjectHandle>)> {
-        let mut c_mechanism: CK_MECHANISM = mechanism.into();
-        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();
-        let mut handle = 0;
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_DeriveKey)(
-                self.handle(),
-                &mut c_mechanism as CK_MECHANISM_PTR,
-                base_key.handle(),
-                template.as_mut_ptr(),
-                template.len().try_into()?,
-                &mut handle,
-            ))
-            .into_result(Function::DeriveKey)?;
-        }
-
-        let additional_key_handles = mechanism.additional_derived_keys();
-
-        Ok((ObjectHandle::new(handle), additional_key_handles))
-    }
-
     /// Wrap key
     pub fn wrap_key(
         &self,
