Merge #68: Trace GetAttributeValue

2100eb7 pkcs11mod: Trace fromTemplate (Jeremy Rand) 367cf36 p11mod: Trace GetAttributeValue (Jeremy Rand) 9905eaa pkcs11mod: Trace GetAttributeValue (Jeremy Rand) Pull request description: Refs #58 Top commit has no ACKs. Tree-SHA512: d789dc58cf1b38b5c7ce72e3d5e4dba9008c46add94090ebb7a505a868be117d82293b3a617c534008557e1c4d339fe5804f25f1279c21ab7cc5d9f2ffbe2bf7
namecoin · Mar 9, 2022 · 2fd4a4d · 2fd4a4d
2 parents 67141f8 + 2100eb7
commit 2fd4a4d
Show file tree

Hide file tree

Showing 4 changed files with 212 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ See the `pkcs11proxy` subdirectory for an example of how to use pkcs11mod.  Also
 
 ## Tracing
 
-Set the environment variable `PKCS11MOD_TRACE=1` to enable debug tracing.  The trace will be outputted to the log file.
+Set the environment variable `PKCS11MOD_TRACE=1` to enable debug tracing.  To include sensitive data that might be a privacy leak, also set `PKCS11MOD_TRACE_SENSITIVE=1`.  The trace will be outputted to the log file.
 
 ## Should I use pkcs11mod or p11mod?
 

diff --git a/p11mod/p11mod.go b/p11mod/p11mod.go
@@ -356,6 +356,10 @@ func (ll *llBackend) GetObjectSize(sh pkcs11.SessionHandle, oh pkcs11.ObjectHand
 func (ll *llBackend) GetAttributeValue(sh pkcs11.SessionHandle, oh pkcs11.ObjectHandle, a []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) {
 	session, err := ll.getSessionByHandle(sh)
 	if err != nil {
+		if trace {
+			log.Printf("p11mod GetAttributeValue: %v", err)
+		}
+
 		return []*pkcs11.Attribute{}, err
 	}
 
@@ -371,12 +375,23 @@ func (ll *llBackend) GetAttributeValue(sh pkcs11.SessionHandle, oh pkcs11.Object
 
 	result := make([]*pkcs11.Attribute, len(a))
 	for i, t := range a {
+		if trace {
+			log.Printf("p11mod GetAttributeValue: Type %d", t.Type)
+		}
+
 		value, err := object.Attribute(t.Type)
 		if err != nil && err.Error() != "attribute not found" && err.Error() != "too many attributes found" {
+			if trace {
+				log.Printf("p11mod GetAttributeValue: %v", err)
+			}
 			return nil, err
 		}
 		if value == nil {
 			// CKR_ATTRIBUTE_TYPE_INVALID, attribute not found, or too many attributes found
+			if trace {
+				log.Println("p11mod GetAttributeValue: suppressing CKR_ATTRIBUTE_TYPE_INVALID")
+			}
+
 			value = []byte{}
 		}
 
@@ -386,6 +401,10 @@ func (ll *llBackend) GetAttributeValue(sh pkcs11.SessionHandle, oh pkcs11.Object
 		}
 	}
 
+	if trace {
+		log.Printf("p11mod GetAttributeValue: %d values returned", len(result))
+	}
+
 	return result, nil
 }
 

diff --git a/pkcs11mod.go b/pkcs11mod.go
@@ -33,6 +33,7 @@ import (
 )
 
 var trace bool
+var traceSensitive bool
 
 var logfile io.Closer
 var backend Backend
@@ -59,6 +60,10 @@ func init() {
 	if os.Getenv("PKCS11MOD_TRACE") == "1" {
 		trace = true
 	}
+
+	if os.Getenv("PKCS11MOD_TRACE_SENSITIVE") == "1" {
+		traceSensitive = true
+	}
 }
 
 func SetBackend(b Backend) {
@@ -599,6 +604,10 @@ func Go_GetObjectSize(sessionHandle C.CK_SESSION_HANDLE, objectHandle C.CK_OBJEC
 //export Go_GetAttributeValue
 func Go_GetAttributeValue(sessionHandle C.CK_SESSION_HANDLE, objectHandle C.CK_OBJECT_HANDLE, pTemplate C.CK_ATTRIBUTE_PTR, ulCount C.CK_ULONG) C.CK_RV {
 	if pTemplate == nil && ulCount > 0 {
+		if trace {
+			log.Println("pkcs11mod GetAttributeValue: CKR_ARGUMENTS_BAD")
+		}
+
 		return C.CKR_ARGUMENTS_BAD
 	}
 
@@ -608,10 +617,19 @@ func Go_GetAttributeValue(sessionHandle C.CK_SESSION_HANDLE, objectHandle C.CK_O
 
 	goResults, err := backend.GetAttributeValue(goSessionHandle, goObjectHandle, goTemplate)
 	if err != nil {
+		if trace {
+			log.Printf("pkcs11mod GetAttributeValue: %v", err)
+		}
+
 		return fromError(err)
 	}
 
 	err = fromTemplate(goResults, pTemplate)
+
+	if trace {
+		log.Printf("pkcs11mod GetAttributeValue: %v", err)
+	}
+
 	return fromError(err)
 }
 

diff --git a/types.go b/types.go
@@ -36,6 +36,7 @@ import "C"
 
 import (
 	"fmt"
+	"log"
 	"unsafe"
 
 	"github.com/miekg/pkcs11"
@@ -115,6 +116,10 @@ func fromTemplate(template []*pkcs11.Attribute, clist C.CK_ATTRIBUTE_PTR) error
 	}
 	bufferTooSmall := false
 	for i, x := range template {
+		if trace {
+			log.Printf("pkcs11mod fromTemplate: %s", attrTrace(x))
+		}
+
 		c := l1[i]
 		cLen := C.CK_ULONG(uint(len(x.Value)))
 		if C.getAttributePval(c) == nil {
@@ -189,3 +194,172 @@ func toMechanism(pMechanism C.CK_MECHANISM_PTR) *pkcs11.Mechanism {
 	}
 	return nil
 }
+
+var strCKA = map[uint]string{
+	// awk '/#define CKA_/{ print "pkcs11."$2":\""$2"\"," }' pkcs11t.h | grep -v CKA_SUB_PRIME_BITS | grep -v CKA_EC_PARAMS
+	pkcs11.CKA_CLASS:"CKA_CLASS",
+	pkcs11.CKA_TOKEN:"CKA_TOKEN",
+	pkcs11.CKA_PRIVATE:"CKA_PRIVATE",
+	pkcs11.CKA_LABEL:"CKA_LABEL",
+	pkcs11.CKA_APPLICATION:"CKA_APPLICATION",
+	pkcs11.CKA_VALUE:"CKA_VALUE",
+	pkcs11.CKA_OBJECT_ID:"CKA_OBJECT_ID",
+	pkcs11.CKA_CERTIFICATE_TYPE:"CKA_CERTIFICATE_TYPE",
+	pkcs11.CKA_ISSUER:"CKA_ISSUER",
+	pkcs11.CKA_SERIAL_NUMBER:"CKA_SERIAL_NUMBER",
+	pkcs11.CKA_AC_ISSUER:"CKA_AC_ISSUER",
+	pkcs11.CKA_OWNER:"CKA_OWNER",
+	pkcs11.CKA_ATTR_TYPES:"CKA_ATTR_TYPES",
+	pkcs11.CKA_TRUSTED:"CKA_TRUSTED",
+	pkcs11.CKA_CERTIFICATE_CATEGORY:"CKA_CERTIFICATE_CATEGORY",
+	pkcs11.CKA_JAVA_MIDP_SECURITY_DOMAIN:"CKA_JAVA_MIDP_SECURITY_DOMAIN",
+	pkcs11.CKA_URL:"CKA_URL",
+	pkcs11.CKA_HASH_OF_SUBJECT_PUBLIC_KEY:"CKA_HASH_OF_SUBJECT_PUBLIC_KEY",
+	pkcs11.CKA_HASH_OF_ISSUER_PUBLIC_KEY:"CKA_HASH_OF_ISSUER_PUBLIC_KEY",
+	pkcs11.CKA_NAME_HASH_ALGORITHM:"CKA_NAME_HASH_ALGORITHM",
+	pkcs11.CKA_CHECK_VALUE:"CKA_CHECK_VALUE",
+	pkcs11.CKA_KEY_TYPE:"CKA_KEY_TYPE",
+	pkcs11.CKA_SUBJECT:"CKA_SUBJECT",
+	pkcs11.CKA_ID:"CKA_ID",
+	pkcs11.CKA_SENSITIVE:"CKA_SENSITIVE",
+	pkcs11.CKA_ENCRYPT:"CKA_ENCRYPT",
+	pkcs11.CKA_DECRYPT:"CKA_DECRYPT",
+	pkcs11.CKA_WRAP:"CKA_WRAP",
+	pkcs11.CKA_UNWRAP:"CKA_UNWRAP",
+	pkcs11.CKA_SIGN:"CKA_SIGN",
+	pkcs11.CKA_SIGN_RECOVER:"CKA_SIGN_RECOVER",
+	pkcs11.CKA_VERIFY:"CKA_VERIFY",
+	pkcs11.CKA_VERIFY_RECOVER:"CKA_VERIFY_RECOVER",
+	pkcs11.CKA_DERIVE:"CKA_DERIVE",
+	pkcs11.CKA_START_DATE:"CKA_START_DATE",
+	pkcs11.CKA_END_DATE:"CKA_END_DATE",
+	pkcs11.CKA_MODULUS:"CKA_MODULUS",
+	pkcs11.CKA_MODULUS_BITS:"CKA_MODULUS_BITS",
+	pkcs11.CKA_PUBLIC_EXPONENT:"CKA_PUBLIC_EXPONENT",
+	pkcs11.CKA_PRIVATE_EXPONENT:"CKA_PRIVATE_EXPONENT",
+	pkcs11.CKA_PRIME_1:"CKA_PRIME_1",
+	pkcs11.CKA_PRIME_2:"CKA_PRIME_2",
+	pkcs11.CKA_EXPONENT_1:"CKA_EXPONENT_1",
+	pkcs11.CKA_EXPONENT_2:"CKA_EXPONENT_2",
+	pkcs11.CKA_COEFFICIENT:"CKA_COEFFICIENT",
+	pkcs11.CKA_PUBLIC_KEY_INFO:"CKA_PUBLIC_KEY_INFO",
+	pkcs11.CKA_PRIME:"CKA_PRIME",
+	pkcs11.CKA_SUBPRIME:"CKA_SUBPRIME",
+	pkcs11.CKA_BASE:"CKA_BASE",
+	pkcs11.CKA_PRIME_BITS:"CKA_PRIME_BITS",
+	pkcs11.CKA_SUBPRIME_BITS:"CKA_SUBPRIME_BITS",
+	pkcs11.CKA_VALUE_BITS:"CKA_VALUE_BITS",
+	pkcs11.CKA_VALUE_LEN:"CKA_VALUE_LEN",
+	pkcs11.CKA_EXTRACTABLE:"CKA_EXTRACTABLE",
+	pkcs11.CKA_LOCAL:"CKA_LOCAL",
+	pkcs11.CKA_NEVER_EXTRACTABLE:"CKA_NEVER_EXTRACTABLE",
+	pkcs11.CKA_ALWAYS_SENSITIVE:"CKA_ALWAYS_SENSITIVE",
+	pkcs11.CKA_KEY_GEN_MECHANISM:"CKA_KEY_GEN_MECHANISM",
+	pkcs11.CKA_MODIFIABLE:"CKA_MODIFIABLE",
+	pkcs11.CKA_COPYABLE:"CKA_COPYABLE",
+	pkcs11.CKA_DESTROYABLE:"CKA_DESTROYABLE",
+	pkcs11.CKA_ECDSA_PARAMS:"CKA_ECDSA_PARAMS",
+	pkcs11.CKA_EC_POINT:"CKA_EC_POINT",
+	pkcs11.CKA_SECONDARY_AUTH:"CKA_SECONDARY_AUTH",
+	pkcs11.CKA_AUTH_PIN_FLAGS:"CKA_AUTH_PIN_FLAGS",
+	pkcs11.CKA_ALWAYS_AUTHENTICATE:"CKA_ALWAYS_AUTHENTICATE",
+	pkcs11.CKA_WRAP_WITH_TRUSTED:"CKA_WRAP_WITH_TRUSTED",
+	pkcs11.CKA_WRAP_TEMPLATE:"CKA_WRAP_TEMPLATE",
+	pkcs11.CKA_UNWRAP_TEMPLATE:"CKA_UNWRAP_TEMPLATE",
+	pkcs11.CKA_DERIVE_TEMPLATE:"CKA_DERIVE_TEMPLATE",
+	pkcs11.CKA_OTP_FORMAT:"CKA_OTP_FORMAT",
+	pkcs11.CKA_OTP_LENGTH:"CKA_OTP_LENGTH",
+	pkcs11.CKA_OTP_TIME_INTERVAL:"CKA_OTP_TIME_INTERVAL",
+	pkcs11.CKA_OTP_USER_FRIENDLY_MODE:"CKA_OTP_USER_FRIENDLY_MODE",
+	pkcs11.CKA_OTP_CHALLENGE_REQUIREMENT:"CKA_OTP_CHALLENGE_REQUIREMENT",
+	pkcs11.CKA_OTP_TIME_REQUIREMENT:"CKA_OTP_TIME_REQUIREMENT",
+	pkcs11.CKA_OTP_COUNTER_REQUIREMENT:"CKA_OTP_COUNTER_REQUIREMENT",
+	pkcs11.CKA_OTP_PIN_REQUIREMENT:"CKA_OTP_PIN_REQUIREMENT",
+	pkcs11.CKA_OTP_COUNTER:"CKA_OTP_COUNTER",
+	pkcs11.CKA_OTP_TIME:"CKA_OTP_TIME",
+	pkcs11.CKA_OTP_USER_IDENTIFIER:"CKA_OTP_USER_IDENTIFIER",
+	pkcs11.CKA_OTP_SERVICE_IDENTIFIER:"CKA_OTP_SERVICE_IDENTIFIER",
+	pkcs11.CKA_OTP_SERVICE_LOGO:"CKA_OTP_SERVICE_LOGO",
+	pkcs11.CKA_OTP_SERVICE_LOGO_TYPE:"CKA_OTP_SERVICE_LOGO_TYPE",
+	pkcs11.CKA_GOSTR3410_PARAMS:"CKA_GOSTR3410_PARAMS",
+	pkcs11.CKA_GOSTR3411_PARAMS:"CKA_GOSTR3411_PARAMS",
+	pkcs11.CKA_GOST28147_PARAMS:"CKA_GOST28147_PARAMS",
+	pkcs11.CKA_HW_FEATURE_TYPE:"CKA_HW_FEATURE_TYPE",
+	pkcs11.CKA_RESET_ON_INIT:"CKA_RESET_ON_INIT",
+	pkcs11.CKA_HAS_RESET:"CKA_HAS_RESET",
+	pkcs11.CKA_PIXEL_X:"CKA_PIXEL_X",
+	pkcs11.CKA_PIXEL_Y:"CKA_PIXEL_Y",
+	pkcs11.CKA_RESOLUTION:"CKA_RESOLUTION",
+	pkcs11.CKA_CHAR_ROWS:"CKA_CHAR_ROWS",
+	pkcs11.CKA_CHAR_COLUMNS:"CKA_CHAR_COLUMNS",
+	pkcs11.CKA_COLOR:"CKA_COLOR",
+	pkcs11.CKA_BITS_PER_PIXEL:"CKA_BITS_PER_PIXEL",
+	pkcs11.CKA_CHAR_SETS:"CKA_CHAR_SETS",
+	pkcs11.CKA_ENCODING_METHODS:"CKA_ENCODING_METHODS",
+	pkcs11.CKA_MIME_TYPES:"CKA_MIME_TYPES",
+	pkcs11.CKA_MECHANISM_TYPE:"CKA_MECHANISM_TYPE",
+	pkcs11.CKA_REQUIRED_CMS_ATTRIBUTES:"CKA_REQUIRED_CMS_ATTRIBUTES",
+	pkcs11.CKA_DEFAULT_CMS_ATTRIBUTES:"CKA_DEFAULT_CMS_ATTRIBUTES",
+	pkcs11.CKA_SUPPORTED_CMS_ATTRIBUTES:"CKA_SUPPORTED_CMS_ATTRIBUTES",
+	pkcs11.CKA_ALLOWED_MECHANISMS:"CKA_ALLOWED_MECHANISMS",
+	pkcs11.CKA_VENDOR_DEFINED:"CKA_VENDOR_DEFINED",
+
+	// awk '/CKA_/{ print "pkcs11."$1":\""$1"\"," }' vendor.go
+	pkcs11.CKA_NCIPHER:"CKA_NCIPHER",
+	pkcs11.CKA_NSS:"CKA_NSS",
+	pkcs11.CKA_TRUST:"CKA_TRUST",
+	pkcs11.CKA_NSS_URL:"CKA_NSS_URL",
+	pkcs11.CKA_NSS_EMAIL:"CKA_NSS_EMAIL",
+	pkcs11.CKA_NSS_SMIME_INFO:"CKA_NSS_SMIME_INFO",
+	pkcs11.CKA_NSS_SMIME_TIMESTAMP:"CKA_NSS_SMIME_TIMESTAMP",
+	pkcs11.CKA_NSS_PKCS8_SALT:"CKA_NSS_PKCS8_SALT",
+	pkcs11.CKA_NSS_PASSWORD_CHECK:"CKA_NSS_PASSWORD_CHECK",
+	pkcs11.CKA_NSS_EXPIRES:"CKA_NSS_EXPIRES",
+	pkcs11.CKA_NSS_KRL:"CKA_NSS_KRL",
+	pkcs11.CKA_NSS_PQG_COUNTER:"CKA_NSS_PQG_COUNTER",
+	pkcs11.CKA_NSS_PQG_SEED:"CKA_NSS_PQG_SEED",
+	pkcs11.CKA_NSS_PQG_H:"CKA_NSS_PQG_H",
+	pkcs11.CKA_NSS_PQG_SEED_BITS:"CKA_NSS_PQG_SEED_BITS",
+	pkcs11.CKA_NSS_MODULE_SPEC:"CKA_NSS_MODULE_SPEC",
+	pkcs11.CKA_NSS_OVERRIDE_EXTENSIONS:"CKA_NSS_OVERRIDE_EXTENSIONS",
+	pkcs11.CKA_NSS_JPAKE_SIGNERID:"CKA_NSS_JPAKE_SIGNERID",
+	pkcs11.CKA_NSS_JPAKE_PEERID:"CKA_NSS_JPAKE_PEERID",
+	pkcs11.CKA_NSS_JPAKE_GX1:"CKA_NSS_JPAKE_GX1",
+	pkcs11.CKA_NSS_JPAKE_GX2:"CKA_NSS_JPAKE_GX2",
+	pkcs11.CKA_NSS_JPAKE_GX3:"CKA_NSS_JPAKE_GX3",
+	pkcs11.CKA_NSS_JPAKE_GX4:"CKA_NSS_JPAKE_GX4",
+	pkcs11.CKA_NSS_JPAKE_X2:"CKA_NSS_JPAKE_X2",
+	pkcs11.CKA_NSS_JPAKE_X2S:"CKA_NSS_JPAKE_X2S",
+	pkcs11.CKA_NSS_MOZILLA_CA_POLICY:"CKA_NSS_MOZILLA_CA_POLICY",
+	pkcs11.CKA_TRUST_DIGITAL_SIGNATURE:"CKA_TRUST_DIGITAL_SIGNATURE",
+	pkcs11.CKA_TRUST_NON_REPUDIATION:"CKA_TRUST_NON_REPUDIATION",
+	pkcs11.CKA_TRUST_KEY_ENCIPHERMENT:"CKA_TRUST_KEY_ENCIPHERMENT",
+	pkcs11.CKA_TRUST_DATA_ENCIPHERMENT:"CKA_TRUST_DATA_ENCIPHERMENT",
+	pkcs11.CKA_TRUST_KEY_AGREEMENT:"CKA_TRUST_KEY_AGREEMENT",
+	pkcs11.CKA_TRUST_KEY_CERT_SIGN:"CKA_TRUST_KEY_CERT_SIGN",
+	pkcs11.CKA_TRUST_CRL_SIGN:"CKA_TRUST_CRL_SIGN",
+	pkcs11.CKA_TRUST_SERVER_AUTH:"CKA_TRUST_SERVER_AUTH",
+	pkcs11.CKA_TRUST_CLIENT_AUTH:"CKA_TRUST_CLIENT_AUTH",
+	pkcs11.CKA_TRUST_CODE_SIGNING:"CKA_TRUST_CODE_SIGNING",
+	pkcs11.CKA_TRUST_EMAIL_PROTECTION:"CKA_TRUST_EMAIL_PROTECTION",
+	pkcs11.CKA_TRUST_IPSEC_END_SYSTEM:"CKA_TRUST_IPSEC_END_SYSTEM",
+	pkcs11.CKA_TRUST_IPSEC_TUNNEL:"CKA_TRUST_IPSEC_TUNNEL",
+	pkcs11.CKA_TRUST_IPSEC_USER:"CKA_TRUST_IPSEC_USER",
+	pkcs11.CKA_TRUST_TIME_STAMPING:"CKA_TRUST_TIME_STAMPING",
+	pkcs11.CKA_TRUST_STEP_UP_APPROVED:"CKA_TRUST_STEP_UP_APPROVED",
+	pkcs11.CKA_CERT_SHA1_HASH:"CKA_CERT_SHA1_HASH",
+	pkcs11.CKA_CERT_MD5_HASH:"CKA_CERT_MD5_HASH",
+}
+
+func attrTrace(a *pkcs11.Attribute) string {
+	t, ok := strCKA[a.Type]
+	if !ok {
+		t = fmt.Sprintf("%d", a.Type)
+	}
+
+	if traceSensitive {
+		return fmt.Sprintf("%s: %v", t, a.Value)
+	} else {
+		return fmt.Sprintf("%s", t)
+	}
+}