Correct conflicts and unit test failures in v3 branch

.github/workflows/go.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ 1.16.x, 1.17.x ]
+        go: [ 1.19.x, 1.20.x ]
     steps:
 
     - name: Set up Go

README.md

@@ -1,12 +1,12 @@
 # PKCS#11
 
-This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idiom where
-it makes sense. It has been tested with SoftHSM.
+This is a Go implementation of the PKCS#11 API. It wraps the library closely, but uses Go idioms where
+they make sense. It has been tested with SoftHSM.
 
 The version used is "PKCS #11 Cryptographic Token Interface Base Specification Version 3.0", see
 <http://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/pkcs11-base-v3.0.html>. Note that the header
-files listed there are *broken*, the fixed ones live in a [github repo](https://github.com/oasis-tcs/pkcs11/tree/master/working/headers).
-From that repo commit 188b0b1024403f1907b6cf5fedc0bc148c2221a2 was pulled into this repository.
+files listed there are *broken*, the fixed ones live in a [github repo](https://github.com/oasis-tcs/pkcs11/tree/pkcs11-3.00/published/3-00).
+From that repo commit d8d3a0b7c47d7cc129063004f1fce6553bc70839 was pulled into this repository.
 
 ## SoftHSM
 
@@ -15,7 +15,7 @@ From that repo commit 188b0b1024403f1907b6cf5fedc0bc148c2221a2 was pulled into t
  *  Then use `softhsm` to init it
 
     ~~~
-    softhsm --init-token --slot 0 --label test --pin 1234
+    softhsm2-util --init-token --slot 0 --label test --pin 1234
     ~~~
 
  *  Then use `libsofthsm2.so` as the pkcs11 module:
@@ -24,6 +24,16 @@ From that repo commit 188b0b1024403f1907b6cf5fedc0bc148c2221a2 was pulled into t
     p := pkcs11.New("/usr/lib/softhsm/libsofthsm2.so")
     ~~~
 
+### Mac OS X
+
+ *  If installing `softhsm` via `homebrew`, set the environment variable
+    `SOFTHSM_LIB` to the location of the homebrew installation:
+
+  ~~~
+  export SOFTHSM_LIB=/opt/homebrew/Cellar/softhsm/2.6.1/lib/softhsm/libsofthsm2.so
+  ~~~
+
+
 ## Examples
 
 A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):

const_generate.go

@@ -28,35 +28,82 @@ func main() {
 
 	scanner := bufio.NewScanner(file)
 	fmt.Fprintln(out, "const (")
+	comment := ""
+	prevpre := ""
+	count := 0
 	for scanner.Scan() {
 		// Fairly simple parsing, any line starting with '#define' will output
-		// $2 = $3 and drop any UL (unsigned long) suffixes
+		// $2 = $3 and drop any UL (unsigned long) suffixes.
+		// Some care is taken to add any comments and make the outputted file
+		// have some decent godoc.
 		fields := strings.Fields(scanner.Text())
+		if len(fields) < 1 {
+			continue
+		}
+		if fields[0] == "/*" || fields[0] == "*" {
+			comment += "//" + scanner.Text()[2:]
+			comment = strings.TrimSuffix(comment, "*/")
+			comment += "\n"
+			continue
+		}
+
 		if len(fields) < 3 {
 			continue
 		}
+
 		if fields[0] != "#define" {
+			comment = ""
 			continue
 		}
-		if strings.HasPrefix(fields[1], "CK_") {
-			continue
+
+		if fields[1] == "_PKCS11T_H_" { // clear accumulated comments from the top of the file
+			comment = ""
 		}
+
 		// fields[1] (const name) needs to be 3 chars, starting with CK
 		if !strings.HasPrefix(fields[1], "CK") {
 			continue
 		}
-		value := strings.TrimSuffix(fields[2], "UL")
-		// special case for things like: (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
-		if strings.HasSuffix(value, "UL)") {
-			value = strings.Replace(value, "UL)", ")", 1)
+
+		if x := fields[1][:3]; x != prevpre { // prefix change, insert a newline
+			fmt.Fprintln(out)
+			prevpre = x
 		}
-		// check for /* deprecated */ comment
-		if len(fields) == 6 && fields[4] == "Deprecated" {
-			fmt.Fprintln(out, fields[1], " = ", value, "// Deprecated")
-			continue
+
+		var value string
+		switch fields[1] {
+		case "CK_TRUE":
+			value = "true"
+		case "CK_FALSE":
+			value = "false"
+		default:
+			value = strings.TrimSuffix(fields[2], "UL")
+			// special case for things like: (CKF_ARRAY_ATTRIBUTE|0x00000211UL)
+			if strings.HasSuffix(value, "UL)") {
+				value = strings.Replace(value, "UL)", ")", 1)
+			}
+			// CK_UNAVAILABLE_INFORMATION is encoded as (~0) (with UL) removed, this needs to be ^uint(0) in Go.
+			// Special case that here.
+			if value == "(~0)" {
+				value = "^uint(0)"
+			}
+		}
+
+		if comment != "" {
+			fmt.Fprintln(out) // newline before comment
+			fmt.Fprint(out, comment)
+			comment = ""
 		}
 
-		fmt.Fprintln(out, fields[1], " = ", value)
+		// check for /* ... */ comments
+		linecomment := ""
+		if len(fields) >= 6 && fields[3] == "/*" {
+			linecomment = "// " + strings.Join(fields[4:], " ")
+			linecomment = strings.TrimSuffix(linecomment, "*/") // there is not always a space before */ so fields might not have all elements
+		}
+
+		fmt.Fprintln(out, fields[1], " = ", value, linecomment)
+		count++
 	}
 
 	if err := scanner.Err(); err != nil {
@@ -74,6 +121,18 @@ func main() {
 	}
 	f.Write(res)
 
+	// Used to double check what we generate. This prints (for 2.40 spec):
+	//
+	// "2022/01/05 12:50:28 Wrote 756 constants to zconst.go"
+	//
+	// A grep confirms this correct:
+	//
+	// % grep '^#define CK' pkcs11t.h |wc
+	//     756    2362   38807
+	//
+	// Also see const_test.go where we test this.
+	log.Printf("Wrote %d constants to zconst.go", count)
+
 }
 
 const header = `// Copyright 2013 Miek Gieben. All rights reserved.
@@ -82,7 +141,6 @@ const header = `// Copyright 2013 Miek Gieben. All rights reserved.
 
 // Code generated by "go run const_generate.go"; DO NOT EDIT.
 
-
 package pkcs11
 
 `

const_test.go

@@ -0,0 +1,43 @@
+package pkcs11
+
+import (
+	"bytes"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os/exec"
+	"testing"
+)
+
+func TestConstCouunt(t *testing.T) {
+	fset := token.NewFileSet()
+	f, err := parser.ParseFile(fset, "zconst.go", nil, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	count := 0
+	// Range through declarations:
+	for _, dd := range f.Decls {
+		if gd, ok := dd.(*ast.GenDecl); ok {
+			if gd.Tok == token.CONST {
+				for range gd.Specs {
+					count++
+				}
+			}
+		}
+	}
+
+	// Now to validate, run a shell pipeline to get the number in a different way from pkcs11t.h .
+	grep := exec.Command("grep", "^#define CK", "pkcs11t.h")
+	out, err := grep.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+	newline := []byte{'\n'}
+	defines := bytes.Count(out, newline)
+
+	if count != defines {
+		t.Fatalf("Got %d constants from zconst.go, but %d #defines from pkcs11t.h", count, defines)
+	}
+}

p11/crypto.go

@@ -46,6 +46,37 @@ func (priv PrivateKey) Sign(mechanism pkcs11.Mechanism, message []byte) ([]byte,
 	return out, nil
 }
 
+func (priv PrivateKey) deriveInner(mechanism pkcs11.Mechanism, attributes []*pkcs11.Attribute) (*Object, error) {
+	s := priv.session
+	s.Lock()
+	defer s.Unlock()
+	objectHandle, err := s.ctx.DeriveKey(s.handle, []*pkcs11.Mechanism{&mechanism}, priv.objectHandle, attributes)
+	if err != nil {
+		return nil, err
+	}
+
+	obj := Object{
+		session:      s,
+		objectHandle: objectHandle,
+	}
+	return &obj, nil
+}
+
+// Derive derives a shared secret with a given mechanism.
+func (priv PrivateKey) Derive(mechanism pkcs11.Mechanism, attributes []*pkcs11.Attribute) ([]byte, error) {
+	sharedObj, err := priv.deriveInner(mechanism, attributes)
+	if err != nil {
+		return nil, err
+	}
+
+	sharedSecret, err := sharedObj.Value()
+	if err != nil {
+		return nil, err
+	}
+
+	return sharedSecret, nil
+}
+
 // Verify verifies a signature over a message with a given mechanism.
 func (pub PublicKey) Verify(mechanism pkcs11.Mechanism, message, signature []byte) error {
 	s := pub.session

p11/module.go

@@ -71,11 +71,11 @@ var modulesMu sync.Mutex
 // OpenModule loads a PKCS#11 module (a .so file or dynamically loaded library).
 // It's an error to load a PKCS#11 module multiple times, so this package
 // will return a previously loaded Module for the same path if possible.
-// Note that there is no facility to unload a module ("finalize" in PKCS#11
-// parlance). In general, modules will be unloaded at the end of the process.
-// The only place where you are likely to need to explicitly unload a module is
-// if you fork your process. If you need to fork, you may want to use the
-// lower-level `pkcs11` package.
+//
+// In general, modules will be unloaded at the end of the process. The only
+// place where you are likely to need to explicitly unload a module is if you
+// fork your process. If you need to fork, you may want to use the lower-level
+// `pkcs11` package.
 func OpenModule(path string) (Module, error) {
 	modulesMu.Lock()
 	defer modulesMu.Unlock()
@@ -125,6 +125,24 @@ func (m Module) Slots() ([]Slot, error) {
 }
 
 // Destroy unloads the module/library.
+//
+// Once called, any code which uses this module might crash the application.
 func (m Module) Destroy() {
+	modulesMu.Lock()
+	defer modulesMu.Unlock()
+
+	// Find initialized module based on ctx
+	var path string
+	for k, v := range modules {
+		if v.ctx == m.ctx {
+			path = k
+			break
+		}
+	}
+	if path != "" {
+		delete(modules, path)
+	}
+
+	_ = m.ctx.Finalize()
 	m.ctx.Destroy()
 }

p11/slot.go

@@ -91,6 +91,16 @@ type Mechanism struct {
 	slot      Slot
 }
 
+// Type returns the type of mechanism.
+func (m *Mechanism) Type() uint {
+	return m.mechanism.Mechanism
+}
+
+// Parameter returns any parameters required by the mechanism.
+func (m *Mechanism) Parameter() []byte {
+	return m.mechanism.Parameter
+}
+
 // Info returns information about this mechanism.
 func (m *Mechanism) Info() (pkcs11.MechanismInfo, error) {
 	return m.slot.ctx.GetMechanismInfo(m.slot.id, []*pkcs11.Mechanism{m.mechanism})