github.com/lzy4123/fabric@v2.1.1+incompatible/bccsp/pkcs11/pkcs11.go (about)

     1  /*
     2  Copyright IBM Corp. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package pkcs11
     8  
     9  import (
    10  	"crypto/ecdsa"
    11  	"crypto/elliptic"
    12  	"crypto/sha256"
    13  	"encoding/asn1"
    14  	"encoding/hex"
    15  	"fmt"
    16  	"math/big"
    17  	"sync"
    18  	"time"
    19  
    20  	"github.com/miekg/pkcs11"
    21  	"go.uber.org/zap/zapcore"
    22  )
    23  
    24  func loadLib(lib, pin, label string) (*pkcs11.Ctx, uint, *pkcs11.SessionHandle, error) {
    25  	var slot uint
    26  	logger.Debugf("Loading pkcs11 library [%s]\n", lib)
    27  	if lib == "" {
    28  		return nil, slot, nil, fmt.Errorf("No PKCS11 library default")
    29  	}
    30  
    31  	ctx := pkcs11.New(lib)
    32  	if ctx == nil {
    33  		return nil, slot, nil, fmt.Errorf("Instantiate failed [%s]", lib)
    34  	}
    35  
    36  	ctx.Initialize()
    37  	slots, err := ctx.GetSlotList(true)
    38  	if err != nil {
    39  		return nil, slot, nil, fmt.Errorf("Could not get Slot List [%s]", err)
    40  	}
    41  	found := false
    42  	for _, s := range slots {
    43  		info, errToken := ctx.GetTokenInfo(s)
    44  		if errToken != nil {
    45  			continue
    46  		}
    47  		logger.Debugf("Looking for %s, found label %s\n", label, info.Label)
    48  		if label == info.Label {
    49  			found = true
    50  			slot = s
    51  			break
    52  		}
    53  	}
    54  	if !found {
    55  		return nil, slot, nil, fmt.Errorf("Could not find token with label %s", label)
    56  	}
    57  
    58  	session := createSession(ctx, slot, pin)
    59  
    60  	logger.Debugf("Created new pkcs11 session %+v on slot %d\n", session, slot)
    61  
    62  	if pin == "" {
    63  		return nil, slot, nil, fmt.Errorf("No PIN set")
    64  	}
    65  	err = ctx.Login(session, pkcs11.CKU_USER, pin)
    66  	if err != nil {
    67  		if err != pkcs11.Error(pkcs11.CKR_USER_ALREADY_LOGGED_IN) {
    68  			return nil, slot, nil, fmt.Errorf("Login failed [%s]", err)
    69  		}
    70  	}
    71  
    72  	return ctx, slot, &session, nil
    73  }
    74  
    75  func (csp *impl) getSession() (session pkcs11.SessionHandle) {
    76  	select {
    77  	case session = <-csp.sessions:
    78  		_, err := csp.ctx.GetSessionInfo(session)
    79  		if err != nil {
    80  			logger.Warningf("Get session info failed [%s], closing existing session and getting a new session\n", err)
    81  			csp.ctx.CloseSession(session)
    82  			session = createSession(csp.ctx, csp.slot, csp.pin)
    83  		} else {
    84  			logger.Debugf("Reusing existing pkcs11 session %+v on slot %d\n", session, csp.slot)
    85  		}
    86  
    87  	default:
    88  		// cache is empty (or completely in use), create a new session
    89  		session = createSession(csp.ctx, csp.slot, csp.pin)
    90  	}
    91  	return session
    92  }
    93  
    94  func createSession(ctx *pkcs11.Ctx, slot uint, pin string) pkcs11.SessionHandle {
    95  	var s pkcs11.SessionHandle
    96  	var err error
    97  	// attempt 10 times to open a session with a 100ms delay after each attempt
    98  	for i := 0; i < 10; i++ {
    99  		s, err = ctx.OpenSession(slot, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
   100  		if err != nil {
   101  			logger.Warningf("OpenSession failed, retrying [%s]\n", err)
   102  		} else {
   103  			break
   104  		}
   105  		time.Sleep(100 * time.Millisecond)
   106  	}
   107  	if err != nil {
   108  		logger.Fatalf("OpenSession failed [%s]", err)
   109  	}
   110  	logger.Debugf("Created new pkcs11 session %+v on slot %d\n", s, slot)
   111  	session := s
   112  
   113  	err = ctx.Login(session, pkcs11.CKU_USER, pin)
   114  	if err != nil {
   115  		if err != pkcs11.Error(pkcs11.CKR_USER_ALREADY_LOGGED_IN) {
   116  			logger.Errorf("Login failed [%s]", err)
   117  		}
   118  	}
   119  	return session
   120  }
   121  
   122  func (csp *impl) returnSession(session pkcs11.SessionHandle) {
   123  	select {
   124  	case csp.sessions <- session:
   125  		// returned session back to session cache
   126  	default:
   127  		// have plenty of sessions in cache, dropping
   128  		csp.ctx.CloseSession(session)
   129  	}
   130  }
   131  
   132  // Look for an EC key by SKI, stored in CKA_ID
   133  func (csp *impl) getECKey(ski []byte) (pubKey *ecdsa.PublicKey, isPriv bool, err error) {
   134  	p11lib := csp.ctx
   135  	session := csp.getSession()
   136  	defer csp.returnSession(session)
   137  	isPriv = true
   138  	_, err = findKeyPairFromSKI(p11lib, session, ski, privateKeyType)
   139  	if err != nil {
   140  		isPriv = false
   141  		logger.Debugf("Private key not found [%s] for SKI [%s], looking for Public key", err, hex.EncodeToString(ski))
   142  	}
   143  
   144  	publicKey, err := findKeyPairFromSKI(p11lib, session, ski, publicKeyType)
   145  	if err != nil {
   146  		return nil, false, fmt.Errorf("Public key not found [%s] for SKI [%s]", err, hex.EncodeToString(ski))
   147  	}
   148  
   149  	ecpt, marshaledOid, err := ecPoint(p11lib, session, *publicKey)
   150  	if err != nil {
   151  		return nil, false, fmt.Errorf("Public key not found [%s] for SKI [%s]", err, hex.EncodeToString(ski))
   152  	}
   153  
   154  	curveOid := new(asn1.ObjectIdentifier)
   155  	_, err = asn1.Unmarshal(marshaledOid, curveOid)
   156  	if err != nil {
   157  		return nil, false, fmt.Errorf("Failed Unmarshaling Curve OID [%s]\n%s", err.Error(), hex.EncodeToString(marshaledOid))
   158  	}
   159  
   160  	curve := namedCurveFromOID(*curveOid)
   161  	if curve == nil {
   162  		return nil, false, fmt.Errorf("Cound not recognize Curve from OID")
   163  	}
   164  	x, y := elliptic.Unmarshal(curve, ecpt)
   165  	if x == nil {
   166  		return nil, false, fmt.Errorf("Failed Unmarshaling Public Key")
   167  	}
   168  
   169  	pubKey = &ecdsa.PublicKey{Curve: curve, X: x, Y: y}
   170  	return pubKey, isPriv, nil
   171  }
   172  
   173  // RFC 5480, 2.1.1.1. Named Curve
   174  //
   175  // secp224r1 OBJECT IDENTIFIER ::= {
   176  //   iso(1) identified-organization(3) certicom(132) curve(0) 33 }
   177  //
   178  // secp256r1 OBJECT IDENTIFIER ::= {
   179  //   iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
   180  //   prime(1) 7 }
   181  //
   182  // secp384r1 OBJECT IDENTIFIER ::= {
   183  //   iso(1) identified-organization(3) certicom(132) curve(0) 34 }
   184  //
   185  // secp521r1 OBJECT IDENTIFIER ::= {
   186  //   iso(1) identified-organization(3) certicom(132) curve(0) 35 }
   187  //
   188  var (
   189  	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
   190  	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
   191  	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
   192  	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
   193  )
   194  
   195  func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
   196  	switch {
   197  	case oid.Equal(oidNamedCurveP224):
   198  		return elliptic.P224()
   199  	case oid.Equal(oidNamedCurveP256):
   200  		return elliptic.P256()
   201  	case oid.Equal(oidNamedCurveP384):
   202  		return elliptic.P384()
   203  	case oid.Equal(oidNamedCurveP521):
   204  		return elliptic.P521()
   205  	}
   206  	return nil
   207  }
   208  
   209  func (csp *impl) generateECKey(curve asn1.ObjectIdentifier, ephemeral bool) (ski []byte, pubKey *ecdsa.PublicKey, err error) {
   210  	p11lib := csp.ctx
   211  	session := csp.getSession()
   212  	defer csp.returnSession(session)
   213  
   214  	id := nextIDCtr()
   215  	publabel := fmt.Sprintf("BCPUB%s", id.Text(16))
   216  	prvlabel := fmt.Sprintf("BCPRV%s", id.Text(16))
   217  
   218  	marshaledOID, err := asn1.Marshal(curve)
   219  	if err != nil {
   220  		return nil, nil, fmt.Errorf("Could not marshal OID [%s]", err.Error())
   221  	}
   222  
   223  	pubkeyT := []*pkcs11.Attribute{
   224  		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC),
   225  		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PUBLIC_KEY),
   226  		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, !ephemeral),
   227  		pkcs11.NewAttribute(pkcs11.CKA_VERIFY, true),
   228  		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, marshaledOID),
   229  
   230  		pkcs11.NewAttribute(pkcs11.CKA_ID, publabel),
   231  		pkcs11.NewAttribute(pkcs11.CKA_LABEL, publabel),
   232  	}
   233  
   234  	prvkeyT := []*pkcs11.Attribute{
   235  		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_EC),
   236  		pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY),
   237  		pkcs11.NewAttribute(pkcs11.CKA_TOKEN, !ephemeral),
   238  		pkcs11.NewAttribute(pkcs11.CKA_PRIVATE, true),
   239  		pkcs11.NewAttribute(pkcs11.CKA_SIGN, true),
   240  
   241  		pkcs11.NewAttribute(pkcs11.CKA_ID, prvlabel),
   242  		pkcs11.NewAttribute(pkcs11.CKA_LABEL, prvlabel),
   243  
   244  		pkcs11.NewAttribute(pkcs11.CKA_EXTRACTABLE, false),
   245  		pkcs11.NewAttribute(pkcs11.CKA_SENSITIVE, true),
   246  	}
   247  
   248  	pub, prv, err := p11lib.GenerateKeyPair(session,
   249  		[]*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_EC_KEY_PAIR_GEN, nil)},
   250  		pubkeyT, prvkeyT)
   251  
   252  	if err != nil {
   253  		return nil, nil, fmt.Errorf("P11: keypair generate failed [%s]", err)
   254  	}
   255  
   256  	ecpt, _, err := ecPoint(p11lib, session, pub)
   257  	if err != nil {
   258  		return nil, nil, fmt.Errorf("Error querying EC-point: [%s]", err)
   259  	}
   260  	hash := sha256.Sum256(ecpt)
   261  	ski = hash[:]
   262  
   263  	// set CKA_ID of the both keys to SKI(public key) and CKA_LABEL to hex string of SKI
   264  	setskiT := []*pkcs11.Attribute{
   265  		pkcs11.NewAttribute(pkcs11.CKA_ID, ski),
   266  		pkcs11.NewAttribute(pkcs11.CKA_LABEL, hex.EncodeToString(ski)),
   267  	}
   268  
   269  	logger.Infof("Generated new P11 key, SKI %x\n", ski)
   270  	err = p11lib.SetAttributeValue(session, pub, setskiT)
   271  	if err != nil {
   272  		return nil, nil, fmt.Errorf("P11: set-ID-to-SKI[public] failed [%s]", err)
   273  	}
   274  
   275  	err = p11lib.SetAttributeValue(session, prv, setskiT)
   276  	if err != nil {
   277  		return nil, nil, fmt.Errorf("P11: set-ID-to-SKI[private] failed [%s]", err)
   278  	}
   279  
   280  	//Set CKA_Modifible to false for both public key and private keys
   281  	if csp.immutable {
   282  		setCKAModifiable := []*pkcs11.Attribute{
   283  			pkcs11.NewAttribute(pkcs11.CKA_MODIFIABLE, false),
   284  		}
   285  
   286  		_, pubCopyerror := p11lib.CopyObject(session, pub, setCKAModifiable)
   287  		if pubCopyerror != nil {
   288  			return nil, nil, fmt.Errorf("P11: Public Key copy failed with error [%s] . Please contact your HSM vendor", pubCopyerror)
   289  		}
   290  
   291  		pubKeyDestroyError := p11lib.DestroyObject(session, pub)
   292  		if pubKeyDestroyError != nil {
   293  			return nil, nil, fmt.Errorf("P11: Public Key destroy failed with error [%s]. Please contact your HSM vendor", pubCopyerror)
   294  		}
   295  
   296  		_, prvCopyerror := p11lib.CopyObject(session, prv, setCKAModifiable)
   297  		if prvCopyerror != nil {
   298  			return nil, nil, fmt.Errorf("P11: Private Key copy failed with error [%s]. Please contact your HSM vendor", prvCopyerror)
   299  		}
   300  		prvKeyDestroyError := p11lib.DestroyObject(session, prv)
   301  		if pubKeyDestroyError != nil {
   302  			return nil, nil, fmt.Errorf("P11: Private Key destroy failed with error [%s]. Please contact your HSM vendor", prvKeyDestroyError)
   303  		}
   304  	}
   305  
   306  	nistCurve := namedCurveFromOID(curve)
   307  	if curve == nil {
   308  		return nil, nil, fmt.Errorf("Cound not recognize Curve from OID")
   309  	}
   310  	x, y := elliptic.Unmarshal(nistCurve, ecpt)
   311  	if x == nil {
   312  		return nil, nil, fmt.Errorf("Failed Unmarshaling Public Key")
   313  	}
   314  
   315  	pubGoKey := &ecdsa.PublicKey{Curve: nistCurve, X: x, Y: y}
   316  
   317  	if logger.IsEnabledFor(zapcore.DebugLevel) {
   318  		listAttrs(p11lib, session, prv)
   319  		listAttrs(p11lib, session, pub)
   320  	}
   321  
   322  	return ski, pubGoKey, nil
   323  }
   324  
   325  func (csp *impl) signP11ECDSA(ski []byte, msg []byte) (R, S *big.Int, err error) {
   326  	p11lib := csp.ctx
   327  	session := csp.getSession()
   328  	defer csp.returnSession(session)
   329  
   330  	privateKey, err := findKeyPairFromSKI(p11lib, session, ski, privateKeyType)
   331  	if err != nil {
   332  		return nil, nil, fmt.Errorf("Private key not found [%s]", err)
   333  	}
   334  
   335  	err = p11lib.SignInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)}, *privateKey)
   336  	if err != nil {
   337  		return nil, nil, fmt.Errorf("Sign-initialize  failed [%s]", err)
   338  	}
   339  
   340  	var sig []byte
   341  
   342  	sig, err = p11lib.Sign(session, msg)
   343  	if err != nil {
   344  		return nil, nil, fmt.Errorf("P11: sign failed [%s]", err)
   345  	}
   346  
   347  	R = new(big.Int)
   348  	S = new(big.Int)
   349  	R.SetBytes(sig[0 : len(sig)/2])
   350  	S.SetBytes(sig[len(sig)/2:])
   351  
   352  	return R, S, nil
   353  }
   354  
   355  func (csp *impl) verifyP11ECDSA(ski []byte, msg []byte, R, S *big.Int, byteSize int) (bool, error) {
   356  	p11lib := csp.ctx
   357  	session := csp.getSession()
   358  	defer csp.returnSession(session)
   359  
   360  	logger.Debugf("Verify ECDSA\n")
   361  
   362  	publicKey, err := findKeyPairFromSKI(p11lib, session, ski, publicKeyType)
   363  	if err != nil {
   364  		return false, fmt.Errorf("Public key not found [%s]", err)
   365  	}
   366  
   367  	r := R.Bytes()
   368  	s := S.Bytes()
   369  
   370  	// Pad front of R and S with Zeroes if needed
   371  	sig := make([]byte, 2*byteSize)
   372  	copy(sig[byteSize-len(r):byteSize], r)
   373  	copy(sig[2*byteSize-len(s):], s)
   374  
   375  	err = p11lib.VerifyInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil)},
   376  		*publicKey)
   377  	if err != nil {
   378  		return false, fmt.Errorf("PKCS11: Verify-initialize [%s]", err)
   379  	}
   380  	err = p11lib.Verify(session, msg, sig)
   381  	if err == pkcs11.Error(pkcs11.CKR_SIGNATURE_INVALID) {
   382  		return false, nil
   383  	}
   384  	if err != nil {
   385  		return false, fmt.Errorf("PKCS11: Verify failed [%s]", err)
   386  	}
   387  
   388  	return true, nil
   389  }
   390  
   391  type keyType int8
   392  
   393  const (
   394  	publicKeyType keyType = iota
   395  	privateKeyType
   396  )
   397  
   398  func findKeyPairFromSKI(mod *pkcs11.Ctx, session pkcs11.SessionHandle, ski []byte, keyType keyType) (*pkcs11.ObjectHandle, error) {
   399  	ktype := pkcs11.CKO_PUBLIC_KEY
   400  	if keyType == privateKeyType {
   401  		ktype = pkcs11.CKO_PRIVATE_KEY
   402  	}
   403  
   404  	template := []*pkcs11.Attribute{
   405  		pkcs11.NewAttribute(pkcs11.CKA_CLASS, ktype),
   406  		pkcs11.NewAttribute(pkcs11.CKA_ID, ski),
   407  	}
   408  	if err := mod.FindObjectsInit(session, template); err != nil {
   409  		return nil, err
   410  	}
   411  
   412  	// single session instance, assume one hit only
   413  	objs, _, err := mod.FindObjects(session, 1)
   414  	if err != nil {
   415  		return nil, err
   416  	}
   417  	if err = mod.FindObjectsFinal(session); err != nil {
   418  		return nil, err
   419  	}
   420  
   421  	if len(objs) == 0 {
   422  		return nil, fmt.Errorf("Key not found [%s]", hex.Dump(ski))
   423  	}
   424  
   425  	return &objs[0], nil
   426  }
   427  
   428  // Fairly straightforward EC-point query, other than opencryptoki
   429  // mis-reporting length, including the 04 Tag of the field following
   430  // the SPKI in EP11-returned MACed publickeys:
   431  //
   432  // attr type 385/x181, length 66 b  -- SHOULD be 1+64
   433  // EC point:
   434  // 00000000  04 ce 30 31 6d 5a fd d3  53 2d 54 9a 27 54 d8 7c
   435  // 00000010  d9 80 35 91 09 2d 6f 06  5a 8e e3 cb c0 01 b7 c9
   436  // 00000020  13 5d 70 d4 e5 62 f2 1b  10 93 f7 d5 77 41 ba 9d
   437  // 00000030  93 3e 18 3e 00 c6 0a 0e  d2 36 cc 7f be 50 16 ef
   438  // 00000040  06 04
   439  //
   440  // cf. correct field:
   441  //   0  89: SEQUENCE {
   442  //   2  19:   SEQUENCE {
   443  //   4   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
   444  //  13   8:     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
   445  //        :     }
   446  //  23  66:   BIT STRING
   447  //        :     04 CE 30 31 6D 5A FD D3 53 2D 54 9A 27 54 D8 7C
   448  //        :     D9 80 35 91 09 2D 6F 06 5A 8E E3 CB C0 01 B7 C9
   449  //        :     13 5D 70 D4 E5 62 F2 1B 10 93 F7 D5 77 41 BA 9D
   450  //        :     93 3E 18 3E 00 C6 0A 0E D2 36 CC 7F BE 50 16 EF
   451  //        :     06
   452  //        :   }
   453  //
   454  // as a short-term workaround, remove the trailing byte if:
   455  //   - receiving an even number of bytes == 2*prime-coordinate +2 bytes
   456  //   - starting byte is 04: uncompressed EC point
   457  //   - trailing byte is 04: assume it belongs to the next OCTET STRING
   458  //
   459  // [mis-parsing encountered with v3.5.1, 2016-10-22]
   460  //
   461  // SoftHSM reports extra two bytes before the uncompressed point
   462  // 0x04 || <Length*2+1>
   463  //                 VV< Actual start of point
   464  // 00000000  04 41 04 6c c8 57 32 13  02 12 6a 19 23 1d 5a 64  |.A.l.W2...j.#.Zd|
   465  // 00000010  33 0c eb 75 4d e8 99 22  92 35 96 b2 39 58 14 1e  |3..uM..".5..9X..|
   466  // 00000020  19 de ef 32 46 50 68 02  24 62 36 db ed b1 84 7b  |...2FPh.$b6....{|
   467  // 00000030  93 d8 40 c3 d5 a6 b7 38  16 d2 35 0a 53 11 f9 51  |..@....8..5.S..Q|
   468  // 00000040  fc a7 16                                          |...|
   469  func ecPoint(p11lib *pkcs11.Ctx, session pkcs11.SessionHandle, key pkcs11.ObjectHandle) (ecpt, oid []byte, err error) {
   470  	template := []*pkcs11.Attribute{
   471  		pkcs11.NewAttribute(pkcs11.CKA_EC_POINT, nil),
   472  		pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, nil),
   473  	}
   474  
   475  	attr, err := p11lib.GetAttributeValue(session, key, template)
   476  	if err != nil {
   477  		return nil, nil, fmt.Errorf("PKCS11: get(EC point) [%s]", err)
   478  	}
   479  
   480  	for _, a := range attr {
   481  		if a.Type == pkcs11.CKA_EC_POINT {
   482  			logger.Debugf("EC point: attr type %d/0x%x, len %d\n%s\n", a.Type, a.Type, len(a.Value), hex.Dump(a.Value))
   483  
   484  			// workarounds, see above
   485  			if ((len(a.Value) % 2) == 0) &&
   486  				(byte(0x04) == a.Value[0]) &&
   487  				(byte(0x04) == a.Value[len(a.Value)-1]) {
   488  				logger.Debugf("Detected opencryptoki bug, trimming trailing 0x04")
   489  				ecpt = a.Value[0 : len(a.Value)-1] // Trim trailing 0x04
   490  			} else if byte(0x04) == a.Value[0] && byte(0x04) == a.Value[2] {
   491  				logger.Debugf("Detected SoftHSM bug, trimming leading 0x04 0xXX")
   492  				ecpt = a.Value[2:len(a.Value)]
   493  			} else {
   494  				ecpt = a.Value
   495  			}
   496  		} else if a.Type == pkcs11.CKA_EC_PARAMS {
   497  			logger.Debugf("EC point: attr type %d/0x%x, len %d\n%s\n", a.Type, a.Type, len(a.Value), hex.Dump(a.Value))
   498  
   499  			oid = a.Value
   500  		}
   501  	}
   502  	if oid == nil || ecpt == nil {
   503  		return nil, nil, fmt.Errorf("CKA_EC_POINT not found, perhaps not an EC Key?")
   504  	}
   505  
   506  	return ecpt, oid, nil
   507  }
   508  
   509  func listAttrs(p11lib *pkcs11.Ctx, session pkcs11.SessionHandle, obj pkcs11.ObjectHandle) {
   510  	var cktype, ckclass uint
   511  	var ckaid, cklabel []byte
   512  
   513  	if p11lib == nil {
   514  		return
   515  	}
   516  
   517  	template := []*pkcs11.Attribute{
   518  		pkcs11.NewAttribute(pkcs11.CKA_CLASS, ckclass),
   519  		pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, cktype),
   520  		pkcs11.NewAttribute(pkcs11.CKA_ID, ckaid),
   521  		pkcs11.NewAttribute(pkcs11.CKA_LABEL, cklabel),
   522  	}
   523  
   524  	// certain errors are tolerated, if value is missing
   525  	attr, err := p11lib.GetAttributeValue(session, obj, template)
   526  	if err != nil {
   527  		logger.Debugf("P11: get(attrlist) [%s]\n", err)
   528  	}
   529  
   530  	for _, a := range attr {
   531  		// Would be friendlier if the bindings provided a way convert Attribute hex to string
   532  		logger.Debugf("ListAttr: type %d/0x%x, length %d\n%s", a.Type, a.Type, len(a.Value), hex.Dump(a.Value))
   533  	}
   534  }
   535  
   536  var (
   537  	bigone  = new(big.Int).SetInt64(1)
   538  	idCtr   = new(big.Int)
   539  	idMutex sync.Mutex
   540  )
   541  
   542  func nextIDCtr() *big.Int {
   543  	idMutex.Lock()
   544  	idCtr = new(big.Int).Add(idCtr, bigone)
   545  	idMutex.Unlock()
   546  	return idCtr
   547  }