Reputation: 9845
I have a PKCS11 token with an object that was created by an application. I'm trying to write another application that reads the object. I've managed to find the objects using C_FindObjectsInit() and C_FindObjects(). I then call C_GetObjectSize() to make sure the object size is as expected. It is. Next, I call C_GetAttributeValue() to read the object. The returned template has the correct ulValueLen, but the pValue is 0. What am I doing wrong? The code to read the object is as follows:
    CK_ATTRIBUTE dataTemplate[] = {
        {CKA_VALUE, NULL_PTR, 0}
    };
    ret = C_GetObjectSize(hSession, hObject, &ulSize);
    if (ret != CKR_OK) {
        LOGE("C_GetObjectSize exception! Return value was %x", (int)ret);
        return -1;
    }
    /* CK_ULONG is an unsigned long, so print it with %lu */
    LOGD("Size of object is %lu", (unsigned long)ulSize);
    ret = C_GetAttributeValue(hSession, hObject, dataTemplate, sizeof(dataTemplate)/sizeof(CK_ATTRIBUTE));
    if (ret != CKR_OK)
    {
        LOGE("C_GetAttributeValue error! Return value was %d", (int)ret);
        return -1;
    }
Upvotes: 1
Views: 5476
Reputation: 392
You don't need to call C_GetObjectSize to get the length of the object's value; you can use only C_GetAttributeValue if you already have the handle of the object.
This is code I often use to get an object's value inside a PKCS#11 token. Hope this helps.
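    CK_ATTRIBUTE dataTemplate[] = {
        {CKA_VALUE, NULL_PTR, 0}
    };
    // First call with pValue == NULL_PTR: only used to get the length of the value
    ret = C_GetAttributeValue(hSession, hObject, dataTemplate, 1);
    if (ret != CKR_OK) {
        return;
    }
    // Allocate a buffer of the reported length (the field is pValue, not value)
    dataTemplate[0].pValue = new char[dataTemplate[0].ulValueLen];
    // Second call copies the value into the buffer
    ret = C_GetAttributeValue(hSession, hObject, dataTemplate, 1);
    if (ret != CKR_OK) {
        // pValue is a void pointer, so cast it back before delete[]
        delete[] static_cast<char *>(dataTemplate[0].pValue);
        return;
    }
    // Now we have the value of the object and can show it or do something with it
    show_or_do_smth(dataTemplate[0].pValue);
    // Release the buffer once the value is no longer needed
    delete[] static_cast<char *>(dataTemplate[0].pValue);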
Upvotes: 1
Reputation: 8116
You need to provide a valid buffer where the value gets copied. I.e.:
    CK_BYTE valueBuffer[128];
    CK_ATTRIBUTE dataTemplate[] = {
        {CKA_VALUE, valueBuffer, sizeof(valueBuffer)}
    };
Citing pkcs11:
For each (type, pValue, ulValueLen) triple in the template, C_GetAttributeValue performs the following algorithm:
1. If the specified attribute (i.e., the attribute specified by the type field) for the object cannot be revealed because the object is sensitive or unextractable, then the ulValueLen field in that triple is modified to hold the value -1 (i.e., when it is cast to a CK_LONG, it holds -1).
2. Otherwise, if the specified attribute for the object is invalid (the object does not possess such an attribute), then the ulValueLen field in that triple is modified to hold the value -1.
3. Otherwise, if the pValue field has the value NULL_PTR, then the ulValueLen field is modified to hold the exact length of the specified attribute for the object.
4. Otherwise, if the length specified in ulValueLen is large enough to hold the value of the specified attribute for the object, then that attribute is copied into the buffer located at pValue, and the ulValueLen field is modified to hold the exact length of the attribute.
5. Otherwise, the ulValueLen field is modified to hold the value -1.
Upvotes: 2
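The two-call read from the answers above, run against a small mock of the quoted five-step algorithm so that it builds without a token. This is an added example, not code from any of the posts: the type and constant definitions are stand-ins for pkcs11t.h, and mock_object, mock_get_attribute_value and read_value are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for pkcs11t.h, declared here (assumption) so the example builds offline */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_VALUE = 0x11, CKR_OK = 0x0, CKR_ATTRIBUTE_SENSITIVE = 0x11,
       CKR_ATTRIBUTE_TYPE_INVALID = 0x12, CKR_BUFFER_TOO_SMALL = 0x150 };
#define CK_UNAVAILABLE_INFORMATION (~0UL)   /* the "-1" of the quoted text */

/* Hypothetical in-memory object holding one CKA_VALUE, optionally sensitive */
typedef struct { const unsigned char *value; CK_ULONG len; int sensitive; } mock_object;

/* Mock of the quoted five-step algorithm, run for each template entry */
static CK_RV mock_get_attribute_value(const mock_object *o, CK_ATTRIBUTE *t, CK_ULONG n) {
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < n; i++, t++) {
        CK_ULONG len = CK_UNAVAILABLE_INFORMATION;   /* steps 1, 2 and 5 report -1 */
        if (t->type == CKA_VALUE && o->sensitive) rv = CKR_ATTRIBUTE_SENSITIVE;
        else if (t->type != CKA_VALUE) rv = CKR_ATTRIBUTE_TYPE_INVALID;
        else if (t->pValue == NULL) len = o->len;    /* step 3: length only, no copy */
        else if (t->ulValueLen >= o->len) { memcpy(t->pValue, o->value, o->len); len = o->len; }
        else rv = CKR_BUFFER_TOO_SMALL;
        t->ulValueLen = len;
    }
    return rv;
}

/* Two-call read: query the length, allocate, fetch. The caller frees the result. */
static unsigned char *read_value(const mock_object *o, CK_ULONG *out_len) {
    CK_ATTRIBUTE t = { CKA_VALUE, NULL, 0 };
    if (mock_get_attribute_value(o, &t, 1) != CKR_OK || t.ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return NULL;                                 /* never size a buffer from -1 */
    t.pValue = malloc(t.ulValueLen ? t.ulValueLen : 1);
    if (t.pValue == NULL || mock_get_attribute_value(o, &t, 1) != CKR_OK) {
        free(t.pValue);
        return NULL;
    }
    *out_len = t.ulValueLen;
    return t.pValue;
}

int main(void) {   /* constructed sample: a 5-byte value that is not sensitive */
    mock_object obj = { (const unsigned char *)"hello", 5, 0 };
    CK_ULONG len = 0;
    unsigned char *v = read_value(&obj, &len);
    printf("%s (%lu bytes)\n", v ? "value read" : "value unavailable", len);
    free(v);
    return 0;
}
```

With a real token, replace the mock call with C_GetAttributeValue(hSession, hObject, &t, 1) and keep the same checks on the return value and on ulValueLen.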