Add pkcs11-module-default-slot-id cfg for default slot ID

There are use cases when one wants to select the default slot id
(especially when the first slot ID is not convenient for this purpose)
which is used for example for storing public keys.

As part of this change, the test framework was extended to allow
testing of multi slot scenarios.

Signed-off-by: Jakub Zelenka <jakub.openssl@gmail.com>

Author: bukka

docs/provider-pkcs11.7.md

@@ -242,6 +242,23 @@ Example:
 
 ```pkcs11-module-assume-fips = true```
 
+## pkcs11-module-default-slot-id
+
+The default slot ID for new objects.
+
+The default slot is used for any objects that do not have an explicitly
+selected slot. Such objects include, for example, public keys.
+
+This option is useful when multiple slots with different PINs are used. In such
+cases, it allows you to ensure that pkcs11-module-token-pin points to the
+expected slot.
+
+If no value is specified, the first listed slot is used.
+
+Default: none
+
+```pkcs11-module-default-slot-id = 12345```
+
 
 ENVIRONMENT VARIABLES
 =====================

src/provider.c

@@ -33,6 +33,7 @@ struct p11prov_ctx {
     int cache_sessions;
     bool encode_pkey_as_pk11_uri;
     bool assume_fips;
+    CK_SLOT_ID default_slotid;
     /* TODO: ui_method */
     /* TODO: fork id */
 
@@ -463,6 +464,11 @@ P11PROV_INTERFACE *p11prov_ctx_get_interface(P11PROV_CTX *ctx)
     return p11prov_module_get_interface(ctx->module);
 }
 
+CK_SLOT_ID p11prov_ctx_get_default_slotid(P11PROV_CTX *ctx)
+{
+    return ctx->default_slotid;
+}
+
 P11PROV_SLOTS_CTX *p11prov_ctx_get_slots(P11PROV_CTX *ctx)
 {
     return ctx->slots;
@@ -1778,6 +1784,7 @@ enum p11prov_cfg_enum {
     P11PROV_CFG_ENCODE_PROVIDER_URI_TO_PEM,
     P11PROV_CFG_BLOCK_OPS,
     P11PROV_CFG_ASSUME_FIPS,
+    P11PROV_CFG_DEFAULT_SLOT_ID,
     P11PROV_CFG_SIZE,
 };
 
@@ -1797,6 +1804,7 @@ static struct p11prov_cfg_names {
     { "pkcs11-module-encode-provider-uri-to-pem" },
     { "pkcs11-module-block-operations" },
     { "pkcs11-module-assume-fips" },
+    { "pkcs11-module-default-slot-id" },
 };
 
 int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
@@ -2090,6 +2098,24 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in,
         return RET_OSSL_ERR;
     }
 
+    if (cfg[P11PROV_CFG_DEFAULT_SLOT_ID] != NULL) {
+        char *end = NULL;
+        errno = 0;
+        ctx->default_slotid =
+            strtoul(cfg[P11PROV_CFG_DEFAULT_SLOT_ID], &end, 0);
+        if (errno != 0 || *end != '\0') {
+            P11PROV_raise(ctx, CKR_GENERAL_ERROR, "Invalid value for %s: (%s)",
+                          p11prov_cfg_names[P11PROV_CFG_DEFAULT_SLOT_ID].name,
+                          cfg[P11PROV_CFG_DEFAULT_SLOT_ID]);
+            p11prov_ctx_free(ctx);
+            return RET_OSSL_ERR;
+        }
+        P11PROV_debug("Default slot ID: %lu", ctx->default_slotid);
+    } else {
+        ctx->default_slotid = CK_UNAVAILABLE_INFORMATION;
+        P11PROV_debug("Default slot ID: None");
+    }
+
     /* PAY ATTENTION: do this as the last thing */
     if (cfg[P11PROV_CFG_LOAD_BEHAVIOR] != NULL
         && strcmp(cfg[P11PROV_CFG_LOAD_BEHAVIOR], "early") == 0) {

src/provider.h

@@ -268,6 +268,7 @@ P11PROV_INTERFACE *p11prov_ctx_get_interface(P11PROV_CTX *ctx);
 CK_UTF8CHAR_PTR p11prov_ctx_pin(P11PROV_CTX *ctx);
 OSSL_LIB_CTX *p11prov_ctx_get_libctx(P11PROV_CTX *ctx);
 CK_RV p11prov_ctx_status(P11PROV_CTX *ctx);
+CK_SLOT_ID p11prov_ctx_get_default_slotid(P11PROV_CTX *ctx);
 P11PROV_SLOTS_CTX *p11prov_ctx_get_slots(P11PROV_CTX *ctx);
 void p11prov_ctx_set_slots(P11PROV_CTX *ctx, P11PROV_SLOTS_CTX *slots);
 CK_RV p11prov_ctx_get_quirk(P11PROV_CTX *ctx, CK_SLOT_ID id, const char *name,

src/slot.c

@@ -173,6 +173,8 @@ CK_RV p11prov_init_slots(P11PROV_CTX *ctx, P11PROV_SLOTS_CTX **slots)
     }
 
     sctx->default_slot = CK_UNAVAILABLE_INFORMATION;
+    CK_SLOT_ID prov_default_slotid =
+        p11prov_ctx_get_default_slotid(sctx->provctx);
 
     for (size_t i = 0; i < num; i++) {
         P11PROV_SLOT *slot;
@@ -238,6 +240,8 @@ CK_RV p11prov_init_slots(P11PROV_CTX *ctx, P11PROV_SLOTS_CTX **slots)
          * softoken has a slot that can't be used to store session keys)
          * and the following query excludes it */
         if ((sctx->default_slot == CK_UNAVAILABLE_INFORMATION)
+            && (prov_default_slotid == CK_UNAVAILABLE_INFORMATION
+                || prov_default_slotid == slot->id)
             && (slot->token.flags & CKF_LOGIN_REQUIRED)
             && (slot->token.flags & CKF_TOKEN_INITIALIZED)
             && (!(slot->token.flags & CKF_USER_PIN_LOCKED))) {

tests/helpers.sh

@@ -117,6 +117,9 @@ ptool() {
     if [ -n "$P11DEFLOGIN" ]; then
         CMDOPTS+=("${P11DEFLOGIN[@]}")
     fi
+    if [ -n "$SLOTID" ]; then
+        CMDOPTS+=("--slot=${SLOTID}")
+    fi
     CMDOPTS+=("$@")
     # when running sanitizer tests libasan is linked via pkcs11-provider into
     # openssl and pkcs11-tool is linked to libcrypto, so we need to break the

tests/kryoptic-init.sh

@@ -26,10 +26,12 @@ find_kryoptic \
 
 title LINE "Creating Kryoptic database"
 
+SLOTID=${SLOTID:-0}
+
 # Kryoptic configuration
 cat << EOF > "$TOKDIR/kryoptic.conf"
 [[slots]]
-slot = 0
+slot = $SLOTID
 dbtype = "sqlite"
 dbargs = "$TOKDIR/kryoptic.sql"
 #mechanisms
@@ -40,10 +42,11 @@ export TOKENLABEL="${TOKENLABEL:-Kryoptic Token}"
 export TOKENLABELURI="${TOKENLABELURI:-Kryoptic%20Token}"
 
 # init token
-ptool --init-token --label "${TOKENLABEL}" --so-pin "${PINVALUE}" 2>&1
+ptool --init-token --slot "${SLOTID}" --label "${TOKENLABEL}" \
+      --so-pin "${PINVALUE}" 2>&1
 # set user pin
-ptool --so-pin "${PINVALUE}" --login --login-type so --init-pin \
-      --pin "${PINVALUE}" 2>&1
+ptool --so-pin "${PINVALUE}" --slot "${SLOTID}" --login --login-type so \
+      --init-pin --pin "${PINVALUE}" 2>&1
 
 export TOKENCONFIGVARS="export KRYOPTIC_CONF=$TOKDIR/kryoptic.conf"
 

tests/kryoptic.multislot-init.sh

@@ -0,0 +1,65 @@
+#!/bin/bash -ex
+# Copyright (C) 2024 Jakub Zelenka <jakub.openssl@gmail.com>
+# SPDX-License-Identifier: Apache-2.0
+#
+
+export SLOTID=42
+export SLOTID2=52
+export TOKEN2LABEL="${TOKENLABEL:-Kryoptic Token 2}"
+export TOKEN2LABELURI="${TOKENLABELURI:-Kryoptic%20Token%202}"
+export PIN2VALUE=11111111
+
+export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
+cat >"${KRYOPTIC_CONF}" <<_EOF
+[[slots]]
+slot = $SLOTID
+dbtype = "sqlite"
+dbargs = "$TOKDIR/kryoptic.sql"
+#mechanisms
+[[slots]]
+slot = $SLOTID2
+dbtype = "sqlite"
+dbargs = "${TOKDIR}/kryoptic2.sql"
+description = "Kryoptic Token 2"
+_EOF
+
+# this overrides what we define in the generic init
+export TOKENLABEL="Kryoptic Soft Token"
+export TOKENLABELURI="Kryoptic%20Soft%20Token"
+
+# the rest is the same
+source "${TESTSSRCDIR}/kryoptic-init.sh"
+
+# init token 2
+pkcs11-tool --module "${P11LIB}" --init-token --slot "${SLOTID2}" \
+    --label "${TOKEN2LABEL}" --so-pin "${PIN2VALUE}" 2>&1
+# set user pin 2
+pkcs11-tool --module "${P11LIB}" --so-pin "${PIN2VALUE}" --slot "${SLOTID2}" \
+    --login --login-type so --init-pin --pin "${PIN2VALUE}" 2>&1
+
+export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf"
+export TESTPORT="29000"
+
+# generate RSA key
+KEYID='0201'
+URIKEYID="%02%01"
+
+pkcs11-tool --module "${P11LIB}" --slot "${SLOTID2}" --pin "${PIN2VALUE}" \
+    --keypairgen --key-type="RSA:2048" --id="$KEYID" \
+    --label="testKey" 2>&1
+
+export BASEURI2WITHPINVALUE="pkcs11:id=${URIKEYID}?pin-value=${PINVALUE}"
+export BASEURI2="pkcs11:id=${URIKEYID}"
+export PUBURI2="pkcs11:type=public;id=${URIKEYID}"
+export PRIURI2="pkcs11:type=private;id=${URIKEYID}"
+
+title LINE "RSA PKCS11 URIS"
+echo "${BASEURI2WITHPINVALUE}"
+echo "${BASEURI2}"
+echo "${PUBURI2}"
+echo "${PRIURI2}"
+echo ""
+
+# While this works with the default DB, the NSS DB does not support this
+# attribute
+export SUPPORT_ALLOWED_MECHANISMS=0

tests/kryoptic.nss-init.sh

@@ -3,10 +3,13 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+export SLOTID=42
+export SLOTSCOUNT=1
+
 export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf"
 cat >"${KRYOPTIC_CONF}" <<_EOF
 [[slots]]
-slot = 42
+slot = ${SLOTID}
 dbtype = "nssdb"
 dbargs = "configDir='${TOKDIR}' flags='passwordRequired'"
 description = "Kryoptic Soft Token"

tests/meson.build

@@ -104,6 +104,7 @@ test_programs = {
   'treadkeys': ['treadkeys.c'],
   'tcmpkeys': ['tcmpkeys.c', 'util.c'],
   'tfork': ['tfork.c', 'util.c'],
+  'tstorepubkey': ['tstorepubkey.c', 'util.c'],
   'tpkey': ['tpkey.c', 'util.c'],
   'pincache': ['pincache.c'],
   'ccerts': ['ccerts.c', 'util.c'],
@@ -122,7 +123,9 @@ foreach t, sources : test_programs
 endforeach
 
 setup_script=find_program('setup.sh')
-all_suites=['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']
+multi_suites=['kryoptic.multislot']
+single_suites=['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']
+all_suites=single_suites + multi_suites
 foreach suite : all_suites
   test(
     'setup',
@@ -136,39 +139,40 @@ foreach suite : all_suites
 endforeach
 
 tests = {
-  'basic': {'suites': all_suites},
+  'basic': {'suites': single_suites},
   'mlkem': {'suites': ['kryoptic']},
   'mldsa': {'suites': ['kryoptic']},
-  'pubkey': {'suites': all_suites},
-  'certs': {'suites': all_suites},
-  'ecc': {'suites': all_suites},
+  'pubkey': {'suites': single_suites},
+  'certs': {'suites': single_suites},
+  'ecc': {'suites': single_suites},
   'edwards': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
-  'ecdh': {'suites': all_suites},
-  'democa': {'suites': all_suites, 'is_parallel': false},
-  'digest': {'suites': all_suites},
-  'fork': {'suites': all_suites},
+  'ecdh': {'suites': single_suites},
+  'democa': {'suites': single_suites, 'is_parallel': false},
+  'digest': {'suites': single_suites},
+  'fork': {'suites': single_suites},
   'oaepsha2': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'hkdf': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'imported' : {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
-  'pem_encoder': {'suites': all_suites},
-  'rsa': {'suites': all_suites},
-  'rsapss': {'suites': all_suites},
+  'pem_encoder': {'suites': single_suites},
+  'rsa': {'suites': single_suites},
+  'rsapss': {'suites': single_suites},
   'rsapssam': {'suites': ['softhsm', 'kryoptic']},
-  'genkey': {'suites': all_suites},
-  'pkey': {'suites': all_suites},
+  'genkey': {'suites': single_suites},
+  'pkey': {'suites': single_suites},
   'pkey_provider': {'suites': ['kryoptic', 'kryoptic.nss', 'softokn']},
-  'session': {'suites': all_suites},
+  'session': {'suites': single_suites},
   'skey': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss'], 'timeout': 90},
-  'rand': {'suites': all_suites},
-  'readkeys': {'suites': all_suites},
-  'tls': {'suites': all_suites, 'is_parallel': false, 'timeout': 60},
-  'tlsfuzzer': {'suites': all_suites, 'timeout': 90},
-  'uri': {'suites': all_suites, 'timeout': 90},
+  'rand': {'suites': single_suites},
+  'readkeys': {'suites': single_suites},
+  'tls': {'suites': single_suites, 'is_parallel': false, 'timeout': 60},
+  'tlsfuzzer': {'suites': single_suites, 'timeout': 90},
+  'uri': {'suites': single_suites, 'timeout': 90},
   'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']},
   'cms': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'pinlock': {'suites': ['kryoptic']},
   'aead': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']},
   'op_state': {'suites': all_suites},
+  'defaultslot': {'suites': ['kryoptic.multislot']},
 }
 
 test_wrapper = find_program('test-wrapper')

tests/openssl.cnf.in

@@ -23,6 +23,7 @@ activate = 1
 [pkcs11_sect]
 module = @libtoollibs@/pkcs11@SHARED_EXT@
 pkcs11-module-token-pin = file:@PINFILE@
+#pkcs11-module-default-slot-id
 ##TOKENOPTIONS
 #pkcs11-module-encode-provider-uri-to-pem
 #pkcs11-module-allow-export