Expose single-part crypto operations

simo5 · Gemini · simo5 · commit 6e6e6520c7c0 · 2026-02-12T15:45:44.000-05:00
Refactor encryption, decryption, signing, verification, and digesting
operations to separate the initialization logic from the single-part
execution logic.

This exposes `*_single` methods publicly, allowing greater flexibility
in operation flows. For example, this supports context-specific user
authentication where the operation must be initialized before the
authentication step occurs.

Co-authored-by: Gemini &lt;gemini@google.com&gt;
Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/cryptoki/src/session/decryption.rs b/cryptoki/src/session/decryption.rs
@@ -18,17 +18,13 @@ impl Session {
         key: ObjectHandle,
         encrypted_data: &[u8],
     ) -> Result<Vec<u8>> {
-        let mut mechanism: CK_MECHANISM = mechanism.into();
-        let mut data_len = 0;
+        self.decrypt_init(mechanism, key)?;
+        self.decrypt_single(encrypted_data)
+    }
 
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_DecryptInit)(
-                self.handle(),
-                &mut mechanism as CK_MECHANISM_PTR,
-                key.handle(),
-            ))
-            .into_result(Function::DecryptInit)?;
-        }
+    /// Single-part decryption operation, assuming the operation was already initialized.
+    pub fn decrypt_single(&self, encrypted_data: &[u8]) -> Result<Vec<u8>> {
+        let mut data_len = 0;
 
         // Get the output buffer length
         unsafe {
diff --git a/cryptoki/src/session/digesting.rs b/cryptoki/src/session/digesting.rs
@@ -12,17 +12,14 @@ use std::convert::TryInto;
 
 impl Session {
     /// Single-part digesting operation
-    pub fn digest(&self, m: &Mechanism, data: &[u8]) -> Result<Vec<u8>> {
-        let mut mechanism: CK_MECHANISM = m.into();
-        let mut digest_len = 0;
+    pub fn digest(&self, mechanism: &Mechanism, data: &[u8]) -> Result<Vec<u8>> {
+        self.digest_init(mechanism)?;
+        self.digest_single(data)
+    }
 
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_DigestInit)(
-                self.handle(),
-                &mut mechanism as CK_MECHANISM_PTR,
-            ))
-            .into_result(Function::DigestInit)?;
-        }
+    /// Digest data in single-part, assuming the operation was already initialized.
+    pub fn digest_single(&self, data: &[u8]) -> Result<Vec<u8>> {
+        let mut digest_len = 0;
 
         // Get the output buffer length
         unsafe {
diff --git a/cryptoki/src/session/encryption.rs b/cryptoki/src/session/encryption.rs
@@ -18,17 +18,13 @@ impl Session {
         key: ObjectHandle,
         data: &[u8],
     ) -> Result<Vec<u8>> {
-        let mut mechanism: CK_MECHANISM = mechanism.into();
-        let mut encrypted_data_len = 0;
+        self.encrypt_init(mechanism, key)?;
+        self.encrypt_single(data)
+    }
 
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_EncryptInit)(
-                self.handle(),
-                &mut mechanism as CK_MECHANISM_PTR,
-                key.handle(),
-            ))
-            .into_result(Function::EncryptInit)?;
-        }
+    /// Single-part encryption operation, assuming the operation was already initialized.
+    pub fn encrypt_single(&self, data: &[u8]) -> Result<Vec<u8>> {
+        let mut encrypted_data_len = 0;
 
         // Get the output buffer length
         unsafe {
diff --git a/cryptoki/src/session/signing_macing.rs b/cryptoki/src/session/signing_macing.rs
@@ -13,17 +13,13 @@ use std::convert::TryInto;
 impl Session {
     /// Sign data in single-part
     pub fn sign(&self, mechanism: &Mechanism, key: ObjectHandle, data: &[u8]) -> Result<Vec<u8>> {
-        let mut mechanism: CK_MECHANISM = mechanism.into();
-        let mut signature_len = 0;
+        self.sign_init(mechanism, key)?;
+        self.sign_single(data)
+    }
 
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_SignInit)(
-                self.handle(),
-                &mut mechanism as CK_MECHANISM_PTR,
-                key.handle(),
-            ))
-            .into_result(Function::SignInit)?;
-        }
+    /// Sign data in single-part, assuming the operation was already initialized.
+    pub fn sign_single(&self, data: &[u8]) -> Result<Vec<u8>> {
+        let mut signature_len = 0;
 
         // Get the output buffer length
         unsafe {
@@ -126,17 +122,12 @@ impl Session {
         data: &[u8],
         signature: &[u8],
     ) -> Result<()> {
-        let mut mechanism: CK_MECHANISM = mechanism.into();
-
-        unsafe {
-            Rv::from(get_pkcs11!(self.client(), C_VerifyInit)(
-                self.handle(),
-                &mut mechanism as CK_MECHANISM_PTR,
-                key.handle(),
-            ))
-            .into_result(Function::VerifyInit)?;
-        }
+        self.verify_init(mechanism, key)?;
+        self.verify_single(data, signature)
+    }
 
+    /// Verify data in single-part, assuming the operation was already initialized.
+    pub fn verify_single(&self, data: &[u8], signature: &[u8]) -> Result<()> {
         unsafe {
             Rv::from(get_pkcs11!(self.client(), C_Verify)(
                 self.handle(),
@@ -257,4 +248,4 @@ impl Session {
 
         Ok(())
     }
-}
+}
diff --git a/cryptoki/tests/basic.rs b/cryptoki/tests/basic.rs
@@ -239,6 +239,56 @@ fn sign_verify_eddsa_with_ed448_schemes() -> TestResult {
     Ok(())
 }
 
+#[test]
+#[serial]
+fn sign_verify_single_part() -> TestResult {
+    let (pkcs11, slot) = init_pins();
+
+    // Open a session and log in
+    let session = pkcs11.open_rw_session(slot)?;
+    session.login(UserType::User, Some(&AuthPin::new(USER_PIN.into())))?;
+
+    // Define parameters for keypair
+    let public_exponent = vec![0x01, 0x00, 0x01];
+    let modulus_bits = 2048;
+
+    let pub_key_template = vec![
+        Attribute::Token(true),
+        Attribute::Private(false),
+        Attribute::PublicExponent(public_exponent),
+        Attribute::ModulusBits(modulus_bits.into()),
+        Attribute::Verify(true),
+    ];
+    let priv_key_template = vec![Attribute::Token(true), Attribute::Sign(true)];
+
+    // Generate keypair
+    let (pub_key, priv_key) = session.generate_key_pair(
+        &Mechanism::RsaPkcsKeyPairGen,
+        &pub_key_template,
+        &priv_key_template,
+    )?;
+
+    // Data to sign
+    let data = [0xFF, 0x55, 0xDD, 0x11, 0xBB, 0x33];
+
+    // Sign data in a single part using separate init and single call
+    session.sign_init(&Mechanism::Sha256RsaPkcs, priv_key)?;
+    let signature = session.sign_single(&data)?;
+
+    // Verify signature in a single part using separate init and single call
+    session.verify_init(&Mechanism::Sha256RsaPkcs, pub_key)?;
+    session.verify_single(&data, &signature)?;
+
+    // Delete keys
+    session.destroy_object(pub_key)?;
+    session.destroy_object(priv_key)?;
+
+    session.close()?;
+    pkcs11.finalize()?;
+
+    Ok(())
+}
+
 #[test]
 #[serial]
 fn sign_verify_multipart() -> TestResult {
