Merge pull request #83 from grant100/protected_authentication

pkcs11/_pkcs11.pyx: add support for protected authentication
pyauth · Jul 28, 2020 · b0495cd · b0495cd
2 parents 3629924 + 5edd88a
commit b0495cd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/pkcs11/_pkcs11.pyx b/pkcs11/_pkcs11.pyx
@@ -32,6 +32,7 @@ from .types import (
     _CK_UTF8CHAR_to_str,
     _CK_VERSION_to_tuple,
     _CK_MECHANISM_TYPE_to_enum,
+    PROTECTED_AUTH,
 )
 
 
@@ -235,6 +236,12 @@ class Token(types.Token):
 
         if user_pin is not None and so_pin is not None:
             raise ArgumentsBad("Set either `user_pin` or `so_pin`")
+        elif user_pin is PROTECTED_AUTH:
+            pin = None
+            user_type = CKU_USER
+        elif so_pin is PROTECTED_AUTH:
+            pin = None
+            user_type = CKU_SO
         elif user_pin is not None:
             pin = user_pin.encode('utf-8')
             user_type = CKU_USER
@@ -247,7 +254,12 @@ class Token(types.Token):
 
         assertRV(_funclist.C_OpenSession(self.slot.slot_id, flags, NULL, NULL, &handle))
 
-        if pin is not None:
+        if so_pin is PROTECTED_AUTH or user_pin is PROTECTED_AUTH:
+            if self.flags & TokenFlag.PROTECTED_AUTHENTICATION_PATH:
+                assertRV(_funclist.C_Login(handle, user_type, NULL, <CK_ULONG> 0))
+            else:
+                raise ArgumentsBad("Protected authentication is not supported by loaded module")
+        elif pin is not None:
             assertRV(_funclist.C_Login(handle, user_type, pin, <CK_ULONG> len(pin)))
 
         return Session(self, handle, rw=rw, user_type=user_type)

diff --git a/pkcs11/types.py b/pkcs11/types.py
@@ -27,6 +27,8 @@
     SignatureLenRange,
 )
 
+PROTECTED_AUTH = object()
+"""Indicate the pin should be supplied via an external mechanism (e.g. pin pad)"""
 
 def _CK_UTF8CHAR_to_str(data):
     """Convert CK_UTF8CHAR to string."""
@@ -203,7 +205,8 @@ def __eq__(self, other):
     def open(self, rw=False, user_pin=None, so_pin=None):
         """
         Open a session on the token and optionally log in as a user or
-        security officer (pass one of `user_pin` or `so_pin`).
+        security officer (pass one of `user_pin` or `so_pin`). Pass PROTECTED_AUTH to
+        indicate the pin should be supplied via an external mechanism (e.g. pin pad).
 
         Can be used as a context manager or close with :meth:`Session.close`.