Search for token objects matching a template

[Tartopoms]

Hello,
Do you know if the find_objects function for token objects will be available soon?

Because, as stated in the documentation, the find_objects function only searches for session objects, see:

Thus, the practical application of HSM is severely limited. For example, keys cannot be wrapped and exported if the encryption key (the one wrapping the exported keys) cannot be recovered from the token.

Demo with three examples: one with the original session, one with a new session and one with a new context:

// get context, slot and open a session (read_write)
let (pkcs11, slot) = init_pins()?; // softhsm 2.6.1 & cryptoki 0.5.0
let session = get_session(&pkcs11, &slot)?;

// create two token objects (Attribute::Token(true))
create_key_and_forget_it(&session);
create_key_and_forget_it(&session);

// search them
let token_template = vec![Attribute::Token(true)];
println!("Object found with current session: {}", session.find_objects(&token_template)?.len()); // Find 2 objects

// search them again, but after closing the session and opening a new one
session.close();
let session = get_session(&pkcs11, &slot)?;
println!("Object found after session close: {}", session.find_objects(&token_template)?.len()); // Find 2 objects

// search them one more time after droping pkcs11 context, slot and session
session.close();
pkcs11.finalize();
let (pkcs11, slot) = init_pins()?;
let session = get_session(&pkcs11, &slot)?;
println!("Object found after pkcs11 finalize: {}", session.find_objects(&token_template)?.len()); // Find 2 objects

More details on the create_key function:

/// Create a token object and forget the object handle
fn create_key_and_forget_it(session: &Session) {

    let public_exponent: Vec<u8> = vec![0x01, 0x00, 0x01];
    let modulus = vec![0xFF; 1024];

    let template = vec![
        Attribute::Token(true),
        Attribute::Private(false),
        Attribute::PublicExponent(public_exponent),
        Attribute::Modulus(modulus.clone()),
        Attribute::Class(ObjectClass::PUBLIC_KEY),
        Attribute::KeyType(KeyType::RSA),
        Attribute::Verify(true),
    ];

    // Intentionally forget the object handle to find it later
    let _public_key = session.create_object(&template);
}

Terminal output:

Object found with current session: 2
Object found after session close: 2
Object found after pkcs11 finalize: 0

Here's what I'm looking for, it's the documentation of the deprecated pkcs11 rust crate:

[Tartopoms]

Looking at the find_objects function in cryptoki/src/session/object_management.rs (see below), I don't understand why this function succeeds in finding session objects, but fails to find token objects...

And, refering to my demo, it's interesting to note that key objects can still be found after closing and reopening a new session, but not after finalyze pkcs11 context. In fact, after further testing, I found out that it's while initializing a new slot.

impl Session {
    /// Search for session objects matching a template
    pub fn find_objects(&self, template: &[Attribute]) -> Result<Vec<ObjectHandle>> {
        let mut template: Vec<CK_ATTRIBUTE> = template.iter().map(|attr| attr.into()).collect();

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_FindObjectsInit)( // <- correct call to C_FindObjectsInit
                self.handle(),
                template.as_mut_ptr(),
                template.len().try_into()?,
            ))
            .into_result()?;
        }

        let mut object_handles = [0; MAX_OBJECT_COUNT];
        let mut object_count = 0;
        let mut objects = Vec::new();

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_FindObjects)( // <- correct call to C_FindObjects
                self.handle(),
                object_handles.as_mut_ptr() as CK_OBJECT_HANDLE_PTR,
                MAX_OBJECT_COUNT.try_into()?,
                &mut object_count,
            ))
            .into_result()?;
        }

        while object_count > 0 { // collect objects in slice of up to ten, for as long as there are objects left to collect
            objects.extend_from_slice(&object_handles[..object_count.try_into()?]);

            unsafe {
                Rv::from(get_pkcs11!(self.client(), C_FindObjects)( // <- correct call to C_FindObjects
                    self.handle(),
                    object_handles.as_mut_ptr() as CK_OBJECT_HANDLE_PTR,
                    MAX_OBJECT_COUNT.try_into()?,
                    &mut object_count,
                ))
                .into_result()?;
            }
        }

        unsafe {
            Rv::from(get_pkcs11!(self.client(), C_FindObjectsFinal)( // <- correct call to C_FindObjectsFinal
                self.handle(),
            ))
            .into_result()?;
        }

        let objects = objects.into_iter().map(ObjectHandle::new).collect();

        Ok(objects)
    }
    
    // ...
}```

[Tartopoms]

Problem solved, it's all my bad.

Actually the function init_token called in init_pins is like overwriting label, and erasing current saved objects of a token.
I got confused because I used the init_pins function from cryptoki/tests/common.rs that initialize a token each time the program runs.

I let the disscussion open so you can edit the find_objects function comment