Draft: SlotInfo refactor and reimplement flags types #63
Conversation
vkkoskie
force-pushed
the
slot-info-refactor
branch
2 times, most recently
from
ea0cc74 to
dac8df9
Compare
| //! | ||
| //! # Conformance Notes | ||
| //! | ||
| //! Throughout this crate, many functions and other items include additional | ||
| //! "**Conformance**" notes. These notes may provide guarantees about behavior or | ||
| //! additional, contextual information. In all cases, such items pertain | ||
| //! to information from the PKCS#11 standard and are contingent on the provider | ||
| //! being accessed through this crate conforming to that standard. That is, this | ||
| //! crate is permitted to *assume* these guarantees, and is does not necessarily | ||
| //! check for or enforce them itself. |
There was a problem hiding this comment.
Thanks for adding this. It's a nice message to provide to the user to set expectations appropriately.
|
I really like these changes, and definitely think it's worthwhile to continue making these changes (I'm particularly interested in how Really appreciate the effort you're putting into this crate. As someone relatively new to Rust this has been a fun learning experience! |
|
I don't plan to touch |
This flag indicates a failure in a token self-test. See: PKCS#11 2.40, Table 6 Signed-off-by: Keith Koskie <[email protected]>
|
Hey! I had a brief skim through and it looks pretty good, both the code and documentation, happy to move in this direction. I have only one worry (and this comes a bit late, given your previous large PR!) - we should try and either cram all these changes in one big release - when we do end up releasing - or pushing them onto a develop branch and cherry-pick only the important fixes otherwise. I'm just a bit cautious of making constant, large changes to the API, and how sustainable that is for users. (I'm sure you're aware of this, just wanted to reach some broad consensus on it and maybe flag it out in a new issue, tracking what changes we want to make before the next release, etc.) |
|
I don't know what your expected release schedule or plan is, so I can't really speak to that. I bumped the version in my first PR to avoid conflicts for clients. They might have to use a stricter semver specifier to stick to 0.2.0, but that's a one-line change in their TOML. 0.x.y versions don't guarantee stability. If it's still a concern, and you want to reset main to the end of 0.2.0 and name the current branch tip to 0.3.x or something, I can adjust. Just for context, I found my way here after being equally frustrated by the existing pkcs11 crate. I started to write my own abstraction layer and learned a lot about the standard in the process. I found this crate part way into that project and (after realizing it wasn't empty 😉) saw that it was far enough along that contributing here would be a better use of time than starting from scratch. My ultimate goal is to be a user of this crate, though. Anyway, that false start filled me with all sorts of ideas and opinions about what a rust API would look like, and those came with me for better or for worse. I've been trying to work incrementally to get buy-in at each step and not spend a lot of time on something that will never get merged. But I've got a lot in my head I'm still interested in committing. I've been fairly surprised and how open to you've all been to big, breaking changes. I also took that as a clue that there weren't looking to release any time soon, and I had plenty of time to really pile on. |
|
@ionut-arm how closely do you want to tie releases of this crate to say, Parsec? I'm of the opinion that, even though the Parsec program did start this crate and the majority of the maintainers are Parsec people, this crate should set it's own release schedule. As far as I can tell, the contents of the crate at v0.2.0 (which was the previous release) is "good enough" for use by the Parsec program. I haven't seen any feature requests/additions needed thus far to support them. If you suspect that there are imminent changes required for it, maybe we create a v0.3.x branch back before the API changes occurred and rebase main up to that point onto that branch. |
Speaking for myself, I'm using this crate as an opportunity to learn Rust. I have a lot of PKCS11 experience from my current job and thought this would be a good place for me to get my hands dirty. So far, everything I've seen you add has helped the crate and has taught me a lot about the language. So my point of view is keep the changes coming! |
Slight change of topic. I'm looking at |
|
I'm not sure where this
Looks like we're missing
What do you mean? This should be coming from mechanism spec |
|
🙁 It looks like I've been reading the wrong thing. I've been using this as a reference. Both are marked 2.40, but yours is a year younger and is "curr" vs "base". Can you help me understand what the differences are, so I don't make the same mistake with the 3.0 draft draft I've also been glancing at occasionally? Between you with the standard and me we Rust, this should be a very educational experience for us both! |
|
Ah, that makes sense now. What I linked was v2.40 with errata 01. I fault oasis with not updating the version number. I believe it mostly clarified some inconsistencies. Raises a good point though, which spec should we be using? This pkcs11.h file is missing some fields that are defined in the "current" v2.40 spec. |
|
I assume that that header, which has copyright info from somewhere else, was just for a quick start with bindgen and wasn't written for the purpose it's being used for now. An audit/refactor there is another item I've thought a bit about, but consider it a distant enough goal that I haven't put much more thought than that into it. |
|
Created #65 to track this. |
Signed-off-by: Keith Koskie <[email protected]>
vkkoskie
force-pushed
the
slot-info-refactor
branch
from
dac8df9 to
8e1bb31
Compare
Signed-off-by: Keith Koskie <[email protected]>
Give the SlotInfo struct its own member definitions instead of being a wrapper around CK_SLOT_INFO. This causes the conversion for each memmber to happen once on construction. Signed-off-by: Keith Koskie <[email protected]>
Using the From trait here is both more flexible and also a better semantic match for how SlotInfo is constructed. Signed-off-by: Keith Koskie <[email protected]>
These functions differ only in a boolean. Them being distinct is even less necessary since they've been accessed through parent module stubs. Signed-off-by: Keith Koskie <[email protected]>
Fixes parallaxsecond#34 with respect to slots (still open for mechanisms) Signed-off-by: Keith Koskie <[email protected]>
Flags being accumulated into an integer is an implementation detail that has no significant meaning to its consumers. Instead, expose the information from the flags as booleans. Signed-off-by: Keith Koskie <[email protected]>
Information from SlotFlags is now available through SlotInfo, the only type that uses it. It's also a read-only value. The PCKS#11 provider sets these flags to be read, but setting the flags on the client side at best has no effect, and at worst is misleading about how the slot can be properly interacted with. Signed-off-by: Keith Koskie <[email protected]>
This commit is the first of several with the end goal of removing Flags types from the public interface. It makes several design changes. * Type state information encoded into an integer as flags is now exposed publically as booleans only. * The boolean values are read and/or written through the structure that contains the flag integer value. They do not exist as distinct entities, but as features of their outer type. * Flags are now type-bound to their container. Even though the CK_FLAGS type still backs them all, flag sets associated with one structure cannot interact with flags from a different structure. * Operations on the generic flag type are restricted to those required to set, unset, toggle, and test the values as needed by their outer types. These operations are limited to avoid common errors while still having the terseness of binary oprations. * Debug implementation for flags that display the full contents of the flag set as through it were a 'Flags' struct of named booleans. * Display implementation for flags that display only the relevant attributes as a set of string labels. Signed-off-by: Keith Koskie <[email protected]>
This replaces the prior documentation of SlotInfo members with wording from the standard itself. It also adds a crate-level Conformance Notes to provide context about documentation that would otherise have the appearance of a guarantee issued by this crate. Signed-off-by: Keith Koskie <[email protected]>
vkkoskie
force-pushed
the
slot-info-refactor
branch
2 times, most recently
from
52fa4a9 to
6a4f13c
Compare
Signed-off-by: Keith Koskie <[email protected]>
Signed-off-by: Keith Koskie <[email protected]>
Signed-off-by: Keith Koskie <[email protected]>
vkkoskie
force-pushed
the
slot-info-refactor
branch
from
6a4f13c to
5fad61c
Compare
This take the three previously refactored info+flag types
and moves them together.
Before, the flag types had to reach into their parent module to bring
their associated info type into scope, while the info type had to do
the same in the other direction. While this is legal, the tighter
coupling made it natural to place them together.
This has a side effect that all FlagBit constants can be made private
within the new files.
slot/{mod.rs:SlotInfo,flag.rs:CkFlag<SlotInfo>} -> slot/slot_info.rs
slot/{mod.rs:TokenInfo,flag.rs:CkFlag<TokenInfo>} -> slot/token_info.rs
mechanism/{mod.rs:MechanismInfo,flags.rs} -> mechanism/mechanism_info.rs
Signed-off-by: Keith Koskie <[email protected]>
Signed-off-by: Keith Koskie <[email protected]>
Function added to support unit testing Signed-off-by: Keith Koskie <[email protected]>
Signed-off-by: Keith Koskie <[email protected]>
Having a human-readable format for the flag types seemed like a good idea initially. They were more compact than the Debug equivalents and had the flexibility of rephrasing for clarity. However, the format for these outputs was somewhat arbitrary which makes them potentially unstable. But most importantly, they were for a private type and served no purpose within the crate. In order for them to be usable in client code, the Display trait would need to be implemented on the containing info type as well. Again, the arbitrariness of the output presents concerns about fragility in client code, and there's no obvious use case that Debug can't also serve. This commit will be left behind rather than squashed out in case it becomes useful to revert. Signed-off-by: Keith Koskie <[email protected]>
Signed-off-by: Keith Koskie <[email protected]>
vkkoskie
force-pushed
the
slot-info-refactor
branch
from
c86773a to
1b8eb84
Compare
We don't want to tie them, though in the future we might ask for a release to happen so that we get some feature that was implemented in this crate into Parsec as well, but everyone could put in that sort of request for a feature that's been implemented but not released yet. So Parsec is just a user of this crate, but that's about it.
Well, we took over this crate in order to make PKCS11 better/easier for Rust developers, so anything that seems like a step in that direction is welcome!
Indeed, we're not planning to release soon, but it'd be nice to have some (rough) draft for a roadmap. Then we could point to that if someone (new to the project) comes to us for a new feature and a release because they need it somewhere. |
I'm more or less done with the read-only flag sets (mechanism, slot, token). This leaves three other sets:
So I think my plan is:
The last two items would be covered by a different PR(s), and I'm pausing work on this PR until session types aren't in potential conflict. |
Probably just need a simple
I feel that the locking API that is provided is something from antiquity and probably not really used in more recent implementations of Cryptoki (e.g. some libraries will just happily accept a If you look at section 5.4 of the spec, there's four cases spelled out for what the library should do depending upon the state of the supplied locking mechanisms and the flag
|
|
I still have eyes on this, but life is a little busy/chaotic at the moment. I hope to get through the rest of the changes by the end of the week. |
cryptoki/src/slot/mod.rs
Outdated
| /// If `None`, this information was unavailable. | ||
| /// If `Some(None)` there is no maximum, meaning the value is effectively infinite | ||
| /// If `Some(Some(n))` the maximum number of sessions is `n` |
There was a problem hiding this comment.
Would this be cleaner if we used an enum like:
enum SomethingTokenInfo
{
Unavailable,
Infinite,
Defined(u64)
}There was a problem hiding this comment.
I definitely considered something like this, and could still be talked into it. I ended up going with this one for a few reasons:
- At the time, I wasn't sure how widely used the two special constants were that make this necessary, and wasn't sold on creating a new type if it turned out to be just this spot. Taking a look at the standard, that does appear to be the case.
- Between the two options, if I later decide I was wrong and want to switch, it's marginally easier to replace standard types with custom ones than the other way around.
- The Option type comes with a lot of functionality attached for free like converting into a Result, and
flatten()which could be demonstrated in a doc comment. - Personal bias: This crate (really PCKS#11 itself) requires the use of a lot of jargon like "token" and "slot" and "object" that all have meaning specific to the standard. In that context, I'm a bit biased toward a smaller number of custom types for the sake of having the main ones easier to identify. I wouldn't necessarily feel the same way for other crates.
- Rust provides
Option::Noneprecisely to be a semantic equivalent to "unavailable" and avoid having to encode it into the type itself (a la a null pointer).
That last item seems to imply that an idomatic new type would look more like
enum Limit {
EffectivelyInfinite,
Defined(u64),
}and then return an Option<Limit>. But when I looked at that, I thought, "That's just anotherOption but it does less." and talked myself out of it.
cryptoki/src/slot/mod.rs
Outdated
| /// Returns None if the token is not equipped with a clock (i.e., | ||
| /// `self.clock_on_token() == false`) | ||
| pub fn utc_time(&self) -> Option<&str> { | ||
| // TODO |
There was a problem hiding this comment.
Ah, that's to myself, and is just part of my personal workflow. It would have (will be) removed before marking the PR ready for merge. I leave these behind for myself as I work (not always with explanatory text if the context is enough) when I have something I want to return to but not get sidetracked by right then or even have to switch contexts to a separate document. Any time I think I've reached my intended goal, I'll do a sweep for them, and they only occasionally make it into WIP commits.
In this case, I'd like to replace these raw bytes with an existing, functional date-time type TBD. But that's a completely different PR. So this tag is just going to get pulled out into a better note elsewhere.
|
I'm a little sad about b1a449d. I like having the ability to "pretty-print" the flag values, but I understand your reasoning. |
|
Also apologies about the comments on the outdated code, I was stepping through the commits reviewing them. |
|
DAMN.... I meant to merge the other one and ended up clicking on the wrong tab. Sorry everyone, I'll open a PR to revert this and you can take it over from there. Sorry again. |
This may be worth revisiting when the more fundamental changes stabilize. Until then, I'll note that most documentation will point you to |
Not ready for merge. Posting an initial draft for discussion.
This branch intends to rework how CK_FLAGS are abstracted in the API. As a test case, the commits so far update only
SlotInfoand its flags member. I wanted to get a sense of whether this was likely to be merged if I did the same for the remaining handful of flags types as well.The commit messages walk through individual changes, but here are the highlights:
These are all piled into one PR because they all change the same few types, but most of these can be broken out for acceptance or rejection independent of one another. I'd like to get and idea of which ones are welcome to make a roadmap for what to revert and what to duplicate on the other flags.