pkcs11/_pkcs11.pyx: add support for protected authentication

Grant Sowards · Grant Sowards · commit 7f6276825696 · 2020-06-04T16:24:30.000-06:00
diff --git a/pkcs11/_pkcs11.pyx b/pkcs11/_pkcs11.pyx
@@ -225,7 +225,7 @@ class Slot(types.Slot):
 class Token(types.Token):
     """Extend Token with implementation."""
 
-    def open(self, rw=False, user_pin=None, so_pin=None):
+    def open(self, rw=False, user_pin=None, so_pin=None, p_auth=False):
         cdef CK_SESSION_HANDLE handle
         cdef CK_FLAGS flags = CKF_SERIAL_SESSION
         cdef CK_USER_TYPE user_type
@@ -235,6 +235,13 @@ class Token(types.Token):
 
         if user_pin is not None and so_pin is not None:
             raise ArgumentsBad("Set either `user_pin` or `so_pin`")
+        elif user_pin is not None and use_pap:
+            raise ArgumentsBad("Set either `user_pin` or `p_auth`")
+        elif so_pin is not None and use_pap:
+            raise ArgumentsBad("Set either `so_pin` or `p_auth`")
+        elif p_auth:
+            pin = None
+            user_type = CKU_USER
         elif user_pin is not None:
             pin = user_pin.encode('utf-8')
             user_type = CKU_USER
@@ -247,7 +254,12 @@ class Token(types.Token):
 
         assertRV(_funclist.C_OpenSession(self.slot.slot_id, flags, NULL, NULL, &handle))
 
-        if pin is not None:
+        if p_auth:
+            if self.flags & TokenFlag.PROTECTED_AUTHENTICATION_PATH:
+                assertRV(_funclist.C_Login(handle, user_type, NULL, < CK_ULONG > 0))
+            else:
+                raise ArgumentsBad('Protected authentication is not supported by loaded module')
+        elif pin is not None:
             assertRV(_funclist.C_Login(handle, user_type, pin, <CK_ULONG> len(pin)))
 
         return Session(self, handle, rw=rw, user_type=user_type)
