Filter out sensitive attributes from searches

Signed-off-by: Simo Sorce <[email protected]>
latchset · Nov 22, 2024 · 8f7c9d4 · 8f7c9d4
1 parent d0060c8
commit 8f7c9d4
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/src/storage/nssdb/attrs.rs b/src/storage/nssdb/attrs.rs
@@ -245,3 +245,22 @@ pub fn ignore_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {
     }
     return false;
 }
+
+pub static NSS_SENSITIVE_ATTRIBUTES: [CK_ATTRIBUTE_TYPE; 7] = [
+    CKA_VALUE,
+    CKA_PRIVATE_EXPONENT,
+    CKA_PRIME_1,
+    CKA_PRIME_2,
+    CKA_EXPONENT_1,
+    CKA_EXPONENT_2,
+    CKA_COEFFICIENT,
+];
+
+pub fn is_sensitive_attribute(attr: CK_ATTRIBUTE_TYPE) -> bool {
+    for a in &NSS_SENSITIVE_ATTRIBUTES {
+        if attr == *a {
+            return true;
+        }
+    }
+    return false;
+}
diff --git a/src/storage/nssdb/mod.rs b/src/storage/nssdb/mod.rs
@@ -445,9 +445,14 @@ impl NSSStorage {
                         CKO_PUBLIC_KEY | CKO_CERTIFICATE => do_keys = false,
                         _ => return Err(CKR_ATTRIBUTE_VALUE_INVALID)?,
                     }
-                    break;
                 }
             }
+            /* In NSSDB sensitive attributes are encrypted, so we can check
+             * if the template is searching for any of the encrypted
+             * attributes and if so just fail immediately */
+            if is_sensitive_attribute(template[idx].type_) {
+                return Err(CKR_ATTRIBUTE_SENSITIVE)?;
+            }
         }
 
         /* if neither was excluded we may be asked for both */
@@ -741,7 +746,6 @@ impl Storage for NSSStorage {
         let mut ids = self.search_databases(template)?;
         let mut result = Vec::<CK_OBJECT_HANDLE>::with_capacity(ids.len());
         for id in ids.drain(..) {
-            /* FIXME: check for sensitive ! */
             let handle = match facilities.handles.get_by_uid(&id) {
                 Some(h) => *h,
                 None => {