
Commit 5cbde15

author
Lars Silvén
committedMar 9, 2021
Do not refresh object store before fetching object.
Before this commit the object store for a file token was always refreshed by reading the file of the token every time an object of the token was fetched. Now the HSM may be configured not to refresh when fetching an object. But the refresh will still be done after an application gets a handle for an object. The reason for this change is that the CPU time consumed by the reading may not be negligible for some HW.
1 parent 3593859 commit 5cbde15

14 files changed

+79
-36
lines changed
 

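--- a/src/lib/SoftHSM.cpp
+++ b/src/lib/SoftHSM.cpp
@@ -609,6 +609,8 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs)
 // Load the handle manager
 handleManager = new HandleManager();
 
+doRefresh = Configuration::i()->getBool("objectstore.readrefresh", true);
+
 // Set the state to initialised
 isInitialised = true;
 
@@ -1598,7 +1600,7 @@ CK_RV SoftHSM::C_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject
 
 // Check the object handle.
 OSObject *object = (OSObject *)handleManager->getObject(hObject);
-if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL wasOnToken = object->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL wasPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1767,7 +1769,7 @@ CK_RV SoftHSM::C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 // Check the object handle.
 OSObject *object = (OSObject *)handleManager->getObject(hObject);
-if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1815,7 +1817,7 @@ CK_RV SoftHSM::C_GetObjectSize(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 // Check the object handle.
 OSObject *object = (OSObject *)handleManager->getObject(hObject);
-if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 *pulSize = CK_UNAVAILABLE_INFORMATION;
 
@@ -1839,7 +1841,7 @@ CK_RV SoftHSM::C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 // Check the object handle.
 OSObject *object = (OSObject *)handleManager->getObject(hObject);
-if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1886,7 +1888,7 @@ CK_RV SoftHSM::C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 // Check the object handle.
 OSObject *object = (OSObject *)handleManager->getObject(hObject);
-if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -2156,7 +2158,7 @@ CK_RV SoftHSM::SymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2403,7 +2405,7 @@ CK_RV SoftHSM::AsymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2875,7 +2877,7 @@ CK_RV SoftHSM::SymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3123,7 +3125,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3766,7 +3768,7 @@ CK_RV SoftHSM::C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hObject);
-if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3917,7 +3919,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4069,7 +4071,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4895,7 +4897,7 @@ CK_RV SoftHSM::MacVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMecha
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -5047,7 +5049,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6407,7 +6409,7 @@ CK_RV SoftHSM::C_WrapKey
 
 // Check the wrapping key handle.
 OSObject *wrapKey = (OSObject *)handleManager->getObject(hWrappingKey);
-if (wrapKey == NULL_PTR || !wrapKey->isValid()) return CKR_WRAPPING_KEY_HANDLE_INVALID;
+if (wrapKey == NULL_PTR || !wrapKey->isValid(doRefresh)) return CKR_WRAPPING_KEY_HANDLE_INVALID;
 
 CK_BBOOL isWrapKeyOnToken = wrapKey->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isWrapKeyPrivate = wrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -6449,7 +6451,7 @@ CK_RV SoftHSM::C_WrapKey
 
 // Check the to be wrapped key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6805,7 +6807,7 @@ CK_RV SoftHSM::C_UnwrapKey
 
 // Check the unwrapping key handle.
 OSObject *unwrapKey = (OSObject *)handleManager->getObject(hUnwrappingKey);
-if (unwrapKey == NULL_PTR || !unwrapKey->isValid()) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
+if (unwrapKey == NULL_PTR || !unwrapKey->isValid(doRefresh)) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
 
 CK_BBOOL isUnwrapKeyOnToken = unwrapKey->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isUnwrapKeyPrivate = unwrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -7098,7 +7100,7 @@ CK_RV SoftHSM::C_DeriveKey
 
 // Check the key handle.
 OSObject *key = (OSObject *)handleManager->getObject(hBaseKey);
-if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -10201,7 +10203,7 @@ CK_RV SoftHSM::deriveDH
 
 // Get the base key handle
 OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-if (baseKey == NULL || !baseKey->isValid())
+if (baseKey == NULL || !baseKey->isValid(doRefresh))
 return CKR_KEY_HANDLE_INVALID;
 
 // Get the DH algorithm handler
@@ -10533,7 +10535,7 @@ CK_RV SoftHSM::deriveECDH
 
 // Get the base key handle
 OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-if (baseKey == NULL || !baseKey->isValid())
+if (baseKey == NULL || !baseKey->isValid(doRefresh))
 return CKR_KEY_HANDLE_INVALID;
 
 // Get the ECDH algorithm handler
@@ -10887,7 +10889,7 @@ CK_RV SoftHSM::deriveEDDSA
 
 // Get the base key handle
 OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-if (baseKey == NULL || !baseKey->isValid())
+if (baseKey == NULL || !baseKey->isValid(doRefresh))
 return CKR_KEY_HANDLE_INVALID;
 
 // Get the EDDSA algorithm handler
@@ -11413,7 +11415,7 @@ CK_RV SoftHSM::deriveSymmetric
 
 // Check the key handle
 OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-if (baseKey == NULL_PTR || !baseKey->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+if (baseKey == NULL_PTR || !baseKey->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 // Get the data
 ByteString secretValue;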
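Review bot: The configured `doRefresh` is also applied on the two mutating paths, C_DestroyObject (hunk @@ -1767) and C_SetAttributeValue (hunk @@ -1886), although the man page added in this commit scopes the optimisation to objects that are "used but not changed"; with `objectstore.readrefresh = false` these calls validate and then act on a possibly stale in-memory copy, so an attribute change or deletion made by another process can be lost unless setAttribute/destroy refresh on their own, which nothing in these hunks shows. Keeping `!object->isValid(true)` on those two paths would match the explicit `isValid(true)` already used in DBToken::createObject and limit the staleness window to read-only use. The same consideration applies to C_CopyObject (hunk @@ -1598), which copies attributes that may have just been modified elsewhere. Every enclosing function starts and ends outside its hunk.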

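--- a/src/lib/SoftHSM.h
+++ b/src/lib/SoftHSM.h
@@ -186,6 +186,8 @@ class SoftHSM
 // Is the SoftHSM PKCS #11 library initialised?
 bool isInitialised;
 bool isRemovable;
+// Do refresh of all objects from storage before validating.
+bool doRefresh;
 
 SessionObjectStore* sessionObjectStore;
 ObjectStore* objectStore;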
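Review bot: `bool doRefresh;` is declared without an initializer and no constructor change is part of this commit, so the member is indeterminate until C_Initialize assigns it; any isValid(doRefresh) call reached before that assignment (or after a reset that clears state without re-reading the configuration) would read an uninitialised bool. Initialise it to the safe default where `isInitialised` is set up in the SoftHSM constructor, `doRefresh = true;`, so that "always refresh" holds unless the configuration explicitly turns it off. The class body continues outside the hunk.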

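--- a/src/lib/common/Configuration.cpp
+++ b/src/lib/common/Configuration.cpp
@@ -51,6 +51,7 @@ const struct config Configuration::valid_config[] = {
 { "slots.removable", CONFIG_TYPE_BOOL },
 { "slots.mechanisms", CONFIG_TYPE_STRING },
 { "library.reset_on_fork", CONFIG_TYPE_BOOL },
+{ "objectstore.readrefresh", CONFIG_TYPE_BOOL },
 { "", CONFIG_TYPE_UNSUPPORTED }
 };
 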
5657

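--- a/src/lib/common/softhsm2.conf.5.in
+++ b/src/lib/common/softhsm2.conf.5.in
@@ -102,6 +102,32 @@ library.reset_on_fork = true
 .fi
 .RE
 .LP
+.SH OBJECTSTORE.READREFRESH
+If set to false, then this will affect the refreshing of the object store in
+the following way before an object is used but not changed:
+.IP * 2
+No files will be read if 'objectstore.backend = file'.
+.IP * 2
+No wait for mutex to unlock if 'objectstore.backend = db'.
+.LP
+Depending of what kind of HW that is used setting 'false' may improve the
+performance of the HSM.
+.LP
+But the drawback is that if one processes is using an object handle from a
+token for multiple function calls then this process may still use the old
+unmodified or deleted object even if it is changed or deleted. Another
+process may have called C_DestroyObject or C_SetAttributeValue. But every
+time a process gets a new handle for an object the objectstore of this
+process is updated for all objects even if this property is false.
+.LP
+Default is true.
+.LP
+.RS
+.nf
+objectstore.readrefresh = false
+.fi
+.RE
+.LP
 .SH ENVIRONMENT
 .TP
 SOFTHSM2_CONF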

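--- a/src/lib/common/softhsm2.conf.in
+++ b/src/lib/common/softhsm2.conf.in
@@ -15,3 +15,6 @@ slots.mechanisms = ALL
 
 # If the library should reset the state on fork
 library.reset_on_fork = false
+
+# Set to false if there should be no update of a token objects each time it is used.
+objectstore.readrefresh = true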

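--- a/src/lib/object_store/DBObject.cpp
+++ b/src/lib/object_store/DBObject.cpp
@@ -1362,10 +1362,15 @@ bool DBObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool DBObject::isValid()
+// If not 'doRefresh' we know that the object allready exists in the DB
+// and hence _objectId should have been initialized.
+bool DBObject::isValid(const bool doRefresh)
 {
-MutexLocker lock(_mutex);
-
+if (doRefresh)
+{
+// Wait for update of object.
+MutexLocker lock(_mutex);
+}
 return _objectId != 0 && _connection != NULL;
 }
 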
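Review bot: The rewritten isValid narrows the lock to an empty scope: `MutexLocker lock(_mutex);` inside the `if (doRefresh)` block is released before `return _objectId != 0 && _connection != NULL;` executes, whereas the old code held `_mutex` across that read, so even the refresh path now reads both members unsynchronised and the lock acts only as a barrier that has already passed. Move the return into the locked block, `if (doRefresh) { MutexLocker lock(_mutex); return _objectId != 0 && _connection != NULL; }`, and keep the unlocked read only for the `doRefresh == false` branch. The new header comment should also say why the unlocked read is safe in that branch rather than "should have been initialized" (and "allready" is a typo).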

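--- a/src/lib/object_store/DBObject.h
+++ b/src/lib/object_store/DBObject.h
@@ -96,7 +96,7 @@ class DBObject : public OSObject
 virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 // The validity state of the object
-virtual bool isValid();
+virtual bool isValid(bool doRefresh);
 
 // Start an attribute set transaction; this method is used when - for
 // example - a key is generated and all its attributes need to be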

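--- a/src/lib/object_store/DBToken.cpp
+++ b/src/lib/object_store/DBToken.cpp
@@ -679,7 +679,7 @@ OSObject *DBToken::createObject()
 return NULL;
 }
 
-if (!newObject->isValid())
+if (!newObject->isValid(true))
 {
 newObject->abortTransaction();
 delete newObject;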

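--- a/src/lib/object_store/OSObject.h
+++ b/src/lib/object_store/OSObject.h
@@ -64,7 +64,8 @@ class OSObject
 virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type) = 0;
 
 // The validity state of the object
-virtual bool isValid() = 0;
+// If doRefresh==true then update the object from the storage before validating.
+virtual bool isValid(bool doRefresh=true) = 0;
 
 // Start an attribute set transaction; this method is used when - for
 // example - a key is generated and all its attributes need to be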

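--- a/src/lib/object_store/ObjectFile.cpp
+++ b/src/lib/object_store/ObjectFile.cpp
@@ -262,11 +262,13 @@ bool ObjectFile::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 return valid;
 }
 
-// The validity state of the object (refresh from disk as a side effect)
-bool ObjectFile::isValid()
+// The validity state of the object (may refresh from disk as a side effect)
+bool ObjectFile::isValid(const bool doRefresh)
 {
-refresh();
-
+if(doRefresh)
+{
+refresh();
+}
 return valid;
 }
 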
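Review bot: `if(doRefresh)` drops the space used by the surrounding code and by the matching DBObject change in this same commit (`if (doRefresh)`); write `if (doRefresh)` for consistency. Because the refresh is now conditional, the declaration comment in ObjectFile.h still reading "(refresh from disk as a side effect)" no longer matches this definition; update it to `// The validity state of the object (refreshes from disk as a side effect when doRefresh is true)`.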

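--- a/src/lib/object_store/ObjectFile.h
+++ b/src/lib/object_store/ObjectFile.h
@@ -76,7 +76,7 @@ class ObjectFile : public OSObject
 virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 // The validity state of the object (refresh from disk as a side effect)
-virtual bool isValid();
+virtual bool isValid(bool doRefresh=true);
 
 // Invalidate the object file externally; this method is normally
 // only called by the OSToken class in case an object file has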

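--- a/src/lib/object_store/SessionObject.cpp
+++ b/src/lib/object_store/SessionObject.cpp
@@ -217,7 +217,8 @@ bool SessionObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool SessionObject::isValid()
+// the doRefresh parameter has no meaning for this implementation since noting is stored on disk.
+bool SessionObject::isValid(const bool doRefresh __attribute__((unused)))
 {
 return valid;
 }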

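--- a/src/lib/object_store/SessionObject.h
+++ b/src/lib/object_store/SessionObject.h
@@ -73,7 +73,7 @@ class SessionObject : public OSObject
 virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 // The validity state of the object
-virtual bool isValid();
+virtual bool isValid(bool doRefresh);
 
 bool hasSlotID(CK_SLOT_ID inSlotID);
 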
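--- a/src/lib/object_store/SessionObjectStore.cpp
+++ b/src/lib/object_store/SessionObjectStore.cpp
@@ -106,7 +106,7 @@ SessionObject* SessionObjectStore::createObject(CK_SLOT_ID slotID, CK_SESSION_HA
 // Create the new object file
 SessionObject* newObject = new SessionObject(this, slotID, hSession, isPrivate);
 
-if (!newObject->isValid())
+if (!newObject->isValid(false))
 {
 ERROR_MSG("Failed to create new object");
 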