F-2369 - https://fenrir.wolfssl.com/finding/2369 - Enforce CKA_PRIVATE access control in WP11_Object_Find

Author: aidangarske

src/internal.c

@@ -9154,8 +9154,24 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,
         WP11_Lock_UnlockRO(&session->slot->token.lock);
     }
 
-    if (obj && (obj->handle == objHandle))
-        *object = obj;
+    if (ret == 0 && obj != NULL && (obj->handle == objHandle)) {
+        /* Enforce CKA_PRIVATE: reject private objects from public sessions */
+        if ((obj->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {
+            int loginState;
+            if (!onToken)
+                WP11_Lock_LockRO(&session->slot->token.lock);
+            loginState = session->slot->token.loginState;
+            if (!WP11_Slot_Has_Empty_Pin(session->slot) &&
+                (loginState == WP11_APP_STATE_RW_PUBLIC ||
+                 loginState == WP11_APP_STATE_RO_PUBLIC)) {
+                ret = BAD_FUNC_ARG;
+            }
+            if (!onToken)
+                WP11_Lock_UnlockRO(&session->slot->token.lock);
+        }
+        if (ret == 0)
+            *object = obj;
+    }
 
     return ret;
 }

tests/pkcs11test.c

@@ -16461,6 +16461,67 @@ static CK_RV test_private_object_access(void* args)
     return ret;
 }
 
+static CK_RV test_private_object_handle_access(void* args)
+{
+    CK_SESSION_HANDLE session = *(CK_SESSION_HANDLE*)args;
+    CK_RV ret;
+    CK_OBJECT_HANDLE obj = CK_INVALID_HANDLE;
+    static byte keyData[] = { 0x01, 0x02, 0x03, 0x04 };
+    CK_BBOOL isPrivate = CK_TRUE;
+    CK_ATTRIBUTE tmpl[] = {
+        { CKA_CLASS,             &secretKeyClass,   sizeof(secretKeyClass)    },
+        { CKA_KEY_TYPE,          &genericKeyType,   sizeof(genericKeyType)    },
+        { CKA_VALUE,             keyData,           sizeof(keyData)           },
+        { CKA_PRIVATE,           &isPrivate,        sizeof(isPrivate)         },
+        { CKA_TOKEN,             &ckTrue,           sizeof(ckTrue)            },
+    };
+    CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
+    CK_ULONG valueLen = 0;
+    CK_ATTRIBUTE getValueTmpl = { CKA_VALUE_LEN, &valueLen, sizeof(valueLen) };
+    byte iv[16];
+    CK_MECHANISM mech;
+
+    memset(iv, 9, sizeof(iv));
+    mech.mechanism      = CKM_SHA256_HMAC;
+    mech.ulParameterLen = 0;
+    mech.pParameter     = NULL;
+
+    /* Create a private token object while logged in */
+    ret = funcList->C_CreateObject(session, tmpl, tmplCnt, &obj);
+    CHECK_CKR(ret, "Create Private Object for handle test");
+
+    if (ret == CKR_OK) {
+        ret = funcList->C_Logout(session);
+        CHECK_CKR(ret, "Logout for handle test");
+    }
+
+    /* Try direct handle access via C_GetAttributeValue — should fail */
+    if (ret == CKR_OK) {
+        ret = funcList->C_GetAttributeValue(session, obj, &getValueTmpl, 1);
+        CHECK_CKR_FAIL(ret, CKR_OBJECT_HANDLE_INVALID,
+                        "GetAttributeValue on private obj when not logged in");
+    }
+
+    /* Try direct handle access via C_SignInit — should fail */
+    if (ret == CKR_OK) {
+        ret = funcList->C_SignInit(session, &mech, obj);
+        CHECK_CKR_FAIL(ret, CKR_OBJECT_HANDLE_INVALID,
+                        "SignInit on private obj when not logged in");
+    }
+
+    /* Re-login and clean up */
+    if (ret == CKR_OK) {
+        ret = funcList->C_Login(session, CKU_USER, userPin, userPinLen);
+        CHECK_CKR(ret, "Re-login after handle test");
+    }
+
+    if (obj != CK_INVALID_HANDLE) {
+        funcList->C_DestroyObject(session, obj);
+    }
+
+    return ret;
+}
+
 /* C_GetAttributeValue must process all attributes in the template even when one
  * returns an error, setting ulValueLen to (CK_ULONG)-1 for invalid types and
  * returning the accumulated error. */
@@ -16994,6 +17055,7 @@ static TEST_FUNC testFunc[] = {
     PKCS11TEST_FUNC_SESS_DECL(test_get_attr_value_all_processed),
     PKCS11TEST_FUNC_SESS_DECL(test_find_objects),
     PKCS11TEST_FUNC_SESS_DECL(test_private_object_access),
+    PKCS11TEST_FUNC_SESS_DECL(test_private_object_handle_access),
     PKCS11TEST_FUNC_SESS_DECL(test_encrypt_decrypt),
 #ifndef NO_AES
     PKCS11TEST_FUNC_SESS_DECL(test_encrypt_decrypt_op_not_supported),