Address skoll review and fix CI

aidangarske · aidangarske · commit 9595cf51b7ac · 2026-04-10T15:21:46.000-07:00
- src/internal.c — WP11_Object_Find private-access check now uses slot-&gt;lock consistently (matches WP11_Slot_IsLoggedIn pattern) instead of conditionally using token.lock only
  for non-token objects
  - tests/pkcs11mtt.c — Added CKA_SENSITIVE to test key templates so they work with the new CKA_SENSITIVE=TRUE default from F-2368. When extractable=TRUE, sensitive is set FALSE
  so tests can read key values. When extractable=FALSE, sensitive stays TRUE matching the hardened default. Applied to test_attribute, get_generic_key, get_rsa_priv_key,
  get_ecc_priv_key, and get_dh_priv_key.
diff --git a/src/internal.c b/src/internal.c
@@ -9175,16 +9175,14 @@ int WP11_Object_Find(WP11_Session* session, CK_OBJECT_HANDLE objHandle,
         /* Enforce CKA_PRIVATE: reject private objects from public sessions */
         if ((obj->opFlag & WP11_FLAG_PRIVATE) == WP11_FLAG_PRIVATE) {
             int loginState;
-            if (!onToken)
-                WP11_Lock_LockRO(&session->slot->token.lock);
+            WP11_Lock_LockRO(&session->slot->lock);
             loginState = session->slot->token.loginState;
             if (!WP11_Slot_Has_Empty_Pin(session->slot) &&
                 (loginState == WP11_APP_STATE_RW_PUBLIC ||
                  loginState == WP11_APP_STATE_RO_PUBLIC)) {
                 ret = BAD_FUNC_ARG;
             }
-            if (!onToken)
-                WP11_Lock_UnlockRO(&session->slot->token.lock);
+            WP11_Lock_UnlockRO(&session->slot->lock);
         }
         if (ret == 0)
             *object = obj;
diff --git a/tests/pkcs11mtt.c b/tests/pkcs11mtt.c
@@ -487,6 +487,7 @@ static CK_RV test_attribute(void* args)
         { CKA_CLASS,             &privKeyClass,     sizeof(privKeyClass)      },
         { CKA_KEY_TYPE,          &genericKeyType,   sizeof(genericKeyType)    },
         { CKA_EXTRACTABLE,       &ckTrue,           sizeof(ckTrue)            },
+        { CKA_SENSITIVE,         &ckFalse,          sizeof(ckFalse)           },
         { CKA_VALUE,             keyData,           sizeof(keyData)           },
     };
     CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl);
@@ -786,10 +787,12 @@ static CK_RV get_generic_key(CK_SESSION_HANDLE session, unsigned char* data,
                              CK_OBJECT_HANDLE* key)
 {
     CK_RV ret;
+    CK_BBOOL sensitive = (extractable == CK_TRUE) ? CK_FALSE : CK_TRUE;
     CK_ATTRIBUTE generic_key[] = {
         { CKA_CLASS,             &secretKeyClass,   sizeof(secretKeyClass)    },
         { CKA_KEY_TYPE,          &genericKeyType,   sizeof(genericKeyType)    },
         { CKA_EXTRACTABLE,       &extractable,      sizeof(CK_BBOOL)          },
+        { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_SIGN,              &ckTrue,           sizeof(ckTrue)            },
         { CKA_VERIFY,            &ckTrue,           sizeof(ckTrue)            },
         { CKA_VALUE,             data,              len                       },
@@ -2055,6 +2058,7 @@ static CK_RV get_rsa_priv_key(CK_SESSION_HANDLE session, unsigned char* privId,
                               CK_OBJECT_HANDLE* obj)
 {
     CK_RV ret;
+    CK_BBOOL sensitive = (extractable == CK_TRUE) ? CK_FALSE : CK_TRUE;
     CK_ATTRIBUTE rsa_2048_priv_key[] = {
         { CKA_CLASS,             &privKeyClass,     sizeof(privKeyClass)      },
         { CKA_KEY_TYPE,          &rsaKeyType,       sizeof(rsaKeyType)        },
@@ -2068,6 +2072,7 @@ static CK_RV get_rsa_priv_key(CK_SESSION_HANDLE session, unsigned char* privId,
         { CKA_COEFFICIENT,       rsa_2048_u,        sizeof(rsa_2048_u)        },
         { CKA_PUBLIC_EXPONENT,   rsa_2048_pub_exp,  sizeof(rsa_2048_pub_exp)  },
         { CKA_EXTRACTABLE,       &extractable,      sizeof(CK_BBOOL)          },
+        { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_TOKEN,             &ckTrue,           sizeof(ckTrue)            },
         { CKA_ID,                privId,            privIdLen                 },
     };
@@ -3401,10 +3406,12 @@ static CK_OBJECT_HANDLE get_ecc_priv_key(CK_SESSION_HANDLE session,
                                          CK_OBJECT_HANDLE* obj)
 {
     CK_RV ret;
+    CK_BBOOL sensitive = (extractable == CK_TRUE) ? CK_FALSE : CK_TRUE;
     CK_ATTRIBUTE ecc_p256_priv_key[] = {
         { CKA_CLASS,             &privKeyClass,     sizeof(privKeyClass)      },
         { CKA_KEY_TYPE,          &eccKeyType,       sizeof(eccKeyType)        },
         { CKA_EXTRACTABLE,       &extractable,      sizeof(CK_BBOOL)          },
+        { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_VERIFY,            &ckTrue,           sizeof(ckTrue)            },
         { CKA_EC_PARAMS,         ecc_p256_params,   sizeof(ecc_p256_params)   },
         { CKA_VALUE,             ecc_p256_priv,     sizeof(ecc_p256_priv)     },
@@ -4190,10 +4197,12 @@ static CK_OBJECT_HANDLE get_dh_priv_key(CK_SESSION_HANDLE session,
                                         CK_OBJECT_HANDLE* obj)
 {
     CK_RV ret;
+    CK_BBOOL sensitive = (extractable == CK_TRUE) ? CK_FALSE : CK_TRUE;
     CK_ATTRIBUTE dh_2048_priv_key[] = {
         { CKA_CLASS,             &privKeyClass,     sizeof(privKeyClass)      },
         { CKA_KEY_TYPE,          &dhKeyType,        sizeof(dhKeyType)         },
         { CKA_EXTRACTABLE,       &extractable,      sizeof(CK_BBOOL)          },
+        { CKA_SENSITIVE,         &sensitive,         sizeof(CK_BBOOL)          },
         { CKA_DERIVE,            &ckTrue,           sizeof(ckTrue)            },
         { CKA_PRIME,             dh_ffdhe2048_p,    sizeof(dh_ffdhe2048_p)    },
         { CKA_BASE,              dh_ffdhe2048_g,    sizeof(dh_ffdhe2048_g)    },
