RE: [pkcs11] Async Operations - comments

[Jonathan Schulze-Hewett <schulze-hewett@infoseccorp.com>]

Hi Darren,

 

Thanks for the detailed feedback. It is much appreciated.

 

1. Tokens must support synchronous sessions. We wanted to be clear that tokens must continue to support the current way of doing things and not switch to only supporting async sessions.
2. The input to C_AsyncComplete is CK_ASYNC_DATA_PTR so C_AsyncComplete can update any of the fields in the structure without them needing to be pointers. That being said, by the same logic, CK_OBJECT_HANDLE_PTR should just be CK_OBJECT_HANDLE. Iâll update.
3. The original buffer refers to the buffer supplied to whatever function was called. I think itâs always a buffer input to a function to contain the âoutput valueâ (i.e., from C_SignFinal, C_Encrypt, etc.). I view this as a buffer input to the function, but youâre seeing it as a buffer to contain output. Iâm happy to call it whatever makes it clearer to everyone. The values in CK_ASYNC_DATA are not input values. They are exclusively output values to be filled in by the C_AsyncComplete function. ulValue and pValue are for the callerâs convenience so that the caller does not have to keep track of the buffer. If C_AsyncComplete returns CKR_PENDING what happens to the CK_ASYNC_DATA structure is undefined. If anyone has language that would help improve the clarify of this Iâll add it in.
4. The intent of the red text is to cover a reboot or restart of the calling application. To enable an application to start an operation, quit, and then check on it later. We did not have a discussion around authentication requirements and itâs up to the module as to what restrictions to place on the session trying to join. We have left the meaning of the ID up to the particular module. My goal was to specify it to the point where it was possible to implement the functionality and leave the details to the implementers.
5. Indeed. Iâll fix.
6. pData and ulData are input to C_AsyncJoin so that they can be returned in the future C_AsyncComplete call. They can be NULL if the original function, say C_GenerateKey pair (which is what got me into this mess in the first place), doesnât take a buffer. Something stating that implementerâs should carefully consider whether or not to use the supplied buffers as the caller may quit on them seems reasonable to me. Anyone care to suggest some language?
7. As in 6, pData and ulData are input to C_AsyncJoin so that they can be returned in the future C_AsyncComplete call.

 

The big thing that was confusing to me at first is the whole C_AsyncComplete NOT taking input values. My first example had C_AsyncComplete returning CKR_BUFFER_TOO_SMALL and then being called again with a properly sized buffer, but thatâs not how it would work (thank you Dieter for explaining my own proposal to me). If C_AsyncComplete returns CKR_BUFFER_TOO_SMALL, the application needs to call the original function again with a properly sized buffer (C_SignFinal then C_AsyncComplete then C_SignFinal again with proper buffer then C_AsyncComplete).

 

Iâll update the doc with changes for 2 and 5 above and with any changes arising from the next email on the subject 😊 If anyone has suggestions for language on 3 and 6 please send it!

 

Sincerely,

Jonathan

 

 

 

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of JOHNSON Darren
Sent: Wednesday, February 15, 2023 9:35 AM
To: pkcs11@lists.oasis-open.org
Subject: [EXT][pkcs11] Async Operations - comments

 

THIS MESSAGE COMES FROM AN EXTERNAL SOURCE. PLEASE VERIFY THE CONTENTS OF THIS MESSAGE BEFORE PROCEEDING.

I missed all the discussions around this proposal.  So I apologize if Iâm asking questions that were already discussed and resolved.

 

1. in section 4.b, it states âIf the token does not support asynchronous operations, it should return CKR_SESSION_ASYNC_NOT_SUPPORTED. Tokens must support synchronous sessions. Tokens may support asynchronous sessions and may return CKR_PENDING if the token determines that the operation will take a long time to conclude.â .

I assume the first part, âTokens must support synchronous sessionsâ is going to be removed?  Tokens may support async sessions.

 

2. In CK_ASYNC_DATA, the field ulValue is defined as CK_ULONG.  But shouldnât it be CK_ULONG_PTR and pulValueLen as this is going to receive the data and is expected to follow the conventions for all functions returning data?

 

3. In CK_ASYNC_DATA, pValue is defined as âon completion contains a pointer to the original input buffer, caller is responsible for freeing this memoryâ.

 

Is this supposed to say âoriginal input bufferâ?  Or should it be âoriginal output bufferâ?

Whether the operation is âon completionâ or âstill processingâ, this value should always âpoints to the location that receives the resultâ.  The state of the operation is unknown to the caller, and should not have an impact on the value of âpValueâ, Right?

On completion, the result is copied there.

 

Do we really require that it is the âsameâ buffer?   Does that imply that we are assuming/expecting or just allowing providers to make use of that buffer during the operation?  Which may make sense for memory constrained environments.  and may also make sense if a token is streaming result data out and filling this buffer as it progresses.

Or should we be more strict and not have this requirement for the âsameâ buffer, which means the provider should not use any of the applications memory.  This would be problematic in many cases I think

 

Regardless, we should clearly state who is the owner of that buffer while the operation is being processed asynchronously.

 

âIfâ it must be the same buffer, should we really require it to be re-provided?  Should we require any of the output pointers to be re-provided?  What is the reason for them to be re-provided?

 

4. In the summary/introduction, it states âreestablish the application/module connection with respect to the asynchronous operationâ.  To be clear, this feature is only covering the case where a session is closed, and the operation is joined/connected to a different session; be it a newly opened session or an existing session.  All of this is within the context of single successful calls to C_Initailize->C_Finalize .    There is no expectation for this to span successful calls to C_Finalize->C_Initalize, right?

 

Looking back at the meeting minutes, I see that this update to the proposal is supposed to cover a reboot.  Is that true?  So an application can be restarted, and attempt to join the operation?

 

Was there any discussion around authentication requirements?  About which role/user initiated the operation vs what role/user is joining the operation?  I would assume that only the same role (and user if a user was authenticated) could resume the operation.  Or is the âIDâ value essentially treated like an authorization token and grants rights for any role/user to join the operation?  Whatever the answer is, it should be documented.

 

What about the current roleâs/userâs ability to access and use the key that is currently being used for the operation.  Without requiring the same role/user that was used to initiate the operation, we get in to discussions around escalation.

 

5. C_AsyncGetID description use âpResultâ instead of âpulIDâ.

 

6. C_AsyncGetID.  Maybe this is just a providerâs problem to deal with and may feed in to their decision to allow this call to succeed or not.  Related to the questions about the result buffer, the wording above suggests that a provider would be able to use the result buffer when handling asynchronous operationsâ because the call to C_AsyncComplete must pass in the same pointer.  So then after a successful call to C_AsyncGetID , the original memory pointed to by the result point (be it form the original call, or any following calls to C_AsyncComplete) must no longer be referenced by the provider.

This may not be obvious to all readers and should probably be mentioned.

 

7. C_AsyncJoin; the field ulValue is defined as CK_ULONG.  But shouldnât it be CK_ULONG_PTR and pulValueLen as this is going to receive the data and is expected to follow the conventions for all functions returning data?  Also, if no output is returned, isnât it better to set the pulDataLen value to 0?

This question may be ignored as it may be addressed by the next question below.

 

Why should C_AsyncJoin need to provide pData and ulData?  From what I understand, the application will need to call C_AsyncComplete, right?  so the output buffer will be provided via CK_ASYNC_DATA?  Requiring pData and ulData during the C_AsyncJoin would only be necessary if we think the provider will need to make use of that memory while processing the operation.  But the operation has gone through a C_AsyncGetID, so it must already have decoupled itself from any application memory space and is presumably still processing

 

Shouldnât C_AsyncJoin pass CKA_ASYNC_DATA as a parameter so that all of the output locations are provided and not just the buffer?

 

It seems to me that C_AsyncJoin should just join the operation followed by C_AsyncComplete, which will provide all the output pointers/buffers and attempt to complete the operation.

 

 

 

Thanks

Darren

 

 

 

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature