in aws_signing_helper/pkcs11_signer.go [233:308]
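// getCertsInSession enumerates the certificate objects in session that match
// uri and returns them as CertObjInfo values.
//
// The search template is built from uri via getFindTemplate with class
// CKO_CERTIFICATE. For each matching object the CKA_VALUE attribute is read
// and parsed as a DER X.509 certificate; CKA_ID and CKA_LABEL are read as
// well so the matching private key can be located later. CKA_ID and
// CKA_LABEL are best effort: if the token does not return them the
// corresponding fields are left empty and no error is reported.
//
// The find operation opened with FindObjectsInit is closed with
// FindObjectsFinal on every path, including when FindObjects fails, so the
// session is not left with an active search that would make the next
// FindObjectsInit fail.
//
// slotId is accepted for interface compatibility and is not used here.
//
// Returns an error if the find operation cannot be started, iterated or
// closed, if CKA_VALUE cannot be read for a matching object, or if a
// certificate value does not parse. With no matching objects, certs is nil
// and err is nil.
func getCertsInSession(module *pkcs11.Ctx, slotId uint, session pkcs11.SessionHandle, uri *pkcs11uri.Pkcs11URI) (certs []CertObjInfo, err error) {
	// Convert the URI into a template for FindObjectsInit().
	templateCrt := getFindTemplate(uri, pkcs11.CKO_CERTIFICATE)
	if err = module.FindObjectsInit(session, templateCrt); err != nil {
		return nil, err
	}

	var certObjects []pkcs11.ObjectHandle
	for {
		var batch []pkcs11.ObjectHandle
		batch, _, err = module.FindObjects(session, MAX_OBJECT_LIMIT)
		if err != nil {
			// Close the search before bailing out; the FindObjects error is
			// the one the caller needs, so the Final result is dropped.
			_ = module.FindObjectsFinal(session)
			return nil, err
		}
		if len(batch) == 0 {
			break
		}
		certObjects = append(certObjects, batch...)
		// A short batch means the token has no more matching objects.
		if len(batch) < MAX_OBJECT_LIMIT {
			break
		}
	}
	if err = module.FindObjectsFinal(session); err != nil {
		return nil, err
	}

	// readAttr fetches a single attribute of obj. It guards against a token
	// returning fewer attributes than requested, which would otherwise be an
	// out-of-range index.
	readAttr := func(obj pkcs11.ObjectHandle, attrType uint) ([]byte, error) {
		attrs, attrErr := module.GetAttributeValue(session, obj, []*pkcs11.Attribute{
			pkcs11.NewAttribute(attrType, 0),
		})
		if attrErr != nil {
			return nil, attrErr
		}
		if len(attrs) == 0 {
			return nil, errors.New("attribute not returned by token")
		}
		return attrs[0].Value, nil
	}

	for _, certObject := range certObjects {
		rawCert, valErr := readAttr(certObject, pkcs11.CKA_VALUE)
		if valErr != nil {
			return nil, valErr
		}

		var certObj CertObjInfo
		certObj.certObject = certObject
		certObj.cert, err = x509.ParseCertificate(rawCert) // nosemgrep
		if err != nil {
			return nil, errors.New("error parsing certificate")
		}

		// Fetch the CKA_ID and CKA_LABEL of the matching cert(s), so that
		// they can be used later when hunting for the matching key. Both are
		// optional on a certificate object, so a failure here is not fatal.
		if id, idErr := readAttr(certObject, pkcs11.CKA_ID); idErr == nil {
			certObj.id = id
		}
		if label, labelErr := readAttr(certObject, pkcs11.CKA_LABEL); labelErr == nil {
			certObj.label = label
		}

		certs = append(certs, certObj)
	}
	return certs, nil
}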