in aws_signing_helper/pkcs11_signer.go [432:502]
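// GetMatchingPKCSCerts loads the PKCS#11 module at lib, looks up the
// certificate objects matching the PKCS#11 URI uriStr and returns one
// CertificateContainer per match. Each container carries a freshly built
// PKCS#11 URI (token model/manufacturer/serial, slot description/manufacturer,
// object id/label and type=cert) identifying that certificate; if that URI
// cannot be formatted the container's URI is the empty string rather than the
// whole lookup failing.
//
// The PIN is taken from the optional "pin-value" query attribute of uriStr and
// only forwarded to getMatchingCerts; it is never copied into the returned
// URIs. A PIN embedded in a URI is only as private as the URI itself (process
// arguments, shell history, logs), so callers should prefer another PIN source
// where one is available.
//
// The module, session and login state are always released before returning,
// on success and on every error path. Errors from the PKCS#11 teardown calls
// are ignored, as in the original goto-based cleanup.
func GetMatchingPKCSCerts(uriStr string, lib string) (matchingCerts []CertificateContainer, err error) {
	uri := pkcs11uri.New()
	if err = uri.Parse(uriStr); err != nil {
		// Nothing has been opened yet, so there is nothing to tear down.
		return nil, err
	}
	// A missing pin-value is legitimate (the token may not require a login, or
	// the PIN may be supplied another way), so the lookup result is dropped.
	userPin, _ := uri.GetQueryAttribute("pin-value", false)

	var (
		session  pkcs11.SessionHandle
		loggedIn bool
	)
	module, err := initializePKCS11Module(lib)
	// Register teardown before inspecting err: a module handle returned
	// alongside an error is still finalized and destroyed, exactly as the
	// previous cleanUp label did.
	defer func() {
		if module == nil {
			return
		}
		if session != 0 {
			if loggedIn {
				module.Logout(session)
			}
			module.CloseSession(session)
		}
		module.Finalize()
		module.Destroy()
	}()
	if err != nil {
		return nil, err
	}

	slots, err := enumerateSlotsInPKCS11Module(module)
	if err != nil {
		return nil, err
	}

	var (
		slot     SlotIdInfo
		certObjs []CertObjInfo
	)
	// session and loggedIn are assigned by this multi-value assignment even
	// when err is non-nil, so the deferred teardown sees whatever was opened.
	slot, session, loggedIn, certObjs, err = getMatchingCerts(module, slots, uri, userPin, false)
	if err != nil {
		return nil, err
	}

	// Appending to the nil slice keeps the "no match" result nil, as before.
	for _, obj := range certObjs {
		// The -1 in the first field is kept from the original; its meaning is
		// defined by CertificateContainer elsewhere in the package.
		matchingCerts = append(matchingCerts, CertificateContainer{-1, obj.cert, matchedPKCS11CertURI(slot, obj)})
	}
	return matchingCerts, nil
}

// matchedPKCS11CertURI builds the PKCS#11 URI that identifies the certificate
// object obj on the token in slot. Only path attributes are set — in
// particular no pin-value query attribute — so the result is safe to show to
// users. A formatting failure yields the empty string, since the caller treats
// the URI as informational.
func matchedPKCS11CertURI(slot SlotIdInfo, obj CertObjInfo) string {
	u := pkcs11uri.New()
	u.AddPathAttribute("model", slot.tokInfo.Model)
	u.AddPathAttribute("manufacturer", slot.tokInfo.ManufacturerID)
	u.AddPathAttribute("serial", slot.tokInfo.SerialNumber)
	u.AddPathAttribute("slot-description", slot.info.SlotDescription)
	u.AddPathAttribute("slot-manufacturer", slot.info.ManufacturerID)
	if obj.id != nil {
		// Raw object id bytes are passed through unchanged; the URI library is
		// presumably responsible for percent-encoding them on Format (verify).
		u.AddPathAttribute("id", string(obj.id[:]))
	}
	if obj.label != nil {
		u.AddPathAttribute("object", string(obj.label[:]))
	}
	u.AddPathAttribute("type", "cert")
	s, err := u.Format() // nosemgrep
	if err != nil {
		return ""
	}
	return s
}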