in aws_signing_helper/pkcs11_signer.go [951:1021]
// Sign implements crypto.Signer for a PKCS#11-backed key. It resolves the
// certificate (via certUri when one is set, otherwise by enumerating the
// module's slots), locates the private key with getPKCS11Key, and signs
// digest through signHelper using the hash function from opts.
//
// The rand parameter is not used; all randomness comes from the token.
// On success the context-specific PIN returned by signHelper is cached on
// the signer. Whether the call succeeds or not, any session that was opened
// is logged out of (when a login happened) and closed before returning;
// errors from Logout and CloseSession are discarded as best-effort cleanup.
//
// Returns the signature bytes and a nil error, or the error reported by the
// first step that failed (the signature value is whatever that step returned).
func (pkcs11Signer *PKCS11Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
	// Evaluate the hash function up front, before any token state is touched.
	hashFunc := opts.HashFunc()

	module := pkcs11Signer.module
	userPin := pkcs11Signer.userPin
	alwaysAuth := pkcs11Signer.alwaysAuth
	contextSpecificPin := pkcs11Signer.contextSpecificPin
	certUri := pkcs11Signer.certUri
	keyUri := pkcs11Signer.keyUri
	reusePin := pkcs11Signer.reusePin

	// Session state is declared at function scope so that the deferred
	// cleanup observes whatever the helpers below assign to it, including
	// a session handle returned alongside an error.
	var (
		session    pkcs11.SessionHandle
		loggedIn   bool
		slots      []SlotIdInfo
		certSlotNr uint
		certObj    CertObjInfo
	)

	// The session must be torn down on every exit path, including a
	// successful signature.
	defer func() {
		if session == 0 {
			return
		}
		if loggedIn {
			module.Logout(session)
		}
		module.CloseSession(session)
	}()

	if certUri != nil {
		// A PKCS#11 URI for the certificate was supplied: look it up directly.
		var certSlot SlotIdInfo
		certSlot, slots, session, loggedIn, certObj, err = getCertificate(module, certUri, userPin)
		if err != nil {
			return signature, err
		}
		certSlotNr = certSlot.id
	} else {
		// No certificate URI: the key lookup below searches every slot.
		slots, err = enumerateSlotsInPKCS11Module(module)
		if err != nil {
			return signature, err
		}
	}

	// getPKCS11Key may replace the session, PIN and key URI with the values
	// it actually used, so those locals are reassigned here.
	var (
		keyType       uint
		privateKeyObj KeyObjInfo
		keySlot       SlotIdInfo
	)
	session, userPin, keyUri, keyType, privateKeyObj, keySlot, alwaysAuth, contextSpecificPin, err = getPKCS11Key(module, session, loggedIn, certUri, keyUri, false, certSlotNr, certObj, userPin, contextSpecificPin, reusePin, slots)
	if err != nil {
		return signature, err
	}

	contextSpecificPin, signature, err = signHelper(module, session, privateKeyObj, keySlot, userPin, alwaysAuth, contextSpecificPin, reusePin, keyType, digest, hashFunc)
	if err != nil {
		return signature, err
	}

	// Only a successful signing operation updates the cached
	// context-specific PIN on the signer.
	pkcs11Signer.contextSpecificPin = contextSpecificPin
	return signature, nil
}