Allow vendor-defined userType values

For user (non-SO) login, the standard value for userType is CKU_USER. This commit allows for vendor-defined values, e.g., as used by Thales Luna HSM 7.
pyauth · Feb 3, 2021 · de2be2d · de2be2d
1 parent c148a2f
commit de2be2d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/pkcs11/_pkcs11.pyx b/pkcs11/_pkcs11.pyx
@@ -253,11 +253,11 @@ class Slot(types.Slot):
 class Token(types.Token):
     """Extend Token with implementation."""
 
-    def open(self, rw=False, user_pin=None, so_pin=None):
+    def open(self, rw=False, user_pin=None, so_pin=None, user_type=None):
         cdef CK_SLOT_ID slot_id = self.slot.slot_id
         cdef CK_SESSION_HANDLE handle
         cdef CK_FLAGS flags = CKF_SERIAL_SESSION
-        cdef CK_USER_TYPE user_type
+        cdef CK_USER_TYPE final_user_type
         cdef CK_UTF8CHAR *pin_data
         cdef CK_ULONG pin_length
 
@@ -268,36 +268,37 @@ class Token(types.Token):
             raise ArgumentsBad("Set either `user_pin` or `so_pin`")
         elif user_pin is PROTECTED_AUTH:
             pin = None
-            user_type = CKU_USER
+            user_type = user_type if user_type is not None else CKU_USER
         elif so_pin is PROTECTED_AUTH:
             pin = None
             user_type = CKU_SO
         elif user_pin is not None:
             pin = user_pin.encode('utf-8')
-            user_type = CKU_USER
+            user_type = user_type if user_type is not None else CKU_USER
         elif so_pin is not None:
             pin = so_pin.encode('utf-8')
             user_type = CKU_SO
         else:
             pin = None
             user_type = UserType.NOBODY
 
+        final_user_type = user_type
         with nogil:
             assertRV(_funclist.C_OpenSession(slot_id, flags, NULL,
                                              NULL, &handle))
 
         if so_pin is PROTECTED_AUTH or user_pin is PROTECTED_AUTH:
             if self.flags & TokenFlag.PROTECTED_AUTHENTICATION_PATH:
                 with nogil:
-                    assertRV(_funclist.C_Login(handle, user_type, NULL, 0))
+                    assertRV(_funclist.C_Login(handle, final_user_type, NULL, 0))
             else:
                 raise ArgumentsBad("Protected authentication is not supported by loaded module")
         elif pin is not None:
             pin_data = pin
             pin_length = len(pin)
 
             with nogil:
-                assertRV(_funclist.C_Login(handle, user_type,
+                assertRV(_funclist.C_Login(handle, final_user_type,
                                            pin_data, pin_length))
 
         return Session(self, handle, rw=rw, user_type=user_type)

diff --git a/pkcs11/types.py b/pkcs11/types.py
@@ -202,7 +202,7 @@ def __init__(self, slot,
     def __eq__(self, other):
         return self.slot == other.slot
 
-    def open(self, rw=False, user_pin=None, so_pin=None):
+    def open(self, rw=False, user_pin=None, so_pin=None, user_type=None):
         """
         Open a session on the token and optionally log in as a user or
         security officer (pass one of `user_pin` or `so_pin`). Pass PROTECTED_AUTH to
@@ -220,6 +220,9 @@ def open(self, rw=False, user_pin=None, so_pin=None):
         :param bytes user_pin: Authenticate to this session as a user.
         :param bytes so_pin: Authenticate to this session as a
             security officer.
+        :param user_type: Sets the userType parameter to C_Login.
+            Allows for vendor-defined values. Defaults to UserType.SO if
+            so_pin is set, otherwise UserType.USER.
 
         :rtype: Session
         """