Do not refresh object store before fetching object.

src/lib/SoftHSM.cpp

@@ -610,6 +610,8 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs)
 	// Load the handle manager
 	handleManager = new HandleManager();
 
+	doRefresh = Configuration::i()->getBool("objectstore.readrefresh", true);
+
 	// Set the state to initialised
 	isInitialised = true;
 
@@ -1610,7 +1612,7 @@ CK_RV SoftHSM::C_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL wasOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL wasPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1779,7 +1781,7 @@ CK_RV SoftHSM::C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1827,7 +1829,7 @@ CK_RV SoftHSM::C_GetObjectSize(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	*pulSize = CK_UNAVAILABLE_INFORMATION;
 
@@ -1851,7 +1853,7 @@ CK_RV SoftHSM::C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1898,7 +1900,7 @@ CK_RV SoftHSM::C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -2168,7 +2170,7 @@ CK_RV SoftHSM::SymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2416,7 +2418,7 @@ CK_RV SoftHSM::AsymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2897,7 +2899,7 @@ CK_RV SoftHSM::SymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3146,7 +3148,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3797,7 +3799,7 @@ CK_RV SoftHSM::C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hObject);
-	if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3948,7 +3950,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4100,7 +4102,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4926,7 +4928,7 @@ CK_RV SoftHSM::MacVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMecha
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -5078,7 +5080,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6514,7 +6516,7 @@ CK_RV SoftHSM::C_WrapKey
 
 	// Check the wrapping key handle.
 	OSObject *wrapKey = (OSObject *)handleManager->getObject(hWrappingKey);
-	if (wrapKey == NULL_PTR || !wrapKey->isValid()) return CKR_WRAPPING_KEY_HANDLE_INVALID;
+	if (wrapKey == NULL_PTR || !wrapKey->isValid(doRefresh)) return CKR_WRAPPING_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isWrapKeyOnToken = wrapKey->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isWrapKeyPrivate = wrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -6556,7 +6558,7 @@ CK_RV SoftHSM::C_WrapKey
 
 	// Check the to be wrapped key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6982,7 +6984,7 @@ CK_RV SoftHSM::C_UnwrapKey
 
 	// Check the unwrapping key handle.
 	OSObject *unwrapKey = (OSObject *)handleManager->getObject(hUnwrappingKey);
-	if (unwrapKey == NULL_PTR || !unwrapKey->isValid()) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
+	if (unwrapKey == NULL_PTR || !unwrapKey->isValid(doRefresh)) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isUnwrapKeyOnToken = unwrapKey->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isUnwrapKeyPrivate = unwrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -7282,7 +7284,7 @@ CK_RV SoftHSM::C_DeriveKey
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hBaseKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -10388,7 +10390,7 @@ CK_RV SoftHSM::deriveDH
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the DH algorithm handler
@@ -10720,7 +10722,7 @@ CK_RV SoftHSM::deriveECDH
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the ECDH algorithm handler
@@ -11074,7 +11076,7 @@ CK_RV SoftHSM::deriveEDDSA
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the EDDSA algorithm handler
@@ -11600,7 +11602,7 @@ CK_RV SoftHSM::deriveSymmetric
 
 	// Check the key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL_PTR || !baseKey->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (baseKey == NULL_PTR || !baseKey->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
     // Get the data
     ByteString secretValue;

src/lib/SoftHSM.h

@@ -186,6 +186,8 @@ class SoftHSM
 	// Is the SoftHSM PKCS #11 library initialised?
 	bool isInitialised;
 	bool isRemovable;
+	// Do refresh of all objects from storage before validating.
+	bool doRefresh;
 
 	SessionObjectStore* sessionObjectStore;
 	ObjectStore* objectStore;

src/lib/common/Configuration.cpp

@@ -51,6 +51,7 @@ const struct config Configuration::valid_config[] = {
 	{ "slots.removable",		CONFIG_TYPE_BOOL },
 	{ "slots.mechanisms",		CONFIG_TYPE_STRING },
 	{ "library.reset_on_fork",	CONFIG_TYPE_BOOL },
+	{ "objectstore.readrefresh",	CONFIG_TYPE_BOOL },
 	{ "",				CONFIG_TYPE_UNSUPPORTED }
 };
 

src/lib/common/softhsm2.conf.5.in

@@ -102,6 +102,31 @@ library.reset_on_fork = true
 .fi
 .RE
 .LP
+.SH OBJECTSTORE.READREFRESH
+If set to false and if 'objectstore.backend = file', then this will affect
+the refreshing of the object store.
+Before using an object that is not changed, no files will be read.
+.LP
+Depending of what kind of HW that is used setting 'false' may improve the
+performance of the HSM.
+.LP
+But the drawback is that if one processes is using an object handle from a
+token for multiple function calls then this process may still use the old
+unmodified or deleted object even if it is changed or deleted. Another
+process may have called C_DestroyObject or C_SetAttributeValue. But every
+time a process gets a new handle for an object the objectstore of this
+process is updated for all objects even if this property is false.
+.LP
+If 'objectstore.backend = db' then the value of this property is ignored.
+.LP
+Default is true.
+.LP
+.RS
+.nf
+objectstore.readrefresh = false
+.fi
+.RE
+.LP
 .SH ENVIRONMENT
 .TP
 SOFTHSM2_CONF

src/lib/common/softhsm2.conf.in

@@ -15,3 +15,6 @@ slots.mechanisms = ALL
 
 # If the library should reset the state on fork
 library.reset_on_fork = false
+
+# Set to false if there should be no update of a token objects each time it is used.
+objectstore.readrefresh = true

src/lib/object_store/DBObject.cpp

@@ -1364,7 +1364,7 @@ bool DBObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool DBObject::isValid()
+bool DBObject::isValid(const bool doRefresh __attribute__((unused)))
 {
 	MutexLocker lock(_mutex);
 

src/lib/object_store/DBObject.h

@@ -96,7 +96,7 @@ class DBObject : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object
-	virtual bool isValid();
+	virtual bool isValid(bool doRefresh);
 
 	// Start an attribute set transaction; this method is used when - for
 	// example - a key is generated and all its attributes need to be

src/lib/object_store/DBToken.cpp

@@ -684,7 +684,7 @@ OSObject *DBToken::createObject()
 		return NULL;
 	}
 
-	if (!newObject->isValid())
+	if (!newObject->isValid(true))
 	{
 		newObject->abortTransaction();
 		delete newObject;

src/lib/object_store/OSObject.h

@@ -64,7 +64,8 @@ class OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type) = 0;
 
 	// The validity state of the object
-	virtual bool isValid() = 0;
+	// If doRefresh==true then update the object from the storage before validating.
+	virtual bool isValid(bool doRefresh=true) = 0;
 
 	// Start an attribute set transaction; this method is used when - for
 	// example - a key is generated and all its attributes need to be

src/lib/object_store/OSToken.cpp

@@ -179,7 +179,8 @@ bool OSToken::setSOPIN(const ByteString& soPINBlob)
 // Get the SO PIN
 bool OSToken::getSOPIN(ByteString& soPINBlob)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -223,7 +224,8 @@ bool OSToken::setUserPIN(ByteString userPINBlob)
 // Get the user PIN
 bool OSToken::getUserPIN(ByteString& userPINBlob)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -243,7 +245,8 @@ bool OSToken::getUserPIN(ByteString& userPINBlob)
 // Retrieve the token label
 bool OSToken::getTokenLabel(ByteString& label)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -263,7 +266,8 @@ bool OSToken::getTokenLabel(ByteString& label)
 // Retrieve the token serial
 bool OSToken::getTokenSerial(ByteString& serial)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -283,7 +287,8 @@ bool OSToken::getTokenSerial(ByteString& serial)
 // Get the token flags
 bool OSToken::getTokenFlags(CK_ULONG& flags)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}

src/lib/object_store/ObjectFile.cpp

@@ -262,11 +262,13 @@ bool ObjectFile::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 	return valid;
 }
 
-// The validity state of the object (refresh from disk as a side effect)
-bool ObjectFile::isValid()
+// The validity state of the object (may refresh from disk as a side effect)
+bool ObjectFile::isValid(const bool doRefresh)
 {
-	refresh();
-
+	if(doRefresh)
+	{
+		refresh();
+	}
 	return valid;
 }
 

src/lib/object_store/ObjectFile.h

@@ -76,7 +76,7 @@ class ObjectFile : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object (refresh from disk as a side effect)
-	virtual bool isValid();
+	virtual bool isValid(bool doRefresh);
 
 	// Invalidate the object file externally; this method is normally
 	// only called by the OSToken class in case an object file has

src/lib/object_store/SessionObject.cpp

@@ -217,7 +217,8 @@ bool SessionObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool SessionObject::isValid()
+// the doRefresh parameter has no meaning for this implementation since noting is stored on disk.
+bool SessionObject::isValid(const bool /*doRefresh*/)
 {
     return valid;
 }

src/lib/object_store/SessionObject.h

@@ -73,7 +73,8 @@ class SessionObject : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object
-	virtual bool isValid();
+	// doRefresh has no meaning since this is a session object.
+	virtual bool isValid(bool doRefresh=true);
 
 	bool hasSlotID(CK_SLOT_ID inSlotID);