softhsm · nb-tech5 · Aug 1, 2025 · Aug 4, 2025 · Aug 6, 2025 · Aug 18, 2025
@@ -69,6 +69,23 @@ CK_RV P11Attribute::updateAttr(Token *token, bool isPrivate, CK_VOID_PTR pValue,
 	return CKR_OK;
 }
 
+CK_RV P11Attribute::retrieveAttrByteString(Token *token, bool isPrivate, OSAttribute *attr, ByteString &value)
+{
+	if (isPrivate && attr->getByteStringValue().size() != 0)
+	{
+		if (!token->decrypt(attr->getByteStringValue(), value))
+		{
+			ERROR_MSG("Internal error: failed to decrypt private attribute value");
+			return CKR_GENERAL_ERROR;
+		}
+	}
+	else
+	{
+		value = attr->getByteStringValue();
+	}
+	return CKR_OK;
+}
+
 bool P11Attribute::isModifiable()
 {
 	// Get the CKA_MODIFIABLE attribute, when the attribute is
@@ -273,18 +290,13 @@ CK_RV P11Attribute::retrieve(Token *token, bool isPrivate, CK_VOID_PTR pValue, C
 		// Lower level attribute has to be variable sized.
 		if (attr.isByteStringAttribute())
 		{
-			if (isPrivate && attr.getByteStringValue().size() != 0)
+			ByteString value;
+			CK_RV res = retrieveAttrByteString(token, isPrivate, &attr, value);
+			if (res != CKR_OK)
 			{
-				ByteString value;
-				if (!token->decrypt(attr.getByteStringValue(),value))
-				{
-					ERROR_MSG("Internal error: failed to decrypt private attribute value");
-					return CKR_GENERAL_ERROR;
-				}
-				attrSize = value.size();
+				return res;
 			}
-			else
-				attrSize = attr.getByteStringValue().size();
+			attrSize = value.size();
 		}
 		else if (attr.isMechanismTypeSetAttribute())
 		{
@@ -332,22 +344,15 @@ CK_RV P11Attribute::retrieve(Token *token, bool isPrivate, CK_VOID_PTR pValue, C
 		}
 		else if (attr.isByteStringAttribute())
 		{
-			if (isPrivate && attr.getByteStringValue().size() != 0)
+			ByteString value;
+			CK_RV res = retrieveAttrByteString(token, isPrivate, &attr, value);
+			if (res != CKR_OK)
 			{
-				ByteString value;
-				if (!token->decrypt(attr.getByteStringValue(),value))
-				{
-					ERROR_MSG("Internal error: failed to decrypt private attribute value");
-					return CKR_GENERAL_ERROR;
-				}
-				if (value.size() !=  0) {
-					const unsigned char* attrPtr = value.const_byte_str();
-					memcpy(pValue,attrPtr,attrSize);
-				}
+				return res;
 			}
-			else if (attr.getByteStringValue().size() != 0)
-			{
-				const unsigned char* attrPtr = attr.getByteStringValue().const_byte_str();
+
+			if (value.size() !=  0) {
+				const unsigned char* attrPtr = value.const_byte_str();
 				memcpy(pValue,attrPtr,attrSize);
 			}
 		}
@@ -495,6 +500,12 @@ CK_RV P11Attribute::update(Token* token, bool isPrivate, CK_VOID_PTR pValue, CK_
 	return CKR_ATTRIBUTE_READ_ONLY;
 }
 
+CK_RV P11NonPrivateAttribute::retrieveAttrByteString(Token* /*token*/, bool /*isPrivate*/, OSAttribute *attr, ByteString &value)
+{
+	value = attr->getByteStringValue();
+	return CKR_OK;
+}
+
 /*****************************************
  * CKA_CLASS
  *****************************************/

@@ -122,13 +122,26 @@ class P11Attribute
 	// Update the value if allowed
 	virtual CK_RV updateAttr(Token *token, bool isPrivate, CK_VOID_PTR pValue, CK_ULONG ulValueLen, int op);
 
+	// Retrieve the value if allowed
+	virtual CK_RV retrieveAttrByteString(Token *token, bool isPrivate, OSAttribute *attr, ByteString &value);
+
 	// Helper functions
 	bool isModifiable();
 	bool isSensitive();
 	bool isExtractable();
 	bool isTrusted();
 };
 
+class P11NonPrivateAttribute : public P11Attribute
+{
+protected:
+	// Constructor
+	P11NonPrivateAttribute(OSObject* inobject) : P11Attribute(inobject) {};
+
+	// Retrie the value if allowed
+	virtual CK_RV retrieveAttrByteString(Token *token, bool isPrivate, OSAttribute *attr, ByteString &value);
+};
+
 /*****************************************
  * CKA_CLASS
  *****************************************/
@@ -455,11 +468,11 @@ class P11AttrCertificateCategory : public P11Attribute
  * CKA_START_DATE
  *****************************************/
 
-class P11AttrStartDate : public P11Attribute
+class P11AttrStartDate : public P11NonPrivateAttribute
 {
 public:
 	// Constructor
-	P11AttrStartDate(OSObject* inobject, CK_ULONG inchecks) : P11Attribute(inobject) { type = CKA_START_DATE; checks = inchecks; }
+	P11AttrStartDate(OSObject* inobject, CK_ULONG inchecks) : P11NonPrivateAttribute(inobject) { type = CKA_START_DATE; checks = inchecks; }
 
 protected:
 	// Set the default value of the attribute
@@ -473,11 +486,11 @@ class P11AttrStartDate : public P11Attribute
  * CKA_END_DATE
  *****************************************/
 
-class P11AttrEndDate : public P11Attribute
+class P11AttrEndDate : public P11NonPrivateAttribute
 {
 public:
 	// Constructor
-	P11AttrEndDate(OSObject* inobject, CK_ULONG inchecks) : P11Attribute(inobject) { type = CKA_END_DATE; checks = inchecks; }
+	P11AttrEndDate(OSObject* inobject, CK_ULONG inchecks) : P11NonPrivateAttribute(inobject) { type = CKA_END_DATE; checks = inchecks; }
 
 protected:
 	// Set the default value of the attribute

@@ -1782,15 +1782,18 @@ void ObjectTests::testDefaultRSAPrivAttributes()
 			 0x30, 0xD1, 0x4D, 0x3C, 0x60, 0x33, 0xB5, 0xED, 0x4C, 0x39,
 			 0xDA, 0x68, 0x78, 0xF9, 0x6B, 0x4F, 0x47, 0x55, 0xB2, 0x02,
 			 0x00, 0x7E, 0x9C, 0x05 };
-	CK_DATE emptyDate;
+	CK_DATE startDate = {{'2', '0', '0', '0'}, {'0', '1'}, {'0', '2'}};
+	CK_DATE endDate = {{'2', '0', '1', '0'}, {'0', '1'}, {'0', '2'}};
 	// Make the key non-sensitive and extractable so that we can test it.
 	CK_ATTRIBUTE objTemplate[] = {
 		{ CKA_CLASS, &objClass, sizeof(objClass) },
 		{ CKA_KEY_TYPE, &objType, sizeof(objType) },
 		{ CKA_SENSITIVE, &bFalse, sizeof(bFalse) },
 		{ CKA_EXTRACTABLE, &bTrue, sizeof(bTrue) },
 		{ CKA_MODULUS, pN, sizeof(pN) },
-		{ CKA_PRIVATE_EXPONENT, pD, sizeof(pD) }
+		{ CKA_PRIVATE_EXPONENT, pD, sizeof(pD) },
+		{ CKA_START_DATE, &startDate, sizeof(startDate) },
+		{ CKA_END_DATE, &endDate, sizeof(endDate)}
 	};
 
 	// Just make sure that we finalize any previous tests
@@ -1815,8 +1818,7 @@ void ObjectTests::testDefaultRSAPrivAttributes()
 	// Check attributes in RSA public key object
 	checkCommonObjectAttributes(hSession, hObject, objClass);
 	checkCommonStorageObjectAttributes(hSession, hObject, CK_FALSE, CK_TRUE, CK_TRUE, NULL_PTR, 0, CK_TRUE, CK_TRUE);
-	memset(&emptyDate, 0, sizeof(emptyDate));
-	checkCommonKeyAttributes(hSession, hObject, objType, NULL_PTR, 0, emptyDate, 0, emptyDate, 0, CK_FALSE, CK_FALSE, CK_UNAVAILABLE_INFORMATION, NULL_PTR, 0);
+	checkCommonKeyAttributes(hSession, hObject, objType, NULL_PTR, 0, startDate, sizeof(startDate), endDate, sizeof(endDate), CK_FALSE, CK_FALSE, CK_UNAVAILABLE_INFORMATION, NULL_PTR, 0);
 	checkCommonPrivateKeyAttributes(hSession, hObject, NULL_PTR, 0, CK_FALSE, CK_TRUE, CK_TRUE, CK_TRUE, CK_TRUE, CK_TRUE, CK_FALSE, CK_FALSE, CK_FALSE, NULL_PTR, 0, CK_FALSE);
 	checkCommonRSAPrivateKeyAttributes(hSession, hObject, pN, sizeof(pN), NULL_PTR, 0, pD, sizeof(pD), NULL_PTR, 0, NULL_PTR, 0, NULL_PTR, 0, NULL_PTR, 0, NULL_PTR, 0);
 	checkToTrueAttributes(hSession, hObject);