feat: add SLOT_FILTER

2024-11-09 23:19:09 +08:00
parent e0c736271a
commit a97e0ae577
5 changed files with 228 additions and 158 deletions
--- a/native-pkcs11-piv/src/piv/backend.rs
+++ b/native-pkcs11-piv/src/piv/backend.rs
@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

+use std::collections::HashSet;
 use std::sync::{Arc, Mutex};

 use tracing::instrument;
@@ -37,8 +38,23 @@ static ENABLE_RETIRED: Lazy<bool> = Lazy::new(|| {
        v == "true" || v == "yes" || v == "on" || v == "1"
    }).unwrap_or(false)
 });
+static SLOT_FILTER_SET: Lazy<Option<HashSet<String>>> = Lazy::new(|| {
+    match std::env::var("SLOT_FILTER") {
+        Ok(slot_filter) => {
+            let mut slot_filter_set = HashSet::new();
+            slot_filter.split(",").for_each(|slot| {
+                let slot = slot.trim().to_lowercase();
+                if !slot.is_empty() {
+                    slot_filter_set.insert(slot);
+                }
+            });
+            Some(slot_filter_set)
+        }
+        Err(_) => None
+    }
+});

-fn clear_pin() -> () {
+fn clear_pin() {
    let mut cached_pin = CACHED_PIN.lock().unwrap();
    if cached_pin.is_some() {
        *cached_pin = None;
@@ -72,7 +88,7 @@ impl YubikeyPivBackend {
        if yubikey.is_none() {
            *yubikey = Some(YubiKey::open()?);
        }
-        let mut yk = yubikey.as_mut().unwrap();
+        let yk = yubikey.as_mut().unwrap();
        if verify {
            let pin = prepare_pin()?;
            let verify_result = yk.verify_pin(pin.as_bytes());
@@ -81,7 +97,7 @@ impl YubikeyPivBackend {
            }
            verify_result?;
        }
-        callback(&mut yk)
+        callback(yk)
    }

    fn init_slot_objects(&self) -> P11Result<()> {
@@ -95,10 +111,22 @@ impl YubikeyPivBackend {
            let keys = yk.piv_keys()?;
            for key in keys {
                let slot_id = key.slot();
-                if !*ENABLE_RETIRED && matches!(slot_id, SlotId::Retired(_)) {
-                    // SKIP RETIRED
-                    continue;
+                if let Some(slot_filter_set) = &*SLOT_FILTER_SET {
+                    let slot_id_u8: u8 = slot_id.into();
+                    let slot_id_hex = format!("{:x}", slot_id_u8).to_lowercase();
+                    let slot_name = slot_id.to_string().to_lowercase();
+                    let is_slot_matches = slot_filter_set.contains(&slot_id_hex) || slot_filter_set.contains(&slot_name);
+                    // println!(">>>> {:?} {} {} {}", slot_filter_set, slot_id_hex, slot_name, is_slot_matches);
+                    if !is_slot_matches {
+                        continue;
+                    }
+                } else {
+                    if !*ENABLE_RETIRED && matches!(slot_id, SlotId::Retired(_)) {
+                        // SKIP RETIRED
+                        continue;
+                    }
                }
+
                let certificate_der = key.certificate().cert.to_der()?;
                let public_key_der = key.certificate().cert.tbs_certificate.subject_public_key_info.to_der()?;