Do not refresh object store before fetching object.

Before this commit the object store for a file token was always refreshed by reading
the file of the token every time an object of the token was fetched.
Now the HSM may be configured not to refresh when fetching an object. But the
refresh will still be done after an application gets a handle for an object.

The reason for this change is that the CPU time consumed by the reading may not
be negligible for some HW.

It is only the objects store on file that are affected by this feature. If DB is
used refreshing will always be done since the is then no difference in CPU usage.

Author: Lars Silvén

src/lib/SoftHSM.cpp

@@ -610,6 +610,8 @@ CK_RV SoftHSM::C_Initialize(CK_VOID_PTR pInitArgs)
 	// Load the handle manager
 	handleManager = new HandleManager();
 
+	doRefresh = Configuration::i()->getBool("objectstore.readrefresh", true);
+
 	// Set the state to initialised
 	isInitialised = true;
 
@@ -1608,7 +1610,7 @@ CK_RV SoftHSM::C_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL wasOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL wasPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1777,7 +1779,7 @@ CK_RV SoftHSM::C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1825,7 +1827,7 @@ CK_RV SoftHSM::C_GetObjectSize(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObj
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	*pulSize = CK_UNAVAILABLE_INFORMATION;
 
@@ -1849,7 +1851,7 @@ CK_RV SoftHSM::C_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -1896,7 +1898,7 @@ CK_RV SoftHSM::C_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE
 
 	// Check the object handle.
 	OSObject *object = (OSObject *)handleManager->getObject(hObject);
-	if (object == NULL_PTR || !object->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (object == NULL_PTR || !object->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = object->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = object->getBooleanValue(CKA_PRIVATE, true);
@@ -2166,7 +2168,7 @@ CK_RV SoftHSM::SymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2414,7 +2416,7 @@ CK_RV SoftHSM::AsymEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -2895,7 +2897,7 @@ CK_RV SoftHSM::SymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3144,7 +3146,7 @@ CK_RV SoftHSM::AsymDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMec
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3795,7 +3797,7 @@ CK_RV SoftHSM::C_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hObject);
-	if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -3946,7 +3948,7 @@ CK_RV SoftHSM::MacSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechani
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4098,7 +4100,7 @@ CK_RV SoftHSM::AsymSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechan
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -4924,7 +4926,7 @@ CK_RV SoftHSM::MacVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMecha
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -5076,7 +5078,7 @@ CK_RV SoftHSM::AsymVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMech
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6512,7 +6514,7 @@ CK_RV SoftHSM::C_WrapKey
 
 	// Check the wrapping key handle.
 	OSObject *wrapKey = (OSObject *)handleManager->getObject(hWrappingKey);
-	if (wrapKey == NULL_PTR || !wrapKey->isValid()) return CKR_WRAPPING_KEY_HANDLE_INVALID;
+	if (wrapKey == NULL_PTR || !wrapKey->isValid(doRefresh)) return CKR_WRAPPING_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isWrapKeyOnToken = wrapKey->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isWrapKeyPrivate = wrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -6554,7 +6556,7 @@ CK_RV SoftHSM::C_WrapKey
 
 	// Check the to be wrapped key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_KEY_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -6980,7 +6982,7 @@ CK_RV SoftHSM::C_UnwrapKey
 
 	// Check the unwrapping key handle.
 	OSObject *unwrapKey = (OSObject *)handleManager->getObject(hUnwrappingKey);
-	if (unwrapKey == NULL_PTR || !unwrapKey->isValid()) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
+	if (unwrapKey == NULL_PTR || !unwrapKey->isValid(doRefresh)) return CKR_UNWRAPPING_KEY_HANDLE_INVALID;
 
 	CK_BBOOL isUnwrapKeyOnToken = unwrapKey->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isUnwrapKeyPrivate = unwrapKey->getBooleanValue(CKA_PRIVATE, true);
@@ -7280,7 +7282,7 @@ CK_RV SoftHSM::C_DeriveKey
 
 	// Check the key handle.
 	OSObject *key = (OSObject *)handleManager->getObject(hBaseKey);
-	if (key == NULL_PTR || !key->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (key == NULL_PTR || !key->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
 	CK_BBOOL isKeyOnToken = key->getBooleanValue(CKA_TOKEN, false);
 	CK_BBOOL isKeyPrivate = key->getBooleanValue(CKA_PRIVATE, true);
@@ -10386,7 +10388,7 @@ CK_RV SoftHSM::deriveDH
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the DH algorithm handler
@@ -10718,7 +10720,7 @@ CK_RV SoftHSM::deriveECDH
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the ECDH algorithm handler
@@ -11072,7 +11074,7 @@ CK_RV SoftHSM::deriveEDDSA
 
 	// Get the base key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL || !baseKey->isValid())
+	if (baseKey == NULL || !baseKey->isValid(doRefresh))
 		return CKR_KEY_HANDLE_INVALID;
 
 	// Get the EDDSA algorithm handler
@@ -11598,7 +11600,7 @@ CK_RV SoftHSM::deriveSymmetric
 
 	// Check the key handle
 	OSObject *baseKey = (OSObject *)handleManager->getObject(hBaseKey);
-	if (baseKey == NULL_PTR || !baseKey->isValid()) return CKR_OBJECT_HANDLE_INVALID;
+	if (baseKey == NULL_PTR || !baseKey->isValid(doRefresh)) return CKR_OBJECT_HANDLE_INVALID;
 
     // Get the data
     ByteString secretValue;

src/lib/SoftHSM.h

@@ -186,6 +186,8 @@ class SoftHSM
 	// Is the SoftHSM PKCS #11 library initialised?
 	bool isInitialised;
 	bool isRemovable;
+	// Do refresh of all objects from storage before validating.
+	bool doRefresh;
 
 	SessionObjectStore* sessionObjectStore;
 	ObjectStore* objectStore;

src/lib/common/Configuration.cpp

@@ -51,6 +51,7 @@ const struct config Configuration::valid_config[] = {
 	{ "slots.removable",		CONFIG_TYPE_BOOL },
 	{ "slots.mechanisms",		CONFIG_TYPE_STRING },
 	{ "library.reset_on_fork",	CONFIG_TYPE_BOOL },
+	{ "objectstore.readrefresh",	CONFIG_TYPE_BOOL },
 	{ "",				CONFIG_TYPE_UNSUPPORTED }
 };
 

src/lib/common/softhsm2.conf.5.in

@@ -102,6 +102,31 @@ library.reset_on_fork = true
 .fi
 .RE
 .LP
+.SH OBJECTSTORE.READREFRESH
+If set to false and if 'objectstore.backend = file', then this will affect
+the refreshing of the object store.
+Before using an object that is not changed, no files will be read.
+.LP
+Depending of what kind of HW that is used setting 'false' may improve the
+performance of the HSM.
+.LP
+But the drawback is that if one processes is using an object handle from a
+token for multiple function calls then this process may still use the old
+unmodified or deleted object even if it is changed or deleted. Another
+process may have called C_DestroyObject or C_SetAttributeValue. But every
+time a process gets a new handle for an object the objectstore of this
+process is updated for all objects even if this property is false.
+.LP
+If 'objectstore.backend = db' then the value of this property is ignored.
+.LP
+Default is true.
+.LP
+.RS
+.nf
+objectstore.readrefresh = false
+.fi
+.RE
+.LP
 .SH ENVIRONMENT
 .TP
 SOFTHSM2_CONF

src/lib/common/softhsm2.conf.in

@@ -15,3 +15,6 @@ slots.mechanisms = ALL
 
 # If the library should reset the state on fork
 library.reset_on_fork = false
+
+# Set to false if there should be no update of a token objects each time it is used.
+objectstore.readrefresh = true

src/lib/object_store/DBObject.cpp

@@ -1364,7 +1364,7 @@ bool DBObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool DBObject::isValid()
+bool DBObject::isValid(const bool doRefresh __attribute__((unused)))
 {
 	MutexLocker lock(_mutex);
 

src/lib/object_store/DBObject.h

@@ -96,7 +96,7 @@ class DBObject : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object
-	virtual bool isValid();
+	virtual bool isValid(bool doRefresh);
 
 	// Start an attribute set transaction; this method is used when - for
 	// example - a key is generated and all its attributes need to be

src/lib/object_store/DBToken.cpp

@@ -684,7 +684,7 @@ OSObject *DBToken::createObject()
 		return NULL;
 	}
 
-	if (!newObject->isValid())
+	if (!newObject->isValid(true))
 	{
 		newObject->abortTransaction();
 		delete newObject;

src/lib/object_store/OSObject.h

@@ -64,7 +64,8 @@ class OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type) = 0;
 
 	// The validity state of the object
-	virtual bool isValid() = 0;
+	// If doRefresh==true then update the object from the storage before validating.
+	virtual bool isValid(bool doRefresh=true) = 0;
 
 	// Start an attribute set transaction; this method is used when - for
 	// example - a key is generated and all its attributes need to be

src/lib/object_store/OSToken.cpp

@@ -179,7 +179,8 @@ bool OSToken::setSOPIN(const ByteString& soPINBlob)
 // Get the SO PIN
 bool OSToken::getSOPIN(ByteString& soPINBlob)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -223,7 +224,8 @@ bool OSToken::setUserPIN(ByteString userPINBlob)
 // Get the user PIN
 bool OSToken::getUserPIN(ByteString& userPINBlob)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -243,7 +245,8 @@ bool OSToken::getUserPIN(ByteString& userPINBlob)
 // Retrieve the token label
 bool OSToken::getTokenLabel(ByteString& label)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -263,7 +266,8 @@ bool OSToken::getTokenLabel(ByteString& label)
 // Retrieve the token serial
 bool OSToken::getTokenSerial(ByteString& serial)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}
@@ -283,7 +287,8 @@ bool OSToken::getTokenSerial(ByteString& serial)
 // Get the token flags
 bool OSToken::getTokenFlags(CK_ULONG& flags)
 {
-	if (!valid || !tokenObject->isValid())
+	// this is done so rarely so will not impact the performance to refresh.
+	if (!valid || !tokenObject->isValid(true))
 	{
 		return false;
 	}

src/lib/object_store/ObjectFile.cpp

@@ -262,11 +262,13 @@ bool ObjectFile::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 	return valid;
 }
 
-// The validity state of the object (refresh from disk as a side effect)
-bool ObjectFile::isValid()
+// The validity state of the object (may refresh from disk as a side effect)
+bool ObjectFile::isValid(const bool doRefresh)
 {
-	refresh();
-
+	if(doRefresh)
+	{
+		refresh();
+	}
 	return valid;
 }
 

src/lib/object_store/ObjectFile.h

@@ -76,7 +76,7 @@ class ObjectFile : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object (refresh from disk as a side effect)
-	virtual bool isValid();
+	virtual bool isValid(bool doRefresh);
 
 	// Invalidate the object file externally; this method is normally
 	// only called by the OSToken class in case an object file has

src/lib/object_store/SessionObject.cpp

@@ -217,7 +217,8 @@ bool SessionObject::deleteAttribute(CK_ATTRIBUTE_TYPE type)
 }
 
 // The validity state of the object
-bool SessionObject::isValid()
+// the doRefresh parameter has no meaning for this implementation since noting is stored on disk.
+bool SessionObject::isValid(const bool /*doRefresh*/)
 {
     return valid;
 }

src/lib/object_store/SessionObject.h

@@ -73,7 +73,8 @@ class SessionObject : public OSObject
 	virtual bool deleteAttribute(CK_ATTRIBUTE_TYPE type);
 
 	// The validity state of the object
-	virtual bool isValid();
+	// doRefresh has no meaning since this is a session object.
+	virtual bool isValid(bool doRefresh=true);
 
 	bool hasSlotID(CK_SLOT_ID inSlotID);