pkcs11 0.1.0

data/lib/pkcs11.rb

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+# Load the correct version if it's a Windows binary gem
+if RUBY_PLATFORM =~/(mswin|mingw)/i
+  major_minor = RUBY_VERSION[ /^(\d+\.\d+)/ ] or
+    raise "Oops, can't extract the major/minor version from #{RUBY_VERSION.dump}"
+  require "#{major_minor}/pkcs11_ext"
+else
+  require 'pkcs11_ext'
+end
+
+require 'pkcs11/extensions'

data/lib/pkcs11/extensions.rb

@@ -0,0 +1,160 @@
+require 'pkcs11/library'
+require 'pkcs11/slot'
+require 'pkcs11/session'
+require 'pkcs11/object'
+
+# Ruby connector to PKCS#11 libraries.
+#
+# This library allowes to use PKCS#11 librarys in Ruby MRI.
+#
+# Example usage:
+#
+#   pkcs11 = PKCS11.open("/path/to/pkcs11.so")
+#   slot = pkcs11.active_slots.first
+#   p slot.info
+#   session = slot.open(PKCS11::CKF_SERIAL_SESSION|PKCS11::CKF_RW_SESSION)
+#   session.login(:USER, "1234")
+#   ...
+#   session.logout
+#   session.close
+#
+# See unit tests in the <tt>test</tt> directory for further examples of the usage.
+module PKCS11
+
+  class << self
+    # Open a PKCS#11 library file.
+    alias new open
+  end
+  
+  module InspectableStruct
+    # Array of the InspectableStruct's attribute names.
+    def members
+      (self.methods - ::Object.new.methods - InspectableStruct.instance_methods).grep(/[^=]$/).sort
+    end
+    # Array of the InspectableStruct's attribute values.
+    def values
+      members.inject([]){|a,v| a << send(v) }
+    end
+    # Hash with the InspectableStruct's attribute names and values.
+    def to_hash
+      members.inject({}){|h,v| h[v.intern] = send(v); h }
+    end
+    def inspect # :nodoc:
+      "#<#{self.class} #{to_hash.map{|k,v| "#{k}=#{v.inspect}"}.join(", ") }>"
+    end
+  end
+
+  module InspectableAttribute
+    # Array of the InspectableStruct's attribute names.
+    def members
+      ['type', 'value']
+    end
+    # Array of the InspectableStruct's attribute values.
+    def values
+      members.inject([]){|a,v| a << send(v) }
+    end
+    # Hash with the InspectableStruct's attribute names and values.
+    def to_hash
+      members.inject({}){|h,v| h[v.intern] = send(v); h }
+    end
+    # Get the constant name as String of the given value.
+    # Returns <tt>nil</tt> if value is unknown.
+    def to_s
+      ATTRIBUTES[type]
+    end
+    def inspect # :nodoc:
+      "#<#{self.class} #{ to_s ? "#{to_s} (#{type})" : type} value=#{value.inspect}>"
+    end
+  end
+
+  # See InspectableStruct.
+  class CK_INFO
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_C_INITIALIZE_ARGS
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_ATTRIBUTE
+    include InspectableAttribute
+  end
+  # See InspectableStruct.
+  class CK_TOKEN_INFO
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_SLOT_INFO
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_MECHANISM_INFO
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_SESSION_INFO
+    include InspectableStruct
+  end
+  # See InspectableStruct.
+  class CK_MECHANISM
+    include InspectableStruct
+  end
+
+  class ConstValue
+    def initialize(enum_hash, value) # :nodoc:
+      @enum_hash, @value = enum_hash, value
+    end
+
+    # Get the constant name as String of the given value.
+    # Returns <tt>nil</tt> if value is unknown.
+    def to_s
+      @enum_hash[@value]
+    end
+    def inspect
+#       "#<#{self.class} #{ to_s ? "#{to_s} (#{@value})" : @value}>"
+      @value.inspect
+    end
+
+    # The value of the constant.
+    def to_int
+      @value
+    end
+    alias to_i to_int
+  end
+
+  module ConstValueHash # :nodoc:
+    def [](value)
+      super(value.to_int)
+    end
+  end
+
+  class << self
+    def extend_ConstValueHash(hash_symb) # :nodoc:
+      # The MECHANISMS, ATTRIBUTES, etc. Hashs are freezed.
+      # So, we have make a copy, to extend the class.
+      my_HASH = const_get(hash_symb).dup
+      my_HASH.extend ConstValueHash
+      my_HASH.freeze
+      const_set("UNWRAPPED_#{hash_symb}", hash_symb)
+      remove_const(hash_symb)
+      const_set(hash_symb, my_HASH)
+    end
+    private :extend_ConstValueHash
+  end
+
+  extend_ConstValueHash(:OBJECT_CLASSES)
+  class ObjectClass < ConstValue
+  end
+
+  extend_ConstValueHash(:ATTRIBUTES)
+  class Attribute < ConstValue
+  end
+
+  extend_ConstValueHash(:MECHANISMS)
+  class Mechanism < ConstValue
+  end
+
+#   extend_ConstValueHash(:RETURN_VALUES)
+#   class ReturnValue < ConstValue
+#   end
+end

data/lib/pkcs11/library.rb

@@ -0,0 +1,63 @@
+module PKCS11
+  # A Library instance holds a handle to the opened PKCS#11 - dll or so file.
+  class Library
+    alias unwrapped_initialize initialize # :nodoc:
+
+    # Load and initialize a pkcs11 dynamic library.
+    #
+    # so_path:: Path to the *.so or *.dll file to load.
+    # args:: A Hash or CK_C_INITIALIZE_ARGS instance with load params.
+    def initialize(so_path, args={})
+      case args
+        when Hash
+          pargs = CK_C_INITIALIZE_ARGS.new
+          args.each{|k,v| pargs.send("#{k}=", v) }
+        else
+          pargs = args
+      end
+      unwrapped_initialize(so_path, pargs)
+    end
+
+    alias unwrapped_C_GetInfo C_GetInfo
+    # Returns general information about Cryptoki.
+    def C_GetInfo
+      unwrapped_C_GetInfo
+    end
+    alias info C_GetInfo
+
+    alias unwrapped_C_GetSlotList C_GetSlotList
+    
+    # Obtain an array of Slot objects in the system. tokenPresent indicates
+    # whether the list obtained includes only those slots with a token present (true), or
+    # all slots (false);
+    def C_GetSlotList(tokenPresent=true)
+      slots = unwrapped_C_GetSlotList(tokenPresent)
+      slots.map{|slot|
+        Slot.new self, slot
+      }
+    end
+    alias slots C_GetSlotList
+
+    # Obtain an array of Slot objects in the system with a token present.
+    def active_slots
+      slots(true)
+    end
+    
+    # Obtain an array of Slot objects in the system regardless if a token is present.
+    def all_slots
+      slots(false)
+    end
+    
+    alias unwrapped_C_Finalize C_Finalize
+    # Close and unload library. If not called, the library is freed by the GC.
+    def C_Finalize
+      unwrapped_C_Finalize
+    end
+    alias close C_Finalize
+    
+    private :unwrapped_initialize
+    private :unwrapped_C_GetSlotList
+    private :unwrapped_C_Finalize
+    private :unwrapped_C_GetInfo
+  end
+end

data/lib/pkcs11/object.rb

@@ -0,0 +1,104 @@
+module PKCS11
+  # Cryptoki’s logical view of a token is a device that stores objects and can perform
+  # cryptographic functions. Cryptoki defines three classes of object: data, certificates, and
+  # keys.
+  #
+  # Attributes are characteristics that distinguish an instance of an object.
+  class Object
+    def initialize(pkcs11, session, object) # :nodoc:
+      @pk, @sess, @obj = pkcs11, session, object
+    end
+
+    # The object handle.
+    def to_int
+      @obj
+    end
+    alias to_i to_int
+
+    def inspect # :nodoc:
+      "#<#{self.class} #{@obj.inspect}>"
+    end
+
+    # Returns the value of one attribute of the object.
+    #
+    # attribute:: can be String or Symbol of the attribute constant
+    #             or the attribute number as Integer.
+    #
+    # Returns the attribute value as String, Integer or true/false
+    # depending on the attribute type.
+    # Unknown attributes (out of PKCS#11 v2.2) are not converted but returned as String.
+    # That is true/false will be returned as "\\001" respectively "\\000".
+    def [](attribute)
+      attrs = C_GetAttributeValue( [attribute] )
+      attrs.first.value unless attrs.empty?
+    end
+
+    # Modifies the value of one attribute the object.
+    #
+    # attribute:: can be String or Symbol of the attribute constant
+    #             or the attribute value as Integer.
+    # value:: String value the attribute will be set to.
+    #
+    # Following value conversations are done:
+    #   true   -> 0x01
+    #   false  -> 0x00
+    #   nil    -> NULL pointer
+    #   Fixnum -> binary encoded unsigned long
+    def []=(attribute, value)
+      C_SetAttributeValue( attribute => value )
+    end
+
+    # Modifies the value of one or more attributes of the object in a single call.
+    #
+    # Examples:
+    #   object.attributes = {:SUBJECT => cert_subject, PKCS11::CKA_VALUE => cert_data}
+    def C_SetAttributeValue(template={})
+      template = Session.hash_to_attributes template
+      @pk.C_SetAttributeValue(@sess, @obj, template)
+    end
+    alias attributes= C_SetAttributeValue
+    
+    # Obtains the value of one or more attributes of the object in a single call.
+    #
+    # Without params all known attributes are tried to read from the Object.
+    # This is significant slower then naming the needed attributes and should
+    # be used for debug purposes only.
+    #
+    # Returns an Array of PKCS11::CK_ATTRIBUTE's.
+    #
+    # Example:
+    #   certificate.attributes :ID, :VALUE
+    def C_GetAttributeValue(*template)
+      case template.length
+        when 0
+          return PKCS11::ATTRIBUTES.values.map{|attr|
+            begin
+              attributes(PKCS11.const_get(attr))
+            rescue PKCS11::Error
+            end
+          }.flatten.compact
+        when 1
+          template = template[0]
+      end
+      template = Session.hash_to_attributes template
+      @pk.C_GetAttributeValue(@sess, @obj, template)
+    end
+    alias attributes C_GetAttributeValue
+    
+    # Destroys the object.
+    #
+    # Only session objects can be destroyed during a read-only session. Only public objects
+    # can be destroyed unless the normal user is logged in.
+    def C_DestroyObject()
+      @pk.C_DestroyObject(@sess, @obj)
+    end
+    alias destroy C_DestroyObject
+    
+    # Gets the size of an object in bytes.
+    def C_GetObjectSize()
+      @pk.C_GetObjectSize(@sess, @obj)
+    end
+    alias size C_GetObjectSize
+
+  end
+end

data/lib/pkcs11/session.rb

@@ -0,0 +1,568 @@
+module PKCS11
+  # Cryptoki requires that an application open one or more sessions with a token to gain
+  # access to the token’s objects and functions. A session provides a logical connection
+  # between the application and the token. A session can be a read/write (R/W) session or a
+  # read-only (R/O) session (default).
+  class Session
+    class << self
+      def hash_to_attributes(template) # :nodoc:
+        case template
+          when Array
+            template.map{|v| PKCS11::CK_ATTRIBUTE.new(string_to_handle('CKA_', v), nil) }
+          when Hash
+            template.map{|k,v| PKCS11::CK_ATTRIBUTE.new(string_to_handle('CKA_', k), v) }
+          when String, Symbol
+            [PKCS11::CK_ATTRIBUTE.new(string_to_handle('CKA_', template), nil)]
+          when Integer
+            [PKCS11::CK_ATTRIBUTE.new(template, nil)]
+          else
+            template
+        end
+      end
+
+      def string_to_handle(prefix, attribute) # :nodoc:
+        case attribute
+          when String, Symbol
+            PKCS11.const_get("#{prefix}#{attribute}")
+          else
+            attribute
+        end
+      end
+
+      def hash_to_mechanism(hash) # :nodoc:
+        case hash
+          when String, Symbol
+            PKCS11::CK_MECHANISM.new(string_to_handle('CKM_', hash))
+          when Hash
+            raise "only one mechanism allowed" unless hash.length==1
+            PKCS11::CK_MECHANISM.new(string_to_handle('CKM_', hash.keys.first), hash.values.first)
+          else
+            hash.to_int
+        end
+      end
+    end
+    
+    def initialize(pkcs11, session) # :nodoc:
+      @pk, @sess = pkcs11, session
+    end
+
+    # The session handle.
+    def to_int
+      @sess
+    end
+    alias to_i to_int
+
+    def inspect # :nodoc:
+      "#<#{self.class} #{@sess.inspect}>"
+    end
+
+    # Logs a user into a token.
+    # user_type:: is the user type CKU_*;
+    # pin:: is the user’s PIN.
+    #
+    # When the user type is either CKU_SO or CKU_USER, if the call succeeds, each of the
+    # application's sessions will enter either the "R/W SO Functions" state, the "R/W User
+    # Functions" state, or the "R/O User Functions" state. If the user type is
+    # CKU_CONTEXT_SPECIFIC , the behavior of C_Login depends on the context in which
+    # it is called. Improper use of this user type will result in a return value
+    # CKR_OPERATION_NOT_INITIALIZED.
+    def C_Login(user_type, pin)
+      @pk.C_Login(@sess, Session::string_to_handle('CKU_', user_type), pin)
+    end
+    alias login C_Login
+
+    # Logs a user out from a token.
+    #
+    # Depending on the current user type, if the call succeeds, each of the application’s
+    # sessions will enter either the “R/W Public Session” state or the “R/O Public Session”
+    # state.
+    def C_Logout()
+      @pk.C_Logout(@sess)
+    end
+    alias logout C_Logout
+
+    # Closes the session between an application and a token.
+    def C_CloseSession()
+      @pk.C_CloseSession(@sess)
+    end
+    alias close C_CloseSession
+
+    # Obtains information about a session. Returns a CK_SESSION_INFO.
+    def C_GetSessionInfo()
+      @pk.C_GetSessionInfo(@sess)
+    end
+    alias info C_GetSessionInfo
+    
+    # Initializes a search for token and session objects that match a
+    # template.
+    #
+    # find_template:: points to a search template that
+    #                 specifies the attribute values to match
+    #                 The matching criterion is an exact byte-for-byte match with all attributes in the
+    #                 template. Use empty Hash to find all objects.
+
+    def C_FindObjectsInit(find_template={})
+      @pk.C_FindObjectsInit(@sess, Session.hash_to_attributes(find_template))
+    end
+
+    # Continues a search for token and session objects that match a template,
+    # obtaining additional object handles.
+    #
+    # Returns an array of Object instances.
+    def C_FindObjects(max_count)
+      objs = @pk.C_FindObjects(@sess, max_count)
+      objs.map{|obj| Object.new @pk, @sess, obj }
+    end
+
+    # Terminates a search for token and session objects.
+    def C_FindObjectsFinal
+      @pk.C_FindObjectsFinal(@sess)
+    end
+
+    # Convenience method for the C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal cycle.
+    #
+    # * If called with block, it iterates over all found objects.
+    # * If called without block, it returns with an array of all found Object instances.
+    #
+    # Example (prints subject of all certificates stored in the token):
+    #   session.find_objects(:CLASS => PKCS11::CKO_CERTIFICATE) do |obj|
+    #     p OpenSSL::X509::Name.new(obj[:SUBJECT])
+    #   end
+    def find_objects(template={})
+      all_objs = [] unless block_given?
+      C_FindObjectsInit(template)
+      begin
+        loop do
+          objs = C_FindObjects(20)
+          break if objs.empty?
+          if block_given?
+            objs.each{|obj| yield obj }
+          else
+            all_objs += objs
+          end
+        end
+      ensure
+        C_FindObjectsFinal()
+      end
+      return all_objs
+    end
+
+
+    # Creates a new Object based on given template. Returns a new object’s handle.
+    # If C_CreateObject is used to create a key object, the key object will have its
+    # CKA_LOCAL attribute set to false. If that key object is a secret or private key
+    # then the new key will have the CKA_ALWAYS_SENSITIVE attribute set to
+    # false, and the CKA_NEVER_EXTRACTABLE attribute set to false.
+    #
+    # Only session objects can be created during a read-only session. Only public objects can
+    # be created unless the normal user is logged in.
+    def C_CreateObject(template={})
+      handle = @pk.C_CreateObject(@sess, Session.hash_to_attributes(template))
+      Object.new @pk, @sess, handle
+    end
+    alias create_object C_CreateObject
+
+    # Initializes the normal user’s PIN. This standard
+    # allows PIN values to contain any valid UTF8 character, but the token may impose subset
+    # restrictions.
+    def C_InitPIN(pin)
+      @pk.C_InitPIN(@sess, pin)
+    end
+    alias init_pin C_InitPIN
+
+    # Modifies the PIN of the user that is currently logged in, or the CKU_USER
+    # PIN if the session is not logged in.
+    def C_SetPIN(old_pin, new_pin)
+      @pk.C_SetPIN(@sess, old_pin, new_pin)
+    end
+    alias set_pin C_SetPIN
+
+    class Cipher
+      def initialize(update_block) # :nodoc:
+        @update_block = update_block
+      end
+      def update(data)
+        @update_block.call(data)
+      end
+      alias << update
+    end
+
+    class DigestCipher < Cipher
+      def initialize(update_block, digest_key_block) # :nodoc:
+        super(update_block)
+        @digest_key_block = digest_key_block
+      end
+      alias digest_update update
+      def digest_key(key)
+        @digest_key_block.call(key)
+      end
+    end
+
+    def common_crypt( init, update, final, single, mechanism, key, data=nil) # :nodoc:
+      send(init, mechanism, key)
+      if block_given?
+        raise "data not nil, but block given" if data
+        yield Cipher.new(proc{|data_|
+          send(update, data_)
+        })
+        send(final)
+      else
+        send(single, data)
+      end
+    end
+    private :common_crypt
+    
+    def common_verify( init, update, final, single, mechanism, key, signature, data=nil ) # :nodoc:
+      send(init, mechanism, key)
+      if block_given?
+        raise "data not nil, but block given" if data
+        yield Cipher.new(proc{|data_|
+          send(update, data_)
+        })
+        send(final, signature)
+      else
+        send(single, data, signature)
+      end
+    end
+    private :common_verify
+
+    # Initializes an encryption operation.
+    #
+    # mechanism:: the encryption mechanism, Hash, String or Integer
+    # key:: the object handle of the encryption key.
+    #
+    # See Session#encrypt for convenience.
+    #
+    # The CKA_ENCRYPT attribute of the encryption key, which indicates whether the key
+    # supports encryption, must be true.
+    #
+    # After calling C_EncryptInit, the application can either call C_Encrypt to encrypt data
+    # in a single part; or call C_EncryptUpdate zero or more times, followed by
+    # C_EncryptFinal, to encrypt data in multiple parts. The encryption operation is active
+    # until the application uses a call to C_Encrypt or C_EncryptFinal to actually obtain the
+    # final piece of ciphertext. To process additional data (in single or multiple parts), the
+    # application must call C_EncryptInit again.
+    def C_EncryptInit(mechanism, key)
+      @pk.C_EncryptInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Encrypts single-part data.
+    def C_Encrypt(data, out_size=nil)
+      @pk.C_Encrypt(@sess, data, out_size)
+    end
+    # Continues a multiple-part encryption operation, processing another
+    # data part.
+    def C_EncryptUpdate(data, out_size=nil)
+      @pk.C_EncryptUpdate(@sess, data, out_size)
+    end
+    # Finishes a multiple-part encryption operation.
+    def C_EncryptFinal(out_size=nil)
+      @pk.C_EncryptFinal(@sess, out_size)
+    end
+
+    # Convenience method for the C_EncryptInit, C_EncryptUpdate, C_EncryptFinal call flow.
+    #
+    # If no block is given, the single part operation C_EncryptInit, C_Encrypt is called.
+    # If a block is given, the multi part operation (C_EncryptInit, C_EncryptUpdate, C_EncryptFinal)
+    # is used. The given block is called once with a cipher object. There can be any number of
+    # Cipher#update calls within the block, each giving the encryption result of this part as String.
+    #
+    # Returns the final part of the encryption operation.
+    #
+    # Example:
+    #   iv = "12345678"
+    #   cryptogram = ''
+    #   cryptogram << session.encrypt( {:DES_CBC_PAD=>iv}, key ) do |cipher|
+    #     cryptogram << cipher.update("block 1")
+    #     cryptogram << cipher.update("block 2")
+    #   end
+    def encrypt(mechanism, key, data=nil, &block)
+      common_crypt(:C_EncryptInit, :C_EncryptUpdate, :C_EncryptFinal, :C_Encrypt,
+                   mechanism, key, data, &block)
+    end
+
+    # Initializes a decryption operation.
+    #
+    # See Session#decrypt for convenience.
+    def C_DecryptInit(mechanism, key)
+      @pk.C_DecryptInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Decrypts encrypted data in a single part.
+    def C_Decrypt(data, out_size=nil)
+      @pk.C_Decrypt(@sess, data, out_size)
+    end
+    # Continues a multiple-part decryption operation, processing another
+    # encrypted data part.
+    def C_DecryptUpdate(data, out_size=nil)
+      @pk.C_DecryptUpdate(@sess, data, out_size)
+    end
+    # Finishes a multiple-part decryption operation.
+    def C_DecryptFinal(out_size=nil)
+      @pk.C_DecryptFinal(@sess, out_size)
+    end
+
+    # Convenience method for the C_DecryptInit, C_DecryptUpdate, C_DecryptFinal call flow.
+    #
+    # See Session#encrypt
+    def decrypt(mechanism, key, data=nil, &block)
+      common_crypt(:C_DecryptInit, :C_DecryptUpdate, :C_DecryptFinal, :C_Decrypt,
+                   mechanism, key, data, &block)
+    end
+
+    # Initializes a message-digesting operation.
+    #
+    # See Session#digest for convenience.
+    def C_DigestInit(mechanism)
+      @pk.C_DigestInit(@sess, Session.hash_to_mechanism(mechanism))
+    end
+    # Digests data in a single part.
+    def C_Digest(data, out_size=nil)
+      @pk.C_Digest(@sess, data, out_size)
+    end
+    # Continues a multiple-part message-digesting operation, processing
+    # another data part.
+    def C_DigestUpdate(data)
+      @pk.C_DigestUpdate(@sess, data)
+    end
+    # Continues a multiple-part message-digesting operation by digesting the
+    # value of a secret key.
+    #
+    # The message-digesting operation must have been initialized with C_DigestInit. Calls to
+    # this function and C_DigestUpdate may be interspersed any number of times in any
+    # order.
+    def C_DigestKey(key)
+      @pk.C_DigestKey(@sess, key)
+    end
+    # Finishes a multiple-part message-digesting operation, returning the
+    # message digest as String.
+    def C_DigestFinal(out_size=nil)
+      @pk.C_DigestFinal(@sess, out_size)
+    end
+
+    # Convenience method for the C_DigestInit, C_DigestUpdate, C_DigestKey,
+    # C_DigestFinal call flow.
+    #
+    # Example:
+    #   digest_string = session.digest( :SHA_1 ) do |cipher|
+    #     cipher.update("key prefix")
+    #     cipher.digest_key(some_key)
+    #   end
+    def digest(mechanism, data=nil, &block)
+      C_DigestInit(mechanism)
+      if block_given?
+        raise "data not nil, but block given" if data
+        yield DigestCipher.new(proc{|data_|
+          C_DigestUpdate(data_)
+        }, proc{|key_|
+          C_DigestKey(key_)
+        })
+        C_DigestFinal()
+      else
+        C_Digest(data)
+      end
+    end
+
+    # Initializes a signature operation, where the signature is an appendix to the
+    # data.
+    #
+    # See Session#sign for convenience.
+    def C_SignInit(mechanism, key)
+      @pk.C_SignInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Signs data in a single part, where the signature is an appendix to the data.
+    def C_Sign(data, out_size=nil)
+      @pk.C_Sign(@sess, data, out_size)
+    end
+    # Continues a multiple-part signature operation, processing another data
+    # part.
+    def C_SignUpdate(data)
+      @pk.C_SignUpdate(@sess, data)
+    end
+    # Finishes a multiple-part signature operation, returning the signature.
+    def C_SignFinal(out_size=nil)
+      @pk.C_SignFinal(@sess, out_size)
+    end
+
+    # Convenience method for the C_SignInit, C_SignUpdate, C_SignFinal call flow.
+    #
+    # See Session#encrypt
+    def sign(mechanism, key, data=nil, &block)
+      common_crypt(:C_SignInit, :C_SignUpdate, :C_SignFinal, :C_Sign,
+                   mechanism, key, data, &block)
+    end
+
+
+    # Initializes a verification operation, where the signature is an appendix to
+    # the data.
+    #
+    # See ession#verify for convenience.
+    def C_VerifyInit(mechanism, key)
+      @pk.C_VerifyInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Verifies a signature in a single-part operation, where the signature is an
+    # appendix to the data.
+    def C_Verify(data, out_size=nil)
+      @pk.C_Verify(@sess, data, out_size)
+    end
+    # Continues a multiple-part verification operation, processing another
+    # data part.
+    def C_VerifyUpdate(data)
+      @pk.C_VerifyUpdate(@sess, data)
+    end
+    # Finishes a multiple-part verification operation, checking the signature.
+    #
+    # Returns <tt>true</tt> for valid signature.
+    def C_VerifyFinal(out_size=nil)
+      @pk.C_VerifyFinal(@sess, out_size)
+    end
+
+    # Convenience method for the C_VerifyInit, C_VerifyUpdate, C_VerifyFinal call flow.
+    #
+    # See Session#encrypt
+    def verify(mechanism, key, signature, data=nil, &block)
+      common_verify(:C_VerifyInit, :C_VerifyUpdate, :C_VerifyFinal, :C_Verify,
+                   mechanism, key, signature, data, &block)
+    end
+
+    # Initializes a signature operation, where the data can be recovered
+    # from the signature
+    def C_SignRecoverInit(mechanism, key)
+      @pk.C_SignRecoverInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Signs data in a single operation, where the data can be recovered from
+    # the signature.
+    def C_SignRecover(data, out_size=nil)
+      @pk.C_SignRecover(@sess, data, out_size)
+    end
+
+    # Convenience method for the C_SignRecoverInit, C_SignRecover call flow.
+    def sign_recover(mechanism, key, data)
+      C_SignRecoverInit(mechanism, key)
+      C_SignRecover(data)
+    end
+
+    
+    # Initializes a signature verification operation, where the data can be recovered
+    # from the signature
+    #
+    # See Session#verify_recover for convenience.
+    def C_VerifyRecoverInit(mechanism, key)
+      @pk.C_VerifyRecoverInit(@sess, Session.hash_to_mechanism(mechanism), key)
+    end
+    # Verifies a signature in a single-part operation, where the data is
+    # recovered from the signature.
+    def C_VerifyRecover(signature, out_size=nil)
+      @pk.C_VerifyRecover(@sess, signature, out_size=nil)
+    end
+
+    # Convenience method for the C_VerifyRecoverInit, C_VerifyRecover call flow.
+    def verify_recover(mechanism, key, signature)
+      C_VerifyRecoverInit(mechanism, key)
+      C_VerifyRecover(signature)
+    end
+    
+    # Continues multiple-part digest and encryption operations,
+    # processing another data part.
+    #
+    # Digest and encryption operations must both be active (they must have been initialized
+    # with C_DigestInit and C_EncryptInit, respectively). This function may be called any
+    # number of times in succession, and may be interspersed with C_DigestUpdate,
+    # C_DigestKey, and C_EncryptUpdate calls.
+    def C_DigestEncryptUpdate(data, out_size=nil)
+      @pk.C_DigestEncryptUpdate(@sess, data, out_size)
+    end
+
+    # Continues a multiple-part combined decryption and digest
+    # operation, processing another data part.
+    #
+    # Decryption and digesting operations must both be active (they must have been initialized
+    # with C_DecryptInit and C_DigestInit, respectively). This function may be called any
+    # number of times in succession, and may be interspersed with C_DecryptUpdate,
+    # C_DigestUpdate, and C_DigestKey calls.
+    def C_DecryptDigestUpdate(data, out_size=nil)
+      @pk.C_DecryptDigestUpdate(@sess, data, out_size)
+    end
+
+    # Continues a multiple-part combined signature and encryption
+    # operation, processing another data part.
+    #
+    # Signature and encryption operations must both be active (they must have been initialized
+    # with C_SignInit and C_EncryptInit, respectively). This function may be called any
+    # number of times in succession, and may be interspersed with C_SignUpdate and
+    # C_EncryptUpdate calls.
+    def C_SignEncryptUpdate(data, out_size=nil)
+      @pk.C_SignEncryptUpdate(@sess, data, out_size)
+    end
+    
+    # Continues a multiple-part combined decryption and
+    # verification operation, processing another data part.
+    #
+    # Decryption and signature operations must both be active (they must have been initialized
+    # with C_DecryptInit and C_VerifyInit, respectively). This function may be called any
+    # number of times in succession, and may be interspersed with C_DecryptUpdate and
+    # C_VerifyUpdate calls.
+    def C_DecryptVerifyUpdate(data, out_size=nil)
+      @pk.C_DecryptVerifyUpdate(@sess, data, out_size)
+    end
+
+    # Generates a secret key Object or set of domain parameters, creating a new
+    # Object.
+    #
+    # Returns key Object of the new created key.
+    def C_GenerateKey(mechanism, template={})
+      obj = @pk.C_GenerateKey(@sess, Session.hash_to_mechanism(mechanism), Session.hash_to_attributes(template))
+      Object.new @pk, @sess, obj
+    end
+    alias generate_key C_GenerateKey
+
+    # Generates a public/private key pair, creating new key Object instances.
+    #
+    # Returns an two-items array of new created public and private key Object.
+    def C_GenerateKeyPair(mechanism, pubkey_template={}, privkey_template={})
+      objs = @pk.C_GenerateKeyPair(@sess, Session.hash_to_mechanism(mechanism), Session.hash_to_attributes(pubkey_template), Session.hash_to_attributes(privkey_template))
+      objs.map{|obj| Object.new @pk, @sess, obj }
+    end
+    alias generate_key_pair C_GenerateKeyPair
+
+    # Wraps (i.e., encrypts) a private or secret key.
+    #
+    # Returns the encrypted binary data.
+    def C_WrapKey(mechanism, wrapping_key, wrapped_key, out_size=nil)
+      @pk.C_WrapKey(@sess, Session.hash_to_mechanism(mechanism), wrapping_key, wrapped_key, out_size)
+    end
+    alias wrap_key C_WrapKey
+
+    # Unwraps (i.e. decrypts) a wrapped key, creating a new private key or
+    # secret key object.
+    #
+    # Returns key Object of the new created key.
+    def C_UnwrapKey(mechanism, wrapping_key, wrapped_key, template={})
+      obj = @pk.C_UnwrapKey(@sess, Session.hash_to_mechanism(mechanism), wrapping_key, wrapped_key, Session.hash_to_attributes(template))
+      Object.new @pk, @sess, obj
+    end
+    alias unwrap_key C_UnwrapKey
+
+    # Derives a key from a base key, creating a new key object.
+    #
+    # Returns key Object of the new created key.
+    def C_DeriveKey(mechanism, base_key, template={})
+      obj = @pk.C_DeriveKey(@sess, Session.hash_to_mechanism(mechanism), base_key, Session.hash_to_attributes(template))
+      Object.new @pk, @sess, obj
+    end
+    alias derive_key C_DeriveKey
+
+    # Mixes additional seed material into the token’s random number
+    # generator.
+    def C_SeedRandom(data)
+      @pk.C_SeedRandom(@sess, data)
+    end
+    alias seed_random C_SeedRandom
+    
+    # Generates random or pseudo-random data.
+    #
+    # Returns random or pseudo-random binary data of <tt>out_size</tt> bytes.
+    def C_GenerateRandom(out_size)
+      @pk.C_GenerateRandom(@sess, out_size)
+    end
+    alias generate_random C_GenerateRandom
+  end
+end