Use session close function from oxide fork of yubihsm.rs.

The `Client` type previously had a `Drop` implementation that closed the session if the Client had an open one. This seems to have caused problems in other downstream projects and was subsequently removed: iqlusioninc/tmkms#37 iqlusioninc/yubihsm.rs#265 The replacement was to provide a `session()` function that returns an Arc / MutexGuard wrapped reference to the optional session. This isn't useful for us here because we don't and AFAIK can't take ownership of the session which we need because the Sesison::close function consumes the session (it can't be reopened). Our solution requires an upstream change to the `Client` type adding a `close_session` function that just closes the session if one is open.
flihp · Apr 2, 2024 · cca9d8d · cca9d8d
1 parent 321221e
commit cca9d8d
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -33,5 +33,5 @@ thiserror = "1.0.58"
 # vsss-rs v3 has a dependency that requires rustc 1.65 but we're pinned
 # to 1.64 till offline-keystore-os supports it
 vsss-rs = "2.7.1"
-yubihsm = { version = "0.42.1", features = ["usb", "untested"] }
+yubihsm = { git = "https://github.com/oxidecomputer/yubihsm.rs", branch = "session-close", features = ["usb", "untested"] }
 zeroize = "1.7.0"
diff --git a/src/ca.rs b/src/ca.rs
@@ -474,7 +474,7 @@ pub fn sign(
                 return Err(e);
             }
         } else if filename.ends_with(DCSRSPEC_EXT) {
-            let hsm = Hsm::new(
+            let mut hsm = Hsm::new(
                 0x0002,
                 &passwd_from_env("OKM_HSM_PKCS11_AUTH")?,
                 publish,
@@ -492,6 +492,7 @@ pub fn sign(
                 }
                 return Err(e);
             }
+            hsm.client.close_session();
         } else {
             error!("Unknown input spec: {}", path.display());
         }