mirror of
https://github.com/systemd/systemd
synced 2024-10-15 04:24:19 +00:00
cryptsetup: Add support for EC keys in PKCS#11 tokens
Since EC keys doesn't support encryption directly, we use ECDH protocol. We generate a pair of EC keys in the same EC group, then derive a shared secret using the generated private key and the public key in the token. The derived shared secret is used as a volume key. The generated public key is stored in the LUKS2 JSON token header area. The generated private key is erased. To unlock a volume, we derive the shared secret with the stored public key and a private key in the token. Co-authored-by: MkfsSion <mkfssion@mkfssion.com>
This commit is contained in:
parent
876206f267
commit
3d05c05873
|
@ -104,10 +104,14 @@
|
||||||
see above and below.</para></listitem>
|
see above and below.</para></listitem>
|
||||||
|
|
||||||
<listitem><para>The key may be acquired via a PKCS#11 compatible hardware security token or
|
<listitem><para>The key may be acquired via a PKCS#11 compatible hardware security token or
|
||||||
smartcard. In this case an encrypted key is stored on disk/removable media, acquired via
|
smartcard. In this case a saved key used in unlock process is stored on disk/removable media, acquired via
|
||||||
<constant>AF_UNIX</constant>, or stored in the LUKS2 JSON token metadata header. The encrypted key is
|
<constant>AF_UNIX</constant>, or stored in the LUKS2 JSON token metadata header. For RSA, the saved key
|
||||||
then decrypted by the PKCS#11 token with an RSA key stored on it, and then used to unlock the encrypted
|
is an encrypted volume key. The encrypted volume key is then decrypted by the PKCS#11 token with an RSA
|
||||||
volume. Use the <option>pkcs11-uri=</option> option described below to use this mechanism.</para></listitem>
|
private key stored on it, and used to unlock the encrypted volume. For elliptic-curve (EC) cryptography,
|
||||||
|
the saved key is the public key generated in enrollment process. The public key is then used to derive
|
||||||
|
a shared secret with a private key stored in the PKCS#11 token. The derived shared secret is then used
|
||||||
|
to unlock the volume. Use the <option>pkcs11-uri=</option> option described below to use this mechanism.
|
||||||
|
</para></listitem>
|
||||||
|
|
||||||
<listitem><para>Similarly, the key may be acquired via a FIDO2 compatible hardware security token
|
<listitem><para>Similarly, the key may be acquired via a FIDO2 compatible hardware security token
|
||||||
(which must implement the "hmac-secret" extension). In this case a key generated randomly during
|
(which must implement the "hmac-secret" extension). In this case a key generated randomly during
|
||||||
|
@ -643,7 +647,7 @@
|
||||||
<term><option>pkcs11-uri=</option></term>
|
<term><option>pkcs11-uri=</option></term>
|
||||||
|
|
||||||
<listitem><para>Takes either the special value <literal>auto</literal> or an <ulink
|
<listitem><para>Takes either the special value <literal>auto</literal> or an <ulink
|
||||||
url="https://tools.ietf.org/html/rfc7512">RFC7512 PKCS#11 URI</ulink> pointing to a private RSA key
|
url="https://tools.ietf.org/html/rfc7512">RFC7512 PKCS#11 URI</ulink> pointing to a private key
|
||||||
which is used to decrypt the encrypted key specified in the third column of the line. This is useful
|
which is used to decrypt the encrypted key specified in the third column of the line. This is useful
|
||||||
for unlocking encrypted volumes through PKCS#11 compatible security tokens or smartcards. See below
|
for unlocking encrypted volumes through PKCS#11 compatible security tokens or smartcards. See below
|
||||||
for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security
|
for an example how to set up this mechanism for unlocking a LUKS2 volume with a YubiKey security
|
||||||
|
@ -653,16 +657,16 @@
|
||||||
security token metadata in its LUKS2 JSON token section. In this mode the URI and the encrypted key
|
security token metadata in its LUKS2 JSON token section. In this mode the URI and the encrypted key
|
||||||
are automatically read from the LUKS2 JSON token header. Use
|
are automatically read from the LUKS2 JSON token header. Use
|
||||||
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
as simple tool for enrolling PKCS#11 security tokens or smartcards in a way compatible with
|
as a simple tool for enrolling PKCS#11 security tokens or smartcards in a way compatible with
|
||||||
<literal>auto</literal>. In this mode the third column of the line should remain empty (that is,
|
<literal>auto</literal>. In this mode the third column of the line should remain empty (that is,
|
||||||
specified as <literal>-</literal>).</para>
|
specified as <literal>-</literal>).</para>
|
||||||
|
|
||||||
<para>The specified URI can refer directly to a private RSA key stored on a token or alternatively
|
<para>The specified URI can refer directly to a private key stored on a token or alternatively
|
||||||
just to a slot or token, in which case a search for a suitable private RSA key will be performed. In
|
just to a slot or token, in which case a search for a suitable private key will be performed. In
|
||||||
this case if multiple suitable objects are found the token is refused. The encrypted key configured
|
this case if multiple suitable objects are found the token is refused. The keyfile configured
|
||||||
in the third column of the line is passed as is (i.e. in binary form, unprocessed) to RSA
|
in the third column of the line is used as is (i.e. in binary form, unprocessed). The resulting
|
||||||
decryption. The resulting decrypted key is then Base64 encoded before it is used to unlock the LUKS
|
decrypted key (for RSA) or derived shared secret (for ECC) is then Base64 encoded before it is used
|
||||||
volume.</para>
|
to unlock the LUKS volume.</para>
|
||||||
|
|
||||||
<para>Use <command>systemd-cryptenroll --pkcs11-token-uri=list</command> to list all suitable PKCS#11
|
<para>Use <command>systemd-cryptenroll --pkcs11-token-uri=list</command> to list all suitable PKCS#11
|
||||||
security tokens currently plugged in, along with their URIs.</para>
|
security tokens currently plugged in, along with their URIs.</para>
|
||||||
|
@ -969,8 +973,8 @@ external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchac
|
||||||
<title>Yubikey-based PKCS#11 Volume Unlocking Example</title>
|
<title>Yubikey-based PKCS#11 Volume Unlocking Example</title>
|
||||||
|
|
||||||
<para>The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA
|
<para>The PKCS#11 logic allows hooking up any compatible security token that is capable of storing RSA
|
||||||
decryption keys for unlocking an encrypted volume. Here's an example how to set up a Yubikey security
|
or EC cryptographic keys for unlocking an encrypted volume. Here's an example how to set up a Yubikey
|
||||||
token for this purpose on a LUKS2 volume, using <citerefentry
|
security token for this purpose on a LUKS2 volume, using <citerefentry
|
||||||
project='debian'><refentrytitle>ykmap</refentrytitle><manvolnum>1</manvolnum></citerefentry> from the
|
project='debian'><refentrytitle>ykmap</refentrytitle><manvolnum>1</manvolnum></citerefentry> from the
|
||||||
yubikey-manager project to initialize the token and
|
yubikey-manager project to initialize the token and
|
||||||
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||||
|
|
|
@ -36,8 +36,8 @@
|
||||||
supports tokens and credentials of the following kind to be enrolled:</para>
|
supports tokens and credentials of the following kind to be enrolled:</para>
|
||||||
|
|
||||||
<orderedlist>
|
<orderedlist>
|
||||||
<listitem><para>PKCS#11 security tokens and smartcards that may carry an RSA key pair (e.g. various
|
<listitem><para>PKCS#11 security tokens and smartcards that may carry an RSA or EC key pair (e.g.
|
||||||
YubiKeys)</para></listitem>
|
various YubiKeys)</para></listitem>
|
||||||
|
|
||||||
<listitem><para>FIDO2 security tokens that implement the <literal>hmac-secret</literal> extension (most
|
<listitem><para>FIDO2 security tokens that implement the <literal>hmac-secret</literal> extension (most
|
||||||
FIDO2 keys, including YubiKeys)</para></listitem>
|
FIDO2 keys, including YubiKeys)</para></listitem>
|
||||||
|
@ -317,9 +317,16 @@
|
||||||
smartcard URI referring to the token. Alternatively the special value <literal>auto</literal> may
|
smartcard URI referring to the token. Alternatively the special value <literal>auto</literal> may
|
||||||
be specified, in order to automatically determine the URI of a currently plugged in security token
|
be specified, in order to automatically determine the URI of a currently plugged in security token
|
||||||
(of which there must be exactly one). The special value <literal>list</literal> may be used to
|
(of which there must be exactly one). The special value <literal>list</literal> may be used to
|
||||||
enumerate all suitable PKCS#11 tokens currently plugged in. The security token must contain an RSA
|
enumerate all suitable PKCS#11 tokens currently plugged in.</para>
|
||||||
key pair which is used to encrypt the randomly generated key that is used to unlock the LUKS2
|
|
||||||
volume. The encrypted key is then stored in the LUKS2 JSON token header area.</para>
|
<para>The PKCS#11 token must contain an RSA or EC key pair which will be used to unlock a LUKS2 volume.
|
||||||
|
For RSA, a randomly generated volume key is encrypted with a public key in the token, and stored in
|
||||||
|
the LUKS2 JSON token header area. To unlock a volume, the stored encrypted volume key will be decrypted
|
||||||
|
with a private key in the token. For ECC, ECDH algorithm is used: we generate a pair of EC keys in
|
||||||
|
the same EC group, then derive a shared secret using the generated private key and the public key
|
||||||
|
in the token. The derived shared secret is used as a volume key. The generated public key is
|
||||||
|
stored in the LUKS2 JSON token header area. The generated private key is erased. To unlock a volume,
|
||||||
|
we derive the shared secret with the stored public key and a private key in the token.</para>
|
||||||
|
|
||||||
<para>In order to unlock a LUKS2 volume with an enrolled PKCS#11 security token, specify the
|
<para>In order to unlock a LUKS2 volume with an enrolled PKCS#11 security token, specify the
|
||||||
<option>pkcs11-uri=</option> option in the respective <filename>/etc/crypttab</filename> line:</para>
|
<option>pkcs11-uri=</option> option in the respective <filename>/etc/crypttab</filename> line:</para>
|
||||||
|
|
|
@ -8,8 +8,8 @@
|
||||||
#include "string-util.h"
|
#include "string-util.h"
|
||||||
|
|
||||||
#if HAVE_OPENSSL
|
#if HAVE_OPENSSL
|
||||||
/* For each error in the the OpenSSL thread error queue, log the provided message and the OpenSSL error
|
/* For each error in the OpenSSL thread error queue, log the provided message and the OpenSSL error
|
||||||
* string. If there are no errors in the OpenSSL thread queue, this logs the message with "No openssl
|
* string. If there are no errors in the OpenSSL thread queue, this logs the message with "No OpenSSL
|
||||||
* errors." This logs at level debug. Returns -EIO (or -ENOMEM). */
|
* errors." This logs at level debug. Returns -EIO (or -ENOMEM). */
|
||||||
#define log_openssl_errors(fmt, ...) _log_openssl_errors(UNIQ, fmt, ##__VA_ARGS__)
|
#define log_openssl_errors(fmt, ...) _log_openssl_errors(UNIQ, fmt, ##__VA_ARGS__)
|
||||||
#define _log_openssl_errors(u, fmt, ...) \
|
#define _log_openssl_errors(u, fmt, ...) \
|
||||||
|
@ -524,7 +524,6 @@ int rsa_encrypt_bytes(
|
||||||
|
|
||||||
*ret_encrypt_key = TAKE_PTR(b);
|
*ret_encrypt_key = TAKE_PTR(b);
|
||||||
*ret_encrypt_key_size = l;
|
*ret_encrypt_key_size = l;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -990,7 +989,7 @@ int ecc_ecdh(const EVP_PKEY *private_pkey,
|
||||||
if (EVP_PKEY_derive(ctx, NULL, &shared_secret_size) <= 0)
|
if (EVP_PKEY_derive(ctx, NULL, &shared_secret_size) <= 0)
|
||||||
return log_openssl_errors("Failed to get ECC shared secret size");
|
return log_openssl_errors("Failed to get ECC shared secret size");
|
||||||
|
|
||||||
_cleanup_free_ void *shared_secret = malloc(shared_secret_size);
|
_cleanup_(erase_and_freep) void *shared_secret = malloc(shared_secret_size);
|
||||||
if (!shared_secret)
|
if (!shared_secret)
|
||||||
return log_oom_debug();
|
return log_oom_debug();
|
||||||
|
|
||||||
|
@ -1130,6 +1129,95 @@ int string_hashsum(
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
|
static int ecc_pkey_generate_volume_keys(
|
||||||
|
EVP_PKEY *pkey,
|
||||||
|
void **ret_decrypted_key,
|
||||||
|
size_t *ret_decrypted_key_size,
|
||||||
|
void **ret_saved_key,
|
||||||
|
size_t *ret_saved_key_size) {
|
||||||
|
|
||||||
|
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey_new = NULL;
|
||||||
|
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||||
|
_cleanup_free_ unsigned char *saved_key = NULL;
|
||||||
|
size_t decrypted_key_size, saved_key_size;
|
||||||
|
int nid = NID_undef;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
|
_cleanup_free_ char *curve_name = NULL;
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
if (EVP_PKEY_get_group_name(pkey, NULL, 0, &len) != 1 || len == 0)
|
||||||
|
return log_openssl_errors("Failed to determine PKEY group name length");
|
||||||
|
|
||||||
|
len++;
|
||||||
|
curve_name = new(char, len);
|
||||||
|
if (!curve_name)
|
||||||
|
return log_oom_debug();
|
||||||
|
|
||||||
|
if (EVP_PKEY_get_group_name(pkey, curve_name, len, &len) != 1)
|
||||||
|
return log_openssl_errors("Failed to get PKEY group name");
|
||||||
|
|
||||||
|
nid = OBJ_sn2nid(curve_name);
|
||||||
|
#else
|
||||||
|
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
|
||||||
|
if (!ec_key)
|
||||||
|
return log_openssl_errors("PKEY doesn't have EC_KEY associated");
|
||||||
|
|
||||||
|
if (EC_KEY_check_key(ec_key) != 1)
|
||||||
|
return log_openssl_errors("EC_KEY associated with PKEY is not valid");
|
||||||
|
|
||||||
|
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
|
||||||
|
#endif
|
||||||
|
|
||||||
|
r = ecc_pkey_new(nid, &pkey_new);
|
||||||
|
if (r < 0)
|
||||||
|
return log_debug_errno(r, "Failed to generate a new EC keypair: %m");
|
||||||
|
|
||||||
|
r = ecc_ecdh(pkey_new, pkey, &decrypted_key, &decrypted_key_size);
|
||||||
|
if (r < 0)
|
||||||
|
return log_debug_errno(r, "Failed to derive shared secret: %m");
|
||||||
|
|
||||||
|
#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
|
/* EVP_PKEY_get1_encoded_public_key() always returns uncompressed format of EC points.
|
||||||
|
See https://github.com/openssl/openssl/discussions/22835 */
|
||||||
|
saved_key_size = EVP_PKEY_get1_encoded_public_key(pkey_new, &saved_key);
|
||||||
|
if (saved_key_size == 0)
|
||||||
|
return log_openssl_errors("Failed to convert the generated public key to SEC1 format");
|
||||||
|
#else
|
||||||
|
EC_KEY *ec_key_new = EVP_PKEY_get0_EC_KEY(pkey_new);
|
||||||
|
if (!ec_key_new)
|
||||||
|
return log_openssl_errors("The generated key doesn't have associated EC_KEY");
|
||||||
|
|
||||||
|
if (EC_KEY_check_key(ec_key_new) != 1)
|
||||||
|
return log_openssl_errors("EC_KEY associated with the generated key is not valid");
|
||||||
|
|
||||||
|
saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new),
|
||||||
|
EC_KEY_get0_public_key(ec_key_new),
|
||||||
|
POINT_CONVERSION_UNCOMPRESSED,
|
||||||
|
NULL, 0, NULL);
|
||||||
|
if (saved_key_size == 0)
|
||||||
|
return log_openssl_errors("Failed to determine size of the generated public key");
|
||||||
|
|
||||||
|
saved_key = malloc(saved_key_size);
|
||||||
|
if (!saved_key)
|
||||||
|
return log_oom_debug();
|
||||||
|
|
||||||
|
saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new),
|
||||||
|
EC_KEY_get0_public_key(ec_key_new),
|
||||||
|
POINT_CONVERSION_UNCOMPRESSED,
|
||||||
|
saved_key, saved_key_size, NULL);
|
||||||
|
if (saved_key_size == 0)
|
||||||
|
return log_openssl_errors("Failed to convert the generated public key to SEC1 format");
|
||||||
|
#endif
|
||||||
|
|
||||||
|
*ret_decrypted_key = TAKE_PTR(decrypted_key);
|
||||||
|
*ret_decrypted_key_size = decrypted_key_size;
|
||||||
|
*ret_saved_key = TAKE_PTR(saved_key);
|
||||||
|
*ret_saved_key_size = saved_key_size;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int rsa_pkey_generate_volume_keys(
|
static int rsa_pkey_generate_volume_keys(
|
||||||
EVP_PKEY *pkey,
|
EVP_PKEY *pkey,
|
||||||
void **ret_decrypted_key,
|
void **ret_decrypted_key,
|
||||||
|
@ -1194,6 +1282,9 @@ int x509_generate_volume_keys(
|
||||||
case EVP_PKEY_RSA:
|
case EVP_PKEY_RSA:
|
||||||
return rsa_pkey_generate_volume_keys(pkey, ret_decrypted_key, ret_decrypted_key_size, ret_saved_key, ret_saved_key_size);
|
return rsa_pkey_generate_volume_keys(pkey, ret_decrypted_key, ret_decrypted_key_size, ret_saved_key, ret_saved_key_size);
|
||||||
|
|
||||||
|
case EVP_PKEY_EC:
|
||||||
|
return ecc_pkey_generate_volume_keys(pkey, ret_decrypted_key, ret_decrypted_key_size, ret_saved_key, ret_saved_key_size);
|
||||||
|
|
||||||
case NID_undef:
|
case NID_undef:
|
||||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine a type of public key");
|
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine a type of public key");
|
||||||
|
|
||||||
|
|
|
@ -586,114 +586,61 @@ int pkcs11_token_find_private_key(
|
||||||
P11KitUri *search_uri,
|
P11KitUri *search_uri,
|
||||||
CK_OBJECT_HANDLE *ret_object) {
|
CK_OBJECT_HANDLE *ret_object) {
|
||||||
|
|
||||||
bool found_decrypt = false, found_class = false, found_key_type = false;
|
uint_fast8_t n_objects = 0;
|
||||||
|
bool found_class = false;
|
||||||
_cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
|
_cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
|
||||||
CK_ULONG n_attributes, a, n_objects;
|
CK_OBJECT_HANDLE object, candidate;
|
||||||
CK_ATTRIBUTE *attributes = NULL;
|
static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
|
||||||
CK_OBJECT_HANDLE objects[2];
|
CK_BBOOL decrypt_value, derive_value;
|
||||||
CK_RV rv, rv2;
|
CK_ATTRIBUTE optional_attributes[] = {
|
||||||
int r;
|
{ CKA_DECRYPT, &decrypt_value, sizeof(decrypt_value) },
|
||||||
|
{ CKA_DERIVE, &derive_value, sizeof(derive_value) }
|
||||||
|
};
|
||||||
|
CK_RV rv;
|
||||||
|
|
||||||
assert(m);
|
assert(m);
|
||||||
assert(search_uri);
|
assert(search_uri);
|
||||||
assert(ret_object);
|
assert(ret_object);
|
||||||
|
|
||||||
r = dlopen_p11kit();
|
CK_ULONG n_attributes;
|
||||||
if (r < 0)
|
CK_ATTRIBUTE *attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
|
||||||
return r;
|
for (CK_ULONG i = 0; i < n_attributes; i++) {
|
||||||
|
|
||||||
attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
|
|
||||||
for (a = 0; a < n_attributes; a++) {
|
|
||||||
|
|
||||||
/* We use the URI's included match attributes, but make them more strict. This allows users
|
/* We use the URI's included match attributes, but make them more strict. This allows users
|
||||||
* to specify a token URL instead of an object URL and the right thing should happen if
|
* to specify a token URL instead of an object URL and the right thing should happen if
|
||||||
* there's only one suitable key on the token. */
|
* there's only one suitable key on the token. */
|
||||||
|
|
||||||
switch (attributes[a].type) {
|
switch (attributes[i].type) {
|
||||||
|
|
||||||
case CKA_CLASS: {
|
case CKA_CLASS: {
|
||||||
CK_OBJECT_CLASS c;
|
CK_OBJECT_CLASS c;
|
||||||
|
|
||||||
if (attributes[a].ulValueLen != sizeof(c))
|
if (attributes[i].ulValueLen != sizeof(c))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
|
||||||
|
|
||||||
memcpy(&c, attributes[a].pValue, sizeof(c));
|
memcpy(&c, attributes[i].pValue, sizeof(c));
|
||||||
if (c != CKO_PRIVATE_KEY)
|
if (c != CKO_PRIVATE_KEY)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"Selected PKCS#11 object is not a private key, refusing.");
|
"Selected PKCS#11 object is not a private key, refusing.");
|
||||||
|
|
||||||
found_class = true;
|
found_class = true;
|
||||||
break;
|
break;
|
||||||
}
|
|
||||||
|
|
||||||
case CKA_DECRYPT: {
|
|
||||||
CK_BBOOL b;
|
|
||||||
|
|
||||||
if (attributes[a].ulValueLen != sizeof(b))
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_DECRYPT attribute size.");
|
|
||||||
|
|
||||||
memcpy(&b, attributes[a].pValue, sizeof(b));
|
|
||||||
if (!b)
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
||||||
"Selected PKCS#11 object is not suitable for decryption, refusing.");
|
|
||||||
|
|
||||||
found_decrypt = true;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
case CKA_KEY_TYPE: {
|
|
||||||
CK_KEY_TYPE t;
|
|
||||||
|
|
||||||
if (attributes[a].ulValueLen != sizeof(t))
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_KEY_TYPE attribute size.");
|
|
||||||
|
|
||||||
memcpy(&t, attributes[a].pValue, sizeof(t));
|
|
||||||
if (t != CKK_RSA)
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an RSA key, refusing.");
|
|
||||||
|
|
||||||
found_key_type = true;
|
|
||||||
break;
|
|
||||||
}}
|
}}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!found_decrypt || !found_class || !found_key_type) {
|
if (!found_class) {
|
||||||
/* Hmm, let's slightly extend the attribute list we search for */
|
/* Hmm, let's slightly extend the attribute list we search for */
|
||||||
|
|
||||||
attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_decrypt + !found_class + !found_key_type);
|
attributes_buffer = new(CK_ATTRIBUTE, n_attributes + 1);
|
||||||
if (!attributes_buffer)
|
if (!attributes_buffer)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
|
memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
|
||||||
|
|
||||||
if (!found_decrypt) {
|
attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
|
||||||
static const CK_BBOOL yes = true;
|
.type = CKA_CLASS,
|
||||||
|
.pValue = (CK_OBJECT_CLASS*) &class,
|
||||||
attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
|
.ulValueLen = sizeof(class),
|
||||||
.type = CKA_DECRYPT,
|
};
|
||||||
.pValue = (CK_BBOOL*) &yes,
|
|
||||||
.ulValueLen = sizeof(yes),
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!found_class) {
|
|
||||||
static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
|
|
||||||
|
|
||||||
attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
|
|
||||||
.type = CKA_CLASS,
|
|
||||||
.pValue = (CK_OBJECT_CLASS*) &class,
|
|
||||||
.ulValueLen = sizeof(class),
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!found_key_type) {
|
|
||||||
static const CK_KEY_TYPE type = CKK_RSA;
|
|
||||||
|
|
||||||
attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
|
|
||||||
.type = CKA_KEY_TYPE,
|
|
||||||
.pValue = (CK_KEY_TYPE*) &type,
|
|
||||||
.ulValueLen = sizeof(type),
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
attributes = attributes_buffer;
|
attributes = attributes_buffer;
|
||||||
}
|
}
|
||||||
|
@ -703,26 +650,127 @@ int pkcs11_token_find_private_key(
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||||
"Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
|
"Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
|
||||||
|
|
||||||
rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
|
for (;;) {
|
||||||
rv2 = m->C_FindObjectsFinal(session);
|
CK_ULONG b;
|
||||||
|
rv = m->C_FindObjects(session, &candidate, 1, &b);
|
||||||
|
if (rv != CKR_OK)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||||
|
"Failed to find objects: %s", sym_p11_kit_strerror(rv));
|
||||||
|
|
||||||
|
if (b == 0)
|
||||||
|
break;
|
||||||
|
|
||||||
|
bool can_decrypt = false, can_derive = false;
|
||||||
|
optional_attributes[0].ulValueLen = sizeof(decrypt_value);
|
||||||
|
optional_attributes[1].ulValueLen = sizeof(derive_value);
|
||||||
|
|
||||||
|
rv = m->C_GetAttributeValue(session, candidate, optional_attributes, ELEMENTSOF(optional_attributes));
|
||||||
|
if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||||
|
"Failed to get attributes of a selected private key: %s", sym_p11_kit_strerror(rv));
|
||||||
|
|
||||||
|
if (optional_attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION && decrypt_value == CK_TRUE)
|
||||||
|
can_decrypt = true;
|
||||||
|
|
||||||
|
if (optional_attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION && derive_value == CK_TRUE)
|
||||||
|
can_derive = true;
|
||||||
|
|
||||||
|
if (can_decrypt || can_derive) {
|
||||||
|
n_objects++;
|
||||||
|
if (n_objects > 1)
|
||||||
|
break;
|
||||||
|
object = candidate;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
rv = m->C_FindObjectsFinal(session);
|
||||||
if (rv != CKR_OK)
|
if (rv != CKR_OK)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||||
"Failed to find objects: %s", sym_p11_kit_strerror(rv));
|
"Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
|
||||||
if (rv2 != CKR_OK)
|
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
|
||||||
"Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
|
|
||||||
if (n_objects == 0)
|
if (n_objects == 0)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
|
return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
|
||||||
"Failed to find selected private key suitable for decryption on token.");
|
"Failed to find selected private key suitable for decryption or derivation on token.");
|
||||||
|
|
||||||
if (n_objects > 1)
|
if (n_objects > 1)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
||||||
"Configured private key URI matches multiple keys, refusing.");
|
"Configured private key URI matches multiple keys, refusing.");
|
||||||
|
|
||||||
*ret_object = objects[0];
|
*ret_object = object;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int pkcs11_token_decrypt_data(
|
/* Since EC keys doesn't support encryption directly, we use ECDH protocol to derive shared secret here.
|
||||||
|
* We use PKCS#11 C_DeriveKey function to derive a shared secret with a private key stored in the token and
|
||||||
|
* a public key saved on enrollment. */
|
||||||
|
static int pkcs11_token_decrypt_data_ecc(
|
||||||
|
CK_FUNCTION_LIST *m,
|
||||||
|
CK_SESSION_HANDLE session,
|
||||||
|
CK_OBJECT_HANDLE object,
|
||||||
|
const void *encrypted_data,
|
||||||
|
size_t encrypted_data_size,
|
||||||
|
void **ret_decrypted_data,
|
||||||
|
size_t *ret_decrypted_data_size) {
|
||||||
|
|
||||||
|
static const CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
|
||||||
|
static const CK_OBJECT_CLASS shared_secret_class = CKO_SECRET_KEY;
|
||||||
|
static const CK_KEY_TYPE shared_secret_type = CKK_GENERIC_SECRET;
|
||||||
|
static const CK_ATTRIBUTE shared_secret_template[] = {
|
||||||
|
{ CKA_TOKEN, (void*) &no, sizeof(no) },
|
||||||
|
{ CKA_CLASS, (void*) &shared_secret_class, sizeof(shared_secret_class) },
|
||||||
|
{ CKA_KEY_TYPE, (void*) &shared_secret_type, sizeof(shared_secret_type) },
|
||||||
|
{ CKA_SENSITIVE, (void*) &no, sizeof(no) },
|
||||||
|
{ CKA_EXTRACTABLE, (void*) &yes, sizeof(yes) }
|
||||||
|
};
|
||||||
|
CK_ECDH1_DERIVE_PARAMS params = {
|
||||||
|
.kdf = CKD_NULL,
|
||||||
|
.pPublicData = (void*) encrypted_data,
|
||||||
|
.ulPublicDataLen = encrypted_data_size
|
||||||
|
};
|
||||||
|
CK_MECHANISM mechanism = {
|
||||||
|
.mechanism = CKM_ECDH1_DERIVE,
|
||||||
|
.pParameter = ¶ms,
|
||||||
|
.ulParameterLen = sizeof(params)
|
||||||
|
};
|
||||||
|
CK_OBJECT_HANDLE shared_secret_handle;
|
||||||
|
CK_RV rv, rv2;
|
||||||
|
|
||||||
|
rv = m->C_DeriveKey(session, &mechanism, object, (CK_ATTRIBUTE*) shared_secret_template, ELEMENTSOF(shared_secret_template), &shared_secret_handle);
|
||||||
|
if (rv != CKR_OK)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to derive a shared secret: %s", sym_p11_kit_strerror(rv));
|
||||||
|
|
||||||
|
CK_ATTRIBUTE shared_secret_attr = { CKA_VALUE, NULL_PTR, 0};
|
||||||
|
|
||||||
|
rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
|
||||||
|
if (rv != CKR_OK) {
|
||||||
|
rv2 = m->C_DestroyObject(session, shared_secret_handle);
|
||||||
|
if (rv2 != CKR_OK)
|
||||||
|
log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve shared secret length: %s", sym_p11_kit_strerror(rv));
|
||||||
|
}
|
||||||
|
|
||||||
|
shared_secret_attr.pValue = malloc(shared_secret_attr.ulValueLen);
|
||||||
|
if (!shared_secret_attr.pValue)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
|
||||||
|
rv2 = m->C_DestroyObject(session, shared_secret_handle);
|
||||||
|
if (rv2 != CKR_OK)
|
||||||
|
log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
|
||||||
|
|
||||||
|
if (rv != CKR_OK) {
|
||||||
|
erase_and_free(shared_secret_attr.pValue);
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve a shared secret: %s", sym_p11_kit_strerror(rv));
|
||||||
|
}
|
||||||
|
|
||||||
|
log_info("Successfully derived key with security token.");
|
||||||
|
|
||||||
|
*ret_decrypted_data = shared_secret_attr.pValue;
|
||||||
|
*ret_decrypted_data_size = shared_secret_attr.ulValueLen;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int pkcs11_token_decrypt_data_rsa(
|
||||||
CK_FUNCTION_LIST *m,
|
CK_FUNCTION_LIST *m,
|
||||||
CK_SESSION_HANDLE session,
|
CK_SESSION_HANDLE session,
|
||||||
CK_OBJECT_HANDLE object,
|
CK_OBJECT_HANDLE object,
|
||||||
|
@ -737,17 +785,6 @@ int pkcs11_token_decrypt_data(
|
||||||
_cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL;
|
_cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL;
|
||||||
CK_ULONG dbuffer_size = 0;
|
CK_ULONG dbuffer_size = 0;
|
||||||
CK_RV rv;
|
CK_RV rv;
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(m);
|
|
||||||
assert(encrypted_data);
|
|
||||||
assert(encrypted_data_size > 0);
|
|
||||||
assert(ret_decrypted_data);
|
|
||||||
assert(ret_decrypted_data_size);
|
|
||||||
|
|
||||||
r = dlopen_p11kit();
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object);
|
rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object);
|
||||||
if (rv != CKR_OK)
|
if (rv != CKR_OK)
|
||||||
|
@ -780,6 +817,42 @@ int pkcs11_token_decrypt_data(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int pkcs11_token_decrypt_data(
|
||||||
|
CK_FUNCTION_LIST *m,
|
||||||
|
CK_SESSION_HANDLE session,
|
||||||
|
CK_OBJECT_HANDLE object,
|
||||||
|
const void *encrypted_data,
|
||||||
|
size_t encrypted_data_size,
|
||||||
|
void **ret_decrypted_data,
|
||||||
|
size_t *ret_decrypted_data_size) {
|
||||||
|
|
||||||
|
CK_KEY_TYPE key_type;
|
||||||
|
CK_ATTRIBUTE key_type_template = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
|
||||||
|
CK_RV rv;
|
||||||
|
|
||||||
|
assert(m);
|
||||||
|
assert(encrypted_data);
|
||||||
|
assert(encrypted_data_size > 0);
|
||||||
|
assert(ret_decrypted_data);
|
||||||
|
assert(ret_decrypted_data_size);
|
||||||
|
|
||||||
|
rv = m->C_GetAttributeValue(session, object, &key_type_template, 1);
|
||||||
|
if (rv != CKR_OK)
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve private key type");
|
||||||
|
|
||||||
|
switch (key_type) {
|
||||||
|
|
||||||
|
case CKK_RSA:
|
||||||
|
return pkcs11_token_decrypt_data_rsa(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
|
||||||
|
|
||||||
|
case CKK_EC:
|
||||||
|
return pkcs11_token_decrypt_data_ecc(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
|
||||||
|
|
||||||
|
default:
|
||||||
|
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported private key type: %lu", key_type);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int pkcs11_token_acquire_rng(
|
int pkcs11_token_acquire_rng(
|
||||||
CK_FUNCTION_LIST *m,
|
CK_FUNCTION_LIST *m,
|
||||||
CK_SESSION_HANDLE session) {
|
CK_SESSION_HANDLE session) {
|
||||||
|
|
Loading…
Reference in a new issue