mirror of
https://github.com/systemd/systemd
synced 2024-07-21 18:24:38 +00:00
cryptenroll: allow to use a public key on a token
This patch allows systemd-cryptenroll to enroll directly with a public key if a certificate is missing on a token. Fixes: #30675
This commit is contained in:
parent
e104d77da2
commit
85686b37b0
|
@ -314,10 +314,10 @@
|
|||
<term><option>--pkcs11-token-uri=</option><replaceable>URI</replaceable></term>
|
||||
|
||||
<listitem><para>Enroll a PKCS#11 security token or smartcard (e.g. a YubiKey). Expects a PKCS#11 URI
|
||||
that allows to find an X.509 certificate on the token. The URI must also be suitable to find
|
||||
a related private key after changing the type of object in it. Alternatively the special value
|
||||
<literal>auto</literal> may be specified, in order to automatically determine the suitable URI if
|
||||
a single security token containing a single key pair is plugged in. The special value
|
||||
that allows to find an X.509 certificate or a public key on the token. The URI must also be suitable
|
||||
to find a related private key after changing the type of object in it. Alternatively the special
|
||||
value <literal>auto</literal> may be specified, in order to automatically determine the suitable URI
|
||||
if a single security token containing a single key pair is plugged in. The special value
|
||||
<literal>list</literal> may be used to enumerate all suitable PKCS#11 tokens currently plugged in.
|
||||
</para>
|
||||
|
||||
|
|
|
@ -39,3 +39,19 @@ bool memeqbyte(uint8_t byte, const void *data, size_t length) {
|
|||
/* Now we know first 16 bytes match, memcmp() with self. */
|
||||
return memcmp(data, p + 16, length) == 0;
|
||||
}
|
||||
|
||||
void *memdup_reverse(const void *mem, size_t size) {
|
||||
assert(mem);
|
||||
assert(size != 0);
|
||||
|
||||
void *p = malloc(size);
|
||||
if (!p)
|
||||
return NULL;
|
||||
|
||||
uint8_t *p_dst = p;
|
||||
const uint8_t *p_src = mem;
|
||||
for (size_t i = 0, k = size; i < size; i++, k--)
|
||||
p_dst[i] = p_src[k-1];
|
||||
|
||||
return p;
|
||||
}
|
||||
|
|
|
@ -107,3 +107,6 @@ static inline void erase_and_freep(void *p) {
|
|||
static inline void erase_char(char *p) {
|
||||
explicit_bzero_safe(p, sizeof(char));
|
||||
}
|
||||
|
||||
/* Makes a copy of the buffer with reversed order of bytes */
|
||||
void *memdup_reverse(const void *mem, size_t size);
|
||||
|
|
|
@ -43,7 +43,7 @@ int enroll_pkcs11(
|
|||
_cleanup_free_ char *keyslot_as_string = NULL, *private_uri = NULL;
|
||||
size_t decrypted_key_size, saved_key_size;
|
||||
_cleanup_free_ void *saved_key = NULL;
|
||||
_cleanup_(X509_freep) X509 *cert = NULL;
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
ssize_t base64_encoded_size;
|
||||
const char *node;
|
||||
int r;
|
||||
|
@ -55,11 +55,11 @@ int enroll_pkcs11(
|
|||
|
||||
assert_se(node = crypt_get_device_name(cd));
|
||||
|
||||
r = pkcs11_acquire_certificate(uri, "volume enrollment operation", "drive-harddisk", &cert, NULL);
|
||||
r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", &pkey, NULL);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = x509_generate_volume_keys(cert, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
|
||||
r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to generate volume keys: %m");
|
||||
|
||||
|
@ -86,8 +86,9 @@ int enroll_pkcs11(
|
|||
if (asprintf(&keyslot_as_string, "%i", keyslot) < 0)
|
||||
return log_oom();
|
||||
|
||||
/* Change 'type=cert' in the provided URI to 'type=private' before storing in a LUKS2 header.
|
||||
This allows users to use output of some PKCS#11 tools directly without modifications. */
|
||||
/* Change 'type=cert' or 'type=public' in the provided URI to 'type=private' before storing in
|
||||
a LUKS2 header. This allows users to use output of some PKCS#11 tools directly without
|
||||
modifications. */
|
||||
r = uri_set_private_class(uri, &private_uri);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
|
@ -10,6 +10,87 @@
|
|||
#include "pkcs11-util.h"
|
||||
#include "strv.h"
|
||||
|
||||
int identity_add_token_pin(JsonVariant **v, const char *pin) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
|
||||
_cleanup_strv_free_erase_ char **pins = NULL;
|
||||
int r;
|
||||
|
||||
assert(v);
|
||||
|
||||
if (isempty(pin))
|
||||
return 0;
|
||||
|
||||
w = json_variant_ref(json_variant_by_key(*v, "secret"));
|
||||
l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
|
||||
|
||||
r = json_variant_strv(l, &pins);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to convert PIN array: %m");
|
||||
|
||||
if (strv_contains(pins, pin))
|
||||
return 0;
|
||||
|
||||
r = strv_extend(&pins, pin);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
||||
strv_uniq(pins);
|
||||
|
||||
l = json_variant_unref(l);
|
||||
|
||||
r = json_variant_new_array_strv(&l, pins);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
|
||||
|
||||
json_variant_sensitive(l);
|
||||
|
||||
r = json_variant_set_field(&w, "tokenPin", l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update PIN field: %m");
|
||||
|
||||
r = json_variant_set_field(v, "secret", w);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update secret object: %m");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
#if HAVE_P11KIT
|
||||
|
||||
static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
|
||||
_cleanup_strv_free_ char **l = NULL;
|
||||
int r;
|
||||
|
||||
assert(v);
|
||||
assert(uri);
|
||||
|
||||
w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri"));
|
||||
if (w) {
|
||||
r = json_variant_strv(w, &l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse PKCS#11 token list: %m");
|
||||
|
||||
if (strv_contains(l, uri))
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = strv_extend(&l, uri);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
||||
w = json_variant_unref(w);
|
||||
r = json_variant_new_array_strv(&w, l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m");
|
||||
|
||||
r = json_variant_set_field(v, "pkcs11TokenUri", w);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int add_pkcs11_encrypted_key(
|
||||
JsonVariant **v,
|
||||
const char *uri,
|
||||
|
@ -63,113 +144,20 @@ static int add_pkcs11_encrypted_key(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
|
||||
_cleanup_strv_free_ char **l = NULL;
|
||||
int r;
|
||||
|
||||
assert(v);
|
||||
assert(uri);
|
||||
|
||||
w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri"));
|
||||
if (w) {
|
||||
r = json_variant_strv(w, &l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse PKCS#11 token list: %m");
|
||||
|
||||
if (strv_contains(l, uri))
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = strv_extend(&l, uri);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
||||
w = json_variant_unref(w);
|
||||
r = json_variant_new_array_strv(&w, l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m");
|
||||
|
||||
r = json_variant_set_field(v, "pkcs11TokenUri", w);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int identity_add_token_pin(JsonVariant **v, const char *pin) {
|
||||
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
|
||||
_cleanup_strv_free_erase_ char **pins = NULL;
|
||||
int r;
|
||||
|
||||
assert(v);
|
||||
|
||||
if (isempty(pin))
|
||||
return 0;
|
||||
|
||||
w = json_variant_ref(json_variant_by_key(*v, "secret"));
|
||||
l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
|
||||
|
||||
r = json_variant_strv(l, &pins);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to convert PIN array: %m");
|
||||
|
||||
if (strv_contains(pins, pin))
|
||||
return 0;
|
||||
|
||||
r = strv_extend(&pins, pin);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
|
||||
strv_uniq(pins);
|
||||
|
||||
l = json_variant_unref(l);
|
||||
|
||||
r = json_variant_new_array_strv(&l, pins);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
|
||||
|
||||
json_variant_sensitive(l);
|
||||
|
||||
r = json_variant_set_field(&w, "tokenPin", l);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update PIN field: %m");
|
||||
|
||||
r = json_variant_set_field(v, "secret", w);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to update secret object: %m");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int acquire_pkcs11_certificate(
|
||||
const char *uri,
|
||||
const char *askpw_friendly_name,
|
||||
const char *askpw_icon_name,
|
||||
X509 **ret_cert,
|
||||
char **ret_pin_used) {
|
||||
#if HAVE_P11KIT
|
||||
return pkcs11_acquire_certificate(uri, askpw_friendly_name, askpw_icon_name, ret_cert, ret_pin_used);
|
||||
#else
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||
"PKCS#11 tokens not supported on this build.");
|
||||
#endif
|
||||
}
|
||||
|
||||
int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
|
||||
_cleanup_(erase_and_freep) void *decrypted_key = NULL, *saved_key = NULL;
|
||||
_cleanup_(erase_and_freep) char *pin = NULL;
|
||||
size_t decrypted_key_size, saved_key_size;
|
||||
_cleanup_(X509_freep) X509 *cert = NULL;
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
int r;
|
||||
|
||||
assert(v);
|
||||
|
||||
r = acquire_pkcs11_certificate(uri, "home directory operation", "user-home", &cert, &pin);
|
||||
r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", &pkey, &pin);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = x509_generate_volume_keys(cert, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
|
||||
r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to generate volume keys: %m");
|
||||
|
||||
|
@ -196,3 +184,5 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
|
|||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
|
|
@ -5,7 +5,13 @@
|
|||
|
||||
int identity_add_token_pin(JsonVariant **v, const char *pin);
|
||||
|
||||
#if HAVE_P11KIT
|
||||
int identity_add_pkcs11_key_data(JsonVariant **v, const char *token_uri);
|
||||
#else
|
||||
static inline int identity_add_pkcs11_key_data(JsonVariant **v, const char *token_uri) {
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "PKCS#11 tokens not supported on this build.");
|
||||
}
|
||||
#endif
|
||||
|
||||
int list_pkcs11_tokens(void);
|
||||
int find_pkcs11_token_auto(char **ret);
|
||||
|
|
|
@ -1,8 +1,11 @@
|
|||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <endian.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "memory-util.h"
|
||||
#include "openssl-util.h"
|
||||
#include "random-util.h"
|
||||
#include "string-util.h"
|
||||
|
@ -624,19 +627,47 @@ int rsa_pkey_to_suitable_key_size(
|
|||
return 0;
|
||||
}
|
||||
|
||||
/* Generate RSA public key from provided "n" and "e" values. Note that if "e" is a number (e.g. uint32_t), it
|
||||
* must be provided here big-endian, e.g. wrap it with htobe32(). */
|
||||
/* Generate RSA public key from provided "n" and "e" values. Numbers "n" and "e" must be provided here
|
||||
* in big-endian format, e.g. wrap it with htobe32() for uint32_t. */
|
||||
int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size, EVP_PKEY **ret) {
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
|
||||
assert(n);
|
||||
assert(n_size != 0);
|
||||
assert(e);
|
||||
assert(e_size != 0);
|
||||
assert(ret);
|
||||
|
||||
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
|
||||
if (!ctx)
|
||||
return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
|
||||
|
||||
if (EVP_PKEY_fromdata_init(ctx) <= 0)
|
||||
return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
|
||||
|
||||
OSSL_PARAM params[3];
|
||||
|
||||
#if __BYTE_ORDER == __BIG_ENDIAN
|
||||
params[0] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_RSA_N, (void*)n, n_size);
|
||||
params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_RSA_E, (void*)e, e_size);
|
||||
#else
|
||||
_cleanup_free_ void *native_n = memdup_reverse(n, n_size);
|
||||
if (!native_n)
|
||||
return log_oom_debug();
|
||||
|
||||
_cleanup_free_ void *native_e = memdup_reverse(e, e_size);
|
||||
if (!native_e)
|
||||
return log_oom_debug();
|
||||
|
||||
params[0] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_RSA_N, native_n, n_size);
|
||||
params[1] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_RSA_E, native_e, e_size);
|
||||
#endif
|
||||
params[2] = OSSL_PARAM_construct_end();
|
||||
|
||||
if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
|
||||
return log_openssl_errors("Failed to create RSA EVP_PKEY");
|
||||
#else
|
||||
_cleanup_(BN_freep) BIGNUM *bn_n = BN_bin2bn(n, n_size, NULL);
|
||||
if (!bn_n)
|
||||
return log_openssl_errors("Failed to create BIGNUM for RSA n");
|
||||
|
@ -645,27 +676,6 @@ int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size
|
|||
if (!bn_e)
|
||||
return log_openssl_errors("Failed to create BIGNUM for RSA e");
|
||||
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
if (EVP_PKEY_fromdata_init(ctx) <= 0)
|
||||
return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
|
||||
|
||||
_cleanup_(OSSL_PARAM_BLD_freep) OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
|
||||
if (!bld)
|
||||
return log_openssl_errors("Failed to create new OSSL_PARAM_BLD");
|
||||
|
||||
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, bn_n))
|
||||
return log_openssl_errors("Failed to set RSA OSSL_PKEY_PARAM_RSA_N");
|
||||
|
||||
if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, bn_e))
|
||||
return log_openssl_errors("Failed to set RSA OSSL_PKEY_PARAM_RSA_E");
|
||||
|
||||
_cleanup_(OSSL_PARAM_freep) OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
|
||||
if (!params)
|
||||
return log_openssl_errors("Failed to build RSA OSSL_PARAM");
|
||||
|
||||
if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
|
||||
return log_openssl_errors("Failed to create RSA EVP_PKEY");
|
||||
#else
|
||||
_cleanup_(RSA_freep) RSA *rsa_key = RSA_new();
|
||||
if (!rsa_key)
|
||||
return log_openssl_errors("Failed to create new RSA");
|
||||
|
@ -1255,23 +1265,19 @@ static int rsa_pkey_generate_volume_keys(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int x509_generate_volume_keys(
|
||||
X509 *cert,
|
||||
int pkey_generate_volume_keys(
|
||||
EVP_PKEY *pkey,
|
||||
void **ret_decrypted_key,
|
||||
size_t *ret_decrypted_key_size,
|
||||
void **ret_saved_key,
|
||||
size_t *ret_saved_key_size) {
|
||||
|
||||
assert(cert);
|
||||
assert(pkey);
|
||||
assert(ret_decrypted_key);
|
||||
assert(ret_decrypted_key_size);
|
||||
assert(ret_saved_key);
|
||||
assert(ret_saved_key_size);
|
||||
|
||||
EVP_PKEY *pkey = X509_get0_pubkey(cert);
|
||||
if (!pkey)
|
||||
return log_openssl_errors("Failed to extract public key from X.509 certificate.");
|
||||
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
int type = EVP_PKEY_get_base_id(pkey);
|
||||
#else
|
||||
|
|
|
@ -40,6 +40,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
|
|||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER*, EVP_CIPHER_free, NULL);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF*, EVP_KDF_free, NULL);
|
||||
|
@ -108,7 +109,7 @@ int ecc_pkey_new(int curve_id, EVP_PKEY **ret);
|
|||
|
||||
int ecc_ecdh(const EVP_PKEY *private_pkey, const EVP_PKEY *peer_pkey, void **ret_shared_secret, size_t *ret_shared_secret_size);
|
||||
|
||||
int x509_generate_volume_keys(X509 *cert, void **ret_decrypted_key, size_t *ret_decrypted_key_size, void **ret_saved_key, size_t *ret_saved_key_size);
|
||||
int pkey_generate_volume_keys(EVP_PKEY *pkey, void **ret_decrypted_key, size_t *ret_decrypted_key_size, void **ret_saved_key, size_t *ret_saved_key_size);
|
||||
|
||||
int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_size);
|
||||
|
||||
|
|
|
@ -527,13 +527,294 @@ int pkcs11_token_find_x509_certificate(
|
|||
}
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
static int read_public_key_info(
|
||||
CK_FUNCTION_LIST *m,
|
||||
CK_SESSION_HANDLE session,
|
||||
CK_OBJECT_HANDLE object,
|
||||
EVP_PKEY **ret_pkey) {
|
||||
|
||||
CK_ATTRIBUTE attribute = { CKA_PUBLIC_KEY_INFO, NULL_PTR, 0 };
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
CK_RV rv;
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, &attribute, 1);
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Failed to get size of CKA_PUBLIC_KEY_INFO: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (attribute.ulValueLen == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), "CKA_PUBLIC_KEY_INFO is empty");
|
||||
|
||||
_cleanup_free_ void *buffer = malloc(attribute.ulValueLen);
|
||||
if (!buffer)
|
||||
return log_oom_debug();
|
||||
|
||||
attribute.pValue = buffer;
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, &attribute, 1);
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to read CKA_PUBLIC_KEY_INFO: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
const unsigned char *value = attribute.pValue;
|
||||
pkey = d2i_PUBKEY(NULL, &value, attribute.ulValueLen);
|
||||
if (!pkey)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse CKA_PUBLIC_KEY_INFO");
|
||||
|
||||
*ret_pkey = TAKE_PTR(pkey);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int pkcs11_token_read_public_key(
|
||||
CK_FUNCTION_LIST *m,
|
||||
CK_SESSION_HANDLE session,
|
||||
CK_OBJECT_HANDLE object,
|
||||
EVP_PKEY **ret_pkey) {
|
||||
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
CK_RV rv;
|
||||
int r;
|
||||
|
||||
r = read_public_key_info(m, session, object, &pkey);
|
||||
if (r >= 0) {
|
||||
*ret_pkey = TAKE_PTR(pkey);
|
||||
return 0;
|
||||
}
|
||||
|
||||
CK_KEY_TYPE key_type;
|
||||
CK_ATTRIBUTE attribute = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, &attribute, 1);
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get CKA_KEY_TYPE of a public key: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
switch (key_type) {
|
||||
case CKK_RSA: {
|
||||
CK_ATTRIBUTE rsa_attributes[] = {
|
||||
{ CKA_MODULUS, NULL_PTR, 0 },
|
||||
{ CKA_PUBLIC_EXPONENT, NULL_PTR, 0 },
|
||||
};
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, rsa_attributes, ELEMENTSOF(rsa_attributes));
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get size of attributes of an RSA public key: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (rsa_attributes[0].ulValueLen == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "An RSA public key has empty CKA_MODULUS.");
|
||||
|
||||
_cleanup_free_ void *modulus = malloc(rsa_attributes[0].ulValueLen);
|
||||
if (!modulus)
|
||||
return log_oom_debug();
|
||||
|
||||
rsa_attributes[0].pValue = modulus;
|
||||
|
||||
if (rsa_attributes[1].ulValueLen == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "An RSA public key has empty CKA_PUBLIC_EXPONENT.");
|
||||
|
||||
_cleanup_free_ void *public_exponent = malloc(rsa_attributes[1].ulValueLen);
|
||||
if (!public_exponent)
|
||||
return log_oom_debug();
|
||||
|
||||
rsa_attributes[1].pValue = public_exponent;
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, rsa_attributes, ELEMENTSOF(rsa_attributes));
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get attributes of an RSA public key: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
size_t n_size = rsa_attributes[0].ulValueLen, e_size = rsa_attributes[1].ulValueLen;
|
||||
r = rsa_pkey_from_n_e(rsa_attributes[0].pValue, n_size, rsa_attributes[1].pValue, e_size, &pkey);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to create an EVP_PKEY from RSA parameters.");
|
||||
|
||||
break;
|
||||
}
|
||||
case CKK_EC: {
|
||||
CK_ATTRIBUTE ec_attributes[] = {
|
||||
{ CKA_EC_PARAMS, NULL_PTR, 0 },
|
||||
{ CKA_EC_POINT, NULL_PTR, 0 },
|
||||
};
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, ec_attributes, ELEMENTSOF(ec_attributes));
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get size of attributes of an EC public key: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (ec_attributes[0].ulValueLen == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "An EC public key has empty CKA_EC_PARAMS.");
|
||||
|
||||
_cleanup_free_ void *ec_group = malloc(ec_attributes[0].ulValueLen);
|
||||
if (!ec_group)
|
||||
return log_oom_debug();
|
||||
|
||||
ec_attributes[0].pValue = ec_group;
|
||||
|
||||
if (ec_attributes[1].ulValueLen == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "An EC public key has empty CKA_EC_POINT.");
|
||||
|
||||
_cleanup_free_ void *ec_point = malloc(ec_attributes[1].ulValueLen);
|
||||
if (!ec_point)
|
||||
return log_oom_debug();
|
||||
|
||||
ec_attributes[1].pValue = ec_point;
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, ec_attributes, ELEMENTSOF(ec_attributes));
|
||||
if (rv != CKR_OK)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get attributes of an EC public key: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
_cleanup_(EC_GROUP_freep) EC_GROUP *group = NULL;
|
||||
_cleanup_(ASN1_OCTET_STRING_freep) ASN1_OCTET_STRING *os = NULL;
|
||||
|
||||
const unsigned char *ec_params_value = ec_attributes[0].pValue;
|
||||
group = d2i_ECPKParameters(NULL, &ec_params_value, ec_attributes[0].ulValueLen);
|
||||
if (!group)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_PARAMS.");
|
||||
|
||||
const unsigned char *ec_point_value = ec_attributes[1].pValue;
|
||||
os = d2i_ASN1_OCTET_STRING(NULL, &ec_point_value, ec_attributes[1].ulValueLen);
|
||||
if (!os)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_POINT.");
|
||||
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
_cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||
if (!ctx)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create an EVP_PKEY_CTX for EC.");
|
||||
|
||||
if (EVP_PKEY_fromdata_init(ctx) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to init an EVP_PKEY_CTX for EC.");
|
||||
|
||||
OSSL_PARAM ec_params[8] = {
|
||||
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, os->data, os->length)
|
||||
};
|
||||
|
||||
_cleanup_free_ void *order = NULL, *p = NULL, *a = NULL, *b = NULL, *generator = NULL;
|
||||
size_t order_size, p_size, a_size, b_size, generator_size;
|
||||
|
||||
int nid = EC_GROUP_get_curve_name(group);
|
||||
if (nid != NID_undef) {
|
||||
const char* name = OSSL_EC_curve_nid2name(nid);
|
||||
ec_params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, (char*)name, strlen(name));
|
||||
ec_params[2] = OSSL_PARAM_construct_end();
|
||||
} else {
|
||||
const char *field_type = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field ?
|
||||
"prime-field" : "characteristic-two-field";
|
||||
|
||||
const BIGNUM *bn_order = EC_GROUP_get0_order(group);
|
||||
|
||||
_cleanup_(BN_CTX_freep) BN_CTX *bnctx = BN_CTX_new();
|
||||
if (!bnctx)
|
||||
return log_oom_debug();
|
||||
|
||||
_cleanup_(BN_freep) BIGNUM *bn_p = BN_new();
|
||||
if (!bn_p)
|
||||
return log_oom_debug();
|
||||
|
||||
_cleanup_(BN_freep) BIGNUM *bn_a = BN_new();
|
||||
if (!bn_a)
|
||||
return log_oom_debug();
|
||||
|
||||
_cleanup_(BN_freep) BIGNUM *bn_b = BN_new();
|
||||
if (!bn_b)
|
||||
return log_oom_debug();
|
||||
|
||||
if (EC_GROUP_get_curve(group, bn_p, bn_a, bn_b, bnctx) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract EC parameters from EC_GROUP.");
|
||||
|
||||
order_size = BN_num_bytes(bn_order);
|
||||
p_size = BN_num_bytes(bn_p);
|
||||
a_size = BN_num_bytes(bn_a);
|
||||
b_size = BN_num_bytes(bn_b);
|
||||
|
||||
order = malloc(order_size);
|
||||
if (!order)
|
||||
return log_oom_debug();
|
||||
|
||||
p = malloc(p_size);
|
||||
if (!p)
|
||||
return log_oom_debug();
|
||||
|
||||
a = malloc(a_size);
|
||||
if (!a)
|
||||
return log_oom_debug();
|
||||
|
||||
b = malloc(b_size);
|
||||
if (!b)
|
||||
return log_oom_debug();
|
||||
|
||||
if (BN_bn2nativepad(bn_order, order, order_size) <= 0 ||
|
||||
BN_bn2nativepad(bn_p, p, p_size) <= 0 ||
|
||||
BN_bn2nativepad(bn_a, a, a_size) <= 0 ||
|
||||
BN_bn2nativepad(bn_b, b, b_size) <= 0 )
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to store EC parameters in native byte order.");
|
||||
|
||||
const EC_POINT *point_gen = EC_GROUP_get0_generator(group);
|
||||
generator_size = EC_POINT_point2oct(group, point_gen, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, bnctx);
|
||||
if (generator_size == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine size of a EC generator.");
|
||||
|
||||
generator = malloc(generator_size);
|
||||
if (!generator)
|
||||
return log_oom_debug();
|
||||
|
||||
generator_size = EC_POINT_point2oct(group, point_gen, POINT_CONVERSION_UNCOMPRESSED, generator, generator_size, bnctx);
|
||||
if (generator_size == 0)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert a EC generator to octet string.");
|
||||
|
||||
ec_params[1] = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_FIELD_TYPE, (char*)field_type, strlen(field_type));
|
||||
ec_params[2] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_EC_GENERATOR, generator, generator_size);
|
||||
ec_params[3] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_EC_ORDER, order, order_size);
|
||||
ec_params[4] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_EC_P, p, p_size);
|
||||
ec_params[5] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_EC_A, a, a_size);
|
||||
ec_params[6] = OSSL_PARAM_construct_BN(OSSL_PKEY_PARAM_EC_B, b, b_size);
|
||||
ec_params[7] = OSSL_PARAM_construct_end();
|
||||
}
|
||||
|
||||
if (EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, ec_params) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to create EVP_PKEY from EC parameters.");
|
||||
#else
|
||||
_cleanup_(EC_POINT_freep) EC_POINT *point = EC_POINT_new(group);
|
||||
if (!point)
|
||||
return log_oom_debug();
|
||||
|
||||
if (EC_POINT_oct2point(group, point, os->data, os->length, NULL) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_POINT.");
|
||||
|
||||
_cleanup_(EC_KEY_freep) EC_KEY *ec_key = EC_KEY_new();
|
||||
if (!ec_key)
|
||||
return log_oom_debug();
|
||||
|
||||
if (EC_KEY_set_group(ec_key, group) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set group for EC_KEY.");
|
||||
|
||||
if (EC_KEY_set_public_key(ec_key, point) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to set public key for EC_KEY.");
|
||||
|
||||
pkey = EVP_PKEY_new();
|
||||
if (!pkey)
|
||||
return log_oom_debug();
|
||||
|
||||
if (EVP_PKEY_set1_EC_KEY(pkey, ec_key) != 1)
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to assign EC_KEY to EVP_PKEY.");
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
default:
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported type of public key: %lu", key_type);
|
||||
}
|
||||
|
||||
*ret_pkey = TAKE_PTR(pkey);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int pkcs11_token_read_x509_certificate(
|
||||
CK_FUNCTION_LIST *m,
|
||||
CK_SESSION_HANDLE session,
|
||||
CK_OBJECT_HANDLE object,
|
||||
X509 **ret_cert) {
|
||||
|
||||
_cleanup_free_ void *buffer = NULL;
|
||||
_cleanup_free_ char *t = NULL;
|
||||
CK_ATTRIBUTE attribute = {
|
||||
.type = CKA_VALUE
|
||||
|
@ -541,7 +822,6 @@ int pkcs11_token_read_x509_certificate(
|
|||
CK_RV rv;
|
||||
_cleanup_(X509_freep) X509 *x509 = NULL;
|
||||
X509_NAME *name = NULL;
|
||||
const unsigned char *p;
|
||||
int r;
|
||||
|
||||
r = dlopen_p11kit();
|
||||
|
@ -550,32 +830,32 @@ int pkcs11_token_read_x509_certificate(
|
|||
|
||||
rv = m->C_GetAttributeValue(session, object, &attribute, 1);
|
||||
if (rv != CKR_OK)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to read X.509 certificate size off token: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
buffer = malloc(attribute.ulValueLen);
|
||||
_cleanup_free_ void *buffer = malloc(attribute.ulValueLen);
|
||||
if (!buffer)
|
||||
return log_oom();
|
||||
return log_oom_debug();
|
||||
|
||||
attribute.pValue = buffer;
|
||||
|
||||
rv = m->C_GetAttributeValue(session, object, &attribute, 1);
|
||||
if (rv != CKR_OK)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to read X.509 certificate data off token: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
p = attribute.pValue;
|
||||
const unsigned char *p = attribute.pValue;
|
||||
x509 = d2i_X509(NULL, &p, attribute.ulValueLen);
|
||||
if (!x509)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed parse X.509 certificate.");
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate.");
|
||||
|
||||
name = X509_get_subject_name(x509);
|
||||
if (!name)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to acquire X.509 subject name.");
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to acquire X.509 subject name.");
|
||||
|
||||
t = X509_NAME_oneline(name, NULL, 0);
|
||||
if (!t)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format X.509 subject name as string.");
|
||||
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to format X.509 subject name as string.");
|
||||
|
||||
log_debug("Using X.509 certificate issued for '%s'.", t);
|
||||
|
||||
|
@ -1360,20 +1640,20 @@ int pkcs11_find_token(
|
|||
}
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
struct pkcs11_acquire_certificate_callback_data {
|
||||
struct pkcs11_acquire_public_key_callback_data {
|
||||
char *pin_used;
|
||||
X509 *cert;
|
||||
EVP_PKEY *pkey;
|
||||
const char *askpw_friendly_name, *askpw_icon_name;
|
||||
AskPasswordFlags askpw_flags;
|
||||
bool headless;
|
||||
};
|
||||
|
||||
static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
|
||||
static void pkcs11_acquire_public_key_callback_data_release(struct pkcs11_acquire_public_key_callback_data *data) {
|
||||
erase_and_free(data->pin_used);
|
||||
X509_free(data->cert);
|
||||
EVP_PKEY_free(data->pkey);
|
||||
}
|
||||
|
||||
static int pkcs11_acquire_certificate_callback(
|
||||
static int pkcs11_acquire_public_key_callback(
|
||||
CK_FUNCTION_LIST *m,
|
||||
CK_SESSION_HANDLE session,
|
||||
CK_SLOT_ID slot_id,
|
||||
|
@ -1383,8 +1663,16 @@ static int pkcs11_acquire_certificate_callback(
|
|||
void *userdata) {
|
||||
|
||||
_cleanup_(erase_and_freep) char *pin_used = NULL;
|
||||
struct pkcs11_acquire_certificate_callback_data *data = ASSERT_PTR(userdata);
|
||||
CK_OBJECT_HANDLE object;
|
||||
_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
|
||||
CK_OBJECT_CLASS class;
|
||||
CK_CERTIFICATE_TYPE type;
|
||||
CK_ATTRIBUTE candidate_attributes[] = {
|
||||
{ CKA_CLASS, &class, sizeof(class) },
|
||||
{ CKA_CERTIFICATE_TYPE, &type, sizeof(type) },
|
||||
};
|
||||
CK_OBJECT_HANDLE candidate, public_key = CK_INVALID_HANDLE, certificate = CK_INVALID_HANDLE;
|
||||
uint8_t n_public_keys = 0, n_certificates = 0;
|
||||
CK_RV rv;
|
||||
int r;
|
||||
|
||||
assert(m);
|
||||
|
@ -1392,6 +1680,8 @@ static int pkcs11_acquire_certificate_callback(
|
|||
assert(token_info);
|
||||
assert(uri);
|
||||
|
||||
struct pkcs11_acquire_public_key_callback_data *data = ASSERT_PTR(userdata);
|
||||
|
||||
/* Called for every token matching our URI */
|
||||
|
||||
r = pkcs11_token_login(
|
||||
|
@ -1410,40 +1700,141 @@ static int pkcs11_acquire_certificate_callback(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = pkcs11_token_find_x509_certificate(m, session, uri, &object);
|
||||
if (r < 0)
|
||||
return r;
|
||||
CK_ULONG n_attributes;
|
||||
CK_ATTRIBUTE *attributes = sym_p11_kit_uri_get_attributes(uri, &n_attributes);
|
||||
for (CK_ULONG i = 0; i < n_attributes; i++) {
|
||||
switch (attributes[i].type) {
|
||||
case CKA_CLASS: {
|
||||
CK_OBJECT_CLASS requested_class = *((CK_OBJECT_CLASS*) attributes[i].pValue);
|
||||
if (requested_class != CKO_PUBLIC_KEY && requested_class != CKO_CERTIFICATE)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Selected PKCS#11 object is not a public key or certificate, refusing.");
|
||||
break;
|
||||
}
|
||||
|
||||
r = pkcs11_token_read_x509_certificate(m, session, object, &data->cert);
|
||||
if (r < 0)
|
||||
return r;
|
||||
case CKA_CERTIFICATE_TYPE: {
|
||||
CK_CERTIFICATE_TYPE requested_type = *((CK_CERTIFICATE_TYPE*) attributes[i].pValue);
|
||||
if (requested_type != CKC_X_509)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
|
||||
break;
|
||||
}}
|
||||
}
|
||||
|
||||
rv = m->C_FindObjectsInit(session, attributes, n_attributes);
|
||||
if (rv != CKR_OK)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
for (;;) {
|
||||
CK_ULONG n;
|
||||
rv = m->C_FindObjects(session, &candidate, 1, &n);
|
||||
if (rv != CKR_OK)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to find objects: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (n == 0)
|
||||
break;
|
||||
|
||||
candidate_attributes[0].ulValueLen = sizeof(class);
|
||||
candidate_attributes[1].ulValueLen = sizeof(type);
|
||||
rv = m->C_GetAttributeValue(session, candidate, candidate_attributes, ELEMENTSOF(candidate_attributes));
|
||||
if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to get attributes of a selected candidate: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (candidate_attributes[0].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
|
||||
log_debug("Failed to get CKA_CLASS of a selected candidate");
|
||||
continue;
|
||||
}
|
||||
|
||||
if (class == CKO_PUBLIC_KEY) {
|
||||
n_public_keys++;
|
||||
if (n_public_keys > 1)
|
||||
break;
|
||||
public_key = candidate;
|
||||
continue;
|
||||
}
|
||||
|
||||
if (class == CKO_CERTIFICATE) {
|
||||
if (candidate_attributes[1].ulValueLen == CK_UNAVAILABLE_INFORMATION) {
|
||||
log_debug("Failed to get CKA_CERTIFICATE_TYPE of a selected candidate");
|
||||
continue;
|
||||
}
|
||||
if (type != CKC_X_509)
|
||||
continue;
|
||||
n_certificates++;
|
||||
if (n_certificates > 1)
|
||||
break;
|
||||
certificate = candidate;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
rv = m->C_FindObjectsFinal(session);
|
||||
if (rv != CKR_OK)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO),
|
||||
"Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
|
||||
|
||||
if (n_public_keys == 0 && n_certificates == 0)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
|
||||
"Failed to find selected public key or X.509 certificate.");
|
||||
|
||||
if (n_public_keys > 1)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
||||
"Provided URI matches multiple public keys, refusing.");
|
||||
|
||||
if (n_certificates > 1)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
|
||||
"Provided URI matches multiple certificates, refusing.");
|
||||
|
||||
if (n_public_keys != 0) {
|
||||
r = pkcs11_token_read_public_key(m, session, public_key, &pkey);
|
||||
if (r >= 0)
|
||||
goto success;
|
||||
}
|
||||
|
||||
if (n_certificates == 0)
|
||||
return log_error_errno(r, "Failed to read a found public key.");
|
||||
|
||||
{
|
||||
_cleanup_(X509_freep) X509 *cert = NULL;
|
||||
|
||||
r = pkcs11_token_read_x509_certificate(m, session, certificate, &cert);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to read a found X.509 certificate.");
|
||||
|
||||
pkey = X509_get_pubkey(cert);
|
||||
if (!pkey)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate.");
|
||||
}
|
||||
success:
|
||||
/* Let's read some random data off the token and write it to the kernel pool before we generate our
|
||||
* random key from it. This way we can claim the quality of the RNG is at least as good as the
|
||||
* kernel's and the token's pool */
|
||||
(void) pkcs11_token_acquire_rng(m, session);
|
||||
|
||||
data->pin_used = TAKE_PTR(pin_used);
|
||||
return 1;
|
||||
data->pkey = TAKE_PTR(pkey);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int pkcs11_acquire_certificate(
|
||||
int pkcs11_acquire_public_key(
|
||||
const char *uri,
|
||||
const char *askpw_friendly_name,
|
||||
const char *askpw_icon_name,
|
||||
X509 **ret_cert,
|
||||
EVP_PKEY **ret_pkey,
|
||||
char **ret_pin_used) {
|
||||
|
||||
_cleanup_(pkcs11_acquire_certificate_callback_data_release) struct pkcs11_acquire_certificate_callback_data data = {
|
||||
_cleanup_(pkcs11_acquire_public_key_callback_data_release) struct pkcs11_acquire_public_key_callback_data data = {
|
||||
.askpw_friendly_name = askpw_friendly_name,
|
||||
.askpw_icon_name = askpw_icon_name,
|
||||
};
|
||||
int r;
|
||||
|
||||
assert(uri);
|
||||
assert(ret_cert);
|
||||
assert(ret_pkey);
|
||||
|
||||
r = pkcs11_find_token(uri, pkcs11_acquire_certificate_callback, &data);
|
||||
r = pkcs11_find_token(uri, pkcs11_acquire_public_key_callback, &data);
|
||||
if (r == -EAGAIN) /* pkcs11_find_token() doesn't log about this error, but all others */
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
|
||||
"Specified PKCS#11 token with URI '%s' not found.",
|
||||
|
@ -1451,11 +1842,9 @@ int pkcs11_acquire_certificate(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
*ret_cert = TAKE_PTR(data.cert);
|
||||
|
||||
*ret_pkey = TAKE_PTR(data.pkey);
|
||||
if (ret_pin_used)
|
||||
*ret_pin_used = TAKE_PTR(data.pin_used);
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
#pragma once
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
# include <openssl/evp.h>
|
||||
# include <openssl/x509.h>
|
||||
#endif
|
||||
#include <stdbool.h>
|
||||
|
@ -57,6 +58,7 @@ int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_I
|
|||
int pkcs11_token_find_related_object(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE *ret_object);
|
||||
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
|
||||
#if HAVE_OPENSSL
|
||||
int pkcs11_token_read_public_key(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, EVP_PKEY **ret_pkey);
|
||||
int pkcs11_token_read_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, X509 **ret_cert);
|
||||
#endif
|
||||
|
||||
|
@ -69,7 +71,7 @@ typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HAND
|
|||
int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);
|
||||
|
||||
#if HAVE_OPENSSL
|
||||
int pkcs11_acquire_certificate(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, X509 **ret_cert, char **ret_pin_used);
|
||||
int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, EVP_PKEY **ret_pkey, char **ret_pin_used);
|
||||
#endif
|
||||
|
||||
typedef struct {
|
||||
|
|
|
@ -145,6 +145,10 @@ EOF
|
|||
|
||||
mkdir -p "$initdir/etc/systemd/system/systemd-cryptsetup@.service.d"
|
||||
cat >"$initdir/etc/systemd/system/systemd-cryptsetup@.service.d/PKCS11.conf" <<EOF
|
||||
[Unit]
|
||||
# Make sure we can start systemd-cryptsetup@empty_pkcs11_auto.service many times
|
||||
StartLimitBurst=10
|
||||
|
||||
[Service]
|
||||
Environment="SOFTHSM2_CONF=/etc/softhsm2.conf"
|
||||
Environment="PIN=$GNUTLS_PIN"
|
||||
|
|
|
@ -242,6 +242,11 @@ if [[ -r /etc/softhsm2.conf ]]; then
|
|||
cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
|
||||
cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
|
||||
|
||||
PIN="1234" systemd-cryptenroll --pkcs11-token-uri="pkcs11:token=TestToken;object=RSATestKey;type=public" --unlock-key-file="$IMAGE_EMPTY_KEYFILE" "$IMAGE_EMPTY"
|
||||
cryptsetup_start_and_check empty_pkcs11_auto
|
||||
cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
|
||||
cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
|
||||
|
||||
PIN="1234" systemd-cryptenroll --pkcs11-token-uri="pkcs11:token=TestToken;object=ECTestKey" --unlock-key-file="$IMAGE_EMPTY_KEYFILE" "$IMAGE_EMPTY"
|
||||
cryptsetup_start_and_check empty_pkcs11_auto
|
||||
cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
|
||||
|
@ -251,6 +256,11 @@ if [[ -r /etc/softhsm2.conf ]]; then
|
|||
cryptsetup_start_and_check empty_pkcs11_auto
|
||||
cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
|
||||
cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
|
||||
|
||||
PIN="1234" systemd-cryptenroll --pkcs11-token-uri="pkcs11:token=TestToken;object=ECTestKey;type=public" --unlock-key-file="$IMAGE_EMPTY_KEYFILE" "$IMAGE_EMPTY"
|
||||
cryptsetup_start_and_check empty_pkcs11_auto
|
||||
cryptsetup luksKillSlot -q "$IMAGE_EMPTY" 2
|
||||
cryptsetup token remove --token-id 0 "$IMAGE_EMPTY"
|
||||
fi
|
||||
|
||||
cryptsetup_start_and_check detached
|
||||
|
|
Loading…
Reference in a new issue