]>
Commit | Line | Data |
---|---|---|
8710a681 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | ||
3 | #include "cryptenroll-pkcs11.h" | |
4 | #include "hexdecoct.h" | |
5 | #include "json.h" | |
6 | #include "memory-util.h" | |
7 | #include "openssl-util.h" | |
8 | #include "pkcs11-util.h" | |
8710a681 | 9 | |
85828ef9 VS |
10 | static int uri_set_private_class(const char *uri, char **ret_uri) { |
11 | _cleanup_(sym_p11_kit_uri_freep) P11KitUri *p11kit_uri = NULL; | |
12 | _cleanup_free_ char *private_uri = NULL; | |
13 | int r; | |
14 | ||
15 | r = uri_from_string(uri, &p11kit_uri); | |
16 | if (r < 0) | |
17 | return log_error_errno(r, "Failed to parse PKCS#11 URI '%s': %m", uri); | |
18 | ||
19 | if (sym_p11_kit_uri_get_attribute(p11kit_uri, CKA_CLASS)) { | |
20 | CK_OBJECT_CLASS class = CKO_PRIVATE_KEY; | |
21 | CK_ATTRIBUTE attribute = { CKA_CLASS, &class, sizeof(class) }; | |
22 | ||
23 | if (sym_p11_kit_uri_set_attribute(p11kit_uri, &attribute) != P11_KIT_URI_OK) | |
4e494e6a | 24 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to set class for URI '%s'.", uri); |
85828ef9 VS |
25 | |
26 | if (sym_p11_kit_uri_format(p11kit_uri, P11_KIT_URI_FOR_ANY, &private_uri) != P11_KIT_URI_OK) | |
4e494e6a | 27 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format PKCS#11 URI."); |
85828ef9 VS |
28 | } |
29 | ||
30 | *ret_uri = TAKE_PTR(private_uri); | |
31 | return 0; | |
32 | } | |
33 | ||
8710a681 LP |
34 | int enroll_pkcs11( |
35 | struct crypt_device *cd, | |
36 | const void *volume_key, | |
37 | size_t volume_key_size, | |
38 | const char *uri) { | |
39 | ||
40 | _cleanup_(erase_and_freep) void *decrypted_key = NULL; | |
41 | _cleanup_(erase_and_freep) char *base64_encoded = NULL; | |
42 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
85828ef9 | 43 | _cleanup_free_ char *keyslot_as_string = NULL, *private_uri = NULL; |
876206f2 VS |
44 | size_t decrypted_key_size, saved_key_size; |
45 | _cleanup_free_ void *saved_key = NULL; | |
85686b37 | 46 | _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL; |
5e476b85 | 47 | ssize_t base64_encoded_size; |
8710a681 | 48 | const char *node; |
85828ef9 | 49 | int r; |
8710a681 LP |
50 | |
51 | assert_se(cd); | |
52 | assert_se(volume_key); | |
53 | assert_se(volume_key_size > 0); | |
54 | assert_se(uri); | |
55 | ||
56 | assert_se(node = crypt_get_device_name(cd)); | |
57 | ||
b2ac9280 LP |
58 | r = pkcs11_acquire_public_key( |
59 | uri, | |
60 | "volume enrollment operation", | |
61 | "drive-harddisk", | |
62 | "cryptenroll.pkcs11-pin", | |
63 | /* askpw_flags= */ 0, | |
64 | &pkey, | |
65 | /* ret_pin_used= */ NULL); | |
8710a681 LP |
66 | if (r < 0) |
67 | return r; | |
68 | ||
85686b37 | 69 | r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size); |
8710a681 | 70 | if (r < 0) |
876206f2 | 71 | return log_error_errno(r, "Failed to generate volume keys: %m"); |
8710a681 LP |
72 | |
73 | /* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by | |
74 | * keyboard, if that might ever end up being necessary.) */ | |
5e476b85 LP |
75 | base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); |
76 | if (base64_encoded_size < 0) | |
77 | return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); | |
8710a681 LP |
78 | |
79 | r = cryptsetup_set_minimal_pbkdf(cd); | |
80 | if (r < 0) | |
81 | return log_error_errno(r, "Failed to set minimal PBKDF: %m"); | |
82 | ||
85828ef9 | 83 | int keyslot = crypt_keyslot_add_by_volume_key( |
8710a681 LP |
84 | cd, |
85 | CRYPT_ANY_SLOT, | |
86 | volume_key, | |
87 | volume_key_size, | |
88 | base64_encoded, | |
5e476b85 | 89 | base64_encoded_size); |
8710a681 LP |
90 | if (keyslot < 0) |
91 | return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node); | |
92 | ||
93 | if (asprintf(&keyslot_as_string, "%i", keyslot) < 0) | |
94 | return log_oom(); | |
95 | ||
85686b37 VS |
96 | /* Change 'type=cert' or 'type=public' in the provided URI to 'type=private' before storing in |
97 | a LUKS2 header. This allows users to use output of some PKCS#11 tools directly without | |
98 | modifications. */ | |
85828ef9 VS |
99 | r = uri_set_private_class(uri, &private_uri); |
100 | if (r < 0) | |
101 | return r; | |
102 | ||
8710a681 | 103 | r = json_build(&v, |
85828ef9 VS |
104 | JSON_BUILD_OBJECT( |
105 | JSON_BUILD_PAIR("type", JSON_BUILD_CONST_STRING("systemd-pkcs11")), | |
106 | JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))), | |
107 | JSON_BUILD_PAIR("pkcs11-uri", JSON_BUILD_STRING(private_uri ?: uri)), | |
108 | JSON_BUILD_PAIR("pkcs11-key", JSON_BUILD_BASE64(saved_key, saved_key_size)))); | |
8710a681 LP |
109 | if (r < 0) |
110 | return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m"); | |
111 | ||
112 | r = cryptsetup_add_token_json(cd, v); | |
113 | if (r < 0) | |
114 | return log_error_errno(r, "Failed to add PKCS#11 JSON token to LUKS2 header: %m"); | |
115 | ||
116 | log_info("New PKCS#11 token enrolled as key slot %i.", keyslot); | |
117 | return keyslot; | |
118 | } |