[thirdparty/systemd.git] / src / cryptenroll / cryptenroll-pkcs11.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include "cryptenroll-pkcs11.h"
#include "hexdecoct.h"
#include "json.h"
#include "memory-util.h"
#include "openssl-util.h"
#include "pkcs11-util.h"

static int uri_set_private_class(const char *uri, char **ret_uri) {
        _cleanup_(sym_p11_kit_uri_freep) P11KitUri *p11kit_uri = NULL;
        _cleanup_free_ char *private_uri = NULL;
        int r;

        r = uri_from_string(uri, &p11kit_uri);
        if (r < 0)
                return log_error_errno(r, "Failed to parse PKCS#11 URI '%s': %m", uri);

        if (sym_p11_kit_uri_get_attribute(p11kit_uri, CKA_CLASS)) {
                CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
                CK_ATTRIBUTE attribute = { CKA_CLASS, &class, sizeof(class) };

                if (sym_p11_kit_uri_set_attribute(p11kit_uri, &attribute) != P11_KIT_URI_OK)
                        return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to set class for URI '%s'.", uri);

                if (sym_p11_kit_uri_format(p11kit_uri, P11_KIT_URI_FOR_ANY, &private_uri) != P11_KIT_URI_OK)
                        return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format PKCS#11 URI.");
        }

        *ret_uri = TAKE_PTR(private_uri);
        return 0;
}

int enroll_pkcs11(
                struct crypt_device *cd,
                const void *volume_key,
                size_t volume_key_size,
                const char *uri) {

        _cleanup_(erase_and_freep) void *decrypted_key = NULL;
        _cleanup_(erase_and_freep) char *base64_encoded = NULL;
        _cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
        _cleanup_free_ char *keyslot_as_string = NULL, *private_uri = NULL;
        size_t decrypted_key_size, saved_key_size;
        _cleanup_free_ void *saved_key = NULL;
        _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
        ssize_t base64_encoded_size;
        const char *node;
        int r;

        assert_se(cd);
        assert_se(volume_key);
        assert_se(volume_key_size > 0);
        assert_se(uri);

        assert_se(node = crypt_get_device_name(cd));

        r = pkcs11_acquire_public_key(
                        uri,
                        "volume enrollment operation",
                        "drive-harddisk",
                        "cryptenroll.pkcs11-pin",
                        /* askpw_flags= */ 0,
                        &pkey,
                        /* ret_pin_used= */ NULL);
        if (r < 0)
                return r;

        r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
        if (r < 0)
                return log_error_errno(r, "Failed to generate volume keys: %m");

        /* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by
         * keyboard, if that might ever end up being necessary.) */
        base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
        if (base64_encoded_size < 0)
                return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");

        r = cryptsetup_set_minimal_pbkdf(cd);
        if (r < 0)
                return log_error_errno(r, "Failed to set minimal PBKDF: %m");

        int keyslot = crypt_keyslot_add_by_volume_key(
                        cd,
                        CRYPT_ANY_SLOT,
                        volume_key,
                        volume_key_size,
                        base64_encoded,
                        base64_encoded_size);
        if (keyslot < 0)
                return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node);

        if (asprintf(&keyslot_as_string, "%i", keyslot) < 0)
                return log_oom();

        /* Change 'type=cert' or 'type=public' in the provided URI to 'type=private' before storing in
           a LUKS2 header. This allows users to use output of some PKCS#11 tools directly without
           modifications. */
        r = uri_set_private_class(uri, &private_uri);
        if (r < 0)
                return r;

        r = json_build(&v,
                JSON_BUILD_OBJECT(
                        JSON_BUILD_PAIR("type", JSON_BUILD_CONST_STRING("systemd-pkcs11")),
                        JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
                        JSON_BUILD_PAIR("pkcs11-uri", JSON_BUILD_STRING(private_uri ?: uri)),
                        JSON_BUILD_PAIR("pkcs11-key", JSON_BUILD_BASE64(saved_key, saved_key_size))));
        if (r < 0)
                return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");

        r = cryptsetup_add_token_json(cd, v);
        if (r < 0)
                return log_error_errno(r, "Failed to add PKCS#11 JSON token to LUKS2 header: %m");

        log_info("New PKCS#11 token enrolled as key slot %i.", keyslot);
        return keyslot;
}
Commit	Line	Data
8710a681 LP	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2
	3	#include "cryptenroll-pkcs11.h"
	4	#include "hexdecoct.h"
	5	#include "json.h"
	6	#include "memory-util.h"
	7	#include "openssl-util.h"
	8	#include "pkcs11-util.h"
8710a681	9
85828ef9 VS	10	static int uri_set_private_class(const char uri, char *ret_uri) {
	11	_cleanup_(sym_p11_kit_uri_freep) P11KitUri *p11kit_uri = NULL;
	12	_cleanup_free_ char *private_uri = NULL;
	13	int r;
	14
	15	r = uri_from_string(uri, &p11kit_uri);
	16	if (r < 0)
	17	return log_error_errno(r, "Failed to parse PKCS#11 URI '%s': %m", uri);
	18
	19	if (sym_p11_kit_uri_get_attribute(p11kit_uri, CKA_CLASS)) {
	20	CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
	21	CK_ATTRIBUTE attribute = { CKA_CLASS, &class, sizeof(class) };
	22
	23	if (sym_p11_kit_uri_set_attribute(p11kit_uri, &attribute) != P11_KIT_URI_OK)
4e494e6a	24	return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to set class for URI '%s'.", uri);
85828ef9 VS	25
85828ef9 VS	26	if (sym_p11_kit_uri_format(p11kit_uri, P11_KIT_URI_FOR_ANY, &private_uri) != P11_KIT_URI_OK)
4e494e6a	27	return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format PKCS#11 URI.");
85828ef9 VS	28	}
	29
	30	*ret_uri = TAKE_PTR(private_uri);
	31	return 0;
	32	}
	33
8710a681 LP	34	int enroll_pkcs11(
	35	struct crypt_device *cd,
	36	const void *volume_key,
	37	size_t volume_key_size,
	38	const char *uri) {
	39
	40	_cleanup_(erase_and_freep) void *decrypted_key = NULL;
	41	_cleanup_(erase_and_freep) char *base64_encoded = NULL;
	42	_cleanup_(json_variant_unrefp) JsonVariant *v = NULL;
85828ef9	43	_cleanup_free_ char keyslot_as_string = NULL, private_uri = NULL;
876206f2 VS	44	size_t decrypted_key_size, saved_key_size;
876206f2 VS	45	_cleanup_free_ void *saved_key = NULL;
85686b37	46	_cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
5e476b85	47	ssize_t base64_encoded_size;
8710a681	48	const char *node;
85828ef9	49	int r;
8710a681 LP	50
	51	assert_se(cd);
	52	assert_se(volume_key);
	53	assert_se(volume_key_size > 0);
	54	assert_se(uri);
	55
	56	assert_se(node = crypt_get_device_name(cd));
	57
b2ac9280 LP	58	r = pkcs11_acquire_public_key(
	59	uri,
	60	"volume enrollment operation",
	61	"drive-harddisk",
	62	"cryptenroll.pkcs11-pin",
	63	/* askpw_flags= */ 0,
	64	&pkey,
	65	/* ret_pin_used= */ NULL);
8710a681 LP	66	if (r < 0)
	67	return r;
	68
85686b37	69	r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
8710a681	70	if (r < 0)
876206f2	71	return log_error_errno(r, "Failed to generate volume keys: %m");
8710a681 LP	72
	73	/* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by
	74	* keyboard, if that might ever end up being necessary.) */
5e476b85 LP	75	base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
	76	if (base64_encoded_size < 0)
	77	return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
8710a681 LP	78
	79	r = cryptsetup_set_minimal_pbkdf(cd);
	80	if (r < 0)
	81	return log_error_errno(r, "Failed to set minimal PBKDF: %m");
	82
85828ef9	83	int keyslot = crypt_keyslot_add_by_volume_key(
8710a681 LP	84	cd,
	85	CRYPT_ANY_SLOT,
	86	volume_key,
	87	volume_key_size,
	88	base64_encoded,
5e476b85	89	base64_encoded_size);
8710a681 LP	90	if (keyslot < 0)
	91	return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node);
	92
	93	if (asprintf(&keyslot_as_string, "%i", keyslot) < 0)
	94	return log_oom();
	95
85686b37 VS	96	/* Change 'type=cert' or 'type=public' in the provided URI to 'type=private' before storing in
	97	a LUKS2 header. This allows users to use output of some PKCS#11 tools directly without
	98	modifications. */
85828ef9 VS	99	r = uri_set_private_class(uri, &private_uri);
	100	if (r < 0)
	101	return r;
	102
8710a681	103	r = json_build(&v,
85828ef9 VS	104	JSON_BUILD_OBJECT(
	105	JSON_BUILD_PAIR("type", JSON_BUILD_CONST_STRING("systemd-pkcs11")),
	106	JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))),
	107	JSON_BUILD_PAIR("pkcs11-uri", JSON_BUILD_STRING(private_uri ?: uri)),
	108	JSON_BUILD_PAIR("pkcs11-key", JSON_BUILD_BASE64(saved_key, saved_key_size))));
8710a681 LP	109	if (r < 0)
	110	return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m");
	111
	112	r = cryptsetup_add_token_json(cd, v);
	113	if (r < 0)
	114	return log_error_errno(r, "Failed to add PKCS#11 JSON token to LUKS2 header: %m");
	115
	116	log_info("New PKCS#11 token enrolled as key slot %i.", keyslot);
	117	return keyslot;
	118	}