[thirdparty/systemd.git] / src / shared / pkcs11-util.h

/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

#if HAVE_OPENSSL
#  include <openssl/x509.h>
#endif
#include <stdbool.h>

#if HAVE_P11KIT
#  include <p11-kit/p11-kit.h>
#  include <p11-kit/uri.h>
#endif

#include "ask-password-api.h"
#include "macro.h"
#include "time-util.h"

bool pkcs11_uri_valid(const char *uri);

#if HAVE_P11KIT

extern char *(*sym_p11_kit_module_get_name)(CK_FUNCTION_LIST *module);
extern void (*sym_p11_kit_modules_finalize_and_release)(CK_FUNCTION_LIST **modules);
extern CK_FUNCTION_LIST **(*sym_p11_kit_modules_load_and_initialize)(int flags);
extern const char *(*sym_p11_kit_strerror)(CK_RV rv);
extern int (*sym_p11_kit_uri_format)(P11KitUri *uri, P11KitUriType uri_type, char **string);
extern void (*sym_p11_kit_uri_free)(P11KitUri *uri);
extern CK_ATTRIBUTE_PTR (*sym_p11_kit_uri_get_attributes)(P11KitUri *uri, CK_ULONG *n_attrs);
extern CK_ATTRIBUTE_PTR (*sym_p11_kit_uri_get_attribute)(P11KitUri *uri, CK_ATTRIBUTE_TYPE attr_type);
extern int (*sym_p11_kit_uri_set_attribute)(P11KitUri *uri, CK_ATTRIBUTE_PTR attr);
extern CK_INFO_PTR (*sym_p11_kit_uri_get_module_info)(P11KitUri *uri);
extern CK_SLOT_INFO_PTR (*sym_p11_kit_uri_get_slot_info)(P11KitUri *uri);
extern CK_TOKEN_INFO_PTR (*sym_p11_kit_uri_get_token_info)(P11KitUri *uri);
extern int (*sym_p11_kit_uri_match_token_info)(const P11KitUri *uri, const CK_TOKEN_INFO *token_info);
extern const char *(*sym_p11_kit_uri_message)(int code);
extern P11KitUri *(*sym_p11_kit_uri_new)(void);
extern int (*sym_p11_kit_uri_parse)(const char *string, P11KitUriType uri_type, P11KitUri *uri);

int uri_from_string(const char *p, P11KitUri **ret);

P11KitUri *uri_from_module_info(const CK_INFO *info);
P11KitUri *uri_from_slot_info(const CK_SLOT_INFO *slot_info);
P11KitUri *uri_from_token_info(const CK_TOKEN_INFO *token_info);

DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(P11KitUri*, sym_p11_kit_uri_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(CK_FUNCTION_LIST**, sym_p11_kit_modules_finalize_and_release, NULL);

CK_RV pkcs11_get_slot_list_malloc(CK_FUNCTION_LIST *m, CK_SLOT_ID **ret_slotids, CK_ULONG *ret_n_slotids);

char *pkcs11_token_label(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);

int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);

int pkcs11_token_find_related_object(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE *ret_object);
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL
int pkcs11_token_read_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, X509 **ret_cert);
#endif

int pkcs11_token_find_private_key(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
int pkcs11_token_decrypt_data(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, const void *encrypted_data, size_t encrypted_data_size, void **ret_decrypted_data, size_t *ret_decrypted_data_size);

int pkcs11_token_acquire_rng(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session);

typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_SLOT_INFO *slot_info, const CK_TOKEN_INFO *token_info, P11KitUri *uri, void *userdata);
int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);

#if HAVE_OPENSSL
int pkcs11_acquire_certificate(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, X509 **ret_cert, char **ret_pin_used);
#endif

typedef struct {
        const char *friendly_name;
        usec_t until;
        void *encrypted_key;
        size_t encrypted_key_size;
        void *decrypted_key;
        size_t decrypted_key_size;
        bool free_encrypted_key;
        bool headless;
        AskPasswordFlags askpw_flags;
} pkcs11_crypt_device_callback_data;

void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data);

int pkcs11_crypt_device_callback(
                CK_FUNCTION_LIST *m,
                CK_SESSION_HANDLE session,
                CK_SLOT_ID slot_id,
                const CK_SLOT_INFO *slot_info,
                const CK_TOKEN_INFO *token_info,
                P11KitUri *uri,
                void *userdata);

int dlopen_p11kit(void);

#else

static inline int dlopen_p11kit(void) {
        return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "p11kit support is not compiled in.");
}

#endif

typedef struct {
        const char *friendly_name;
        usec_t until;
        bool headless;
        AskPasswordFlags askpw_flags;
} systemd_pkcs11_plugin_params;

int pkcs11_list_tokens(void);
int pkcs11_find_token_auto(char **ret);
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
839fddbe LP	2	#pragma once
839fddbe LP	3
06b77382 VS	4	#if HAVE_OPENSSL
	5	# include <openssl/x509.h>
	6	#endif
839fddbe LP	7	#include <stdbool.h>
	8
	9	#if HAVE_P11KIT
b012a1f4 ZJS	10	# include <p11-kit/p11-kit.h>
b012a1f4 ZJS	11	# include <p11-kit/uri.h>
839fddbe LP	12	#endif
839fddbe LP	13
a758a128	14	#include "ask-password-api.h"
839fddbe LP	15	#include "macro.h"
	16	#include "time-util.h"
	17
	18	bool pkcs11_uri_valid(const char *uri);
	19
	20	#if HAVE_P11KIT
da035a3a LB	21
	22	extern char (sym_p11_kit_module_get_name)(CK_FUNCTION_LIST *module);
	23	extern void (sym_p11_kit_modules_finalize_and_release)(CK_FUNCTION_LIST *modules);
	24	extern CK_FUNCTION_LIST *(sym_p11_kit_modules_load_and_initialize)(int flags);
	25	extern const char (sym_p11_kit_strerror)(CK_RV rv);
	26	extern int (sym_p11_kit_uri_format)(P11KitUri uri, P11KitUriType uri_type, char **string);
	27	extern void (sym_p11_kit_uri_free)(P11KitUri uri);
	28	extern CK_ATTRIBUTE_PTR (sym_p11_kit_uri_get_attributes)(P11KitUri uri, CK_ULONG *n_attrs);
85828ef9 VS	29	extern CK_ATTRIBUTE_PTR (sym_p11_kit_uri_get_attribute)(P11KitUri uri, CK_ATTRIBUTE_TYPE attr_type);
85828ef9 VS	30	extern int (sym_p11_kit_uri_set_attribute)(P11KitUri uri, CK_ATTRIBUTE_PTR attr);
da035a3a LB	31	extern CK_INFO_PTR (sym_p11_kit_uri_get_module_info)(P11KitUri uri);
	32	extern CK_SLOT_INFO_PTR (sym_p11_kit_uri_get_slot_info)(P11KitUri uri);
	33	extern CK_TOKEN_INFO_PTR (sym_p11_kit_uri_get_token_info)(P11KitUri uri);
	34	extern int (sym_p11_kit_uri_match_token_info)(const P11KitUri uri, const CK_TOKEN_INFO *token_info);
	35	extern const char (sym_p11_kit_uri_message)(int code);
	36	extern P11KitUri (sym_p11_kit_uri_new)(void);
	37	extern int (sym_p11_kit_uri_parse)(const char string, P11KitUriType uri_type, P11KitUri *uri);
	38
839fddbe LP	39	int uri_from_string(const char p, P11KitUri *ret);
	40
	41	P11KitUri uri_from_module_info(const CK_INFO info);
	42	P11KitUri uri_from_slot_info(const CK_SLOT_INFO slot_info);
	43	P11KitUri uri_from_token_info(const CK_TOKEN_INFO token_info);
	44
da035a3a LB	45	DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(P11KitUri*, sym_p11_kit_uri_free, NULL);
da035a3a LB	46	DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(CK_FUNCTION_LIST**, sym_p11_kit_modules_finalize_and_release, NULL);
839fddbe LP	47
	48	CK_RV pkcs11_get_slot_list_malloc(CK_FUNCTION_LIST m, CK_SLOT_ID ret_slotids, CK_ULONG ret_n_slotids);
	49
	50	char pkcs11_token_label(const CK_TOKEN_INFO token_info);
0eb3be46 LP	51	char pkcs11_token_manufacturer_id(const CK_TOKEN_INFO token_info);
0eb3be46 LP	52	char pkcs11_token_model(const CK_TOKEN_INFO token_info);
839fddbe	53
0ff60566	54	int pkcs11_token_login_by_pin(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO token_info, const char token_label, const void pin, size_t pin_size);
a758a128	55	int pkcs11_token_login(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO token_info, const char friendly_name, const char icon_name, const char key_name, const char credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);
839fddbe	56
06b77382	57	int pkcs11_token_find_related_object(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE ret_object);
839fddbe LP	58	int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, P11KitUri search_uri, CK_OBJECT_HANDLE *ret_object);
	59	#if HAVE_OPENSSL
	60	int pkcs11_token_read_x509_certificate(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, X509 *ret_cert);
	61	#endif
	62
	63	int pkcs11_token_find_private_key(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, P11KitUri search_uri, CK_OBJECT_HANDLE *ret_object);
	64	int pkcs11_token_decrypt_data(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, const void encrypted_data, size_t encrypted_data_size, void *ret_decrypted_data, size_t ret_decrypted_data_size);
	65
	66	int pkcs11_token_acquire_rng(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session);
	67
	68	typedef int (pkcs11_find_token_callback_t)(CK_FUNCTION_LIST m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_SLOT_INFO slot_info, const CK_TOKEN_INFO token_info, P11KitUri uri, void userdata);
	69	int pkcs11_find_token(const char pkcs11_uri, pkcs11_find_token_callback_t callback, void userdata);
2289a784 LP	70
	71	#if HAVE_OPENSSL
	72	int pkcs11_acquire_certificate(const char uri, const char askpw_friendly_name, const char askpw_icon_name, X509 ret_cert, char *ret_pin_used);
	73	#endif
	74
ed3d3af1 OK	75	typedef struct {
	76	const char *friendly_name;
	77	usec_t until;
	78	void *encrypted_key;
	79	size_t encrypted_key_size;
	80	void *decrypted_key;
	81	size_t decrypted_key_size;
	82	bool free_encrypted_key;
	83	bool headless;
a758a128	84	AskPasswordFlags askpw_flags;
ed3d3af1 OK	85	} pkcs11_crypt_device_callback_data;
	86
	87	void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data);
	88
	89	int pkcs11_crypt_device_callback(
	90	CK_FUNCTION_LIST *m,
	91	CK_SESSION_HANDLE session,
	92	CK_SLOT_ID slot_id,
	93	const CK_SLOT_INFO *slot_info,
	94	const CK_TOKEN_INFO *token_info,
	95	P11KitUri *uri,
	96	void *userdata);
	97
da035a3a LB	98	int dlopen_p11kit(void);
	99
	100	#else
	101
	102	static inline int dlopen_p11kit(void) {
	103	return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "p11kit support is not compiled in.");
	104	}
	105
839fddbe	106	#endif
f240cbb6	107
8186022c OK	108	typedef struct {
	109	const char *friendly_name;
	110	usec_t until;
	111	bool headless;
a758a128	112	AskPasswordFlags askpw_flags;
8186022c OK	113	} systemd_pkcs11_plugin_params;
8186022c OK	114
f240cbb6 LP	115	int pkcs11_list_tokens(void);
f240cbb6 LP	116	int pkcs11_find_token_auto(char **ret);