1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "errno-util.h"
4 #include "format-table.h"
6 #include "homectl-pkcs11.h"
7 #include "libcrypt-util.h"
8 #include "memory-util.h"
9 #include "openssl-util.h"
10 #include "pkcs11-util.h"
11 #include "random-util.h"
14 static int add_pkcs11_encrypted_key(
17 const void *encrypted_key
, size_t encrypted_key_size
,
18 const void *decrypted_key
, size_t decrypted_key_size
) {
20 _cleanup_(json_variant_unrefp
) JsonVariant
*l
= NULL
, *w
= NULL
, *e
= NULL
;
21 _cleanup_(erase_and_freep
) char *base64_encoded
= NULL
, *hashed
= NULL
;
22 ssize_t base64_encoded_size
;
27 assert(encrypted_key
);
28 assert(encrypted_key_size
> 0);
29 assert(decrypted_key
);
30 assert(decrypted_key_size
> 0);
32 /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
33 * expect a NUL terminated string, and we use a binary key */
34 base64_encoded_size
= base64mem(decrypted_key
, decrypted_key_size
, &base64_encoded
);
35 if (base64_encoded_size
< 0)
36 return log_error_errno(base64_encoded_size
, "Failed to base64 encode secret key: %m");
38 r
= hash_password(base64_encoded
, &hashed
);
40 return log_error_errno(errno_or_else(EINVAL
), "Failed to UNIX hash secret key: %m");
42 r
= json_build(&e
, JSON_BUILD_OBJECT(
43 JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri
)),
44 JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key
, encrypted_key_size
)),
45 JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed
))));
47 return log_error_errno(r
, "Failed to build encrypted JSON key object: %m");
49 w
= json_variant_ref(json_variant_by_key(*v
, "privileged"));
50 l
= json_variant_ref(json_variant_by_key(w
, "pkcs11EncryptedKey"));
52 r
= json_variant_append_array(&l
, e
);
54 return log_error_errno(r
, "Failed append PKCS#11 encrypted key: %m");
56 r
= json_variant_set_field(&w
, "pkcs11EncryptedKey", l
);
58 return log_error_errno(r
, "Failed to set PKCS#11 encrypted key: %m");
60 r
= json_variant_set_field(v
, "privileged", w
);
62 return log_error_errno(r
, "Failed to update privileged field: %m");
67 static int add_pkcs11_token_uri(JsonVariant
**v
, const char *uri
) {
68 _cleanup_(json_variant_unrefp
) JsonVariant
*w
= NULL
;
69 _cleanup_strv_free_
char **l
= NULL
;
75 w
= json_variant_ref(json_variant_by_key(*v
, "pkcs11TokenUri"));
77 r
= json_variant_strv(w
, &l
);
79 return log_error_errno(r
, "Failed to parse PKCS#11 token list: %m");
81 if (strv_contains(l
, uri
))
85 r
= strv_extend(&l
, uri
);
89 w
= json_variant_unref(w
);
90 r
= json_variant_new_array_strv(&w
, l
);
92 return log_error_errno(r
, "Failed to create PKCS#11 token URI JSON: %m");
94 r
= json_variant_set_field(v
, "pkcs11TokenUri", w
);
96 return log_error_errno(r
, "Failed to update PKCS#11 token URI list: %m");
101 int identity_add_token_pin(JsonVariant
**v
, const char *pin
) {
102 _cleanup_(json_variant_unrefp
) JsonVariant
*w
= NULL
, *l
= NULL
;
103 _cleanup_strv_free_erase_
char **pins
= NULL
;
111 w
= json_variant_ref(json_variant_by_key(*v
, "secret"));
112 l
= json_variant_ref(json_variant_by_key(w
, "tokenPin"));
114 r
= json_variant_strv(l
, &pins
);
116 return log_error_errno(r
, "Failed to convert PIN array: %m");
118 if (strv_contains(pins
, pin
))
121 r
= strv_extend(&pins
, pin
);
127 l
= json_variant_unref(l
);
129 r
= json_variant_new_array_strv(&l
, pins
);
131 return log_error_errno(r
, "Failed to allocate new PIN array JSON: %m");
133 json_variant_sensitive(l
);
135 r
= json_variant_set_field(&w
, "tokenPin", l
);
137 return log_error_errno(r
, "Failed to update PIN field: %m");
139 r
= json_variant_set_field(v
, "secret", w
);
141 return log_error_errno(r
, "Failed to update secret object: %m");
146 static int acquire_pkcs11_certificate(
148 const char *askpw_friendly_name
,
149 const char *askpw_icon_name
,
151 char **ret_pin_used
) {
153 return pkcs11_acquire_certificate(uri
, askpw_friendly_name
, askpw_icon_name
, ret_cert
, ret_pin_used
);
155 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
156 "PKCS#11 tokens not supported on this build.");
160 int identity_add_pkcs11_key_data(JsonVariant
**v
, const char *uri
) {
161 _cleanup_(erase_and_freep
) void *decrypted_key
= NULL
, *encrypted_key
= NULL
;
162 _cleanup_(erase_and_freep
) char *pin
= NULL
;
163 size_t decrypted_key_size
, encrypted_key_size
;
164 _cleanup_(X509_freep
) X509
*cert
= NULL
;
170 r
= acquire_pkcs11_certificate(uri
, "home directory operation", "user-home", &cert
, &pin
);
174 pkey
= X509_get0_pubkey(cert
);
176 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Failed to extract public key from X.509 certificate.");
178 r
= rsa_pkey_to_suitable_key_size(pkey
, &decrypted_key_size
);
180 return log_error_errno(r
, "Failed to extract RSA key size from X509 certificate.");
182 log_debug("Generating %zu bytes random key.", decrypted_key_size
);
184 decrypted_key
= malloc(decrypted_key_size
);
188 r
= crypto_random_bytes(decrypted_key
, decrypted_key_size
);
190 return log_error_errno(r
, "Failed to generate random key: %m");
192 r
= rsa_encrypt_bytes(pkey
, decrypted_key
, decrypted_key_size
, &encrypted_key
, &encrypted_key_size
);
194 return log_error_errno(r
, "Failed to encrypt key: %m");
196 /* Add the token URI to the public part of the record. */
197 r
= add_pkcs11_token_uri(v
, uri
);
201 /* Include the encrypted version of the random key we just generated in the privileged part of the record */
202 r
= add_pkcs11_encrypted_key(
205 encrypted_key
, encrypted_key_size
,
206 decrypted_key
, decrypted_key_size
);
210 /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed
211 * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or
213 r
= identity_add_token_pin(v
, pin
);