1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
5 #include "ask-password-api.h"
6 #include "dlfcn-util.h"
10 #include "format-table.h"
12 #include "memory-util.h"
14 #include "openssl-util.h"
16 #include "pkcs11-util.h"
17 #include "random-util.h"
18 #include "string-util.h"
/* Cheap syntactic pre-check for a PKCS#11 URI string. The visible part looks for the
 * "pkcs11:" scheme prefix and then restricts the remainder to a fixed allow-list of
 * characters. It does not parse or resolve the URI; a URI that passes here can still be
 * rejected by the real parser (see uri_from_string()).
 * NOTE(review): this listing omits several lines of the function (see the gaps in the
 * line numbers), including the handling of a failed startswith() and the return
 * statements, so the body below is not complete. */
21 bool pkcs11_uri_valid(const char *uri) {
24         /* A very superficial checker for RFC7512 PKCS#11 URI syntax */
29         p = startswith(uri, "pkcs11:");
           /* Allow-list: alphanumerics plus the URI punctuation below; '%' is admitted, so
            * percent-escapes are accepted here without being decoded or checked. */
36         if (!in_charset(p, ALPHANUMERICAL ".~/-_?;&%="))
/* Handle and entry points for libp11-kit. The library is not linked directly; every call
 * into it in this file goes through one of the sym_p11_kit_*() pointers below.
 * The pointers are presumably filled in by dlopen_p11kit() via DLSYM_ARG() — confirm
 * against dlfcn-util.h. They are not given initializers here, so code must not call
 * through them before dlopen_p11kit() has succeeded. */
44 static void *p11kit_dl = NULL;
46 char *(*sym_p11_kit_module_get_name)(CK_FUNCTION_LIST *module);
47 void (*sym_p11_kit_modules_finalize_and_release)(CK_FUNCTION_LIST **modules);
48 CK_FUNCTION_LIST **(*sym_p11_kit_modules_load_and_initialize)(int flags);
49 const char *(*sym_p11_kit_strerror)(CK_RV rv);
50 int (*sym_p11_kit_uri_format)(P11KitUri *uri, P11KitUriType uri_type, char **string);
51 void (*sym_p11_kit_uri_free)(P11KitUri *uri);
52 CK_ATTRIBUTE_PTR (*sym_p11_kit_uri_get_attributes)(P11KitUri *uri, CK_ULONG *n_attrs);
53 CK_INFO_PTR (*sym_p11_kit_uri_get_module_info)(P11KitUri *uri);
54 CK_SLOT_INFO_PTR (*sym_p11_kit_uri_get_slot_info)(P11KitUri *uri);
55 CK_TOKEN_INFO_PTR (*sym_p11_kit_uri_get_token_info)(P11KitUri *uri);
56 int (*sym_p11_kit_uri_match_token_info)(const P11KitUri *uri, const CK_TOKEN_INFO *token_info);
57 const char *(*sym_p11_kit_uri_message)(int code);
58 P11KitUri *(*sym_p11_kit_uri_new)(void);
59 int (*sym_p11_kit_uri_parse)(const char *string, P11KitUriType uri_type, P11KitUri *uri);
/* Load libp11-kit at runtime and resolve the symbols listed below in one call. Other
 * functions in this file treat a negative return as failure (e.g. "dlopen_p11kit() < 0").
 * The library is requested by soname only ("libp11-kit.so.0"), with no directory part;
 * which file that resolves to is therefore up to the loader's search rules — presumably
 * dlopen() underneath, confirm in dlopen_many_sym_or_warn().
 * NOTE(review): line 63 of the call (an argument before the soname) is not shown in this
 * listing. */
61 int dlopen_p11kit(void) {
62         return dlopen_many_sym_or_warn(
64                         "libp11-kit.so.0", LOG_DEBUG,
65                         DLSYM_ARG(p11_kit_module_get_name),
66                         DLSYM_ARG(p11_kit_modules_finalize_and_release),
67                         DLSYM_ARG(p11_kit_modules_load_and_initialize),
68                         DLSYM_ARG(p11_kit_strerror),
69                         DLSYM_ARG(p11_kit_uri_format),
70                         DLSYM_ARG(p11_kit_uri_free),
71                         DLSYM_ARG(p11_kit_uri_get_attributes),
72                         DLSYM_ARG(p11_kit_uri_get_module_info),
73                         DLSYM_ARG(p11_kit_uri_get_slot_info),
74                         DLSYM_ARG(p11_kit_uri_get_token_info),
75                         DLSYM_ARG(p11_kit_uri_match_token_info),
76                         DLSYM_ARG(p11_kit_uri_message),
77                         DLSYM_ARG(p11_kit_uri_new),
78                         DLSYM_ARG(p11_kit_uri_parse));
/* Parse the string `p` into a newly allocated P11KitUri using p11-kit's own parser, which
 * is the authoritative syntax check (pkcs11_uri_valid() is only a superficial filter).
 * The URI object is held in a _cleanup_ variable, so it is released on any early return.
 * NOTE(review): the listing omits lines here (see the gaps in the line numbers): the
 * handling of a NULL result from sym_p11_kit_uri_new(), the statement executed when
 * parsing fails, and how `ret` is assigned are not visible. */
81 int uri_from_string(const char *p, P11KitUri **ret) {
82         _cleanup_(sym_p11_kit_uri_freep) P11KitUri *uri = NULL;
92         uri = sym_p11_kit_uri_new();
           /* P11_KIT_URI_FOR_ANY: no restriction on what kind of PKCS#11 entity the URI names. */
96         if (sym_p11_kit_uri_parse(p, P11_KIT_URI_FOR_ANY, uri) != P11_KIT_URI_OK)
/* Build a P11KitUri describing a PKCS#11 module from its CK_INFO.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); the
 * statements taken when dlopen_p11kit() fails or the allocation returns NULL, and the
 * final return, are not shown. */
103 P11KitUri *uri_from_module_info(const CK_INFO *info) {
108         if (dlopen_p11kit() < 0)
111         uri = sym_p11_kit_uri_new();
            /* Struct assignment: the caller's CK_INFO is copied by value into the info
             * record that p11-kit hands out for this URI object. */
115         *sym_p11_kit_uri_get_module_info(uri) = *info;
/* Build a P11KitUri describing a slot from its CK_SLOT_INFO.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); the
 * statements taken when dlopen_p11kit() fails or the allocation returns NULL, and the
 * final return, are not shown. */
119 P11KitUri *uri_from_slot_info(const CK_SLOT_INFO *slot_info) {
124         if (dlopen_p11kit() < 0)
127         uri = sym_p11_kit_uri_new();
            /* Struct assignment: the caller's CK_SLOT_INFO is copied by value into the
             * slot record that p11-kit hands out for this URI object. */
131         *sym_p11_kit_uri_get_slot_info(uri) = *slot_info;
/* Build a P11KitUri describing a token from its CK_TOKEN_INFO. The token info is data
 * reported by the PKCS#11 module/device, so the resulting URI text is device-supplied.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); the
 * statements taken when dlopen_p11kit() fails or the allocation returns NULL, and the
 * final return, are not shown. */
135 P11KitUri *uri_from_token_info(const CK_TOKEN_INFO *token_info) {
140         if (dlopen_p11kit() < 0)
143         uri = sym_p11_kit_uri_new();
            /* Struct assignment: the CK_TOKEN_INFO is copied by value into the token
             * record that p11-kit hands out for this URI object. */
147         *sym_p11_kit_uri_get_token_info(uri) = *token_info;
/* Fetch the module's slot ID list into a freshly allocated array, returned through
 * ret_slotids / ret_n_slotids. Returns a CK_RV, not an errno-style int.
 * Pattern: C_GetSlotList() is called once with a NULL buffer to learn the count, then
 * again with a buffer of that size. The count comes from the module and can change
 * between the two calls, so the whole sequence is retried, at most 16 times; if it never
 * settles the function reports CKR_BUFFER_TOO_SMALL rather than looping forever.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter that declares `m`, the rv checks and the n_slotids == 0 branch body. */
151 CK_RV pkcs11_get_slot_list_malloc(
153                 CK_SLOT_ID **ret_slotids,
154                 CK_ULONG *ret_n_slotids) {
160         assert(ret_n_slotids);
162         for (unsigned tries = 0; tries < 16; tries++) {
                    /* Freed automatically on every path that does not TAKE_PTR() it. */
163                 _cleanup_free_ CK_SLOT_ID *slotids = NULL;
164                 CK_ULONG n_slotids = 0;
                    /* First call: NULL buffer, the module only reports how many slots exist. */
166                 rv = m->C_GetSlotList(0, NULL, &n_slotids);
169                 if (n_slotids == 0) {
                    /* Element count is module-supplied; presumably new() guards the size
                     * multiplication against overflow — confirm in its definition. */
175                 slotids = new(CK_SLOT_ID, n_slotids);
177                         return CKR_HOST_MEMORY;
                    /* Second call: n_slotids now states the buffer capacity on input and the
                     * number of entries written on output. */
179                 rv = m->C_GetSlotList(0, slotids, &n_slotids);
181                         *ret_slotids = TAKE_PTR(slotids);
182                         *ret_n_slotids = n_slotids;
                    /* Only "buffer too small" is worth another round. */
186                 if (rv != CKR_BUFFER_TOO_SMALL)
189                 /* Hu? Maybe somebody plugged something in and things changed? Let's try again */
192         return CKR_BUFFER_TOO_SMALL;
/* Return a heap copy of the token's label field as a C string.
 * The source field is a fixed-size array that is not NUL-terminated, so the copy is
 * bounded with sizeof(): strndup() reads at most that many bytes and always terminates
 * the result. The content is whatever the token reports.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); the rest of
 * the in-source comment, any post-processing of the copy and the return are not shown. */
195 char *pkcs11_token_label(const CK_TOKEN_INFO *token_info) {
198         /* The label is not NUL terminated and likely padded with spaces, let's make a copy here, so that we
             * [remainder of this comment is not shown in the listing] */
200         t = strndup((char*) token_info->label, sizeof(token_info->label));
/* Return a heap copy of the token's manufacturerID field as a C string.
 * The copy is bounded by sizeof() of the fixed-size source array, so strndup() cannot
 * read past the field even if it carries no NUL terminator. The content is whatever the
 * token reports.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); any
 * post-processing of the copy and the return are not shown. */
208 char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info) {
211         t = strndup((char*) token_info->manufacturerID, sizeof(token_info->manufacturerID));
/* Return a heap copy of the token's model field as a C string.
 * The copy is bounded by sizeof() of the fixed-size source array, so strndup() cannot
 * read past the field even if it carries no NUL terminator. The content is whatever the
 * token reports.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers); any
 * post-processing of the copy and the return are not shown. */
219 char *pkcs11_token_model(const CK_TOKEN_INFO *token_info) {
222         t = strndup((char*) token_info->model, sizeof(token_info->model));
/* Log into the token as CKU_USER on an already open session. Three cases are visible:
 *   - the token advertises a protected authentication path: C_Login() is called with a
 *     NULL PIN of length 0, i.e. the host never handles the PIN;
 *   - the token does not require login at all;
 *   - otherwise C_Login() is called with the caller's pin / pin_size.
 * Error mapping visible below: CKR_PIN_LOCKED is reported as EPERM (no point retrying),
 * CKR_PIN_INCORRECT and CKR_PIN_LEN_RANGE as ENOLCK ("please try again"), any other
 * failure as EIO. None of the messages shown contain the PIN; they name the token by
 * token_label only.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameters declaring `m`, `pin` and `pin_size`, the rv checks, and what is returned
 * when login is required but no PIN was supplied. */
230 int pkcs11_token_login_by_pin(
232                 CK_SESSION_HANDLE session,
233                 const CK_TOKEN_INFO *token_info,
234                 const char *token_label,
            /* PIN is entered outside the host (e.g. on the reader), so none is passed. */
248         if (FLAGS_SET(token_info->flags, CKF_PROTECTED_AUTHENTICATION_PATH)) {
249                 rv = m->C_Login(session, CKU_USER, NULL, 0);
251                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
252                                                "Failed to log into security token '%s': %s", token_label, sym_p11_kit_strerror(rv));
254                 log_info("Successfully logged into security token '%s' via protected authentication path.", token_label);
258         if (!FLAGS_SET(token_info->flags, CKF_LOGIN_REQUIRED)) {
259                 log_info("No login into security token '%s' required.", token_label);
            /* The PIN is handed to the module as a length-delimited byte string. */
266         rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) pin, pin_size);
268                 log_info("Successfully logged into security token '%s'.", token_label);
            /* Locked PIN: distinct error so callers stop prompting instead of retrying. */
272         if (rv == CKR_PIN_LOCKED)
273                 return log_error_errno(SYNTHETIC_ERRNO(EPERM),
274                                        "PIN has been locked, please reset PIN of security token '%s'.", token_label);
            /* Anything other than a wrong/mis-sized PIN is treated as a hard I/O failure. */
275         if (!IN_SET(rv, CKR_PIN_INCORRECT, CKR_PIN_LEN_RANGE))
276                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
277                                        "Failed to log into security token '%s': %s", token_label, sym_p11_kit_strerror(rv));
            /* Wrong PIN: logged at notice level and reported as ENOLCK. */
279         return log_notice_errno(SYNTHETIC_ERRNO(ENOLCK),
280                                 "PIN for token '%s' is incorrect, please try again.",
/* Interactive login wrapper around pkcs11_token_login_by_pin().
 * Flow visible below: a first attempt is made without a PIN; only a result of -ENOANO
 * ("pin required") continues into the PIN loop. The loop runs at most 3 times, taking
 * the PIN from the "PIN" environment variable or from ask_password_auto(), trying each
 * returned candidate, and re-reading the token info afterwards so the next prompt
 * reflects the token's updated retry flags. After 3 rounds it fails with EPERM.
 * PIN hygiene visible below: the PIN holders are declared with erase-on-cleanup helpers
 * (erase_and_freep, _cleanup_strv_free_erase_), and the in-source comment states that
 * PINs are never cached because tokens usually permit only 3 tries.
 * token_label is derived from the token's own info, so the prompt and log text below
 * contain device-supplied characters; how the label is sanitized is decided in
 * pkcs11_token_label().
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameters declaring `m`, `slotid`, `until` and `headless`, most condition lines,
 * and the branch that stores the PIN in *ret_used_pin. */
284 int pkcs11_token_login(
286                 CK_SESSION_HANDLE session,
288                 const CK_TOKEN_INFO *token_info,
289                 const char *friendly_name,
290                 const char *icon_name,
291                 const char *key_name,
292                 const char *credential_name,
294                 AskPasswordFlags ask_password_flags,
296                 char **ret_used_pin) {
298         _cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL;
299         _cleanup_(sym_p11_kit_uri_freep) P11KitUri *token_uri = NULL;
            /* Scratch copy used when the token info is refreshed inside the loop. */
300         CK_TOKEN_INFO updated_token_info;
311         token_label = pkcs11_token_label(token_info);
315         token_uri = uri_from_token_info(token_info);
319         uri_result = sym_p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, &token_uri_string);
320         if (uri_result != P11_KIT_URI_OK)
321                 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN), "Failed to format slot URI: %s", sym_p11_kit_uri_message(uri_result));
            /* First attempt without a PIN: covers the protected-path and no-login cases. */
323         r = pkcs11_token_login_by_pin(m, session, token_info, token_label, /* pin= */ NULL, 0);
            /* Logged in without a PIN, so there is no "used PIN" to hand back. */
324         if (r == 0 && ret_used_pin)
325                 *ret_used_pin = NULL;
327         if (r != -ENOANO) /* pin required */
            /* The token URI is device-derived; it is escaped before being used to build
             * the id passed to ask_password_auto(). */
330         token_uri_escaped = cescape(token_uri_string);
331         if (!token_uri_escaped)
334         id = strjoin("pkcs11:", token_uri_escaped);
            /* Hard cap of 3 rounds, independent of what the token's own counter allows. */
338         for (unsigned tries = 0; tries < 3; tries++) {
                    /* Both PIN holders use erase-on-cleanup helpers (per their names), so
                     * the PIN bytes are not left behind in freed heap memory. */
339                 _cleanup_strv_free_erase_ char **passwords = NULL;
340                 _cleanup_(erase_and_freep) char *envpin = NULL;
                    /* presumably this also removes "PIN" from the environment and wipes the
                     * original value, as the helper's name suggests — confirm */
342                 r = getenv_steal_erase("PIN", &envpin);
344                         return log_error_errno(r, "Failed to acquire PIN from environment: %m");
346                         passwords = strv_new(envpin);
351                         return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
353                         _cleanup_free_ char *text = NULL;
                            /* Prompt wording follows the token's retry-counter flags. */
355                         if (FLAGS_SET(token_info->flags, CKF_USER_PIN_FINAL_TRY))
357                                         "Please enter correct PIN for security token '%s' in order to unlock %s (final try):",
358                                         token_label, friendly_name);
359                         else if (FLAGS_SET(token_info->flags, CKF_USER_PIN_COUNT_LOW))
361                                         "PIN has been entered incorrectly previously, please enter correct PIN for security token '%s' in order to unlock %s:",
362                                         token_label, friendly_name);
365                                         "Please enter PIN for security token '%s' in order to unlock %s:",
366                                         token_label, friendly_name);
369                                         "Please enter PIN for security token '%s' in order to unlock %s (try #%u):",
370                                         token_label, friendly_name, tries+1);
374                         /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
375                         r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords);
377                                 return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
                    /* Every candidate tried here counts against the token's retry counter. */
380                 STRV_FOREACH(i, passwords) {
381                         r = pkcs11_token_login_by_pin(m, session, token_info, token_label, *i, strlen(*i));
382                         if (r == 0 && ret_used_pin) {
395                 /* Refresh the token info, so that we can prompt knowing the new flags if they changed. */
396                 rv = m->C_GetTokenInfo(slotid, &updated_token_info);
398                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
399                                                "Failed to acquire updated security token information for slot %lu: %s",
400                                                slotid, sym_p11_kit_strerror(rv));
                    /* From here on the local copy is used, not the caller's struct. */
402                 token_info = &updated_token_info;
406         return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to log into token '%s'.", token_label);
/* Find exactly one X.509 certificate object on the token that matches search_uri and
 * return its handle in *ret_object.
 * The URI's own attributes are used as the search template, then tightened: if the URI
 * names a class or certificate type it must be CKO_CERTIFICATE / an X.509 type, and if it
 * names neither, those constraints are appended. Attribute values are only copied out
 * after their length has been checked against the destination type.
 * Up to two handles are requested so that an ambiguous match can be detected; the
 * ENOENT and ENOTUNIQ returns below are the "none" and "more than one" outcomes.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter declaring `m`, the case labels and conditions in front of several
 * returns, and the .type initializer at 482. */
409 int pkcs11_token_find_x509_certificate(
411                 CK_SESSION_HANDLE session,
412                 P11KitUri *search_uri,
413                 CK_OBJECT_HANDLE *ret_object) {
415         bool found_class = false, found_certificate_type = false;
416         _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
417         CK_ULONG n_attributes, a, n_objects;
418         CK_ATTRIBUTE *attributes = NULL;
            /* Room for two results: one to use, a second only to detect ambiguity. */
419         CK_OBJECT_HANDLE objects[2];
            /* The array belongs to the URI object; it is read here, never written. */
431         attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
432         for (a = 0; a < n_attributes; a++) {
434                 /* We use the URI's included match attributes, but make them more strict. This allows users
435                  * to specify a token URL instead of an object URL and the right thing should happen if
436                  * there's only one suitable key on the token. */
438                 switch (attributes[a].type) {
                            /* Size check first, so the memcpy() below never reads a value
                             * shorter or longer than the local it fills. */
443                         if (attributes[a].ulValueLen != sizeof(c))
444                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
446                         memcpy(&c, attributes[a].pValue, sizeof(c));
447                         if (c != CKO_CERTIFICATE)
448                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
454                 case CKA_CERTIFICATE_TYPE: {
455                         CK_CERTIFICATE_TYPE t;
                            /* Same length-then-copy discipline as for CKA_CLASS. */
457                         if (attributes[a].ulValueLen != sizeof(t))
458                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CERTIFICATE_TYPE attribute size.");
460                         memcpy(&t, attributes[a].pValue, sizeof(t));
462                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
464                         found_certificate_type = true;
469         if (!found_class || !found_certificate_type) {
470                 /* Hmm, let's slightly extend the attribute list we search for */
                    /* Each negated bool contributes 0 or 1 extra slot, matching the at most
                     * two entries appended below. */
472                 attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_class + !found_certificate_type);
473                 if (!attributes_buffer)
476                 memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
                            /* static: pValue keeps pointing at this object for the find call. */
479                         static const CK_OBJECT_CLASS class = CKO_CERTIFICATE;
481                         attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
483                                 .pValue = (CK_OBJECT_CLASS*) &class,
484                                 .ulValueLen = sizeof(class),
488                 if (!found_certificate_type) {
489                         static const CK_CERTIFICATE_TYPE type = CKC_X_509;
491                         attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
492                                 .type = CKA_CERTIFICATE_TYPE,
493                                 .pValue = (CK_CERTIFICATE_TYPE*) &type,
494                                 .ulValueLen = sizeof(type),
498                 attributes = attributes_buffer;
501         rv = m->C_FindObjectsInit(session, attributes, n_attributes);
503                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
504                                        "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
506         rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
            /* The find operation is finalized before either result code is acted on, so
             * an error from C_FindObjects() does not leave the search open. */
507         rv2 = m->C_FindObjectsFinal(session);
509                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
510                                        "Failed to find objects: %s", sym_p11_kit_strerror(rv));
            /* NOTE(review): this message formats rv, although it reports the outcome of
             * C_FindObjectsFinal(), which was stored in rv2 — looks like rv2 was meant;
             * confirm against the condition on the omitted line 511. */
512                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
513                                        "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
515                 return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
516                                        "Failed to find selected X509 certificate on token.");
            /* Ambiguity is refused rather than resolved by picking one. */
518                 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
519                                        "Configured URI matches multiple certificates, refusing.");
521         *ret_object = objects[0];
/* Read one attribute of `object` from the token, parse it as a DER X.509 certificate
 * and hand the parsed certificate back through *ret_cert.
 * The attribute is fetched with two C_GetAttributeValue() calls: the first reports the
 * length, the buffer is allocated from that, the second fills it. Both the length and
 * the bytes are supplied by the token and go straight into the DER parser, so they should
 * be regarded as untrusted input. Only parsing is visible here; no chain or validity
 * checks are performed in the lines shown.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameters declaring `m` and `ret_cert`, the initializer of `attribute` and the
 * conditions in front of the returns. */
526 int pkcs11_token_read_x509_certificate(
528                 CK_SESSION_HANDLE session,
529                 CK_OBJECT_HANDLE object,
532         _cleanup_free_ void *buffer = NULL;
533         _cleanup_free_ char *t = NULL;
534         CK_ATTRIBUTE attribute = {
538         _cleanup_(X509_freep) X509 *x509 = NULL;
539         X509_NAME *name = NULL;
540         const unsigned char *p;
            /* First call: learn the value length. */
547         rv = m->C_GetAttributeValue(session, object, &attribute, 1);
549                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
550                                        "Failed to read X.509 certificate size off token: %s", sym_p11_kit_strerror(rv));
            /* Allocation size is the token-reported length. */
552         buffer = malloc(attribute.ulValueLen);
556         attribute.pValue = buffer;
            /* Second call: fetch the value into the buffer. */
558         rv = m->C_GetAttributeValue(session, object, &attribute, 1);
560                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
561                                        "Failed to read X.509 certificate data off token: %s", sym_p11_kit_strerror(rv));
            /* d2i_X509() advances the pointer it is given, hence the separate cursor `p`
             * instead of passing the buffer pointer itself. */
563         p = attribute.pValue;
564         x509 = d2i_X509(NULL, &p, attribute.ulValueLen);
566                 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed parse X.509 certificate.");
568         name = X509_get_subject_name(x509);
570                 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to acquire X.509 subject name.");
            /* NOTE(review): with a NULL buffer X509_NAME_oneline() returns memory from
             * OpenSSL's allocator, while `t` is released via _cleanup_free_; that matches
             * only while OpenSSL's allocator is plain malloc/free — confirm. */
572         t = X509_NAME_oneline(name, NULL, 0);
574                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format X.509 subject name as string.");
            /* The subject name is certificate-supplied text written to the debug log. */
576         log_debug("Using X.509 certificate issued for '%s'.", t);
            /* Ownership of the parsed certificate moves to the caller. */
578         *ret_cert = TAKE_PTR(x509);
/* Find exactly one private key object on the token that matches search_uri and is
 * usable for decryption or key derivation; return its handle in *ret_object.
 * The URI's attributes form the search template. A class named in the URI must be
 * CKO_PRIVATE_KEY, and the constraint is appended when (as the flag name found_class
 * suggests) the URI did not name one. Each candidate returned by the search is then
 * queried for CKA_DECRYPT and CKA_DERIVE; only candidates with at least one of them set
 * to CK_TRUE count. The ENOENT and ENOTUNIQ returns are the "none" and "more than one"
 * outcomes.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter declaring `m`, the loop around C_FindObjects(), and the conditions in
 * front of the returns. The error returns at 657 and 669 sit between
 * C_FindObjectsInit() and C_FindObjectsFinal(); whether the search is finalized on
 * those paths cannot be seen here — confirm. */
583 int pkcs11_token_find_private_key(
585                 CK_SESSION_HANDLE session,
586                 P11KitUri *search_uri,
587                 CK_OBJECT_HANDLE *ret_object) {
589         uint_fast8_t n_objects = 0;
590         bool found_class = false;
591         _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
592         CK_OBJECT_HANDLE object, candidate;
            /* static: pValue in the template keeps pointing at this object. */
593         static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
594         CK_BBOOL decrypt_value, derive_value;
            /* Query template for the two capability attributes; the module writes its
             * answers into decrypt_value / derive_value. */
595         CK_ATTRIBUTE optional_attributes[] = {
596                 { CKA_DECRYPT, &decrypt_value, sizeof(decrypt_value) },
597                 { CKA_DERIVE, &derive_value, sizeof(derive_value) }
605         CK_ULONG n_attributes;
606         CK_ATTRIBUTE *attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
607         for (CK_ULONG i = 0; i < n_attributes; i++) {
609                 /* We use the URI's included match attributes, but make them more strict. This allows users
610                  * to specify a token URL instead of an object URL and the right thing should happen if
611                  * there's only one suitable key on the token. */
613                 switch (attributes[i].type) {
                            /* Size check first, so the memcpy() below copies exactly one
                             * value of the expected type. */
617                         if (attributes[i].ulValueLen != sizeof(c))
618                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
620                         memcpy(&c, attributes[i].pValue, sizeof(c));
621                         if (c != CKO_PRIVATE_KEY)
622                                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
623                                                        "Selected PKCS#11 object is not a private key, refusing.");
631                 /* Hmm, let's slightly extend the attribute list we search for */
                    /* One extra slot for the class constraint appended below. */
633                 attributes_buffer = new(CK_ATTRIBUTE, n_attributes + 1);
634                 if (!attributes_buffer)
637                 memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
639                 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
641                         .pValue = (CK_OBJECT_CLASS*) &class,
642                         .ulValueLen = sizeof(class),
645                 attributes = attributes_buffer;
648         rv = m->C_FindObjectsInit(session, attributes, n_attributes);
650                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
651                                        "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
                    /* One handle per call, so each candidate can be inspected on its own. */
655                 rv = m->C_FindObjects(session, &candidate, 1, &b);
657                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
658                                                "Failed to find objects: %s", sym_p11_kit_strerror(rv));
663                 bool can_decrypt = false, can_derive = false;
                    /* The lengths are in/out fields, so they are reset before every query:
                     * a previous answer may have left CK_UNAVAILABLE_INFORMATION in them. */
664                 optional_attributes[0].ulValueLen = sizeof(decrypt_value);
665                 optional_attributes[1].ulValueLen = sizeof(derive_value);
667                 rv = m->C_GetAttributeValue(session, candidate, optional_attributes, ELEMENTSOF(optional_attributes));
                    /* CKR_ATTRIBUTE_TYPE_INVALID is tolerated: a key type may lack one of
                     * the two attributes; that shows up per attribute in ulValueLen. */
668                 if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
669                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
670                                                "Failed to get attributes of a selected private key: %s", sym_p11_kit_strerror(rv));
                    /* The value is trusted only if the module said it was available. */
672                 if (optional_attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION && decrypt_value == CK_TRUE)
675                 if (optional_attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION && derive_value == CK_TRUE)
678                 if (can_decrypt || can_derive) {
686         rv = m->C_FindObjectsFinal(session);
688                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
689                                        "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
692                 return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
693                                        "Failed to find selected private key suitable for decryption or derivation on token.");
            /* Ambiguity is refused rather than resolved by picking one. */
696                 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
697                                        "Configured private key URI matches multiple keys, refusing.");
699         *ret_object = object;
/* Map a PKCS#11 object class to the name of its constant, for use in log messages. The
 * returned strings are literals; the caller must not free them.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers): the switch
 * statement, two of the case labels and whatever is returned for other classes are not
 * shown. */
703 static const char* object_class_to_string(CK_OBJECT_CLASS class) {
705         case CKO_CERTIFICATE:
706                 return "CKO_CERTIFICATE";
708                 return "CKO_PUBLIC_KEY";
709         case CKO_PRIVATE_KEY:
710                 return "CKO_PRIVATE_KEY";
712                 return "CKO_SECRET_KEY";
718 /* Returns an object with the given class and the same CKA_ID or CKA_LABEL as prototype */
/* Lookup order visible below: CKA_ID is used when the prototype has one, otherwise
 * CKA_LABEL; if it has neither the call fails with EINVAL. The search template is
 * always two entries: the requested class plus that one identifying attribute.
 * Unlike the certificate and private-key finders in this file, more than one match is
 * not refused: a warning is logged and the first handle is returned. Callers that need
 * a unique association should not rely on this function to enforce it.
 * Failures here are logged at debug level only.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter declaring `m`, the allocation checks and the conditions in front of the
 * returns. */
719 int pkcs11_token_find_related_object(
721                 CK_SESSION_HANDLE session,
722                 CK_OBJECT_HANDLE prototype,
723                 CK_OBJECT_CLASS class,
724                 CK_OBJECT_HANDLE *ret_object) {
            /* Single buffer: only one of the two attribute values is ever fetched. */
726         _cleanup_free_ void *buffer = NULL;
            /* NULL value pointers: the first query only asks for the lengths. */
727         CK_ATTRIBUTE attributes[] = {
728                 { CKA_ID, NULL_PTR, 0 },
729                 { CKA_LABEL, NULL_PTR, 0 }
731         CK_OBJECT_CLASS search_class = class;
            /* Entry [1] is filled in below with the ID or the label. */
732         CK_ATTRIBUTE search_attributes[2] = {
733                 { CKA_CLASS, &search_class, sizeof(search_class) }
            /* Room for two results so that a second match can be noticed. */
736         CK_OBJECT_HANDLE objects[2];
739         rv = m->C_GetAttributeValue(session, prototype, attributes, ELEMENTSOF(attributes));
            /* A missing attribute is acceptable; it is detected per entry via ulValueLen. */
740         if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
741                 return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve length of attributes: %s", sym_p11_kit_strerror(rv));
743         if (attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION) {
                    /* Allocation size is the token-reported length of CKA_ID. */
744                 buffer = malloc(attributes[0].ulValueLen);
748                 attributes[0].pValue = buffer;
749                 rv = m->C_GetAttributeValue(session, prototype, &attributes[0], 1);
751                         return log_debug_errno(SYNTHETIC_ERRNO(EIO),
752                                                "Failed to retrieve CKA_ID: %s", sym_p11_kit_strerror(rv));
                    /* Struct copy: the template entry now points into `buffer`, which
                     * stays alive until this function returns. */
754                 search_attributes[1] = attributes[0];
756         } else if (attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION) {
                    /* Allocation size is the token-reported length of CKA_LABEL. */
757                 buffer = malloc(attributes[1].ulValueLen);
761                 attributes[1].pValue = buffer;
762                 rv = m->C_GetAttributeValue(session, prototype, &attributes[1], 1);
764                         return log_debug_errno(SYNTHETIC_ERRNO(EIO),
765                                                "Failed to retrieve CKA_LABEL: %s", sym_p11_kit_strerror(rv));
767                 search_attributes[1] = attributes[1];
770                 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The prototype does not have CKA_ID or CKA_LABEL");
772         rv = m->C_FindObjectsInit(session, search_attributes, 2);
774                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
775                                        "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
777         rv = m->C_FindObjects(session, objects, 2, &n_objects);
779                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
780                                        "Failed to find objects: %s", sym_p11_kit_strerror(rv));
782         rv = m->C_FindObjectsFinal(session);
784                 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
785                                        "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
788                 return log_debug_errno(SYNTHETIC_ERRNO(ENOENT),
789                                        "Failed to find a related object with class %s", object_class_to_string(class));
            /* Multiple matches: warn and continue with the first one. */
792                 log_warning("Found multiple related objects with class %s, using the first object.",
793                             object_class_to_string(class));
795         *ret_object = objects[0];
/* Re-encode an EC point from the caller's encoding into compressed form, for modules
 * whose ECDH derive mechanism only accepts compressed points.
 * The curve is taken from CKA_EC_PARAMS: first from `object` itself, and when that
 * attribute is unavailable there, from the related public key found through
 * pkcs11_token_find_related_object(). The parameters are DER bytes supplied by the
 * token and are decoded with OpenSSL; the caller's point is decoded against that
 * group before being re-serialized.
 * On success the new buffer and its size are handed to the caller, who owns the buffer.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter declaring `m`, the else that separates the two CKA_EC_PARAMS paths, and
 * the allocation-failure handling. */
800 static int ecc_convert_to_compressed(
802                 CK_SESSION_HANDLE session,
803                 CK_OBJECT_HANDLE object,
804                 const void *uncompressed_point,
805                 size_t uncompressed_point_size,
806                 void **ret_compressed_point,
807                 size_t *ret_compressed_point_size) {
809         _cleanup_free_ void *ec_params_buffer = NULL;
            /* NULL value pointer: the first query only asks for the length. */
810         CK_ATTRIBUTE ec_params_attr = { CKA_EC_PARAMS, NULL_PTR, 0 };
814         rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1);
815         if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
816                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
817                                        "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
            /* Path 1: the key object itself carries the curve parameters. */
819         if (ec_params_attr.ulValueLen != CK_UNAVAILABLE_INFORMATION) {
820                 ec_params_buffer = malloc(ec_params_attr.ulValueLen);
821                 if (!ec_params_buffer)
824                 ec_params_attr.pValue = ec_params_buffer;
825                 rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1);
827                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
828                                                "Failed to retrieve CKA_EC_PARAMS from a private key: %s", sym_p11_kit_strerror(rv));
                    /* Path 2: fall back to the public key that shares the ID or label. */
830                 CK_OBJECT_HANDLE public_key;
831                 r = pkcs11_token_find_related_object(m, session, object, CKO_PUBLIC_KEY, &public_key);
833                         return log_error_errno(r, "Failed to find a public key for compressing a EC point");
                    /* Reset the in/out length before querying the other object. */
835                 ec_params_attr.ulValueLen = 0;
836                 rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1);
837                 if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
838                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
839                                                "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
841                 if (ec_params_attr.ulValueLen == CK_UNAVAILABLE_INFORMATION)
842                         return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
843                                                "The public key does not have CKA_EC_PARAMS");
845                 ec_params_buffer = malloc(ec_params_attr.ulValueLen);
846                 if (!ec_params_buffer)
849                 ec_params_attr.pValue = ec_params_buffer;
850                 rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1);
852                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
853                                                "Failed to retrieve CKA_EC_PARAMS from a public key: %s", sym_p11_kit_strerror(rv));
            /* All OpenSSL objects below are released automatically on every return. */
856         _cleanup_(EC_GROUP_freep) EC_GROUP *group = NULL;
857         _cleanup_(EC_POINT_freep) EC_POINT *point = NULL;
858         _cleanup_(BN_CTX_freep) BN_CTX *bnctx = NULL;
859         _cleanup_free_ void *compressed_point = NULL;
860         size_t compressed_point_size;
            /* Separate cursor: the d2i function advances the pointer it is given. */
862         const unsigned char *ec_params_value = ec_params_attr.pValue;
            /* Token-supplied DER is parsed here; a decode failure is reported as EINVAL. */
863         group = d2i_ECPKParameters(NULL, &ec_params_value, ec_params_attr.ulValueLen);
865                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_PARAMS");
867         point = EC_POINT_new(group);
871         bnctx = BN_CTX_new();
            /* The caller's bytes are decoded as a point of `group`; anything the decoder
             * does not accept for that group is rejected here with EINVAL. */
875         if (EC_POINT_oct2point(group, point, uncompressed_point, uncompressed_point_size, bnctx) != 1)
876                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode an uncompressed EC point");
            /* First call with a NULL buffer only reports the required size. */
878         compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, bnctx);
879         if (compressed_point_size == 0)
880                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine size of a compressed EC point");
882         compressed_point = malloc(compressed_point_size);
883         if (!compressed_point)
            /* Second call writes the encoding; 0 again means failure. */
886         compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, compressed_point, compressed_point_size, bnctx);
887         if (compressed_point_size == 0)
888                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert a EC point to compressed format");
            /* Ownership of the buffer moves to the caller. */
890         *ret_compressed_point = TAKE_PTR(compressed_point);
891         *ret_compressed_point_size = compressed_point_size;
896 /* Since EC keys don't support encryption directly, we use the ECDH protocol to derive a shared secret here.
897  * We use PKCS#11 C_DeriveKey function to derive a shared secret with a private key stored in the token and
898  * a public key saved on enrollment. */
/* "encrypted_data" is therefore the peer's public EC point, and the "decrypted data"
 * returned is the raw ECDH shared secret.
 * The derive template asks for a session object (CKA_TOKEN false) that is not sensitive
 * and is extractable. That is what allows CKA_VALUE to be read back, and it also means
 * the shared secret leaves the token and lives in host memory: the buffer returned in
 * *ret_decrypted_data is key material and the caller is responsible for erasing it.
 * The derived object is destroyed on the token after the value has been read, and on
 * the failure paths shown; a failed destroy is logged and otherwise ignored.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameter declaring `m`, the .kdf initializer and most rv checks. The
 * allocation-failure branch at 981 is not shown; if it returns directly, the derived
 * object is left for session teardown to remove — confirm.
 * NOTE(review): "¶ms" at 925 looks like HTML-entity damage to "&params" (the address
 * of the struct declared at 918) — confirm against the original file. */
899 static int pkcs11_token_decrypt_data_ecc(
901                 CK_SESSION_HANDLE session,
902                 CK_OBJECT_HANDLE object,
903                 const void *encrypted_data,
904                 size_t encrypted_data_size,
905                 void **ret_decrypted_data,
906                 size_t *ret_decrypted_data_size) {
908         static const CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
909         static const CK_OBJECT_CLASS shared_secret_class = CKO_SECRET_KEY;
910         static const CK_KEY_TYPE shared_secret_type = CKK_GENERIC_SECRET;
            /* Properties requested for the derived key object: */
911         static const CK_ATTRIBUTE shared_secret_template[] = {
                    /* session object, not stored on the token */
912                 { CKA_TOKEN, (void*) &no, sizeof(no) },
913                 { CKA_CLASS, (void*) &shared_secret_class, sizeof(shared_secret_class) },
914                 { CKA_KEY_TYPE, (void*) &shared_secret_type, sizeof(shared_secret_type) },
                    /* not sensitive + extractable: the value may be read by the host */
915                 { CKA_SENSITIVE, (void*) &no, sizeof(no) },
916                 { CKA_EXTRACTABLE, (void*) &yes, sizeof(yes) }
918         CK_ECDH1_DERIVE_PARAMS params = {
                    /* The peer's public point, initially exactly as passed in. */
920                 .pPublicData = (void*) encrypted_data,
921                 .ulPublicDataLen = encrypted_data_size
923         CK_MECHANISM mechanism = {
924                 .mechanism = CKM_ECDH1_DERIVE,
925                 .pParameter = ¶ms,
926                 .ulParameterLen = sizeof(params)
928         CK_OBJECT_HANDLE shared_secret_handle;
929         CK_SESSION_INFO session_info;
930         CK_MECHANISM_INFO mechanism_info;
            /* Holds the re-encoded point, if one is needed, until the derive call is done. */
933         _cleanup_free_ void *compressed_point = NULL;
            /* The slot ID is needed to query the mechanism's capabilities. */
937         rv = m->C_GetSessionInfo(session, &session_info);
939                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
940                                        "Failed to get information about the PKCS#11 session: %s", sym_p11_kit_strerror(rv));
942         rv = m->C_GetMechanismInfo(session_info.slotID, CKM_ECDH1_DERIVE, &mechanism_info);
944                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
945                                        "Failed to get information about CKM_ECDH1_DERIVE: %s", sym_p11_kit_strerror(rv));
            /* Point format negotiation, driven by what the module advertises. */
947         if (!(mechanism_info.flags & CKF_EC_UNCOMPRESS)) {
948                 if (mechanism_info.flags & CKF_EC_COMPRESS) {
950                         log_debug("CKM_ECDH1_DERIVE accepts compressed EC points only, trying to convert.");
951                         size_t compressed_point_size;
952                         r = ecc_convert_to_compressed(m, session, object, encrypted_data, encrypted_data_size, &compressed_point, &compressed_point_size);
                            /* Swap the derive input over to the re-encoded point. */
956                         params.pPublicData = compressed_point;
957                         params.ulPublicDataLen = compressed_point_size;
959                         return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
960                                                "CKM_ECDH1_DERIVE does not support uncompressed format of EC points");
                            /* Neither flag set: the input is passed on unchanged. */
963                         log_debug("Both CKF_EC_UNCOMPRESS and CKF_EC_COMPRESS are false for CKM_ECDH1_DERIVE, ignoring.");
966         rv = m->C_DeriveKey(session, &mechanism, object, (CK_ATTRIBUTE*) shared_secret_template, ELEMENTSOF(shared_secret_template), &shared_secret_handle);
968                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to derive a shared secret: %s", sym_p11_kit_strerror(rv));
            /* NULL value pointer: the first query only asks for the secret's length. */
970         CK_ATTRIBUTE shared_secret_attr = { CKA_VALUE, NULL_PTR, 0};
972         rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
                    /* Failure path: remove the derived object before bailing out. */
974                 rv2 = m->C_DestroyObject(session, shared_secret_handle);
976                         log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
977                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve shared secret length: %s", sym_p11_kit_strerror(rv));
            /* Plain malloc(), no _cleanup_: every later path has to free or hand off
             * this buffer explicitly. */
980         shared_secret_attr.pValue = malloc(shared_secret_attr.ulValueLen);
981         if (!shared_secret_attr.pValue)
984         rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
            /* The token-side copy is destroyed whether or not the read succeeded. */
985         rv2 = m->C_DestroyObject(session, shared_secret_handle);
987                 log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
                    /* The buffer may already hold secret bytes, so it is erased, not
                     * merely freed. */
990                 erase_and_free(shared_secret_attr.pValue);
991                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve a shared secret: %s", sym_p11_kit_strerror(rv));
994         log_info("Successfully derived key with security token.");
            /* Ownership of the secret buffer moves to the caller. */
996         *ret_decrypted_data = shared_secret_attr.pValue;
997         *ret_decrypted_data_size = shared_secret_attr.ulValueLen;
/* Decrypt encrypted_data on the token with the RSA private key `object` and return the
 * plaintext in a newly allocated buffer.
 * The mechanism is CKM_RSA_PKCS, i.e. PKCS#1 v1.5 padding; the padding is removed by
 * the token, the host only sees the result code and the plaintext.
 * NOTE(review): PKCS#1 v1.5 decryption is the scheme for which distinguishable
 * failures matter when untrusted parties can submit ciphertexts; whether that applies
 * depends on where callers get encrypted_data from — confirm against callers.
 * The output buffer is declared with erase_and_freep and is erased before being
 * replaced, so plaintext is wiped on every path that does not hand it to the caller.
 * After success the caller owns the buffer and is responsible for erasing it.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the allocation checks and the conditions in front of the returns. */
1001 static int pkcs11_token_decrypt_data_rsa(
1002                 CK_FUNCTION_LIST *m,
1003                 CK_SESSION_HANDLE session,
1004                 CK_OBJECT_HANDLE object,
1005                 const void *encrypted_data,
1006                 size_t encrypted_data_size,
1007                 void **ret_decrypted_data,
1008                 size_t *ret_decrypted_data_size) {
1010         static const CK_MECHANISM mechanism = {
1011                  .mechanism = CKM_RSA_PKCS
1013         _cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL;
1014         CK_ULONG dbuffer_size = 0;
1017         rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object);
1019                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
1020                                        "Failed to initialize decryption on security token: %s", sym_p11_kit_strerror(rv));
             /* Initial guess: a buffer as large as the ciphertext. */
1022         dbuffer_size = encrypted_data_size; /* Start with something reasonable */
1023         dbuffer = malloc(dbuffer_size);
             /* dbuffer_size is in/out: capacity on input, bytes produced (or the size
              * required) on output. */
1027         rv = m->C_Decrypt(session, (CK_BYTE*) encrypted_data, encrypted_data_size, dbuffer, &dbuffer_size);
             /* One retry with the size the module asked for. */
1028         if (rv == CKR_BUFFER_TOO_SMALL) {
1029                 erase_and_free(dbuffer);
1031                 dbuffer = malloc(dbuffer_size);
1035                 rv = m->C_Decrypt(session, (CK_BYTE*) encrypted_data, encrypted_data_size, dbuffer, &dbuffer_size);
1038                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
1039                                        "Failed to decrypt key on security token: %s", sym_p11_kit_strerror(rv));
1041         log_info("Successfully decrypted key with security token.");
             /* Ownership of the plaintext buffer moves to the caller. */
1043         *ret_decrypted_data = TAKE_PTR(dbuffer);
1044         *ret_decrypted_data_size = dbuffer_size;
/* Entry point for unwrapping data with a private key on the token. It reads the key's
 * CKA_KEY_TYPE and dispatches to the RSA or the ECC implementation; any other key type
 * is rejected with EOPNOTSUPP. For ECC keys the "decryption" is an ECDH derivation, see
 * pkcs11_token_decrypt_data_ecc().
 * The buffer returned through ret_decrypted_data holds secret material and is owned by
 * the caller.
 * The input checks are assert()s, so they document the contract rather than validate
 * untrusted input at runtime.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers): the rv
 * check and the switch/case labels that select the branch are not shown. */
1048 int pkcs11_token_decrypt_data(
1049                 CK_FUNCTION_LIST *m,
1050                 CK_SESSION_HANDLE session,
1051                 CK_OBJECT_HANDLE object,
1052                 const void *encrypted_data,
1053                 size_t encrypted_data_size,
1054                 void **ret_decrypted_data,
1055                 size_t *ret_decrypted_data_size) {
1057         CK_KEY_TYPE key_type;
             /* Value pointer and length are preset, so one call returns the key type. */
1058         CK_ATTRIBUTE key_type_template = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
1062         assert(encrypted_data);
1063         assert(encrypted_data_size > 0);
1064         assert(ret_decrypted_data);
1065         assert(ret_decrypted_data_size);
1067         rv = m->C_GetAttributeValue(session, object, &key_type_template, 1);
             /* Unlike most messages in this file, this one does not include the
              * module's error text for rv. */
1069                 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve private key type");
1074                 return pkcs11_token_decrypt_data_rsa(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
1077                 return pkcs11_token_decrypt_data_ecc(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
1080                 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported private key type: %lu", key_type);
/* Read random bytes from the token's RNG and write them into the kernel random pool.
 * As the in-source comment explains, the data is mixed in without crediting entropy,
 * because the quality of the token's RNG is unknown: the host pool can only gain from
 * it, never be weakened by a poor token RNG. The final `false` passed to
 * random_write_entropy() is presumably that "do not credit" switch — confirm in
 * random-util.h.
 * Failures are logged at debug level; a token without a usable RNG is reported as
 * EOPNOTSUPP.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the checks after dlopen_p11kit(), malloc() and the two calls below. */
1084 int pkcs11_token_acquire_rng(
1085                 CK_FUNCTION_LIST *m,
1086                 CK_SESSION_HANDLE session) {
1088         _cleanup_free_ void *buffer = NULL;
             /* Needed because the error path below calls sym_p11_kit_strerror(). */
1095         r = dlopen_p11kit();
1099         /* While we are at it, let's read some RNG data from the PKCS#11 token and pass it to the kernel
1100          * random pool. This should be cheap if we are talking to the device already. Note that we don't
1101          * credit any entropy, since we don't know about the quality of the pkcs#11 token's RNG. Why bother
1102          * at all? There are two sides to the argument whether to generate private keys on tokens or on the
1103          * host. By crediting some data from the token RNG to the host's pool we at least can say that any
1104          * key generated from it is at least as good as both sources individually. */
             /* The amount requested from the token equals the pool size reported here. */
1106         rps = random_pool_size();
1108         buffer = malloc(rps);
1112         rv = m->C_GenerateRandom(session, buffer, rps);
1114                 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
1115                                        "Failed to generate RNG data on security token: %s", sym_p11_kit_strerror(rv));
1117         r = random_write_entropy(-1, buffer, rps, false);
1119                 return log_debug_errno(r, "Failed to write PKCS#11 acquired random data to /dev/urandom: %m");
1121         log_debug("Successfully written %zu bytes random data acquired via PKCS#11 to kernel random pool.", rps);
/* Open a session on the given slot, run the caller's callback inside it, and close the
 * session again.
 * The session is opened with CKF_SERIAL_SESSION only, without a read/write flag, so the
 * callback works in a read-only session. The close call follows the callback in the
 * lines shown, and a failure to close is logged and ignored rather than overriding the
 * callback's result.
 * Without a callback the function reports 1, meaning "found".
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameters declaring `slotid` and `userdata`, the rv checks and the final
 * return. */
1126 static int token_process(
1127                 CK_FUNCTION_LIST *m,
1129                 const CK_SLOT_INFO *slot_info,
1130                 const CK_TOKEN_INFO *token_info,
1131                 P11KitUri *search_uri,
1132                 pkcs11_find_token_callback_t callback,
1135         _cleanup_free_ char *token_label = NULL;
1136         CK_SESSION_HANDLE session;
             /* Label is only used for the error message below. */
1144         token_label = pkcs11_token_label(token_info);
1148         rv = m->C_OpenSession(slotid, CKF_SERIAL_SESSION, NULL, NULL, &session);
1150                 return log_error_errno(SYNTHETIC_ERRNO(EIO),
1151                                        "Failed to create session for security token '%s': %s", token_label, sym_p11_kit_strerror(rv));
1154                 r = callback(m, session, slotid, slot_info, token_info, search_uri, userdata);
1156                 r = 1; /* if no callback was specified, just say we found what we were looking for */
1158         rv = m->C_CloseSession(session);
1160                 log_warning("Failed to close session on PKCS#11 token, ignoring: %s", sym_p11_kit_strerror(rv));
/* Examine one slot: read its slot and token info, skip it if no token is present or if
 * the token does not match search_uri, and otherwise hand it to token_process().
 * As the in-source comment says, every failure that can be pinned on this particular
 * slot is reported as EAGAIN, so the caller can move on to the next slot instead of
 * aborting the whole search.
 * The slot and token URIs written to the log are built from data reported by the
 * module/device. Matching against search_uri is delegated to p11-kit.
 * NOTE(review): the listing omits lines (see the gaps in the line numbers), among them
 * the parameters declaring `slotid` and `userdata`, the returns that follow the
 * warnings, and the arguments of the final token_process() call. */
1165 static int slot_process(
1166                 CK_FUNCTION_LIST *m,
1168                 P11KitUri *search_uri,
1169                 pkcs11_find_token_callback_t callback,
1172         _cleanup_(sym_p11_kit_uri_freep) P11KitUri* slot_uri = NULL, *token_uri = NULL;
1173         _cleanup_free_ char *token_uri_string = NULL;
1174         CK_TOKEN_INFO token_info;
1175         CK_SLOT_INFO slot_info;
1181         r = dlopen_p11kit();
1185         /* We return -EAGAIN for all failures we can attribute to a specific slot in some way, so that the
1186          * caller might try other slots before giving up. */
1188         rv = m->C_GetSlotInfo(slotid, &slot_info);
1190                 log_warning("Failed to acquire slot info for slot %lu, ignoring slot: %s", slotid, sym_p11_kit_strerror(rv));
1194         slot_uri = uri_from_slot_info(&slot_info);
             /* The slot URI string is only produced when debug logging is enabled. */
1198         if (DEBUG_LOGGING) {
1199                 _cleanup_free_ char *slot_uri_string = NULL;
1201                 uri_result = sym_p11_kit_uri_format(slot_uri, P11_KIT_URI_FOR_ANY, &slot_uri_string);
1202                 if (uri_result != P11_KIT_URI_OK) {
1203                         log_warning("Failed to format slot URI, ignoring slot: %s", sym_p11_kit_uri_message(uri_result));
1207                 log_debug("Found slot with URI %s", slot_uri_string);
1210         rv = m->C_GetTokenInfo(slotid, &token_info);
             /* An empty slot is expected and only worth a debug message. */
1211         if (rv == CKR_TOKEN_NOT_PRESENT) {
1212                 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
1213                                        "Token not present in slot, ignoring.");
1214         } else if (rv != CKR_OK) {
1215                 log_warning("Failed to acquire token info for slot %lu, ignoring slot: %s", slotid, sym_p11_kit_strerror(rv));
1219         token_uri = uri_from_token_info(&token_info);
1223         uri_result = sym_p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, &token_uri_string);
1224         if (uri_result != P11_KIT_URI_OK) {
                     /* NOTE(review): the message says "slot URI" although it is the token
                      * URI that failed to format here — confirm the intended wording. */
1225                 log_warning("Failed to format slot URI: %s", sym_p11_kit_uri_message(uri_result));
             /* A NULL search_uri matches every token. */
1229         if (search_uri && !sym_p11_kit_uri_match_token_info(search_uri, &token_info))
1230                 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
1231                                        "Found non-matching token with URI %s.",
1234         log_debug("Found matching token with URI %s.", token_uri_string);
1236         return token_process(
/* Handles one PKCS#11 module: logs its name and URI, fetches its slot list and walks the slots.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1250-1251, 1256-1263, 1279,
 * 1297, 1299-1301 and the loop body after 1305 among others are not shown), so the remaining parameters,
 * the error checks and what happens per slot are not visible here. */
1246 static int module_process(
1247 CK_FUNCTION_LIST
*m
,
1248 P11KitUri
*search_uri
,
1249 pkcs11_find_token_callback_t callback
,
1252 _cleanup_(sym_p11_kit_uri_freep
) P11KitUri
* module_uri
= NULL
;
1253 _cleanup_free_
char *name
= NULL
, *module_uri_string
= NULL
;
1254 _cleanup_free_ CK_SLOT_ID
*slotids
= NULL
;
1255 CK_ULONG n_slotids
= 0;
1264 r
= dlopen_p11kit();
1268 /* We ignore most errors from modules here, in order to skip over faulty modules: one faulty module
1269 * should not have the effect that we don't try the others anymore. We indicate such per-module
1270 * failures with -EAGAIN, which lets the caller try the next module. */
/* The returned name is owned by this function (released through _cleanup_free_). */
1272 name
= sym_p11_kit_module_get_name(m
);
1276 log_debug("Trying PKCS#11 module %s.", name
);
1278 rv
= m
->C_GetInfo(&info
);
1280 log_warning("Failed to get info on PKCS#11 module, ignoring module: %s", sym_p11_kit_strerror(rv
));
1284 module_uri
= uri_from_module_info(&info
);
/* The module URI is built for the debug message below. */
1288 uri_result
= sym_p11_kit_uri_format(module_uri
, P11_KIT_URI_FOR_ANY
, &module_uri_string
);
1289 if (uri_result
!= P11_KIT_URI_OK
) {
1290 log_warning("Failed to format module URI, ignoring module: %s", sym_p11_kit_uri_message(uri_result
));
1294 log_debug("Found module with URI %s", module_uri_string
);
/* The helper allocates the slot id array; it is released through _cleanup_free_ on 'slotids'. */
1296 rv
= pkcs11_get_slot_list_malloc(m
, &slotids
, &n_slotids
);
1298 log_warning("Failed to get slot list, ignoring module: %s", sym_p11_kit_strerror(rv
));
/* Presumably taken when n_slotids is 0; the check (line 1301) is not shown. */
1302 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN
),
1303 "This module has no slots? Ignoring module.");
1305 for (k
= 0; k
< n_slotids
; k
++) {
/* Entry point of the token search: parses 'pkcs11_uri' into a search URI, has p11-kit load and
 * initialize its PKCS#11 modules and iterates over the NULL-terminated module list.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1322-1323, 1326-1327,
 * 1329-1331, 1335, 1337, 1342 and the loop body after 1345 among others are not shown), so the remaining
 * parameter, the error checks and the per-module handling are not visible here.
 *
 * NOTE(review): pkcs11_list_tokens() and pkcs11_find_token_auto() in this file pass NULL for
 * 'pkcs11_uri'; the check that skips uri_from_string() in that case is presumably on line 1335. */
1319 int pkcs11_find_token(
1320 const char *pkcs11_uri
,
1321 pkcs11_find_token_callback_t callback
,
/* Both objects are released automatically on every return path. */
1324 _cleanup_(sym_p11_kit_modules_finalize_and_releasep
) CK_FUNCTION_LIST
**modules
= NULL
;
1325 _cleanup_(sym_p11_kit_uri_freep
) P11KitUri
*search_uri
= NULL
;
1328 r
= dlopen_p11kit();
1332 /* Execute the specified callback for each matching token found. If nothing is found returns
1333 * -EAGAIN. Logs about all errors, except for EAGAIN, which the caller has to log about. */
1336 r
= uri_from_string(pkcs11_uri
, &search_uri
);
1338 return log_error_errno(r
, "Failed to parse PKCS#11 URI '%s': %m", pkcs11_uri
);
/* The PKCS#11 modules p11-kit loads here are shared libraries that run inside this process, so the
 * p11-kit module configuration is part of the trust boundary of every caller of this function. */
1341 modules
= sym_p11_kit_modules_load_and_initialize(0);
1343 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Failed to initialize pkcs11 modules");
1345 for (CK_FUNCTION_LIST
**i
= modules
; *i
; i
++) {
/* State shared between pkcs11_acquire_certificate() and its per-token callback.
 *
 * NOTE(review): lines 1360-1361 and 1364 are not shown in this listing; the 'pin_used' and 'cert' members
 * that pkcs11_acquire_certificate_callback_data_release() frees are presumably declared there. */
1359 struct pkcs11_acquire_certificate_callback_data
{
/* Passed on to pkcs11_token_login() by the callback for the PIN prompt. */
1362 const char *askpw_friendly_name
, *askpw_icon_name
;
1363 AskPasswordFlags askpw_flags
;
/* Cleanup handler for struct pkcs11_acquire_certificate_callback_data: releases the PIN and the
 * certificate still held by 'data'. */
1367 static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data
*data
) {
/* The PIN is a secret: erase_and_free() rather than free(), so that it is wiped before the memory goes
 * back to the allocator. */
1368 erase_and_free(data
->pin_used
);
1369 X509_free(data
->cert
);
/* pkcs11_find_token() callback used by pkcs11_acquire_certificate(): logs into the token, locates and
 * reads the X.509 certificate selected by 'uri' into data->cert, and hands the PIN that was used to
 * 'data'.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1375, 1378-1380, 1384-1390,
 * 1394-1397, 1400-1408, 1410-1412 and 1414-1416 among others are not shown), so the remaining
 * parameters, most pkcs11_token_login() arguments and the error checks are not visible here. */
1372 static int pkcs11_acquire_certificate_callback(
1373 CK_FUNCTION_LIST
*m
,
1374 CK_SESSION_HANDLE session
,
1376 const CK_SLOT_INFO
*slot_info
,
1377 const CK_TOKEN_INFO
*token_info
,
/* The PIN stays in a local with an erasing cleanup handler, so any return before the hand-over at the
 * end of the function wipes it. */
1381 _cleanup_(erase_and_freep
) char *pin_used
= NULL
;
1382 struct pkcs11_acquire_certificate_callback_data
*data
= ASSERT_PTR(userdata
);
1383 CK_OBJECT_HANDLE object
;
1391 /* Called for every token matching our URI */
1393 r
= pkcs11_token_login(
1398 data
->askpw_friendly_name
,
1399 data
->askpw_icon_name
,
1409 r
= pkcs11_token_find_x509_certificate(m
, session
, uri
, &object
);
1413 r
= pkcs11_token_read_x509_certificate(m
, session
, object
, &data
->cert
);
1417 /* Let's read some random data off the token and write it to the kernel pool before we generate our
1418 * random key from it. This way we can claim the quality of the RNG is at least as good as the
1419 * kernel's and the token's pool */
/* Best effort: the (void) cast drops the result, so a token without a usable RNG does not fail the
 * certificate acquisition. */
1420 (void) pkcs11_token_acquire_rng(m
, session
);
/* Ownership of the PIN moves to 'data'; TAKE_PTR() resets the local, so the cleanup handler above no
 * longer erases it. */
1422 data
->pin_used
= TAKE_PTR(pin_used
);
/* Finds the token selected by 'uri', logs into it and returns its X.509 certificate in *ret_cert and the
 * PIN that was used in *ret_pin_used.
 *
 * Ownership: both results are moved out of 'data' with TAKE_PTR(), so the release handler on 'data' no
 * longer frees them. The caller then owns the PIN and is responsible for erasing it (erase_and_free()),
 * not just freeing it.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1427, 1430, 1432, 1436-1441,
 * 1446-1449 and 1451-1452 among others are not shown), so the remaining parameters, the other 'data'
 * initializers and any check on whether the caller asked for the PIN are not visible here. */
1426 int pkcs11_acquire_certificate(
1428 const char *askpw_friendly_name
,
1429 const char *askpw_icon_name
,
1431 char **ret_pin_used
) {
/* On every return path the handler erases the PIN and frees the certificate still held by 'data'. */
1433 _cleanup_(pkcs11_acquire_certificate_callback_data_release
) struct pkcs11_acquire_certificate_callback_data data
= {
1434 .askpw_friendly_name
= askpw_friendly_name
,
1435 .askpw_icon_name
= askpw_icon_name
,
1442 r
= pkcs11_find_token(uri
, pkcs11_acquire_certificate_callback
, &data
);
1443 if (r
== -EAGAIN
) /* pkcs11_find_token() doesn't log about this error, but all others */
1444 return log_error_errno(SYNTHETIC_ERRNO(ENXIO
),
1445 "Specified PKCS#11 token with URI '%s' not found.",
1450 *ret_cert
= TAKE_PTR(data
.cert
);
1453 *ret_pin_used
= TAKE_PTR(data
.pin_used
);
/* pkcs11_find_token() callback used by pkcs11_list_tokens(): adds one row (URI, label, manufacturer,
 * model) to the Table passed as 'userdata' for every hardware slot with a token inserted.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1462, 1465-1467, 1471-1475,
 * 1485-1486, 1488-1490, 1506-1508 and 1513 among others are not shown), so the remaining parameters, the
 * early returns and the start of the table-add call are not visible here.
 *
 * NOTE(review): label, manufacturer id and model originate from the token itself; confirm that the
 * pkcs11_token_*() helpers sanitize them before pkcs11_list_tokens() prints the table to stdout. */
1459 static int list_callback(
1460 CK_FUNCTION_LIST
*m
,
1461 CK_SESSION_HANDLE session
,
1463 const CK_SLOT_INFO
*slot_info
,
1464 const CK_TOKEN_INFO
*token_info
,
1468 _cleanup_free_
char *token_uri_string
= NULL
, *token_label
= NULL
, *token_manufacturer_id
= NULL
, *token_model
= NULL
;
1469 _cleanup_(sym_p11_kit_uri_freep
) P11KitUri
*token_uri
= NULL
;
1470 Table
*t
= userdata
;
1476 r
= dlopen_p11kit();
1480 /* We only care about hardware devices here with a token inserted. Let's filter everything else
1481 * out. (Note that the user can explicitly specify non-hardware tokens if they like, but during
1482 * enumeration we'll filter those, since software tokens are typically the system certificate store
1483 * and such, and it's typically not what people want to bind their home directories to.) */
/* Both flags are slot flags, hence the test on slot_info->flags. */
1484 if (!FLAGS_SET(slot_info
->flags
, CKF_HW_SLOT
|CKF_TOKEN_PRESENT
))
1487 token_label
= pkcs11_token_label(token_info
);
1491 token_manufacturer_id
= pkcs11_token_manufacturer_id(token_info
);
1492 if (!token_manufacturer_id
)
1495 token_model
= pkcs11_token_model(token_info
);
1499 token_uri
= uri_from_token_info(token_info
);
1503 uri_result
= sym_p11_kit_uri_format(token_uri
, P11_KIT_URI_FOR_ANY
, &token_uri_string
);
1504 if (uri_result
!= P11_KIT_URI_OK
)
/* NOTE(review): the URI formatted here is the token URI, but the message says "slot URI". */
1505 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN
), "Failed to format slot URI: %s", sym_p11_kit_uri_message(uri_result
));
1509 TABLE_STRING
, token_uri_string
,
1510 TABLE_STRING
, token_label
,
1511 TABLE_STRING
, token_manufacturer_id
,
1512 TABLE_STRING
, token_model
);
1514 return table_log_add_error(r
);
/* -EAGAIN is what pkcs11_find_token() treats as "not found here", so the scan moves on to the next
 * token instead of stopping at the first one listed. */
1516 return -EAGAIN
; /* keep scanning */
/* Prints a table of the suitable PKCS#11 tokens (uri, label, manufacturer, model) to stdout.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1521, 1523-1524, 1526-1528,
 * 1531-1532, 1535-1537, 1539 and 1541-1543 among others are not shown), so the error checks, the early
 * returns and the preprocessor conditional that selects the EOPNOTSUPP variant are not visible here. */
1520 int pkcs11_list_tokens(void) {
1522 _cleanup_(table_unrefp
) Table
*t
= NULL
;
1525 t
= table_new("uri", "label", "manufacturer", "model");
/* No search URI: every token is passed to list_callback(), which does the filtering itself. */
1529 r
= pkcs11_find_token(NULL
, list_callback
, t
);
/* -EAGAIN is the normal outcome here, since list_callback() returns it to keep the scan going. */
1530 if (r
< 0 && r
!= -EAGAIN
)
/* Presumably the header line counts as a row, so "<= 1" means that no token was added. */
1533 if (table_get_rows(t
) <= 1) {
1534 log_info("No suitable PKCS#11 tokens found.");
1538 r
= table_print(t
, stdout
);
1540 return log_error_errno(r
, "Failed to show device table: %m");
/* Variant for builds without PKCS#11 support (presumably the #else branch; the directive is not
 * shown). */
1544 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
1545 "PKCS#11 tokens not supported on this build.");
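/* pkcs11_find_token() callback used by pkcs11_find_token_auto(): formats the URI of a suitable token
 * into *userdata (a char**). The ENOTUNIQ return is presumably taken when *userdata is already set, i.e.
 * when a second suitable token turns up.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1553, 1556-1558, 1561-1565,
 * 1567-1569, 1571-1573 and 1578-1580 among others are not shown), so the remaining parameters, the early
 * returns and the check guarding the ENOTUNIQ return are not visible here. */
1550 static int auto_callback(
1551 CK_FUNCTION_LIST
*m
,
1552 CK_SESSION_HANDLE session
,
1554 const CK_SLOT_INFO
*slot_info
,
1555 const CK_TOKEN_INFO
*token_info
,
1559 _cleanup_(sym_p11_kit_uri_freep
) P11KitUri
*token_uri
= NULL
;
1560 char **t
= userdata
;
1566 r
= dlopen_p11kit();
/* CKF_HW_SLOT and CKF_TOKEN_PRESENT are CK_SLOT_INFO flags, so they have to be tested on slot_info, as
 * list_callback() does. Tested on token_info->flags the same bit values mean CKF_LOGIN_REQUIRED and
 * CKF_RNG, which would let a software token through automatic selection and could skip a hardware
 * token. */
1570 if (!FLAGS_SET(slot_info
->flags
, CKF_HW_SLOT
|CKF_TOKEN_PRESENT
))
1574 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ
),
1575 "More than one suitable PKCS#11 token found.");
1577 token_uri
= uri_from_token_info(token_info
);
/* The formatted URI string is written straight into the caller's pointer. */
1581 uri_result
= sym_p11_kit_uri_format(token_uri
, P11_KIT_URI_FOR_ANY
, t
);
1582 if (uri_result
!= P11_KIT_URI_OK
)
/* NOTE(review): the URI formatted here is the token URI, but the message says "slot URI". */
1583 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN
), "Failed to format slot URI: %s", sym_p11_kit_uri_message(uri_result
));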
/* Picks a PKCS#11 token automatically and returns its URI in *ret. Runs the search without a URI, with
 * auto_callback() doing the selection.
 *
 * NOTE(review): this listing skips source lines (the gutter numbers jump; 1590-1592, 1594 and 1596-1600
 * among others are not shown), so the conditions guarding the returns below and the preprocessor
 * conditional that selects the EOPNOTSUPP variant are not visible here.
 *
 * NOTE(review): auto_callback() writes through 'ret'; *ret presumably has to be NULL on entry for its
 * "more than one token" detection to work - confirm against the callers. */
1589 int pkcs11_find_token_auto(char **ret
) {
1593 r
= pkcs11_find_token(NULL
, auto_callback
, ret
);
1595 return log_error_errno(SYNTHETIC_ERRNO(ENODEV
), "No suitable PKCS#11 tokens found.");
/* Variant for builds without PKCS#11 support (presumably the #else branch; the directive is not
 * shown). */
1601 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
1602 "PKCS#11 tokens not supported on this build.");
/* Releases the key material held by 'data'. */
1607 void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data
*data
) {
/* The decrypted key is a secret: erase_and_free() rather than free(), so that it is wiped before the
 * memory goes back to the allocator. */
1608 erase_and_free(data
->decrypted_key
);
/* The encrypted key is freed only when 'free_encrypted_key' says this structure owns it; a plain free()
 * is used for it. */
1610 if (data
->free_encrypted_key
)
1611 free(data
->encrypted_key
);
1614 int pkcs11_crypt_device_callback(
1615 CK_FUNCTION_LIST
*m
,
1616 CK_SESSION_HANDLE session
,
1618 const CK_SLOT_INFO
*slot_info
,
1619 const CK_TOKEN_INFO
*token_info
,
1623 pkcs11_crypt_device_callback_data
*data
= ASSERT_PTR(userdata
);
1624 CK_OBJECT_HANDLE object
;
1632 /* Called for every token matching our URI */
1634 r
= pkcs11_token_login(
1639 data
->friendly_name
,
1642 "cryptsetup.pkcs11-pin",
1650 /* We are likely called during early boot, where entropy is scarce. Mix some data from the PKCS#11
1651 * token, if it supports that. It should be cheap, given that we already are talking to it anyway and
1652 * shouldn't hurt. */
1653 (void) pkcs11_token_acquire_rng(m
, session
);
1655 r
= pkcs11_token_find_private_key(m
, session
, uri
, &object
);
1659 r
= pkcs11_token_decrypt_data(
1663 data
->encrypted_key
,
1664 data
->encrypted_key_size
,
1665 &data
->decrypted_key
,
1666 &data
->decrypted_key_size
);