1 /* SPDX-License-Identifier: LGPL-2.1+ */
5 #include "ask-password-api.h"
9 #include "memory-util.h"
11 #include "openssl-util.h"
13 #include "pkcs11-util.h"
14 #include "random-util.h"
15 #include "string-util.h"
18 bool pkcs11_uri_valid(const char *uri
) {
21 /* A very superficial checker for RFC7512 PKCS#11 URI syntax */
26 p
= startswith(uri
, "pkcs11:");
33 if (!in_charset(p
, ALPHANUMERICAL
"-_?;&%="))
41 int uri_from_string(const char *p
, P11KitUri
**ret
) {
42 _cleanup_(p11_kit_uri_freep
) P11KitUri
*uri
= NULL
;
47 uri
= p11_kit_uri_new();
51 if (p11_kit_uri_parse(p
, P11_KIT_URI_FOR_ANY
, uri
) != P11_KIT_URI_OK
)
58 P11KitUri
*uri_from_module_info(const CK_INFO
*info
) {
63 uri
= p11_kit_uri_new();
67 *p11_kit_uri_get_module_info(uri
) = *info
;
71 P11KitUri
*uri_from_slot_info(const CK_SLOT_INFO
*slot_info
) {
76 uri
= p11_kit_uri_new();
80 *p11_kit_uri_get_slot_info(uri
) = *slot_info
;
84 P11KitUri
*uri_from_token_info(const CK_TOKEN_INFO
*token_info
) {
89 uri
= p11_kit_uri_new();
93 *p11_kit_uri_get_token_info(uri
) = *token_info
;
97 CK_RV
pkcs11_get_slot_list_malloc(
99 CK_SLOT_ID
**ret_slotids
,
100 CK_ULONG
*ret_n_slotids
) {
106 assert(ret_n_slotids
);
108 for (unsigned tries
= 0; tries
< 16; tries
++) {
109 _cleanup_free_ CK_SLOT_ID
*slotids
= NULL
;
110 CK_ULONG n_slotids
= 0;
112 rv
= m
->C_GetSlotList(0, NULL
, &n_slotids
);
115 if (n_slotids
== 0) {
121 slotids
= new(CK_SLOT_ID
, n_slotids
);
123 return CKR_HOST_MEMORY
;
125 rv
= m
->C_GetSlotList(0, slotids
, &n_slotids
);
127 *ret_slotids
= TAKE_PTR(slotids
);
128 *ret_n_slotids
= n_slotids
;
132 if (rv
!= CKR_BUFFER_TOO_SMALL
)
135 /* Hu? Maybe somebody plugged something in and things changed? Let's try again */
138 return CKR_BUFFER_TOO_SMALL
;
141 char *pkcs11_token_label(const CK_TOKEN_INFO
*token_info
) {
144 /* The label is not NUL terminated and likely padded with spaces, let's make a copy here, so that we
146 t
= strndup((char*) token_info
->label
, sizeof(token_info
->label
));
154 char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO
*token_info
) {
157 t
= strndup((char*) token_info
->manufacturerID
, sizeof(token_info
->manufacturerID
));
165 char *pkcs11_token_model(const CK_TOKEN_INFO
*token_info
) {
168 t
= strndup((char*) token_info
->model
, sizeof(token_info
->model
));
176 int pkcs11_token_login(
178 CK_SESSION_HANDLE session
,
180 const CK_TOKEN_INFO
*token_info
,
181 const char *friendly_name
,
182 const char *icon_name
,
185 char **ret_used_pin
) {
187 _cleanup_free_
char *token_uri_string
= NULL
, *token_uri_escaped
= NULL
, *id
= NULL
, *token_label
= NULL
;
188 _cleanup_(p11_kit_uri_freep
) P11KitUri
*token_uri
= NULL
;
189 CK_TOKEN_INFO updated_token_info
;
196 token_label
= pkcs11_token_label(token_info
);
200 token_uri
= uri_from_token_info(token_info
);
204 uri_result
= p11_kit_uri_format(token_uri
, P11_KIT_URI_FOR_ANY
, &token_uri_string
);
205 if (uri_result
!= P11_KIT_URI_OK
)
206 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN
), "Failed to format slot URI: %s", p11_kit_uri_message(uri_result
));
208 if (FLAGS_SET(token_info
->flags
, CKF_PROTECTED_AUTHENTICATION_PATH
)) {
209 rv
= m
->C_Login(session
, CKU_USER
, NULL
, 0);
211 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
212 "Failed to log into security token '%s': %s", token_label
, p11_kit_strerror(rv
));
214 log_info("Successfully logged into security token '%s' via protected authentication path.", token_label
);
216 *ret_used_pin
= NULL
;
220 if (!FLAGS_SET(token_info
->flags
, CKF_LOGIN_REQUIRED
)) {
221 log_info("No login into security token '%s' required.", token_label
);
223 *ret_used_pin
= NULL
;
227 token_uri_escaped
= cescape(token_uri_string
);
228 if (!token_uri_escaped
)
231 id
= strjoin("pkcs11:", token_uri_escaped
);
235 for (unsigned tries
= 0; tries
< 3; tries
++) {
236 _cleanup_strv_free_erase_
char **passwords
= NULL
;
241 passwords
= strv_new(e
);
246 if (unsetenv("PIN") < 0)
247 return log_error_errno(errno
, "Failed to unset $PIN: %m");
249 _cleanup_free_
char *text
= NULL
;
251 if (FLAGS_SET(token_info
->flags
, CKF_USER_PIN_FINAL_TRY
))
253 "Please enter correct PIN for security token '%s' in order to unlock %s (final try):",
254 token_label
, friendly_name
);
255 else if (FLAGS_SET(token_info
->flags
, CKF_USER_PIN_COUNT_LOW
))
257 "PIN has been entered incorrectly previously, please enter correct PIN for security token '%s' in order to unlock %s:",
258 token_label
, friendly_name
);
261 "Please enter PIN for security token '%s' in order to unlock %s:",
262 token_label
, friendly_name
);
265 "Please enter PIN for security token '%s' in order to unlock %s (try #%u):",
266 token_label
, friendly_name
, tries
+1);
270 /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
271 r
= ask_password_auto(text
, icon_name
, id
, keyname
, until
, 0, &passwords
);
273 return log_error_errno(r
, "Failed to query PIN for security token '%s': %m", token_label
);
276 STRV_FOREACH(i
, passwords
) {
277 rv
= m
->C_Login(session
, CKU_USER
, (CK_UTF8CHAR
*) *i
, strlen(*i
));
290 log_info("Successfully logged into security token '%s'.", token_label
);
293 if (rv
== CKR_PIN_LOCKED
)
294 return log_error_errno(SYNTHETIC_ERRNO(EPERM
),
295 "PIN has been locked, please reset PIN of security token '%s'.", token_label
);
296 if (!IN_SET(rv
, CKR_PIN_INCORRECT
, CKR_PIN_LEN_RANGE
))
297 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
298 "Failed to log into security token '%s': %s", token_label
, p11_kit_strerror(rv
));
300 /* Referesh the token info, so that we can prompt knowing the new flags if they changed. */
301 rv
= m
->C_GetTokenInfo(slotid
, &updated_token_info
);
303 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
304 "Failed to acquire updated security token information for slot %lu: %s",
305 slotid
, p11_kit_strerror(rv
));
307 token_info
= &updated_token_info
;
308 log_notice("PIN for token '%s' is incorrect, please try again.", token_label
);
312 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Too many attempts to log into token '%s'.", token_label
);
315 int pkcs11_token_find_x509_certificate(
317 CK_SESSION_HANDLE session
,
318 P11KitUri
*search_uri
,
319 CK_OBJECT_HANDLE
*ret_object
) {
321 bool found_class
= false, found_certificate_type
= false;
322 _cleanup_free_ CK_ATTRIBUTE
*attributes_buffer
= NULL
;
323 CK_ULONG n_attributes
, a
, n_objects
;
324 CK_ATTRIBUTE
*attributes
= NULL
;
325 CK_OBJECT_HANDLE objects
[2];
332 attributes
= p11_kit_uri_get_attributes(search_uri
, &n_attributes
);
333 for (a
= 0; a
< n_attributes
; a
++) {
335 /* We use the URI's included match attributes, but make them more strict. This allows users
336 * to specify a token URL instead of an object URL and the right thing should happen if
337 * there's only one suitable key on the token. */
339 switch (attributes
[a
].type
) {
344 if (attributes
[a
].ulValueLen
!= sizeof(c
))
345 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid PKCS#11 CKA_CLASS attribute size.");
347 memcpy(&c
, attributes
[a
].pValue
, sizeof(c
));
348 if (c
!= CKO_CERTIFICATE
)
349 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
355 case CKA_CERTIFICATE_TYPE
: {
356 CK_CERTIFICATE_TYPE t
;
358 if (attributes
[a
].ulValueLen
!= sizeof(t
))
359 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid PKCS#11 CKA_CERTIFICATE_TYPE attribute size.");
361 memcpy(&t
, attributes
[a
].pValue
, sizeof(t
));
363 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
365 found_certificate_type
= true;
370 if (!found_class
|| !found_certificate_type
) {
371 /* Hmm, let's slightly extend the attribute list we search for */
373 attributes_buffer
= new(CK_ATTRIBUTE
, n_attributes
+ !found_class
+ !found_certificate_type
);
374 if (!attributes_buffer
)
377 memcpy(attributes_buffer
, attributes
, sizeof(CK_ATTRIBUTE
) * n_attributes
);
380 static const CK_OBJECT_CLASS
class = CKO_CERTIFICATE
;
382 attributes_buffer
[n_attributes
++] = (CK_ATTRIBUTE
) {
384 .pValue
= (CK_OBJECT_CLASS
*) &class,
385 .ulValueLen
= sizeof(class),
389 if (!found_certificate_type
) {
390 static const CK_CERTIFICATE_TYPE type
= CKC_X_509
;
392 attributes_buffer
[n_attributes
++] = (CK_ATTRIBUTE
) {
393 .type
= CKA_CERTIFICATE_TYPE
,
394 .pValue
= (CK_CERTIFICATE_TYPE
*) &type
,
395 .ulValueLen
= sizeof(type
),
399 attributes
= attributes_buffer
;
402 rv
= m
->C_FindObjectsInit(session
, attributes
, n_attributes
);
404 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
405 "Failed to initialize object find call: %s", p11_kit_strerror(rv
));
407 rv
= m
->C_FindObjects(session
, objects
, ELEMENTSOF(objects
), &n_objects
);
408 rv2
= m
->C_FindObjectsFinal(session
);
410 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
411 "Failed to find objects: %s", p11_kit_strerror(rv
));
413 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
414 "Failed to finalize object find call: %s", p11_kit_strerror(rv
));
416 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
),
417 "Failed to find selected X509 certificate on token.");
419 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ
),
420 "Configured URI matches multiple certificates, refusing.");
422 *ret_object
= objects
[0];
427 int pkcs11_token_read_x509_certificate(
429 CK_SESSION_HANDLE session
,
430 CK_OBJECT_HANDLE object
,
433 _cleanup_free_
void *buffer
= NULL
;
434 _cleanup_free_
char *t
= NULL
;
435 CK_ATTRIBUTE attribute
= {
439 _cleanup_(X509_freep
) X509
*x509
= NULL
;
440 X509_NAME
*name
= NULL
;
441 const unsigned char *p
;
443 rv
= m
->C_GetAttributeValue(session
, object
, &attribute
, 1);
445 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
446 "Failed to read X.509 certificate size off token: %s", p11_kit_strerror(rv
));
448 buffer
= malloc(attribute
.ulValueLen
);
452 attribute
.pValue
= buffer
;
454 rv
= m
->C_GetAttributeValue(session
, object
, &attribute
, 1);
456 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
457 "Failed to read X.509 certificate data off token: %s", p11_kit_strerror(rv
));
459 p
= attribute
.pValue
;
460 x509
= d2i_X509(NULL
, &p
, attribute
.ulValueLen
);
462 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Failed parse X.509 certificate.");
464 name
= X509_get_subject_name(x509
);
466 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Failed to acquire X.509 subject name.");
468 t
= X509_NAME_oneline(name
, NULL
, 0);
470 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Failed to format X.509 subject name as string.");
472 log_debug("Using X.509 certificate issued for '%s'.", t
);
474 *ret_cert
= TAKE_PTR(x509
);
479 int pkcs11_token_find_private_key(
481 CK_SESSION_HANDLE session
,
482 P11KitUri
*search_uri
,
483 CK_OBJECT_HANDLE
*ret_object
) {
485 bool found_decrypt
= false, found_class
= false, found_key_type
= false;
486 _cleanup_free_ CK_ATTRIBUTE
*attributes_buffer
= NULL
;
487 CK_ULONG n_attributes
, a
, n_objects
;
488 CK_ATTRIBUTE
*attributes
= NULL
;
489 CK_OBJECT_HANDLE objects
[2];
496 attributes
= p11_kit_uri_get_attributes(search_uri
, &n_attributes
);
497 for (a
= 0; a
< n_attributes
; a
++) {
499 /* We use the URI's included match attributes, but make them more strict. This allows users
500 * to specify a token URL instead of an object URL and the right thing should happen if
501 * there's only one suitable key on the token. */
503 switch (attributes
[a
].type
) {
508 if (attributes
[a
].ulValueLen
!= sizeof(c
))
509 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid PKCS#11 CKA_CLASS attribute size.");
511 memcpy(&c
, attributes
[a
].pValue
, sizeof(c
));
512 if (c
!= CKO_PRIVATE_KEY
)
513 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
514 "Selected PKCS#11 object is not a private key, refusing.");
523 if (attributes
[a
].ulValueLen
!= sizeof(b
))
524 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid PKCS#11 CKA_DECRYPT attribute size.");
526 memcpy(&b
, attributes
[a
].pValue
, sizeof(b
));
528 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
529 "Selected PKCS#11 object is not suitable for decryption, refusing.");
531 found_decrypt
= true;
538 if (attributes
[a
].ulValueLen
!= sizeof(t
))
539 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid PKCS#11 CKA_KEY_TYPE attribute size.");
541 memcpy(&t
, attributes
[a
].pValue
, sizeof(t
));
543 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Selected PKCS#11 object is not an RSA key, refusing.");
545 found_key_type
= true;
550 if (!found_decrypt
|| !found_class
|| !found_key_type
) {
551 /* Hmm, let's slightly extend the attribute list we search for */
553 attributes_buffer
= new(CK_ATTRIBUTE
, n_attributes
+ !found_decrypt
+ !found_class
+ !found_key_type
);
554 if (!attributes_buffer
)
557 memcpy(attributes_buffer
, attributes
, sizeof(CK_ATTRIBUTE
) * n_attributes
);
559 if (!found_decrypt
) {
560 static const CK_BBOOL yes
= true;
562 attributes_buffer
[n_attributes
++] = (CK_ATTRIBUTE
) {
564 .pValue
= (CK_BBOOL
*) &yes
,
565 .ulValueLen
= sizeof(yes
),
570 static const CK_OBJECT_CLASS
class = CKO_PRIVATE_KEY
;
572 attributes_buffer
[n_attributes
++] = (CK_ATTRIBUTE
) {
574 .pValue
= (CK_OBJECT_CLASS
*) &class,
575 .ulValueLen
= sizeof(class),
579 if (!found_key_type
) {
580 static const CK_KEY_TYPE type
= CKK_RSA
;
582 attributes_buffer
[n_attributes
++] = (CK_ATTRIBUTE
) {
583 .type
= CKA_KEY_TYPE
,
584 .pValue
= (CK_KEY_TYPE
*) &type
,
585 .ulValueLen
= sizeof(type
),
589 attributes
= attributes_buffer
;
592 rv
= m
->C_FindObjectsInit(session
, attributes
, n_attributes
);
594 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
595 "Failed to initialize object find call: %s", p11_kit_strerror(rv
));
597 rv
= m
->C_FindObjects(session
, objects
, ELEMENTSOF(objects
), &n_objects
);
598 rv2
= m
->C_FindObjectsFinal(session
);
600 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
601 "Failed to find objects: %s", p11_kit_strerror(rv
));
603 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
604 "Failed to finalize object find call: %s", p11_kit_strerror(rv
));
606 return log_error_errno(SYNTHETIC_ERRNO(ENOENT
),
607 "Failed to find selected private key suitable for decryption on token.");
609 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ
),
610 "Configured private key URI matches multiple keys, refusing.");
612 *ret_object
= objects
[0];
616 int pkcs11_token_decrypt_data(
618 CK_SESSION_HANDLE session
,
619 CK_OBJECT_HANDLE object
,
620 const void *encrypted_data
,
621 size_t encrypted_data_size
,
622 void **ret_decrypted_data
,
623 size_t *ret_decrypted_data_size
) {
625 static const CK_MECHANISM mechanism
= {
626 .mechanism
= CKM_RSA_PKCS
628 _cleanup_(erase_and_freep
) CK_BYTE
*dbuffer
= NULL
;
629 CK_ULONG dbuffer_size
= 0;
633 assert(encrypted_data
);
634 assert(encrypted_data_size
> 0);
635 assert(ret_decrypted_data
);
636 assert(ret_decrypted_data_size
);
638 rv
= m
->C_DecryptInit(session
, (CK_MECHANISM
*) &mechanism
, object
);
640 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
641 "Failed to initialize decryption on security token: %s", p11_kit_strerror(rv
));
643 dbuffer_size
= encrypted_data_size
; /* Start with something reasonable */
644 dbuffer
= malloc(dbuffer_size
);
648 rv
= m
->C_Decrypt(session
, (CK_BYTE
*) encrypted_data
, encrypted_data_size
, dbuffer
, &dbuffer_size
);
649 if (rv
== CKR_BUFFER_TOO_SMALL
) {
650 erase_and_free(dbuffer
);
652 dbuffer
= malloc(dbuffer_size
);
656 rv
= m
->C_Decrypt(session
, (CK_BYTE
*) encrypted_data
, encrypted_data_size
, dbuffer
, &dbuffer_size
);
659 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
660 "Failed to decrypt key on security token: %s", p11_kit_strerror(rv
));
662 log_info("Successfully decrypted key with security token.");
664 *ret_decrypted_data
= TAKE_PTR(dbuffer
);
665 *ret_decrypted_data_size
= dbuffer_size
;
669 int pkcs11_token_acquire_rng(
671 CK_SESSION_HANDLE session
) {
673 _cleanup_free_
void *buffer
= NULL
;
674 _cleanup_close_
int fd
= -1;
681 /* While we are at it, let's read some RNG data from the PKCS#11 token and pass it to the kernel
682 * random pool. This should be cheap if we are talking to the device already. Note that we don't
683 * credit any entropy, since we don't know about the quality of the pkcs#11 token's RNG. Why bother
684 * at all? There are two sides to the argument whether to generate private keys on tokens or on the
685 * host. By crediting some data from the token RNG to the host's pool we at least can say that any
686 * key generated from it is at least as good as both sources individually. */
688 rps
= random_pool_size();
690 buffer
= malloc(rps
);
694 rv
= m
->C_GenerateRandom(session
, buffer
, rps
);
696 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
),
697 "Failed to generate RNG data on security token: %s", p11_kit_strerror(rv
));
699 fd
= open("/dev/urandom", O_WRONLY
|O_CLOEXEC
|O_NOCTTY
);
701 return log_debug_errno(errno
, "Failed to open /dev/urandom for writing: %m");
703 r
= loop_write(fd
, buffer
, rps
, false);
705 return log_debug_errno(r
, "Failed to write PKCS#11 acquired random data to /dev/urandom: %m");
707 log_debug("Successfully written %zu bytes random data acquired via PKCS#11 to kernel random pool.", rps
);
712 static int token_process(
715 const CK_SLOT_INFO
*slot_info
,
716 const CK_TOKEN_INFO
*token_info
,
717 P11KitUri
*search_uri
,
718 pkcs11_find_token_callback_t callback
,
721 _cleanup_free_
char *token_label
= NULL
;
722 CK_SESSION_HANDLE session
;
730 token_label
= pkcs11_token_label(token_info
);
734 rv
= m
->C_OpenSession(slotid
, CKF_SERIAL_SESSION
, NULL
, NULL
, &session
);
736 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
737 "Failed to create session for security token '%s': %s", token_label
, p11_kit_strerror(rv
));
740 r
= callback(m
, session
, slotid
, slot_info
, token_info
, search_uri
, userdata
);
742 r
= 1; /* if not callback was specified, just say we found what we were looking for */
744 rv
= m
->C_CloseSession(session
);
746 log_warning("Failed to close session on PKCS#11 token, ignoring: %s", p11_kit_strerror(rv
));
751 static int slot_process(
754 P11KitUri
*search_uri
,
755 pkcs11_find_token_callback_t callback
,
758 _cleanup_(p11_kit_uri_freep
) P11KitUri
* slot_uri
= NULL
, *token_uri
= NULL
;
759 _cleanup_free_
char *token_uri_string
= NULL
;
760 CK_TOKEN_INFO token_info
;
761 CK_SLOT_INFO slot_info
;
767 /* We return -EAGAIN for all failures we can attribute to a specific slot in some way, so that the
768 * caller might try other slots before giving up. */
770 rv
= m
->C_GetSlotInfo(slotid
, &slot_info
);
772 log_warning("Failed to acquire slot info for slot %lu, ignoring slot: %s", slotid
, p11_kit_strerror(rv
));
776 slot_uri
= uri_from_slot_info(&slot_info
);
781 _cleanup_free_
char *slot_uri_string
= NULL
;
783 uri_result
= p11_kit_uri_format(slot_uri
, P11_KIT_URI_FOR_ANY
, &slot_uri_string
);
784 if (uri_result
!= P11_KIT_URI_OK
) {
785 log_warning("Failed to format slot URI, ignoring slot: %s", p11_kit_uri_message(uri_result
));
789 log_debug("Found slot with URI %s", slot_uri_string
);
792 rv
= m
->C_GetTokenInfo(slotid
, &token_info
);
793 if (rv
== CKR_TOKEN_NOT_PRESENT
) {
794 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN
),
795 "Token not present in slot, ignoring.");
796 } else if (rv
!= CKR_OK
) {
797 log_warning("Failed to acquire token info for slot %lu, ignoring slot: %s", slotid
, p11_kit_strerror(rv
));
801 token_uri
= uri_from_token_info(&token_info
);
805 uri_result
= p11_kit_uri_format(token_uri
, P11_KIT_URI_FOR_ANY
, &token_uri_string
);
806 if (uri_result
!= P11_KIT_URI_OK
) {
807 log_warning("Failed to format slot URI: %s", p11_kit_uri_message(uri_result
));
811 if (search_uri
&& !p11_kit_uri_match_token_info(search_uri
, &token_info
))
812 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN
),
813 "Found non-matching token with URI %s.",
816 log_debug("Found matching token with URI %s.", token_uri_string
);
818 return token_process(
828 static int module_process(
830 P11KitUri
*search_uri
,
831 pkcs11_find_token_callback_t callback
,
834 _cleanup_free_
char *name
= NULL
, *module_uri_string
= NULL
;
835 _cleanup_(p11_kit_uri_freep
) P11KitUri
* module_uri
= NULL
;
836 _cleanup_free_ CK_SLOT_ID
*slotids
= NULL
;
837 CK_ULONG n_slotids
= 0;
846 /* We ignore most errors from modules here, in order to skip over faulty modules: one faulty module
847 * should not have the effect that we don't try the others anymore. We indicate such per-module
848 * failures with -EAGAIN, which let's the caller try the next module. */
850 name
= p11_kit_module_get_name(m
);
854 log_debug("Trying PKCS#11 module %s.", name
);
856 rv
= m
->C_GetInfo(&info
);
858 log_warning("Failed to get info on PKCS#11 module, ignoring module: %s", p11_kit_strerror(rv
));
862 module_uri
= uri_from_module_info(&info
);
866 uri_result
= p11_kit_uri_format(module_uri
, P11_KIT_URI_FOR_ANY
, &module_uri_string
);
867 if (uri_result
!= P11_KIT_URI_OK
) {
868 log_warning("Failed to format module URI, ignoring module: %s", p11_kit_uri_message(uri_result
));
872 log_debug("Found module with URI %s", module_uri_string
);
874 rv
= pkcs11_get_slot_list_malloc(m
, &slotids
, &n_slotids
);
876 log_warning("Failed to get slot list, ignoring module: %s", p11_kit_strerror(rv
));
880 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN
),
881 "This module has no slots? Ignoring module.");
883 for (k
= 0; k
< n_slotids
; k
++) {
897 int pkcs11_find_token(
898 const char *pkcs11_uri
,
899 pkcs11_find_token_callback_t callback
,
902 _cleanup_(p11_kit_modules_finalize_and_releasep
) CK_FUNCTION_LIST
**modules
= NULL
;
903 _cleanup_(p11_kit_uri_freep
) P11KitUri
*search_uri
= NULL
;
906 /* Execute the specified callback for each matching token found. If nothing is found returns
907 * -EAGAIN. Logs about all errors, except for EAGAIN, which the caller has to log about. */
910 r
= uri_from_string(pkcs11_uri
, &search_uri
);
912 return log_error_errno(r
, "Failed to parse PKCS#11 URI '%s': %m", pkcs11_uri
);
915 modules
= p11_kit_modules_load_and_initialize(0);
917 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Failed to initialize pkcs11 modules");
919 for (CK_FUNCTION_LIST
**i
= modules
; *i
; i
++) {