]>
Commit | Line | Data |
---|---|---|
93295a25 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | ||
3 | #include "errno-util.h" | |
4 | #include "hexdecoct.h" | |
5 | #include "homectl-pkcs11.h" | |
6 | #include "libcrypt-util.h" | |
7 | #include "memory-util.h" | |
8 | #include "openssl-util.h" | |
9 | #include "pkcs11-util.h" | |
10 | #include "random-util.h" | |
11 | #include "strv.h" | |
12 | ||
13 | struct pkcs11_callback_data { | |
14 | char *pin_used; | |
15 | X509 *cert; | |
16 | }; | |
17 | ||
18 | static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) { | |
19 | erase_and_free(data->pin_used); | |
20 | X509_free(data->cert); | |
21 | } | |
22 | ||
23 | #if HAVE_P11KIT | |
24 | static int pkcs11_callback( | |
25 | CK_FUNCTION_LIST *m, | |
26 | CK_SESSION_HANDLE session, | |
27 | CK_SLOT_ID slot_id, | |
28 | const CK_SLOT_INFO *slot_info, | |
29 | const CK_TOKEN_INFO *token_info, | |
30 | P11KitUri *uri, | |
31 | void *userdata) { | |
32 | ||
33 | _cleanup_(erase_and_freep) char *pin_used = NULL; | |
34 | struct pkcs11_callback_data *data = userdata; | |
35 | CK_OBJECT_HANDLE object; | |
36 | int r; | |
37 | ||
38 | assert(m); | |
39 | assert(slot_info); | |
40 | assert(token_info); | |
41 | assert(uri); | |
42 | assert(data); | |
43 | ||
44 | /* Called for every token matching our URI */ | |
45 | ||
46 | r = pkcs11_token_login(m, session, slot_id, token_info, "home directory operation", "user-home", "pkcs11-pin", UINT64_MAX, &pin_used); | |
47 | if (r < 0) | |
48 | return r; | |
49 | ||
50 | r = pkcs11_token_find_x509_certificate(m, session, uri, &object); | |
51 | if (r < 0) | |
52 | return r; | |
53 | ||
54 | r = pkcs11_token_read_x509_certificate(m, session, object, &data->cert); | |
55 | if (r < 0) | |
56 | return r; | |
57 | ||
58 | /* Let's read some random data off the token and write it to the kernel pool before we generate our | |
59 | * random key from it. This way we can claim the quality of the RNG is at least as good as the | |
60 | * kernel's and the token's pool */ | |
61 | (void) pkcs11_token_acquire_rng(m, session); | |
62 | ||
63 | data->pin_used = TAKE_PTR(pin_used); | |
64 | return 1; | |
65 | } | |
66 | #endif | |
67 | ||
68 | static int acquire_pkcs11_certificate( | |
69 | const char *uri, | |
70 | X509 **ret_cert, | |
71 | char **ret_pin_used) { | |
72 | ||
73 | #if HAVE_P11KIT | |
74 | _cleanup_(pkcs11_callback_data_release) struct pkcs11_callback_data data = {}; | |
75 | int r; | |
76 | ||
77 | r = pkcs11_find_token(uri, pkcs11_callback, &data); | |
78 | if (r == -EAGAIN) /* pkcs11_find_token() doesn't log about this error, but all others */ | |
79 | return log_error_errno(ENXIO, "Specified PKCS#11 token with URI '%s' not found.", uri); | |
80 | if (r < 0) | |
81 | return r; | |
82 | ||
83 | *ret_cert = TAKE_PTR(data.cert); | |
84 | *ret_pin_used = TAKE_PTR(data.pin_used); | |
85 | ||
86 | return 0; | |
87 | #else | |
88 | return log_error_errno(EOPNOTSUPP, "PKCS#11 tokens not supported on this build."); | |
89 | #endif | |
90 | } | |
91 | ||
92 | static int encrypt_bytes( | |
93 | EVP_PKEY *pkey, | |
94 | const void *decrypted_key, | |
95 | size_t decrypted_key_size, | |
96 | void **ret_encrypt_key, | |
97 | size_t *ret_encrypt_key_size) { | |
98 | ||
99 | _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = NULL; | |
100 | _cleanup_free_ void *b = NULL; | |
101 | size_t l; | |
102 | ||
103 | ctx = EVP_PKEY_CTX_new(pkey, NULL); | |
104 | if (!ctx) | |
105 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to allocate public key context"); | |
106 | ||
107 | if (EVP_PKEY_encrypt_init(ctx) <= 0) | |
108 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize public key context"); | |
109 | ||
110 | if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) | |
111 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to configure PKCS#1 padding"); | |
112 | ||
113 | if (EVP_PKEY_encrypt(ctx, NULL, &l, decrypted_key, decrypted_key_size) <= 0) | |
114 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size"); | |
115 | ||
116 | b = malloc(l); | |
117 | if (!b) | |
118 | return log_oom(); | |
119 | ||
120 | if (EVP_PKEY_encrypt(ctx, b, &l, decrypted_key, decrypted_key_size) <= 0) | |
121 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine encrypted key size"); | |
122 | ||
123 | *ret_encrypt_key = TAKE_PTR(b); | |
124 | *ret_encrypt_key_size = l; | |
125 | ||
126 | return 0; | |
127 | } | |
128 | ||
129 | static int add_pkcs11_encrypted_key( | |
130 | JsonVariant **v, | |
131 | const char *uri, | |
132 | const void *encrypted_key, size_t encrypted_key_size, | |
133 | const void *decrypted_key, size_t decrypted_key_size) { | |
134 | ||
135 | _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; | |
136 | _cleanup_(erase_and_freep) char *base64_encoded = NULL; | |
137 | _cleanup_free_ char *salt = NULL; | |
138 | struct crypt_data cd = {}; | |
139 | char *k; | |
140 | int r; | |
141 | ||
142 | assert(v); | |
143 | assert(uri); | |
144 | assert(encrypted_key); | |
145 | assert(encrypted_key_size > 0); | |
146 | assert(decrypted_key); | |
147 | assert(decrypted_key_size > 0); | |
148 | ||
149 | r = make_salt(&salt); | |
150 | if (r < 0) | |
151 | return log_error_errno(r, "Failed to generate salt: %m"); | |
152 | ||
153 | /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends | |
154 | * expect a NUL terminated string, and we use a binary key */ | |
155 | r = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); | |
156 | if (r < 0) | |
157 | return log_error_errno(r, "Failed to base64 encode secret key: %m"); | |
158 | ||
159 | errno = 0; | |
160 | k = crypt_r(base64_encoded, salt, &cd); | |
161 | if (!k) | |
162 | return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m"); | |
163 | ||
164 | r = json_build(&e, JSON_BUILD_OBJECT( | |
165 | JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)), | |
166 | JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)), | |
167 | JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(k)))); | |
168 | if (r < 0) | |
169 | return log_error_errno(r, "Failed to build encrypted JSON key object: %m"); | |
170 | ||
171 | w = json_variant_ref(json_variant_by_key(*v, "privileged")); | |
172 | l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey")); | |
173 | ||
174 | r = json_variant_append_array(&l, e); | |
175 | if (r < 0) | |
176 | return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m"); | |
177 | ||
178 | r = json_variant_set_field(&w, "pkcs11EncryptedKey", l); | |
179 | if (r < 0) | |
180 | return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m"); | |
181 | ||
182 | r = json_variant_set_field(v, "privileged", w); | |
183 | if (r < 0) | |
184 | return log_error_errno(r, "Failed to update privileged field: %m"); | |
185 | ||
186 | return 0; | |
187 | } | |
188 | ||
189 | static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) { | |
190 | _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; | |
191 | _cleanup_strv_free_ char **l = NULL; | |
192 | int r; | |
193 | ||
194 | assert(v); | |
195 | assert(uri); | |
196 | ||
197 | w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri")); | |
198 | if (w) { | |
199 | r = json_variant_strv(w, &l); | |
200 | if (r < 0) | |
201 | return log_error_errno(r, "Failed to parse PKCS#11 token list: %m"); | |
202 | ||
203 | if (strv_contains(l, uri)) | |
204 | return 0; | |
205 | } | |
206 | ||
207 | r = strv_extend(&l, uri); | |
208 | if (r < 0) | |
209 | return log_oom(); | |
210 | ||
211 | w = json_variant_unref(w); | |
212 | r = json_variant_new_array_strv(&w, l); | |
213 | if (r < 0) | |
214 | return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m"); | |
215 | ||
216 | r = json_variant_set_field(v, "pkcs11TokenUri", w); | |
217 | if (r < 0) | |
218 | return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m"); | |
219 | ||
220 | return 0; | |
221 | } | |
222 | ||
223 | int identity_add_token_pin(JsonVariant **v, const char *pin) { | |
224 | _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; | |
225 | _cleanup_(strv_free_erasep) char **pins = NULL; | |
226 | int r; | |
227 | ||
228 | assert(v); | |
229 | ||
230 | if (isempty(pin)) | |
231 | return 0; | |
232 | ||
233 | w = json_variant_ref(json_variant_by_key(*v, "secret")); | |
234 | l = json_variant_ref(json_variant_by_key(w, "tokenPin")); | |
235 | ||
236 | r = json_variant_strv(l, &pins); | |
237 | if (r < 0) | |
238 | return log_error_errno(r, "Failed to convert PIN array: %m"); | |
239 | ||
240 | if (strv_find(pins, pin)) | |
241 | return 0; | |
242 | ||
243 | r = strv_extend(&pins, pin); | |
244 | if (r < 0) | |
245 | return log_oom(); | |
246 | ||
247 | strv_uniq(pins); | |
248 | ||
249 | l = json_variant_unref(l); | |
250 | ||
251 | r = json_variant_new_array_strv(&l, pins); | |
252 | if (r < 0) | |
253 | return log_error_errno(r, "Failed to allocate new PIN array JSON: %m"); | |
254 | ||
255 | json_variant_sensitive(l); | |
256 | ||
257 | r = json_variant_set_field(&w, "tokenPin", l); | |
258 | if (r < 0) | |
259 | return log_error_errno(r, "Failed to update PIN field: %m"); | |
260 | ||
261 | r = json_variant_set_field(v, "secret", w); | |
262 | if (r < 0) | |
263 | return log_error_errno(r, "Failed to update secret object: %m"); | |
264 | ||
265 | return 1; | |
266 | } | |
267 | ||
268 | int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) { | |
269 | _cleanup_(erase_and_freep) void *decrypted_key = NULL, *encrypted_key = NULL; | |
270 | _cleanup_(erase_and_freep) char *pin = NULL; | |
271 | size_t decrypted_key_size, encrypted_key_size; | |
272 | _cleanup_(X509_freep) X509 *cert = NULL; | |
273 | EVP_PKEY *pkey; | |
274 | RSA *rsa; | |
275 | int bits; | |
276 | int r; | |
277 | ||
278 | assert(v); | |
279 | ||
280 | r = acquire_pkcs11_certificate(uri, &cert, &pin); | |
281 | if (r < 0) | |
282 | return r; | |
283 | ||
284 | pkey = X509_get0_pubkey(cert); | |
285 | if (!pkey) | |
286 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate."); | |
287 | ||
288 | if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA) | |
289 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key."); | |
290 | ||
291 | rsa = EVP_PKEY_get0_RSA(pkey); | |
292 | if (!rsa) | |
293 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate."); | |
294 | ||
295 | bits = RSA_bits(rsa); | |
296 | log_debug("Bits in RSA key: %i", bits); | |
297 | ||
298 | /* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only | |
299 | * generate a random key half the size of the RSA length */ | |
300 | decrypted_key_size = bits / 8 / 2; | |
301 | ||
302 | if (decrypted_key_size < 1) | |
303 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Uh, RSA key size too short?"); | |
304 | ||
305 | log_debug("Generating %zu bytes random key.", decrypted_key_size); | |
306 | ||
307 | decrypted_key = malloc(decrypted_key_size); | |
308 | if (!decrypted_key) | |
309 | return log_oom(); | |
310 | ||
311 | r = genuine_random_bytes(decrypted_key, decrypted_key_size, RANDOM_BLOCK); | |
312 | if (r < 0) | |
313 | return log_error_errno(r, "Failed to generate random key: %m"); | |
314 | ||
315 | r = encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size); | |
316 | if (r < 0) | |
317 | return log_error_errno(r, "Failed to encrypt key: %m"); | |
318 | ||
319 | /* Add the token URI to the public part of the record. */ | |
320 | r = add_pkcs11_token_uri(v, uri); | |
321 | if (r < 0) | |
322 | return r; | |
323 | ||
324 | /* Include the encrypted version of the random key we just generated in the privileged part of the record */ | |
325 | r = add_pkcs11_encrypted_key( | |
326 | v, | |
327 | uri, | |
328 | encrypted_key, encrypted_key_size, | |
329 | decrypted_key, decrypted_key_size); | |
330 | if (r < 0) | |
331 | return r; | |
332 | ||
333 | /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed | |
334 | * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or | |
335 | * fscrypt. */ | |
336 | r = identity_add_token_pin(v, pin); | |
337 | if (r < 0) | |
338 | return r; | |
339 | ||
340 | return 0; | |
341 | } |