]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/shared/pkcs11-util.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wide: use ASSERT_PTR more
[thirdparty/systemd.git] / src / shared / pkcs11-util.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
839fddbe
LP		 2
3#include <fcntl.h>
4
5#include "ask-password-api.h"
7a6abbe9 6#include "env-util.h"
839fddbe
LP		 7#include "escape.h"
8#include "fd-util.h"
f240cbb6 9#include "format-table.h"
839fddbe
LP		 10#include "io-util.h"
11#include "memory-util.h"
12#if HAVE_OPENSSL
13#include "openssl-util.h"
14#endif
15#include "pkcs11-util.h"
16#include "random-util.h"
17#include "string-util.h"
18#include "strv.h"
19
20bool pkcs11_uri_valid(const char *uri) {
21 const char *p;
22
23 /* A very superficial checker for RFC7512 PKCS#11 URI syntax */
24
25 if (isempty(uri))
26 return false;
27
28 p = startswith(uri, "pkcs11:");
29 if (!p)
30 return false;
31
32 if (isempty(p))
33 return false;
34
b204bdd4 35 if (!in_charset(p, ALPHANUMERICAL ".~/-_?;&%="))
839fddbe
LP		 36 return false;
37
38 return true;
39}
40
41#if HAVE_P11KIT
42
43int uri_from_string(const char *p, P11KitUri **ret) {
44 _cleanup_(p11_kit_uri_freep) P11KitUri *uri = NULL;
45
46 assert(p);
47 assert(ret);
48
49 uri = p11_kit_uri_new();
50 if (!uri)
51 return -ENOMEM;
52
53 if (p11_kit_uri_parse(p, P11_KIT_URI_FOR_ANY, uri) != P11_KIT_URI_OK)
54 return -EINVAL;
55
56 *ret = TAKE_PTR(uri);
57 return 0;
58}
59
60P11KitUri *uri_from_module_info(const CK_INFO *info) {
61 P11KitUri *uri;
62
63 assert(info);
64
65 uri = p11_kit_uri_new();
66 if (!uri)
67 return NULL;
68
69 *p11_kit_uri_get_module_info(uri) = *info;
70 return uri;
71}
72
73P11KitUri *uri_from_slot_info(const CK_SLOT_INFO *slot_info) {
74 P11KitUri *uri;
75
76 assert(slot_info);
77
78 uri = p11_kit_uri_new();
79 if (!uri)
80 return NULL;
81
82 *p11_kit_uri_get_slot_info(uri) = *slot_info;
83 return uri;
84}
85
86P11KitUri *uri_from_token_info(const CK_TOKEN_INFO *token_info) {
87 P11KitUri *uri;
88
89 assert(token_info);
90
91 uri = p11_kit_uri_new();
92 if (!uri)
93 return NULL;
94
95 *p11_kit_uri_get_token_info(uri) = *token_info;
96 return uri;
97}
98
99CK_RV pkcs11_get_slot_list_malloc(
100 CK_FUNCTION_LIST *m,
101 CK_SLOT_ID **ret_slotids,
102 CK_ULONG *ret_n_slotids) {
103
104 CK_RV rv;
105
106 assert(m);
107 assert(ret_slotids);
108 assert(ret_n_slotids);
109
110 for (unsigned tries = 0; tries < 16; tries++) {
111 _cleanup_free_ CK_SLOT_ID *slotids = NULL;
112 CK_ULONG n_slotids = 0;
113
114 rv = m->C_GetSlotList(0, NULL, &n_slotids);
115 if (rv != CKR_OK)
116 return rv;
117 if (n_slotids == 0) {
118 *ret_slotids = NULL;
119 *ret_n_slotids = 0;
120 return CKR_OK;
121 }
122
123 slotids = new(CK_SLOT_ID, n_slotids);
124 if (!slotids)
125 return CKR_HOST_MEMORY;
126
127 rv = m->C_GetSlotList(0, slotids, &n_slotids);
128 if (rv == CKR_OK) {
129 *ret_slotids = TAKE_PTR(slotids);
130 *ret_n_slotids = n_slotids;
131 return CKR_OK;
132 }
133
134 if (rv != CKR_BUFFER_TOO_SMALL)
135 return rv;
136
137 /* Hu? Maybe somebody plugged something in and things changed? Let's try again */
138 }
139
140 return CKR_BUFFER_TOO_SMALL;
141}
142
143char *pkcs11_token_label(const CK_TOKEN_INFO *token_info) {
144 char *t;
145
146 /* The label is not NUL terminated and likely padded with spaces, let's make a copy here, so that we
147 * can strip that. */
148 t = strndup((char*) token_info->label, sizeof(token_info->label));
149 if (!t)
150 return NULL;
151
152 strstrip(t);
153 return t;
154}
155
0eb3be46
LP		 156char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info) {
157 char *t;
158
159 t = strndup((char*) token_info->manufacturerID, sizeof(token_info->manufacturerID));
160 if (!t)
161 return NULL;
162
163 strstrip(t);
164 return t;
165}
166
167char *pkcs11_token_model(const CK_TOKEN_INFO *token_info) {
168 char *t;
169
170 t = strndup((char*) token_info->model, sizeof(token_info->model));
171 if (!t)
172 return NULL;
173
174 strstrip(t);
175 return t;
176}
177
0ff60566
OK		 178int pkcs11_token_login_by_pin(
179 CK_FUNCTION_LIST *m,
180 CK_SESSION_HANDLE session,
181 const CK_TOKEN_INFO *token_info,
182 const char *token_label,
183 const void *pin,
184 size_t pin_size) {
185
186 CK_RV rv;
187
188 assert(m);
189 assert(token_info);
190
191 if (FLAGS_SET(token_info->flags, CKF_PROTECTED_AUTHENTICATION_PATH)) {
192 rv = m->C_Login(session, CKU_USER, NULL, 0);
193 if (rv != CKR_OK)
194 return log_error_errno(SYNTHETIC_ERRNO(EIO),
195 "Failed to log into security token '%s': %s", token_label, p11_kit_strerror(rv));
196
197 log_info("Successfully logged into security token '%s' via protected authentication path.", token_label);
198 return 0;
199 }
200
201 if (!FLAGS_SET(token_info->flags, CKF_LOGIN_REQUIRED)) {
202 log_info("No login into security token '%s' required.", token_label);
203 return 0;
204 }
205
206 if (!pin)
207 return -ENOANO;
208
209 rv = m->C_Login(session, CKU_USER, (CK_UTF8CHAR*) pin, pin_size);
210 if (rv == CKR_OK) {
211 log_info("Successfully logged into security token '%s'.", token_label);
212 return 0;
213 }
214
215 if (rv == CKR_PIN_LOCKED)
216 return log_error_errno(SYNTHETIC_ERRNO(EPERM),
217 "PIN has been locked, please reset PIN of security token '%s'.", token_label);
218 if (!IN_SET(rv, CKR_PIN_INCORRECT, CKR_PIN_LEN_RANGE))
219 return log_error_errno(SYNTHETIC_ERRNO(EIO),
220 "Failed to log into security token '%s': %s", token_label, p11_kit_strerror(rv));
221
b98416e1
FS		 222 return log_notice_errno(SYNTHETIC_ERRNO(ENOLCK),
223 "PIN for token '%s' is incorrect, please try again.",
224 token_label);
0ff60566
OK		 225}
226
839fddbe
LP		 227int pkcs11_token_login(
228 CK_FUNCTION_LIST *m,
229 CK_SESSION_HANDLE session,
230 CK_SLOT_ID slotid,
231 const CK_TOKEN_INFO *token_info,
232 const char *friendly_name,
233 const char *icon_name,
8806bb4b
LP		 234 const char *key_name,
235 const char *credential_name,
839fddbe 236 usec_t until,
cd5f57bd 237 bool headless,
839fddbe
LP		 238 char **ret_used_pin) {
239
240 _cleanup_free_ char *token_uri_string = NULL, *token_uri_escaped = NULL, *id = NULL, *token_label = NULL;
241 _cleanup_(p11_kit_uri_freep) P11KitUri *token_uri = NULL;
242 CK_TOKEN_INFO updated_token_info;
0eb3be46 243 int uri_result, r;
839fddbe 244 CK_RV rv;
839fddbe
LP		 245
246 assert(m);
247 assert(token_info);
248
249 token_label = pkcs11_token_label(token_info);
250 if (!token_label)
251 return log_oom();
252
253 token_uri = uri_from_token_info(token_info);
254 if (!token_uri)
255 return log_oom();
256
257 uri_result = p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, &token_uri_string);
258 if (uri_result != P11_KIT_URI_OK)
259 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN), "Failed to format slot URI: %s", p11_kit_uri_message(uri_result));
260
0ff60566
OK		 261 r = pkcs11_token_login_by_pin(m, session, token_info, token_label, /* pin= */ NULL, 0);
262 if (r == 0 && ret_used_pin)
263 *ret_used_pin = NULL;
839fddbe 264
0ff60566
OK		 265 if (r != -ENOANO) /* pin required */
266 return r;
839fddbe
LP		 267
268 token_uri_escaped = cescape(token_uri_string);
269 if (!token_uri_escaped)
270 return log_oom();
271
272 id = strjoin("pkcs11:", token_uri_escaped);
273 if (!id)
274 return log_oom();
275
276 for (unsigned tries = 0; tries < 3; tries++) {
277 _cleanup_strv_free_erase_ char **passwords = NULL;
e99ca147 278 _cleanup_(erase_and_freep) char *envpin = NULL;
e99ca147
LP		 279
280 r = getenv_steal_erase("PIN", &envpin);
281 if (r < 0)
282 return log_error_errno(r, "Failed to acquire PIN from environment: %m");
283 if (r > 0) {
284 passwords = strv_new(envpin);
839fddbe
LP		 285 if (!passwords)
286 return log_oom();
287
cd5f57bd
LB		 288 } else if (headless)
289 return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the 'PIN' environment variable.");
290 else {
c63ec11b
LP		 291 _cleanup_free_ char *text = NULL;
292
293 if (FLAGS_SET(token_info->flags, CKF_USER_PIN_FINAL_TRY))
294 r = asprintf(&text,
295 "Please enter correct PIN for security token '%s' in order to unlock %s (final try):",
296 token_label, friendly_name);
297 else if (FLAGS_SET(token_info->flags, CKF_USER_PIN_COUNT_LOW))
298 r = asprintf(&text,
299 "PIN has been entered incorrectly previously, please enter correct PIN for security token '%s' in order to unlock %s:",
300 token_label, friendly_name);
301 else if (tries == 0)
302 r = asprintf(&text,
303 "Please enter PIN for security token '%s' in order to unlock %s:",
304 token_label, friendly_name);
305 else
306 r = asprintf(&text,
307 "Please enter PIN for security token '%s' in order to unlock %s (try #%u):",
308 token_label, friendly_name, tries+1);
309 if (r < 0)
310 return log_oom();
311
839fddbe 312 /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
8806bb4b 313 r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords);
839fddbe
LP		 314 if (r < 0)
315 return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
316 }
317
318 STRV_FOREACH(i, passwords) {
0ff60566
OK		 319 r = pkcs11_token_login_by_pin(m, session, token_info, token_label, *i, strlen(*i));
320 if (r == 0 && ret_used_pin) {
321 char *c;
839fddbe 322
0ff60566
OK		 323 c = strdup(*i);
324 if (!c)
325 return log_oom();
839fddbe 326
0ff60566 327 *ret_used_pin = c;
839fddbe 328 }
0ff60566
OK		 329
330 if (r != -ENOLCK)
331 return r;
839fddbe
LP		 332
333 /* Referesh the token info, so that we can prompt knowing the new flags if they changed. */
334 rv = m->C_GetTokenInfo(slotid, &updated_token_info);
335 if (rv != CKR_OK)
336 return log_error_errno(SYNTHETIC_ERRNO(EIO),
337 "Failed to acquire updated security token information for slot %lu: %s",
338 slotid, p11_kit_strerror(rv));
339
340 token_info = &updated_token_info;
839fddbe
LP		 341 }
342 }
343
344 return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to log into token '%s'.", token_label);
345}
346
347int pkcs11_token_find_x509_certificate(
348 CK_FUNCTION_LIST *m,
349 CK_SESSION_HANDLE session,
350 P11KitUri *search_uri,
351 CK_OBJECT_HANDLE *ret_object) {
352
353 bool found_class = false, found_certificate_type = false;
354 _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
355 CK_ULONG n_attributes, a, n_objects;
356 CK_ATTRIBUTE *attributes = NULL;
357 CK_OBJECT_HANDLE objects[2];
358 CK_RV rv, rv2;
359
360 assert(m);
361 assert(search_uri);
362 assert(ret_object);
363
364 attributes = p11_kit_uri_get_attributes(search_uri, &n_attributes);
365 for (a = 0; a < n_attributes; a++) {
366
367 /* We use the URI's included match attributes, but make them more strict. This allows users
368 * to specify a token URL instead of an object URL and the right thing should happen if
369 * there's only one suitable key on the token. */
370
371 switch (attributes[a].type) {
372
373 case CKA_CLASS: {
374 CK_OBJECT_CLASS c;
375
376 if (attributes[a].ulValueLen != sizeof(c))
377 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
378
379 memcpy(&c, attributes[a].pValue, sizeof(c));
380 if (c != CKO_CERTIFICATE)
381 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
382
383 found_class = true;
384 break;
385 }
386
387 case CKA_CERTIFICATE_TYPE: {
388 CK_CERTIFICATE_TYPE t;
389
390 if (attributes[a].ulValueLen != sizeof(t))
391 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CERTIFICATE_TYPE attribute size.");
392
393 memcpy(&t, attributes[a].pValue, sizeof(t));
394 if (t != CKC_X_509)
395 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
396
397 found_certificate_type = true;
398 break;
399 }}
400 }
401
402 if (!found_class || !found_certificate_type) {
403 /* Hmm, let's slightly extend the attribute list we search for */
404
405 attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_class + !found_certificate_type);
406 if (!attributes_buffer)
407 return log_oom();
408
409 memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
410
411 if (!found_class) {
412 static const CK_OBJECT_CLASS class = CKO_CERTIFICATE;
413
414 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
415 .type = CKA_CLASS,
416 .pValue = (CK_OBJECT_CLASS*) &class,
417 .ulValueLen = sizeof(class),
418 };
419 }
420
421 if (!found_certificate_type) {
422 static const CK_CERTIFICATE_TYPE type = CKC_X_509;
423
424 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
425 .type = CKA_CERTIFICATE_TYPE,
426 .pValue = (CK_CERTIFICATE_TYPE*) &type,
427 .ulValueLen = sizeof(type),
428 };
429 }
430
431 attributes = attributes_buffer;
432 }
433
434 rv = m->C_FindObjectsInit(session, attributes, n_attributes);
435 if (rv != CKR_OK)
436 return log_error_errno(SYNTHETIC_ERRNO(EIO),
437 "Failed to initialize object find call: %s", p11_kit_strerror(rv));
438
439 rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
440 rv2 = m->C_FindObjectsFinal(session);
441 if (rv != CKR_OK)
442 return log_error_errno(SYNTHETIC_ERRNO(EIO),
443 "Failed to find objects: %s", p11_kit_strerror(rv));
444 if (rv2 != CKR_OK)
445 return log_error_errno(SYNTHETIC_ERRNO(EIO),
446 "Failed to finalize object find call: %s", p11_kit_strerror(rv));
447 if (n_objects == 0)
448 return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
449 "Failed to find selected X509 certificate on token.");
450 if (n_objects > 1)
451 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
452 "Configured URI matches multiple certificates, refusing.");
453
454 *ret_object = objects[0];
455 return 0;
456}
457
458#if HAVE_OPENSSL
459int pkcs11_token_read_x509_certificate(
460 CK_FUNCTION_LIST *m,
461 CK_SESSION_HANDLE session,
462 CK_OBJECT_HANDLE object,
463 X509 **ret_cert) {
464
465 _cleanup_free_ void *buffer = NULL;
466 _cleanup_free_ char *t = NULL;
467 CK_ATTRIBUTE attribute = {
468 .type = CKA_VALUE
469 };
470 CK_RV rv;
471 _cleanup_(X509_freep) X509 *x509 = NULL;
472 X509_NAME *name = NULL;
473 const unsigned char *p;
474
475 rv = m->C_GetAttributeValue(session, object, &attribute, 1);
476 if (rv != CKR_OK)
477 return log_error_errno(SYNTHETIC_ERRNO(EIO),
478 "Failed to read X.509 certificate size off token: %s", p11_kit_strerror(rv));
479
480 buffer = malloc(attribute.ulValueLen);
481 if (!buffer)
482 return log_oom();
483
484 attribute.pValue = buffer;
485
486 rv = m->C_GetAttributeValue(session, object, &attribute, 1);
487 if (rv != CKR_OK)
488 return log_error_errno(SYNTHETIC_ERRNO(EIO),
489 "Failed to read X.509 certificate data off token: %s", p11_kit_strerror(rv));
490
491 p = attribute.pValue;
492 x509 = d2i_X509(NULL, &p, attribute.ulValueLen);
493 if (!x509)
494 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed parse X.509 certificate.");
495
496 name = X509_get_subject_name(x509);
497 if (!name)
498 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to acquire X.509 subject name.");
499
500 t = X509_NAME_oneline(name, NULL, 0);
501 if (!t)
502 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to format X.509 subject name as string.");
503
504 log_debug("Using X.509 certificate issued for '%s'.", t);
505
506 *ret_cert = TAKE_PTR(x509);
507 return 0;
508}
509#endif
510
511int pkcs11_token_find_private_key(
512 CK_FUNCTION_LIST *m,
513 CK_SESSION_HANDLE session,
514 P11KitUri *search_uri,
515 CK_OBJECT_HANDLE *ret_object) {
516
517 bool found_decrypt = false, found_class = false, found_key_type = false;
518 _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
519 CK_ULONG n_attributes, a, n_objects;
520 CK_ATTRIBUTE *attributes = NULL;
521 CK_OBJECT_HANDLE objects[2];
522 CK_RV rv, rv2;
523
524 assert(m);
525 assert(search_uri);
526 assert(ret_object);
527
528 attributes = p11_kit_uri_get_attributes(search_uri, &n_attributes);
529 for (a = 0; a < n_attributes; a++) {
530
531 /* We use the URI's included match attributes, but make them more strict. This allows users
532 * to specify a token URL instead of an object URL and the right thing should happen if
533 * there's only one suitable key on the token. */
534
535 switch (attributes[a].type) {
536
537 case CKA_CLASS: {
538 CK_OBJECT_CLASS c;
539
540 if (attributes[a].ulValueLen != sizeof(c))
541 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
542
543 memcpy(&c, attributes[a].pValue, sizeof(c));
544 if (c != CKO_PRIVATE_KEY)
545 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
546 "Selected PKCS#11 object is not a private key, refusing.");
547
548 found_class = true;
549 break;
550 }
551
552 case CKA_DECRYPT: {
553 CK_BBOOL b;
554
555 if (attributes[a].ulValueLen != sizeof(b))
556 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_DECRYPT attribute size.");
557
558 memcpy(&b, attributes[a].pValue, sizeof(b));
559 if (!b)
560 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
561 "Selected PKCS#11 object is not suitable for decryption, refusing.");
562
563 found_decrypt = true;
564 break;
565 }
566
567 case CKA_KEY_TYPE: {
568 CK_KEY_TYPE t;
569
570 if (attributes[a].ulValueLen != sizeof(t))
571 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_KEY_TYPE attribute size.");
572
573 memcpy(&t, attributes[a].pValue, sizeof(t));
574 if (t != CKK_RSA)
575 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an RSA key, refusing.");
576
577 found_key_type = true;
578 break;
579 }}
580 }
581
582 if (!found_decrypt || !found_class || !found_key_type) {
583 /* Hmm, let's slightly extend the attribute list we search for */
584
585 attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_decrypt + !found_class + !found_key_type);
586 if (!attributes_buffer)
587 return log_oom();
588
589 memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
590
591 if (!found_decrypt) {
592 static const CK_BBOOL yes = true;
593
594 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
595 .type = CKA_DECRYPT,
596 .pValue = (CK_BBOOL*) &yes,
597 .ulValueLen = sizeof(yes),
598 };
599 }
600
601 if (!found_class) {
602 static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
603
604 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
605 .type = CKA_CLASS,
606 .pValue = (CK_OBJECT_CLASS*) &class,
607 .ulValueLen = sizeof(class),
608 };
609 }
610
611 if (!found_key_type) {
612 static const CK_KEY_TYPE type = CKK_RSA;
613
614 attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
615 .type = CKA_KEY_TYPE,
616 .pValue = (CK_KEY_TYPE*) &type,
617 .ulValueLen = sizeof(type),
618 };
619 }
620
621 attributes = attributes_buffer;
622 }
623
624 rv = m->C_FindObjectsInit(session, attributes, n_attributes);
625 if (rv != CKR_OK)
626 return log_error_errno(SYNTHETIC_ERRNO(EIO),
627 "Failed to initialize object find call: %s", p11_kit_strerror(rv));
628
629 rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
630 rv2 = m->C_FindObjectsFinal(session);
631 if (rv != CKR_OK)
632 return log_error_errno(SYNTHETIC_ERRNO(EIO),
633 "Failed to find objects: %s", p11_kit_strerror(rv));
634 if (rv2 != CKR_OK)
635 return log_error_errno(SYNTHETIC_ERRNO(EIO),
636 "Failed to finalize object find call: %s", p11_kit_strerror(rv));
637 if (n_objects == 0)
638 return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
639 "Failed to find selected private key suitable for decryption on token.");
640 if (n_objects > 1)
641 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
642 "Configured private key URI matches multiple keys, refusing.");
643
644 *ret_object = objects[0];
645 return 0;
646}
647
648int pkcs11_token_decrypt_data(
649 CK_FUNCTION_LIST *m,
650 CK_SESSION_HANDLE session,
651 CK_OBJECT_HANDLE object,
652 const void *encrypted_data,
653 size_t encrypted_data_size,
654 void **ret_decrypted_data,
655 size_t *ret_decrypted_data_size) {
656
657 static const CK_MECHANISM mechanism = {
658 .mechanism = CKM_RSA_PKCS
659 };
660 _cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL;
661 CK_ULONG dbuffer_size = 0;
662 CK_RV rv;
663
664 assert(m);
665 assert(encrypted_data);
666 assert(encrypted_data_size > 0);
667 assert(ret_decrypted_data);
668 assert(ret_decrypted_data_size);
669
670 rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object);
671 if (rv != CKR_OK)
672 return log_error_errno(SYNTHETIC_ERRNO(EIO),
673 "Failed to initialize decryption on security token: %s", p11_kit_strerror(rv));
674
675 dbuffer_size = encrypted_data_size; /* Start with something reasonable */
676 dbuffer = malloc(dbuffer_size);
677 if (!dbuffer)
678 return log_oom();
679
680 rv = m->C_Decrypt(session, (CK_BYTE*) encrypted_data, encrypted_data_size, dbuffer, &dbuffer_size);
681 if (rv == CKR_BUFFER_TOO_SMALL) {
682 erase_and_free(dbuffer);
683
684 dbuffer = malloc(dbuffer_size);
685 if (!dbuffer)
686 return log_oom();
687
688 rv = m->C_Decrypt(session, (CK_BYTE*) encrypted_data, encrypted_data_size, dbuffer, &dbuffer_size);
689 }
690 if (rv != CKR_OK)
691 return log_error_errno(SYNTHETIC_ERRNO(EIO),
692 "Failed to decrypt key on security token: %s", p11_kit_strerror(rv));
693
694 log_info("Successfully decrypted key with security token.");
695
696 *ret_decrypted_data = TAKE_PTR(dbuffer);
697 *ret_decrypted_data_size = dbuffer_size;
698 return 0;
699}
700
701int pkcs11_token_acquire_rng(
702 CK_FUNCTION_LIST *m,
703 CK_SESSION_HANDLE session) {
704
705 _cleanup_free_ void *buffer = NULL;
839fddbe
LP		 706 size_t rps;
707 CK_RV rv;
708 int r;
709
710 assert(m);
711
712 /* While we are at it, let's read some RNG data from the PKCS#11 token and pass it to the kernel
713 * random pool. This should be cheap if we are talking to the device already. Note that we don't
714 * credit any entropy, since we don't know about the quality of the pkcs#11 token's RNG. Why bother
715 * at all? There are two sides to the argument whether to generate private keys on tokens or on the
716 * host. By crediting some data from the token RNG to the host's pool we at least can say that any
717 * key generated from it is at least as good as both sources individually. */
718
719 rps = random_pool_size();
720
721 buffer = malloc(rps);
722 if (!buffer)
723 return log_oom();
724
725 rv = m->C_GenerateRandom(session, buffer, rps);
726 if (rv != CKR_OK)
727 return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
728 "Failed to generate RNG data on security token: %s", p11_kit_strerror(rv));
729
61bd7d1e 730 r = random_write_entropy(-1, buffer, rps, false);
839fddbe
LP		 731 if (r < 0)
732 return log_debug_errno(r, "Failed to write PKCS#11 acquired random data to /dev/urandom: %m");
733
734 log_debug("Successfully written %zu bytes random data acquired via PKCS#11 to kernel random pool.", rps);
735
736 return 0;
737}
738
739static int token_process(
740 CK_FUNCTION_LIST *m,
741 CK_SLOT_ID slotid,
742 const CK_SLOT_INFO *slot_info,
743 const CK_TOKEN_INFO *token_info,
744 P11KitUri *search_uri,
745 pkcs11_find_token_callback_t callback,
746 void *userdata) {
747
748 _cleanup_free_ char *token_label = NULL;
749 CK_SESSION_HANDLE session;
750 CK_RV rv;
751 int r;
752
753 assert(m);
754 assert(slot_info);
755 assert(token_info);
839fddbe
LP		 756
757 token_label = pkcs11_token_label(token_info);
758 if (!token_label)
759 return log_oom();
760
761 rv = m->C_OpenSession(slotid, CKF_SERIAL_SESSION, NULL, NULL, &session);
762 if (rv != CKR_OK)
763 return log_error_errno(SYNTHETIC_ERRNO(EIO),
764 "Failed to create session for security token '%s': %s", token_label, p11_kit_strerror(rv));
765
766 if (callback)
767 r = callback(m, session, slotid, slot_info, token_info, search_uri, userdata);
768 else
769 r = 1; /* if not callback was specified, just say we found what we were looking for */
770
771 rv = m->C_CloseSession(session);
772 if (rv != CKR_OK)
773 log_warning("Failed to close session on PKCS#11 token, ignoring: %s", p11_kit_strerror(rv));
774
775 return r;
776}
777
778static int slot_process(
779 CK_FUNCTION_LIST *m,
780 CK_SLOT_ID slotid,
781 P11KitUri *search_uri,
782 pkcs11_find_token_callback_t callback,
783 void *userdata) {
784
785 _cleanup_(p11_kit_uri_freep) P11KitUri* slot_uri = NULL, *token_uri = NULL;
786 _cleanup_free_ char *token_uri_string = NULL;
787 CK_TOKEN_INFO token_info;
788 CK_SLOT_INFO slot_info;
789 int uri_result;
790 CK_RV rv;
791
792 assert(m);
839fddbe
LP		 793
794 /* We return -EAGAIN for all failures we can attribute to a specific slot in some way, so that the
795 * caller might try other slots before giving up. */
796
797 rv = m->C_GetSlotInfo(slotid, &slot_info);
798 if (rv != CKR_OK) {
799 log_warning("Failed to acquire slot info for slot %lu, ignoring slot: %s", slotid, p11_kit_strerror(rv));
800 return -EAGAIN;
801 }
802
803 slot_uri = uri_from_slot_info(&slot_info);
804 if (!slot_uri)
805 return log_oom();
806
807 if (DEBUG_LOGGING) {
808 _cleanup_free_ char *slot_uri_string = NULL;
809
810 uri_result = p11_kit_uri_format(slot_uri, P11_KIT_URI_FOR_ANY, &slot_uri_string);
811 if (uri_result != P11_KIT_URI_OK) {
812 log_warning("Failed to format slot URI, ignoring slot: %s", p11_kit_uri_message(uri_result));
813 return -EAGAIN;
814 }
815
816 log_debug("Found slot with URI %s", slot_uri_string);
817 }
818
819 rv = m->C_GetTokenInfo(slotid, &token_info);
820 if (rv == CKR_TOKEN_NOT_PRESENT) {
d7a0f1f4
FS		 821 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
822 "Token not present in slot, ignoring.");
839fddbe
LP		 823 } else if (rv != CKR_OK) {
824 log_warning("Failed to acquire token info for slot %lu, ignoring slot: %s", slotid, p11_kit_strerror(rv));
825 return -EAGAIN;
826 }
827
828 token_uri = uri_from_token_info(&token_info);
829 if (!token_uri)
830 return log_oom();
831
832 uri_result = p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, &token_uri_string);
833 if (uri_result != P11_KIT_URI_OK) {
834 log_warning("Failed to format slot URI: %s", p11_kit_uri_message(uri_result));
835 return -EAGAIN;
836 }
837
d7a0f1f4
FS		 838 if (search_uri && !p11_kit_uri_match_token_info(search_uri, &token_info))
839 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
840 "Found non-matching token with URI %s.",
841 token_uri_string);
839fddbe
LP		 842
843 log_debug("Found matching token with URI %s.", token_uri_string);
844
845 return token_process(
846 m,
847 slotid,
848 &slot_info,
849 &token_info,
850 search_uri,
851 callback,
852 userdata);
853}
854
855static int module_process(
856 CK_FUNCTION_LIST *m,
857 P11KitUri *search_uri,
858 pkcs11_find_token_callback_t callback,
859 void *userdata) {
860
861 _cleanup_free_ char *name = NULL, *module_uri_string = NULL;
862 _cleanup_(p11_kit_uri_freep) P11KitUri* module_uri = NULL;
863 _cleanup_free_ CK_SLOT_ID *slotids = NULL;
864 CK_ULONG n_slotids = 0;
865 int uri_result;
866 CK_INFO info;
867 size_t k;
868 CK_RV rv;
869 int r;
870
871 assert(m);
839fddbe
LP		 872
873 /* We ignore most errors from modules here, in order to skip over faulty modules: one faulty module
874 * should not have the effect that we don't try the others anymore. We indicate such per-module
875 * failures with -EAGAIN, which let's the caller try the next module. */
876
877 name = p11_kit_module_get_name(m);
878 if (!name)
879 return log_oom();
880
881 log_debug("Trying PKCS#11 module %s.", name);
882
883 rv = m->C_GetInfo(&info);
884 if (rv != CKR_OK) {
885 log_warning("Failed to get info on PKCS#11 module, ignoring module: %s", p11_kit_strerror(rv));
886 return -EAGAIN;
887 }
888
889 module_uri = uri_from_module_info(&info);
890 if (!module_uri)
891 return log_oom();
892
893 uri_result = p11_kit_uri_format(module_uri, P11_KIT_URI_FOR_ANY, &module_uri_string);
894 if (uri_result != P11_KIT_URI_OK) {
895 log_warning("Failed to format module URI, ignoring module: %s", p11_kit_uri_message(uri_result));
896 return -EAGAIN;
897 }
898
899 log_debug("Found module with URI %s", module_uri_string);
900
901 rv = pkcs11_get_slot_list_malloc(m, &slotids, &n_slotids);
902 if (rv != CKR_OK) {
903 log_warning("Failed to get slot list, ignoring module: %s", p11_kit_strerror(rv));
904 return -EAGAIN;
905 }
d7a0f1f4
FS		 906 if (n_slotids == 0)
907 return log_debug_errno(SYNTHETIC_ERRNO(EAGAIN),
908 "This module has no slots? Ignoring module.");
839fddbe
LP		 909
910 for (k = 0; k < n_slotids; k++) {
911 r = slot_process(
912 m,
913 slotids[k],
914 search_uri,
915 callback,
916 userdata);
917 if (r != -EAGAIN)
918 return r;
919 }
920
921 return -EAGAIN;
922}
923
924int pkcs11_find_token(
925 const char *pkcs11_uri,
926 pkcs11_find_token_callback_t callback,
927 void *userdata) {
928
929 _cleanup_(p11_kit_modules_finalize_and_releasep) CK_FUNCTION_LIST **modules = NULL;
930 _cleanup_(p11_kit_uri_freep) P11KitUri *search_uri = NULL;
931 int r;
932
839fddbe
LP		 933 /* Execute the specified callback for each matching token found. If nothing is found returns
934 * -EAGAIN. Logs about all errors, except for EAGAIN, which the caller has to log about. */
935
0eb3be46
LP		 936 if (pkcs11_uri) {
937 r = uri_from_string(pkcs11_uri, &search_uri);
938 if (r < 0)
939 return log_error_errno(r, "Failed to parse PKCS#11 URI '%s': %m", pkcs11_uri);
940 }
839fddbe
LP		 941
942 modules = p11_kit_modules_load_and_initialize(0);
943 if (!modules)
944 return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize pkcs11 modules");
945
946 for (CK_FUNCTION_LIST **i = modules; *i; i++) {
947 r = module_process(
948 *i,
949 search_uri,
950 callback,
951 userdata);
952 if (r != -EAGAIN)
953 return r;
954 }
955
956 return -EAGAIN;
957}
958
2289a784
LP		 959#if HAVE_OPENSSL
960struct pkcs11_acquire_certificate_callback_data {
961 char *pin_used;
962 X509 *cert;
963 const char *askpw_friendly_name, *askpw_icon_name;
964};
965
966static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
967 erase_and_free(data->pin_used);
968 X509_free(data->cert);
969}
970
971static int pkcs11_acquire_certificate_callback(
972 CK_FUNCTION_LIST *m,
973 CK_SESSION_HANDLE session,
974 CK_SLOT_ID slot_id,
975 const CK_SLOT_INFO *slot_info,
976 const CK_TOKEN_INFO *token_info,
977 P11KitUri *uri,
978 void *userdata) {
979
980 _cleanup_(erase_and_freep) char *pin_used = NULL;
99534007 981 struct pkcs11_acquire_certificate_callback_data *data = ASSERT_PTR(userdata);
2289a784
LP		 982 CK_OBJECT_HANDLE object;
983 int r;
984
985 assert(m);
986 assert(slot_info);
987 assert(token_info);
988 assert(uri);
2289a784
LP		 989
990 /* Called for every token matching our URI */
991
cd5f57bd 992 r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
2289a784
LP		 993 if (r < 0)
994 return r;
995
996 r = pkcs11_token_find_x509_certificate(m, session, uri, &object);
997 if (r < 0)
998 return r;
999
1000 r = pkcs11_token_read_x509_certificate(m, session, object, &data->cert);
1001 if (r < 0)
1002 return r;
1003
1004 /* Let's read some random data off the token and write it to the kernel pool before we generate our
1005 * random key from it. This way we can claim the quality of the RNG is at least as good as the
1006 * kernel's and the token's pool */
1007 (void) pkcs11_token_acquire_rng(m, session);
1008
1009 data->pin_used = TAKE_PTR(pin_used);
1010 return 1;
1011}
1012
1013int pkcs11_acquire_certificate(
1014 const char *uri,
1015 const char *askpw_friendly_name,
1016 const char *askpw_icon_name,
1017 X509 **ret_cert,
1018 char **ret_pin_used) {
1019
1020 _cleanup_(pkcs11_acquire_certificate_callback_data_release) struct pkcs11_acquire_certificate_callback_data data = {
1021 .askpw_friendly_name = askpw_friendly_name,
1022 .askpw_icon_name = askpw_icon_name,
1023 };
1024 int r;
1025
1026 assert(uri);
1027 assert(ret_cert);
1028
1029 r = pkcs11_find_token(uri, pkcs11_acquire_certificate_callback, &data);
1030 if (r == -EAGAIN) /* pkcs11_find_token() doesn't log about this error, but all others */
1031 return log_error_errno(SYNTHETIC_ERRNO(ENXIO),
1032 "Specified PKCS#11 token with URI '%s' not found.",
1033 uri);
1034 if (r < 0)
1035 return r;
1036
1037 *ret_cert = TAKE_PTR(data.cert);
1038
1039 if (ret_pin_used)
1040 *ret_pin_used = TAKE_PTR(data.pin_used);
1041
1042 return 0;
1043}
f240cbb6
LP		 1044#endif
1045
1046static int list_callback(
1047 CK_FUNCTION_LIST *m,
1048 CK_SESSION_HANDLE session,
1049 CK_SLOT_ID slot_id,
1050 const CK_SLOT_INFO *slot_info,
1051 const CK_TOKEN_INFO *token_info,
1052 P11KitUri *uri,
1053 void *userdata) {
1054
1055 _cleanup_free_ char *token_uri_string = NULL, *token_label = NULL, *token_manufacturer_id = NULL, *token_model = NULL;
1056 _cleanup_(p11_kit_uri_freep) P11KitUri *token_uri = NULL;
1057 Table *t = userdata;
1058 int uri_result, r;
1059
1060 assert(slot_info);
1061 assert(token_info);
1062
1063 /* We only care about hardware devices here with a token inserted. Let's filter everything else
1064 * out. (Note that the user can explicitly specify non-hardware tokens if they like, but during
1065 * enumeration we'll filter those, since software tokens are typically the system certificate store
1066 * and such, and it's typically not what people want to bind their home directories to.) */
1067 if (!FLAGS_SET(token_info->flags, CKF_HW_SLOT|CKF_TOKEN_PRESENT))
1068 return -EAGAIN;
1069
1070 token_label = pkcs11_token_label(token_info);
1071 if (!token_label)
1072 return log_oom();
1073
1074 token_manufacturer_id = pkcs11_token_manufacturer_id(token_info);
1075 if (!token_manufacturer_id)
1076 return log_oom();
1077
1078 token_model = pkcs11_token_model(token_info);
1079 if (!token_model)
1080 return log_oom();
1081
1082 token_uri = uri_from_token_info(token_info);
1083 if (!token_uri)
1084 return log_oom();
1085
1086 uri_result = p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, &token_uri_string);
1087 if (uri_result != P11_KIT_URI_OK)
1088 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN), "Failed to format slot URI: %s", p11_kit_uri_message(uri_result));
1089
1090 r = table_add_many(
1091 t,
1092 TABLE_STRING, token_uri_string,
1093 TABLE_STRING, token_label,
1094 TABLE_STRING, token_manufacturer_id,
1095 TABLE_STRING, token_model);
1096 if (r < 0)
1097 return table_log_add_error(r);
1098
1099 return -EAGAIN; /* keep scanning */
1100}
1101#endif
1102
1103int pkcs11_list_tokens(void) {
1104#if HAVE_P11KIT
1105 _cleanup_(table_unrefp) Table *t = NULL;
1106 int r;
1107
1108 t = table_new("uri", "label", "manufacturer", "model");
1109 if (!t)
1110 return log_oom();
1111
1112 r = pkcs11_find_token(NULL, list_callback, t);
1113 if (r < 0 && r != -EAGAIN)
1114 return r;
2289a784 1115
f240cbb6
LP		 1116 if (table_get_rows(t) <= 1) {
1117 log_info("No suitable PKCS#11 tokens found.");
1118 return 0;
1119 }
1120
1121 r = table_print(t, stdout);
1122 if (r < 0)
1123 return log_error_errno(r, "Failed to show device table: %m");
1124
1125 return 0;
1126#else
1127 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
1128 "PKCS#11 tokens not supported on this build.");
1129#endif
1130}
1131
1132#if HAVE_P11KIT
1133static int auto_callback(
1134 CK_FUNCTION_LIST *m,
1135 CK_SESSION_HANDLE session,
1136 CK_SLOT_ID slot_id,
1137 const CK_SLOT_INFO *slot_info,
1138 const CK_TOKEN_INFO *token_info,
1139 P11KitUri *uri,
1140 void *userdata) {
1141
1142 _cleanup_(p11_kit_uri_freep) P11KitUri *token_uri = NULL;
1143 char **t = userdata;
1144 int uri_result;
1145
1146 assert(slot_info);
1147 assert(token_info);
1148
1149 if (!FLAGS_SET(token_info->flags, CKF_HW_SLOT|CKF_TOKEN_PRESENT))
1150 return -EAGAIN;
1151
1152 if (*t)
1153 return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
1154 "More than one suitable PKCS#11 token found.");
1155
1156 token_uri = uri_from_token_info(token_info);
1157 if (!token_uri)
1158 return log_oom();
1159
1160 uri_result = p11_kit_uri_format(token_uri, P11_KIT_URI_FOR_ANY, t);
1161 if (uri_result != P11_KIT_URI_OK)
1162 return log_warning_errno(SYNTHETIC_ERRNO(EAGAIN), "Failed to format slot URI: %s", p11_kit_uri_message(uri_result));
1163
1164 return 0;
1165}
2289a784 1166#endif
f240cbb6
LP		 1167
1168int pkcs11_find_token_auto(char **ret) {
1169#if HAVE_P11KIT
1170 int r;
1171
1172 r = pkcs11_find_token(NULL, auto_callback, ret);
1173 if (r == -EAGAIN)
1174 return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "No suitable PKCS#11 tokens found.");
1175 if (r < 0)
1176 return r;
1177
1178 return 0;
1179#else
1180 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
1181 "PKCS#11 tokens not supported on this build.");
839fddbe 1182#endif
f240cbb6 1183}
ed3d3af1
OK		 1184
1185#if HAVE_P11KIT
1186void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data) {
1187 erase_and_free(data->decrypted_key);
1188
1189 if (data->free_encrypted_key)
1190 free(data->encrypted_key);
1191}
1192
1193int pkcs11_crypt_device_callback(
1194 CK_FUNCTION_LIST *m,
1195 CK_SESSION_HANDLE session,
1196 CK_SLOT_ID slot_id,
1197 const CK_SLOT_INFO *slot_info,
1198 const CK_TOKEN_INFO *token_info,
1199 P11KitUri *uri,
1200 void *userdata) {
1201
99534007 1202 pkcs11_crypt_device_callback_data *data = ASSERT_PTR(userdata);
ed3d3af1
OK		 1203 CK_OBJECT_HANDLE object;
1204 int r;
1205
1206 assert(m);
1207 assert(slot_info);
1208 assert(token_info);
1209 assert(uri);
ed3d3af1
OK		 1210
1211 /* Called for every token matching our URI */
1212
1213 r = pkcs11_token_login(
1214 m,
1215 session,
1216 slot_id,
1217 token_info,
1218 data->friendly_name,
1219 "drive-harddisk",
1220 "pkcs11-pin",
1221 "cryptsetup.pkcs11-pin",
1222 data->until,
1223 data->headless,
1224 NULL);
1225 if (r < 0)
1226 return r;
1227
1228 /* We are likely called during early boot, where entropy is scarce. Mix some data from the PKCS#11
1229 * token, if it supports that. It should be cheap, given that we already are talking to it anyway and
1230 * shouldn't hurt. */
1231 (void) pkcs11_token_acquire_rng(m, session);
1232
1233 r = pkcs11_token_find_private_key(m, session, uri, &object);
1234 if (r < 0)
1235 return r;
1236
1237 r = pkcs11_token_decrypt_data(
1238 m,
1239 session,
1240 object,
1241 data->encrypted_key,
1242 data->encrypted_key_size,
1243 &data->decrypted_key,
1244 &data->decrypted_key_size);
1245 if (r < 0)
1246 return r;
1247
1248 return 0;
1249}
1250#endif
Unnamed repository; edit this file 'description' to name the repository.