src/home/homectl-pkcs11.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include "errno-util.h"
   4 #include "format-table.h"
   5 #include "hexdecoct.h"
   6 #include "homectl-pkcs11.h"
   7 #include "libcrypt-util.h"
   8 #include "memory-util.h"
   9 #include "openssl-util.h"
  10 #include "pkcs11-util.h"
  11 #include "strv.h"
  12
  13 int identity_add_token_pin(JsonVariant **v, const char *pin) {
  14         _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
  15         _cleanup_strv_free_erase_ char **pins = NULL;
  16         int r;
  17
  18         assert(v);
  19
  20         if (isempty(pin))
  21                 return 0;
  22
  23         w = json_variant_ref(json_variant_by_key(*v, "secret"));
  24         l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
  25
  26         r = json_variant_strv(l, &pins);
  27         if (r < 0)
  28                 return log_error_errno(r, "Failed to convert PIN array: %m");
  29
  30         if (strv_contains(pins, pin))
  31                 return 0;
  32
  33         r = strv_extend(&pins, pin);
  34         if (r < 0)
  35                 return log_oom();
  36
  37         strv_uniq(pins);
  38
  39         l = json_variant_unref(l);
  40
  41         r = json_variant_new_array_strv(&l, pins);
  42         if (r < 0)
  43                 return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
  44
  45         json_variant_sensitive(l);
  46
  47         r = json_variant_set_field(&w, "tokenPin", l);
  48         if (r < 0)
  49                 return log_error_errno(r, "Failed to update PIN field: %m");
  50
  51         r = json_variant_set_field(v, "secret", w);
  52         if (r < 0)
  53                 return log_error_errno(r, "Failed to update secret object: %m");
  54
  55         return 1;
  56 }
  57
  58 #if HAVE_P11KIT
  59
  60 static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
  61         _cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
  62         _cleanup_strv_free_ char **l = NULL;
  63         int r;
  64
  65         assert(v);
  66         assert(uri);
  67
  68         w = json_variant_ref(json_variant_by_key(*v, "pkcs11TokenUri"));
  69         if (w) {
  70                 r = json_variant_strv(w, &l);
  71                 if (r < 0)
  72                         return log_error_errno(r, "Failed to parse PKCS#11 token list: %m");
  73
  74                 if (strv_contains(l, uri))
  75                         return 0;
  76         }
  77
  78         r = strv_extend(&l, uri);
  79         if (r < 0)
  80                 return log_oom();
  81
  82         w = json_variant_unref(w);
  83         r = json_variant_new_array_strv(&w, l);
  84         if (r < 0)
  85                 return log_error_errno(r, "Failed to create PKCS#11 token URI JSON: %m");
  86
  87         r = json_variant_set_field(v, "pkcs11TokenUri", w);
  88         if (r < 0)
  89                 return log_error_errno(r, "Failed to update PKCS#11 token URI list: %m");
  90
  91         return 0;
  92 }
  93
  94 static int add_pkcs11_encrypted_key(
  95                 JsonVariant **v,
  96                 const char *uri,
  97                 const void *encrypted_key, size_t encrypted_key_size,
  98                 const void *decrypted_key, size_t decrypted_key_size) {
  99
 100         _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
 101         _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
 102         ssize_t base64_encoded_size;
 103         int r;
 104
 105         assert(v);
 106         assert(uri);
 107         assert(encrypted_key);
 108         assert(encrypted_key_size > 0);
 109         assert(decrypted_key);
 110         assert(decrypted_key_size > 0);
 111
 112         /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
 113          * expect a NUL terminated string, and we use a binary key */
 114         base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
 115         if (base64_encoded_size < 0)
 116                 return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
 117
 118         r = hash_password(base64_encoded, &hashed);
 119         if (r < 0)
 120                 return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m");
 121
 122         r = json_build(&e, JSON_BUILD_OBJECT(
 123                                        JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)),
 124                                        JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)),
 125                                        JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed))));
 126         if (r < 0)
 127                 return log_error_errno(r, "Failed to build encrypted JSON key object: %m");
 128
 129         w = json_variant_ref(json_variant_by_key(*v, "privileged"));
 130         l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey"));
 131
 132         r = json_variant_append_array(&l, e);
 133         if (r < 0)
 134                 return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m");
 135
 136         r = json_variant_set_field(&w, "pkcs11EncryptedKey", l);
 137         if (r < 0)
 138                 return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m");
 139
 140         r = json_variant_set_field(v, "privileged", w);
 141         if (r < 0)
 142                 return log_error_errno(r, "Failed to update privileged field: %m");
 143
 144         return 0;
 145 }
 146
 147 int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
 148         _cleanup_(erase_and_freep) void *decrypted_key = NULL, *saved_key = NULL;
 149         _cleanup_(erase_and_freep) char *pin = NULL;
 150         size_t decrypted_key_size, saved_key_size;
 151         _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
 152         int r;
 153
 154         assert(v);
 155
 156         r = pkcs11_acquire_public_key(
 157                         uri,
 158                         "home directory operation",
 159                         "user-home",
 160                         "home.token-pin",
 161                         /* askpw_flags= */ 0,
 162                         &pkey,
 163                         &pin);
 164         if (r < 0)
 165                 return r;
 166
 167         r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
 168         if (r < 0)
 169                 return log_error_errno(r, "Failed to generate volume keys: %m");
 170
 171         /* Add the token URI to the public part of the record. */
 172         r = add_pkcs11_token_uri(v, uri);
 173         if (r < 0)
 174                 return r;
 175
 176         /* Include the encrypted version of the random key we just generated in the privileged part of the record */
 177         r = add_pkcs11_encrypted_key(
 178                         v,
 179                         uri,
 180                         saved_key, saved_key_size,
 181                         decrypted_key, decrypted_key_size);
 182         if (r < 0)
 183                 return r;
 184
 185         /* If we acquired the PIN also include it in the secret section of the record, so that systemd-homed
 186          * can use it if it needs to, given that it likely needs to decrypt the key again to pass to LUKS or
 187          * fscrypt. */
 188         r = identity_add_token_pin(v, pin);
 189         if (r < 0)
 190                 return r;
 191
 192         return 0;
 193 }
 194
 195 #endif