]>
Commit | Line | Data |
---|---|---|
8710a681 LP |
1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | ||
3 | #include "cryptenroll-pkcs11.h" | |
4 | #include "hexdecoct.h" | |
5 | #include "json.h" | |
6 | #include "memory-util.h" | |
7 | #include "openssl-util.h" | |
8 | #include "pkcs11-util.h" | |
9 | #include "random-util.h" | |
10 | ||
11 | int enroll_pkcs11( | |
12 | struct crypt_device *cd, | |
13 | const void *volume_key, | |
14 | size_t volume_key_size, | |
15 | const char *uri) { | |
16 | ||
17 | _cleanup_(erase_and_freep) void *decrypted_key = NULL; | |
18 | _cleanup_(erase_and_freep) char *base64_encoded = NULL; | |
19 | _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; | |
20 | _cleanup_free_ char *keyslot_as_string = NULL; | |
21 | size_t decrypted_key_size, encrypted_key_size; | |
22 | _cleanup_free_ void *encrypted_key = NULL; | |
23 | _cleanup_(X509_freep) X509 *cert = NULL; | |
5e476b85 | 24 | ssize_t base64_encoded_size; |
8710a681 LP |
25 | const char *node; |
26 | EVP_PKEY *pkey; | |
27 | int keyslot, r; | |
28 | ||
29 | assert_se(cd); | |
30 | assert_se(volume_key); | |
31 | assert_se(volume_key_size > 0); | |
32 | assert_se(uri); | |
33 | ||
34 | assert_se(node = crypt_get_device_name(cd)); | |
35 | ||
36 | r = pkcs11_acquire_certificate(uri, "volume enrollment operation", "drive-harddisk", &cert, NULL); | |
37 | if (r < 0) | |
38 | return r; | |
39 | ||
40 | pkey = X509_get0_pubkey(cert); | |
41 | if (!pkey) | |
42 | return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate."); | |
43 | ||
44 | r = rsa_pkey_to_suitable_key_size(pkey, &decrypted_key_size); | |
45 | if (r < 0) | |
46 | return log_error_errno(r, "Failed to determine RSA public key size."); | |
47 | ||
48 | log_debug("Generating %zu bytes random key.", decrypted_key_size); | |
49 | ||
50 | decrypted_key = malloc(decrypted_key_size); | |
51 | if (!decrypted_key) | |
52 | return log_oom(); | |
53 | ||
87cb1ab6 | 54 | r = crypto_random_bytes(decrypted_key, decrypted_key_size); |
8710a681 LP |
55 | if (r < 0) |
56 | return log_error_errno(r, "Failed to generate random key: %m"); | |
57 | ||
58 | r = rsa_encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size); | |
59 | if (r < 0) | |
60 | return log_error_errno(r, "Failed to encrypt key: %m"); | |
61 | ||
62 | /* Let's base64 encode the key to use, for compat with homed (and it's easier to type it in by | |
63 | * keyboard, if that might ever end up being necessary.) */ | |
5e476b85 LP |
64 | base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); |
65 | if (base64_encoded_size < 0) | |
66 | return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); | |
8710a681 LP |
67 | |
68 | r = cryptsetup_set_minimal_pbkdf(cd); | |
69 | if (r < 0) | |
70 | return log_error_errno(r, "Failed to set minimal PBKDF: %m"); | |
71 | ||
72 | keyslot = crypt_keyslot_add_by_volume_key( | |
73 | cd, | |
74 | CRYPT_ANY_SLOT, | |
75 | volume_key, | |
76 | volume_key_size, | |
77 | base64_encoded, | |
5e476b85 | 78 | base64_encoded_size); |
8710a681 LP |
79 | if (keyslot < 0) |
80 | return log_error_errno(keyslot, "Failed to add new PKCS#11 key to %s: %m", node); | |
81 | ||
82 | if (asprintf(&keyslot_as_string, "%i", keyslot) < 0) | |
83 | return log_oom(); | |
84 | ||
85 | r = json_build(&v, | |
86 | JSON_BUILD_OBJECT( | |
0cdf6b14 | 87 | JSON_BUILD_PAIR("type", JSON_BUILD_CONST_STRING("systemd-pkcs11")), |
8710a681 LP |
88 | JSON_BUILD_PAIR("keyslots", JSON_BUILD_ARRAY(JSON_BUILD_STRING(keyslot_as_string))), |
89 | JSON_BUILD_PAIR("pkcs11-uri", JSON_BUILD_STRING(uri)), | |
90 | JSON_BUILD_PAIR("pkcs11-key", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)))); | |
91 | if (r < 0) | |
92 | return log_error_errno(r, "Failed to prepare PKCS#11 JSON token object: %m"); | |
93 | ||
94 | r = cryptsetup_add_token_json(cd, v); | |
95 | if (r < 0) | |
96 | return log_error_errno(r, "Failed to add PKCS#11 JSON token to LUKS2 header: %m"); | |
97 | ||
98 | log_info("New PKCS#11 token enrolled as key slot %i.", keyslot); | |
99 | return keyslot; | |
100 | } |