const char *key_name,
const char *credential_name,
usec_t until,
+ AskPasswordFlags ask_password_flags,
bool headless,
char **ret_used_pin) {
return log_oom();
/* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
- r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords);
+ r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
}
if (r != -ENOLCK)
return r;
- /* Referesh the token info, so that we can prompt knowing the new flags if they changed. */
+ /* Refresh the token info, so that we can prompt knowing the new flags if they changed. */
rv = m->C_GetTokenInfo(slotid, &updated_token_info);
if (rv != CKR_OK)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
P11KitUri *search_uri,
CK_OBJECT_HANDLE *ret_object) {
- bool found_decrypt = false, found_class = false, found_key_type = false;
+ uint_fast8_t n_objects = 0;
+ bool found_class = false;
_cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
- CK_ULONG n_attributes, a, n_objects;
- CK_ATTRIBUTE *attributes = NULL;
- CK_OBJECT_HANDLE objects[2];
- CK_RV rv, rv2;
- int r;
+ CK_OBJECT_HANDLE object, candidate;
+ static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
+ CK_BBOOL decrypt_value, derive_value;
+ CK_ATTRIBUTE optional_attributes[] = {
+ { CKA_DECRYPT, &decrypt_value, sizeof(decrypt_value) },
+ { CKA_DERIVE, &derive_value, sizeof(derive_value) }
+ };
+ CK_RV rv;
assert(m);
assert(search_uri);
assert(ret_object);
- r = dlopen_p11kit();
- if (r < 0)
- return r;
-
- attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
- for (a = 0; a < n_attributes; a++) {
+ CK_ULONG n_attributes;
+ CK_ATTRIBUTE *attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
+ for (CK_ULONG i = 0; i < n_attributes; i++) {
/* We use the URI's included match attributes, but make them more strict. This allows users
* to specify a token URL instead of an object URL and the right thing should happen if
* there's only one suitable key on the token. */
- switch (attributes[a].type) {
-
+ switch (attributes[i].type) {
case CKA_CLASS: {
CK_OBJECT_CLASS c;
- if (attributes[a].ulValueLen != sizeof(c))
+ if (attributes[i].ulValueLen != sizeof(c))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
- memcpy(&c, attributes[a].pValue, sizeof(c));
+ memcpy(&c, attributes[i].pValue, sizeof(c));
if (c != CKO_PRIVATE_KEY)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Selected PKCS#11 object is not a private key, refusing.");
found_class = true;
break;
- }
+ }}
+ }
- case CKA_DECRYPT: {
- CK_BBOOL b;
+ if (!found_class) {
+ /* Hmm, let's slightly extend the attribute list we search for */
- if (attributes[a].ulValueLen != sizeof(b))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_DECRYPT attribute size.");
+ attributes_buffer = new(CK_ATTRIBUTE, n_attributes + 1);
+ if (!attributes_buffer)
+ return log_oom();
- memcpy(&b, attributes[a].pValue, sizeof(b));
- if (!b)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "Selected PKCS#11 object is not suitable for decryption, refusing.");
+ memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
- found_decrypt = true;
+ attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
+ .type = CKA_CLASS,
+ .pValue = (CK_OBJECT_CLASS*) &class,
+ .ulValueLen = sizeof(class),
+ };
+
+ attributes = attributes_buffer;
+ }
+
+ rv = m->C_FindObjectsInit(session, attributes, n_attributes);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
+
+ for (;;) {
+ CK_ULONG b;
+ rv = m->C_FindObjects(session, &candidate, 1, &b);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to find objects: %s", sym_p11_kit_strerror(rv));
+
+ if (b == 0)
break;
+
+ bool can_decrypt = false, can_derive = false;
+ optional_attributes[0].ulValueLen = sizeof(decrypt_value);
+ optional_attributes[1].ulValueLen = sizeof(derive_value);
+
+ rv = m->C_GetAttributeValue(session, candidate, optional_attributes, ELEMENTSOF(optional_attributes));
+ if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to get attributes of a selected private key: %s", sym_p11_kit_strerror(rv));
+
+ if (optional_attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION && decrypt_value == CK_TRUE)
+ can_decrypt = true;
+
+ if (optional_attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION && derive_value == CK_TRUE)
+ can_derive = true;
+
+ if (can_decrypt || can_derive) {
+ n_objects++;
+ if (n_objects > 1)
+ break;
+ object = candidate;
}
+ }
- case CKA_KEY_TYPE: {
- CK_KEY_TYPE t;
+ rv = m->C_FindObjectsFinal(session);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
- if (attributes[a].ulValueLen != sizeof(t))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_KEY_TYPE attribute size.");
+ if (n_objects == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
+ "Failed to find selected private key suitable for decryption or derivation on token.");
- memcpy(&t, attributes[a].pValue, sizeof(t));
- if (t != CKK_RSA)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an RSA key, refusing.");
+ if (n_objects > 1)
+ return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
+ "Configured private key URI matches multiple keys, refusing.");
- found_key_type = true;
- break;
- }}
+ *ret_object = object;
+ return 0;
+}
+
+static const char* object_class_to_string(CK_OBJECT_CLASS class) {
+ switch (class) {
+ case CKO_CERTIFICATE:
+ return "CKO_CERTIFICATE";
+ case CKO_PUBLIC_KEY:
+ return "CKO_PUBLIC_KEY";
+ case CKO_PRIVATE_KEY:
+ return "CKO_PRIVATE_KEY";
+ case CKO_SECRET_KEY:
+ return "CKO_SECRET_KEY";
+ default:
+ return NULL;
}
+}
- if (!found_decrypt || !found_class || !found_key_type) {
- /* Hmm, let's slightly extend the attribute list we search for */
+/* Returns an object with the given class and the same CKA_ID or CKA_LABEL as prototype */
+int pkcs11_token_find_related_object(
+ CK_FUNCTION_LIST *m,
+ CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE prototype,
+ CK_OBJECT_CLASS class,
+ CK_OBJECT_HANDLE *ret_object ) {
- attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_decrypt + !found_class + !found_key_type);
- if (!attributes_buffer)
+ _cleanup_free_ void *buffer = NULL;
+ CK_ATTRIBUTE attributes[] = {
+ { CKA_ID, NULL_PTR, 0 },
+ { CKA_LABEL, NULL_PTR, 0 }
+ };
+ CK_OBJECT_CLASS search_class = class;
+ CK_ATTRIBUTE search_attributes[2] = {
+ { CKA_CLASS, &search_class, sizeof(search_class) }
+ };
+ CK_ULONG n_objects;
+ CK_OBJECT_HANDLE objects[2];
+ CK_RV rv;
+
+ rv = m->C_GetAttributeValue(session, prototype, attributes, ELEMENTSOF(attributes));
+ if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve length of attributes: %s", sym_p11_kit_strerror(rv));
+
+ if (attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION) {
+ buffer = malloc(attributes[0].ulValueLen);
+ if (!buffer)
return log_oom();
- memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
+ attributes[0].pValue = buffer;
+ rv = m->C_GetAttributeValue(session, prototype, &attributes[0], 1);
+ if (rv != CKR_OK)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve CKA_ID: %s", sym_p11_kit_strerror(rv));
- if (!found_decrypt) {
- static const CK_BBOOL yes = true;
+ search_attributes[1] = attributes[0];
- attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
- .type = CKA_DECRYPT,
- .pValue = (CK_BBOOL*) &yes,
- .ulValueLen = sizeof(yes),
- };
- }
+ } else if (attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION) {
+ buffer = malloc(attributes[1].ulValueLen);
+ if (!buffer)
+ return log_oom();
- if (!found_class) {
- static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
+ attributes[1].pValue = buffer;
+ rv = m->C_GetAttributeValue(session, prototype, &attributes[1], 1);
+ if (rv != CKR_OK)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve CKA_LABEL: %s", sym_p11_kit_strerror(rv));
- attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
- .type = CKA_CLASS,
- .pValue = (CK_OBJECT_CLASS*) &class,
- .ulValueLen = sizeof(class),
- };
- }
+ search_attributes[1] = attributes[1];
- if (!found_key_type) {
- static const CK_KEY_TYPE type = CKK_RSA;
+ } else
+ return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The prototype does not have CKA_ID or CKA_LABEL");
- attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
- .type = CKA_KEY_TYPE,
- .pValue = (CK_KEY_TYPE*) &type,
- .ulValueLen = sizeof(type),
- };
- }
+ rv = m->C_FindObjectsInit(session, search_attributes, 2);
+ if (rv != CKR_OK)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
- attributes = attributes_buffer;
+ rv = m->C_FindObjects(session, objects, 2, &n_objects);
+ if (rv != CKR_OK)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to find objects: %s", sym_p11_kit_strerror(rv));
+
+ rv = m->C_FindObjectsFinal(session);
+ if (rv != CKR_OK)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
+
+ if (n_objects == 0)
+ return log_debug_errno(SYNTHETIC_ERRNO(ENOENT),
+ "Failed to find a related object with class %s", object_class_to_string(class));
+
+ if (n_objects > 1)
+ log_warning("Found multiple related objects with class %s, using the first object.",
+ object_class_to_string(class));
+
+ *ret_object = objects[0];
+ return 0;
+}
+
+#if HAVE_OPENSSL
+static int ecc_convert_to_compressed(
+ CK_FUNCTION_LIST *m,
+ CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object,
+ const void *uncompressed_point,
+ size_t uncompressed_point_size,
+ void **ret_compressed_point,
+ size_t *ret_compressed_point_size) {
+
+ _cleanup_free_ void *ec_params_buffer = NULL;
+ CK_ATTRIBUTE ec_params_attr = { CKA_EC_PARAMS, NULL_PTR, 0 };
+ CK_RV rv;
+ int r;
+
+ rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1);
+ if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
+
+ if (ec_params_attr.ulValueLen != CK_UNAVAILABLE_INFORMATION) {
+ ec_params_buffer = malloc(ec_params_attr.ulValueLen);
+ if (!ec_params_buffer)
+ return log_oom();
+
+ ec_params_attr.pValue = ec_params_buffer;
+ rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve CKA_EC_PARAMS from a private key: %s", sym_p11_kit_strerror(rv));
+ } else {
+ CK_OBJECT_HANDLE public_key;
+ r = pkcs11_token_find_related_object(m, session, object, CKO_PUBLIC_KEY, &public_key);
+ if (r < 0)
+ return log_error_errno(r, "Failed to find a public key for compressing a EC point");
+
+ ec_params_attr.ulValueLen = 0;
+ rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1);
+ if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv));
+
+ if (ec_params_attr.ulValueLen == CK_UNAVAILABLE_INFORMATION)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "The public key does not have CKA_EC_PARAMS");
+
+ ec_params_buffer = malloc(ec_params_attr.ulValueLen);
+ if (!ec_params_buffer)
+ return log_oom();
+
+ ec_params_attr.pValue = ec_params_buffer;
+ rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO),
+ "Failed to retrieve CKA_EC_PARAMS from a public key: %s", sym_p11_kit_strerror(rv));
}
- rv = m->C_FindObjectsInit(session, attributes, n_attributes);
+ _cleanup_(EC_GROUP_freep) EC_GROUP *group = NULL;
+ _cleanup_(EC_POINT_freep) EC_POINT *point = NULL;
+ _cleanup_(BN_CTX_freep) BN_CTX *bnctx = NULL;
+ _cleanup_free_ void *compressed_point = NULL;
+ size_t compressed_point_size;
+
+ const unsigned char *ec_params_value = ec_params_attr.pValue;
+ group = d2i_ECPKParameters(NULL, &ec_params_value, ec_params_attr.ulValueLen);
+ if (!group)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_PARAMS");
+
+ point = EC_POINT_new(group);
+ if (!point)
+ return log_oom();
+
+ bnctx = BN_CTX_new();
+ if (!bnctx)
+ return log_oom();
+
+ if (EC_POINT_oct2point(group, point, uncompressed_point, uncompressed_point_size, bnctx) != 1)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode an uncompressed EC point");
+
+ compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, bnctx);
+ if (compressed_point_size == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine size of a compressed EC point");
+
+ compressed_point = malloc(compressed_point_size);
+ if (!compressed_point)
+ return log_oom();
+
+ compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, compressed_point, compressed_point_size, bnctx);
+ if (compressed_point_size == 0)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert a EC point to compressed format");
+
+ *ret_compressed_point = TAKE_PTR(compressed_point);
+ *ret_compressed_point_size = compressed_point_size;
+ return 0;
+}
+#endif
+
+/* Since EC keys doesn't support encryption directly, we use ECDH protocol to derive shared secret here.
+ * We use PKCS#11 C_DeriveKey function to derive a shared secret with a private key stored in the token and
+ * a public key saved on enrollment. */
+static int pkcs11_token_decrypt_data_ecc(
+ CK_FUNCTION_LIST *m,
+ CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object,
+ const void *encrypted_data,
+ size_t encrypted_data_size,
+ void **ret_decrypted_data,
+ size_t *ret_decrypted_data_size) {
+
+ static const CK_BBOOL yes = CK_TRUE, no = CK_FALSE;
+ static const CK_OBJECT_CLASS shared_secret_class = CKO_SECRET_KEY;
+ static const CK_KEY_TYPE shared_secret_type = CKK_GENERIC_SECRET;
+ static const CK_ATTRIBUTE shared_secret_template[] = {
+ { CKA_TOKEN, (void*) &no, sizeof(no) },
+ { CKA_CLASS, (void*) &shared_secret_class, sizeof(shared_secret_class) },
+ { CKA_KEY_TYPE, (void*) &shared_secret_type, sizeof(shared_secret_type) },
+ { CKA_SENSITIVE, (void*) &no, sizeof(no) },
+ { CKA_EXTRACTABLE, (void*) &yes, sizeof(yes) }
+ };
+ CK_ECDH1_DERIVE_PARAMS params = {
+ .kdf = CKD_NULL,
+ .pPublicData = (void*) encrypted_data,
+ .ulPublicDataLen = encrypted_data_size
+ };
+ CK_MECHANISM mechanism = {
+ .mechanism = CKM_ECDH1_DERIVE,
+ .pParameter = ¶ms,
+ .ulParameterLen = sizeof(params)
+ };
+ CK_OBJECT_HANDLE shared_secret_handle;
+ CK_SESSION_INFO session_info;
+ CK_MECHANISM_INFO mechanism_info;
+ CK_RV rv, rv2;
+#if HAVE_OPENSSL
+ _cleanup_free_ void *compressed_point = NULL;
+ int r;
+#endif
+
+ rv = m->C_GetSessionInfo(session, &session_info);
if (rv != CKR_OK)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
+ "Failed to get information about the PKCS#11 session: %s", sym_p11_kit_strerror(rv));
- rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
- rv2 = m->C_FindObjectsFinal(session);
+ rv = m->C_GetMechanismInfo(session_info.slotID, CKM_ECDH1_DERIVE, &mechanism_info);
if (rv != CKR_OK)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to find objects: %s", sym_p11_kit_strerror(rv));
+ "Failed to get information about CKM_ECDH1_DERIVE: %s", sym_p11_kit_strerror(rv));
+
+ if (!(mechanism_info.flags & CKF_EC_UNCOMPRESS)) {
+ if (mechanism_info.flags & CKF_EC_COMPRESS) {
+#if HAVE_OPENSSL
+ log_debug("CKM_ECDH1_DERIVE accepts compressed EC points only, trying to convert.");
+ size_t compressed_point_size;
+ r = ecc_convert_to_compressed(m, session, object, encrypted_data, encrypted_data_size, &compressed_point, &compressed_point_size);
+ if (r < 0)
+ return r;
+
+ params.pPublicData = compressed_point;
+ params.ulPublicDataLen = compressed_point_size;
+#else
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "CKM_ECDH1_DERIVE does not support uncompressed format of EC points");
+#endif
+ } else
+ log_debug("Both CKF_EC_UNCOMPRESS and CKF_EC_COMPRESS are false for CKM_ECDH1_DERIVE, ignoring.");
+ }
+
+ rv = m->C_DeriveKey(session, &mechanism, object, (CK_ATTRIBUTE*) shared_secret_template, ELEMENTSOF(shared_secret_template), &shared_secret_handle);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to derive a shared secret: %s", sym_p11_kit_strerror(rv));
+
+ CK_ATTRIBUTE shared_secret_attr = { CKA_VALUE, NULL_PTR, 0};
+
+ rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
+ if (rv != CKR_OK) {
+ rv2 = m->C_DestroyObject(session, shared_secret_handle);
+ if (rv2 != CKR_OK)
+ log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve shared secret length: %s", sym_p11_kit_strerror(rv));
+ }
+
+ shared_secret_attr.pValue = malloc(shared_secret_attr.ulValueLen);
+ if (!shared_secret_attr.pValue)
+ return log_oom();
+
+ rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1);
+ rv2 = m->C_DestroyObject(session, shared_secret_handle);
if (rv2 != CKR_OK)
- return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv));
- if (n_objects == 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
- "Failed to find selected private key suitable for decryption on token.");
- if (n_objects > 1)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
- "Configured private key URI matches multiple keys, refusing.");
+ log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2));
- *ret_object = objects[0];
+ if (rv != CKR_OK) {
+ erase_and_free(shared_secret_attr.pValue);
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve a shared secret: %s", sym_p11_kit_strerror(rv));
+ }
+
+ log_info("Successfully derived key with security token.");
+
+ *ret_decrypted_data = shared_secret_attr.pValue;
+ *ret_decrypted_data_size = shared_secret_attr.ulValueLen;
return 0;
}
-int pkcs11_token_decrypt_data(
+static int pkcs11_token_decrypt_data_rsa(
CK_FUNCTION_LIST *m,
CK_SESSION_HANDLE session,
CK_OBJECT_HANDLE object,
_cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL;
CK_ULONG dbuffer_size = 0;
CK_RV rv;
- int r;
-
- assert(m);
- assert(encrypted_data);
- assert(encrypted_data_size > 0);
- assert(ret_decrypted_data);
- assert(ret_decrypted_data_size);
-
- r = dlopen_p11kit();
- if (r < 0)
- return r;
rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object);
if (rv != CKR_OK)
return 0;
}
+int pkcs11_token_decrypt_data(
+ CK_FUNCTION_LIST *m,
+ CK_SESSION_HANDLE session,
+ CK_OBJECT_HANDLE object,
+ const void *encrypted_data,
+ size_t encrypted_data_size,
+ void **ret_decrypted_data,
+ size_t *ret_decrypted_data_size) {
+
+ CK_KEY_TYPE key_type;
+ CK_ATTRIBUTE key_type_template = { CKA_KEY_TYPE, &key_type, sizeof(key_type) };
+ CK_RV rv;
+
+ assert(m);
+ assert(encrypted_data);
+ assert(encrypted_data_size > 0);
+ assert(ret_decrypted_data);
+ assert(ret_decrypted_data_size);
+
+ rv = m->C_GetAttributeValue(session, object, &key_type_template, 1);
+ if (rv != CKR_OK)
+ return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve private key type");
+
+ switch (key_type) {
+
+ case CKK_RSA:
+ return pkcs11_token_decrypt_data_rsa(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
+
+ case CKK_EC:
+ return pkcs11_token_decrypt_data_ecc(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size);
+
+ default:
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported private key type: %lu", key_type);
+ }
+}
+
int pkcs11_token_acquire_rng(
CK_FUNCTION_LIST *m,
CK_SESSION_HANDLE session) {
char *pin_used;
X509 *cert;
const char *askpw_friendly_name, *askpw_icon_name;
+ AskPasswordFlags askpw_flags;
+ bool headless;
};
static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
/* Called for every token matching our URI */
- r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
+ r = pkcs11_token_login(
+ m,
+ session,
+ slot_id,
+ token_info,
+ data->askpw_friendly_name,
+ data->askpw_icon_name,
+ "pkcs11-pin",
+ "pkcs11-pin",
+ UINT64_MAX,
+ data->askpw_flags,
+ data->headless,
+ &pin_used);
if (r < 0)
return r;
* out. (Note that the user can explicitly specify non-hardware tokens if they like, but during
* enumeration we'll filter those, since software tokens are typically the system certificate store
* and such, and it's typically not what people want to bind their home directories to.) */
- if (!FLAGS_SET(token_info->flags, CKF_HW_SLOT|CKF_TOKEN_PRESENT))
+ if (!FLAGS_SET(slot_info->flags, CKF_HW_SLOT|CKF_TOKEN_PRESENT))
return -EAGAIN;
token_label = pkcs11_token_label(token_info);
"pkcs11-pin",
"cryptsetup.pkcs11-pin",
data->until,
+ data->askpw_flags,
data->headless,
NULL);
if (r < 0)
projects / thirdparty / systemd.git / blobdiff