From a6d2ec331ba81815aedf3400aef29dc6aadcb616 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Wed, 14 Jul 2010 17:44:27 +0200
Subject: [PATCH] Implemented a credential set on top of a PKCS#11 token

---
 src/libstrongswan/plugins/pkcs11/Makefile.am | 1 +
 .../plugins/pkcs11/pkcs11_creds.c | 287 ++++++++++++++++++
 .../plugins/pkcs11/pkcs11_creds.h | 68 +++++
 .../plugins/pkcs11/pkcs11_library.c | 2 +-
 .../plugins/pkcs11/pkcs11_plugin.c | 63 ++++
 5 files changed, 420 insertions(+), 1 deletion(-)
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
 create mode 100644 src/libstrongswan/plugins/pkcs11/pkcs11_creds.h

diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.am b/src/libstrongswan/plugins/pkcs11/Makefile.am
index 0849fa9142..cfd8f02d91 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.am
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.am
@@ -13,6 +13,7 @@ endif
 libstrongswan_pkcs11_la_SOURCES = \
 pkcs11_plugin.h pkcs11_plugin.c pkcs11.h \
 pkcs11_library.h pkcs11_library.c \
+ pkcs11_creds.h pkcs11_creds.c \
 pkcs11_manager.h pkcs11_manager.c
 
 libstrongswan_pkcs11_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
new file mode 100644
index 0000000000..5f79775b99
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pkcs11_creds.h"
+
+#include
+#include
+
+typedef struct private_pkcs11_creds_t private_pkcs11_creds_t;
+
+/**
+ * Private data of an pkcs11_creds_t object.
+ */
+struct private_pkcs11_creds_t {
+
+ /**
+ * Public pkcs11_creds_t interface.
+ */
+ pkcs11_creds_t public;
+
+ /**
+ * PKCS# library
+ */
+ pkcs11_library_t *lib;
+
+ /**
+ * Token slot
+ */
+ CK_SLOT_ID slot;
+
+ /**
+ * List of trusted certificates
+ */
+ linked_list_t *trusted;
+
+ /**
+ * List of untrusted certificates
+ */
+ linked_list_t *untrusted;
+};
+
+/**
+ * Handle a certificate object, optionally trusted
+ */
+static void handle_certificate(private_pkcs11_creds_t *this,
+ CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object,
+ CK_BBOOL trusted)
+{
+ CK_ATTRIBUTE attrs[] = {
+ {CKA_VALUE, NULL, 0},
+ {CKA_LABEL, NULL, 0},
+ };
+ CK_RV rv;
+ certificate_t *cert;
+
+ rv = this->lib->f->C_GetAttributeValue(session, object,
+ attrs, countof(attrs));
+ if (rv != CKR_OK)
+ {
+ DBG1(DBG_CFG, "C_GetAttributeValue(NULL) error: %N", ck_rv_names, rv);
+ return;
+ }
+ if (attrs[0].ulValueLen)
+ {
+ attrs[0].pValue = malloc(attrs[0].ulValueLen);
+ }
+ if (attrs[1].ulValueLen)
+ {
+ attrs[1].pValue = malloc(attrs[1].ulValueLen);
+ }
+ rv = this->lib->f->C_GetAttributeValue(session, object,
+ attrs, countof(attrs));
+ if (rv == CKR_OK)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER,
+ chunk_create(attrs[0].pValue, attrs[0].ulValueLen),
+ BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded %strusted cert '%.*s'",
+ trusted ? "" : "un", attrs[1].ulValueLen, attrs[1].pValue);
+ /* trusted certificates are also returned as untrusted */
+ this->untrusted->insert_last(this->untrusted, cert);
+ if (trusted)
+ {
+ this->trusted->insert_last(this->trusted, cert->get_ref(cert));
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading cert '%.*s' failed",
+ attrs[1].ulValueLen, attrs[1].pValue);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "C_GetAttributeValue() error: %N", ck_rv_names, rv);
+ }
+ free(attrs[0].pValue);
+ free(attrs[1].pValue);
+}
+
+/**
+ * Find certificates, optionally trusted
+ */
+static void find_certificates(private_pkcs11_creds_t *this,
+ CK_SESSION_HANDLE session, CK_BBOOL trusted)
+{
+ CK_OBJECT_CLASS class = CKO_CERTIFICATE;
+ CK_CERTIFICATE_TYPE type = CKC_X_509;
+ CK_ATTRIBUTE template[] = {
+ {CKA_CLASS, &class, sizeof(class)},
+ {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
+ {CKA_TRUSTED, &trusted, sizeof(trusted)},
+ };
+ CK_OBJECT_HANDLE object;
+ CK_ULONG found;
+ CK_RV rv;
+
+ rv = this->lib->f->C_FindObjectsInit(session, template, countof(template));
+ if (rv == CKR_OK)
+ {
+ while (TRUE)
+ {
+ rv = this->lib->f->C_FindObjects(session, &object, 1, &found);
+ if (rv == CKR_OK)
+ {
+ if (found == 1)
+ {
+ handle_certificate(this, session, object, trusted);
+ }
+ else
+ {
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, "C_FindObjects() error: %N", ck_rv_names, rv);
+ break;
+ }
+ }
+ }
+ this->lib->f->C_FindObjectsFinal(session);
+}
+
+/**
+ * Load in the certificates from the token
+ */
+static bool load_certificates(private_pkcs11_creds_t *this)
+{
+ CK_SESSION_HANDLE session;
+ CK_RV rv;
+
+ rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION,
+ NULL, NULL, &session);
+ if (rv != CKR_OK)
+ {
+ DBG1(DBG_CFG, "opening session failed: %N", ck_rv_names, rv);
+ return FALSE;
+ }
+
+ find_certificates(this, session, CK_TRUE);
+ find_certificates(this, session, CK_FALSE);
+
+ this->lib->f->C_CloseSession(session);
+ return TRUE;
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(identification_t *id,
+ certificate_t **in, certificate_t **out)
+{
+ public_key_t *public;
+ certificate_t *cert = *in;
+
+ if (id == NULL || cert->has_subject(cert, id))
+ {
+ *out = *in;
+ return TRUE;
+ }
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (public->has_fingerprint(public, id->get_encoding(id)))
+ {
+ public->destroy(public);
+ *out = *in;
+ return TRUE;
+ }
+ public->destroy(public);
+ }
+ return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+ private_pkcs11_creds_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ enumerator_t *inner;
+
+ if (cert != CERT_X509 && cert != CERT_ANY)
+ {
+ return NULL;
+ }
+ if (trusted)
+ {
+ inner = this->trusted->create_enumerator(this->trusted);
+ }
+ else
+ {
+ inner = this->untrusted->create_enumerator(this->untrusted);
+ }
+ return enumerator_create_filter(inner, (void*)certs_filter, id, NULL);
+}
+
+METHOD(pkcs11_creds_t, get_library, pkcs11_library_t*,
+ private_pkcs11_creds_t *this)
+{
+ return this->lib;
+}
+
+METHOD(pkcs11_creds_t, get_slot, CK_SLOT_ID,
+ private_pkcs11_creds_t *this)
+{
+ return this->slot;
+}
+
+METHOD(pkcs11_creds_t, destroy, void,
+ private_pkcs11_creds_t *this)
+{
+ this->trusted->destroy_offset(this->trusted,
+ offsetof(certificate_t, destroy));
+ this->untrusted->destroy_offset(this->untrusted,
+ offsetof(certificate_t, destroy));
+ free(this);
+}
+
+/**
+ * See header
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot)
+{
+ private_pkcs11_creds_t *this;
+
+ INIT(this,
+ .public = {
+ .set = {
+ .create_shared_enumerator = (void*)enumerator_create_empty,
+ .create_private_enumerator = (void*)enumerator_create_empty,
+ .create_cert_enumerator = _create_cert_enumerator,
+ .create_cdp_enumerator = (void*)enumerator_create_empty,
+ .cache_cert = (void*)nop,
+ },
+ .get_library = _get_library,
+ .get_slot = _get_slot,
+ .destroy = _destroy,
+ },
+ .lib = p11,
+ .slot = slot,
+ .trusted = linked_list_create(),
+ .untrusted = linked_list_create(),
+ );
+
+ if (!load_certificates(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
new file mode 100644
index 0000000000..c40a8dea6b
--- /dev/null
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.h
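Review bot: In pkcs11_creds_create, the failure path after load_certificates() does `free(this)` and so leaks the two linked lists allocated by linked_list_create() in the INIT block; `destroy(this);` releases them (both lists are still empty there, because load_certificates bails out before any find_certificates call). In handle_certificate, both DBG1 calls pass `attrs[1].ulValueLen` (a CK_ULONG) as the precision for `%.*s`, which expects an int, so on LP64 builds the variadic types disagree; cast it, e.g. `(int)attrs[1].ulValueLen`. The malloc() results for CKA_VALUE and CKA_LABEL are never checked: per the C_GetAttributeValue contract a NULL pValue turns the second call back into a length query, after which the certificate would be built from `chunk_create(NULL, attrs[0].ulValueLen)`, so log and return when either allocation fails. Note also that the trusted list is populated purely from the token's CKA_TRUSTED attribute, which is worth stating in the comment on find_certificates so readers know trust is delegated to whoever can set that attribute on the token.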
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pkcs11_creds pkcs11_creds
+ * @{ @ingroup pkcs11
+ */
+
+#ifndef PKCS11_CREDS_H_
+#define PKCS11_CREDS_H_
+
+typedef struct pkcs11_creds_t pkcs11_creds_t;
+
+#include "pkcs11_library.h"
+
+#include
+
+/**
+ * Credential set on top on a PKCS#11 token.
+ */
+struct pkcs11_creds_t {
+
+ /**
+ * Implements credential_set_t.
+ */
+ credential_set_t set;
+
+ /**
+ * Get the PKCS#11 library this set uses.
+ *
+ * @return library
+ */
+ pkcs11_library_t* (*get_library)(pkcs11_creds_t *this);
+
+ /**
+ * Get the slot of the token this set uses.
+ *
+ * @return slot
+ */
+ CK_SLOT_ID (*get_slot)(pkcs11_creds_t *this);
+
+ /**
+ * Destroy a pkcs11_creds_t.
+ */
+ void (*destroy)(pkcs11_creds_t *this);
+};
+
+/**
+ * Create a pkcs11_creds instance.
+ *
+ * @param p11 loaded PKCS#11 library
+ * @param slot slot of the token we hand out credentials
+ */
+pkcs11_creds_t *pkcs11_creds_create(pkcs11_library_t *p11, CK_SLOT_ID slot);
+
+#endif /** PKCS11_CREDS_H_ @}*/
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 76c09a6b4f..bff84b6976 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
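Review bot: The struct comment does not say where the trusted/untrusted split comes from, although that is the property a consumer of this set most needs: the implementation marks a certificate trusted solely because the token flags it CKA_TRUSTED, and create_cert_enumerator with trusted=TRUE hands those out as trusted certificates. Suggested wording for the struct comment: `Credential set on top of a PKCS#11 token. X.509 certificates the token flags CKA_TRUSTED are returned as trusted; all X.509 certificates on the token are returned as untrusted.` (this also fixes the "on top on" typo). pkcs11_creds_create() has no `@return`; add `@return credential set, NULL if no session could be opened on the slot`, since the .c returns NULL when C_OpenSession fails.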
@@ -477,7 +477,7 @@ METHOD(pkcs11_library_t, destroy, void,
 private_pkcs11_library_t *this)
 {
 this->public.f->C_Finalize(NULL);
- dlclose(this->handle);
+ //dlclose(this->handle);
 free(this);
 }
 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
index 2d9b286dc6..6befacd6b7 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
@@ -17,8 +17,11 @@
 
 #include
 #include
+#include
+#include
 
 #include "pkcs11_manager.h"
+#include "pkcs11_creds.h"
 
 typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t;
 
@@ -36,6 +39,16 @@ struct private_pkcs11_plugin_t {
 * PKCS#11 library/slot manager
 */
 pkcs11_manager_t *manager;
+
+ /**
+ * List of credential sets, pkcs11_creds_t
+ */
+ linked_list_t *creds;
+
+ /**
+ * mutex to lock list
+ */
+ mutex_t *mutex;
 };
 
 /**
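Review bot: Commenting out `dlclose(this->handle)` turns the library destructor into a handle leak without saying why, and commented-out code gives the next maintainer no way to tell a deliberate decision from a debugging leftover. If the unload must be skipped because the module cannot be safely torn down after C_Finalize (a thread or exit handler left registered by the PKCS#11 module would be the usual reason, but the hunk states none), keep the line out and record the reason, e.g. `/* handle intentionally not dlclose()d: unloading the module after C_Finalize is not safe, see <reason> */`; otherwise restore the call. The destroy method's signature begins on the hunk-header line, so only its tail is visible here.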
@@ -44,12 +57,60 @@ struct private_pkcs11_plugin_t {
 static void token_event_cb(private_pkcs11_plugin_t *this,
 pkcs11_library_t *p11, CK_SLOT_ID slot, bool add)
 {
+ enumerator_t *enumerator;
+ pkcs11_creds_t *creds, *found = NULL;;
+
+ if (add)
+ {
+ creds = pkcs11_creds_create(p11, slot);
+ if (creds)
+ {
+ this->mutex->lock(this->mutex);
+ this->creds->insert_last(this->creds, creds);
+ this->mutex->unlock(this->mutex);
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+ }
+ }
+ else
+ {
+ this->mutex->lock(this->mutex);
+ enumerator = this->creds->create_enumerator(this->creds);
+ while (enumerator->enumerate(enumerator, &creds))
+ {
+ if (creds->get_library(creds) == p11 &&
+ creds->get_slot(creds) == slot)
+ {
+ found = creds;
+ this->creds->remove_at(this->creds, enumerator);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ if (found)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &found->set);
+ found->destroy(found);
+ /* flush the cache after a token is gone */
+ lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+ }
+ }
 }
 
 METHOD(plugin_t, destroy, void,
 private_pkcs11_plugin_t *this)
 {
+ pkcs11_creds_t *creds;
+
+ while (this->creds->remove_last(this->creds, (void**)&creds) == SUCCESS)
+ {
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ }
+ this->creds->destroy(this->creds);
 this->manager->destroy(this->manager);
+ this->mutex->destroy(this->mutex);
 free(this);
 }
 
@@ -62,6 +123,8 @@ plugin_t *pkcs11_plugin_create()
 
 INIT(this,
 .public.plugin.destroy = _destroy,
+ .creds = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 );
 
 this->manager = pkcs11_manager_create((void*)token_event_cb, this);
-- 
2.47.2
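Review bot: `pkcs11_creds_t *creds, *found = NULL;;` at the top of token_event_cb has a stray second semicolon; drop it: `pkcs11_creds_t *creds, *found = NULL;`. In the add path the new set is linked into this->creds under the mutex but handed to lib->credmgr->add_set only after the unlock, so a removal event for the same slot arriving in that window would find the set in the list and call remove_set for a set that was never added; if the credential manager tolerates that it is harmless, but a one-line comment stating that ordering is deliberate (or registering before unlocking) would make the intent explicit. In the plugin destroy, this->creds and the sets are torn down before this->manager; should the manager still deliver a token event during its own destroy (not visible in this hunk), token_event_cb would walk a destroyed list, so destroying the manager first and draining this->creds afterwards is the safer order unless the manager guarantees no callbacks after destroy begins.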