pkcs11-util: clean up credential handling for PKCS11 PIN
authorLennart Poettering <lennart@poettering.net>
Mon, 19 Feb 2024 16:44:01 +0000 (17:44 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 20 Feb 2024 15:50:00 +0000 (16:50 +0100)
Similar to the previous commit, let's clean up the credential name we
use. Use home.token-pin in case of homectl, and cryptenroll.pkcs11-pin
in case of cryptenroll.

src/cryptenroll/cryptenroll-pkcs11.c
src/home/homectl-pkcs11.c
src/shared/pkcs11-util.c
src/shared/pkcs11-util.h

index 6b70a147c33f58e27580c427727cb9dbc3283ce9..9cdb8407639f1dd318a83e9117c01ca389822687 100644 (file)
@@ -55,7 +55,7 @@ int enroll_pkcs11(
 
         assert_se(node = crypt_get_device_name(cd));
 
-        r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", &pkey, NULL);
+        r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", "cryptenroll.pkcs11-pin", &pkey, NULL);
         if (r < 0)
                 return r;
 
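Review bot: The credential name passed on the new line, `"cryptenroll.pkcs11-pin"`, replaces the generic `"pkcs11-pin"` that pkcs11_acquire_public_key_callback() previously handed to pkcs11_token_login() as the credential (the same applies to `"home.token-pin"` in homectl-pkcs11.c), so a deployment that already supplies the PIN under the old credential name presumably stops matching it and falls back to an interactive prompt, or fails when running headless. The commit's file list contains no man-page or NEWS change, so unless a sibling commit covers it, the new names should be documented alongside the other credentials these tools accept, with a note that `pkcs11-pin` is no longer honoured. enroll_pkcs11() starts and ends outside the hunk.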
index 5c54ec016eee5a414d735ce50b72473bb952f634..b9ee8acc4c1b18c95d05bb5ce02f7a4416c88a0a 100644 (file)
@@ -153,7 +153,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
 
         assert(v);
 
-        r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", &pkey, &pin);
+        r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", "home.token-pin", &pkey, &pin);
         if (r < 0)
                 return r;
 
index 6d7568d69bfc8aa4ec4b2a750ed77a7e9ef32bfd..bfaca79bc8bfea458f4cf9734b09e6d23115f94b 100644 (file)
@@ -291,9 +291,9 @@ int pkcs11_token_login(
                 CK_SLOT_ID slotid,
                 const CK_TOKEN_INFO *token_info,
                 const char *friendly_name,
-                const char *icon_name,
-                const char *key_name,
-                const char *credential_name,
+                const char *askpw_icon,
+                const char *askpw_keyring,
+                const char *askpw_credential,
                 usec_t until,
                 AskPasswordFlags ask_password_flags,
                 bool headless,
@@ -377,10 +377,10 @@ int pkcs11_token_login(
 
                         AskPasswordRequest req = {
                                 .message = text,
-                                .icon = icon_name,
+                                .icon = askpw_icon,
                                 .id = id,
-                                .keyring = key_name,
-                                .credential = credential_name,
+                                .keyring = askpw_keyring,
+                                .credential = askpw_credential,
                         };
 
                         /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
@@ -1651,7 +1651,7 @@ int pkcs11_find_token(
 struct pkcs11_acquire_public_key_callback_data {
         char *pin_used;
         EVP_PKEY *pkey;
-        const char *askpw_friendly_name, *askpw_icon_name;
+        const char *askpw_friendly_name, *askpw_icon, *askpw_credential;
         AskPasswordFlags askpw_flags;
         bool headless;
 };
@@ -1698,9 +1698,9 @@ static int pkcs11_acquire_public_key_callback(
                         slot_id,
                         token_info,
                         data->askpw_friendly_name,
-                        data->askpw_icon_name,
-                        "pkcs11-pin",
+                        data->askpw_icon,
                         "pkcs11-pin",
+                        data->askpw_credential,
                         UINT64_MAX,
                         data->askpw_flags,
                         data->headless,
@@ -1829,13 +1829,15 @@ success:
 int pkcs11_acquire_public_key(
                 const char *uri,
                 const char *askpw_friendly_name,
-                const char *askpw_icon_name,
+                const char *askpw_icon,
+                const char *askpw_credential,
                 EVP_PKEY **ret_pkey,
                 char **ret_pin_used) {
 
         _cleanup_(pkcs11_acquire_public_key_callback_data_release) struct pkcs11_acquire_public_key_callback_data data = {
                 .askpw_friendly_name = askpw_friendly_name,
-                .askpw_icon_name = askpw_icon_name,
+                .askpw_icon = askpw_icon,
+                .askpw_credential = askpw_credential,
         };
         int r;
 
@@ -2040,7 +2042,7 @@ int pkcs11_crypt_device_callback(
                         data->friendly_name,
                         "drive-harddisk",
                         "pkcs11-pin",
-                        "cryptsetup.pkcs11-pin",
+                        data->askpw_credential,
                         data->until,
                         data->askpw_flags,
                         data->headless,
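Review bot: The hard-coded `"cryptsetup.pkcs11-pin"` in pkcs11_crypt_device_callback() is replaced by `data->askpw_credential`, but none of the four files in this commit initialises that new pkcs11_crypt_device_callback_data field, so unless the cryptsetup caller is updated in a sibling commit, existing initialisers leave it NULL and the credential-based PIN lookup for cryptsetup presumably changes behaviour silently. Making the contract explicit would catch that: either `assert(data->askpw_credential);` at the top of the function, or a comment on the new field in pkcs11-util.h stating whether NULL is permitted and what it means to the AskPasswordRequest it ends up in. The same consideration applies to pkcs11_acquire_public_key(), which now accepts askpw_credential without checking it. pkcs11_crypt_device_callback() starts and ends outside the hunk.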
index 838f90b6c17dbd091a00fca8b2e6422237b29ad5..9b4336dc05605d2858ffefed07e07db3af2e13a7 100644 (file)
@@ -71,7 +71,7 @@ typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HAND
 int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);
 
 #if HAVE_OPENSSL
-int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, EVP_PKEY **ret_pkey, char **ret_pin_used);
+int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon, const char *askpw_credential, EVP_PKEY **ret_pkey, char **ret_pin_used);
 #endif
 
 typedef struct {
@@ -83,6 +83,7 @@ typedef struct {
         size_t decrypted_key_size;
         bool free_encrypted_key;
         bool headless;
+        const char *askpw_credential;
         AskPasswordFlags askpw_flags;
 } pkcs11_crypt_device_callback_data;