From: Lennart Poettering
Date: Mon, 19 Feb 2024 16:44:01 +0000 (+0100)
Subject: pkcs11-util: clean up credential handling for PKCS11 PIN
X-Git-Tag: v256-rc1~797^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a96c284f10dd28ebad99d52bd72e00f3cb93bfaa;p=thirdparty%2Fsystemd.git
pkcs11-util: clean up credential handling for PKCS11 PIN
similar as the previous commit, let's clean up the credential name we use. Use home.token-pin in case of homectl, and cryptenroll.pkcs11-pin in case of cryptenroll.
---
diff --git a/src/cryptenroll/cryptenroll-pkcs11.c b/src/cryptenroll/cryptenroll-pkcs11.c
index 6b70a147c33..9cdb8407639 100644
--- a/src/cryptenroll/cryptenroll-pkcs11.c
+++ b/src/cryptenroll/cryptenroll-pkcs11.c
@@ -55,7 +55,7 @@ int enroll_pkcs11(
 assert_se(node = crypt_get_device_name(cd));
- r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", &pkey, NULL);
+ r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", "cryptenroll.pkcs11-pin", &pkey, NULL);
 if (r < 0) return r;
diff --git a/src/home/homectl-pkcs11.c b/src/home/homectl-pkcs11.c
index 5c54ec016ee..b9ee8acc4c1 100644
--- a/src/home/homectl-pkcs11.c
+++ b/src/home/homectl-pkcs11.c
@@ -153,7 +153,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
 assert(v);
- r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", &pkey, &pin);
+ r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", "home.token-pin", &pkey, &pin);
 if (r < 0) return r;
diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c
index 6d7568d69bf..bfaca79bc8b 100644
--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
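Review bot: The credential name consulted for the PIN changes here from `pkcs11-pin` to `cryptenroll.pkcs11-pin` (the old name is the second `"pkcs11-pin"` literal removed in the pkcs11_acquire_public_key_callback hunk), and the same applies to the `home.token-pin` rename in the homectl-pkcs11.c hunk; the commit message names the new strings but does not say that a credential provisioned under the old name will no longer be picked up. Since the credential name is a user-visible contract, the rename should be called out in the tool documentation and release notes next to the existing `cryptsetup.pkcs11-pin` name seen in the pkcs11_crypt_device_callback hunk. Scoping the name per tool is a sound change in itself: a PIN credential handed to one consumer is no longer implicitly accepted by every PKCS#11 prompt on the system. enroll_pkcs11 and identity_add_pkcs11_key_data both extend beyond their hunks.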
@@ -291,9 +291,9 @@ int pkcs11_token_login(
 CK_SLOT_ID slotid,
 const CK_TOKEN_INFO *token_info,
 const char *friendly_name,
- const char *icon_name,
- const char *key_name,
- const char *credential_name,
+ const char *askpw_icon,
+ const char *askpw_keyring,
+ const char *askpw_credential,
 usec_t until,
 AskPasswordFlags ask_password_flags,
 bool headless,
@@ -377,10 +377,10 @@ int pkcs11_token_login(
 AskPasswordRequest req = {
 .message = text,
- .icon = icon_name,
+ .icon = askpw_icon,
 .id = id,
- .keyring = key_name,
- .credential = credential_name,
+ .keyring = askpw_keyring,
+ .credential = askpw_credential,
 };
 /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
@@ -1651,7 +1651,7 @@ int pkcs11_find_token(
 struct pkcs11_acquire_public_key_callback_data {
 char *pin_used;
 EVP_PKEY *pkey;
- const char *askpw_friendly_name, *askpw_icon_name;
+ const char *askpw_friendly_name, *askpw_icon, *askpw_credential;
 AskPasswordFlags askpw_flags;
 bool headless;
 };
@@ -1698,9 +1698,9 @@ static int pkcs11_acquire_public_key_callback(
 slot_id,
 token_info,
 data->askpw_friendly_name,
- data->askpw_icon_name,
- "pkcs11-pin",
+ data->askpw_icon,
 "pkcs11-pin",
+ data->askpw_credential,
 UINT64_MAX,
 data->askpw_flags,
 data->headless,
@@ -1829,13 +1829,15 @@ success:
 int pkcs11_acquire_public_key(
 const char *uri,
 const char *askpw_friendly_name,
- const char *askpw_icon_name,
+ const char *askpw_icon,
+ const char *askpw_credential,
 EVP_PKEY **ret_pkey,
 char **ret_pin_used) {
 _cleanup_(pkcs11_acquire_public_key_callback_data_release) struct pkcs11_acquire_public_key_callback_data data = {
 .askpw_friendly_name = askpw_friendly_name,
- .askpw_icon_name = askpw_icon_name,
+ .askpw_icon = askpw_icon,
+ .askpw_credential = askpw_credential,
 };
 int r;
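Review bot: The AskPasswordRequest built in the @@ -377 hunk now carries a caller-chosen credential name, but what happens when a PIN obtained from that credential is rejected is not visible here, and the comment on the hunk's last context line states that a wrong PIN is fatal because tokens usually allow only 3 tries. If the login loop re-asks after a rejected PIN and the credential is consulted on every iteration, a mis-provisioned credential would submit the same wrong PIN until the token locks, so it is worth confirming that a credential-sourced PIN is tried once and the code then falls back to prompting or fails; pkcs11_token_login's retry loop lies outside the hunk. Once confirmed, a comment next to `.credential = askpw_credential,` such as `/* PIN taken from this system credential on the first attempt only; a rejected credential PIN must not be resubmitted */` would record the contract where the next maintainer will look for it.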
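Review bot: In the @@ -1829 hunk pkcs11_acquire_public_key gains an `askpw_credential` parameter with no documentation of whether NULL is accepted, and nothing in the hunk checks it before it is copied into the callback data; both callers in this commit pass a string literal, so the NULL path is not exercised here. Add a comment above the definition (and on the declaration in the pkcs11-util.h hunk) along the lines of `/* askpw_credential: name of the system credential consulted for the token PIN before prompting interactively; NULL presumably skips the credential lookup — confirm against the ask-password layer */`, dropping the hedge once the NULL behaviour is verified. The function body continues past the hunk.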
@@ -2040,7 +2042,7 @@ int pkcs11_crypt_device_callback(
 data->friendly_name,
 "drive-harddisk",
 "pkcs11-pin",
- "cryptsetup.pkcs11-pin",
+ data->askpw_credential,
 data->until,
 data->askpw_flags,
 data->headless,
diff --git a/src/shared/pkcs11-util.h b/src/shared/pkcs11-util.h
index 838f90b6c17..9b4336dc056 100644
--- a/src/shared/pkcs11-util.h
+++ b/src/shared/pkcs11-util.h
@@ -71,7 +71,7 @@ typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HAND
 int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);
 #if HAVE_OPENSSL
-int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, EVP_PKEY **ret_pkey, char **ret_pin_used);
+int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon, const char *askpw_credential, EVP_PKEY **ret_pkey, char **ret_pin_used);
 #endif
 typedef struct {
@@ -83,6 +83,7 @@ typedef struct {
 size_t decrypted_key_size;
 bool free_encrypted_key;
 bool headless;
+ const char *askpw_credential;
 AskPasswordFlags askpw_flags;
 } pkcs11_crypt_device_callback_data;
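Review bot: The literal `"cryptsetup.pkcs11-pin"` is replaced by `data->askpw_credential`, a field this commit adds to pkcs11_crypt_device_callback_data in the @@ -83 hunk of pkcs11-util.h, but no caller that fills that struct is touched in this diff. Unless a separate change sets `.askpw_credential = "cryptsetup.pkcs11-pin"` where the struct is initialised, zero-initialised callers will hand NULL to pkcs11_token_login and the unlock path silently stops consulting the credential, a regression that would surface only as an unexpected interactive prompt or a headless failure. A comment on the new field, `/* Name of the system credential consulted for the token PIN; callers must set this explicitly */`, would make the obligation visible at the declaration. pkcs11_crypt_device_callback's body extends beyond the hunk.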