diff options
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/openssl-util.c | 172 | ||||
-rw-r--r-- | src/shared/openssl-util.h | 2 | ||||
-rw-r--r-- | src/shared/pkcs11-util.c | 485 | ||||
-rw-r--r-- | src/shared/pkcs11-util.h | 5 |
4 files changed, 567 insertions, 97 deletions
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c index b0a5563395..d4a689cf85 100644 --- a/src/shared/openssl-util.c +++ b/src/shared/openssl-util.c @@ -4,11 +4,12 @@ #include "fd-util.h" #include "hexdecoct.h" #include "openssl-util.h" +#include "random-util.h" #include "string-util.h" #if HAVE_OPENSSL -/* For each error in the the OpenSSL thread error queue, log the provided message and the OpenSSL error - * string. If there are no errors in the OpenSSL thread queue, this logs the message with "No openssl +/* For each error in the OpenSSL thread error queue, log the provided message and the OpenSSL error + * string. If there are no errors in the OpenSSL thread queue, this logs the message with "No OpenSSL * errors." This logs at level debug. Returns -EIO (or -ENOMEM). */ #define log_openssl_errors(fmt, ...) _log_openssl_errors(UNIQ, fmt, ##__VA_ARGS__) #define _log_openssl_errors(u, fmt, ...) \ @@ -523,7 +524,6 @@ int rsa_encrypt_bytes( *ret_encrypt_key = TAKE_PTR(b); *ret_encrypt_key_size = l; - return 0; } @@ -989,7 +989,7 @@ int ecc_ecdh(const EVP_PKEY *private_pkey, if (EVP_PKEY_derive(ctx, NULL, &shared_secret_size) <= 0) return log_openssl_errors("Failed to get ECC shared secret size"); - _cleanup_free_ void *shared_secret = malloc(shared_secret_size); + _cleanup_(erase_and_freep) void *shared_secret = malloc(shared_secret_size); if (!shared_secret) return log_oom_debug(); @@ -1128,6 +1128,170 @@ int string_hashsum( return 0; } # endif + +static int ecc_pkey_generate_volume_keys( + EVP_PKEY *pkey, + void **ret_decrypted_key, + size_t *ret_decrypted_key_size, + void **ret_saved_key, + size_t *ret_saved_key_size) { + + _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey_new = NULL; + _cleanup_(erase_and_freep) void *decrypted_key = NULL; + _cleanup_free_ unsigned char *saved_key = NULL; + size_t decrypted_key_size, saved_key_size; + int nid = NID_undef; + int r; + +#if OPENSSL_VERSION_MAJOR >= 3 + _cleanup_free_ char *curve_name = NULL; + size_t len = 0; + + if (EVP_PKEY_get_group_name(pkey, NULL, 0, &len) != 1 || len == 0) + return log_openssl_errors("Failed to determine PKEY group name length"); + + len++; + curve_name = new(char, len); + if (!curve_name) + return log_oom_debug(); + + if (EVP_PKEY_get_group_name(pkey, curve_name, len, &len) != 1) + return log_openssl_errors("Failed to get PKEY group name"); + + nid = OBJ_sn2nid(curve_name); +#else + EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); + if (!ec_key) + return log_openssl_errors("PKEY doesn't have EC_KEY associated"); + + if (EC_KEY_check_key(ec_key) != 1) + return log_openssl_errors("EC_KEY associated with PKEY is not valid"); + + nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)); +#endif + + r = ecc_pkey_new(nid, &pkey_new); + if (r < 0) + return log_debug_errno(r, "Failed to generate a new EC keypair: %m"); + + r = ecc_ecdh(pkey_new, pkey, &decrypted_key, &decrypted_key_size); + if (r < 0) + return log_debug_errno(r, "Failed to derive shared secret: %m"); + +#if OPENSSL_VERSION_MAJOR >= 3 + /* EVP_PKEY_get1_encoded_public_key() always returns uncompressed format of EC points. + See https://github.com/openssl/openssl/discussions/22835 */ + saved_key_size = EVP_PKEY_get1_encoded_public_key(pkey_new, &saved_key); + if (saved_key_size == 0) + return log_openssl_errors("Failed to convert the generated public key to SEC1 format"); +#else + EC_KEY *ec_key_new = EVP_PKEY_get0_EC_KEY(pkey_new); + if (!ec_key_new) + return log_openssl_errors("The generated key doesn't have associated EC_KEY"); + + if (EC_KEY_check_key(ec_key_new) != 1) + return log_openssl_errors("EC_KEY associated with the generated key is not valid"); + + saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new), + EC_KEY_get0_public_key(ec_key_new), + POINT_CONVERSION_UNCOMPRESSED, + NULL, 0, NULL); + if (saved_key_size == 0) + return log_openssl_errors("Failed to determine size of the generated public key"); + + saved_key = malloc(saved_key_size); + if (!saved_key) + return log_oom_debug(); + + saved_key_size = EC_POINT_point2oct(EC_KEY_get0_group(ec_key_new), + EC_KEY_get0_public_key(ec_key_new), + POINT_CONVERSION_UNCOMPRESSED, + saved_key, saved_key_size, NULL); + if (saved_key_size == 0) + return log_openssl_errors("Failed to convert the generated public key to SEC1 format"); +#endif + + *ret_decrypted_key = TAKE_PTR(decrypted_key); + *ret_decrypted_key_size = decrypted_key_size; + *ret_saved_key = TAKE_PTR(saved_key); + *ret_saved_key_size = saved_key_size; + return 0; +} + +static int rsa_pkey_generate_volume_keys( + EVP_PKEY *pkey, + void **ret_decrypted_key, + size_t *ret_decrypted_key_size, + void **ret_saved_key, + size_t *ret_saved_key_size) { + + _cleanup_(erase_and_freep) void *decrypted_key = NULL; + _cleanup_free_ void *saved_key = NULL; + size_t decrypted_key_size, saved_key_size; + int r; + + r = rsa_pkey_to_suitable_key_size(pkey, &decrypted_key_size); + if (r < 0) + return log_debug_errno(r, "Failed to determine RSA public key size."); + + log_debug("Generating %zu bytes random key.", decrypted_key_size); + + decrypted_key = malloc(decrypted_key_size); + if (!decrypted_key) + return log_oom_debug(); + + r = crypto_random_bytes(decrypted_key, decrypted_key_size); + if (r < 0) + return log_debug_errno(r, "Failed to generate random key: %m"); + + r = rsa_encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &saved_key, &saved_key_size); + if (r < 0) + return log_debug_errno(r, "Failed to encrypt random key: %m"); + + *ret_decrypted_key = TAKE_PTR(decrypted_key); + *ret_decrypted_key_size = decrypted_key_size; + *ret_saved_key = TAKE_PTR(saved_key); + *ret_saved_key_size = saved_key_size; + return 0; +} + +int x509_generate_volume_keys( + X509 *cert, + void **ret_decrypted_key, + size_t *ret_decrypted_key_size, + void **ret_saved_key, + size_t *ret_saved_key_size) { + + assert(cert); + assert(ret_decrypted_key); + assert(ret_decrypted_key_size); + assert(ret_saved_key); + assert(ret_saved_key_size); + + EVP_PKEY *pkey = X509_get0_pubkey(cert); + if (!pkey) + return log_openssl_errors("Failed to extract public key from X.509 certificate."); + +#if OPENSSL_VERSION_MAJOR >= 3 + int type = EVP_PKEY_get_base_id(pkey); +#else + int type = EVP_PKEY_base_id(pkey); +#endif + switch (type) { + + case EVP_PKEY_RSA: + return rsa_pkey_generate_volume_keys(pkey, ret_decrypted_key, ret_decrypted_key_size, ret_saved_key, ret_saved_key_size); + + case EVP_PKEY_EC: + return ecc_pkey_generate_volume_keys(pkey, ret_decrypted_key, ret_decrypted_key_size, ret_saved_key, ret_saved_key_size); + + case NID_undef: + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to determine a type of public key"); + + default: + return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported public key type: %s", OBJ_nid2sn(type)); + } +} #endif int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) { diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h index e3f34a8576..2ca3e8c1ce 100644 --- a/src/shared/openssl-util.h +++ b/src/shared/openssl-util.h @@ -108,6 +108,8 @@ int ecc_pkey_new(int curve_id, EVP_PKEY **ret); int ecc_ecdh(const EVP_PKEY *private_pkey, const EVP_PKEY *peer_pkey, void **ret_shared_secret, size_t *ret_shared_secret_size); +int x509_generate_volume_keys(X509 *cert, void **ret_decrypted_key, size_t *ret_decrypted_key_size, void **ret_saved_key, size_t *ret_saved_key_size); + int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_size); int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_t size, void **ret, size_t *ret_size); diff --git a/src/shared/pkcs11-util.c b/src/shared/pkcs11-util.c index 6e88dc3803..c3d97b80f9 100644 --- a/src/shared/pkcs11-util.c +++ b/src/shared/pkcs11-util.c @@ -586,143 +586,419 @@ int pkcs11_token_find_private_key( P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object) { - bool found_decrypt = false, found_class = false, found_key_type = false; + uint_fast8_t n_objects = 0; + bool found_class = false; _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL; - CK_ULONG n_attributes, a, n_objects; - CK_ATTRIBUTE *attributes = NULL; - CK_OBJECT_HANDLE objects[2]; - CK_RV rv, rv2; - int r; + CK_OBJECT_HANDLE object, candidate; + static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY; + CK_BBOOL decrypt_value, derive_value; + CK_ATTRIBUTE optional_attributes[] = { + { CKA_DECRYPT, &decrypt_value, sizeof(decrypt_value) }, + { CKA_DERIVE, &derive_value, sizeof(derive_value) } + }; + CK_RV rv; assert(m); assert(search_uri); assert(ret_object); - r = dlopen_p11kit(); - if (r < 0) - return r; - - attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes); - for (a = 0; a < n_attributes; a++) { + CK_ULONG n_attributes; + CK_ATTRIBUTE *attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes); + for (CK_ULONG i = 0; i < n_attributes; i++) { /* We use the URI's included match attributes, but make them more strict. This allows users * to specify a token URL instead of an object URL and the right thing should happen if * there's only one suitable key on the token. */ - switch (attributes[a].type) { - + switch (attributes[i].type) { case CKA_CLASS: { CK_OBJECT_CLASS c; - if (attributes[a].ulValueLen != sizeof(c)) + if (attributes[i].ulValueLen != sizeof(c)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size."); - memcpy(&c, attributes[a].pValue, sizeof(c)); + memcpy(&c, attributes[i].pValue, sizeof(c)); if (c != CKO_PRIVATE_KEY) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not a private key, refusing."); found_class = true; break; - } + }} + } + + if (!found_class) { + /* Hmm, let's slightly extend the attribute list we search for */ - case CKA_DECRYPT: { - CK_BBOOL b; + attributes_buffer = new(CK_ATTRIBUTE, n_attributes + 1); + if (!attributes_buffer) + return log_oom(); - if (attributes[a].ulValueLen != sizeof(b)) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_DECRYPT attribute size."); + memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes); - memcpy(&b, attributes[a].pValue, sizeof(b)); - if (!b) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Selected PKCS#11 object is not suitable for decryption, refusing."); + attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) { + .type = CKA_CLASS, + .pValue = (CK_OBJECT_CLASS*) &class, + .ulValueLen = sizeof(class), + }; + + attributes = attributes_buffer; + } + + rv = m->C_FindObjectsInit(session, attributes, n_attributes); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv)); + + for (;;) { + CK_ULONG b; + rv = m->C_FindObjects(session, &candidate, 1, &b); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to find objects: %s", sym_p11_kit_strerror(rv)); - found_decrypt = true; + if (b == 0) break; + + bool can_decrypt = false, can_derive = false; + optional_attributes[0].ulValueLen = sizeof(decrypt_value); + optional_attributes[1].ulValueLen = sizeof(derive_value); + + rv = m->C_GetAttributeValue(session, candidate, optional_attributes, ELEMENTSOF(optional_attributes)); + if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to get attributes of a selected private key: %s", sym_p11_kit_strerror(rv)); + + if (optional_attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION && decrypt_value == CK_TRUE) + can_decrypt = true; + + if (optional_attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION && derive_value == CK_TRUE) + can_derive = true; + + if (can_decrypt || can_derive) { + n_objects++; + if (n_objects > 1) + break; + object = candidate; } + } - case CKA_KEY_TYPE: { - CK_KEY_TYPE t; + rv = m->C_FindObjectsFinal(session); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv)); - if (attributes[a].ulValueLen != sizeof(t)) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_KEY_TYPE attribute size."); + if (n_objects == 0) + return log_error_errno(SYNTHETIC_ERRNO(ENOENT), + "Failed to find selected private key suitable for decryption or derivation on token."); - memcpy(&t, attributes[a].pValue, sizeof(t)); - if (t != CKK_RSA) - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an RSA key, refusing."); + if (n_objects > 1) + return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ), + "Configured private key URI matches multiple keys, refusing."); - found_key_type = true; - break; - }} + *ret_object = object; + return 0; +} + +static const char* object_class_to_string(CK_OBJECT_CLASS class) { + switch (class) { + case CKO_CERTIFICATE: + return "CKO_CERTIFICATE"; + case CKO_PUBLIC_KEY: + return "CKO_PUBLIC_KEY"; + case CKO_PRIVATE_KEY: + return "CKO_PRIVATE_KEY"; + case CKO_SECRET_KEY: + return "CKO_SECRET_KEY"; + default: + return NULL; } +} - if (!found_decrypt || !found_class || !found_key_type) { - /* Hmm, let's slightly extend the attribute list we search for */ +/* Returns an object with the given class and the same CKA_ID or CKA_LABEL as prototype */ +int pkcs11_token_find_related_object( + CK_FUNCTION_LIST *m, + CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE prototype, + CK_OBJECT_CLASS class, + CK_OBJECT_HANDLE *ret_object ) { - attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_decrypt + !found_class + !found_key_type); - if (!attributes_buffer) + _cleanup_free_ void *buffer = NULL; + CK_ATTRIBUTE attributes[] = { + { CKA_ID, NULL_PTR, 0 }, + { CKA_LABEL, NULL_PTR, 0 } + }; + CK_OBJECT_CLASS search_class = class; + CK_ATTRIBUTE search_attributes[2] = { + { CKA_CLASS, &search_class, sizeof(search_class) } + }; + CK_ULONG n_objects; + CK_OBJECT_HANDLE objects[2]; + CK_RV rv; + + rv = m->C_GetAttributeValue(session, prototype, attributes, ELEMENTSOF(attributes)); + if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve length of attributes: %s", sym_p11_kit_strerror(rv)); + + if (attributes[0].ulValueLen != CK_UNAVAILABLE_INFORMATION) { + buffer = malloc(attributes[0].ulValueLen); + if (!buffer) return log_oom(); - memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes); + attributes[0].pValue = buffer; + rv = m->C_GetAttributeValue(session, prototype, &attributes[0], 1); + if (rv != CKR_OK) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve CKA_ID: %s", sym_p11_kit_strerror(rv)); - if (!found_decrypt) { - static const CK_BBOOL yes = true; + search_attributes[1] = attributes[0]; - attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) { - .type = CKA_DECRYPT, - .pValue = (CK_BBOOL*) &yes, - .ulValueLen = sizeof(yes), - }; - } + } else if (attributes[1].ulValueLen != CK_UNAVAILABLE_INFORMATION) { + buffer = malloc(attributes[1].ulValueLen); + if (!buffer) + return log_oom(); - if (!found_class) { - static const CK_OBJECT_CLASS class = CKO_PRIVATE_KEY; + attributes[1].pValue = buffer; + rv = m->C_GetAttributeValue(session, prototype, &attributes[1], 1); + if (rv != CKR_OK) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve CKA_LABEL: %s", sym_p11_kit_strerror(rv)); - attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) { - .type = CKA_CLASS, - .pValue = (CK_OBJECT_CLASS*) &class, - .ulValueLen = sizeof(class), - }; - } + search_attributes[1] = attributes[1]; - if (!found_key_type) { - static const CK_KEY_TYPE type = CKK_RSA; + } else + return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "The prototype does not have CKA_ID or CKA_LABEL"); - attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) { - .type = CKA_KEY_TYPE, - .pValue = (CK_KEY_TYPE*) &type, - .ulValueLen = sizeof(type), - }; - } + rv = m->C_FindObjectsInit(session, search_attributes, 2); + if (rv != CKR_OK) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv)); - attributes = attributes_buffer; + rv = m->C_FindObjects(session, objects, 2, &n_objects); + if (rv != CKR_OK) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Failed to find objects: %s", sym_p11_kit_strerror(rv)); + + rv = m->C_FindObjectsFinal(session); + if (rv != CKR_OK) + return log_debug_errno(SYNTHETIC_ERRNO(EIO), + "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv)); + + if (n_objects == 0) + return log_debug_errno(SYNTHETIC_ERRNO(ENOENT), + "Failed to find a related object with class %s", object_class_to_string(class)); + + if (n_objects > 1) + log_warning("Found multiple related objects with class %s, using the first object.", + object_class_to_string(class)); + + *ret_object = objects[0]; + return 0; +} + +#if HAVE_OPENSSL +static int ecc_convert_to_compressed( + CK_FUNCTION_LIST *m, + CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE object, + const void *uncompressed_point, + size_t uncompressed_point_size, + void **ret_compressed_point, + size_t *ret_compressed_point_size) { + + _cleanup_free_ void *ec_params_buffer = NULL; + CK_ATTRIBUTE ec_params_attr = { CKA_EC_PARAMS, NULL_PTR, 0 }; + CK_RV rv; + int r; + + rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1); + if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv)); + + if (ec_params_attr.ulValueLen != CK_UNAVAILABLE_INFORMATION) { + ec_params_buffer = malloc(ec_params_attr.ulValueLen); + if (!ec_params_buffer) + return log_oom(); + + ec_params_attr.pValue = ec_params_buffer; + rv = m->C_GetAttributeValue(session, object, &ec_params_attr, 1); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve CKA_EC_PARAMS from a private key: %s", sym_p11_kit_strerror(rv)); + } else { + CK_OBJECT_HANDLE public_key; + r = pkcs11_token_find_related_object(m, session, object, CKO_PUBLIC_KEY, &public_key); + if (r < 0) + return log_error_errno(r, "Failed to find a public key for compressing a EC point"); + + ec_params_attr.ulValueLen = 0; + rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1); + if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve length of CKA_EC_PARAMS: %s", sym_p11_kit_strerror(rv)); + + if (ec_params_attr.ulValueLen == CK_UNAVAILABLE_INFORMATION) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "The public key does not have CKA_EC_PARAMS"); + + ec_params_buffer = malloc(ec_params_attr.ulValueLen); + if (!ec_params_buffer) + return log_oom(); + + ec_params_attr.pValue = ec_params_buffer; + rv = m->C_GetAttributeValue(session, public_key, &ec_params_attr, 1); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), + "Failed to retrieve CKA_EC_PARAMS from a public key: %s", sym_p11_kit_strerror(rv)); } - rv = m->C_FindObjectsInit(session, attributes, n_attributes); + _cleanup_(EC_GROUP_freep) EC_GROUP *group = NULL; + _cleanup_(EC_POINT_freep) EC_POINT *point = NULL; + _cleanup_(BN_CTX_freep) BN_CTX *bnctx = NULL; + _cleanup_free_ void *compressed_point = NULL; + size_t compressed_point_size; + + const unsigned char *ec_params_value = ec_params_attr.pValue; + group = d2i_ECPKParameters(NULL, &ec_params_value, ec_params_attr.ulValueLen); + if (!group) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode CKA_EC_PARAMS"); + + point = EC_POINT_new(group); + if (!point) + return log_oom(); + + bnctx = BN_CTX_new(); + if (!bnctx) + return log_oom(); + + if (EC_POINT_oct2point(group, point, uncompressed_point, uncompressed_point_size, bnctx) != 1) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unable to decode an uncompressed EC point"); + + compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, NULL, 0, bnctx); + if (compressed_point_size == 0) + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to determine size of a compressed EC point"); + + compressed_point = malloc(compressed_point_size); + if (!compressed_point) + return log_oom(); + + compressed_point_size = EC_POINT_point2oct(group, point, POINT_CONVERSION_COMPRESSED, compressed_point, compressed_point_size, bnctx); + if (compressed_point_size == 0) + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to convert a EC point to compressed format"); + + *ret_compressed_point = TAKE_PTR(compressed_point); + *ret_compressed_point_size = compressed_point_size; + return 0; +} +#endif + +/* Since EC keys doesn't support encryption directly, we use ECDH protocol to derive shared secret here. + * We use PKCS#11 C_DeriveKey function to derive a shared secret with a private key stored in the token and + * a public key saved on enrollment. */ +static int pkcs11_token_decrypt_data_ecc( + CK_FUNCTION_LIST *m, + CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE object, + const void *encrypted_data, + size_t encrypted_data_size, + void **ret_decrypted_data, + size_t *ret_decrypted_data_size) { + + static const CK_BBOOL yes = CK_TRUE, no = CK_FALSE; + static const CK_OBJECT_CLASS shared_secret_class = CKO_SECRET_KEY; + static const CK_KEY_TYPE shared_secret_type = CKK_GENERIC_SECRET; + static const CK_ATTRIBUTE shared_secret_template[] = { + { CKA_TOKEN, (void*) &no, sizeof(no) }, + { CKA_CLASS, (void*) &shared_secret_class, sizeof(shared_secret_class) }, + { CKA_KEY_TYPE, (void*) &shared_secret_type, sizeof(shared_secret_type) }, + { CKA_SENSITIVE, (void*) &no, sizeof(no) }, + { CKA_EXTRACTABLE, (void*) &yes, sizeof(yes) } + }; + CK_ECDH1_DERIVE_PARAMS params = { + .kdf = CKD_NULL, + .pPublicData = (void*) encrypted_data, + .ulPublicDataLen = encrypted_data_size + }; + CK_MECHANISM mechanism = { + .mechanism = CKM_ECDH1_DERIVE, + .pParameter = ¶ms, + .ulParameterLen = sizeof(params) + }; + CK_OBJECT_HANDLE shared_secret_handle; + CK_SESSION_INFO session_info; + CK_MECHANISM_INFO mechanism_info; + CK_RV rv, rv2; +#if HAVE_OPENSSL + _cleanup_free_ void *compressed_point = NULL; + int r; +#endif + + rv = m->C_GetSessionInfo(session, &session_info); if (rv != CKR_OK) return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv)); + "Failed to get information about the PKCS#11 session: %s", sym_p11_kit_strerror(rv)); - rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects); - rv2 = m->C_FindObjectsFinal(session); + rv = m->C_GetMechanismInfo(session_info.slotID, CKM_ECDH1_DERIVE, &mechanism_info); if (rv != CKR_OK) return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Failed to find objects: %s", sym_p11_kit_strerror(rv)); + "Failed to get information about CKM_ECDH1_DERIVE: %s", sym_p11_kit_strerror(rv)); + + if (!(mechanism_info.flags & CKF_EC_UNCOMPRESS)) { + if (mechanism_info.flags & CKF_EC_COMPRESS) { +#if HAVE_OPENSSL + log_debug("CKM_ECDH1_DERIVE accepts compressed EC points only, trying to convert."); + size_t compressed_point_size; + r = ecc_convert_to_compressed(m, session, object, encrypted_data, encrypted_data_size, &compressed_point, &compressed_point_size); + if (r < 0) + return r; + + params.pPublicData = compressed_point; + params.ulPublicDataLen = compressed_point_size; +#else + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), + "CKM_ECDH1_DERIVE does not support uncompressed format of EC points"); +#endif + } else + log_debug("Both CKF_EC_UNCOMPRESS and CKF_EC_COMPRESS are false for CKM_ECDH1_DERIVE, ignoring."); + } + + rv = m->C_DeriveKey(session, &mechanism, object, (CK_ATTRIBUTE*) shared_secret_template, ELEMENTSOF(shared_secret_template), &shared_secret_handle); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to derive a shared secret: %s", sym_p11_kit_strerror(rv)); + + CK_ATTRIBUTE shared_secret_attr = { CKA_VALUE, NULL_PTR, 0}; + + rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1); + if (rv != CKR_OK) { + rv2 = m->C_DestroyObject(session, shared_secret_handle); + if (rv2 != CKR_OK) + log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2)); + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve shared secret length: %s", sym_p11_kit_strerror(rv)); + } + + shared_secret_attr.pValue = malloc(shared_secret_attr.ulValueLen); + if (!shared_secret_attr.pValue) + return log_oom(); + + rv = m->C_GetAttributeValue(session, shared_secret_handle, &shared_secret_attr, 1); + rv2 = m->C_DestroyObject(session, shared_secret_handle); if (rv2 != CKR_OK) - return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv)); - if (n_objects == 0) - return log_error_errno(SYNTHETIC_ERRNO(ENOENT), - "Failed to find selected private key suitable for decryption on token."); - if (n_objects > 1) - return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ), - "Configured private key URI matches multiple keys, refusing."); + log_warning("Failed to destroy a shared secret, ignoring: %s", sym_p11_kit_strerror(rv2)); - *ret_object = objects[0]; + if (rv != CKR_OK) { + erase_and_free(shared_secret_attr.pValue); + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve a shared secret: %s", sym_p11_kit_strerror(rv)); + } + + log_info("Successfully derived key with security token."); + + *ret_decrypted_data = shared_secret_attr.pValue; + *ret_decrypted_data_size = shared_secret_attr.ulValueLen; return 0; } -int pkcs11_token_decrypt_data( +static int pkcs11_token_decrypt_data_rsa( CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, @@ -737,17 +1013,6 @@ int pkcs11_token_decrypt_data( _cleanup_(erase_and_freep) CK_BYTE *dbuffer = NULL; CK_ULONG dbuffer_size = 0; CK_RV rv; - int r; - - assert(m); - assert(encrypted_data); - assert(encrypted_data_size > 0); - assert(ret_decrypted_data); - assert(ret_decrypted_data_size); - - r = dlopen_p11kit(); - if (r < 0) - return r; rv = m->C_DecryptInit(session, (CK_MECHANISM*) &mechanism, object); if (rv != CKR_OK) @@ -780,6 +1045,42 @@ int pkcs11_token_decrypt_data( return 0; } +int pkcs11_token_decrypt_data( + CK_FUNCTION_LIST *m, + CK_SESSION_HANDLE session, + CK_OBJECT_HANDLE object, + const void *encrypted_data, + size_t encrypted_data_size, + void **ret_decrypted_data, + size_t *ret_decrypted_data_size) { + + CK_KEY_TYPE key_type; + CK_ATTRIBUTE key_type_template = { CKA_KEY_TYPE, &key_type, sizeof(key_type) }; + CK_RV rv; + + assert(m); + assert(encrypted_data); + assert(encrypted_data_size > 0); + assert(ret_decrypted_data); + assert(ret_decrypted_data_size); + + rv = m->C_GetAttributeValue(session, object, &key_type_template, 1); + if (rv != CKR_OK) + return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to retrieve private key type"); + + switch (key_type) { + + case CKK_RSA: + return pkcs11_token_decrypt_data_rsa(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size); + + case CKK_EC: + return pkcs11_token_decrypt_data_ecc(m, session, object, encrypted_data, encrypted_data_size, ret_decrypted_data, ret_decrypted_data_size); + + default: + return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unsupported private key type: %lu", key_type); + } +} + int pkcs11_token_acquire_rng( CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session) { diff --git a/src/shared/pkcs11-util.h b/src/shared/pkcs11-util.h index 5bc23c14c4..2ff6997823 100644 --- a/src/shared/pkcs11-util.h +++ b/src/shared/pkcs11-util.h @@ -1,6 +1,9 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #pragma once +#if HAVE_OPENSSL +# include <openssl/x509.h> +#endif #include <stdbool.h> #if HAVE_P11KIT @@ -10,7 +13,6 @@ #include "ask-password-api.h" #include "macro.h" -#include "openssl-util.h" #include "time-util.h" bool pkcs11_uri_valid(const char *uri); @@ -50,6 +52,7 @@ char *pkcs11_token_model(const CK_TOKEN_INFO *token_info); int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size); int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin); +int pkcs11_token_find_related_object(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE *ret_object); int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object); #if HAVE_OPENSSL int pkcs11_token_read_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, X509 **ret_cert); |