summaryrefslogtreecommitdiffstats
path: root/src/home/homectl-pkcs11.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/home/homectl-pkcs11.c')
-rw-r--r--src/home/homectl-pkcs11.c183
1 files changed, 80 insertions, 103 deletions
diff --git a/src/home/homectl-pkcs11.c b/src/home/homectl-pkcs11.c
index 2539af0..bb582d7 100644
--- a/src/home/homectl-pkcs11.c
+++ b/src/home/homectl-pkcs11.c
@@ -8,62 +8,55 @@
#include "memory-util.h"
#include "openssl-util.h"
#include "pkcs11-util.h"
-#include "random-util.h"
#include "strv.h"
-static int add_pkcs11_encrypted_key(
- JsonVariant **v,
- const char *uri,
- const void *encrypted_key, size_t encrypted_key_size,
- const void *decrypted_key, size_t decrypted_key_size) {
-
- _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
- _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
- ssize_t base64_encoded_size;
+int identity_add_token_pin(JsonVariant **v, const char *pin) {
+ _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
+ _cleanup_strv_free_erase_ char **pins = NULL;
int r;
assert(v);
- assert(uri);
- assert(encrypted_key);
- assert(encrypted_key_size > 0);
- assert(decrypted_key);
- assert(decrypted_key_size > 0);
- /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
- * expect a NUL terminated string, and we use a binary key */
- base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
- if (base64_encoded_size < 0)
- return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
+ if (isempty(pin))
+ return 0;
- r = hash_password(base64_encoded, &hashed);
+ w = json_variant_ref(json_variant_by_key(*v, "secret"));
+ l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
+
+ r = json_variant_strv(l, &pins);
if (r < 0)
- return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m");
+ return log_error_errno(r, "Failed to convert PIN array: %m");
- r = json_build(&e, JSON_BUILD_OBJECT(
- JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)),
- JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)),
- JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed))));
+ if (strv_contains(pins, pin))
+ return 0;
+
+ r = strv_extend(&pins, pin);
if (r < 0)
- return log_error_errno(r, "Failed to build encrypted JSON key object: %m");
+ return log_oom();
- w = json_variant_ref(json_variant_by_key(*v, "privileged"));
- l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey"));
+ strv_uniq(pins);
- r = json_variant_append_array(&l, e);
+ l = json_variant_unref(l);
+
+ r = json_variant_new_array_strv(&l, pins);
if (r < 0)
- return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m");
+ return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
- r = json_variant_set_field(&w, "pkcs11EncryptedKey", l);
+ json_variant_sensitive(l);
+
+ r = json_variant_set_field(&w, "tokenPin", l);
if (r < 0)
- return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m");
+ return log_error_errno(r, "Failed to update PIN field: %m");
- r = json_variant_set_field(v, "privileged", w);
+ r = json_variant_set_field(v, "secret", w);
if (r < 0)
- return log_error_errno(r, "Failed to update privileged field: %m");
+ return log_error_errno(r, "Failed to update secret object: %m");
- return 0;
+ return 1;
}
+#if HAVE_P11KIT
+
static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
_cleanup_(json_variant_unrefp) JsonVariant *w = NULL;
_cleanup_strv_free_ char **l = NULL;
@@ -98,100 +91,82 @@ static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) {
return 0;
}
-int identity_add_token_pin(JsonVariant **v, const char *pin) {
- _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL;
- _cleanup_strv_free_erase_ char **pins = NULL;
+static int add_pkcs11_encrypted_key(
+ JsonVariant **v,
+ const char *uri,
+ const void *encrypted_key, size_t encrypted_key_size,
+ const void *decrypted_key, size_t decrypted_key_size) {
+
+ _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL;
+ _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL;
+ ssize_t base64_encoded_size;
int r;
assert(v);
+ assert(uri);
+ assert(encrypted_key);
+ assert(encrypted_key_size > 0);
+ assert(decrypted_key);
+ assert(decrypted_key_size > 0);
- if (isempty(pin))
- return 0;
-
- w = json_variant_ref(json_variant_by_key(*v, "secret"));
- l = json_variant_ref(json_variant_by_key(w, "tokenPin"));
+ /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends
+ * expect a NUL terminated string, and we use a binary key */
+ base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded);
+ if (base64_encoded_size < 0)
+ return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m");
- r = json_variant_strv(l, &pins);
+ r = hash_password(base64_encoded, &hashed);
if (r < 0)
- return log_error_errno(r, "Failed to convert PIN array: %m");
-
- if (strv_contains(pins, pin))
- return 0;
+ return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m");
- r = strv_extend(&pins, pin);
+ r = json_build(&e, JSON_BUILD_OBJECT(
+ JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)),
+ JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)),
+ JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed))));
if (r < 0)
- return log_oom();
-
- strv_uniq(pins);
+ return log_error_errno(r, "Failed to build encrypted JSON key object: %m");
- l = json_variant_unref(l);
+ w = json_variant_ref(json_variant_by_key(*v, "privileged"));
+ l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey"));
- r = json_variant_new_array_strv(&l, pins);
+ r = json_variant_append_array(&l, e);
if (r < 0)
- return log_error_errno(r, "Failed to allocate new PIN array JSON: %m");
-
- json_variant_sensitive(l);
+ return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m");
- r = json_variant_set_field(&w, "tokenPin", l);
+ r = json_variant_set_field(&w, "pkcs11EncryptedKey", l);
if (r < 0)
- return log_error_errno(r, "Failed to update PIN field: %m");
+ return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m");
- r = json_variant_set_field(v, "secret", w);
+ r = json_variant_set_field(v, "privileged", w);
if (r < 0)
- return log_error_errno(r, "Failed to update secret object: %m");
-
- return 1;
-}
+ return log_error_errno(r, "Failed to update privileged field: %m");
-static int acquire_pkcs11_certificate(
- const char *uri,
- const char *askpw_friendly_name,
- const char *askpw_icon_name,
- X509 **ret_cert,
- char **ret_pin_used) {
-#if HAVE_P11KIT
- return pkcs11_acquire_certificate(uri, askpw_friendly_name, askpw_icon_name, ret_cert, ret_pin_used);
-#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "PKCS#11 tokens not supported on this build.");
-#endif
+ return 0;
}
int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
- _cleanup_(erase_and_freep) void *decrypted_key = NULL, *encrypted_key = NULL;
+ _cleanup_(erase_and_freep) void *decrypted_key = NULL, *saved_key = NULL;
_cleanup_(erase_and_freep) char *pin = NULL;
- size_t decrypted_key_size, encrypted_key_size;
- _cleanup_(X509_freep) X509 *cert = NULL;
- EVP_PKEY *pkey;
+ size_t decrypted_key_size, saved_key_size;
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
int r;
assert(v);
- r = acquire_pkcs11_certificate(uri, "home directory operation", "user-home", &cert, &pin);
+ r = pkcs11_acquire_public_key(
+ uri,
+ "home directory operation",
+ "user-home",
+ "home.token-pin",
+ /* askpw_flags= */ 0,
+ &pkey,
+ &pin);
if (r < 0)
return r;
- pkey = X509_get0_pubkey(cert);
- if (!pkey)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate.");
-
- r = rsa_pkey_to_suitable_key_size(pkey, &decrypted_key_size);
+ r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size);
if (r < 0)
- return log_error_errno(r, "Failed to extract RSA key size from X509 certificate.");
-
- log_debug("Generating %zu bytes random key.", decrypted_key_size);
-
- decrypted_key = malloc(decrypted_key_size);
- if (!decrypted_key)
- return log_oom();
-
- r = crypto_random_bytes(decrypted_key, decrypted_key_size);
- if (r < 0)
- return log_error_errno(r, "Failed to generate random key: %m");
-
- r = rsa_encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size);
- if (r < 0)
- return log_error_errno(r, "Failed to encrypt key: %m");
+ return log_error_errno(r, "Failed to generate volume keys: %m");
/* Add the token URI to the public part of the record. */
r = add_pkcs11_token_uri(v, uri);
@@ -202,7 +177,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
r = add_pkcs11_encrypted_key(
v,
uri,
- encrypted_key, encrypted_key_size,
+ saved_key, saved_key_size,
decrypted_key, decrypted_key_size);
if (r < 0)
return r;
@@ -216,3 +191,5 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
return 0;
}
+
+#endif
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-15 20:11:27 +0000