pkcs11: Instead of a mutex use a new session to do multipart operations.
[strongswan.git] / src / libstrongswan / plugins / pkcs11 / pkcs11_public_key.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2010 Martin Willi
6 * Copyright (C) 2010 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "pkcs11_public_key.h"
20
21 #include "pkcs11.h"
22 #include "pkcs11_private_key.h"
23 #include "pkcs11_manager.h"
24
25 #include <debug.h>
26
27 typedef struct private_pkcs11_public_key_t private_pkcs11_public_key_t;
28
29 /**
30 * Private data of an pkcs11_public_key_t object.
31 */
32 struct private_pkcs11_public_key_t {
33
34 /**
35 * Public pkcs11_public_key_t interface.
36 */
37 pkcs11_public_key_t public;
38
39 /**
40 * Type of the key
41 */
42 key_type_t type;
43
44 /**
45 * Key size in bytes
46 */
47 size_t k;
48
49 /**
50 * PKCS#11 library this key uses
51 */
52 pkcs11_library_t *lib;
53
54 /**
55 * Slot the token is in
56 */
57 CK_SLOT_ID slot;
58
59 /**
60 * Session we use
61 */
62 CK_SESSION_HANDLE session;
63
64 /**
65 * Object handle to the key
66 */
67 CK_OBJECT_HANDLE object;
68
69 /**
70 * References to this key
71 */
72 refcount_t ref;
73 };
74
75 METHOD(public_key_t, get_type, key_type_t,
76 private_pkcs11_public_key_t *this)
77 {
78 return this->type;
79 }
80
81 METHOD(public_key_t, get_keysize, int,
82 private_pkcs11_public_key_t *this)
83 {
84 return this->k * 8;
85 }
86
87 METHOD(public_key_t, verify, bool,
88 private_pkcs11_public_key_t *this, signature_scheme_t scheme,
89 chunk_t data, chunk_t sig)
90 {
91 CK_MECHANISM_PTR mechanism;
92 CK_SESSION_HANDLE session;
93 CK_RV rv;
94
95 mechanism = pkcs11_signature_scheme_to_mech(scheme);
96 if (!mechanism)
97 {
98 DBG1(DBG_LIB, "signature scheme %N not supported",
99 signature_scheme_names, scheme);
100 return FALSE;
101 }
102 if (sig.len && sig.ptr[0] == 0)
103 { /* trim leading zero byte in sig */
104 sig = chunk_skip(sig, 1);
105 }
106 rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
107 &session);
108 if (rv != CKR_OK)
109 {
110 DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
111 return FALSE;
112 }
113 rv = this->lib->f->C_VerifyInit(session, mechanism, this->object);
114 if (rv != CKR_OK)
115 {
116 this->lib->f->C_CloseSession(session);
117 DBG1(DBG_LIB, "C_VerifyInit() failed: %N", ck_rv_names, rv);
118 return FALSE;
119 }
120 rv = this->lib->f->C_Verify(session, data.ptr, data.len, sig.ptr, sig.len);
121 this->lib->f->C_CloseSession(session);
122 if (rv != CKR_OK)
123 {
124 DBG1(DBG_LIB, "C_Verify() failed: %N", ck_rv_names, rv);
125 return FALSE;
126 }
127 return TRUE;
128 }
129
130 METHOD(public_key_t, encrypt, bool,
131 private_pkcs11_public_key_t *this, encryption_scheme_t scheme,
132 chunk_t plain, chunk_t *crypt)
133 {
134 CK_MECHANISM_PTR mechanism;
135 CK_SESSION_HANDLE session;
136 CK_BYTE_PTR buf;
137 CK_ULONG len;
138 CK_RV rv;
139
140 mechanism = pkcs11_encryption_scheme_to_mech(scheme);
141 if (!mechanism)
142 {
143 DBG1(DBG_LIB, "encryption scheme %N not supported",
144 encryption_scheme_names, scheme);
145 return FALSE;
146 }
147 rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
148 &session);
149 if (rv != CKR_OK)
150 {
151 DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
152 return FALSE;
153 }
154 rv = this->lib->f->C_EncryptInit(session, mechanism, this->object);
155 if (rv != CKR_OK)
156 {
157 this->lib->f->C_CloseSession(session);
158 DBG1(DBG_LIB, "C_EncryptInit() failed: %N", ck_rv_names, rv);
159 return FALSE;
160 }
161 len = (get_keysize(this) + 7) / 8;
162 buf = malloc(len);
163 rv = this->lib->f->C_Encrypt(session, plain.ptr, plain.len, buf, &len);
164 this->lib->f->C_CloseSession(session);
165 if (rv != CKR_OK)
166 {
167 DBG1(DBG_LIB, "C_Encrypt() failed: %N", ck_rv_names, rv);
168 free(buf);
169 return FALSE;
170 }
171 *crypt = chunk_create(buf, len);
172 return TRUE;
173 }
174
175 /**
176 * Encode RSA key using a given encoding type
177 */
178 static bool encode_rsa(private_pkcs11_public_key_t *this,
179 cred_encoding_type_t type, void *cache, chunk_t *encoding)
180 {
181 CK_RV rv;
182 bool success = FALSE;
183 chunk_t n, e;
184 CK_ATTRIBUTE attr[] = {
185 {CKA_MODULUS, NULL, 0},
186 {CKA_PUBLIC_EXPONENT, NULL, 0},
187 };
188
189 rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
190 attr, countof(attr));
191 if (rv != CKR_OK ||
192 attr[0].ulValueLen == 0 || attr[0].ulValueLen == -1 ||
193 attr[1].ulValueLen == 0 || attr[1].ulValueLen == -1)
194 {
195 return FALSE;
196 }
197 attr[0].pValue = malloc(attr[0].ulValueLen);
198 attr[1].pValue = malloc(attr[1].ulValueLen);
199 rv = this->lib->f->C_GetAttributeValue(this->session, this->object,
200 attr, countof(attr));
201 if (rv == CKR_OK)
202 {
203 n = chunk_create(attr[0].pValue, attr[0].ulValueLen);
204 e = chunk_create(attr[1].pValue, attr[1].ulValueLen);
205 success = lib->encoding->encode(lib->encoding, type, cache, encoding,
206 CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END);
207 }
208 free(attr[0].pValue);
209 free(attr[1].pValue);
210 return success;
211 }
212
213 METHOD(public_key_t, get_encoding, bool,
214 private_pkcs11_public_key_t *this, cred_encoding_type_t type,
215 chunk_t *encoding)
216 {
217 switch (this->type)
218 {
219 case KEY_RSA:
220 return encode_rsa(this, type, NULL, encoding);
221 default:
222 return FALSE;
223 }
224 }
225
226 METHOD(public_key_t, get_fingerprint, bool,
227 private_pkcs11_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
228 {
229 if (lib->encoding->get_cache(lib->encoding, type, this, fp))
230 {
231 return TRUE;
232 }
233 switch (this->type)
234 {
235 case KEY_RSA:
236 return encode_rsa(this, type, this, fp);
237 default:
238 return FALSE;
239 }
240 }
241
242 METHOD(public_key_t, get_ref, public_key_t*,
243 private_pkcs11_public_key_t *this)
244 {
245 ref_get(&this->ref);
246 return &this->public.key;
247 }
248
249 METHOD(public_key_t, destroy, void,
250 private_pkcs11_public_key_t *this)
251 {
252 if (ref_put(&this->ref))
253 {
254 lib->encoding->clear_cache(lib->encoding, this);
255 this->lib->f->C_CloseSession(this->session);
256 free(this);
257 }
258 }
259
260 /**
261 * Create an empty PKCS#11 public key
262 */
263 static private_pkcs11_public_key_t *create(key_type_t type, size_t k,
264 pkcs11_library_t *p11, CK_SLOT_ID slot,
265 CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object)
266 {
267 private_pkcs11_public_key_t *this;
268
269 INIT(this,
270 .public = {
271 .key = {
272 .get_type = _get_type,
273 .verify = _verify,
274 .encrypt = _encrypt,
275 .equals = public_key_equals,
276 .get_keysize = _get_keysize,
277 .get_fingerprint = _get_fingerprint,
278 .has_fingerprint = public_key_has_fingerprint,
279 .get_encoding = _get_encoding,
280 .get_ref = _get_ref,
281 .destroy = _destroy,
282 },
283 },
284 .type = type,
285 .k = k,
286 .lib = p11,
287 .slot = slot,
288 .session = session,
289 .object = object,
290 .ref = 1,
291 );
292
293 return this;
294 }
295
296 /**
297 * Find a key object, including PKCS11 library and slot
298 */
299 static private_pkcs11_public_key_t* find_rsa_key(chunk_t n, chunk_t e)
300 {
301 private_pkcs11_public_key_t *this = NULL;
302 pkcs11_manager_t *manager;
303 enumerator_t *enumerator, *keys;
304 pkcs11_library_t *p11;
305 CK_SLOT_ID slot;
306
307 manager = lib->get(lib, "pkcs11-manager");
308 if (!manager)
309 {
310 return NULL;
311 }
312
313 enumerator = manager->create_token_enumerator(manager);
314 while (enumerator->enumerate(enumerator, &p11, &slot))
315 {
316 CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
317 CK_KEY_TYPE type = CKK_RSA;
318 CK_ATTRIBUTE tmpl[] = {
319 {CKA_CLASS, &class, sizeof(class)},
320 {CKA_KEY_TYPE, &type, sizeof(type)},
321 {CKA_MODULUS, n.ptr, n.len},
322 {CKA_PUBLIC_EXPONENT, e.ptr, e.len},
323 };
324 CK_OBJECT_HANDLE object;
325 CK_SESSION_HANDLE session;
326 CK_RV rv;
327
328 rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
329 &session);
330 if (rv != CKR_OK)
331 {
332 DBG1(DBG_CFG, "opening PKCS#11 session failed: %N", ck_rv_names, rv);
333 continue;
334 }
335 keys = p11->create_object_enumerator(p11, session,
336 tmpl, countof(tmpl), NULL, 0);
337 if (keys->enumerate(keys, &object))
338 {
339 this = create(KEY_RSA, n.len, p11, slot, session, object);
340 keys->destroy(keys);
341 break;
342 }
343 keys->destroy(keys);
344 p11->f->C_CloseSession(session);
345 }
346 enumerator->destroy(enumerator);
347 return this;
348 }
349
350 /**
351 * Create a key object in a suitable token session
352 */
353 static private_pkcs11_public_key_t* create_rsa_key(chunk_t n, chunk_t e)
354 {
355 private_pkcs11_public_key_t *this = NULL;
356 pkcs11_manager_t *manager;
357 enumerator_t *enumerator, *mechs;
358 pkcs11_library_t *p11;
359 CK_SLOT_ID slot;
360
361 manager = lib->get(lib, "pkcs11-manager");
362 if (!manager)
363 {
364 return NULL;
365 }
366
367 enumerator = manager->create_token_enumerator(manager);
368 while (enumerator->enumerate(enumerator, &p11, &slot))
369 {
370 CK_MECHANISM_TYPE mech;
371 CK_MECHANISM_INFO info;
372 CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
373 CK_KEY_TYPE type = CKK_RSA;
374 CK_ATTRIBUTE tmpl[] = {
375 {CKA_CLASS, &class, sizeof(class)},
376 {CKA_KEY_TYPE, &type, sizeof(type)},
377 {CKA_MODULUS, n.ptr, n.len},
378 {CKA_PUBLIC_EXPONENT, e.ptr, e.len}
379 };
380 CK_OBJECT_HANDLE object;
381 CK_SESSION_HANDLE session;
382 CK_RV rv;
383
384 mechs = p11->create_mechanism_enumerator(p11, slot);
385 while (mechs->enumerate(mechs, &mech, &info))
386 {
387 if (!(info.flags & CKF_VERIFY))
388 {
389 continue;
390 }
391 switch (mech)
392 {
393 case CKM_RSA_PKCS:
394 case CKM_SHA1_RSA_PKCS:
395 case CKM_SHA256_RSA_PKCS:
396 case CKM_SHA384_RSA_PKCS:
397 case CKM_SHA512_RSA_PKCS:
398 case CKM_MD5_RSA_PKCS:
399 break;
400 default:
401 continue;
402 }
403 rv = p11->f->C_OpenSession(slot, CKF_SERIAL_SESSION, NULL, NULL,
404 &session);
405 if (rv != CKR_OK)
406 {
407 DBG1(DBG_CFG, "opening PKCS#11 session failed: %N",
408 ck_rv_names, rv);
409 continue;
410 }
411 rv = p11->f->C_CreateObject(session, tmpl, countof(tmpl), &object);
412 if (rv == CKR_OK)
413 {
414 this = create(KEY_RSA, n.len, p11, slot, session, object);
415 DBG2(DBG_CFG, "created RSA public key on token '%s':%d ",
416 p11->get_name(p11), slot);
417 break;
418 }
419 else
420 {
421 DBG1(DBG_CFG, "creating RSA public key on token '%s':%d "
422 "failed: %N", p11->get_name(p11), slot, ck_rv_names, rv);
423 p11->f->C_CloseSession(session);
424 }
425 }
426 mechs->destroy(mechs);
427 if (this)
428 {
429 break;
430 }
431 }
432 enumerator->destroy(enumerator);
433 return this;
434 }
435
436 /**
437 * See header
438 */
439 pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
440 {
441 private_pkcs11_public_key_t *this;
442 chunk_t n, e;
443
444 n = e = chunk_empty;
445 while (TRUE)
446 {
447 switch (va_arg(args, builder_part_t))
448 {
449 case BUILD_RSA_MODULUS:
450 n = va_arg(args, chunk_t);
451 continue;
452 case BUILD_RSA_PUB_EXP:
453 e = va_arg(args, chunk_t);
454 continue;
455 case BUILD_END:
456 break;
457 default:
458 return NULL;
459 }
460 break;
461 }
462 if (type == KEY_RSA && e.ptr && n.ptr)
463 {
464 if (n.len && n.ptr[0] == 0)
465 { /* trim leading zero byte in modulus */
466 n = chunk_skip(n, 1);
467 }
468 this = find_rsa_key(n, e);
469 if (this)
470 {
471 return &this->public;
472 }
473 this = create_rsa_key(n, e);
474 if (this)
475 {
476 return &this->public;
477 }
478 }
479 return NULL;
480 }
481