1306 lines
36 KiB
C
1306 lines
36 KiB
C
/**
|
|
* WinPR: Windows Portable Runtime
|
|
* NCrypt pkcs11 provider
|
|
*
|
|
* Copyright 2021 David Fort <contact@hardening-consulting.com>
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <winpr/library.h>
|
|
#include <winpr/assert.h>
|
|
#include <winpr/spec.h>
|
|
#include <winpr/smartcard.h>
|
|
#include <winpr/asn1.h>
|
|
|
|
#include "../log.h"
|
|
#include "ncrypt.h"
|
|
|
|
/* https://github.com/latchset/pkcs11-headers/blob/main/public-domain/3.1/pkcs11.h */
|
|
#include "pkcs11-headers/pkcs11.h"
|
|
|
|
#define TAG WINPR_TAG("ncryptp11")
|
|
|
|
#define MAX_SLOTS 64
|
|
#define MAX_KEYS 64
|
|
#define MAX_KEYS_PER_SLOT 64
|
|
|
|
/** @brief ncrypt provider handle */
|
|
typedef struct
|
|
{
|
|
NCryptBaseProvider baseProvider;
|
|
|
|
HANDLE library;
|
|
CK_FUNCTION_LIST_PTR p11;
|
|
char* modulePath;
|
|
} NCryptP11ProviderHandle;
|
|
|
|
/** @brief a handle returned by NCryptOpenKey */
|
|
typedef struct
|
|
{
|
|
NCryptBaseHandle base;
|
|
NCryptP11ProviderHandle* provider;
|
|
CK_SLOT_ID slotId;
|
|
CK_BYTE keyCertId[64];
|
|
CK_ULONG keyCertIdLen;
|
|
} NCryptP11KeyHandle;
|
|
|
|
typedef struct
|
|
{
|
|
CK_SLOT_ID slotId;
|
|
CK_SLOT_INFO slotInfo;
|
|
CK_KEY_TYPE keyType;
|
|
CK_CHAR keyLabel[256];
|
|
CK_ULONG idLen;
|
|
CK_BYTE id[64];
|
|
} NCryptKeyEnum;
|
|
|
|
typedef struct
|
|
{
|
|
CK_ULONG nslots;
|
|
CK_SLOT_ID slots[MAX_SLOTS];
|
|
CK_ULONG nKeys;
|
|
NCryptKeyEnum keys[MAX_KEYS];
|
|
CK_ULONG keyIndex;
|
|
} P11EnumKeysState;
|
|
|
|
typedef struct
|
|
{
|
|
const char* label;
|
|
BYTE tag[3];
|
|
} piv_cert_tags_t;
|
|
static const piv_cert_tags_t piv_cert_tags[] = {
|
|
{ "Certificate for PIV Authentication", "\x5F\xC1\x05" },
|
|
{ "Certificate for Digital Signature", "\x5F\xC1\x0A" },
|
|
{ "Certificate for Key Management", "\x5F\xC1\x0B" },
|
|
{ "Certificate for Card Authentication", "\x5F\xC1\x01" },
|
|
};
|
|
|
|
static const BYTE APDU_PIV_SELECT_AID[] = { 0x00, 0xA4, 0x04, 0x00, 0x09, 0xA0, 0x00, 0x00,
|
|
0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x00 };
|
|
static const BYTE APDU_PIV_GET_CHUID[] = { 0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C,
|
|
0x03, 0x5F, 0xC1, 0x02, 0x00 };
|
|
#define PIV_CONTAINER_NAME_LEN 36
|
|
|
|
static CK_OBJECT_CLASS object_class_public_key = CKO_PUBLIC_KEY;
|
|
static CK_BBOOL object_verify = CK_TRUE;
|
|
static CK_KEY_TYPE object_ktype_rsa = CKK_RSA;
|
|
|
|
static CK_ATTRIBUTE public_key_filter[] = {
|
|
{ CKA_CLASS, &object_class_public_key, sizeof(object_class_public_key) },
|
|
{ CKA_VERIFY, &object_verify, sizeof(object_verify) },
|
|
{ CKA_KEY_TYPE, &object_ktype_rsa, sizeof(object_ktype_rsa) }
|
|
};
|
|
|
|
static SECURITY_STATUS NCryptP11StorageProvider_dtor(NCRYPT_HANDLE handle)
|
|
{
|
|
NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)handle;
|
|
CK_RV rv = CKR_OK;
|
|
|
|
if (provider)
|
|
{
|
|
if (provider->p11 && provider->p11->C_Finalize)
|
|
rv = provider->p11->C_Finalize(NULL);
|
|
if (rv != CKR_OK)
|
|
{
|
|
}
|
|
|
|
free(provider->modulePath);
|
|
|
|
if (provider->library)
|
|
FreeLibrary(provider->library);
|
|
}
|
|
|
|
return winpr_NCryptDefault_dtor(handle);
|
|
}
|
|
|
|
static void fix_padded_string(char* str, size_t maxlen)
|
|
{
|
|
char* ptr = str + maxlen - 1;
|
|
|
|
while (ptr > str && *ptr == ' ')
|
|
ptr--;
|
|
ptr++;
|
|
*ptr = 0;
|
|
}
|
|
|
|
static BOOL attributes_have_unallocated_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count)
|
|
{
|
|
for (CK_ULONG i = 0; i < count; i++)
|
|
{
|
|
if (!attributes[i].pValue && (attributes[i].ulValueLen != CK_UNAVAILABLE_INFORMATION))
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
static BOOL attribute_allocate_attribute_array(CK_ATTRIBUTE_PTR attribute)
|
|
{
|
|
WINPR_ASSERT(attribute);
|
|
attribute->pValue = calloc(attribute->ulValueLen, sizeof(void*));
|
|
return !!attribute->pValue;
|
|
}
|
|
|
|
static BOOL attribute_allocate_ulong_array(CK_ATTRIBUTE_PTR attribute)
|
|
{
|
|
attribute->pValue = calloc(attribute->ulValueLen, sizeof(CK_ULONG));
|
|
return !!attribute->pValue;
|
|
}
|
|
|
|
static BOOL attribute_allocate_buffer(CK_ATTRIBUTE_PTR attribute)
|
|
{
|
|
attribute->pValue = calloc(attribute->ulValueLen, 1);
|
|
return !!attribute->pValue;
|
|
}
|
|
|
|
static BOOL attributes_allocate_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count)
|
|
{
|
|
BOOL ret = TRUE;
|
|
|
|
for (CK_ULONG i = 0; i < count; i++)
|
|
{
|
|
if (attributes[i].pValue || (attributes[i].ulValueLen == CK_UNAVAILABLE_INFORMATION))
|
|
continue;
|
|
|
|
switch (attributes[i].type)
|
|
{
|
|
case CKA_WRAP_TEMPLATE:
|
|
case CKA_UNWRAP_TEMPLATE:
|
|
ret &= attribute_allocate_attribute_array(&attributes[i]);
|
|
break;
|
|
|
|
case CKA_ALLOWED_MECHANISMS:
|
|
ret &= attribute_allocate_ulong_array(&attributes[i]);
|
|
break;
|
|
|
|
default:
|
|
ret &= attribute_allocate_buffer(&attributes[i]);
|
|
break;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static CK_RV object_load_attributes(NCryptP11ProviderHandle* provider, CK_SESSION_HANDLE session,
|
|
CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR attributes,
|
|
CK_ULONG count)
|
|
{
|
|
CK_RV rv = 0;
|
|
|
|
WINPR_ASSERT(provider);
|
|
WINPR_ASSERT(provider->p11);
|
|
WINPR_ASSERT(provider->p11->C_GetAttributeValue);
|
|
|
|
rv = provider->p11->C_GetAttributeValue(session, object, attributes, count);
|
|
|
|
switch (rv)
|
|
{
|
|
case CKR_OK:
|
|
if (!attributes_have_unallocated_buffers(attributes, count))
|
|
return rv;
|
|
/* fallthrough */
|
|
WINPR_FALLTHROUGH
|
|
case CKR_ATTRIBUTE_SENSITIVE:
|
|
case CKR_ATTRIBUTE_TYPE_INVALID:
|
|
case CKR_BUFFER_TOO_SMALL:
|
|
/* attributes need some buffers for the result value */
|
|
if (!attributes_allocate_buffers(attributes, count))
|
|
return CKR_HOST_MEMORY;
|
|
|
|
rv = provider->p11->C_GetAttributeValue(session, object, attributes, count);
|
|
break;
|
|
default:
|
|
return rv;
|
|
}
|
|
|
|
switch (rv)
|
|
{
|
|
case CKR_ATTRIBUTE_SENSITIVE:
|
|
case CKR_ATTRIBUTE_TYPE_INVALID:
|
|
case CKR_BUFFER_TOO_SMALL:
|
|
WLog_ERR(TAG, "C_GetAttributeValue return %d even after buffer allocation", rv);
|
|
break;
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
static const char* CK_RV_error_string(CK_RV rv)
|
|
{
|
|
static char generic_buffer[200];
|
|
#define ERR_ENTRY(X) \
|
|
case X: \
|
|
return #X
|
|
|
|
switch (rv)
|
|
{
|
|
ERR_ENTRY(CKR_OK);
|
|
ERR_ENTRY(CKR_CANCEL);
|
|
ERR_ENTRY(CKR_HOST_MEMORY);
|
|
ERR_ENTRY(CKR_SLOT_ID_INVALID);
|
|
ERR_ENTRY(CKR_GENERAL_ERROR);
|
|
ERR_ENTRY(CKR_FUNCTION_FAILED);
|
|
ERR_ENTRY(CKR_ARGUMENTS_BAD);
|
|
ERR_ENTRY(CKR_NO_EVENT);
|
|
ERR_ENTRY(CKR_NEED_TO_CREATE_THREADS);
|
|
ERR_ENTRY(CKR_CANT_LOCK);
|
|
ERR_ENTRY(CKR_ATTRIBUTE_READ_ONLY);
|
|
ERR_ENTRY(CKR_ATTRIBUTE_SENSITIVE);
|
|
ERR_ENTRY(CKR_ATTRIBUTE_TYPE_INVALID);
|
|
ERR_ENTRY(CKR_ATTRIBUTE_VALUE_INVALID);
|
|
ERR_ENTRY(CKR_DATA_INVALID);
|
|
ERR_ENTRY(CKR_DATA_LEN_RANGE);
|
|
ERR_ENTRY(CKR_DEVICE_ERROR);
|
|
ERR_ENTRY(CKR_DEVICE_MEMORY);
|
|
ERR_ENTRY(CKR_DEVICE_REMOVED);
|
|
ERR_ENTRY(CKR_ENCRYPTED_DATA_INVALID);
|
|
ERR_ENTRY(CKR_ENCRYPTED_DATA_LEN_RANGE);
|
|
ERR_ENTRY(CKR_FUNCTION_CANCELED);
|
|
ERR_ENTRY(CKR_FUNCTION_NOT_PARALLEL);
|
|
ERR_ENTRY(CKR_FUNCTION_NOT_SUPPORTED);
|
|
ERR_ENTRY(CKR_KEY_HANDLE_INVALID);
|
|
ERR_ENTRY(CKR_KEY_SIZE_RANGE);
|
|
ERR_ENTRY(CKR_KEY_TYPE_INCONSISTENT);
|
|
ERR_ENTRY(CKR_KEY_NOT_NEEDED);
|
|
ERR_ENTRY(CKR_KEY_CHANGED);
|
|
ERR_ENTRY(CKR_KEY_NEEDED);
|
|
ERR_ENTRY(CKR_KEY_INDIGESTIBLE);
|
|
ERR_ENTRY(CKR_KEY_FUNCTION_NOT_PERMITTED);
|
|
ERR_ENTRY(CKR_KEY_NOT_WRAPPABLE);
|
|
ERR_ENTRY(CKR_KEY_UNEXTRACTABLE);
|
|
ERR_ENTRY(CKR_MECHANISM_INVALID);
|
|
ERR_ENTRY(CKR_MECHANISM_PARAM_INVALID);
|
|
ERR_ENTRY(CKR_OBJECT_HANDLE_INVALID);
|
|
ERR_ENTRY(CKR_OPERATION_ACTIVE);
|
|
ERR_ENTRY(CKR_OPERATION_NOT_INITIALIZED);
|
|
ERR_ENTRY(CKR_PIN_INCORRECT);
|
|
ERR_ENTRY(CKR_PIN_INVALID);
|
|
ERR_ENTRY(CKR_PIN_LEN_RANGE);
|
|
ERR_ENTRY(CKR_PIN_EXPIRED);
|
|
ERR_ENTRY(CKR_PIN_LOCKED);
|
|
ERR_ENTRY(CKR_SESSION_CLOSED);
|
|
ERR_ENTRY(CKR_SESSION_COUNT);
|
|
ERR_ENTRY(CKR_SESSION_HANDLE_INVALID);
|
|
ERR_ENTRY(CKR_SESSION_PARALLEL_NOT_SUPPORTED);
|
|
ERR_ENTRY(CKR_SESSION_READ_ONLY);
|
|
ERR_ENTRY(CKR_SESSION_EXISTS);
|
|
ERR_ENTRY(CKR_SESSION_READ_ONLY_EXISTS);
|
|
ERR_ENTRY(CKR_SESSION_READ_WRITE_SO_EXISTS);
|
|
ERR_ENTRY(CKR_SIGNATURE_INVALID);
|
|
ERR_ENTRY(CKR_SIGNATURE_LEN_RANGE);
|
|
ERR_ENTRY(CKR_TEMPLATE_INCOMPLETE);
|
|
ERR_ENTRY(CKR_TEMPLATE_INCONSISTENT);
|
|
ERR_ENTRY(CKR_TOKEN_NOT_PRESENT);
|
|
ERR_ENTRY(CKR_TOKEN_NOT_RECOGNIZED);
|
|
ERR_ENTRY(CKR_TOKEN_WRITE_PROTECTED);
|
|
ERR_ENTRY(CKR_UNWRAPPING_KEY_HANDLE_INVALID);
|
|
ERR_ENTRY(CKR_UNWRAPPING_KEY_SIZE_RANGE);
|
|
ERR_ENTRY(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT);
|
|
ERR_ENTRY(CKR_USER_ALREADY_LOGGED_IN);
|
|
ERR_ENTRY(CKR_USER_NOT_LOGGED_IN);
|
|
ERR_ENTRY(CKR_USER_PIN_NOT_INITIALIZED);
|
|
ERR_ENTRY(CKR_USER_TYPE_INVALID);
|
|
ERR_ENTRY(CKR_USER_ANOTHER_ALREADY_LOGGED_IN);
|
|
ERR_ENTRY(CKR_USER_TOO_MANY_TYPES);
|
|
ERR_ENTRY(CKR_WRAPPED_KEY_INVALID);
|
|
ERR_ENTRY(CKR_WRAPPED_KEY_LEN_RANGE);
|
|
ERR_ENTRY(CKR_WRAPPING_KEY_HANDLE_INVALID);
|
|
ERR_ENTRY(CKR_WRAPPING_KEY_SIZE_RANGE);
|
|
ERR_ENTRY(CKR_WRAPPING_KEY_TYPE_INCONSISTENT);
|
|
ERR_ENTRY(CKR_RANDOM_SEED_NOT_SUPPORTED);
|
|
ERR_ENTRY(CKR_RANDOM_NO_RNG);
|
|
ERR_ENTRY(CKR_DOMAIN_PARAMS_INVALID);
|
|
ERR_ENTRY(CKR_BUFFER_TOO_SMALL);
|
|
ERR_ENTRY(CKR_SAVED_STATE_INVALID);
|
|
ERR_ENTRY(CKR_INFORMATION_SENSITIVE);
|
|
ERR_ENTRY(CKR_STATE_UNSAVEABLE);
|
|
ERR_ENTRY(CKR_CRYPTOKI_NOT_INITIALIZED);
|
|
ERR_ENTRY(CKR_CRYPTOKI_ALREADY_INITIALIZED);
|
|
ERR_ENTRY(CKR_MUTEX_BAD);
|
|
ERR_ENTRY(CKR_MUTEX_NOT_LOCKED);
|
|
ERR_ENTRY(CKR_FUNCTION_REJECTED);
|
|
default:
|
|
(void)snprintf(generic_buffer, sizeof(generic_buffer), "unknown 0x%lx", rv);
|
|
return generic_buffer;
|
|
}
|
|
#undef ERR_ENTRY
|
|
}
|
|
|
|
#define loge(tag, msg, rv, index, slot) \
|
|
log_((tag), (msg), (rv), (index), (slot), __FILE__, __func__, __LINE__)
|
|
static void log_(const char* tag, const char* msg, CK_RV rv, CK_ULONG index, CK_SLOT_ID slot,
|
|
const char* file, const char* fkt, size_t line)
|
|
{
|
|
const DWORD log_level = WLOG_ERROR;
|
|
static wLog* log_cached_ptr = NULL;
|
|
if (!log_cached_ptr)
|
|
log_cached_ptr = WLog_Get(tag);
|
|
if (!WLog_IsLevelActive(log_cached_ptr, log_level))
|
|
return;
|
|
|
|
WLog_PrintMessage(log_cached_ptr, WLOG_MESSAGE_TEXT, log_level, line, file, fkt,
|
|
"%s for slot #%" PRIu32 "(%" PRIu32 "), rv=%s", msg, index, slot,
|
|
CK_RV_error_string(rv));
|
|
}
|
|
|
|
static SECURITY_STATUS collect_keys(NCryptP11ProviderHandle* provider, P11EnumKeysState* state)
|
|
{
|
|
CK_OBJECT_HANDLE slotObjects[MAX_KEYS_PER_SLOT] = { 0 };
|
|
|
|
WINPR_ASSERT(provider);
|
|
|
|
CK_FUNCTION_LIST_PTR p11 = provider->p11;
|
|
WINPR_ASSERT(p11);
|
|
|
|
WLog_DBG(TAG, "checking %" PRIu32 " slots for valid keys...", state->nslots);
|
|
state->nKeys = 0;
|
|
for (CK_ULONG i = 0; i < state->nslots; i++)
|
|
{
|
|
CK_SESSION_HANDLE session = (CK_SESSION_HANDLE)NULL;
|
|
CK_SLOT_INFO slotInfo = { 0 };
|
|
CK_TOKEN_INFO tokenInfo = { 0 };
|
|
|
|
WINPR_ASSERT(p11->C_GetSlotInfo);
|
|
CK_RV rv = p11->C_GetSlotInfo(state->slots[i], &slotInfo);
|
|
if (rv != CKR_OK)
|
|
{
|
|
loge(TAG, "unable to retrieve information", rv, i, state->slots[i]);
|
|
continue;
|
|
}
|
|
|
|
fix_padded_string((char*)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
|
|
WLog_DBG(TAG, "collecting keys for slot #%" PRIu32 "(%" PRIu32 ") descr='%s' flags=0x%x", i,
|
|
state->slots[i], slotInfo.slotDescription, slotInfo.flags);
|
|
|
|
/* this is a safety guard as we're supposed to have listed only readers with tokens in them
|
|
*/
|
|
if (!(slotInfo.flags & CKF_TOKEN_PRESENT))
|
|
{
|
|
WLog_INFO(TAG, "token not present for slot #%" PRIu32 "(%" PRIu32 ")", i,
|
|
state->slots[i]);
|
|
continue;
|
|
}
|
|
|
|
WINPR_ASSERT(p11->C_GetTokenInfo);
|
|
rv = p11->C_GetTokenInfo(state->slots[i], &tokenInfo);
|
|
if (rv != CKR_OK)
|
|
loge(TAG, "unable to retrieve token info", rv, i, state->slots[i]);
|
|
else
|
|
{
|
|
fix_padded_string((char*)tokenInfo.label, sizeof(tokenInfo.label));
|
|
WLog_DBG(TAG, "token, label='%s' flags=0x%x", tokenInfo.label, tokenInfo.flags);
|
|
}
|
|
|
|
WINPR_ASSERT(p11->C_OpenSession);
|
|
rv = p11->C_OpenSession(state->slots[i], CKF_SERIAL_SESSION, NULL, NULL, &session);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG,
|
|
"unable to openSession for slot #%" PRIu32 "(%" PRIu32 "), session=%p rv=%s",
|
|
i, state->slots[i], session, CK_RV_error_string(rv));
|
|
continue;
|
|
}
|
|
|
|
WINPR_ASSERT(p11->C_FindObjectsInit);
|
|
rv = p11->C_FindObjectsInit(session, public_key_filter, ARRAYSIZE(public_key_filter));
|
|
if (rv != CKR_OK)
|
|
{
|
|
// TODO: shall it be fatal ?
|
|
loge(TAG, "unable to initiate search", rv, i, state->slots[i]);
|
|
goto cleanup_FindObjectsInit;
|
|
}
|
|
|
|
CK_ULONG nslotObjects = 0;
|
|
WINPR_ASSERT(p11->C_FindObjects);
|
|
rv = p11->C_FindObjects(session, &slotObjects[0], ARRAYSIZE(slotObjects), &nslotObjects);
|
|
if (rv != CKR_OK)
|
|
{
|
|
loge(TAG, "unable to findObjects", rv, i, state->slots[i]);
|
|
goto cleanup_FindObjects;
|
|
}
|
|
|
|
WLog_DBG(TAG, "slot has %d objects", nslotObjects);
|
|
for (CK_ULONG j = 0; j < nslotObjects; j++)
|
|
{
|
|
NCryptKeyEnum* key = &state->keys[state->nKeys];
|
|
CK_OBJECT_CLASS dataClass = CKO_PUBLIC_KEY;
|
|
CK_ATTRIBUTE key_or_certAttrs[] = {
|
|
{ CKA_ID, &key->id, sizeof(key->id) },
|
|
{ CKA_CLASS, &dataClass, sizeof(dataClass) },
|
|
{ CKA_LABEL, &key->keyLabel, sizeof(key->keyLabel) },
|
|
{ CKA_KEY_TYPE, &key->keyType, sizeof(key->keyType) }
|
|
};
|
|
|
|
rv = object_load_attributes(provider, session, slotObjects[j], key_or_certAttrs,
|
|
ARRAYSIZE(key_or_certAttrs));
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "error getting attributes, rv=%s", CK_RV_error_string(rv));
|
|
continue;
|
|
}
|
|
|
|
key->idLen = key_or_certAttrs[0].ulValueLen;
|
|
key->slotId = state->slots[i];
|
|
key->slotInfo = slotInfo;
|
|
state->nKeys++;
|
|
}
|
|
|
|
cleanup_FindObjects:
|
|
WINPR_ASSERT(p11->C_FindObjectsFinal);
|
|
rv = p11->C_FindObjectsFinal(session);
|
|
if (rv != CKR_OK)
|
|
loge(TAG, "error during C_FindObjectsFinal", rv, i, state->slots[i]);
|
|
cleanup_FindObjectsInit:
|
|
WINPR_ASSERT(p11->C_CloseSession);
|
|
rv = p11->C_CloseSession(session);
|
|
if (rv != CKR_OK)
|
|
loge(TAG, "error closing session", rv, i, state->slots[i]);
|
|
}
|
|
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
static BOOL convertKeyType(CK_KEY_TYPE k, LPWSTR dest, DWORD len, DWORD* outlen)
|
|
{
|
|
DWORD retLen = 0;
|
|
const WCHAR* r = NULL;
|
|
|
|
#define ALGO_CASE(V, S) \
|
|
case V: \
|
|
r = S; \
|
|
break
|
|
switch (k)
|
|
{
|
|
ALGO_CASE(CKK_RSA, BCRYPT_RSA_ALGORITHM);
|
|
ALGO_CASE(CKK_DSA, BCRYPT_DSA_ALGORITHM);
|
|
ALGO_CASE(CKK_DH, BCRYPT_DH_ALGORITHM);
|
|
ALGO_CASE(CKK_EC, BCRYPT_ECDSA_ALGORITHM);
|
|
ALGO_CASE(CKK_RC2, BCRYPT_RC2_ALGORITHM);
|
|
ALGO_CASE(CKK_RC4, BCRYPT_RC4_ALGORITHM);
|
|
ALGO_CASE(CKK_DES, BCRYPT_DES_ALGORITHM);
|
|
ALGO_CASE(CKK_DES3, BCRYPT_3DES_ALGORITHM);
|
|
case CKK_DES2:
|
|
case CKK_X9_42_DH:
|
|
case CKK_KEA:
|
|
case CKK_GENERIC_SECRET:
|
|
case CKK_CAST:
|
|
case CKK_CAST3:
|
|
case CKK_CAST128:
|
|
case CKK_RC5:
|
|
case CKK_IDEA:
|
|
case CKK_SKIPJACK:
|
|
case CKK_BATON:
|
|
case CKK_JUNIPER:
|
|
case CKK_CDMF:
|
|
case CKK_AES:
|
|
case CKK_BLOWFISH:
|
|
case CKK_TWOFISH:
|
|
default:
|
|
break;
|
|
}
|
|
#undef ALGO_CASE
|
|
|
|
retLen = _wcslen(r);
|
|
if (outlen)
|
|
*outlen = retLen;
|
|
|
|
if (!r)
|
|
{
|
|
if (dest && len > 0)
|
|
dest[0] = 0;
|
|
return FALSE;
|
|
}
|
|
else
|
|
{
|
|
if (retLen + 1 < len)
|
|
{
|
|
WLog_ERR(TAG, "target buffer is too small for algo name");
|
|
return FALSE;
|
|
}
|
|
|
|
if (dest)
|
|
{
|
|
memcpy(dest, r, sizeof(WCHAR) * retLen);
|
|
dest[retLen] = 0;
|
|
}
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
static void wprintKeyName(LPWSTR str, CK_SLOT_ID slotId, CK_BYTE* id, CK_ULONG idLen)
|
|
{
|
|
char asciiName[128] = { 0 };
|
|
char* ptr = asciiName;
|
|
const CK_BYTE* bytePtr = NULL;
|
|
|
|
*ptr = '\\';
|
|
ptr++;
|
|
|
|
bytePtr = ((CK_BYTE*)&slotId);
|
|
for (CK_ULONG i = 0; i < sizeof(slotId); i++, bytePtr++, ptr += 2)
|
|
(void)snprintf(ptr, 3, "%.2x", *bytePtr);
|
|
|
|
*ptr = '\\';
|
|
ptr++;
|
|
|
|
for (CK_ULONG i = 0; i < idLen; i++, id++, ptr += 2)
|
|
(void)snprintf(ptr, 3, "%.2x", *id);
|
|
|
|
ConvertUtf8NToWChar(asciiName, ARRAYSIZE(asciiName), str,
|
|
strnlen(asciiName, ARRAYSIZE(asciiName)) + 1);
|
|
}
|
|
|
|
static size_t parseHex(const char* str, const char* end, CK_BYTE* target)
|
|
{
|
|
int ret = 0;
|
|
|
|
for (; str != end && *str; str++, ret++, target++)
|
|
{
|
|
CK_BYTE v = 0;
|
|
if (*str <= '9' && *str >= '0')
|
|
{
|
|
v = (*str - '0');
|
|
}
|
|
else if (*str <= 'f' && *str >= 'a')
|
|
{
|
|
v = (10 + *str - 'a');
|
|
}
|
|
else if (*str <= 'F' && *str >= 'A')
|
|
{
|
|
v |= (10 + *str - 'A');
|
|
}
|
|
else
|
|
{
|
|
return 0;
|
|
}
|
|
v <<= 4;
|
|
str++;
|
|
|
|
if (!*str || str == end)
|
|
return 0;
|
|
|
|
if (*str <= '9' && *str >= '0')
|
|
{
|
|
v |= (*str - '0');
|
|
}
|
|
else if (*str <= 'f' && *str >= 'a')
|
|
{
|
|
v |= (10 + *str - 'a');
|
|
}
|
|
else if (*str <= 'F' && *str >= 'A')
|
|
{
|
|
v |= (10 + *str - 'A');
|
|
}
|
|
else
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
*target = v;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static SECURITY_STATUS parseKeyName(LPCWSTR pszKeyName, CK_SLOT_ID* slotId, CK_BYTE* id,
|
|
CK_ULONG* idLen)
|
|
{
|
|
char asciiKeyName[128] = { 0 };
|
|
char* pos = NULL;
|
|
|
|
if (ConvertWCharToUtf8(pszKeyName, asciiKeyName, ARRAYSIZE(asciiKeyName)) < 0)
|
|
return NTE_BAD_KEY;
|
|
|
|
if (*asciiKeyName != '\\')
|
|
return NTE_BAD_KEY;
|
|
|
|
pos = strchr(&asciiKeyName[1], '\\');
|
|
if (!pos)
|
|
return NTE_BAD_KEY;
|
|
|
|
if ((size_t)(pos - &asciiKeyName[1]) > sizeof(CK_SLOT_ID) * 2ull)
|
|
return NTE_BAD_KEY;
|
|
|
|
*slotId = (CK_SLOT_ID)0;
|
|
if (parseHex(&asciiKeyName[1], pos, (CK_BYTE*)slotId) != sizeof(CK_SLOT_ID))
|
|
return NTE_BAD_KEY;
|
|
|
|
*idLen = parseHex(pos + 1, NULL, id);
|
|
if (!*idLen)
|
|
return NTE_BAD_KEY;
|
|
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
static SECURITY_STATUS NCryptP11EnumKeys(NCRYPT_PROV_HANDLE hProvider, LPCWSTR pszScope,
|
|
NCryptKeyName** ppKeyName, PVOID* ppEnumState,
|
|
DWORD dwFlags)
|
|
{
|
|
NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)hProvider;
|
|
P11EnumKeysState* state = (P11EnumKeysState*)*ppEnumState;
|
|
CK_RV rv = { 0 };
|
|
CK_SLOT_ID currentSlot = { 0 };
|
|
CK_SESSION_HANDLE currentSession = (CK_SESSION_HANDLE)NULL;
|
|
char slotFilterBuffer[65] = { 0 };
|
|
char* slotFilter = NULL;
|
|
size_t slotFilterLen = 0;
|
|
|
|
SECURITY_STATUS ret = checkNCryptHandle((NCRYPT_HANDLE)hProvider, WINPR_NCRYPT_PROVIDER);
|
|
if (ret != ERROR_SUCCESS)
|
|
return ret;
|
|
|
|
if (pszScope)
|
|
{
|
|
/*
|
|
* check whether pszScope is of the form \\.\<reader name>\ for filtering by
|
|
* card reader
|
|
*/
|
|
char asciiScope[128 + 6 + 1] = { 0 };
|
|
size_t asciiScopeLen = 0;
|
|
|
|
if (ConvertWCharToUtf8(pszScope, asciiScope, ARRAYSIZE(asciiScope) - 1) < 0)
|
|
{
|
|
WLog_WARN(TAG, "Invalid scope");
|
|
return NTE_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (strstr(asciiScope, "\\\\.\\") != asciiScope)
|
|
{
|
|
WLog_WARN(TAG, "Invalid scope '%s'", asciiScope);
|
|
return NTE_INVALID_PARAMETER;
|
|
}
|
|
|
|
asciiScopeLen = strnlen(asciiScope, ARRAYSIZE(asciiScope));
|
|
if ((asciiScopeLen < 1) || (asciiScope[asciiScopeLen - 1] != '\\'))
|
|
{
|
|
WLog_WARN(TAG, "Invalid scope '%s'", asciiScope);
|
|
return NTE_INVALID_PARAMETER;
|
|
}
|
|
|
|
asciiScope[asciiScopeLen - 1] = 0;
|
|
|
|
strncpy(slotFilterBuffer, &asciiScope[4], sizeof(slotFilterBuffer));
|
|
slotFilter = slotFilterBuffer;
|
|
slotFilterLen = asciiScopeLen - 5;
|
|
}
|
|
|
|
if (!state)
|
|
{
|
|
state = (P11EnumKeysState*)calloc(1, sizeof(*state));
|
|
if (!state)
|
|
return NTE_NO_MEMORY;
|
|
|
|
WINPR_ASSERT(provider->p11->C_GetSlotList);
|
|
rv = provider->p11->C_GetSlotList(CK_TRUE, NULL, &state->nslots);
|
|
if (rv != CKR_OK)
|
|
{
|
|
/* TODO: perhaps convert rv to NTE_*** errors */
|
|
WLog_WARN(TAG, "C_GetSlotList failed with %u", rv);
|
|
return NTE_FAIL;
|
|
}
|
|
|
|
if (state->nslots > MAX_SLOTS)
|
|
state->nslots = MAX_SLOTS;
|
|
|
|
rv = provider->p11->C_GetSlotList(CK_TRUE, state->slots, &state->nslots);
|
|
if (rv != CKR_OK)
|
|
{
|
|
free(state);
|
|
/* TODO: perhaps convert rv to NTE_*** errors */
|
|
WLog_WARN(TAG, "C_GetSlotList failed with %u", rv);
|
|
return NTE_FAIL;
|
|
}
|
|
|
|
ret = collect_keys(provider, state);
|
|
if (ret != ERROR_SUCCESS)
|
|
{
|
|
free(state);
|
|
return ret;
|
|
}
|
|
|
|
*ppEnumState = state;
|
|
}
|
|
|
|
for (; state->keyIndex < state->nKeys; state->keyIndex++)
|
|
{
|
|
NCryptKeyName* keyName = NULL;
|
|
NCryptKeyEnum* key = &state->keys[state->keyIndex];
|
|
CK_OBJECT_CLASS oclass = CKO_CERTIFICATE;
|
|
CK_CERTIFICATE_TYPE ctype = CKC_X_509;
|
|
CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass, sizeof(oclass) },
|
|
{ CKA_CERTIFICATE_TYPE, &ctype, sizeof(ctype) },
|
|
{ CKA_ID, key->id, key->idLen } };
|
|
CK_ULONG ncertObjects = 0;
|
|
CK_OBJECT_HANDLE certObject = 0;
|
|
|
|
/* check the reader filter if any */
|
|
if (slotFilter && memcmp(key->slotInfo.slotDescription, slotFilter, slotFilterLen) != 0)
|
|
continue;
|
|
|
|
if (!currentSession || (currentSlot != key->slotId))
|
|
{
|
|
/* if the current session doesn't match the current key's slot, open a new one
|
|
*/
|
|
if (currentSession)
|
|
{
|
|
WINPR_ASSERT(provider->p11->C_CloseSession);
|
|
rv = provider->p11->C_CloseSession(currentSession);
|
|
currentSession = (CK_SESSION_HANDLE)NULL;
|
|
}
|
|
|
|
WINPR_ASSERT(provider->p11->C_OpenSession);
|
|
rv = provider->p11->C_OpenSession(key->slotId, CKF_SERIAL_SESSION, NULL, NULL,
|
|
¤tSession);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "unable to openSession for slot %d", key->slotId);
|
|
continue;
|
|
}
|
|
currentSlot = key->slotId;
|
|
}
|
|
|
|
/* look if we can find a certificate that matches the key's id */
|
|
WINPR_ASSERT(provider->p11->C_FindObjectsInit);
|
|
rv = provider->p11->C_FindObjectsInit(currentSession, certificateFilter,
|
|
ARRAYSIZE(certificateFilter));
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "unable to initiate search for slot %d", key->slotId);
|
|
continue;
|
|
}
|
|
|
|
WINPR_ASSERT(provider->p11->C_FindObjects);
|
|
rv = provider->p11->C_FindObjects(currentSession, &certObject, 1, &ncertObjects);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "unable to findObjects for slot %d", currentSlot);
|
|
goto cleanup_FindObjects;
|
|
}
|
|
|
|
if (ncertObjects)
|
|
{
|
|
/* sizeof keyName struct + "\<slotId>\<certId>" + keyName->pszAlgid */
|
|
DWORD algoSz = 0;
|
|
size_t KEYNAME_SZ =
|
|
(1 + (sizeof(key->slotId) * 2) /*slotId*/ + 1 + (key->idLen * 2) + 1) * 2;
|
|
|
|
convertKeyType(key->keyType, NULL, 0, &algoSz);
|
|
KEYNAME_SZ += (1ULL + algoSz) * 2ULL;
|
|
|
|
keyName = calloc(1, sizeof(*keyName) + KEYNAME_SZ);
|
|
if (!keyName)
|
|
{
|
|
WLog_ERR(TAG, "unable to allocate keyName");
|
|
goto cleanup_FindObjects;
|
|
}
|
|
keyName->dwLegacyKeySpec = AT_KEYEXCHANGE | AT_SIGNATURE;
|
|
keyName->dwFlags = NCRYPT_MACHINE_KEY_FLAG;
|
|
keyName->pszName = (LPWSTR)(keyName + 1);
|
|
wprintKeyName(keyName->pszName, key->slotId, key->id, key->idLen);
|
|
|
|
keyName->pszAlgid = keyName->pszName + _wcslen(keyName->pszName) + 1;
|
|
convertKeyType(key->keyType, keyName->pszAlgid, algoSz + 1, NULL);
|
|
}
|
|
|
|
cleanup_FindObjects:
|
|
WINPR_ASSERT(provider->p11->C_FindObjectsFinal);
|
|
rv = provider->p11->C_FindObjectsFinal(currentSession);
|
|
|
|
if (keyName)
|
|
{
|
|
*ppKeyName = keyName;
|
|
state->keyIndex++;
|
|
return ERROR_SUCCESS;
|
|
}
|
|
}
|
|
|
|
return NTE_NO_MORE_ITEMS;
|
|
}
|
|
|
|
static SECURITY_STATUS get_piv_container_name(NCryptP11KeyHandle* key, const BYTE* piv_tag,
|
|
BYTE* output, size_t output_len)
|
|
{
|
|
CK_SLOT_INFO slot_info = { 0 };
|
|
CK_FUNCTION_LIST_PTR p11 = NULL;
|
|
WCHAR* reader = NULL;
|
|
SCARDCONTEXT context = 0;
|
|
SCARDHANDLE card = 0;
|
|
DWORD proto = 0;
|
|
const SCARD_IO_REQUEST* pci = NULL;
|
|
BYTE buf[258] = { 0 };
|
|
char container_name[PIV_CONTAINER_NAME_LEN + 1] = { 0 };
|
|
DWORD buf_len = 0;
|
|
SECURITY_STATUS ret = NTE_BAD_KEY;
|
|
WinPrAsn1Decoder dec = { 0 };
|
|
WinPrAsn1Decoder dec2 = { 0 };
|
|
size_t len = 0;
|
|
BYTE tag = 0;
|
|
BYTE* p = NULL;
|
|
wStream s = { 0 };
|
|
|
|
WINPR_ASSERT(key);
|
|
WINPR_ASSERT(piv_tag);
|
|
|
|
WINPR_ASSERT(key->provider);
|
|
p11 = key->provider->p11;
|
|
WINPR_ASSERT(p11);
|
|
|
|
/* Get the reader the card is in */
|
|
WINPR_ASSERT(p11->C_GetSlotInfo);
|
|
if (p11->C_GetSlotInfo(key->slotId, &slot_info) != CKR_OK)
|
|
return NTE_BAD_KEY;
|
|
|
|
fix_padded_string((char*)slot_info.slotDescription, sizeof(slot_info.slotDescription));
|
|
reader = ConvertUtf8NToWCharAlloc((char*)slot_info.slotDescription,
|
|
ARRAYSIZE(slot_info.slotDescription), NULL);
|
|
ret = NTE_NO_MEMORY;
|
|
if (!reader)
|
|
goto out;
|
|
|
|
ret = NTE_BAD_KEY;
|
|
if (SCardEstablishContext(SCARD_SCOPE_USER, NULL, NULL, &context) != SCARD_S_SUCCESS)
|
|
goto out;
|
|
|
|
if (SCardConnectW(context, reader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_Tx, &card, &proto) !=
|
|
SCARD_S_SUCCESS)
|
|
goto out;
|
|
pci = (proto == SCARD_PROTOCOL_T0) ? SCARD_PCI_T0 : SCARD_PCI_T1;
|
|
|
|
buf_len = sizeof(buf);
|
|
if (SCardTransmit(card, pci, APDU_PIV_SELECT_AID, sizeof(APDU_PIV_SELECT_AID), NULL, buf,
|
|
&buf_len) != SCARD_S_SUCCESS)
|
|
goto out;
|
|
if ((buf[buf_len - 2] != 0x90 || buf[buf_len - 1] != 0) && buf[buf_len - 2] != 0x61)
|
|
goto out;
|
|
|
|
buf_len = sizeof(buf);
|
|
if (SCardTransmit(card, pci, APDU_PIV_GET_CHUID, sizeof(APDU_PIV_GET_CHUID), NULL, buf,
|
|
&buf_len) != SCARD_S_SUCCESS)
|
|
goto out;
|
|
if ((buf[buf_len - 2] != 0x90 || buf[buf_len - 1] != 0) && buf[buf_len - 2] != 0x61)
|
|
goto out;
|
|
|
|
/* Find the GUID field in the CHUID data object */
|
|
WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_BER, buf, buf_len);
|
|
if (!WinPrAsn1DecReadTagAndLen(&dec, &tag, &len) || tag != 0x53)
|
|
goto out;
|
|
while (WinPrAsn1DecReadTagLenValue(&dec, &tag, &len, &dec2) && tag != 0x34)
|
|
;
|
|
if (tag != 0x34 || len != 16)
|
|
goto out;
|
|
|
|
s = WinPrAsn1DecGetStream(&dec2);
|
|
p = Stream_Buffer(&s);
|
|
|
|
/* Construct the value Windows would use for a PIV key's container name */
|
|
(void)snprintf(container_name, PIV_CONTAINER_NAME_LEN + 1,
|
|
"%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x", p[3],
|
|
p[2], p[1], p[0], p[5], p[4], p[7], p[6], p[8], p[9], p[10], p[11], p[12],
|
|
piv_tag[0], piv_tag[1], piv_tag[2]);
|
|
|
|
/* And convert it to UTF-16 */
|
|
union
|
|
{
|
|
WCHAR* wc;
|
|
BYTE* b;
|
|
} cnv;
|
|
cnv.b = output;
|
|
if (ConvertUtf8NToWChar(container_name, ARRAYSIZE(container_name), cnv.wc,
|
|
output_len / sizeof(WCHAR)) > 0)
|
|
ret = ERROR_SUCCESS;
|
|
|
|
out:
|
|
free(reader);
|
|
if (card)
|
|
SCardDisconnect(card, SCARD_LEAVE_CARD);
|
|
if (context)
|
|
SCardReleaseContext(context);
|
|
return ret;
|
|
}
|
|
|
|
static SECURITY_STATUS check_for_piv_container_name(NCryptP11KeyHandle* key, BYTE* pbOutput,
|
|
DWORD cbOutput, DWORD* pcbResult, char* label,
|
|
size_t label_len)
|
|
{
|
|
for (size_t i = 0; i < ARRAYSIZE(piv_cert_tags); i++)
|
|
{
|
|
const piv_cert_tags_t* cur = &piv_cert_tags[i];
|
|
if (strncmp(label, cur->label, label_len) == 0)
|
|
{
|
|
*pcbResult = (PIV_CONTAINER_NAME_LEN + 1) * sizeof(WCHAR);
|
|
if (!pbOutput)
|
|
return ERROR_SUCCESS;
|
|
else if (cbOutput < (PIV_CONTAINER_NAME_LEN + 1) * sizeof(WCHAR))
|
|
return NTE_NO_MEMORY;
|
|
else
|
|
return get_piv_container_name(key, cur->tag, pbOutput, cbOutput);
|
|
}
|
|
}
|
|
return NTE_NOT_FOUND;
|
|
}
|
|
|
|
static SECURITY_STATUS NCryptP11KeyGetProperties(NCryptP11KeyHandle* keyHandle,
|
|
NCryptKeyGetPropertyEnum property, PBYTE pbOutput,
|
|
DWORD cbOutput, DWORD* pcbResult, DWORD dwFlags)
|
|
{
|
|
SECURITY_STATUS ret = NTE_FAIL;
|
|
CK_RV rv = 0;
|
|
CK_SESSION_HANDLE session = 0;
|
|
CK_OBJECT_HANDLE objectHandle = 0;
|
|
CK_ULONG objectCount = 0;
|
|
NCryptP11ProviderHandle* provider = NULL;
|
|
CK_OBJECT_CLASS oclass = CKO_CERTIFICATE;
|
|
CK_CERTIFICATE_TYPE ctype = CKC_X_509;
|
|
CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass, sizeof(oclass) },
|
|
{ CKA_CERTIFICATE_TYPE, &ctype, sizeof(ctype) },
|
|
{ CKA_ID, keyHandle->keyCertId,
|
|
keyHandle->keyCertIdLen } };
|
|
CK_ATTRIBUTE* objectFilter = certificateFilter;
|
|
CK_ULONG objectFilterLen = ARRAYSIZE(certificateFilter);
|
|
|
|
WINPR_ASSERT(keyHandle);
|
|
provider = keyHandle->provider;
|
|
WINPR_ASSERT(provider);
|
|
|
|
switch (property)
|
|
|
|
{
|
|
case NCRYPT_PROPERTY_CERTIFICATE:
|
|
case NCRYPT_PROPERTY_NAME:
|
|
break;
|
|
case NCRYPT_PROPERTY_READER:
|
|
{
|
|
CK_SLOT_INFO slotInfo;
|
|
|
|
WINPR_ASSERT(provider->p11->C_GetSlotInfo);
|
|
rv = provider->p11->C_GetSlotInfo(keyHandle->slotId, &slotInfo);
|
|
if (rv != CKR_OK)
|
|
return NTE_BAD_KEY;
|
|
|
|
#define SLOT_DESC_SZ sizeof(slotInfo.slotDescription)
|
|
fix_padded_string((char*)slotInfo.slotDescription, SLOT_DESC_SZ);
|
|
*pcbResult = 2 * (strnlen((char*)slotInfo.slotDescription, SLOT_DESC_SZ) + 1);
|
|
if (pbOutput)
|
|
{
|
|
union
|
|
{
|
|
WCHAR* wc;
|
|
BYTE* b;
|
|
} cnv;
|
|
cnv.b = pbOutput;
|
|
if (cbOutput < *pcbResult)
|
|
return NTE_NO_MEMORY;
|
|
|
|
if (ConvertUtf8ToWChar((char*)slotInfo.slotDescription, cnv.wc,
|
|
cbOutput / sizeof(WCHAR)) < 0)
|
|
return NTE_NO_MEMORY;
|
|
}
|
|
return ERROR_SUCCESS;
|
|
}
|
|
case NCRYPT_PROPERTY_SLOTID:
|
|
{
|
|
*pcbResult = 4;
|
|
if (pbOutput)
|
|
{
|
|
UINT32* ptr = (UINT32*)pbOutput;
|
|
|
|
if (cbOutput < 4)
|
|
return NTE_NO_MEMORY;
|
|
|
|
*ptr = keyHandle->slotId;
|
|
}
|
|
return ERROR_SUCCESS;
|
|
}
|
|
case NCRYPT_PROPERTY_UNKNOWN:
|
|
default:
|
|
return NTE_NOT_SUPPORTED;
|
|
}
|
|
|
|
WINPR_ASSERT(provider->p11->C_OpenSession);
|
|
rv = provider->p11->C_OpenSession(keyHandle->slotId, CKF_SERIAL_SESSION, NULL, NULL, &session);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "error opening session on slot %d", keyHandle->slotId);
|
|
return NTE_FAIL;
|
|
}
|
|
|
|
WINPR_ASSERT(provider->p11->C_FindObjectsInit);
|
|
rv = provider->p11->C_FindObjectsInit(session, objectFilter, objectFilterLen);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "unable to initiate search for slot %d", keyHandle->slotId);
|
|
goto out;
|
|
}
|
|
|
|
WINPR_ASSERT(provider->p11->C_FindObjects);
|
|
rv = provider->p11->C_FindObjects(session, &objectHandle, 1, &objectCount);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "unable to findObjects for slot %d", keyHandle->slotId);
|
|
goto out_final;
|
|
}
|
|
if (!objectCount)
|
|
{
|
|
ret = NTE_NOT_FOUND;
|
|
goto out_final;
|
|
}
|
|
|
|
switch (property)
|
|
{
|
|
case NCRYPT_PROPERTY_CERTIFICATE:
|
|
{
|
|
CK_ATTRIBUTE certValue = { CKA_VALUE, pbOutput, cbOutput };
|
|
|
|
WINPR_ASSERT(provider->p11->C_GetAttributeValue);
|
|
rv = provider->p11->C_GetAttributeValue(session, objectHandle, &certValue, 1);
|
|
if (rv != CKR_OK)
|
|
{
|
|
// TODO: do a kind of translation from CKR_* to NTE_*
|
|
}
|
|
|
|
*pcbResult = certValue.ulValueLen;
|
|
ret = ERROR_SUCCESS;
|
|
break;
|
|
}
|
|
case NCRYPT_PROPERTY_NAME:
|
|
{
|
|
CK_ATTRIBUTE attr = { CKA_LABEL, NULL, 0 };
|
|
char* label = NULL;
|
|
|
|
WINPR_ASSERT(provider->p11->C_GetAttributeValue);
|
|
rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1);
|
|
if (rv == CKR_OK)
|
|
{
|
|
label = calloc(1, attr.ulValueLen);
|
|
if (!label)
|
|
{
|
|
ret = NTE_NO_MEMORY;
|
|
break;
|
|
}
|
|
|
|
attr.pValue = label;
|
|
rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1);
|
|
}
|
|
|
|
if (rv == CKR_OK)
|
|
{
|
|
/* Check if we have a PIV card */
|
|
ret = check_for_piv_container_name(keyHandle, pbOutput, cbOutput, pcbResult, label,
|
|
attr.ulValueLen);
|
|
|
|
/* Otherwise, at least for GIDS cards the label will be the correct value */
|
|
if (ret == NTE_NOT_FOUND)
|
|
{
|
|
union
|
|
{
|
|
WCHAR* wc;
|
|
BYTE* b;
|
|
} cnv;
|
|
const size_t olen = pbOutput ? cbOutput / sizeof(WCHAR) : 0;
|
|
cnv.b = pbOutput;
|
|
SSIZE_T size = ConvertUtf8NToWChar(label, attr.ulValueLen, cnv.wc, olen);
|
|
if (size < 0)
|
|
ret = ERROR_CONVERT_TO_LARGE;
|
|
else
|
|
ret = ERROR_SUCCESS;
|
|
}
|
|
}
|
|
|
|
free(label);
|
|
break;
|
|
}
|
|
default:
|
|
ret = NTE_NOT_SUPPORTED;
|
|
break;
|
|
}
|
|
|
|
out_final:
|
|
WINPR_ASSERT(provider->p11->C_FindObjectsFinal);
|
|
rv = provider->p11->C_FindObjectsFinal(session);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "error in C_FindObjectsFinal() for slot %d", keyHandle->slotId);
|
|
}
|
|
out:
|
|
WINPR_ASSERT(provider->p11->C_CloseSession);
|
|
rv = provider->p11->C_CloseSession(session);
|
|
if (rv != CKR_OK)
|
|
{
|
|
WLog_ERR(TAG, "error in C_CloseSession() for slot %d", keyHandle->slotId);
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
static SECURITY_STATUS NCryptP11GetProperty(NCRYPT_HANDLE hObject, NCryptKeyGetPropertyEnum prop,
|
|
PBYTE pbOutput, DWORD cbOutput, DWORD* pcbResult,
|
|
DWORD dwFlags)
|
|
{
|
|
NCryptBaseHandle* base = (NCryptBaseHandle*)hObject;
|
|
|
|
WINPR_ASSERT(base);
|
|
switch (base->type)
|
|
{
|
|
case WINPR_NCRYPT_PROVIDER:
|
|
return ERROR_CALL_NOT_IMPLEMENTED;
|
|
case WINPR_NCRYPT_KEY:
|
|
return NCryptP11KeyGetProperties((NCryptP11KeyHandle*)hObject, prop, pbOutput, cbOutput,
|
|
pcbResult, dwFlags);
|
|
default:
|
|
return ERROR_INVALID_HANDLE;
|
|
}
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
static SECURITY_STATUS NCryptP11OpenKey(NCRYPT_PROV_HANDLE hProvider, NCRYPT_KEY_HANDLE* phKey,
|
|
LPCWSTR pszKeyName, DWORD dwLegacyKeySpec, DWORD dwFlags)
|
|
{
|
|
SECURITY_STATUS ret = 0;
|
|
CK_SLOT_ID slotId = 0;
|
|
CK_BYTE keyCertId[64] = { 0 };
|
|
CK_ULONG keyCertIdLen = 0;
|
|
NCryptP11KeyHandle* keyHandle = NULL;
|
|
|
|
ret = parseKeyName(pszKeyName, &slotId, keyCertId, &keyCertIdLen);
|
|
if (ret != ERROR_SUCCESS)
|
|
return ret;
|
|
|
|
keyHandle = (NCryptP11KeyHandle*)ncrypt_new_handle(
|
|
WINPR_NCRYPT_KEY, sizeof(*keyHandle), NCryptP11GetProperty, winpr_NCryptDefault_dtor);
|
|
if (!keyHandle)
|
|
return NTE_NO_MEMORY;
|
|
|
|
keyHandle->provider = (NCryptP11ProviderHandle*)hProvider;
|
|
keyHandle->slotId = slotId;
|
|
memcpy(keyHandle->keyCertId, keyCertId, sizeof(keyCertId));
|
|
keyHandle->keyCertIdLen = keyCertIdLen;
|
|
*phKey = (NCRYPT_KEY_HANDLE)keyHandle;
|
|
return ERROR_SUCCESS;
|
|
}
|
|
|
|
static SECURITY_STATUS initialize_pkcs11(HANDLE handle,
|
|
CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR),
|
|
NCRYPT_PROV_HANDLE* phProvider)
|
|
{
|
|
SECURITY_STATUS status = ERROR_SUCCESS;
|
|
NCryptP11ProviderHandle* ret = NULL;
|
|
CK_RV rv = 0;
|
|
|
|
WINPR_ASSERT(c_get_function_list);
|
|
WINPR_ASSERT(phProvider);
|
|
|
|
ret = (NCryptP11ProviderHandle*)ncrypt_new_handle(
|
|
WINPR_NCRYPT_PROVIDER, sizeof(*ret), NCryptP11GetProperty, NCryptP11StorageProvider_dtor);
|
|
if (!ret)
|
|
return NTE_NO_MEMORY;
|
|
|
|
ret->library = handle;
|
|
ret->baseProvider.enumKeysFn = NCryptP11EnumKeys;
|
|
ret->baseProvider.openKeyFn = NCryptP11OpenKey;
|
|
|
|
rv = c_get_function_list(&ret->p11);
|
|
if (rv != CKR_OK)
|
|
{
|
|
status = NTE_PROVIDER_DLL_FAIL;
|
|
goto fail;
|
|
}
|
|
|
|
WINPR_ASSERT(ret->p11);
|
|
WINPR_ASSERT(ret->p11->C_Initialize);
|
|
rv = ret->p11->C_Initialize(NULL);
|
|
if (rv != CKR_OK)
|
|
{
|
|
status = NTE_PROVIDER_DLL_FAIL;
|
|
goto fail;
|
|
}
|
|
|
|
*phProvider = (NCRYPT_PROV_HANDLE)ret;
|
|
|
|
fail:
|
|
if (status != ERROR_SUCCESS)
|
|
ret->baseProvider.baseHandle.releaseFn((NCRYPT_HANDLE)ret);
|
|
return status;
|
|
}
|
|
|
|
SECURITY_STATUS NCryptOpenP11StorageProviderEx(NCRYPT_PROV_HANDLE* phProvider,
|
|
LPCWSTR pszProviderName, DWORD dwFlags,
|
|
LPCSTR* modulePaths)
|
|
{
|
|
SECURITY_STATUS status = ERROR_INVALID_PARAMETER;
|
|
LPCSTR defaultPaths[] = { "p11-kit-proxy.so", "opensc-pkcs11.so", NULL };
|
|
|
|
if (!phProvider)
|
|
return ERROR_INVALID_PARAMETER;
|
|
|
|
if (!modulePaths)
|
|
modulePaths = defaultPaths;
|
|
|
|
while (*modulePaths)
|
|
{
|
|
const char* modulePath = *modulePaths++;
|
|
HANDLE library = LoadLibrary(modulePath);
|
|
typedef CK_RV (*c_get_function_list_t)(CK_FUNCTION_LIST_PTR_PTR);
|
|
c_get_function_list_t c_get_function_list = NULL;
|
|
NCryptP11ProviderHandle* provider = NULL;
|
|
|
|
WLog_DBG(TAG, "Trying pkcs11 module '%s'", modulePath);
|
|
if (!library)
|
|
{
|
|
status = NTE_PROV_DLL_NOT_FOUND;
|
|
goto out_load_library;
|
|
}
|
|
|
|
c_get_function_list = (c_get_function_list_t)GetProcAddress(library, "C_GetFunctionList");
|
|
if (!c_get_function_list)
|
|
{
|
|
status = NTE_PROV_TYPE_ENTRY_BAD;
|
|
goto out_load_library;
|
|
}
|
|
|
|
status = initialize_pkcs11(library, c_get_function_list, phProvider);
|
|
if (status != ERROR_SUCCESS)
|
|
{
|
|
status = NTE_PROVIDER_DLL_FAIL;
|
|
goto out_load_library;
|
|
}
|
|
|
|
provider = (NCryptP11ProviderHandle*)*phProvider;
|
|
provider->modulePath = _strdup(modulePath);
|
|
if (!provider->modulePath)
|
|
{
|
|
status = NTE_NO_MEMORY;
|
|
goto out_load_library;
|
|
}
|
|
|
|
WLog_DBG(TAG, "module '%s' loaded", modulePath);
|
|
return ERROR_SUCCESS;
|
|
|
|
out_load_library:
|
|
if (library)
|
|
FreeLibrary(library);
|
|
}
|
|
|
|
return status;
|
|
}
|
|
|
|
const char* NCryptGetModulePath(NCRYPT_PROV_HANDLE phProvider)
|
|
{
|
|
NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)phProvider;
|
|
|
|
WINPR_ASSERT(provider);
|
|
|
|
return provider->modulePath;
|
|
}
|