/src/FreeRDP/winpr/libwinpr/ncrypt/ncrypt_pkcs11.c
Line | Count | Source |
1 | | /** |
2 | | * WinPR: Windows Portable Runtime |
3 | | * NCrypt pkcs11 provider |
4 | | * |
5 | | * Copyright 2021 David Fort <contact@hardening-consulting.com> |
6 | | * |
7 | | * Licensed under the Apache License, Version 2.0 (the "License"); |
8 | | * you may not use this file except in compliance with the License. |
9 | | * You may obtain a copy of the License at |
10 | | * |
11 | | * http://www.apache.org/licenses/LICENSE-2.0 |
12 | | * |
13 | | * Unless required by applicable law or agreed to in writing, software |
14 | | * distributed under the License is distributed on an "AS IS" BASIS, |
15 | | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
16 | | * See the License for the specific language governing permissions and |
17 | | * limitations under the License. |
18 | | */ |
19 | | |
20 | | #include <stdlib.h> |
21 | | |
22 | | #include <winpr/library.h> |
23 | | #include <winpr/assert.h> |
24 | | #include <winpr/spec.h> |
25 | | #include <winpr/smartcard.h> |
26 | | #include <winpr/asn1.h> |
27 | | |
28 | | #include "../log.h" |
29 | | #include "ncrypt.h" |
30 | | |
31 | | /* https://github.com/latchset/pkcs11-headers/blob/main/public-domain/3.1/pkcs11.h */ |
32 | | #include "pkcs11-headers/pkcs11.h" |
33 | | |
34 | | #define TAG WINPR_TAG("ncryptp11") |
35 | | |
36 | 0 | #define MAX_SLOTS 64 |
37 | | #define MAX_KEYS 64 |
38 | | #define MAX_KEYS_PER_SLOT 64 |
39 | | |
40 | | /** @brief ncrypt provider handle */ |
41 | | typedef struct |
42 | | { |
43 | | NCryptBaseProvider baseProvider; |
44 | | |
45 | | HANDLE library; |
46 | | CK_FUNCTION_LIST_PTR p11; |
47 | | char* modulePath; |
48 | | } NCryptP11ProviderHandle; |
49 | | |
50 | | /** @brief a handle returned by NCryptOpenKey */ |
51 | | typedef struct |
52 | | { |
53 | | NCryptBaseHandle base; |
54 | | NCryptP11ProviderHandle* provider; |
55 | | CK_SLOT_ID slotId; |
56 | | CK_BYTE keyCertId[64]; |
57 | | CK_ULONG keyCertIdLen; |
58 | | } NCryptP11KeyHandle; |
59 | | |
60 | | typedef struct |
61 | | { |
62 | | CK_SLOT_ID slotId; |
63 | | CK_SLOT_INFO slotInfo; |
64 | | CK_KEY_TYPE keyType; |
65 | | CK_CHAR keyLabel[256]; |
66 | | CK_ULONG idLen; |
67 | | CK_BYTE id[64]; |
68 | | } NCryptKeyEnum; |
69 | | |
70 | | typedef struct |
71 | | { |
72 | | CK_ULONG nslots; |
73 | | CK_SLOT_ID slots[MAX_SLOTS]; |
74 | | CK_ULONG nKeys; |
75 | | NCryptKeyEnum keys[MAX_KEYS]; |
76 | | CK_ULONG keyIndex; |
77 | | } P11EnumKeysState; |
78 | | |
79 | | typedef struct |
80 | | { |
81 | | const char* label; |
82 | | BYTE tag[3]; |
83 | | } piv_cert_tags_t; |
84 | | static const piv_cert_tags_t piv_cert_tags[] = { |
85 | | { "X.509 Certificate for PIV Authentication", { 0x5F, 0xC1, 0x05 } }, |
86 | | { "X.509 Certificate for Digital Signature", { 0x5F, 0xC1, 0x0A } }, |
87 | | { "X.509 Certificate for Key Management", { 0x5F, 0xC1, 0x0B } }, |
88 | | { "X.509 Certificate for Card Authentication", { 0x5F, 0xC1, 0x01 } }, |
89 | | |
90 | | { "Certificate for PIV Authentication", { 0x5F, 0xC1, 0x05 } }, |
91 | | { "Certificate for Digital Signature", { 0x5F, 0xC1, 0x0A } }, |
92 | | { "Certificate for Key Management", { 0x5F, 0xC1, 0x0B } }, |
93 | | { "Certificate for Card Authentication", { 0x5F, 0xC1, 0x01 } }, |
94 | | |
95 | | { "Retired Certificate for Key Management 1", { 0x5F, 0xC1, 0x0D } }, |
96 | | { "Retired Certificate for Key Management 2", { 0x5F, 0xC1, 0x0E } }, |
97 | | { "Retired Certificate for Key Management 3", { 0x5F, 0xC1, 0x0F } }, |
98 | | { "Retired Certificate for Key Management 4", { 0x5F, 0xC1, 0x10 } }, |
99 | | { "Retired Certificate for Key Management 5", { 0x5F, 0xC1, 0x11 } }, |
100 | | { "Retired Certificate for Key Management 6", { 0x5F, 0xC1, 0x12 } }, |
101 | | { "Retired Certificate for Key Management 7", { 0x5F, 0xC1, 0x13 } }, |
102 | | { "Retired Certificate for Key Management 8", { 0x5F, 0xC1, 0x14 } }, |
103 | | { "Retired Certificate for Key Management 9", { 0x5F, 0xC1, 0x15 } }, |
104 | | { "Retired Certificate for Key Management 10", { 0x5F, 0xC1, 0x16 } }, |
105 | | { "Retired Certificate for Key Management 11", { 0x5F, 0xC1, 0x17 } }, |
106 | | { "Retired Certificate for Key Management 12", { 0x5F, 0xC1, 0x18 } }, |
107 | | { "Retired Certificate for Key Management 13", { 0x5F, 0xC1, 0x19 } }, |
108 | | { "Retired Certificate for Key Management 14", { 0x5F, 0xC1, 0x1A } }, |
109 | | { "Retired Certificate for Key Management 15", { 0x5F, 0xC1, 0x1B } }, |
110 | | { "Retired Certificate for Key Management 16", { 0x5F, 0xC1, 0x1C } }, |
111 | | { "Retired Certificate for Key Management 17", { 0x5F, 0xC1, 0x1D } }, |
112 | | { "Retired Certificate for Key Management 18", { 0x5F, 0xC1, 0x1E } }, |
113 | | { "Retired Certificate for Key Management 19", { 0x5F, 0xC1, 0x1F } }, |
114 | | { "Retired Certificate for Key Management 20", { 0x5F, 0xC1, 0x20 } }, |
115 | | }; |
116 | | |
117 | | static const BYTE APDU_PIV_SELECT_AID[] = { 0x00, 0xA4, 0x04, 0x00, 0x09, 0xA0, 0x00, 0x00, |
118 | | 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x00 }; |
119 | | static const BYTE APDU_PIV_GET_CHUID[] = { 0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C, |
120 | | 0x03, 0x5F, 0xC1, 0x02, 0x00 }; |
121 | | static const BYTE APDU_PIV_GET_MSCMAP[] = { 0x00, 0xCB, 0x3F, 0xFF, 0x05, 0x5C, |
122 | | 0x03, 0x5F, 0xFF, 0x10, 0x00 }; |
123 | | static const BYTE APDU_GET_RESPONSE[] = { 0x00, 0xC0, 0x00, 0x00, 0x00 }; |
124 | | |
125 | 0 | #define PIV_CONTAINER_NAME_LEN 36 |
126 | 0 | #define MAX_CONTAINER_NAME_LEN 39 |
127 | 0 | #define MSCMAP_RECORD_SIZE 107 |
128 | 0 | #define MSCMAP_SLOT_OFFSET 80 |
129 | | |
130 | | /* PIV certificate tag to PIV slot byte mapping */ |
131 | | typedef struct |
132 | | { |
133 | | BYTE tag[3]; |
134 | | BYTE slot; |
135 | | } piv_tag_to_slot_t; |
136 | | |
137 | | static const piv_tag_to_slot_t piv_tag_to_slot[] = { |
138 | | { { 0x5F, 0xC1, 0x05 }, 0x9A }, /* PIV Auth */ |
139 | | { { 0x5F, 0xC1, 0x0A }, 0x9C }, /* Digital Sig */ |
140 | | { { 0x5F, 0xC1, 0x0B }, 0x9D }, /* Key Mgmt */ |
141 | | { { 0x5F, 0xC1, 0x01 }, 0x9E }, /* Card Auth */ |
142 | | { { 0x5F, 0xC1, 0x0D }, 0x82 }, /* Retired KM 1 */ |
143 | | { { 0x5F, 0xC1, 0x0E }, 0x83 }, /* Retired KM 2 */ |
144 | | { { 0x5F, 0xC1, 0x0F }, 0x84 }, /* Retired KM 3 */ |
145 | | { { 0x5F, 0xC1, 0x10 }, 0x85 }, /* Retired KM 4 */ |
146 | | { { 0x5F, 0xC1, 0x11 }, 0x86 }, /* Retired KM 5 */ |
147 | | { { 0x5F, 0xC1, 0x12 }, 0x87 }, /* Retired KM 6 */ |
148 | | { { 0x5F, 0xC1, 0x13 }, 0x88 }, /* Retired KM 7 */ |
149 | | { { 0x5F, 0xC1, 0x14 }, 0x89 }, /* Retired KM 8 */ |
150 | | { { 0x5F, 0xC1, 0x15 }, 0x8A }, /* Retired KM 9 */ |
151 | | { { 0x5F, 0xC1, 0x16 }, 0x8B }, /* Retired KM 10 */ |
152 | | { { 0x5F, 0xC1, 0x17 }, 0x8C }, /* Retired KM 11 */ |
153 | | { { 0x5F, 0xC1, 0x18 }, 0x8D }, /* Retired KM 12 */ |
154 | | { { 0x5F, 0xC1, 0x19 }, 0x8E }, /* Retired KM 13 */ |
155 | | { { 0x5F, 0xC1, 0x1A }, 0x8F }, /* Retired KM 14 */ |
156 | | { { 0x5F, 0xC1, 0x1B }, 0x90 }, /* Retired KM 15 */ |
157 | | { { 0x5F, 0xC1, 0x1C }, 0x91 }, /* Retired KM 16 */ |
158 | | { { 0x5F, 0xC1, 0x1D }, 0x92 }, /* Retired KM 17 */ |
159 | | { { 0x5F, 0xC1, 0x1E }, 0x93 }, /* Retired KM 18 */ |
160 | | { { 0x5F, 0xC1, 0x1F }, 0x94 }, /* Retired KM 19 */ |
161 | | { { 0x5F, 0xC1, 0x20 }, 0x95 }, /* Retired KM 20 */ |
162 | | }; |
163 | | |
164 | | static CK_OBJECT_CLASS object_class_public_key = CKO_PUBLIC_KEY; |
165 | | static CK_BBOOL object_verify = CK_TRUE; |
166 | | |
167 | | static CK_ATTRIBUTE public_key_filter[] = { { CKA_CLASS, &object_class_public_key, |
168 | | sizeof(object_class_public_key) }, |
169 | | { CKA_VERIFY, &object_verify, sizeof(object_verify) } }; |
170 | | |
171 | | static const char* CK_RV_error_string(CK_RV rv); |
172 | | |
173 | | static SECURITY_STATUS NCryptP11StorageProvider_dtor(NCRYPT_HANDLE handle) |
174 | 0 | { |
175 | 0 | NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)handle; |
176 | 0 | CK_RV rv = CKR_OK; |
177 | |
|
178 | 0 | if (provider) |
179 | 0 | { |
180 | 0 | if (provider->p11 && provider->p11->C_Finalize) |
181 | 0 | rv = provider->p11->C_Finalize(nullptr); |
182 | 0 | if (rv != CKR_OK) |
183 | 0 | WLog_WARN(TAG, "C_Finalize failed with %s [0x%08lx]", CK_RV_error_string(rv), rv); |
184 | |
|
185 | 0 | free(provider->modulePath); |
186 | |
|
187 | 0 | if (provider->library) |
188 | 0 | FreeLibrary(provider->library); |
189 | 0 | } |
190 | |
|
191 | 0 | return winpr_NCryptDefault_dtor(handle); |
192 | 0 | } |
193 | | |
194 | | static void fix_padded_string(char* str, size_t maxlen) |
195 | 0 | { |
196 | 0 | if (maxlen == 0) |
197 | 0 | return; |
198 | | |
199 | 0 | WINPR_ASSERT(str); |
200 | 0 | char* ptr = &str[maxlen - 1]; |
201 | |
|
202 | 0 | while ((ptr > str) && (*ptr == ' ')) |
203 | 0 | { |
204 | 0 | *ptr = '\0'; |
205 | 0 | ptr--; |
206 | 0 | } |
207 | 0 | } |
208 | | |
209 | | static BOOL attributes_have_unallocated_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count) |
210 | 0 | { |
211 | 0 | for (CK_ULONG i = 0; i < count; i++) |
212 | 0 | { |
213 | 0 | if (!attributes[i].pValue && (attributes[i].ulValueLen != CK_UNAVAILABLE_INFORMATION)) |
214 | 0 | return TRUE; |
215 | 0 | } |
216 | | |
217 | 0 | return FALSE; |
218 | 0 | } |
219 | | |
220 | | static BOOL attribute_allocate_attribute_array(CK_ATTRIBUTE_PTR attribute) |
221 | 0 | { |
222 | 0 | WINPR_ASSERT(attribute); |
223 | 0 | attribute->pValue = calloc(attribute->ulValueLen, sizeof(void*)); |
224 | 0 | return !!attribute->pValue; |
225 | 0 | } |
226 | | |
227 | | static BOOL attribute_allocate_ulong_array(CK_ATTRIBUTE_PTR attribute) |
228 | 0 | { |
229 | 0 | attribute->pValue = calloc(attribute->ulValueLen, sizeof(CK_ULONG)); |
230 | 0 | return !!attribute->pValue; |
231 | 0 | } |
232 | | |
233 | | static BOOL attribute_allocate_buffer(CK_ATTRIBUTE_PTR attribute) |
234 | 0 | { |
235 | 0 | attribute->pValue = calloc(attribute->ulValueLen, 1); |
236 | 0 | return !!attribute->pValue; |
237 | 0 | } |
238 | | |
239 | | static BOOL attributes_allocate_buffers(CK_ATTRIBUTE_PTR attributes, CK_ULONG count) |
240 | 0 | { |
241 | 0 | BOOL ret = TRUE; |
242 | |
|
243 | 0 | for (CK_ULONG i = 0; i < count; i++) |
244 | 0 | { |
245 | 0 | if (attributes[i].pValue || (attributes[i].ulValueLen == CK_UNAVAILABLE_INFORMATION)) |
246 | 0 | continue; |
247 | | |
248 | 0 | switch (attributes[i].type) |
249 | 0 | { |
250 | 0 | case CKA_WRAP_TEMPLATE: |
251 | 0 | case CKA_UNWRAP_TEMPLATE: |
252 | 0 | ret &= attribute_allocate_attribute_array(&attributes[i]); |
253 | 0 | break; |
254 | | |
255 | 0 | case CKA_ALLOWED_MECHANISMS: |
256 | 0 | ret &= attribute_allocate_ulong_array(&attributes[i]); |
257 | 0 | break; |
258 | | |
259 | 0 | default: |
260 | 0 | ret &= attribute_allocate_buffer(&attributes[i]); |
261 | 0 | break; |
262 | 0 | } |
263 | 0 | } |
264 | | |
265 | 0 | return ret; |
266 | 0 | } |
267 | | |
268 | | static CK_RV object_load_attributes(NCryptP11ProviderHandle* provider, CK_SESSION_HANDLE session, |
269 | | CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR attributes, |
270 | | CK_ULONG count) |
271 | 0 | { |
272 | 0 | WINPR_ASSERT(provider); |
273 | 0 | WINPR_ASSERT(provider->p11); |
274 | 0 | WINPR_ASSERT(provider->p11->C_GetAttributeValue); |
275 | |
|
276 | 0 | CK_RV rv = provider->p11->C_GetAttributeValue(session, object, attributes, count); |
277 | |
|
278 | 0 | switch (rv) |
279 | 0 | { |
280 | 0 | case CKR_OK: |
281 | 0 | if (!attributes_have_unallocated_buffers(attributes, count)) |
282 | 0 | return rv; |
283 | | /* fallthrough */ |
284 | 0 | WINPR_FALLTHROUGH |
285 | 0 | case CKR_ATTRIBUTE_SENSITIVE: |
286 | 0 | case CKR_ATTRIBUTE_TYPE_INVALID: |
287 | 0 | case CKR_BUFFER_TOO_SMALL: |
288 | | /* attributes need some buffers for the result value */ |
289 | 0 | if (!attributes_allocate_buffers(attributes, count)) |
290 | 0 | return CKR_HOST_MEMORY; |
291 | | |
292 | 0 | rv = provider->p11->C_GetAttributeValue(session, object, attributes, count); |
293 | 0 | if (rv != CKR_OK) |
294 | 0 | WLog_WARN(TAG, "C_GetAttributeValue failed with %s [0x%08lx]", |
295 | 0 | CK_RV_error_string(rv), rv); |
296 | 0 | break; |
297 | 0 | default: |
298 | 0 | WLog_WARN(TAG, "C_GetAttributeValue failed with %s [0x%08lx]", CK_RV_error_string(rv), |
299 | 0 | rv); |
300 | 0 | return rv; |
301 | 0 | } |
302 | | |
303 | 0 | switch (rv) |
304 | 0 | { |
305 | 0 | case CKR_ATTRIBUTE_SENSITIVE: |
306 | 0 | case CKR_ATTRIBUTE_TYPE_INVALID: |
307 | 0 | case CKR_BUFFER_TOO_SMALL: |
308 | 0 | WLog_ERR(TAG, |
309 | 0 | "C_GetAttributeValue failed with %s [0x%08lx] even after buffer allocation", |
310 | 0 | CK_RV_error_string(rv), rv); |
311 | 0 | break; |
312 | 0 | default: |
313 | 0 | break; |
314 | 0 | } |
315 | 0 | return rv; |
316 | 0 | } |
317 | | |
318 | | static const char* CK_RV_error_string(CK_RV rv) |
319 | 0 | { |
320 | 0 | static char generic_buffer[200]; |
321 | 0 | #define ERR_ENTRY(X) \ |
322 | 0 | case X: \ |
323 | 0 | return #X |
324 | |
|
325 | 0 | switch (rv) |
326 | 0 | { |
327 | 0 | ERR_ENTRY(CKR_OK); |
328 | 0 | ERR_ENTRY(CKR_CANCEL); |
329 | 0 | ERR_ENTRY(CKR_HOST_MEMORY); |
330 | 0 | ERR_ENTRY(CKR_SLOT_ID_INVALID); |
331 | 0 | ERR_ENTRY(CKR_GENERAL_ERROR); |
332 | 0 | ERR_ENTRY(CKR_FUNCTION_FAILED); |
333 | 0 | ERR_ENTRY(CKR_ARGUMENTS_BAD); |
334 | 0 | ERR_ENTRY(CKR_NO_EVENT); |
335 | 0 | ERR_ENTRY(CKR_NEED_TO_CREATE_THREADS); |
336 | 0 | ERR_ENTRY(CKR_CANT_LOCK); |
337 | 0 | ERR_ENTRY(CKR_ATTRIBUTE_READ_ONLY); |
338 | 0 | ERR_ENTRY(CKR_ATTRIBUTE_SENSITIVE); |
339 | 0 | ERR_ENTRY(CKR_ATTRIBUTE_TYPE_INVALID); |
340 | 0 | ERR_ENTRY(CKR_ATTRIBUTE_VALUE_INVALID); |
341 | 0 | ERR_ENTRY(CKR_DATA_INVALID); |
342 | 0 | ERR_ENTRY(CKR_DATA_LEN_RANGE); |
343 | 0 | ERR_ENTRY(CKR_DEVICE_ERROR); |
344 | 0 | ERR_ENTRY(CKR_DEVICE_MEMORY); |
345 | 0 | ERR_ENTRY(CKR_DEVICE_REMOVED); |
346 | 0 | ERR_ENTRY(CKR_ENCRYPTED_DATA_INVALID); |
347 | 0 | ERR_ENTRY(CKR_ENCRYPTED_DATA_LEN_RANGE); |
348 | 0 | ERR_ENTRY(CKR_FUNCTION_CANCELED); |
349 | 0 | ERR_ENTRY(CKR_FUNCTION_NOT_PARALLEL); |
350 | 0 | ERR_ENTRY(CKR_FUNCTION_NOT_SUPPORTED); |
351 | 0 | ERR_ENTRY(CKR_KEY_HANDLE_INVALID); |
352 | 0 | ERR_ENTRY(CKR_KEY_SIZE_RANGE); |
353 | 0 | ERR_ENTRY(CKR_KEY_TYPE_INCONSISTENT); |
354 | 0 | ERR_ENTRY(CKR_KEY_NOT_NEEDED); |
355 | 0 | ERR_ENTRY(CKR_KEY_CHANGED); |
356 | 0 | ERR_ENTRY(CKR_KEY_NEEDED); |
357 | 0 | ERR_ENTRY(CKR_KEY_INDIGESTIBLE); |
358 | 0 | ERR_ENTRY(CKR_KEY_FUNCTION_NOT_PERMITTED); |
359 | 0 | ERR_ENTRY(CKR_KEY_NOT_WRAPPABLE); |
360 | 0 | ERR_ENTRY(CKR_KEY_UNEXTRACTABLE); |
361 | 0 | ERR_ENTRY(CKR_MECHANISM_INVALID); |
362 | 0 | ERR_ENTRY(CKR_MECHANISM_PARAM_INVALID); |
363 | 0 | ERR_ENTRY(CKR_OBJECT_HANDLE_INVALID); |
364 | 0 | ERR_ENTRY(CKR_OPERATION_ACTIVE); |
365 | 0 | ERR_ENTRY(CKR_OPERATION_NOT_INITIALIZED); |
366 | 0 | ERR_ENTRY(CKR_PIN_INCORRECT); |
367 | 0 | ERR_ENTRY(CKR_PIN_INVALID); |
368 | 0 | ERR_ENTRY(CKR_PIN_LEN_RANGE); |
369 | 0 | ERR_ENTRY(CKR_PIN_EXPIRED); |
370 | 0 | ERR_ENTRY(CKR_PIN_LOCKED); |
371 | 0 | ERR_ENTRY(CKR_SESSION_CLOSED); |
372 | 0 | ERR_ENTRY(CKR_SESSION_COUNT); |
373 | 0 | ERR_ENTRY(CKR_SESSION_HANDLE_INVALID); |
374 | 0 | ERR_ENTRY(CKR_SESSION_PARALLEL_NOT_SUPPORTED); |
375 | 0 | ERR_ENTRY(CKR_SESSION_READ_ONLY); |
376 | 0 | ERR_ENTRY(CKR_SESSION_EXISTS); |
377 | 0 | ERR_ENTRY(CKR_SESSION_READ_ONLY_EXISTS); |
378 | 0 | ERR_ENTRY(CKR_SESSION_READ_WRITE_SO_EXISTS); |
379 | 0 | ERR_ENTRY(CKR_SIGNATURE_INVALID); |
380 | 0 | ERR_ENTRY(CKR_SIGNATURE_LEN_RANGE); |
381 | 0 | ERR_ENTRY(CKR_TEMPLATE_INCOMPLETE); |
382 | 0 | ERR_ENTRY(CKR_TEMPLATE_INCONSISTENT); |
383 | 0 | ERR_ENTRY(CKR_TOKEN_NOT_PRESENT); |
384 | 0 | ERR_ENTRY(CKR_TOKEN_NOT_RECOGNIZED); |
385 | 0 | ERR_ENTRY(CKR_TOKEN_WRITE_PROTECTED); |
386 | 0 | ERR_ENTRY(CKR_UNWRAPPING_KEY_HANDLE_INVALID); |
387 | 0 | ERR_ENTRY(CKR_UNWRAPPING_KEY_SIZE_RANGE); |
388 | 0 | ERR_ENTRY(CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT); |
389 | 0 | ERR_ENTRY(CKR_USER_ALREADY_LOGGED_IN); |
390 | 0 | ERR_ENTRY(CKR_USER_NOT_LOGGED_IN); |
391 | 0 | ERR_ENTRY(CKR_USER_PIN_NOT_INITIALIZED); |
392 | 0 | ERR_ENTRY(CKR_USER_TYPE_INVALID); |
393 | 0 | ERR_ENTRY(CKR_USER_ANOTHER_ALREADY_LOGGED_IN); |
394 | 0 | ERR_ENTRY(CKR_USER_TOO_MANY_TYPES); |
395 | 0 | ERR_ENTRY(CKR_WRAPPED_KEY_INVALID); |
396 | 0 | ERR_ENTRY(CKR_WRAPPED_KEY_LEN_RANGE); |
397 | 0 | ERR_ENTRY(CKR_WRAPPING_KEY_HANDLE_INVALID); |
398 | 0 | ERR_ENTRY(CKR_WRAPPING_KEY_SIZE_RANGE); |
399 | 0 | ERR_ENTRY(CKR_WRAPPING_KEY_TYPE_INCONSISTENT); |
400 | 0 | ERR_ENTRY(CKR_RANDOM_SEED_NOT_SUPPORTED); |
401 | 0 | ERR_ENTRY(CKR_RANDOM_NO_RNG); |
402 | 0 | ERR_ENTRY(CKR_DOMAIN_PARAMS_INVALID); |
403 | 0 | ERR_ENTRY(CKR_BUFFER_TOO_SMALL); |
404 | 0 | ERR_ENTRY(CKR_SAVED_STATE_INVALID); |
405 | 0 | ERR_ENTRY(CKR_INFORMATION_SENSITIVE); |
406 | 0 | ERR_ENTRY(CKR_STATE_UNSAVEABLE); |
407 | 0 | ERR_ENTRY(CKR_CRYPTOKI_NOT_INITIALIZED); |
408 | 0 | ERR_ENTRY(CKR_CRYPTOKI_ALREADY_INITIALIZED); |
409 | 0 | ERR_ENTRY(CKR_MUTEX_BAD); |
410 | 0 | ERR_ENTRY(CKR_MUTEX_NOT_LOCKED); |
411 | 0 | ERR_ENTRY(CKR_FUNCTION_REJECTED); |
412 | 0 | default: |
413 | 0 | (void)snprintf(generic_buffer, sizeof(generic_buffer), "unknown 0x%lx", rv); |
414 | 0 | return generic_buffer; |
415 | 0 | } |
416 | 0 | #undef ERR_ENTRY |
417 | 0 | } |
418 | | |
419 | | #define loge(tag, msg, rv, index, slot) \ |
420 | 0 | log_((tag), (msg), (rv), (index), (slot), __FILE__, __func__, __LINE__) |
421 | | static void log_(const char* tag, const char* msg, CK_RV rv, CK_ULONG index, CK_SLOT_ID slot, |
422 | | const char* file, const char* fkt, size_t line) |
423 | 0 | { |
424 | 0 | const DWORD log_level = WLOG_ERROR; |
425 | 0 | static wLog* log_cached_ptr = nullptr; |
426 | 0 | if (!log_cached_ptr) |
427 | 0 | log_cached_ptr = WLog_Get(tag); |
428 | 0 | if (!WLog_IsLevelActive(log_cached_ptr, log_level)) |
429 | 0 | return; |
430 | | |
431 | 0 | WLog_PrintTextMessage(log_cached_ptr, log_level, line, file, fkt, |
432 | 0 | "%s for slot #%lu(%lu), rv=%s", msg, index, slot, CK_RV_error_string(rv)); |
433 | 0 | } |
434 | | |
435 | | static SECURITY_STATUS collect_keys(NCryptP11ProviderHandle* provider, P11EnumKeysState* state) |
436 | 0 | { |
437 | 0 | CK_OBJECT_HANDLE slotObjects[MAX_KEYS_PER_SLOT] = WINPR_C_ARRAY_INIT; |
438 | |
|
439 | 0 | WINPR_ASSERT(provider); |
440 | |
|
441 | 0 | CK_FUNCTION_LIST_PTR p11 = provider->p11; |
442 | 0 | WINPR_ASSERT(p11); |
443 | |
|
444 | 0 | WLog_DBG(TAG, "checking %lx slots for valid keys...", state->nslots); |
445 | 0 | state->nKeys = 0; |
446 | 0 | for (CK_ULONG i = 0; i < state->nslots; i++) |
447 | 0 | { |
448 | 0 | CK_SESSION_HANDLE session = 0; |
449 | 0 | CK_SLOT_INFO slotInfo = WINPR_C_ARRAY_INIT; |
450 | 0 | CK_TOKEN_INFO tokenInfo = WINPR_C_ARRAY_INIT; |
451 | |
|
452 | 0 | WINPR_ASSERT(p11->C_GetSlotInfo); |
453 | 0 | CK_RV rv = p11->C_GetSlotInfo(state->slots[i], &slotInfo); |
454 | 0 | if (rv != CKR_OK) |
455 | 0 | { |
456 | 0 | loge(TAG, "unable to retrieve information", rv, i, state->slots[i]); |
457 | 0 | continue; |
458 | 0 | } |
459 | | |
460 | 0 | fix_padded_string((char*)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); |
461 | 0 | WLog_DBG(TAG, "collecting keys for slot #%lx(%lu) descr='%s' flags=0x%lx", i, |
462 | 0 | state->slots[i], slotInfo.slotDescription, slotInfo.flags); |
463 | | |
464 | | /* this is a safety guard as we're supposed to have listed only readers with tokens in them |
465 | | */ |
466 | 0 | if (!(slotInfo.flags & CKF_TOKEN_PRESENT)) |
467 | 0 | { |
468 | 0 | WLog_INFO(TAG, "token not present for slot #%lu(%lu)", i, state->slots[i]); |
469 | 0 | continue; |
470 | 0 | } |
471 | | |
472 | 0 | WINPR_ASSERT(p11->C_GetTokenInfo); |
473 | 0 | rv = p11->C_GetTokenInfo(state->slots[i], &tokenInfo); |
474 | 0 | if (rv != CKR_OK) |
475 | 0 | loge(TAG, "unable to retrieve token info", rv, i, state->slots[i]); |
476 | 0 | else |
477 | 0 | { |
478 | 0 | fix_padded_string((char*)tokenInfo.label, sizeof(tokenInfo.label)); |
479 | 0 | WLog_DBG(TAG, "token, label='%s' flags=0x%lx", tokenInfo.label, tokenInfo.flags); |
480 | 0 | } |
481 | |
|
482 | 0 | WINPR_ASSERT(p11->C_OpenSession); |
483 | 0 | rv = p11->C_OpenSession(state->slots[i], CKF_SERIAL_SESSION, nullptr, nullptr, &session); |
484 | 0 | if (rv != CKR_OK) |
485 | 0 | { |
486 | 0 | WLog_ERR(TAG, "unable to openSession for slot #%lu(%lu), session=%p rv=%s", i, |
487 | 0 | state->slots[i], WINPR_CXX_COMPAT_CAST(const void*, session), |
488 | 0 | CK_RV_error_string(rv)); |
489 | 0 | continue; |
490 | 0 | } |
491 | | |
492 | 0 | WINPR_ASSERT(p11->C_FindObjectsInit); |
493 | 0 | rv = p11->C_FindObjectsInit(session, public_key_filter, ARRAYSIZE(public_key_filter)); |
494 | 0 | if (rv != CKR_OK) |
495 | 0 | { |
496 | | // TODO: shall it be fatal ? |
497 | 0 | loge(TAG, "unable to initiate search", rv, i, state->slots[i]); |
498 | 0 | goto cleanup_FindObjectsInit; |
499 | 0 | } |
500 | | |
501 | 0 | { |
502 | 0 | CK_ULONG nslotObjects = 0; |
503 | 0 | WINPR_ASSERT(p11->C_FindObjects); |
504 | 0 | rv = |
505 | 0 | p11->C_FindObjects(session, &slotObjects[0], ARRAYSIZE(slotObjects), &nslotObjects); |
506 | 0 | if (rv != CKR_OK) |
507 | 0 | { |
508 | 0 | loge(TAG, "unable to findObjects", rv, i, state->slots[i]); |
509 | 0 | goto cleanup_FindObjects; |
510 | 0 | } |
511 | | |
512 | 0 | WLog_DBG(TAG, "slot has %lu objects", nslotObjects); |
513 | 0 | for (CK_ULONG j = 0; j < nslotObjects; j++) |
514 | 0 | { |
515 | 0 | NCryptKeyEnum* key = &state->keys[state->nKeys]; |
516 | 0 | CK_OBJECT_CLASS dataClass = CKO_PUBLIC_KEY; |
517 | 0 | CK_ATTRIBUTE key_or_certAttrs[] = { |
518 | 0 | { CKA_ID, &key->id, sizeof(key->id) }, |
519 | 0 | { CKA_CLASS, &dataClass, sizeof(dataClass) }, |
520 | 0 | { CKA_LABEL, &key->keyLabel, sizeof(key->keyLabel) }, |
521 | 0 | { CKA_KEY_TYPE, &key->keyType, sizeof(key->keyType) } |
522 | 0 | }; |
523 | |
|
524 | 0 | rv = object_load_attributes(provider, session, slotObjects[j], key_or_certAttrs, |
525 | 0 | ARRAYSIZE(key_or_certAttrs)); |
526 | 0 | if (rv != CKR_OK) |
527 | 0 | { |
528 | 0 | WLog_ERR(TAG, "error getting attributes, rv=%s", CK_RV_error_string(rv)); |
529 | 0 | continue; |
530 | 0 | } |
531 | | |
532 | 0 | key->idLen = key_or_certAttrs[0].ulValueLen; |
533 | 0 | key->slotId = state->slots[i]; |
534 | 0 | key->slotInfo = slotInfo; |
535 | 0 | state->nKeys++; |
536 | 0 | } |
537 | 0 | } |
538 | | |
539 | 0 | cleanup_FindObjects: |
540 | 0 | WINPR_ASSERT(p11->C_FindObjectsFinal); |
541 | 0 | rv = p11->C_FindObjectsFinal(session); |
542 | 0 | if (rv != CKR_OK) |
543 | 0 | loge(TAG, "error during C_FindObjectsFinal", rv, i, state->slots[i]); |
544 | 0 | cleanup_FindObjectsInit: |
545 | 0 | WINPR_ASSERT(p11->C_CloseSession); |
546 | 0 | rv = p11->C_CloseSession(session); |
547 | 0 | if (rv != CKR_OK) |
548 | 0 | loge(TAG, "error closing session", rv, i, state->slots[i]); |
549 | 0 | } |
550 | | |
551 | 0 | return ERROR_SUCCESS; |
552 | 0 | } |
553 | | |
554 | | static BOOL convertKeyType(CK_KEY_TYPE k, LPWSTR dest, DWORD len, DWORD* outlen) |
555 | 0 | { |
556 | 0 | const WCHAR* r = nullptr; |
557 | 0 | size_t retLen = 0; |
558 | |
|
559 | 0 | #define ALGO_CASE(V, S) \ |
560 | 0 | case V: \ |
561 | 0 | r = S; \ |
562 | 0 | retLen = _wcsnlen((S), ARRAYSIZE((S))); \ |
563 | 0 | break |
564 | 0 | switch (k) |
565 | 0 | { |
566 | 0 | ALGO_CASE(CKK_RSA, BCRYPT_RSA_ALGORITHM); |
567 | 0 | ALGO_CASE(CKK_DSA, BCRYPT_DSA_ALGORITHM); |
568 | 0 | ALGO_CASE(CKK_DH, BCRYPT_DH_ALGORITHM); |
569 | 0 | ALGO_CASE(CKK_EC, BCRYPT_ECDSA_ALGORITHM); |
570 | 0 | ALGO_CASE(CKK_RC2, BCRYPT_RC2_ALGORITHM); |
571 | 0 | ALGO_CASE(CKK_RC4, BCRYPT_RC4_ALGORITHM); |
572 | 0 | ALGO_CASE(CKK_DES, BCRYPT_DES_ALGORITHM); |
573 | 0 | ALGO_CASE(CKK_DES3, BCRYPT_3DES_ALGORITHM); |
574 | 0 | case CKK_DES2: |
575 | 0 | case CKK_X9_42_DH: |
576 | 0 | case CKK_KEA: |
577 | 0 | case CKK_GENERIC_SECRET: |
578 | 0 | case CKK_CAST: |
579 | 0 | case CKK_CAST3: |
580 | 0 | case CKK_CAST128: |
581 | 0 | case CKK_RC5: |
582 | 0 | case CKK_IDEA: |
583 | 0 | case CKK_SKIPJACK: |
584 | 0 | case CKK_BATON: |
585 | 0 | case CKK_JUNIPER: |
586 | 0 | case CKK_CDMF: |
587 | 0 | case CKK_AES: |
588 | 0 | case CKK_BLOWFISH: |
589 | 0 | case CKK_TWOFISH: |
590 | 0 | default: |
591 | 0 | break; |
592 | 0 | } |
593 | 0 | #undef ALGO_CASE |
594 | | |
595 | 0 | if (retLen > UINT32_MAX) |
596 | 0 | return FALSE; |
597 | | |
598 | 0 | if (outlen) |
599 | 0 | *outlen = (UINT32)retLen; |
600 | |
|
601 | 0 | if (!r) |
602 | 0 | { |
603 | 0 | if (dest && len > 0) |
604 | 0 | dest[0] = 0; |
605 | 0 | return FALSE; |
606 | 0 | } |
607 | | |
608 | 0 | if (dest) |
609 | 0 | { |
610 | 0 | if (retLen + 1 > len) |
611 | 0 | { |
612 | 0 | WLog_ERR(TAG, "target buffer is too small for algo name"); |
613 | 0 | return FALSE; |
614 | 0 | } |
615 | | |
616 | 0 | memcpy(dest, r, sizeof(WCHAR) * retLen); |
617 | 0 | dest[retLen] = 0; |
618 | 0 | } |
619 | | |
620 | 0 | return TRUE; |
621 | 0 | } |
622 | | |
623 | | static void wprintKeyName(LPWSTR str, CK_SLOT_ID slotId, CK_BYTE* id, CK_ULONG idLen) |
624 | 0 | { |
625 | 0 | char asciiName[128] = WINPR_C_ARRAY_INIT; |
626 | 0 | char* ptr = asciiName; |
627 | 0 | const CK_BYTE* bytePtr = nullptr; |
628 | |
|
629 | 0 | *ptr = '\\'; |
630 | 0 | ptr++; |
631 | |
|
632 | 0 | bytePtr = ((CK_BYTE*)&slotId); |
633 | 0 | for (CK_ULONG i = 0; i < sizeof(slotId); i++, bytePtr++, ptr += 2) |
634 | 0 | (void)snprintf(ptr, 3, "%.2x", *bytePtr); |
635 | |
|
636 | 0 | *ptr = '\\'; |
637 | 0 | ptr++; |
638 | |
|
639 | 0 | for (CK_ULONG i = 0; i < idLen; i++, id++, ptr += 2) |
640 | 0 | (void)snprintf(ptr, 3, "%.2x", *id); |
641 | |
|
642 | 0 | (void)ConvertUtf8NToWChar(asciiName, ARRAYSIZE(asciiName), str, |
643 | 0 | strnlen(asciiName, ARRAYSIZE(asciiName)) + 1); |
644 | 0 | } |
645 | | |
646 | | static size_t parseHex(const char* str, const char* end, CK_BYTE* target) |
647 | 0 | { |
648 | 0 | size_t ret = 0; |
649 | |
|
650 | 0 | for (; str != end && *str; str++, ret++, target++) |
651 | 0 | { |
652 | 0 | int v = 0; |
653 | 0 | if (*str <= '9' && *str >= '0') |
654 | 0 | { |
655 | 0 | v = (*str - '0'); |
656 | 0 | } |
657 | 0 | else if (*str <= 'f' && *str >= 'a') |
658 | 0 | { |
659 | 0 | v = (10 + *str - 'a'); |
660 | 0 | } |
661 | 0 | else if (*str <= 'F' && *str >= 'A') |
662 | 0 | { |
663 | 0 | v |= (10 + *str - 'A'); |
664 | 0 | } |
665 | 0 | else |
666 | 0 | { |
667 | 0 | return 0; |
668 | 0 | } |
669 | 0 | v <<= 4; |
670 | 0 | str++; |
671 | |
|
672 | 0 | if (!*str || str == end) |
673 | 0 | return 0; |
674 | | |
675 | 0 | if (*str <= '9' && *str >= '0') |
676 | 0 | { |
677 | 0 | v |= (*str - '0'); |
678 | 0 | } |
679 | 0 | else if (*str <= 'f' && *str >= 'a') |
680 | 0 | { |
681 | 0 | v |= (10 + *str - 'a'); |
682 | 0 | } |
683 | 0 | else if (*str <= 'F' && *str >= 'A') |
684 | 0 | { |
685 | 0 | v |= (10 + *str - 'A'); |
686 | 0 | } |
687 | 0 | else |
688 | 0 | { |
689 | 0 | return 0; |
690 | 0 | } |
691 | | |
692 | 0 | *target = v & 0xFF; |
693 | 0 | } |
694 | 0 | return ret; |
695 | 0 | } |
696 | | |
697 | | static SECURITY_STATUS parseKeyName(LPCWSTR pszKeyName, CK_SLOT_ID* slotId, CK_BYTE* id, |
698 | | CK_ULONG* idLen) |
699 | 0 | { |
700 | 0 | char asciiKeyName[128] = WINPR_C_ARRAY_INIT; |
701 | 0 | char* pos = nullptr; |
702 | |
|
703 | 0 | if (ConvertWCharToUtf8(pszKeyName, asciiKeyName, ARRAYSIZE(asciiKeyName)) < 0) |
704 | 0 | return NTE_BAD_KEY; |
705 | | |
706 | 0 | if (*asciiKeyName != '\\') |
707 | 0 | return NTE_BAD_KEY; |
708 | | |
709 | 0 | pos = strchr(&asciiKeyName[1], '\\'); |
710 | 0 | if (!pos) |
711 | 0 | return NTE_BAD_KEY; |
712 | | |
713 | 0 | if ((size_t)(pos - &asciiKeyName[1]) > sizeof(CK_SLOT_ID) * 2ull) |
714 | 0 | return NTE_BAD_KEY; |
715 | | |
716 | 0 | *slotId = (CK_SLOT_ID)0; |
717 | 0 | if (parseHex(&asciiKeyName[1], pos, (CK_BYTE*)slotId) != sizeof(CK_SLOT_ID)) |
718 | 0 | return NTE_BAD_KEY; |
719 | | |
720 | 0 | *idLen = parseHex(pos + 1, nullptr, id); |
721 | 0 | if (!*idLen) |
722 | 0 | return NTE_BAD_KEY; |
723 | | |
724 | 0 | return ERROR_SUCCESS; |
725 | 0 | } |
726 | | |
727 | | static SECURITY_STATUS NCryptP11EnumKeys(NCRYPT_PROV_HANDLE hProvider, LPCWSTR pszScope, |
728 | | NCryptKeyName** ppKeyName, PVOID* ppEnumState, |
729 | | WINPR_ATTR_UNUSED DWORD dwFlags) |
730 | 0 | { |
731 | 0 | NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)hProvider; |
732 | 0 | P11EnumKeysState* state = (P11EnumKeysState*)*ppEnumState; |
733 | 0 | CK_RV rv = WINPR_C_ARRAY_INIT; |
734 | 0 | CK_SLOT_ID currentSlot = WINPR_C_ARRAY_INIT; |
735 | 0 | CK_SESSION_HANDLE currentSession = 0; |
736 | 0 | char slotFilterBuffer[65] = WINPR_C_ARRAY_INIT; |
737 | 0 | char* slotFilter = nullptr; |
738 | 0 | size_t slotFilterLen = 0; |
739 | |
|
740 | 0 | SECURITY_STATUS ret = checkNCryptHandle((NCRYPT_HANDLE)hProvider, WINPR_NCRYPT_PROVIDER); |
741 | 0 | if (ret != ERROR_SUCCESS) |
742 | 0 | return ret; |
743 | | |
744 | 0 | if (pszScope) |
745 | 0 | { |
746 | | /* |
747 | | * check whether pszScope is of the form \\.\<reader name>\ for filtering by |
748 | | * card reader |
749 | | */ |
750 | 0 | char asciiScope[128 + 6 + 1] = WINPR_C_ARRAY_INIT; |
751 | 0 | size_t asciiScopeLen = 0; |
752 | |
|
753 | 0 | if (ConvertWCharToUtf8(pszScope, asciiScope, ARRAYSIZE(asciiScope) - 1) < 0) |
754 | 0 | { |
755 | 0 | WLog_WARN(TAG, "Invalid scope"); |
756 | 0 | return NTE_INVALID_PARAMETER; |
757 | 0 | } |
758 | | |
759 | 0 | if (strstr(asciiScope, "\\\\.\\") != asciiScope) |
760 | 0 | { |
761 | 0 | WLog_WARN(TAG, "Invalid scope '%s'", asciiScope); |
762 | 0 | return NTE_INVALID_PARAMETER; |
763 | 0 | } |
764 | | |
765 | 0 | asciiScopeLen = strnlen(asciiScope, ARRAYSIZE(asciiScope)); |
766 | 0 | if ((asciiScopeLen < 1) || (asciiScope[asciiScopeLen - 1] != '\\')) |
767 | 0 | { |
768 | 0 | WLog_WARN(TAG, "Invalid scope '%s'", asciiScope); |
769 | 0 | return NTE_INVALID_PARAMETER; |
770 | 0 | } |
771 | | |
772 | 0 | asciiScope[asciiScopeLen - 1] = 0; |
773 | |
|
774 | 0 | strncpy(slotFilterBuffer, &asciiScope[4], sizeof(slotFilterBuffer)); |
775 | 0 | slotFilter = slotFilterBuffer; |
776 | 0 | slotFilterLen = asciiScopeLen - 5; |
777 | 0 | } |
778 | | |
779 | 0 | if (!state) |
780 | 0 | { |
781 | 0 | state = (P11EnumKeysState*)calloc(1, sizeof(*state)); |
782 | 0 | if (!state) |
783 | 0 | return NTE_NO_MEMORY; |
784 | | |
785 | 0 | WINPR_ASSERT(provider->p11->C_GetSlotList); |
786 | 0 | rv = provider->p11->C_GetSlotList(CK_TRUE, nullptr, &state->nslots); |
787 | 0 | if (rv != CKR_OK) |
788 | 0 | { |
789 | 0 | free(state); |
790 | | /* TODO: perhaps convert rv to NTE_*** errors */ |
791 | 0 | WLog_WARN(TAG, "C_GetSlotList failed with %s [0x%08lx]", CK_RV_error_string(rv), rv); |
792 | 0 | return NTE_FAIL; |
793 | 0 | } |
794 | | |
795 | 0 | if (state->nslots > MAX_SLOTS) |
796 | 0 | state->nslots = MAX_SLOTS; |
797 | |
|
798 | 0 | rv = provider->p11->C_GetSlotList(CK_TRUE, state->slots, &state->nslots); |
799 | 0 | if (rv != CKR_OK) |
800 | 0 | { |
801 | 0 | free(state); |
802 | | /* TODO: perhaps convert rv to NTE_*** errors */ |
803 | 0 | WLog_WARN(TAG, "C_GetSlotList failed with %s [0x%08lx]", CK_RV_error_string(rv), rv); |
804 | 0 | return NTE_FAIL; |
805 | 0 | } |
806 | | |
807 | 0 | ret = collect_keys(provider, state); |
808 | 0 | if (ret != ERROR_SUCCESS) |
809 | 0 | { |
810 | 0 | free(state); |
811 | 0 | return ret; |
812 | 0 | } |
813 | | |
814 | 0 | *ppEnumState = state; |
815 | 0 | } |
816 | | |
817 | 0 | for (; state->keyIndex < state->nKeys; state->keyIndex++) |
818 | 0 | { |
819 | 0 | NCryptKeyName* keyName = nullptr; |
820 | 0 | NCryptKeyEnum* key = &state->keys[state->keyIndex]; |
821 | 0 | CK_OBJECT_CLASS oclass = CKO_CERTIFICATE; |
822 | 0 | CK_CERTIFICATE_TYPE ctype = CKC_X_509; |
823 | 0 | CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass, sizeof(oclass) }, |
824 | 0 | { CKA_CERTIFICATE_TYPE, &ctype, sizeof(ctype) }, |
825 | 0 | { CKA_ID, key->id, key->idLen } }; |
826 | 0 | CK_ULONG ncertObjects = 0; |
827 | 0 | CK_OBJECT_HANDLE certObject = 0; |
828 | | |
829 | | /* check the reader filter if any */ |
830 | 0 | if (slotFilter && memcmp(key->slotInfo.slotDescription, slotFilter, slotFilterLen) != 0) |
831 | 0 | continue; |
832 | | |
833 | 0 | if (!currentSession || (currentSlot != key->slotId)) |
834 | 0 | { |
835 | | /* if the current session doesn't match the current key's slot, open a new one |
836 | | */ |
837 | 0 | if (currentSession) |
838 | 0 | { |
839 | 0 | WINPR_ASSERT(provider->p11->C_CloseSession); |
840 | 0 | rv = provider->p11->C_CloseSession(currentSession); |
841 | 0 | if (rv != CKR_OK) |
842 | 0 | WLog_WARN(TAG, "C_CloseSession failed with %s [0x%08lx]", |
843 | 0 | CK_RV_error_string(rv), rv); |
844 | 0 | currentSession = 0; |
845 | 0 | } |
846 | |
|
847 | 0 | WINPR_ASSERT(provider->p11->C_OpenSession); |
848 | 0 | rv = provider->p11->C_OpenSession(key->slotId, CKF_SERIAL_SESSION, nullptr, nullptr, |
849 | 0 | ¤tSession); |
850 | 0 | if (rv != CKR_OK) |
851 | 0 | { |
852 | 0 | WLog_ERR(TAG, "C_OpenSession failed with %s [0x%08lx] for slot %lu", |
853 | 0 | CK_RV_error_string(rv), rv, key->slotId); |
854 | 0 | continue; |
855 | 0 | } |
856 | 0 | currentSlot = key->slotId; |
857 | 0 | } |
858 | | |
859 | | /* look if we can find a certificate that matches the key's id */ |
860 | 0 | WINPR_ASSERT(provider->p11->C_FindObjectsInit); |
861 | 0 | rv = provider->p11->C_FindObjectsInit(currentSession, certificateFilter, |
862 | 0 | ARRAYSIZE(certificateFilter)); |
863 | 0 | if (rv != CKR_OK) |
864 | 0 | { |
865 | 0 | WLog_ERR(TAG, "C_FindObjectsInit failed with %s [0x%08lx] for slot %lu", |
866 | 0 | CK_RV_error_string(rv), rv, key->slotId); |
867 | 0 | continue; |
868 | 0 | } |
869 | | |
870 | 0 | WINPR_ASSERT(provider->p11->C_FindObjects); |
871 | 0 | rv = provider->p11->C_FindObjects(currentSession, &certObject, 1, &ncertObjects); |
872 | 0 | if (rv != CKR_OK) |
873 | 0 | { |
874 | 0 | WLog_ERR(TAG, "C_FindObjects failed with %s [0x%08lx] for slot %lu", |
875 | 0 | CK_RV_error_string(rv), rv, currentSlot); |
876 | 0 | goto cleanup_FindObjects; |
877 | 0 | } |
878 | | |
879 | 0 | if (ncertObjects) |
880 | 0 | { |
881 | | /* sizeof keyName struct + "\<slotId>\<certId>" + keyName->pszAlgid */ |
882 | 0 | DWORD algoSz = 0; |
883 | 0 | size_t KEYNAME_SZ = (1ull + (sizeof(key->slotId) * 2ull) /*slotId*/ + 1ull + |
884 | 0 | (key->idLen * 2ull) + 1ull) * |
885 | 0 | sizeof(WCHAR); |
886 | |
|
887 | 0 | convertKeyType(key->keyType, nullptr, 0, &algoSz); |
888 | 0 | KEYNAME_SZ += (1ULL + algoSz) * sizeof(WCHAR); |
889 | |
|
890 | 0 | keyName = calloc(1, sizeof(*keyName) + KEYNAME_SZ); |
891 | 0 | if (!keyName) |
892 | 0 | { |
893 | 0 | WLog_ERR(TAG, "unable to allocate keyName"); |
894 | 0 | goto cleanup_FindObjects; |
895 | 0 | } |
896 | 0 | keyName->dwLegacyKeySpec = AT_KEYEXCHANGE | AT_SIGNATURE; |
897 | 0 | keyName->dwFlags = NCRYPT_MACHINE_KEY_FLAG; |
898 | 0 | keyName->pszName = (LPWSTR)(keyName + 1); |
899 | 0 | wprintKeyName(keyName->pszName, key->slotId, key->id, key->idLen); |
900 | |
|
901 | 0 | keyName->pszAlgid = keyName->pszName + _wcslen(keyName->pszName) + 1; |
902 | 0 | convertKeyType(key->keyType, keyName->pszAlgid, algoSz + 1, nullptr); |
903 | 0 | } |
904 | | |
905 | 0 | cleanup_FindObjects: |
906 | 0 | WINPR_ASSERT(provider->p11->C_FindObjectsFinal); |
907 | 0 | rv = provider->p11->C_FindObjectsFinal(currentSession); |
908 | 0 | if (rv != CKR_OK) |
909 | 0 | WLog_ERR(TAG, "C_FindObjectsFinal failed with %s [0x%08lx]", CK_RV_error_string(rv), |
910 | 0 | rv); |
911 | |
|
912 | 0 | if (keyName) |
913 | 0 | { |
914 | 0 | *ppKeyName = keyName; |
915 | 0 | state->keyIndex++; |
916 | 0 | return ERROR_SUCCESS; |
917 | 0 | } |
918 | 0 | } |
919 | | |
920 | 0 | return NTE_NO_MORE_ITEMS; |
921 | 0 | } |
922 | | |
923 | | static BOOL piv_check_sw(DWORD buf_len, const BYTE* buf, size_t bufsize, BYTE expected_sw1) |
924 | 0 | { |
925 | 0 | return (buf_len >= 2) && (buf_len <= bufsize) && (buf[buf_len - 2] == expected_sw1); |
926 | 0 | } |
927 | | |
928 | | static BOOL piv_check_sw_success(DWORD buf_len, const BYTE* buf, size_t bufsize) |
929 | 0 | { |
930 | 0 | return (buf_len >= 2) && (buf_len <= bufsize) && (buf[buf_len - 2] == 0x90) && |
931 | 0 | (buf[buf_len - 1] == 0x00); |
932 | 0 | } |
933 | | |
934 | | static SECURITY_STATUS get_piv_container_name_from_mscmap(SCARDHANDLE card, |
935 | | const SCARD_IO_REQUEST* pci, |
936 | | const BYTE* piv_tag, BYTE* output, |
937 | | size_t output_len) |
938 | 0 | { |
939 | 0 | BYTE buf[258] = WINPR_C_ARRAY_INIT; |
940 | 0 | BYTE mscmap_buf[2148] = WINPR_C_ARRAY_INIT; |
941 | 0 | DWORD buf_len = sizeof(buf); |
942 | 0 | DWORD mscmap_total = 0; |
943 | |
|
944 | 0 | if (SCardTransmit(card, pci, APDU_PIV_GET_MSCMAP, sizeof(APDU_PIV_GET_MSCMAP), nullptr, buf, |
945 | 0 | &buf_len) != SCARD_S_SUCCESS) |
946 | 0 | return NTE_NOT_FOUND; |
947 | | |
948 | 0 | if (piv_check_sw_success(buf_len, buf, sizeof(buf))) |
949 | 0 | { |
950 | 0 | mscmap_total = buf_len - 2; |
951 | 0 | if (mscmap_total > sizeof(mscmap_buf)) |
952 | 0 | return NTE_NOT_FOUND; |
953 | 0 | memcpy(mscmap_buf, buf, mscmap_total); |
954 | 0 | } |
955 | 0 | else if (piv_check_sw(buf_len, buf, sizeof(buf), 0x61)) |
956 | 0 | { |
957 | 0 | mscmap_total = buf_len - 2; |
958 | 0 | if (mscmap_total <= sizeof(mscmap_buf)) |
959 | 0 | memcpy(mscmap_buf, buf, mscmap_total); |
960 | |
|
961 | 0 | while (piv_check_sw(buf_len, buf, sizeof(buf), 0x61) && mscmap_total < sizeof(mscmap_buf)) |
962 | 0 | { |
963 | 0 | BYTE get_resp[5] = { 0x00, 0xC0, 0x00, 0x00, buf[buf_len - 1] }; |
964 | 0 | buf_len = sizeof(buf); |
965 | |
|
966 | 0 | const SECURITY_STATUS status = |
967 | 0 | SCardTransmit(card, pci, get_resp, sizeof(get_resp), nullptr, buf, &buf_len); |
968 | 0 | if (status != SCARD_S_SUCCESS) |
969 | 0 | return NTE_NOT_FOUND; |
970 | | |
971 | 0 | DWORD chunk = 0; |
972 | 0 | if (piv_check_sw_success(buf_len, buf, sizeof(buf)) || |
973 | 0 | piv_check_sw(buf_len, buf, sizeof(buf), 0x61)) |
974 | 0 | chunk = buf_len - 2; |
975 | 0 | if (chunk == 0 || mscmap_total + chunk > sizeof(mscmap_buf)) |
976 | 0 | break; |
977 | 0 | memcpy(mscmap_buf + mscmap_total, buf, chunk); |
978 | 0 | mscmap_total += chunk; |
979 | 0 | } |
980 | 0 | if (!piv_check_sw_success(buf_len, buf, sizeof(buf))) |
981 | 0 | return NTE_NOT_FOUND; |
982 | 0 | } |
983 | 0 | else |
984 | 0 | return NTE_NOT_FOUND; |
985 | | |
986 | | /* Strip TLV wrappers: outer tag 0x53, inner tag 0x81 */ |
987 | 0 | const BYTE* mscmap_data = mscmap_buf; |
988 | 0 | DWORD mscmap_data_len = mscmap_total; |
989 | |
|
990 | 0 | for (int tlv_pass = 0; tlv_pass < 2; tlv_pass++) |
991 | 0 | { |
992 | 0 | if (mscmap_data_len < 2) |
993 | 0 | break; |
994 | 0 | BYTE tlv_tag = mscmap_data[0]; |
995 | 0 | if (tlv_tag != 0x53 && tlv_tag != 0x81) |
996 | 0 | break; |
997 | 0 | size_t hdr = 2; |
998 | 0 | if (mscmap_data[1] == 0x82 && mscmap_data_len > 4) |
999 | 0 | hdr = 4; |
1000 | 0 | else if (mscmap_data[1] == 0x81 && mscmap_data_len > 3) |
1001 | 0 | hdr = 3; |
1002 | 0 | mscmap_data += hdr; |
1003 | 0 | mscmap_data_len -= (DWORD)hdr; |
1004 | 0 | } |
1005 | | |
1006 | | /* Map PIV tag to slot byte */ |
1007 | 0 | BYTE target_slot = 0; |
1008 | 0 | for (size_t i = 0; i < ARRAYSIZE(piv_tag_to_slot); i++) |
1009 | 0 | { |
1010 | 0 | if (memcmp(piv_tag, piv_tag_to_slot[i].tag, 3) == 0) |
1011 | 0 | { |
1012 | 0 | target_slot = piv_tag_to_slot[i].slot; |
1013 | 0 | break; |
1014 | 0 | } |
1015 | 0 | } |
1016 | 0 | if (target_slot == 0) |
1017 | 0 | return NTE_NOT_FOUND; |
1018 | | |
1019 | | /* Search MSCMAP records (107 bytes each) for matching slot */ |
1020 | 0 | size_t num_records = mscmap_data_len / MSCMAP_RECORD_SIZE; |
1021 | 0 | for (size_t i = 0; i < num_records; i++) |
1022 | 0 | { |
1023 | 0 | const BYTE* record = mscmap_data + (i * MSCMAP_RECORD_SIZE); |
1024 | 0 | if (record[MSCMAP_SLOT_OFFSET] == target_slot) |
1025 | 0 | { |
1026 | 0 | size_t copy_len = (MAX_CONTAINER_NAME_LEN + 1) * sizeof(WCHAR); |
1027 | 0 | if (copy_len > output_len) |
1028 | 0 | copy_len = output_len; |
1029 | 0 | memcpy(output, record, copy_len); |
1030 | 0 | return ERROR_SUCCESS; |
1031 | 0 | } |
1032 | 0 | } |
1033 | 0 | return NTE_NOT_FOUND; |
1034 | 0 | } |
1035 | | |
1036 | | static SECURITY_STATUS get_piv_container_name_from_chuid(SCARDHANDLE card, |
1037 | | const SCARD_IO_REQUEST* pci, |
1038 | | const BYTE* piv_tag, BYTE* output, |
1039 | | size_t output_len) |
1040 | 0 | { |
1041 | 0 | BYTE buf[258] = WINPR_C_ARRAY_INIT; |
1042 | 0 | DWORD buf_len = sizeof(buf); |
1043 | 0 | char container_name[PIV_CONTAINER_NAME_LEN + 1] = WINPR_C_ARRAY_INIT; |
1044 | |
|
1045 | 0 | if (SCardTransmit(card, pci, APDU_PIV_GET_CHUID, sizeof(APDU_PIV_GET_CHUID), nullptr, buf, |
1046 | 0 | &buf_len) != SCARD_S_SUCCESS) |
1047 | 0 | return NTE_BAD_KEY; |
1048 | 0 | if (!piv_check_sw_success(buf_len, buf, sizeof(buf)) && |
1049 | 0 | !piv_check_sw(buf_len, buf, sizeof(buf), 0x61)) |
1050 | 0 | return NTE_BAD_KEY; |
1051 | | |
1052 | 0 | WinPrAsn1Decoder dec = WinPrAsn1Decoder_init(); |
1053 | 0 | WinPrAsn1Decoder dec2 = WinPrAsn1Decoder_init(); |
1054 | 0 | size_t len = 0; |
1055 | 0 | BYTE tag = 0; |
1056 | |
|
1057 | 0 | WinPrAsn1Decoder_InitMem(&dec, WINPR_ASN1_BER, buf, buf_len); |
1058 | 0 | if (!WinPrAsn1DecReadTagAndLen(&dec, &tag, &len) || tag != 0x53) |
1059 | 0 | return NTE_BAD_KEY; |
1060 | 0 | while (WinPrAsn1DecReadTagLenValue(&dec, &tag, &len, &dec2) && tag != 0x34) |
1061 | 0 | ; |
1062 | 0 | if (tag != 0x34 || len != 16) |
1063 | 0 | return NTE_BAD_KEY; |
1064 | | |
1065 | 0 | wStream s = WinPrAsn1DecGetStream(&dec2); |
1066 | 0 | BYTE* p = Stream_Buffer(&s); |
1067 | |
|
1068 | 0 | (void)snprintf(container_name, PIV_CONTAINER_NAME_LEN + 1, |
1069 | 0 | "%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x", p[3], |
1070 | 0 | p[2], p[1], p[0], p[5], p[4], p[7], p[6], p[8], p[9], p[10], p[11], p[12], |
1071 | 0 | piv_tag[0], piv_tag[1], piv_tag[2]); |
1072 | |
|
1073 | 0 | union |
1074 | 0 | { |
1075 | 0 | WCHAR* wc; |
1076 | 0 | BYTE* b; |
1077 | 0 | } cnv; |
1078 | 0 | cnv.b = output; |
1079 | 0 | if (ConvertUtf8NToWChar(container_name, ARRAYSIZE(container_name), cnv.wc, |
1080 | 0 | output_len / sizeof(WCHAR)) > 0) |
1081 | 0 | return ERROR_SUCCESS; |
1082 | 0 | return NTE_BAD_KEY; |
1083 | 0 | } |
1084 | | |
1085 | | static SECURITY_STATUS get_piv_container_name(NCryptP11KeyHandle* key, const BYTE* piv_tag, |
1086 | | BYTE* output, size_t output_len) |
1087 | 0 | { |
1088 | 0 | CK_SLOT_INFO slot_info = WINPR_C_ARRAY_INIT; |
1089 | 0 | CK_FUNCTION_LIST_PTR p11 = nullptr; |
1090 | 0 | WCHAR* reader = nullptr; |
1091 | 0 | SCARDCONTEXT context = 0; |
1092 | 0 | SCARDHANDLE card = 0; |
1093 | 0 | DWORD proto = 0; |
1094 | 0 | const SCARD_IO_REQUEST* pci = nullptr; |
1095 | 0 | BYTE buf[258] = WINPR_C_ARRAY_INIT; |
1096 | 0 | DWORD buf_len = 0; |
1097 | 0 | SECURITY_STATUS ret = NTE_BAD_KEY; |
1098 | |
|
1099 | 0 | WINPR_ASSERT(key); |
1100 | 0 | WINPR_ASSERT(piv_tag); |
1101 | |
|
1102 | 0 | WINPR_ASSERT(key->provider); |
1103 | 0 | p11 = key->provider->p11; |
1104 | 0 | WINPR_ASSERT(p11); |
1105 | |
|
1106 | 0 | WINPR_ASSERT(p11->C_GetSlotInfo); |
1107 | 0 | if (p11->C_GetSlotInfo(key->slotId, &slot_info) != CKR_OK) |
1108 | 0 | return NTE_BAD_KEY; |
1109 | | |
1110 | 0 | fix_padded_string((char*)slot_info.slotDescription, sizeof(slot_info.slotDescription)); |
1111 | 0 | reader = ConvertUtf8NToWCharAlloc((char*)slot_info.slotDescription, |
1112 | 0 | ARRAYSIZE(slot_info.slotDescription), nullptr); |
1113 | 0 | ret = NTE_NO_MEMORY; |
1114 | 0 | if (!reader) |
1115 | 0 | goto out; |
1116 | | |
1117 | 0 | ret = NTE_BAD_KEY; |
1118 | 0 | if (SCardEstablishContext(SCARD_SCOPE_USER, nullptr, nullptr, &context) != SCARD_S_SUCCESS) |
1119 | 0 | goto out; |
1120 | | |
1121 | 0 | if (SCardConnectW(context, reader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_Tx, &card, &proto) != |
1122 | 0 | SCARD_S_SUCCESS) |
1123 | 0 | goto out; |
1124 | 0 | pci = (proto == SCARD_PROTOCOL_T0) ? SCARD_PCI_T0 : SCARD_PCI_T1; |
1125 | |
|
1126 | 0 | buf_len = sizeof(buf); |
1127 | 0 | if (SCardTransmit(card, pci, APDU_PIV_SELECT_AID, sizeof(APDU_PIV_SELECT_AID), nullptr, buf, |
1128 | 0 | &buf_len) != SCARD_S_SUCCESS) |
1129 | 0 | goto out; |
1130 | 0 | if (!piv_check_sw_success(buf_len, buf, sizeof(buf)) && |
1131 | 0 | !piv_check_sw(buf_len, buf, sizeof(buf), 0x61)) |
1132 | 0 | goto out; |
1133 | | |
1134 | | /* Try MSCMAP first, fall back to CHUID */ |
1135 | 0 | ret = get_piv_container_name_from_mscmap(card, pci, piv_tag, output, output_len); |
1136 | 0 | if (ret != ERROR_SUCCESS) |
1137 | 0 | ret = get_piv_container_name_from_chuid(card, pci, piv_tag, output, output_len); |
1138 | |
|
1139 | 0 | out: |
1140 | 0 | free(reader); |
1141 | 0 | if (card) |
1142 | 0 | SCardDisconnect(card, SCARD_LEAVE_CARD); |
1143 | 0 | if (context) |
1144 | 0 | SCardReleaseContext(context); |
1145 | 0 | return ret; |
1146 | 0 | } |
1147 | | |
1148 | | static SECURITY_STATUS check_for_piv_container_name(NCryptP11KeyHandle* key, BYTE* pbOutput, |
1149 | | DWORD cbOutput, DWORD* pcbResult, char* label, |
1150 | | size_t label_len) |
1151 | 0 | { |
1152 | 0 | for (size_t i = 0; i < ARRAYSIZE(piv_cert_tags); i++) |
1153 | 0 | { |
1154 | 0 | const piv_cert_tags_t* cur = &piv_cert_tags[i]; |
1155 | 0 | if (strncmp(label, cur->label, label_len) == 0) |
1156 | 0 | { |
1157 | 0 | *pcbResult = (MAX_CONTAINER_NAME_LEN + 1) * sizeof(WCHAR); |
1158 | 0 | if (!pbOutput) |
1159 | 0 | return ERROR_SUCCESS; |
1160 | 0 | else if (cbOutput < (MAX_CONTAINER_NAME_LEN + 1) * sizeof(WCHAR)) |
1161 | 0 | return NTE_NO_MEMORY; |
1162 | 0 | else |
1163 | 0 | return get_piv_container_name(key, cur->tag, pbOutput, cbOutput); |
1164 | 0 | } |
1165 | 0 | } |
1166 | 0 | return NTE_NOT_FOUND; |
1167 | 0 | } |
1168 | | |
1169 | | static SECURITY_STATUS NCryptP11KeyGetProperties(NCryptP11KeyHandle* keyHandle, |
1170 | | NCryptKeyGetPropertyEnum property, PBYTE pbOutput, |
1171 | | DWORD cbOutput, DWORD* pcbResult, |
1172 | | WINPR_ATTR_UNUSED DWORD dwFlags) |
1173 | 0 | { |
1174 | 0 | SECURITY_STATUS ret = NTE_FAIL; |
1175 | 0 | CK_RV rv = 0; |
1176 | 0 | CK_SESSION_HANDLE session = 0; |
1177 | 0 | CK_OBJECT_HANDLE objectHandle = 0; |
1178 | 0 | CK_ULONG objectCount = 0; |
1179 | 0 | NCryptP11ProviderHandle* provider = nullptr; |
1180 | 0 | CK_OBJECT_CLASS oclass = CKO_CERTIFICATE; |
1181 | 0 | CK_CERTIFICATE_TYPE ctype = CKC_X_509; |
1182 | 0 | CK_ATTRIBUTE certificateFilter[] = { { CKA_CLASS, &oclass, sizeof(oclass) }, |
1183 | 0 | { CKA_CERTIFICATE_TYPE, &ctype, sizeof(ctype) }, |
1184 | 0 | { CKA_ID, keyHandle->keyCertId, |
1185 | 0 | keyHandle->keyCertIdLen } }; |
1186 | 0 | CK_ATTRIBUTE* objectFilter = certificateFilter; |
1187 | 0 | CK_ULONG objectFilterLen = ARRAYSIZE(certificateFilter); |
1188 | |
|
1189 | 0 | WINPR_ASSERT(keyHandle); |
1190 | 0 | provider = keyHandle->provider; |
1191 | 0 | WINPR_ASSERT(provider); |
1192 | |
|
1193 | 0 | switch (property) |
1194 | |
|
1195 | 0 | { |
1196 | 0 | case NCRYPT_PROPERTY_CERTIFICATE: |
1197 | 0 | case NCRYPT_PROPERTY_NAME: |
1198 | 0 | break; |
1199 | 0 | case NCRYPT_PROPERTY_READER: |
1200 | 0 | { |
1201 | 0 | CK_SLOT_INFO slotInfo; |
1202 | |
|
1203 | 0 | WINPR_ASSERT(provider->p11->C_GetSlotInfo); |
1204 | 0 | rv = provider->p11->C_GetSlotInfo(keyHandle->slotId, &slotInfo); |
1205 | 0 | if (rv != CKR_OK) |
1206 | 0 | return NTE_BAD_KEY; |
1207 | | |
1208 | 0 | #define SLOT_DESC_SZ sizeof(slotInfo.slotDescription) |
1209 | 0 | fix_padded_string((char*)slotInfo.slotDescription, SLOT_DESC_SZ); |
1210 | 0 | const size_t len = 2ULL * (strnlen((char*)slotInfo.slotDescription, SLOT_DESC_SZ) + 1); |
1211 | 0 | if (len > UINT32_MAX) |
1212 | 0 | return NTE_BAD_DATA; |
1213 | 0 | *pcbResult = (UINT32)len; |
1214 | 0 | if (pbOutput) |
1215 | 0 | { |
1216 | 0 | union |
1217 | 0 | { |
1218 | 0 | WCHAR* wc; |
1219 | 0 | BYTE* b; |
1220 | 0 | } cnv; |
1221 | 0 | cnv.b = pbOutput; |
1222 | 0 | if (cbOutput < *pcbResult) |
1223 | 0 | return NTE_NO_MEMORY; |
1224 | | |
1225 | 0 | if (ConvertUtf8NToWChar((char*)slotInfo.slotDescription, SLOT_DESC_SZ, cnv.wc, |
1226 | 0 | cbOutput / sizeof(WCHAR)) < 0) |
1227 | 0 | return NTE_NO_MEMORY; |
1228 | 0 | } |
1229 | 0 | return ERROR_SUCCESS; |
1230 | 0 | } |
1231 | 0 | case NCRYPT_PROPERTY_SLOTID: |
1232 | 0 | { |
1233 | 0 | *pcbResult = 4; |
1234 | 0 | if (pbOutput) |
1235 | 0 | { |
1236 | 0 | UINT32* ptr = (UINT32*)pbOutput; |
1237 | |
|
1238 | 0 | if (cbOutput < 4) |
1239 | 0 | return NTE_NO_MEMORY; |
1240 | 0 | if (keyHandle->slotId > UINT32_MAX) |
1241 | 0 | { |
1242 | 0 | ret = NTE_BAD_DATA; |
1243 | 0 | goto out_final; |
1244 | 0 | } |
1245 | 0 | *ptr = (UINT32)keyHandle->slotId; |
1246 | 0 | } |
1247 | 0 | return ERROR_SUCCESS; |
1248 | 0 | } |
1249 | 0 | case NCRYPT_PROPERTY_UNKNOWN: |
1250 | 0 | default: |
1251 | 0 | return NTE_NOT_SUPPORTED; |
1252 | 0 | } |
1253 | | |
1254 | 0 | WINPR_ASSERT(provider->p11->C_OpenSession); |
1255 | 0 | rv = provider->p11->C_OpenSession(keyHandle->slotId, CKF_SERIAL_SESSION, nullptr, nullptr, |
1256 | 0 | &session); |
1257 | 0 | if (rv != CKR_OK) |
1258 | 0 | { |
1259 | 0 | WLog_ERR(TAG, "error opening session on slot %lu", keyHandle->slotId); |
1260 | 0 | return NTE_FAIL; |
1261 | 0 | } |
1262 | | |
1263 | 0 | WINPR_ASSERT(provider->p11->C_FindObjectsInit); |
1264 | 0 | rv = provider->p11->C_FindObjectsInit(session, objectFilter, objectFilterLen); |
1265 | 0 | if (rv != CKR_OK) |
1266 | 0 | { |
1267 | 0 | WLog_ERR(TAG, "unable to initiate search for slot %lu", keyHandle->slotId); |
1268 | 0 | goto out; |
1269 | 0 | } |
1270 | | |
1271 | 0 | WINPR_ASSERT(provider->p11->C_FindObjects); |
1272 | 0 | rv = provider->p11->C_FindObjects(session, &objectHandle, 1, &objectCount); |
1273 | 0 | if (rv != CKR_OK) |
1274 | 0 | { |
1275 | 0 | WLog_ERR(TAG, "unable to findObjects for slot %lu", keyHandle->slotId); |
1276 | 0 | goto out_final; |
1277 | 0 | } |
1278 | 0 | if (!objectCount) |
1279 | 0 | { |
1280 | 0 | ret = NTE_NOT_FOUND; |
1281 | 0 | goto out_final; |
1282 | 0 | } |
1283 | | |
1284 | 0 | switch (property) |
1285 | 0 | { |
1286 | 0 | case NCRYPT_PROPERTY_CERTIFICATE: |
1287 | 0 | { |
1288 | 0 | CK_ATTRIBUTE certValue = { CKA_VALUE, pbOutput, cbOutput }; |
1289 | |
|
1290 | 0 | WINPR_ASSERT(provider->p11->C_GetAttributeValue); |
1291 | 0 | rv = provider->p11->C_GetAttributeValue(session, objectHandle, &certValue, 1); |
1292 | 0 | if (rv != CKR_OK) |
1293 | 0 | { |
1294 | | // TODO: do a kind of translation from CKR_* to NTE_* |
1295 | 0 | } |
1296 | |
|
1297 | 0 | if (certValue.ulValueLen > UINT32_MAX) |
1298 | 0 | { |
1299 | 0 | ret = NTE_BAD_DATA; |
1300 | 0 | goto out_final; |
1301 | 0 | } |
1302 | 0 | *pcbResult = (UINT32)certValue.ulValueLen; |
1303 | 0 | ret = ERROR_SUCCESS; |
1304 | 0 | break; |
1305 | 0 | } |
1306 | 0 | case NCRYPT_PROPERTY_NAME: |
1307 | 0 | { |
1308 | 0 | CK_ATTRIBUTE attr = { CKA_LABEL, nullptr, 0 }; |
1309 | 0 | char* label = nullptr; |
1310 | |
|
1311 | 0 | WINPR_ASSERT(provider->p11->C_GetAttributeValue); |
1312 | 0 | rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1); |
1313 | 0 | if (rv == CKR_OK) |
1314 | 0 | { |
1315 | 0 | label = calloc(1, attr.ulValueLen); |
1316 | 0 | if (!label) |
1317 | 0 | { |
1318 | 0 | ret = NTE_NO_MEMORY; |
1319 | 0 | break; |
1320 | 0 | } |
1321 | | |
1322 | 0 | attr.pValue = label; |
1323 | 0 | rv = provider->p11->C_GetAttributeValue(session, objectHandle, &attr, 1); |
1324 | 0 | } |
1325 | | |
1326 | 0 | if (rv == CKR_OK) |
1327 | 0 | { |
1328 | | /* Check if we have a PIV card */ |
1329 | 0 | ret = check_for_piv_container_name(keyHandle, pbOutput, cbOutput, pcbResult, label, |
1330 | 0 | attr.ulValueLen); |
1331 | | |
1332 | | /* Otherwise, at least for GIDS cards the label will be the correct value */ |
1333 | 0 | if (ret == NTE_NOT_FOUND) |
1334 | 0 | { |
1335 | 0 | union |
1336 | 0 | { |
1337 | 0 | WCHAR* wc; |
1338 | 0 | BYTE* b; |
1339 | 0 | } cnv; |
1340 | 0 | const size_t olen = pbOutput ? cbOutput / sizeof(WCHAR) : 0; |
1341 | 0 | cnv.b = pbOutput; |
1342 | 0 | SSIZE_T size = ConvertUtf8NToWChar(label, attr.ulValueLen, cnv.wc, olen); |
1343 | 0 | if (size < 0) |
1344 | 0 | ret = ERROR_CONVERT_TO_LARGE; |
1345 | 0 | else |
1346 | 0 | { |
1347 | 0 | *pcbResult = (UINT32)size * sizeof(WCHAR); |
1348 | 0 | ret = ERROR_SUCCESS; |
1349 | 0 | } |
1350 | 0 | } |
1351 | 0 | } |
1352 | |
|
1353 | 0 | free(label); |
1354 | 0 | break; |
1355 | 0 | } |
1356 | 0 | default: |
1357 | 0 | ret = NTE_NOT_SUPPORTED; |
1358 | 0 | break; |
1359 | 0 | } |
1360 | | |
1361 | 0 | out_final: |
1362 | 0 | WINPR_ASSERT(provider->p11->C_FindObjectsFinal); |
1363 | 0 | rv = provider->p11->C_FindObjectsFinal(session); |
1364 | 0 | if (rv != CKR_OK) |
1365 | 0 | { |
1366 | 0 | WLog_ERR(TAG, "error in C_FindObjectsFinal() for slot %lu", keyHandle->slotId); |
1367 | 0 | } |
1368 | 0 | out: |
1369 | 0 | WINPR_ASSERT(provider->p11->C_CloseSession); |
1370 | 0 | rv = provider->p11->C_CloseSession(session); |
1371 | 0 | if (rv != CKR_OK) |
1372 | 0 | { |
1373 | 0 | WLog_ERR(TAG, "error in C_CloseSession() for slot %lu", keyHandle->slotId); |
1374 | 0 | } |
1375 | 0 | return ret; |
1376 | 0 | } |
1377 | | |
1378 | | static SECURITY_STATUS NCryptP11GetProperty(NCRYPT_HANDLE hObject, NCryptKeyGetPropertyEnum prop, |
1379 | | PBYTE pbOutput, DWORD cbOutput, DWORD* pcbResult, |
1380 | | DWORD dwFlags) |
1381 | 0 | { |
1382 | 0 | NCryptBaseHandle* base = (NCryptBaseHandle*)hObject; |
1383 | |
|
1384 | 0 | WINPR_ASSERT(base); |
1385 | 0 | switch (base->type) |
1386 | 0 | { |
1387 | 0 | case WINPR_NCRYPT_PROVIDER: |
1388 | 0 | return ERROR_CALL_NOT_IMPLEMENTED; |
1389 | 0 | case WINPR_NCRYPT_KEY: |
1390 | 0 | return NCryptP11KeyGetProperties((NCryptP11KeyHandle*)hObject, prop, pbOutput, cbOutput, |
1391 | 0 | pcbResult, dwFlags); |
1392 | 0 | default: |
1393 | 0 | return ERROR_INVALID_HANDLE; |
1394 | 0 | } |
1395 | 0 | return ERROR_SUCCESS; |
1396 | 0 | } |
1397 | | |
1398 | | static SECURITY_STATUS NCryptP11OpenKey(NCRYPT_PROV_HANDLE hProvider, NCRYPT_KEY_HANDLE* phKey, |
1399 | | LPCWSTR pszKeyName, WINPR_ATTR_UNUSED DWORD dwLegacyKeySpec, |
1400 | | WINPR_ATTR_UNUSED DWORD dwFlags) |
1401 | 0 | { |
1402 | 0 | SECURITY_STATUS ret = 0; |
1403 | 0 | CK_SLOT_ID slotId = 0; |
1404 | 0 | CK_BYTE keyCertId[64] = WINPR_C_ARRAY_INIT; |
1405 | 0 | CK_ULONG keyCertIdLen = 0; |
1406 | 0 | NCryptP11KeyHandle* keyHandle = nullptr; |
1407 | |
|
1408 | 0 | ret = parseKeyName(pszKeyName, &slotId, keyCertId, &keyCertIdLen); |
1409 | 0 | if (ret != ERROR_SUCCESS) |
1410 | 0 | return ret; |
1411 | | |
1412 | 0 | keyHandle = (NCryptP11KeyHandle*)ncrypt_new_handle( |
1413 | 0 | WINPR_NCRYPT_KEY, sizeof(*keyHandle), NCryptP11GetProperty, winpr_NCryptDefault_dtor); |
1414 | 0 | if (!keyHandle) |
1415 | 0 | return NTE_NO_MEMORY; |
1416 | | |
1417 | 0 | keyHandle->provider = (NCryptP11ProviderHandle*)hProvider; |
1418 | 0 | keyHandle->slotId = slotId; |
1419 | 0 | memcpy(keyHandle->keyCertId, keyCertId, sizeof(keyCertId)); |
1420 | 0 | keyHandle->keyCertIdLen = keyCertIdLen; |
1421 | 0 | *phKey = (NCRYPT_KEY_HANDLE)keyHandle; |
1422 | 0 | return ERROR_SUCCESS; |
1423 | 0 | } |
1424 | | |
1425 | | static SECURITY_STATUS initialize_pkcs11(HANDLE handle, |
1426 | | CK_RV (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR), |
1427 | | NCRYPT_PROV_HANDLE* phProvider) |
1428 | 0 | { |
1429 | 0 | SECURITY_STATUS status = ERROR_SUCCESS; |
1430 | 0 | NCryptP11ProviderHandle* ret = nullptr; |
1431 | 0 | CK_RV rv = 0; |
1432 | |
|
1433 | 0 | WINPR_ASSERT(c_get_function_list); |
1434 | 0 | WINPR_ASSERT(phProvider); |
1435 | |
|
1436 | 0 | ret = (NCryptP11ProviderHandle*)ncrypt_new_handle( |
1437 | 0 | WINPR_NCRYPT_PROVIDER, sizeof(*ret), NCryptP11GetProperty, NCryptP11StorageProvider_dtor); |
1438 | 0 | if (!ret) |
1439 | 0 | return NTE_NO_MEMORY; |
1440 | | |
1441 | 0 | ret->library = handle; |
1442 | 0 | ret->baseProvider.enumKeysFn = NCryptP11EnumKeys; |
1443 | 0 | ret->baseProvider.openKeyFn = NCryptP11OpenKey; |
1444 | |
|
1445 | 0 | rv = c_get_function_list(&ret->p11); |
1446 | 0 | if (rv != CKR_OK) |
1447 | 0 | { |
1448 | 0 | status = NTE_PROVIDER_DLL_FAIL; |
1449 | 0 | goto fail; |
1450 | 0 | } |
1451 | | |
1452 | 0 | WINPR_ASSERT(ret->p11); |
1453 | 0 | WINPR_ASSERT(ret->p11->C_Initialize); |
1454 | 0 | rv = ret->p11->C_Initialize(nullptr); |
1455 | 0 | if (rv != CKR_OK) |
1456 | 0 | { |
1457 | 0 | status = NTE_PROVIDER_DLL_FAIL; |
1458 | 0 | goto fail; |
1459 | 0 | } |
1460 | | |
1461 | 0 | *phProvider = (NCRYPT_PROV_HANDLE)ret; |
1462 | |
|
1463 | 0 | fail: |
1464 | 0 | if (status != ERROR_SUCCESS) |
1465 | 0 | ret->baseProvider.baseHandle.releaseFn((NCRYPT_HANDLE)ret); |
1466 | 0 | return status; |
1467 | 0 | } |
1468 | | |
1469 | | SECURITY_STATUS NCryptOpenP11StorageProviderEx(NCRYPT_PROV_HANDLE* phProvider, |
1470 | | WINPR_ATTR_UNUSED LPCWSTR pszProviderName, |
1471 | | WINPR_ATTR_UNUSED DWORD dwFlags, LPCSTR* modulePaths) |
1472 | 0 | { |
1473 | 0 | SECURITY_STATUS status = ERROR_INVALID_PARAMETER; |
1474 | 0 | LPCSTR defaultPaths[] = { "p11-kit-proxy.so", "opensc-pkcs11.so", nullptr }; |
1475 | |
|
1476 | 0 | if (!phProvider) |
1477 | 0 | return ERROR_INVALID_PARAMETER; |
1478 | | |
1479 | 0 | if (!modulePaths) |
1480 | 0 | modulePaths = defaultPaths; |
1481 | |
|
1482 | 0 | while (*modulePaths) |
1483 | 0 | { |
1484 | 0 | const char* modulePath = *modulePaths++; |
1485 | 0 | HANDLE library = LoadLibrary(modulePath); |
1486 | 0 | typedef CK_RV (*c_get_function_list_t)(CK_FUNCTION_LIST_PTR_PTR); |
1487 | 0 | NCryptP11ProviderHandle* provider = nullptr; |
1488 | |
|
1489 | 0 | WLog_DBG(TAG, "Trying pkcs11 module '%s'", modulePath); |
1490 | 0 | if (!library) |
1491 | 0 | { |
1492 | 0 | status = NTE_PROV_DLL_NOT_FOUND; |
1493 | 0 | goto out_load_library; |
1494 | 0 | } |
1495 | | |
1496 | 0 | { |
1497 | 0 | c_get_function_list_t c_get_function_list = |
1498 | 0 | GetProcAddressAs(library, "C_GetFunctionList", c_get_function_list_t); |
1499 | |
|
1500 | 0 | if (!c_get_function_list) |
1501 | 0 | { |
1502 | 0 | status = NTE_PROV_TYPE_ENTRY_BAD; |
1503 | 0 | goto out_load_library; |
1504 | 0 | } |
1505 | | |
1506 | 0 | status = initialize_pkcs11(library, c_get_function_list, phProvider); |
1507 | 0 | } |
1508 | 0 | if (status != ERROR_SUCCESS) |
1509 | 0 | { |
1510 | 0 | status = NTE_PROVIDER_DLL_FAIL; |
1511 | 0 | goto out_load_library; |
1512 | 0 | } |
1513 | | |
1514 | 0 | provider = (NCryptP11ProviderHandle*)*phProvider; |
1515 | 0 | provider->modulePath = _strdup(modulePath); |
1516 | 0 | if (!provider->modulePath) |
1517 | 0 | { |
1518 | 0 | status = NTE_NO_MEMORY; |
1519 | 0 | goto out_load_library; |
1520 | 0 | } |
1521 | | |
1522 | 0 | WLog_DBG(TAG, "module '%s' loaded", modulePath); |
1523 | 0 | return ERROR_SUCCESS; |
1524 | | |
1525 | 0 | out_load_library: |
1526 | 0 | if (library) |
1527 | 0 | FreeLibrary(library); |
1528 | 0 | } |
1529 | | |
1530 | 0 | return status; |
1531 | 0 | } |
1532 | | |
1533 | | const char* NCryptGetModulePath(NCRYPT_PROV_HANDLE phProvider) |
1534 | 0 | { |
1535 | 0 | NCryptP11ProviderHandle* provider = (NCryptP11ProviderHandle*)phProvider; |
1536 | |
|
1537 | 0 | WINPR_ASSERT(provider); |
1538 | |
|
1539 | 0 | return provider->modulePath; |
1540 | 0 | } |