OpenVPN
pkcs11_openssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
30#ifdef HAVE_CONFIG_H
31#include "config.h"
32#endif
33
34#include "syshead.h"
35
36#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_OPENSSL)
37
38#include "errlevel.h"
39#include "pkcs11_backend.h"
40#include "ssl_verify.h"
41#include "xkey_common.h"
42#include <pkcs11-helper-1.0/pkcs11h-openssl.h>
43
44#ifdef HAVE_XKEY_PROVIDER
45static XKEY_EXTERNAL_SIGN_fn xkey_pkcs11h_sign;
46
47#if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */
48
49/* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */
50#define MD_TYPE(n) {NID_sha ## n, CKM_SHA ## n, CKG_MGF1_SHA ## n}
51static const struct
52{
53 int nid;
54 unsigned long ckm_id;
55 unsigned long mgf_id;
56} mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512),
57 {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
58 {NID_undef, 0, 0}};
59
60/* From sigalg, derive parameters for pss signature and fill in pss_params.
61 * Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in:
62 * {enum hashAlg, enum mgf, ulong sLen}
63 * where hashAlg is CKM_SHA256 etc., mgf is CKG_MGF1_SHA256 etc.
64 */
65static int
66set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
67 pkcs11h_certificate_t cert)
68{
69 int ret = 0;
70 X509 *x509 = NULL;
71 EVP_PKEY *pubkey = NULL;
72
73 if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL
74 || (pubkey = X509_get0_pubkey(x509)) == NULL)
75 {
76 msg(M_WARN, "PKCS#11: Unable get public key");
77 goto cleanup;
78 }
79
80 /* map mdname to CKM and CKG constants for hash and mgf algorithms */
81 int i = 0;
82 int nid = OBJ_sn2nid(sigalg.mdname);
83 while (mdtypes[i].nid != NID_undef && mdtypes[i].nid != nid)
84 {
85 i++;
86 }
87 pss_params->hashAlg = mdtypes[i].ckm_id;
88 pss_params->mgf = mdtypes[i].mgf_id;
89
90 /* determine salt length */
91 const EVP_MD *md = EVP_get_digestbyname(sigalg.mdname);
92 if (!md)
93 {
94 msg(M_WARN, "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
95 "for mdname = <%s>", sigalg.mdname);
96 goto cleanup;
97 }
98 int mdsize = EVP_MD_get_size(md);
99
100 int saltlen = -1;
101 if (!strcmp(sigalg.saltlen, "digest")) /* same as digest size */
102 {
103 saltlen = mdsize;
104 }
105 else if (!strcmp(sigalg.saltlen, "max")) /* maximum possible value */
106 {
107 saltlen = xkey_max_saltlen(EVP_PKEY_get_bits(pubkey), mdsize);
108 }
109
110 if (saltlen < 0 || pss_params->hashAlg == 0)
111 {
112 msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
113 "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
114 goto cleanup;
115 }
116 pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */
117
118 msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu",
119 pss_params->sLen, pss_params->hashAlg, pss_params->mgf);
120
121 ret = 1;
122
123cleanup:
124 if (x509)
125 {
126 X509_free(x509);
127 }
128 return ret;
129}
130
131#else /* if PKCS11H_VERSION > ((1<<16) | (27<<8)) */
132
133/* Make set_pss_params a no-op that always succeeds */
134#define set_pss_params(...) (1)
135
136/* Use a wrapper for pkcs11h_certificate_signAny_ex() for versions < 1.28
137 * where its not available.
138 * We just call pkcs11h_certificate_signAny() unless the padding
139 * is PSS in which case we return an error.
140 */
141static CK_RV
142pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
143 const CK_MECHANISM *mech, const unsigned char *tbs,
144 size_t tbslen, unsigned char *sig, size_t *siglen)
145{
146 if (mech->mechanism == CKM_RSA_PKCS_PSS)
147 {
148 msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by "
149 "this version of pkcs11-helper library.");
150 return CKR_MECHANISM_INVALID;
151 }
152 return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen);
153}
154#endif /* PKCS11H_VERSION > 1.27 */
155
161static int
162xkey_pkcs11h_sign(void *handle, unsigned char *sig,
163 size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
164{
165 pkcs11h_certificate_t cert = handle;
166 CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
167 CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
168
169 unsigned char buf[EVP_MAX_MD_SIZE];
170 size_t buflen = 0;
171 size_t siglen_max = *siglen;
172
173 unsigned char enc[EVP_MAX_MD_SIZE + 32]; /* 32 bytes enough for DigestInfo header */
174 size_t enc_len = sizeof(enc);
175
176 if (!strcmp(sigalg.op, "DigestSign"))
177 {
178 msg(D_XKEY, "xkey_pkcs11h_sign: computing digest");
179 if (xkey_digest(tbs, tbslen, buf, &buflen, sigalg.mdname))
180 {
181 tbs = buf;
182 tbslen = (size_t) buflen;
183 sigalg.op = "Sign";
184 }
185 else
186 {
187 return 0;
188 }
189 }
190
191 if (!strcmp(sigalg.keytype, "EC"))
192 {
193 msg(D_XKEY, "xkey_pkcs11h_sign: signing with EC key");
194 mech.mechanism = CKM_ECDSA;
195 }
196 else if (!strcmp(sigalg.keytype, "RSA"))
197 {
198 msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s",
199 sigalg.padmode);
200 if (!strcmp(sigalg.padmode, "none"))
201 {
202 mech.mechanism = CKM_RSA_X_509;
203 }
204 else if (!strcmp(sigalg.padmode, "pss"))
205 {
206 mech.mechanism = CKM_RSA_PKCS_PSS;
207
208 if (!set_pss_params(&pss_params, sigalg, cert))
209 {
210 return 0;
211 }
212
213 mech.pParameter = &pss_params;
214 mech.ulParameterLen = sizeof(pss_params);
215 }
216 else if (!strcmp(sigalg.padmode, "pkcs1"))
217 {
218 /* CMA_RSA_PKCS needs pkcs1 encoded digest */
219
220 if (!encode_pkcs1(enc, &enc_len, sigalg.mdname, tbs, tbslen))
221 {
222 return 0;
223 }
224 tbs = enc;
225 tbslen = enc_len;
226 }
227 else /* should not happen */
228 {
229 msg(M_WARN, "PKCS#11: Unknown padmode <%s>", sigalg.padmode);
230 }
231 }
232 else
233 {
234 ASSERT(0); /* coding error -- we couldnt have created any such key */
235 }
236
237 if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech,
238 tbs, tbslen, sig, siglen))
239 {
240 return 0;
241 }
242 if (strcmp(sigalg.keytype, "EC"))
243 {
244 return 1;
245 }
246
247 /* For EC keys, pkcs11 returns signature as r|s: convert to der encoded */
248 int derlen = ecdsa_bin2der(sig, (int) *siglen, siglen_max);
249
250 if (derlen <= 0)
251 {
252 return 0;
253 }
254 *siglen = derlen;
255
256 return 1;
257}
258
259/* wrapper for handle free */
260static void
261xkey_handle_free(void *handle)
262{
263 pkcs11h_certificate_freeCertificate(handle);
264}
265
266
277static int
278xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,
279 struct tls_root_ctx *const ctx)
280{
281 int ret = 0;
282
283 X509 *x509 = pkcs11h_openssl_getX509(certificate);
284 if (!x509)
285 {
286 msg(M_WARN, "PKCS#11: Unable get x509 certificate object");
287 return 0;
288 }
289
290 EVP_PKEY *pubkey = X509_get0_pubkey(x509);
291
292 XKEY_PRIVKEY_FREE_fn *free_op = xkey_handle_free; /* it calls pkcs11h_..._freeCertificate() */
293 XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_pkcs11h_sign;
294
295 EVP_PKEY *pkey = xkey_load_generic_key(tls_libctx, certificate, pubkey, sign_op, free_op);
296 if (!pkey)
297 {
298 msg(M_WARN, "PKCS#11: Failed to load private key into xkey provider");
299 goto cleanup;
300 }
301 /* provider took ownership of the pkcs11h certificate object -- do not free below */
302 certificate = NULL;
303
304 if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0))
305 {
306 crypto_print_openssl_errors(M_WARN);
307 msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL");
308 goto cleanup;
309 }
310 ret = 1;
311
312cleanup:
313 if (x509)
314 {
315 X509_free(x509);
316 }
317 if (pkey)
318 {
319 EVP_PKEY_free(pkey);
320 }
321 if (certificate)
322 {
323 pkcs11h_certificate_freeCertificate(certificate);
324 }
325 return ret;
326}
327#endif /* HAVE_XKEY_PROVIDER */
328
329int
330pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
331 struct tls_root_ctx *const ssl_ctx)
332{
333
334#ifdef HAVE_XKEY_PROVIDER
335 return (xkey_load_from_pkcs11h(certificate, ssl_ctx) == 0); /* inverts the return value */
336#else
337 int ret = 1;
338
339 X509 *x509 = NULL;
340 EVP_PKEY *evp = NULL;
341 pkcs11h_openssl_session_t openssl_session = NULL;
342
343 if ((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL)
344 {
345 msg(M_WARN, "PKCS#11: Cannot initialize openssl session");
346 goto cleanup;
347 }
348
349 /*
350 * Will be released by openssl_session
351 */
352 certificate = NULL;
353
354 if ((evp = pkcs11h_openssl_session_getEVP(openssl_session)) == NULL)
355 {
356 msg(M_WARN, "PKCS#11: Unable get evp object");
357 goto cleanup;
358 }
359
360 if ((x509 = pkcs11h_openssl_session_getX509(openssl_session)) == NULL)
361 {
362 msg(M_WARN, "PKCS#11: Unable get certificate object");
363 goto cleanup;
364 }
365
366 if (!SSL_CTX_use_PrivateKey(ssl_ctx->ctx, evp))
367 {
368 msg(M_WARN, "PKCS#11: Cannot set private key for openssl");
369 goto cleanup;
370 }
371
372 if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509))
373 {
374 crypto_print_openssl_errors(M_WARN);
375 msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl");
376 goto cleanup;
377 }
378 ret = 0;
379
380cleanup:
381 /*
382 * Certificate freeing is usually handled by openssl_session.
383 * If something went wrong, creating the session we have to do it manually.
384 */
385 if (certificate != NULL)
386 {
387 pkcs11h_certificate_freeCertificate(certificate);
388 certificate = NULL;
389 }
390
391 /*
392 * openssl objects have reference
393 * count, so release them
394 */
395 X509_free(x509);
396 x509 = NULL;
397
398 EVP_PKEY_free(evp);
399 evp = NULL;
400
401 if (openssl_session != NULL)
402 {
403 pkcs11h_openssl_freeSession(openssl_session);
404 openssl_session = NULL;
405 }
406 return ret;
407#endif /* ifdef HAVE_XKEY_PROVIDER */
408}
409
410char *
411pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *gc)
412{
413 X509 *x509 = NULL;
414
415 char *dn = NULL;
416
417 if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL)
418 {
419 msg(M_FATAL, "PKCS#11: Cannot get X509");
420 goto cleanup;
421 }
422
423 dn = x509_get_subject(x509, gc);
424
425cleanup:
426 X509_free(x509);
427 x509 = NULL;
428
429 return dn;
430}
431
432int
433pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
434 size_t serial_len)
435{
436 X509 *x509 = NULL;
437 BIO *bio = NULL;
438 int ret = 1;
439 int n;
440
441 if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL)
442 {
443 msg(M_FATAL, "PKCS#11: Cannot get X509");
444 goto cleanup;
445 }
446
447 if ((bio = BIO_new(BIO_s_mem())) == NULL)
448 {
449 msg(M_FATAL, "PKCS#11: Cannot create BIO");
450 goto cleanup;
451 }
452
453 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509));
454 n = BIO_read(bio, serial, serial_len-1);
455
456 if (n<0)
457 {
458 serial[0] = '\x0';
459 }
460 else
461 {
462 serial[n] = 0;
463 }
464
465 ret = 0;
466
467cleanup:
468 X509_free(x509);
469 x509 = NULL;
470
471 return ret;
472}
473#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_OPENSSL) */
crypto_print_openssl_errors
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
Definition crypto_openssl.c:236
D_XKEY
#define D_XKEY
Definition errlevel.h:117
M_FATAL
#define M_FATAL
Definition error.h:89
M_NONFATAL
#define M_NONFATAL
Definition error.h:90
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
pkcs11_backend.h
PKCS #11 SSL library-specific backend.
tls_libctx
OSSL_LIB_CTX * tls_libctx
Definition ssl_openssl.c:79
ssl_verify.h
Control Channel Verification Module.
x509_get_subject
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition test_pkcs11.c:69
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:107
tls_root_ctx::ctx
SSL_CTX * ctx
Definition ssl_openssl.h:41
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:290
gc
struct gc_arena gc
Definition test_ssl.c:155
xkey_common.h
Generated by doxygen 1.9.8