WIP: Feature/pkcs11 token #461
Draft
+3,177
−17
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
b99a779 to
cb36751
Compare
quitschbo
reviewed
Apr 19, 2024
daemon/c_smartcard.c
Outdated
| if (smartcard->token_type == CONTAINER_TOKEN_TYPE_PKCS11) { | ||
| if (NULL == container_get_pkcs11_module(smartcard->container)) { | ||
| ERROR("PKCS#11 module missing in container config. Abort creation of container"); | ||
| mem_free0(smartcard); |
quitschbo
reviewed
Apr 19, 2024
daemon/c_smartcard.c
Outdated
| smartcard->success_cb = NULL; | ||
| smartcard->err_cb = NULL; | ||
| smartcard->err_cbdata = NULL; | ||
|
|
||
| smartcard->sock = sock_unix_create_and_connect(SOCK_SEQPACKET, scd_sock_path); | ||
| if (smartcard->sock < 0) { | ||
| mem_free0(smartcard); | ||
| mem_free0(smartcard); //? potential mem_leak for usbtoken |
There was a problem hiding this comment.
yes smartcard->token_serial may be allocated here. Thus should be freed, same counts for smartcard->pkcs11_module. May instead of return NULL in error cases. We introduce a jump mark err:
and do cleanup there
quitschbo
reviewed
Apr 19, 2024
quitschbo
reviewed
Apr 19, 2024
scd/p11token.h
Outdated
| #include "pkcs11-lib/pkcs11.h" | ||
| #include <stddef.h> | ||
|
|
||
| // todo: move to c-file -> hide implementation details to user |
quitschbo
reviewed
Apr 19, 2024
scd/p11token.h
Outdated
| #define P11TOKEN_H | ||
|
|
||
| #include <stdbool.h> | ||
| #include "pkcs11-lib/pkcs11.h" |
There was a problem hiding this comment.
I think this header is not used here, -> move this to p11token.c
There was a problem hiding this comment.
Correct, header was only needed for struct p11token which is now defined in p11token.c. Will be moved.
quitschbo
reviewed
Apr 19, 2024
scd/p11token.c
Outdated
| CK_UTF8CHAR label[32]; | ||
| unsigned int wrong_unlock_attempts; | ||
| CK_FUNCTION_LIST_PTR ctx; | ||
| CK_SESSION_HANDLE_PTR sh; |
There was a problem hiding this comment.
could we use the "GNU" typedefs of pkcs11.h? would be much better to read. (in the whole p11token.c)
e.g.:
ck_function_list_t *ctx;
ck_session_handle_t *sh;
quitschbo
reviewed
Apr 19, 2024
scd/scd.c
Outdated
| @@ -481,13 +483,17 @@ scd_token_new(const DaemonToToken *msg) | |||
|
|
|||
| create_data.type = scd_proto_to_tokentype(msg); | |||
|
|
|||
| // ? why no switch statement here | |||
There was a problem hiding this comment.
yes a "switch" would look nicer here for me, too :)
quitschbo
reviewed
Apr 19, 2024
| new_token->reset_auth = int_reset_auth_p11; | ||
| new_token->get_atr = int_get_atr_p11; | ||
| new_token->send_apdu = int_send_apdu_p11; | ||
| break; |
There was a problem hiding this comment.
For a followup refactoring, we should consider to introduce a struct for all those functions and hide
the token specific functions in the corresponding p11token.c/usbtoken.c files (analogues to the compartment_module_t)
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
14e15bd to
20f9bb3
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
2 times, most recently
from
eb35e2b to
2c49d9f
Compare
quitschbo
reviewed
Dec 3, 2024
scd/pkcs11-lib/libpkcs11.c
Outdated
| #include <stdio.h> | ||
| #include <string.h> | ||
|
|
||
| #include "libscdl.h" |
There was a problem hiding this comment.
get rid of this wrapper lib, we do not need win32 compat.
directly call dlopen, dlsym and dlclose in the following.
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
2c49d9f to
28e753e
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
2 times, most recently
from
5e8f238 to
f8c7d67
Compare
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
f8c7d67 to
5e8f238
Compare
* pkcs11.h: Definitions of PKCS#11-API source: https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h * libpkcs11 + libscdl: Helper libraries which enable dynamic PKCS#11-module loading source: https://github.com/OpenSC/OpenSC/tree/master/src/common Signed-off-by: Maximilian Peisl <[email protected]>
Add support for PKCS#11-based tokens to scd. Signed-off-by: Maximilian Peisl <[email protected]>
Add unit tests for PKCS#11-token backend. Signed-off-by: Maximilian Peisl <[email protected]>
Introduces new PKCS11 token-type which is available in the scd. Signed-off-by: Maximilian Peisl <[email protected]>
* Switched to GNU style pkcs11-header definitions * several code enhancments in p11token: improved variable and function naming, fixed several potential memory leaks * p11test: check for null-ptr in wrap/unwrap unit test Signed-off-by: Maximilian Peisl <[email protected]>
Replaced if-else chain with more readable switch-statement. Signed-off-by: Maximilian Peisl <[email protected]>
Fixed some memory-leaks and streamlined error-handling and cleanup by introducing error-jump label. Signed-off-by: Maximilian Peisl <[email protected]>
Added documentation for container_get_pkcs11_module. Signed-off-by: Maximilian Peisl <[email protected]>
Signed-off-by: Maximilian Peisl <[email protected]>
Removed libscdl: wrapping of dl* functions unnecessary in our usage context as we only target linux systems. Signed-off-by: Maximilian Peisl <[email protected]>
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
643aa00 to
3a80617
Compare
Signed-off-by: Maximilian Peisl <[email protected]> Adjustments to meet upstream changes Signed-off-by: Maximilian Peisl <[email protected]>
MPeisl
force-pushed
the
feature/pkcs11-token
branch
from
3a80617 to
da880e5
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support for generic PKCS#11 tokens:
TODO: integration in daemonTODO: integration testing
TODO before merging: squash commits