From 40b74c9bace6d9abe632c3071220bdde04749d8c Mon Sep 17 00:00:00 2001 From: vkarpenk Date: Fri, 19 Jan 2024 11:59:26 +0000 Subject: [PATCH] client and server tls UPDATE add pkcs11 engine support --- src/session_client_tls.c | 63 ++++++++++++++++++++++++++++++++++++---- src/session_server_tls.c | 59 +++++++++++++++++++++++++++++++++---- 2 files changed, 111 insertions(+), 11 deletions(-) diff --git a/src/session_client_tls.c b/src/session_client_tls.c index bf5dcdb7..a9a7794b 100644 --- a/src/session_client_tls.c +++ b/src/session_client_tls.c @@ -27,6 +27,7 @@ #include #include #include +#include #include "config.h" #include "log_p.h" @@ -387,6 +388,9 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername) char *key; X509_LOOKUP *lookup; X509_VERIFY_PARAM *vpm = NULL; + EVP_PKEY *pkey = NULL; + ENGINE *pkcs11 = NULL; + const char* pin = getenv("DEFAULT_USER_PIN"); if (!opts->tls_ctx || opts->tls_ctx_change) { SSL_CTX_free(opts->tls_ctx); @@ -412,11 +416,54 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername) } else { key = opts->key_path; } - if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) { - ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key, - ERR_reason_error_string(ERR_get_error())); - rc = -1; - goto cleanup; + + ENGINE_load_dynamic(); + pkcs11 = ENGINE_by_id("pkcs11"); + if (!pkcs11) + { + if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) { + ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key, + ERR_reason_error_string(ERR_get_error())); + rc = -1; + goto cleanup; + } + } else { + if (!pin) { + ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed."); + rc -1; + goto cleanup; + } + + if (!ENGINE_init(pkcs11)) + { + ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error())); + rc = -1; + goto cleanup; + } + + if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0)) + { + ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error())); + rc = -1; + goto cleanup; + } + + /* load server key using pkcs11 engine*/ + pkey = ENGINE_load_private_key(pkcs11, key, NULL, NULL); + if (!pkey) + { + ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error())); + rc = -1; + goto cleanup; + } + + /* set server key */ + if ((SSL_CTX_use_PrivateKey(opts->tls_ctx, pkey) != 1)) + { + ERR(NULL, "Loading the client private key failed (%s).", ERR_reason_error_string(ERR_get_error())); + rc = -1; + goto cleanup; + } } if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) { @@ -481,6 +528,12 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername) } cleanup: + if (pkcs11) { + ENGINE_free(pkcs11); + } + if (pkey){ + EVP_PKEY_free(pkey); + } X509_VERIFY_PARAM_free(vpm); return rc; } diff --git a/src/session_server_tls.c b/src/session_server_tls.c index 1649588a..f8508abb 100644 --- a/src/session_server_tls.c +++ b/src/session_server_tls.c @@ -30,6 +30,7 @@ #include #include #include +#include #include "compat.h" #include "config.h" @@ -862,6 +863,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts NC_PRIVKEY_FORMAT privkey_type; X509 *cert = NULL; EVP_PKEY *pkey = NULL; + ENGINE *pkcs11 = NULL; + const char* uri = getenv("TOKEN_KEY_URI"); + const char* pin = getenv("DEFAULT_USER_PIN"); NC_CHECK_ARG_RET(NULL, tls_ctx, opts, -1); @@ -896,12 +900,52 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts goto cleanup; } - /* load the private key */ - pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type)); - if (!pkey) { - ERR(NULL, "Converting private key data to private key format failed."); - ret = -1; - goto cleanup; + ENGINE_load_dynamic(); + pkcs11 = ENGINE_by_id("pkcs11"); + if (!pkcs11) + { + /* load the private key */ + pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type)); + if (!pkey) { + ERR(NULL, "Converting private key data to private key format failed."); + ret = -1; + goto cleanup; + } + } else { + if (!uri) { + ERR(NULL, "TOKEN_KEY_URI is not set. Loading private key using pkcs11 engine failed."); + ret = -1; + goto cleanup; + } + + if (!pin) { + ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed."); + ret = -1; + goto cleanup; + } + + if (!ENGINE_init(pkcs11)) + { + ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error())); + ret = -1; + goto cleanup; + } + + if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0)) + { + ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error())); + ret = -1; + goto cleanup; + } + + /* load server key using pkcs11 engine*/ + pkey = ENGINE_load_private_key(pkcs11, uri, NULL, NULL); + if (!pkey) + { + ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error())); + ret = -1; + goto cleanup; + } } /* set server key */ @@ -917,6 +961,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts cleanup: X509_free(cert); EVP_PKEY_free(pkey); + if (pkcs11) { + ENGINE_free(pkcs11); + } return ret; }