1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /**
26 * @file PKCS #11 mbed TLS backend
27 */
28
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #elif defined(_MSC_VER)
32 #include "config-msvc.h"
33 #endif
34
35 #include "syshead.h"
36
37 #if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS)
38
39 #include "errlevel.h"
40 #include "pkcs11_backend.h"
41 #include "ssl_verify_backend.h"
42 #include <mbedtls/x509.h>
43
44 static bool
pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert,mbedtls_x509_crt * cert)45 pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert, mbedtls_x509_crt *cert)
46 {
47 unsigned char *cert_blob = NULL;
48 size_t cert_blob_size = 0;
49 bool ret = false;
50
51 if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL,
52 &cert_blob_size) != CKR_OK)
53 {
54 msg(M_WARN, "PKCS#11: Cannot retrieve certificate object size");
55 goto cleanup;
56 }
57
58 check_malloc_return((cert_blob = calloc(1, cert_blob_size)));
59 if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob,
60 &cert_blob_size) != CKR_OK)
61 {
62 msg(M_WARN, "PKCS#11: Cannot retrieve certificate object");
63 goto cleanup;
64 }
65
66 if (!mbed_ok(mbedtls_x509_crt_parse(cert, cert_blob, cert_blob_size)))
67 {
68 msg(M_WARN, "PKCS#11: Could not parse certificate");
69 goto cleanup;
70 }
71
72 ret = true;
73 cleanup:
74 free(cert_blob);
75 return ret;
76 }
77
78 static bool
pkcs11_sign(void * pkcs11_cert,const void * src,size_t src_len,void * dst,size_t dst_len)79 pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len,
80 void *dst, size_t dst_len)
81 {
82 return CKR_OK == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS,
83 src, src_len, dst, &dst_len);
84 }
85
86 int
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,struct tls_root_ctx * const ssl_ctx)87 pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
88 struct tls_root_ctx *const ssl_ctx)
89 {
90 ASSERT(NULL != ssl_ctx);
91
92 ssl_ctx->pkcs11_cert = certificate;
93
94 ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt);
95 if (!pkcs11_get_x509_cert(certificate, ssl_ctx->crt_chain))
96 {
97 msg(M_WARN, "PKCS#11: Cannot initialize certificate");
98 return 1;
99 }
100
101 if (tls_ctx_use_external_signing_func(ssl_ctx, pkcs11_sign, certificate))
102 {
103 msg(M_WARN, "PKCS#11: Cannot register signing function");
104 return 1;
105 }
106
107 return 0;
108 }
109
110 char *
pkcs11_certificate_dn(pkcs11h_certificate_t cert,struct gc_arena * gc)111 pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
112 {
113 char *ret = NULL;
114 mbedtls_x509_crt mbed_crt = { 0 };
115
116 if (!pkcs11_get_x509_cert(cert, &mbed_crt))
117 {
118 msg(M_WARN, "PKCS#11: Cannot retrieve mbed TLS certificate object");
119 goto cleanup;
120 }
121
122 if (!(ret = x509_get_subject(&mbed_crt, gc)))
123 {
124 msg(M_WARN, "PKCS#11: mbed TLS cannot parse subject");
125 goto cleanup;
126 }
127
128 cleanup:
129 mbedtls_x509_crt_free(&mbed_crt);
130
131 return ret;
132 }
133
134 int
pkcs11_certificate_serial(pkcs11h_certificate_t cert,char * serial,size_t serial_len)135 pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial,
136 size_t serial_len)
137 {
138 int ret = 1;
139 mbedtls_x509_crt mbed_crt = { 0 };
140
141 if (!pkcs11_get_x509_cert(cert, &mbed_crt))
142 {
143 msg(M_WARN, "PKCS#11: Cannot retrieve mbed TLS certificate object");
144 goto cleanup;
145 }
146
147 if (mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial) < 0)
148 {
149 msg(M_WARN, "PKCS#11: mbed TLS cannot parse serial");
150 goto cleanup;
151 }
152
153 ret = 0;
154 cleanup:
155 mbedtls_x509_crt_free(&mbed_crt);
156
157 return ret;
158 }
159 #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */
160