From 9ee3285957f99dae00a3045d5a1542946461e01d Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Tue, 20 Feb 2018 08:19:30 +0200 Subject: [PATCH] pkcs11signers: Support separate public key label At least Yubikey NEO has separate private and public key labels so support providing both when necessary. --- pdns/dnssecinfra.cc | 5 ++++- pdns/pdnsutil.cc | 10 +++++++-- pdns/pkcs11signers.cc | 50 +++++++++++++++++++++++++------------------ pdns/pkcs11signers.hh | 1 + 4 files changed, 42 insertions(+), 24 deletions(-) diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index d37a0465c..5f662d188 100644 --- a/pdns/dnssecinfra.cc +++ b/pdns/dnssecinfra.cc @@ -96,6 +96,9 @@ shared_ptr DNSCryptoKeyEngine::makeFromISCString(DNSKEYRecor } else if (pdns_iequals(key,"label")) { stormap["label"]=value; continue; + } else if (pdns_iequals(key,"publabel")) { + stormap["publabel"]=value; + continue; } else if(pdns_iequals(key, "Private-key-format")) continue; @@ -131,7 +134,7 @@ std::string DNSCryptoKeyEngine::convertToISC() const for(const stormap_t::value_type& value : stormap) { if(value.first != "Algorithm" && value.first != "PIN" && value.first != "Slot" && value.first != "Engine" && - value.first != "Label") + value.first != "Label" && value.first != "PubLabel") ret< keys; if (cmds.size() < 9) { - std::cout << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL" << std::endl; + std::cout << "Usage: pdnsutil hsm assign ZONE ALGORITHM {ksk|zsk} MODULE TOKEN PIN LABEL (PUBLABEL)" << std::endl; return 1; } @@ -2931,6 +2931,11 @@ try string slot = cmds[6]; string pin = cmds[7]; string label = cmds[8]; + string pub_label; + if (cmds.size() > 9) + pub_label = cmds[9]; + else + pub_label = label; std::ostringstream iscString; iscString << "Private-key-format: v1.2" << std::endl << @@ -2938,7 +2943,8 @@ try "Engine: " << module << std::endl << "Slot: " << slot << std::endl << "PIN: " << pin << std::endl << - "Label: " << label << std::endl; + "Label: " << label << std::endl << + "PubLabel: " << pub_label << std::endl; DNSKEYRecordContent drc; DNSSECPrivateKey dpk; diff --git a/pdns/pkcs11signers.cc b/pdns/pkcs11signers.cc index 2ebe42e14..bec5d4b2d 100644 --- a/pdns/pkcs11signers.cc +++ b/pdns/pkcs11signers.cc @@ -279,6 +279,8 @@ class Pkcs11Token { std::string d_ecdsa_params; std::string d_label; + std::string d_pub_label; + bool d_loaded; CK_RV d_err; @@ -290,7 +292,7 @@ class Pkcs11Token { } public: - Pkcs11Token(const std::shared_ptr& slot, const std::string& label); + Pkcs11Token(const std::shared_ptr& slot, const std::string& label, const std::string& pub_label); ~Pkcs11Token(); bool Login(const std::string& pin) { @@ -325,10 +327,10 @@ class Pkcs11Token { attr.clear(); attr.push_back(P11KitAttribute(CKA_CLASS, (unsigned long)CKO_PUBLIC_KEY)); // attr.push_back(P11KitAttribute(CKA_VERIFY, (char)CK_TRUE)); - attr.push_back(P11KitAttribute(CKA_LABEL, d_label)); + attr.push_back(P11KitAttribute(CKA_LABEL, d_pub_label)); FindObjects2(attr, key, 1); if (key.size() == 0) { - L< GetToken(const std::string& module, const string& tokenId, const std::string& label); + static std::shared_ptr GetToken(const std::string& module, const string& tokenId, const std::string& label, const std::string& pub_label); }; static std::map > pkcs11_slots; @@ -720,7 +722,7 @@ std::shared_ptr Pkcs11Slot::GetSlot(const std::string& module, const return pkcs11_slots[sidx]; } -std::shared_ptr Pkcs11Token::GetToken(const std::string& module, const string& tokenId, const std::string& label) { +std::shared_ptr Pkcs11Token::GetToken(const std::string& module, const string& tokenId, const std::string& label, const std::string& pub_label) { // see if we can find module std::string tidx = module; tidx.append("|"); @@ -731,15 +733,16 @@ std::shared_ptr Pkcs11Token::GetToken(const std::string& module, co if ((tokenIter = pkcs11_tokens.find(tidx)) != pkcs11_tokens.end()) return tokenIter->second; std::shared_ptr slot = Pkcs11Slot::GetSlot(module, tokenId); - pkcs11_tokens[tidx] = std::make_shared(slot, label); + pkcs11_tokens[tidx] = std::make_shared(slot, label, pub_label); return pkcs11_tokens[tidx]; } -Pkcs11Token::Pkcs11Token(const std::shared_ptr& slot, const std::string& label) { +Pkcs11Token::Pkcs11Token(const std::shared_ptr& slot, const std::string& label, const std::string& pub_label) { // open a session this->d_bits = 0; this->d_slot = slot; this->d_label = label; + this->d_pub_label = pub_label; this->d_err = 0; this->d_loaded = false; if (this->d_slot->LoggedIn()) LoadAttributes(); @@ -767,7 +770,7 @@ void PKCS11DNSCryptoKeyEngine::create(unsigned int bits) { CK_OBJECT_HANDLE pubKey, privKey; CK_RV rv; std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -782,7 +785,7 @@ void PKCS11DNSCryptoKeyEngine::create(unsigned int bits) { pubAttr.push_back(P11KitAttribute(CKA_WRAP, (char)CK_TRUE)); pubAttr.push_back(P11KitAttribute(CKA_MODULUS_BITS, (unsigned long)bits)); pubAttr.push_back(P11KitAttribute(CKA_PUBLIC_EXPONENT, pubExp)); - pubAttr.push_back(P11KitAttribute(CKA_LABEL, d_label)); + pubAttr.push_back(P11KitAttribute(CKA_LABEL, d_pub_label)); privAttr.push_back(P11KitAttribute(CKA_CLASS, (unsigned long)CKO_PRIVATE_KEY)); privAttr.push_back(P11KitAttribute(CKA_KEY_TYPE, (unsigned long)CKK_RSA)); @@ -808,7 +811,7 @@ void PKCS11DNSCryptoKeyEngine::create(unsigned int bits) { std::string PKCS11DNSCryptoKeyEngine::sign(const std::string& msg) const { std::string result; std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -833,7 +836,7 @@ std::string PKCS11DNSCryptoKeyEngine::hash(const std::string& msg) const { mech.pParameter = NULL; mech.ulParameterLen = 0; std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -864,7 +867,7 @@ std::string PKCS11DNSCryptoKeyEngine::hash(const std::string& msg) const { bool PKCS11DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& signature) const { std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -883,7 +886,7 @@ bool PKCS11DNSCryptoKeyEngine::verify(const std::string& msg, const std::string& std::string PKCS11DNSCryptoKeyEngine::getPubKeyHash() const { // find us a public key std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -896,7 +899,7 @@ std::string PKCS11DNSCryptoKeyEngine::getPubKeyHash() const { std::string PKCS11DNSCryptoKeyEngine::getPublicKeyString() const { std::string result(""); std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -919,7 +922,7 @@ std::string PKCS11DNSCryptoKeyEngine::getPublicKeyString() const { int PKCS11DNSCryptoKeyEngine::getBits() const { std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Not logged in to token"); @@ -937,7 +940,8 @@ DNSCryptoKeyEngine::storvector_t PKCS11DNSCryptoKeyEngine::convertToISCVector() (make_pair("Engine", d_module)) (make_pair("Slot", d_slot_id)) (make_pair("PIN", d_pin)) - (make_pair("Label", d_label)); + (make_pair("Label", d_label)) + (make_pair("PubLabel", d_pub_label)); return storvect; }; @@ -948,10 +952,14 @@ void PKCS11DNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, stormap_t& s boost::trim(d_slot_id); d_pin = stormap["pin"]; d_label = stormap["label"]; + if (stormap.find("publabel") != stormap.end()) + d_pub_label = stormap["publabel"]; + else + d_pub_label = d_label; // validate parameters std::shared_ptr d_slot; - d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label); + d_slot = Pkcs11Token::GetToken(d_module, d_slot_id, d_label, d_pub_label); if (d_pin != "" && d_slot->LoggedIn() == false) if (d_slot->Login(d_pin) == false) throw PDNSException("Could not log in to token (PIN wrong?)"); diff --git a/pdns/pkcs11signers.hh b/pdns/pkcs11signers.hh index bf9d48011..094eddf81 100644 --- a/pdns/pkcs11signers.hh +++ b/pdns/pkcs11signers.hh @@ -29,6 +29,7 @@ class PKCS11DNSCryptoKeyEngine : public DNSCryptoKeyEngine std::string d_slot_id; std::string d_pin; std::string d_label; + std::string d_pub_label; public: PKCS11DNSCryptoKeyEngine(unsigned int algorithm); -- 2.40.0