PKCS#11 URI from Fedora

* Print PKCS#11 URIs from ssh-keygen * Accept PKCS#11 URIs in -i argument to ssh * Allow PKCS#11 URI specification in ssh_config * Fallback to p11-kit-proxy * PKCS#11 URI support for ssh-add and ssh-agent * internal representation is URI * Allow to specify pin-value in URI to avoid interactive prompts Currently recognized and used parts of PKCS#11 URI: * path (optional) * token * id * manufacturer * (library-manufacturer) * query (optional) * module-path * pin-value Unit test for PKCS#11 URIs * test PKCS#11 URI parser, generator * test percent_encodeer and decoder Regression tests for PKCS#11 URI support * soft-pkcs11.so from people.su.se/~lha/soft-pkcs11 * Return correct CKR for unknown attributes * Adjust and build it with regress tests (allowing agent-pkcs11 test) * Test PKCS#11 URIs support with soft-pkcs11 * Direct usage from commandline (URI, provider and combination) * Usage from configuration files * Usage in ssh-agent (add, sign, remove) * Make sure it is built with correct paths
Jakuje · Feb 13, 2020 · ed3eaf7 · ed3eaf7
1 parent 72f0ce3
commit ed3eaf7
Show file tree

Hide file tree

Showing 17 changed files with 1,970 additions and 243 deletions.
diff --git a/Makefile.in b/Makefile.in
@@ -102,7 +102,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \
 	ssh-ed25519-sk.o ssh-rsa.o dh.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	ssh-pkcs11.o smult_curve25519_ref.o \
+	ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
 	poly1305.o chacha.o cipher-chachapoly.o \
 	ssh-ed25519.o digest-openssl.o digest-libc.o \
 	hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
@@ -289,6 +289,8 @@ clean:	regressclean
 	rm -f regress/unittests/match/test_match$(EXEEXT)
 	rm -f regress/unittests/utf8/*.o
 	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
+	rm -f regress/unittests/pkcs11/*.o
+	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 	rm -f regress/misc/sk-dummy/*.o
@@ -322,6 +324,8 @@ distclean:	regressclean
 	rm -f regress/unittests/match/test_match
 	rm -f regress/unittests/utf8/*.o
 	rm -f regress/unittests/utf8/test_utf8
+	rm -f regress/unittests/pkcs11/*.o
+	rm -f regress/unittests/pkcs11/test_pkcs11
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 	(cd openbsd-compat && $(MAKE) distclean)
@@ -490,6 +494,7 @@ regress-prep:
 	$(MKDIR_P) `pwd`/regress/unittests/kex
 	$(MKDIR_P) `pwd`/regress/unittests/match
 	$(MKDIR_P) `pwd`/regress/unittests/utf8
+	$(MKDIR_P) `pwd`/regress/unittests/pkcs11
 	$(MKDIR_P) `pwd`/regress/misc/kexfuzz
 	$(MKDIR_P) `pwd`/regress/misc/sk-dummy
 	[ -f `pwd`/regress/Makefile ] || \
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+UNITTESTS_TEST_PKCS11_OBJS=\
+	regress/unittests/pkcs11/tests.o
+
+regress/unittests/pkcs11/test_pkcs11$(EXEEXT): \
+    ${UNITTESTS_TEST_PKCS11_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \
+	    regress/unittests/test_helper/libtest_helper.a \
+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 MISC_KEX_FUZZ_OBJS=\
 	regress/misc/kexfuzz/kexfuzz.o \
 	$(SKOBJS)
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
 	regress/unittests/kex/test_kex$(EXEEXT) \
 	regress/unittests/match/test_match$(EXEEXT) \
 	regress/unittests/utf8/test_utf8$(EXEEXT) \
+	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
 	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 
 tests:	file-tests t-exec interop-tests unit

diff --git a/configure.ac b/configure.ac
@@ -1911,12 +1911,14 @@ AC_LINK_IFELSE(
 	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
 ])
 
+SCARD_MSG="yes"
 disable_pkcs11=
 AC_ARG_ENABLE([pkcs11],
 	[  --disable-pkcs11        disable PKCS#11 support code [no]],
 	[
 		if test "x$enableval" = "xno" ; then
 			disable_pkcs11=1
+			SCARD_MSG="no"
 		fi
 	]
 )
@@ -1945,6 +1947,40 @@ AC_SEARCH_LIBS([dlopen], [dl])
 AC_CHECK_FUNCS([dlopen])
 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])
 
+# Check whether we have a p11-kit, we got default provider on command line
+DEFAULT_PKCS11_PROVIDER_MSG="no"
+AC_ARG_WITH([default-pkcs11-provider],
+	[  --with-default-pkcs11-provider[[=PATH]]   Use default pkcs11 provider (p11-kit detected by default)],
+	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then
+		if test "x$withval" = "xyes" ; then
+			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+			if test "x$PKGCONFIG" != "xno"; then
+				AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])
+				if "$PKGCONFIG" "p11-kit-1"; then
+					AC_MSG_RESULT([yes])
+					use_pkgconfig_for_p11kit=yes
+				else
+					AC_MSG_RESULT([no])
+				fi
+			fi
+		else
+			PKCS11_PATH="${withval}"
+		fi
+		if test "x$use_pkgconfig_for_p11kit" = "xyes"; then
+			PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`
+		fi
+		AC_CHECK_FILE("$PKCS11_PATH",
+			[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])
+			  DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"
+			],
+			[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]
+		)
+	else
+		AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])
+	fi ]
+)
+
+
 # IRIX has a const char return value for gai_strerror()
 AC_CHECK_FUNCS([gai_strerror], [
 	AC_DEFINE([HAVE_GAI_STRERROR])
@@ -5401,6 +5437,7 @@ echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
 echo "             Privsep sandbox style: $SANDBOX_STYLE"
 echo "                   PKCS#11 support: $enable_pkcs11"
+echo "          Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"
 echo "                  U2F/FIDO support: $enable_sk"
 
 echo ""

diff --git a/regress/Makefile b/regress/Makefile
@@ -116,7 +116,8 @@ CLEANFILES=	*.core actual agent-key.* authorized_keys_${USERNAME} \
 		known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
 		modpipe netcat no_identity_config \
 		pidfile putty.rsa2 ready regress.log remote_pid \
-		revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa_ssh2_cr.prv \
+		revoked-* rsa rsa-agent rsa-agent.pub rsa-agent-cert.pub \
+		rsa.pub rsa_ssh2_cr.prv pkcs11*.crt pkcs11*.key pkcs11.info \
 		rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
 		scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
 		sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
@@ -246,6 +247,7 @@ unit:
 		V="" ; \
 		test "x${USE_VALGRIND}" = "x" || \
 		    V=${.CURDIR}/valgrind-unit.sh ; \
+		$$V ${.OBJDIR}/unittests/pkcs11/test_pkcs11 ; \
 		$$V ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \
 		$$V ${.OBJDIR}/unittests/sshkey/test_sshkey \
 			-d ${.CURDIR}/unittests/sshkey/testdata ; \

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
@@ -113,7 +113,7 @@ else
 	done
 
 	trace "remove pkcs11 keys"
-	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+	${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
 	r=$?
 	if [ $r -ne 0 ]; then
 		fail "ssh-add -e failed: exit code $r"