From a0a405633952bcc7075a9728cd826dffb26e94bc Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Fri, 3 Sep 2021 13:57:23 -0400 Subject: [PATCH] support for pkcs11 opensc provider --- src/CryptoAgent/CryptoAgentSettings.cs | 5 ++-- src/CryptoAgent/Dockerfile | 1 + .../Services/Pkcs11RsaKeyService.cs | 30 +++++++++++-------- 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/CryptoAgent/CryptoAgentSettings.cs b/src/CryptoAgent/CryptoAgentSettings.cs
index 5bceea6..eade82f 100644
--- a/src/CryptoAgent/CryptoAgentSettings.cs
+++ b/src/CryptoAgent/CryptoAgentSettings.cs
@@ -58,7 +58,9 @@
 public string AwsRegion { get; set; }
 public string AwsKeyId { get; set; }
 // pkcs11
- // yubihsm2
+ // Providers:
+ // yubihsm2
+ // opensc
 public string Pkcs11Provider { get; set; }
 public string Pkcs11LibraryPath { get; set; }
 public string Pkcs11SlotTokenSerialNumber { get; set; }
@@ -66,7 +68,6 @@
 public string Pkcs11LoginPin { get; set; }
 public string Pkcs11PrivateKeyLabel { get; set; }
 public ulong? Pkcs11PrivateKeyId { get; set; }
- // Other HSMs...
 }
 
 public class DatabaseSettings
diff --git a/src/CryptoAgent/Dockerfile b/src/CryptoAgent/Dockerfile
index c395d4f..7278628 100644
--- a/src/CryptoAgent/Dockerfile
+++ b/src/CryptoAgent/Dockerfile
@@ -7,6 +7,7 @@ RUN apt-get update \
 gosu \
 curl \
 libc-dev \
+ opensc \
 && rm -rf /var/lib/apt/lists/*
 
 # Install YubiHSM2 SDK
diff --git a/src/CryptoAgent/Services/Pkcs11RsaKeyService.cs b/src/CryptoAgent/Services/Pkcs11RsaKeyService.cs
index 965de48..50c4985 100644
--- a/src/CryptoAgent/Services/Pkcs11RsaKeyService.cs
+++ b/src/CryptoAgent/Services/Pkcs11RsaKeyService.cs
@@ -54,7 +54,7 @@ namespace Bit.CryptoAgent.Services
 var mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS_OAEP, mechanismParams);
 var plainData = session.Decrypt(mechanism, privateKey, data);
- Cleanup(session, privateKey);
+ session.Logout();
 return Task.FromResult(plainData);
 }
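Review bot: The added `opensc \` installs whatever version the Debian mirror serves at build time, so the PKCS#11 module that will sit in-process with the token PIN is neither pinned nor reproducible; pin it (`opensc=<version> \`) or at least record the installed version in the build output. OpenSC reaches a token through pcscd and the USB device, neither of which this hunk provides for, so presumably the container will need the pcscd socket or the device mapped in at run time; a comment on the line would save the next operator a search, e.g. `# OpenSC PKCS#11 module (opensc-pkcs11.so); needs pcscd/USB access at run time`. The `RUN apt-get update \` this line belongs to begins above the hunk and its install flags are not visible here.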
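Review bot: `session.Logout()` runs only on the success path; if `session.Decrypt` throws, which a malformed or wrong-key OAEP ciphertext supplied by a caller will cause, the logged-in session is abandoned, and hardware tokens keep a small, finite session table, so repeated failures can exhaust it. The method's opening, where the session comes from `CreateNewSession`, is outside the hunk; unless the session is held in a `using` (Pkcs11Interop's ISession is disposable and closing it ends the login), the logout belongs in a `finally`. The Sign hunk below has the same shape and needs the same treatment.

```csharp
            // … unchanged: mechanism construction …
            byte[] plainData;
            try
            {
                plainData = session.Decrypt(mechanism, privateKey, data);
            }
            finally
            {
                // Log out even when the token rejects the ciphertext, so a
                // failed call does not leave an authenticated session behind.
                session.Logout();
            }
            return Task.FromResult(plainData);
```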
@@ -72,7 +72,7 @@ namespace Bit.CryptoAgent.Services
 var mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
 var signature = session.Sign(mechanism, privateKey, data);
- Cleanup(session, privateKey);
+ session.Logout();
 return Task.FromResult(signature);
 }
@@ -139,13 +139,25 @@ namespace Bit.CryptoAgent.Services
 var provider = _settings.RsaKey.Pkcs11Provider?.ToLowerInvariant();
 if (provider == "yubihsm2")
 {
- // TODO: Verify that this path works for Debian-installed YubiHSM SDKs
 libPath = "/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so";
 }
+ else if (provider == "opensc")
+ {
+ libPath = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";
+ }
+ else
+ {
+ throw new System.Exception("Please provide a library path or known provider.");
+ }
 }
 var factories = new Pkcs11InteropFactories();
- return factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, libPath, AppType.MultiThreaded);
+ var library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, libPath, AppType.MultiThreaded);
+ if (library == null)
+ {
+ throw new System.Exception("Cannot load library.");
+ }
+ return library;
 }
 private ISession CreateNewSession(IPkcs11Library library)
@@ -158,7 +170,7 @@ namespace Bit.CryptoAgent.Services
 if (slotInfo.SlotFlags.TokenPresent)
 {
 var tokenInfo = slot.GetTokenInfo();
- if (tokenInfo.SerialNumber == _settings.RsaKey.Pkcs11SlotTokenSerialNumber)
+ if (tokenInfo?.SerialNumber == _settings.RsaKey.Pkcs11SlotTokenSerialNumber)
 {
 chosenSlot = slot;
 break;
@@ -168,7 +180,7 @@ namespace Bit.CryptoAgent.Services
 if (chosenSlot == null)
 {
- return null;
+ throw new System.Exception("Cannot locate token slot.");
 }
 var session = chosenSlot.OpenSession(SessionType.ReadWrite);
@@ -187,11 +199,5 @@ namespace Bit.CryptoAgent.Services
 return session;
 }
-
- private void Cleanup(ISession session, IObjectHandle privateKey)
- {
- session.DestroyObject(privateKey);
- session.Logout();
- }
 }
 }
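Review bot: `libPath` taken from `Pkcs11LibraryPath` reaches `LoadPkcs11Library` unchecked, and a relative path is resolved through the dynamic loader's search path rather than a fixed location; because the module runs in-process and is handed the login PIN, reject anything but an existing absolute path before loading: `if (!Path.IsPathRooted(libPath) || !File.Exists(libPath)) throw new InvalidOperationException($"PKCS#11 library not found at '{libPath}'.");` (needs `System.IO`). The new `library == null` guard is, as far as I recall Pkcs11Interop, dead code — `LoadPkcs11Library` throws on a failed load rather than returning null — so either drop it or catch and rethrow with the path in the message. The other new throw uses bare `System.Exception` and hides the offending value; `throw new InvalidOperationException($"Unknown PKCS#11 provider '{provider}'; set Pkcs11LibraryPath or a known provider.");` is more useful to whoever reads the log. The branch that reads `Pkcs11LibraryPath` begins above the hunk, and the hard-coded OpenSC path is Debian/x86_64 specific, matching the Dockerfile.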
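Review bot: An unset `Pkcs11SlotTokenSerialNumber` is not caught here: the comparison simply never matches (Pkcs11Interop's `SerialNumber` is, as far as I recall, a non-null trimmed string), so a missing setting surfaces later as "Cannot locate token slot.", which points at the hardware instead of the config. Validate the setting before walking the slots, `if (string.IsNullOrWhiteSpace(_settings.RsaKey.Pkcs11SlotTokenSerialNumber)) throw new InvalidOperationException("Pkcs11SlotTokenSerialNumber is required.");`, and compare with `string.Equals(tokenInfo?.SerialNumber, serial, StringComparison.Ordinal)` so the intent is explicit. The `?.` only changes behaviour if `GetTokenInfo()` can return null, which I don't believe it does; a one-line comment saying why it is there would stop the next reader from wondering. The enclosing foreach over the slots starts above the hunk and continues past it.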