// // Copyright (C) 2015 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #ifndef ATTESTATION_SERVER_PKCS11_KEY_STORE_H_ #define ATTESTATION_SERVER_PKCS11_KEY_STORE_H_ #include "attestation/server/key_store.h" #include #include #include #include #include namespace attestation { // This class uses a PKCS #11 token as storage for key data. The key data is // stored in data objects with the following attributes: // CKA_CLASS - CKO_DATA // CKA_LABEL - A key name. // CKA_VALUE - Binary key data (opaque to this class and the PKCS #11 token). // CKA_APPLICATION - A constant value associated with this class. // CKA_TOKEN - True // CKA_PRIVATE - True // CKA_MODIFIABLE - False // There is no barrier between the objects created by this class and any other // objects residing in the same token. In practice, this means that any // component with access to the PKCS #11 token also has access to read or delete // key data. class Pkcs11KeyStore : public KeyStore { public: // Does not take ownership of pointers. explicit Pkcs11KeyStore(chaps::TokenManagerClient* token_manager); ~Pkcs11KeyStore() override; // KeyStore interface. bool Read(const std::string& username, const std::string& key_name, std::string* key_data) override; bool Write(const std::string& username, const std::string& key_name, const std::string& key_data) override; bool Delete(const std::string& username, const std::string& key_name) override; bool DeleteByPrefix(const std::string& username, const std::string& key_prefix) override; bool Register(const std::string& username, const std::string& label, KeyType key_type, KeyUsage key_usage, const std::string& private_key_blob, const std::string& public_key_der, const std::string& certificate) override; bool RegisterCertificate(const std::string& username, const std::string& certificate) override; private: using EnumObjectsCallback = base::Callback; // Searches for a PKCS #11 object for a given key name. If one exists, the // object handle is returned, otherwise CK_INVALID_HANDLE is returned. CK_OBJECT_HANDLE FindObject(CK_SESSION_HANDLE session_handle, const std::string& key_name); // Gets a slot for the given |username| if |is_user_specific| or the system // slot otherwise. Returns false if no appropriate slot is found. bool GetUserSlot(const std::string& username, CK_SLOT_ID_PTR slot); // Enumerates all PKCS #11 objects associated with keys. The |callback| is // called once for each object. bool EnumObjects(CK_SESSION_HANDLE session_handle, const EnumObjectsCallback& callback); // Looks up the key name for the given |object_handle| which is associated // with a key. Returns true on success. bool GetKeyName(CK_SESSION_HANDLE session_handle, CK_OBJECT_HANDLE object_handle, std::string* key_name); // An EnumObjectsCallback for use with DeleteByPrefix. Destroys the key // object identified by |object_handle| if |key_name| matches |key_prefix|. // Returns true on success. bool DeleteIfMatchesPrefix(CK_SESSION_HANDLE session_handle, const std::string& key_prefix, const std::string& key_name, CK_OBJECT_HANDLE object_handle); // Extracts the |subject|, |issuer|, and |serial_number| information from an // X.509 |certificate|. Returns false if the value cannot be determined. bool GetCertificateFields(const std::string& certificate, std::string* subject, std::string* issuer, std::string* serial_number); // Returns true iff the given certificate already exists in the token. bool DoesCertificateExist(CK_SESSION_HANDLE session_handle, const std::string& certificate); chaps::TokenManagerClient* token_manager_; DISALLOW_COPY_AND_ASSIGN(Pkcs11KeyStore); }; } // namespace attestation #endif // ATTESTATION_SERVER_PKCS11_KEY_STORE_H_