pkcs11-util: clean up credential handling for PKCS11 PIN

similar as the previous commit, let's clean up the credential name we use. Use home.token-pin in case of homectl, and cryptenroll.pkcs11-pin in case of cryptenroll.
2026-04-14 16:37:19 +09:00 · 2024-02-19 17:44:01 +01:00
parent 7252be6083
commit a96c284f10
4 changed files with 18 additions and 15 deletions
--- a/src/cryptenroll/cryptenroll-pkcs11.c
+++ b/src/cryptenroll/cryptenroll-pkcs11.c
@@ -55,7 +55,7 @@ int enroll_pkcs11(

        assert_se(node = crypt_get_device_name(cd));

-        r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", &pkey, NULL);
+        r = pkcs11_acquire_public_key(uri, "volume enrollment operation", "drive-harddisk", "cryptenroll.pkcs11-pin", &pkey, NULL);
        if (r < 0)
                return r;

--- a/src/home/homectl-pkcs11.c
+++ b/src/home/homectl-pkcs11.c
@@ -153,7 +153,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {

        assert(v);

-        r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", &pkey, &pin);
+        r = pkcs11_acquire_public_key(uri, "home directory operation", "user-home", "home.token-pin", &pkey, &pin);
        if (r < 0)
                return r;

--- a/src/shared/pkcs11-util.c
+++ b/src/shared/pkcs11-util.c
@@ -291,9 +291,9 @@ int pkcs11_token_login(
                CK_SLOT_ID slotid,
                const CK_TOKEN_INFO *token_info,
                const char *friendly_name,
-                const char *icon_name,
-                const char *key_name,
-                const char *credential_name,
+                const char *askpw_icon,
+                const char *askpw_keyring,
+                const char *askpw_credential,
                usec_t until,
                AskPasswordFlags ask_password_flags,
                bool headless,
@@ -377,10 +377,10 @@ int pkcs11_token_login(

                        AskPasswordRequest req = {
                                .message = text,
-                                .icon = icon_name,
+                                .icon = askpw_icon,
                                .id = id,
-                                .keyring = key_name,
-                                .credential = credential_name,
+                                .keyring = askpw_keyring,
+                                .credential = askpw_credential,
                        };

                        /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
@@ -1651,7 +1651,7 @@ int pkcs11_find_token(
 struct pkcs11_acquire_public_key_callback_data {
        char *pin_used;
        EVP_PKEY *pkey;
-        const char *askpw_friendly_name, *askpw_icon_name;
+        const char *askpw_friendly_name, *askpw_icon, *askpw_credential;
        AskPasswordFlags askpw_flags;
        bool headless;
 };
@@ -1698,9 +1698,9 @@ static int pkcs11_acquire_public_key_callback(
                        slot_id,
                        token_info,
                        data->askpw_friendly_name,
-                        data->askpw_icon_name,
-                        "pkcs11-pin",
+                        data->askpw_icon,
                        "pkcs11-pin",
+                        data->askpw_credential,
                        UINT64_MAX,
                        data->askpw_flags,
                        data->headless,
@@ -1829,13 +1829,15 @@ success:
 int pkcs11_acquire_public_key(
                const char *uri,
                const char *askpw_friendly_name,
-                const char *askpw_icon_name,
+                const char *askpw_icon,
+                const char *askpw_credential,
                EVP_PKEY **ret_pkey,
                char **ret_pin_used) {

        _cleanup_(pkcs11_acquire_public_key_callback_data_release) struct pkcs11_acquire_public_key_callback_data data = {
                .askpw_friendly_name = askpw_friendly_name,
-                .askpw_icon_name = askpw_icon_name,
+                .askpw_icon = askpw_icon,
+                .askpw_credential = askpw_credential,
        };
        int r;

@@ -2040,7 +2042,7 @@ int pkcs11_crypt_device_callback(
                        data->friendly_name,
                        "drive-harddisk",
                        "pkcs11-pin",
-                        "cryptsetup.pkcs11-pin",
+                        data->askpw_credential,
                        data->until,
                        data->askpw_flags,
                        data->headless,
--- a/src/shared/pkcs11-util.h
+++ b/src/shared/pkcs11-util.h
@@ -71,7 +71,7 @@ typedef int (*pkcs11_find_token_callback_t)(CK_FUNCTION_LIST *m, CK_SESSION_HAND
 int pkcs11_find_token(const char *pkcs11_uri, pkcs11_find_token_callback_t callback, void *userdata);

 #if HAVE_OPENSSL
-int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon_name, EVP_PKEY **ret_pkey, char **ret_pin_used);
+int pkcs11_acquire_public_key(const char *uri, const char *askpw_friendly_name, const char *askpw_icon, const char *askpw_credential, EVP_PKEY **ret_pkey, char **ret_pin_used);
 #endif

 typedef struct {
@@ -83,6 +83,7 @@ typedef struct {
        size_t decrypted_key_size;
        bool free_encrypted_key;
        bool headless;
+        const char *askpw_credential;
        AskPasswordFlags askpw_flags;
 } pkcs11_crypt_device_callback_data;