pkcs11 support (#2222)

* Refs 11914. Move CA and PK load to abstraction depending on the URI

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Add dependency with libp11 in linux

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. PKCS11 provider for PK load

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. PKIDH using PKCS11 provider depending on URI

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Create a fake UI method for PKCS11 provider

Otherwise, if no PIN is given on environment nor URI,
the default behavior of the wrapper library is to prompt
the user on the console... And we do not want that

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. linters

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Do not make libp11 requiredwq

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Adding test

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Create token and keys inside test

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Refactor test

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Avoid singleton and make the provider destroy with plugin

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Conditional compile with libP11

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Changes requested on review

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. uncrustify

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Suggestions on tests

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Update dependencies on README

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. update fastrtps API pubsubreader

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Remove unused parameter

Signed-off-by: Iker Luengo <ikerluengo@eprosima.com>

* Refs 11914. Update CMake framework

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Make p11 windows installer friendly

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Make test grep independent on windows

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Ignore pkcs11 tests if not available.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Update system calls on windows

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Linux ci fixes.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Make CMake hint openssl config to blackbox tests on windows

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Rebase fixes.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Linter.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Address reviewers comments.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Address reviewers comments.

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

* Refs 11914. Disable pkcs11 windows testing till ci is reviewed

Signed-off-by: Miguel Barro <miguelbarro@eprosima.com>

Co-authored-by: Miguel Barro <miguelbarro@eprosima.com>

CMakeLists.txt

@@ -165,6 +165,7 @@ if(SECURITY)
 else()
     find_package(OpenSSL)
 endif()
+find_package(LibP11)
 
 if(OPENSSL_FOUND)
     message(STATUS "OpenSSL library ${OPENSSL_VERSION} found...")

README.md

@@ -93,6 +93,22 @@ choco install -y -s <PATH\TO\DOWNLOADS\> asio tinyxml2
 
 Please replace `<PATH\TO\DOWNLOADS>` with the folder you downloaded the packages to.
 
+##### Libp11 library
+
+Libp11 provides PKCS#11 support for openSSL. This is an optional dependency,
+that is needed only when *eprosima Fast DDS* is used with security and PKCS#11 URLs.
+
+On Linux, you can install libp11 using the package manager of your Linux distribution.
+For example, on Ubuntu you can install them by using its package manager with the next command.
+
+```bash
+sudo apt install libp11-dev libengine-pkcs11-openssl
+```
+
+On Windows, you can download and compile the library from this
+[ROS2 Github repository](https://github.com/OpenSC/libp11).
+Follow the instructions on the repository to compile it on your platform.
+
 #### Colcon installation
 
 [colcon](https://colcon.readthedocs.io) is a command line tool to build sets of software packages.

cmake/modules/FindLibP11.cmake

@@ -0,0 +1,43 @@
+# FindLibP11
+#
+# Generates an imported target associated to an available pksc11 library:
+#
+#   + On linux relies on the apt package libp11-dev
+#
+#   + On Windows the library must be build from sources available at https://github.com/OpenSC/libp11.git
+#     Given that each user must build its own binaries the following environment variables must be set to hint
+#     where to locate headers and binaries (semicolon-separated list see https://cmake.org/cmake/help/v3.22/variable/PackageName_ROOT.html):
+#       + LibP11_ROOT_32 -> to reference sources and 32 bit binaries location
+#       + LibP11_ROOT_64 -> to reference sources and 64 bit binaries location
+
+if(TARGET eProsima_p11)
+    return()
+endif()
+
+if(CMAKE_SIZEOF_VOID_P EQUAL 4)
+    set(LibP11_ROOT "$ENV{LibP11_ROOT_32}")
+else()
+    set(LibP11_ROOT "$ENV{LibP11_ROOT_64}")
+endif()
+
+find_path(LIBP11_INCLUDE_DIR NAMES libp11.h HINTS ${LibP11_ROOT})
+find_library(LIBP11_LIBRARY NAMES libp11.a libp11.lib HINTS ${LibP11_ROOT})
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(LibP11 DEFAULT_MSG LIBP11_LIBRARY LIBP11_INCLUDE_DIR)
+
+if(LibP11_FOUND)
+    # add the target
+    add_library(eProsima_p11 STATIC IMPORTED)
+
+    # update the properties
+    set_target_properties(eProsima_p11 PROPERTIES
+        IMPORTED_LOCATION "${LIBP11_LIBRARY}"
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBP11_INCLUDE_DIR}"
+    )
+endif()
+
+# clean local variables
+unset(LIBP11_INCLUDE_DIR)
+unset(LIBP11_LIBRARY)
+unset(LibP11_ROOT)

include/fastrtps/config.h.in

@@ -25,87 +25,91 @@
 // C++20 support defines
 #ifndef HAVE_CXX20
 #define HAVE_CXX20 @HAVE_CXX20@
-#endif
+#endif /* ifndef HAVE_CXX20 */
 
 // C++17 support defines
 #ifndef HAVE_CXX17
 #define HAVE_CXX17 @HAVE_CXX17@
-#endif
+#endif /* ifndef HAVE_CXX17 */
 
 // C++14 support defines
 #ifndef HAVE_CXX14
 #define HAVE_CXX14 @HAVE_CXX14@
-#endif
+#endif /* ifndef HAVE_CXX14 */
 
 // C++1Y support defines
 #ifndef HAVE_CXX1Y
 #define HAVE_CXX1Y @HAVE_CXX1Y@
-#endif
+#endif /* ifndef HAVE_CXX1Y */
 
 // C++11 support defines
 #ifndef HAVE_CXX11
 #define HAVE_CXX11 @HAVE_CXX11@
-#endif
+#endif /* ifndef HAVE_CXX11 */
 
 // C++0x support defines
 #ifndef HAVE_CXX0X
 #define HAVE_CXX0X @HAVE_CXX0X@
-#endif
+#endif /* ifndef HAVE_CXX0X */
 
 // C++ constexpr support
 #ifndef HAVE_CXX_CONSTEXPR
 #define HAVE_CXX_CONSTEXPR @HAVE_CXX_CONSTEXPR@
-#endif
+#endif /* ifndef HAVE_CXX_CONSTEXPR */
 
 #if HAVE_CXX_CONSTEXPR
 #define CONSTEXPR constexpr
 #else
 #define CONSTEXPR const
-#endif
+#endif /* if HAVE_CXX_CONSTEXPR */
 
 // Endianness defines
 #ifndef FASTDDS_IS_BIG_ENDIAN_TARGET
 #define FASTDDS_IS_BIG_ENDIAN_TARGET @FASTDDS_IS_BIG_ENDIAN_TARGET@
-#endif
+#endif /* ifndef FASTDDS_IS_BIG_ENDIAN_TARGET */
 
 // Security
 #ifndef HAVE_SECURITY
 #define HAVE_SECURITY @HAVE_SECURITY@
-#endif
+#endif /* ifndef HAVE_SECURITY */
+
+#ifndef HAVE_LIBP11
+#define HAVE_LIBP11 @HAVE_LIBP11@
+#endif /* ifndef HAVE_LIBP11 */
 
 //Sqlite3 support
 #ifndef HAVE_SQLITE3
 #define HAVE_SQLITE3 @HAVE_SQLITE3@
-#endif
+#endif /* ifndef HAVE_SQLITE3 */
 
 
 // TLS support
 #ifndef TLS_FOUND
 #define TLS_FOUND @TLS_FOUND@
-#endif
+#endif /* ifndef TLS_FOUND */
 
 // Strict real-time
 #ifndef HAVE_STRICT_REALTIME
 #define HAVE_STRICT_REALTIME @HAVE_STRICT_REALTIME@
-#endif
+#endif /* ifndef HAVE_STRICT_REALTIME */
 
 /* Log Macros */
 
 // Log Info
 #cmakedefine FASTDDS_ENFORCE_LOG_INFO
 #ifndef HAVE_LOG_NO_INFO
 #define HAVE_LOG_NO_INFO @HAVE_LOG_NO_INFO@
-#endif
+#endif /* ifndef HAVE_LOG_NO_INFO */
 
 // Log Warning
 #ifndef HAVE_LOG_NO_WARNING
 #define HAVE_LOG_NO_WARNING @HAVE_LOG_NO_WARNING@
-#endif
+#endif /* ifndef HAVE_LOG_NO_WARNING */
 
 // Log Error
 #ifndef HAVE_LOG_NO_ERROR
 #define HAVE_LOG_NO_ERROR @HAVE_LOG_NO_ERROR@
-#endif
+#endif /* ifndef HAVE_LOG_NO_ERROR */
 
 // Statistics
 #cmakedefine FASTDDS_STATISTICS
@@ -119,7 +123,7 @@
 #define FASTRTPS_DEPRECATED(msg) __declspec(deprecated(msg))
 #else
 #define FASTRTPS_DEPRECATED(msg)
-#endif
+#endif /* if __cplusplus >= 201402L */
 
 // Deprecation with version
 #define FASTDDS_DEPRECATED_UNTIL(major, entity_name, msg)                                                           \
@@ -128,7 +132,7 @@
 
 #define FASTDDS_TODO_BEFORE(major, minor, msg)                                          \
     static_assert((FASTRTPS_VERSION_MAJOR < major) ||                                   \
-                  (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor),  \
-                  "TODO before version " #major "." #minor " : " #msg);
+            (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor),  \
+            "TODO before version " #major "." #minor " : " #msg);
 
 #endif // _FASTRTPS_CONFIG_H_

src/cpp/CMakeLists.txt

@@ -296,15 +296,23 @@ set(${PROJECT_NAME}_security_source_files
     security/accesscontrol/GovernanceParser.cpp
     security/accesscontrol/PermissionsParser.cpp
     security/logging/LogTopic.cpp
+    security/artifact_providers/FileProvider.cpp
+    security/artifact_providers/Pkcs11Provider.cpp
     )
 
 if(SECURITY)
     list(APPEND ${PROJECT_NAME}_source_files
         ${${PROJECT_NAME}_security_source_files}
         )
     set(HAVE_SECURITY 1)
+    if(LIBP11_FOUND)
+        set(HAVE_LIBP11 1)
+    else()
+        set(HAVE_LIBP11 0)
+    endif()
 else()
     set(HAVE_SECURITY 0)
+    set(HAVE_LIBP11 0)
 endif()
 
 if(WIN32 AND (MSVC OR MSVC_IDE))
@@ -437,6 +445,7 @@ target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory
     $<$<BOOL:${WIN32}>:iphlpapi$<SEMICOLON>Shlwapi>
     ${THIRDPARTY_BOOST_LINK_LIBS}
     PRIVATE eProsima_atomic
+    $<$<BOOL:${LibP11_FOUND}>:eProsima_p11>  # $<TARGET_NAME_IF_EXISTS:eProsima_p11>
     )
 
 if(MSVC OR MSVC_IDE)

src/cpp/security/accesscontrol/Permissions.cpp

@@ -43,6 +43,8 @@
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
 
+#include <security/artifact_providers/FileProvider.hpp>
+
 #include <cassert>
 #include <fstream>
 
@@ -351,105 +353,13 @@ static X509_STORE* load_permissions_ca(
         std::string& ca_algo,
         SecurityException& exception)
 {
-    X509_STORE* store = X509_STORE_new();
-
-    if (store != nullptr)
-    {
-        if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0)
-        {
-            BIO* in = BIO_new(BIO_s_file());
-
-            if (in != nullptr)
-            {
-                if (BIO_read_filename(in, permissions_ca.substr(7).c_str()) > 0)
-                {
-                    STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
-
-                    if (inf != nullptr)
-                    {
-                        int i, count = 0;
-                        there_are_crls = false;
-
-                        for (i = 0; i < sk_X509_INFO_num(inf); i++)
-                        {
-                            X509_INFO* itmp = sk_X509_INFO_value(inf, i);
-
-                            if (itmp->x509)
-                            {
-                                // Retrieve subject name for future use.
-                                if (ca_sn.empty())
-                                {
-                                    X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509);
-                                    assert(ca_subject_name != nullptr);
-                                    char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0);
-                                    assert(ca_subject_name_str != nullptr);
-                                    ca_sn = ca_subject_name_str;
-                                    OPENSSL_free(ca_subject_name_str);
-                                }
-
-                                // Retrieve signature algorithm
-                                if (ca_algo.empty())
-                                {
-                                    if (get_signature_algorithm(itmp->x509, ca_algo, exception))
-                                    {
-                                        X509_STORE_add_cert(store, itmp->x509);
-                                        count++;
-                                    }
-                                }
-                                else
-                                {
-                                    X509_STORE_add_cert(store, itmp->x509);
-                                    count++;
-                                }
-                            }
-                            if (itmp->crl)
-                            {
-                                X509_STORE_add_crl(store, itmp->crl);
-                                there_are_crls = true;
-                            }
-                        }
-
-                        sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
-                        if (count > 0)
-                        {
-                            BIO_free(in);
-
-                            return store;
-                        }
-                    }
-                    else
-                    {
-                        exception = _SecurityException_(std::string(
-                                            "OpenSSL library cannot read X509 info in file ") +
-                                        permissions_ca.substr(7));
-                    }
-                }
-                else
-                {
-                    exception = _SecurityException_(std::string(
-                                        "OpenSSL library cannot read file ") + permissions_ca.substr(7));
-                }
-
-                BIO_free(in);
-            }
-            else
-            {
-                exception = _SecurityException_("OpenSSL library cannot allocate file");
-            }
-        }
-        else
-        {
-            exception = _SecurityException_("Unsupported permissions_ca format");
-        }
-
-        X509_STORE_free(store);
-    }
-    else
+    if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0)
     {
-        exception = _SecurityException_("Creation of X509 storage");
+        return detail::FileProvider::load_ca(permissions_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm,
+                       exception);
     }
 
+    exception = _SecurityException_(std::string("Unsupported URI format ") + permissions_ca);
     return nullptr;
 }