eProsima · MiguelCompany · Dec 22, 2021 · Sep 21, 2021 · Sep 22, 2021 · Sep 22, 2021
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -165,6 +165,7 @@ if(SECURITY)
 else()
     find_package(OpenSSL)
 endif()
+find_package(LibP11)
 
 if(OPENSSL_FOUND)
     message(STATUS "OpenSSL library ${OPENSSL_VERSION} found...")

diff --git a/README.md b/README.md
@@ -93,6 +93,22 @@ choco install -y -s <PATH\TO\DOWNLOADS\> asio tinyxml2
 
 Please replace `<PATH\TO\DOWNLOADS>` with the folder you downloaded the packages to.
 
+##### Libp11 library
+
+Libp11 provides PKCS#11 support for openSSL. This is an optional dependency,
+that is needed only when *eprosima Fast DDS* is used with security and PKCS#11 URLs.
+
+On Linux, you can install libp11 using the package manager of your Linux distribution.
+For example, on Ubuntu you can install them by using its package manager with the next command.
+
+```bash
+sudo apt install libp11-dev libengine-pkcs11-openssl
+```
+
+On Windows, you can download and compile the library from this
+[ROS2 Github repository](https://github.com/OpenSC/libp11).
+Follow the instructions on the repository to compile it on your platform.
+
 #### Colcon installation
 
 [colcon](https://colcon.readthedocs.io) is a command line tool to build sets of software packages.

diff --git a/cmake/modules/FindLibP11.cmake b/cmake/modules/FindLibP11.cmake
@@ -0,0 +1,43 @@
+# FindLibP11
+#
+# Generates an imported target associated to an available pksc11 library:
+#
+#   + On linux relies on the apt package libp11-dev
+#
+#   + On Windows the library must be build from sources available at https://github.com/OpenSC/libp11.git
+#     Given that each user must build its own binaries the following environment variables must be set to hint
+#     where to locate headers and binaries (semicolon-separated list see https://cmake.org/cmake/help/v3.22/variable/PackageName_ROOT.html):
+#       + LibP11_ROOT_32 -> to reference sources and 32 bit binaries location
+#       + LibP11_ROOT_64 -> to reference sources and 64 bit binaries location
+
+if(TARGET eProsima_p11)
+    return()
+endif()
+
+if(CMAKE_SIZEOF_VOID_P EQUAL 4)
+    set(LibP11_ROOT "$ENV{LibP11_ROOT_32}")
+else()
+    set(LibP11_ROOT "$ENV{LibP11_ROOT_64}")
+endif()
+
+find_path(LIBP11_INCLUDE_DIR NAMES libp11.h HINTS ${LibP11_ROOT})
+find_library(LIBP11_LIBRARY NAMES libp11.a libp11.lib HINTS ${LibP11_ROOT})
+
+include(FindPackageHandleStandardArgs)
+find_package_handle_standard_args(LibP11 DEFAULT_MSG LIBP11_LIBRARY LIBP11_INCLUDE_DIR)
+
+if(LibP11_FOUND)
+    # add the target
+    add_library(eProsima_p11 STATIC IMPORTED)
+
+    # update the properties
+    set_target_properties(eProsima_p11 PROPERTIES
+        IMPORTED_LOCATION "${LIBP11_LIBRARY}"
+        INTERFACE_INCLUDE_DIRECTORIES "${LIBP11_INCLUDE_DIR}"
+    )
+endif()
+
+# clean local variables
+unset(LIBP11_INCLUDE_DIR)
+unset(LIBP11_LIBRARY)
+unset(LibP11_ROOT)
diff --git a/include/fastrtps/config.h.in b/include/fastrtps/config.h.in
@@ -25,87 +25,91 @@
 // C++20 support defines
 #ifndef HAVE_CXX20
 #define HAVE_CXX20 @HAVE_CXX20@
-#endif
+#endif /* ifndef HAVE_CXX20 */
 
 // C++17 support defines
 #ifndef HAVE_CXX17
 #define HAVE_CXX17 @HAVE_CXX17@
-#endif
+#endif /* ifndef HAVE_CXX17 */
 
 // C++14 support defines
 #ifndef HAVE_CXX14
 #define HAVE_CXX14 @HAVE_CXX14@
-#endif
+#endif /* ifndef HAVE_CXX14 */
 
 // C++1Y support defines
 #ifndef HAVE_CXX1Y
 #define HAVE_CXX1Y @HAVE_CXX1Y@
-#endif
+#endif /* ifndef HAVE_CXX1Y */
 
 // C++11 support defines
 #ifndef HAVE_CXX11
 #define HAVE_CXX11 @HAVE_CXX11@
-#endif
+#endif /* ifndef HAVE_CXX11 */
 
 // C++0x support defines
 #ifndef HAVE_CXX0X
 #define HAVE_CXX0X @HAVE_CXX0X@
-#endif
+#endif /* ifndef HAVE_CXX0X */
 
 // C++ constexpr support
 #ifndef HAVE_CXX_CONSTEXPR
 #define HAVE_CXX_CONSTEXPR @HAVE_CXX_CONSTEXPR@
-#endif
+#endif /* ifndef HAVE_CXX_CONSTEXPR */
 
 #if HAVE_CXX_CONSTEXPR
 #define CONSTEXPR constexpr
 #else
 #define CONSTEXPR const
-#endif
+#endif /* if HAVE_CXX_CONSTEXPR */
 
 // Endianness defines
 #ifndef FASTDDS_IS_BIG_ENDIAN_TARGET
 #define FASTDDS_IS_BIG_ENDIAN_TARGET @FASTDDS_IS_BIG_ENDIAN_TARGET@
-#endif
+#endif /* ifndef FASTDDS_IS_BIG_ENDIAN_TARGET */
 
 // Security
 #ifndef HAVE_SECURITY
 #define HAVE_SECURITY @HAVE_SECURITY@
-#endif
+#endif /* ifndef HAVE_SECURITY */
+
+#ifndef HAVE_LIBP11
+#define HAVE_LIBP11 @HAVE_LIBP11@
+#endif /* ifndef HAVE_LIBP11 */
 
 //Sqlite3 support
 #ifndef HAVE_SQLITE3
 #define HAVE_SQLITE3 @HAVE_SQLITE3@
-#endif
+#endif /* ifndef HAVE_SQLITE3 */
 
 
 // TLS support
 #ifndef TLS_FOUND
 #define TLS_FOUND @TLS_FOUND@
-#endif
+#endif /* ifndef TLS_FOUND */
 
 // Strict real-time
 #ifndef HAVE_STRICT_REALTIME
 #define HAVE_STRICT_REALTIME @HAVE_STRICT_REALTIME@
-#endif
+#endif /* ifndef HAVE_STRICT_REALTIME */
 
 /* Log Macros */
 
 // Log Info
 #cmakedefine FASTDDS_ENFORCE_LOG_INFO
 #ifndef HAVE_LOG_NO_INFO
 #define HAVE_LOG_NO_INFO @HAVE_LOG_NO_INFO@
-#endif
+#endif /* ifndef HAVE_LOG_NO_INFO */
 
 // Log Warning
 #ifndef HAVE_LOG_NO_WARNING
 #define HAVE_LOG_NO_WARNING @HAVE_LOG_NO_WARNING@
-#endif
+#endif /* ifndef HAVE_LOG_NO_WARNING */
 
 // Log Error
 #ifndef HAVE_LOG_NO_ERROR
 #define HAVE_LOG_NO_ERROR @HAVE_LOG_NO_ERROR@
-#endif
+#endif /* ifndef HAVE_LOG_NO_ERROR */
 
 // Statistics
 #cmakedefine FASTDDS_STATISTICS
@@ -119,7 +123,7 @@
 #define FASTRTPS_DEPRECATED(msg) __declspec(deprecated(msg))
 #else
 #define FASTRTPS_DEPRECATED(msg)
-#endif
+#endif /* if __cplusplus >= 201402L */
 
 // Deprecation with version
 #define FASTDDS_DEPRECATED_UNTIL(major, entity_name, msg)                                                           \
@@ -128,7 +132,7 @@
 
 #define FASTDDS_TODO_BEFORE(major, minor, msg)                                          \
     static_assert((FASTRTPS_VERSION_MAJOR < major) ||                                   \
-                  (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor),  \
-                  "TODO before version " #major "." #minor " : " #msg);
+            (FASTRTPS_VERSION_MAJOR == major && FASTRTPS_VERSION_MINOR < minor),  \
+            "TODO before version " #major "." #minor " : " #msg);
 
 #endif // _FASTRTPS_CONFIG_H_
diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt
@@ -296,15 +296,23 @@ set(${PROJECT_NAME}_security_source_files
     security/accesscontrol/GovernanceParser.cpp
     security/accesscontrol/PermissionsParser.cpp
     security/logging/LogTopic.cpp
+    security/artifact_providers/FileProvider.cpp
+    security/artifact_providers/Pkcs11Provider.cpp
     )
 
 if(SECURITY)
     list(APPEND ${PROJECT_NAME}_source_files
         ${${PROJECT_NAME}_security_source_files}
         )
     set(HAVE_SECURITY 1)
+    if(LIBP11_FOUND)
+        set(HAVE_LIBP11 1)
+    else()
+        set(HAVE_LIBP11 0)
+    endif()
 else()
     set(HAVE_SECURITY 0)
+    set(HAVE_LIBP11 0)
 endif()
 
 if(WIN32 AND (MSVC OR MSVC_IDE))
@@ -437,6 +445,7 @@ target_link_libraries(${PROJECT_NAME} ${PRIVACY} fastcdr foonathan_memory
     $<$<BOOL:${WIN32}>:iphlpapi$<SEMICOLON>Shlwapi>
     ${THIRDPARTY_BOOST_LINK_LIBS}
     PRIVATE eProsima_atomic
+    $<$<BOOL:${LibP11_FOUND}>:eProsima_p11>  # $<TARGET_NAME_IF_EXISTS:eProsima_p11>
     )
 
 if(MSVC OR MSVC_IDE)

diff --git a/src/cpp/security/accesscontrol/Permissions.cpp b/src/cpp/security/accesscontrol/Permissions.cpp
@@ -43,6 +43,8 @@
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
 
+#include <security/artifact_providers/FileProvider.hpp>
+
 #include <cassert>
 #include <fstream>
 
@@ -351,105 +353,13 @@ static X509_STORE* load_permissions_ca(
         std::string& ca_algo,
         SecurityException& exception)
 {
-    X509_STORE* store = X509_STORE_new();
-
-    if (store != nullptr)
-    {
-        if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0)
-        {
-            BIO* in = BIO_new(BIO_s_file());
-
-            if (in != nullptr)
-            {
-                if (BIO_read_filename(in, permissions_ca.substr(7).c_str()) > 0)
-                {
-                    STACK_OF(X509_INFO) * inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
-
-                    if (inf != nullptr)
-                    {
-                        int i, count = 0;
-                        there_are_crls = false;
-
-                        for (i = 0; i < sk_X509_INFO_num(inf); i++)
-                        {
-                            X509_INFO* itmp = sk_X509_INFO_value(inf, i);
-
-                            if (itmp->x509)
-                            {
-                                // Retrieve subject name for future use.
-                                if (ca_sn.empty())
-                                {
-                                    X509_NAME* ca_subject_name = X509_get_subject_name(itmp->x509);
-                                    assert(ca_subject_name != nullptr);
-                                    char* ca_subject_name_str = X509_NAME_oneline(ca_subject_name, 0, 0);
-                                    assert(ca_subject_name_str != nullptr);
-                                    ca_sn = ca_subject_name_str;
-                                    OPENSSL_free(ca_subject_name_str);
-                                }
-
-                                // Retrieve signature algorithm
-                                if (ca_algo.empty())
-                                {
-                                    if (get_signature_algorithm(itmp->x509, ca_algo, exception))
-                                    {
-                                        X509_STORE_add_cert(store, itmp->x509);
-                                        count++;
-                                    }
-                                }
-                                else
-                                {
-                                    X509_STORE_add_cert(store, itmp->x509);
-                                    count++;
-                                }
-                            }
-                            if (itmp->crl)
-                            {
-                                X509_STORE_add_crl(store, itmp->crl);
-                                there_are_crls = true;
-                            }
-                        }
-
-                        sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
-                        if (count > 0)
-                        {
-                            BIO_free(in);
-
-                            return store;
-                        }
-                    }
-                    else
-                    {
-                        exception = _SecurityException_(std::string(
-                                            "OpenSSL library cannot read X509 info in file ") +
-                                        permissions_ca.substr(7));
-                    }
-                }
-                else
-                {
-                    exception = _SecurityException_(std::string(
-                                        "OpenSSL library cannot read file ") + permissions_ca.substr(7));
-                }
-
-                BIO_free(in);
-            }
-            else
-            {
-                exception = _SecurityException_("OpenSSL library cannot allocate file");
-            }
-        }
-        else
-        {
-            exception = _SecurityException_("Unsupported permissions_ca format");
-        }
-
-        X509_STORE_free(store);
-    }
-    else
+    if (permissions_ca.size() >= 7 && permissions_ca.compare(0, 7, "file://") == 0)
     {
-        exception = _SecurityException_("Creation of X509 storage");
+        return detail::FileProvider::load_ca(permissions_ca, there_are_crls, ca_sn, ca_algo, get_signature_algorithm,
+                       exception);
     }
 
+    exception = _SecurityException_(std::string("Unsupported URI format ") + permissions_ca);
     return nullptr;
 }