Re: [PATCH] lib: rsa: Extract public key from private key if keyfile argument is used

Hi Donald,

On Wed, 28 Jul 2021 at 18:35, Donald Chan hoiho@lab126.com wrote:

If the 'keyfile' (-G) argument is used, there is little value to require 'keydir' (-k) argument since the public key can also be extracted from the private key itself.

Signed-off-by: Donald Chan hoiho@lab126.com

lib/rsa/rsa-sign.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index f4ed11e74a..f70f352311 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -49,16 +49,16 @@ static int rsa_err(const char *msg) }

/**

• • rsa_pem_get_pub_key() - read a public key from a .crt file

• • rsa_pem_get_pub_key() - read a public key from a private key file or .crt file

• • @keydir: Directory containins the key
• • @name Name of key file (will have a .crt extension)

• • @keydir: Directory containing the key, can be NULL
• • @name Name of key file (will apply a .crt extension if keydir is not NULL)
  • @evpp Returns EVP_PKEY object, or NULL on failure
  • @return 0 if ok, -ve on error (in which case *evpp will be set to NULL)
  */

static int rsa_pem_get_pub_key(const char *keydir, const char *name, EVP_PKEY **evpp) {

•   char path[1024];
  

•   char path[1024] = {0};
    EVP_PKEY *key = NULL;
    X509 *cert;
    FILE *f;
  

@@ -68,7 +68,10 @@ static int rsa_pem_get_pub_key(const char *keydir, const char *name, EVP_PKEY ** return -EINVAL;

    *evpp = NULL;

•   snprintf(path, sizeof(path), "%s/%s.crt", keydir, name);
  

•   if (keydir && name)
  

•           snprintf(path, sizeof(path), "%s/%s.crt", keydir, name);
  

•   else if (name)
  

•           snprintf(path, sizeof(path), "%s", name);
    f = fopen(path, "r");
    if (!f) {
            fprintf(stderr, "Couldn't open RSA certificate: '%s': %s\n",
  

@@ -76,7 +79,13 @@ static int rsa_pem_get_pub_key(const char *keydir, const char *name, EVP_PKEY ** return -EACCES; }

•   /* Read the certificate */
  

•   /* See if it contains a PEM private key? */
  

•   if (PEM_read_PrivateKey(f, evpp, NULL, path)) {
  

•           fclose(f);
  

•           return 0;
  

•   }
  

•   /* Not a PEM private key, read the certificate */
    cert = NULL;
    if (!PEM_read_X509(f, &cert, NULL, NULL)) {
            rsa_err("Couldn't read certificate");
  

@@ -672,7 +681,12 @@ int rsa_add_verify_data(struct image_sign_info *info, void *keydest) if (ret) return ret; }

•   ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
  

•   if (info->keydir && info->keyname)
  

•           ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
  

•   else if (info->keyfile)
  

•           ret = rsa_get_pub_key(NULL, info->keyfile, e, &pkey);
  

•   else
  

•           ret = -EINVAL;
    if (ret)
            goto err_get_pub_key;
  

#if OPENSSL_VERSION_NUMBER < 0x10100000L || \

2.16.6

Can we work this into a test somehow? The normal test is test_vboot.py - you could modify that or add a new test into that file perhaps?

Regards, Simon