[PATCH] lib: rsa: avoid overriding the object name when already specified

From: Jan Luebbe jlu@pengutronix.de
If "object=" is specified in "keydir" when using the pkcs11 engine do not append another "object=<key-name-hint>". This makes it possible to use object names other than the key name hint. These two string identifiers are not necessarily equal.
Signed-off-by: Jan Luebbe jlu@pengutronix.de
Signed-off-by: Bastian Krause bst@pengutronix.de
---
Note: we could also check if keydir starts with "pkcs11:" and append ";type=public|private". That would allow passing complete PKCS#11 URIs which is somewhat nicer.
---
doc/uImage.FIT/signature.txt | 8 +++++---
lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 3591225a6e..d4afd755e9 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed to openssl's default search paths.
PKCS11 engine support forms "key id" based on "keydir" and with -"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if -defined is used to define (prefix for) which PKCS11 source is being used for -lookup up for the key. +"key-name-hint". "key-name-hint" is used as "object" name (if not defined in +keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source +is being used for lookup up for the key.
PKCS11 engine key ids: "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" +or, if keydir contains "object=" + "pkcs11:<keydir>;type=<public|private>" or "pkcs11:object=<key-name-hint>;type=<public|private>",
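Review bot: the rewritten sentence in this hunk keeps the original's doubled wording "is being used for lookup up for the key"; since the line is touched anyway, make it "is being used for looking up the key". The new parenthetical "(if not defined in keydir)" is also looser than the code: the C hunks suppress the hint whenever the string "object=" occurs anywhere in keydir, so stating "if keydir contains "object="" here as well (as the key-id list below already does) keeps both descriptions consistent.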
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index 580c744709..1914b96413 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
if (engine_id && !strcmp(engine_id, "pkcs11")) { if (keydir) - snprintf(key_id, sizeof(key_id), - "pkcs11:%s;object=%s;type=public", - keydir, name); + if (strstr(keydir, "object=")) + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;type=public", + keydir); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;object=%s;type=public", + keydir, name); else snprintf(key_id, sizeof(key_id), "pkcs11:object=%s;type=public", @@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
if (engine_id && !strcmp(engine_id, "pkcs11")) { if (keydir) - snprintf(key_id, sizeof(key_id), - "pkcs11:%s;object=%s;type=private", - keydir, name); + if (strstr(keydir, "object=")) + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;type=private", + keydir); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:%s;object=%s;type=private", + keydir, name); else snprintf(key_id, sizeof(key_id), "pkcs11:object=%s;type=private",
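Review bot: both hunks turn the body of `if (keydir)` into a two-branch `if (strstr(...)) ... else ...` without braces, so the trailing `else` now relies on the dangling-else rule to bind back to `if (keydir)`; it does, but U-Boot's coding style wants braces once a branch is more than a single statement, so wrap it as `if (keydir) { ... } else { ... }` in rsa_engine_get_pub_key() and rsa_engine_get_priv_key(). `strstr(keydir, "object=")` is also a plain substring match, so "object=" appearing inside another attribute's value (for example in a token or label) would silently drop the key-name-hint; checking that the match sits at the start of keydir or directly after a ';' separator would make the condition match the documented intent. Finally, the two hunks are now three identical snprintf() calls differing only in "public"/"private"; a small helper taking the type string would stop the two copies from drifting apart.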

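To make the key-id rules described in the commit message and the doc hunk concrete, here is an added example in C that is not U-Boot code: it reimplements the patched `keydir`/`key-name-hint` combination, adds a stricter whole-attribute check that the substring test lacks, and sketches the "pkcs11:" prefix variant floated in the note after the Signed-off-by lines. The buffer size, the function names and the sample keydir strings are assumptions for illustration; rsa-sign.c's real `key_id` buffer size is not shown on this page.

```c
/* Added example, not U-Boot code: how the pkcs11 engine key id is built
 * from "keydir" and "key-name-hint", and why the substring check matters. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define KEY_ID_LEN 256	/* assumed size; rsa-sign.c's key_id size is not shown */

/* Mirrors the patched rsa-sign.c logic: any "object=" inside keydir
 * suppresses the appended "object=<name>" attribute (plain strstr match). */
static int build_key_id_patched(char *out, size_t outsz, const char *keydir,
				const char *name, const char *type)
{
	int n;

	if (keydir) {
		if (strstr(keydir, "object="))
			n = snprintf(out, outsz, "pkcs11:%s;type=%s", keydir, type);
		else
			n = snprintf(out, outsz, "pkcs11:%s;object=%s;type=%s",
				     keydir, name, type);
	} else {
		n = snprintf(out, outsz, "pkcs11:object=%s;type=%s", name, type);
	}
	/* snprintf truncates silently; treat an overlong id as an error */
	return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Stricter test: "object=" only counts when it starts a path attribute,
 * i.e. at the beginning of keydir or right after a ';' separator. */
static bool keydir_has_object_attr(const char *keydir)
{
	const char *p = keydir;

	while ((p = strstr(p, "object=")) != NULL) {
		if (p == keydir || p[-1] == ';')
			return true;
		p += strlen("object=");
	}
	return false;
}

/* The alternative from the patch note (hypothetical, not in U-Boot): a
 * keydir that is already a full "pkcs11:" URI gets only ";type=" appended. */
static int build_key_id_uri(char *out, size_t outsz, const char *keydir,
			    const char *name, const char *type)
{
	int n;

	if (!keydir || strncmp(keydir, "pkcs11:", strlen("pkcs11:")) != 0)
		return build_key_id_patched(out, outsz, keydir, name, type);
	n = snprintf(out, outsz, "%s;type=%s", keydir, type);
	return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Build with one of the two rules and compare against an expected id. */
static bool key_id_is(bool uri_mode, const char *keydir, const char *name,
		      const char *type, const char *expected)
{
	char buf[KEY_ID_LEN];
	int n = uri_mode ? build_key_id_uri(buf, sizeof(buf), keydir, name, type)
			 : build_key_id_patched(buf, sizeof(buf), keydir, name, type);

	return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
	/* constructed sample keydir values; the last one shows the false positive */
	const char *cases[] = { NULL, "token=signing",
				"token=signing;object=fit-key", "token=myobject=1" };
	char buf[KEY_ID_LEN];
	size_t i;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		if (build_key_id_patched(buf, sizeof(buf), cases[i], "dev", "public") < 0)
			continue;
		printf("keydir=%-30s -> %s (strict object attr: %s)\n",
		       cases[i] ? cases[i] : "(none)", buf,
		       cases[i] && keydir_has_object_attr(cases[i]) ? "yes" : "no");
	}
	return 0;
}
```

The fourth sample, "token=myobject=1", is the case the strict check is for: the patched `strstr()` rule drops the key-name-hint from the id even though no object attribute was given, while `keydir_has_object_attr()` reports that no such attribute is present.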
On Wed, May 13, 2020 at 5:26 AM Bastian Krause bst@pengutronix.de wrote:
From: Jan Luebbe jlu@pengutronix.de
If "object=" is specified in "keydir" when using the pkcs11 engine do not append another "object=<key-name-hint>". This makes it possible to use object names other than the key name hint. These two string identifiers are not necessarily equal.
Signed-off-by: Jan Luebbe jlu@pengutronix.de
Signed-off-by: Bastian Krause bst@pengutronix.de
Looks good to me.
Reviewed-by: George McCollister george.mccollister@gmail.com

On Wed, May 13, 2020 at 12:26:24PM +0200, Bastian Krause wrote:
From: Jan Luebbe jlu@pengutronix.de
If "object=" is specified in "keydir" when using the pkcs11 engine do not append another "object=<key-name-hint>". This makes it possible to use object names other than the key name hint. These two string identifiers are not necessarily equal.
Signed-off-by: Jan Luebbe jlu@pengutronix.de
Signed-off-by: Bastian Krause bst@pengutronix.de
Reviewed-by: George McCollister george.mccollister@gmail.com
Applied to u-boot/master, thanks!
participants (3): Bastian Krause, George McCollister, Tom Rini