[PATCH 1/2] lib: rsa: Fix PKCS11 URI if one is not given in `keydir`

If `keydir` is not present, we need to build a PKCS11 URI from just the key name. In this case, we *do* need 'pkcs11:'
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence csokas.bence@prolan.hu --- lib/rsa/rsa-sign.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 858ad92a6f..fd587d8deb 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -124,7 +124,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
  keydir, name);
  else
  snprintf(key_id, sizeof(key_id),
- "object=%s;type=public",
+ "pkcs11:object=%s;type=public",
  name);
  } else if (engine_id) {
  if (keydir)
@@ -246,7 +246,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
  keydir, name);
  else
  snprintf(key_id, sizeof(key_id),
- "object=%s;type=private",
+ "pkcs11:object=%s;type=private",
  name);
  } else if (engine_id) {
  if (keydir && name)
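Review bot: In the pub-key hunk (-124) the `else` branch hands `name` to `%s` with no NULL check visible in `rsa_engine_get_pub_key`, so a call with neither `keydir` nor `name` would pass a null pointer to `snprintf`, which is undefined behaviour; the priv-key hunk (-246) sits in a function that appears to reject that combination earlier with the "Please use 'keydir' with PKCS11" error (not shown in this hunk), so it is the pub-key branch that needs confirming. A guard such as `if (!name) return -EINVAL;` ahead of the `else` would make the contract explicit. Separately, `name` becomes a pk11-pattern value verbatim; RFC 7512 requires characters such as `;` to be percent-encoded there, so a name containing one changes how the URI's attributes are parsed — either rejecting or encoding such names would keep the URI well-formed. Both enclosing functions start and end outside these hunks.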

But emit a warning for it. Then we can remove support once everyone has had time to update their scripts, docs, CI etc.
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence csokas.bence@prolan.hu --- lib/rsa/rsa-sign.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index fd587d8deb..2304030e32 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -104,6 +104,8 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
  const char *engine_id;
  char key_id[1024];
  EVP_PKEY *key = NULL;
+ const char *const pkcs11_schema = "pkcs11:";
+ const char *pkcs11_uri_prepend = "";
 
  if (!evpp)
  return -EINVAL;
@@ -113,19 +115,26 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
  engine_id = ENGINE_get_id(engine);
 
  if (engine_id && !strcmp(engine_id, "pkcs11")) {
- if (keydir)
+ if (keydir) {
+ // Check for legacy keydir spec and prepend
+ if (strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))) {
+ pkcs11_uri_prepend = pkcs11_schema;
+ fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n", pkcs11_schema);
+ }
+
  if (strstr(keydir, "object="))
  snprintf(key_id, sizeof(key_id),
- "%s;type=public",
- keydir);
+ "%s%s;type=public",
+ pkcs11_uri_prepend, keydir);
  else
  snprintf(key_id, sizeof(key_id),
- "%s;object=%s;type=public",
- keydir, name);
- else
+ "%s%s;object=%s;type=public",
+ pkcs11_uri_prepend, keydir, name);
+ } else {
  snprintf(key_id, sizeof(key_id),
  "pkcs11:object=%s;type=public",
  name);
+ }
  } else if (engine_id) {
  if (keydir)
  snprintf(key_id, sizeof(key_id),
@@ -224,6 +233,8 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
  const char *engine_id;
  char key_id[1024];
  EVP_PKEY *key = NULL;
+ const char *const pkcs11_schema = "pkcs11:";
+ const char *pkcs11_uri_prepend = "";
 
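Review bot: The new `snprintf` calls in this hunk, and the identical ones in the priv-key hunk at -235, still discard their return value, so a `keydir`/`name` long enough to overflow `key_id[1024]` yields a silently truncated URI — typically missing the trailing `;type=public` — that is then handed to the engine as if it were complete. Each call should be checked, e.g. `int n = snprintf(...); if (n < 0 || (size_t)n >= sizeof(key_id)) return -EINVAL;`. Two smaller points: the `strncmp` scheme test is case-sensitive, so a `PKCS11:` prefix would get `pkcs11:` prepended in front of it (RFC 3986 scheme names are case-insensitive — confirm whether such input is expected), and the whole keydir/name-to-URI block is now duplicated verbatim between the two functions, differing only in `public`/`private`, which also duplicates the `pkcs11_schema`/`pkcs11_uri_prepend` locals added at -104 and -224. A shared helper taking the type string removes the duplication and gives the truncation check a single home. Both enclosing functions start and end outside the hunk.
```c
/*
 * Build the PKCS#11 URI selecting @name and/or @keydir into @key_id.
 * @type is "public" or "private". Returns 0, or -EINVAL if the URI
 * does not fit in @key_id_len bytes.
 */
static int rsa_engine_pkcs11_key_id(char *key_id, size_t key_id_len,
				    const char *keydir, const char *name,
				    const char *type)
{
	const char *const pkcs11_schema = "pkcs11:";
	const char *pkcs11_uri_prepend = "";
	int n;

	if (!keydir) {
		n = snprintf(key_id, key_id_len, "pkcs11:object=%s;type=%s",
			     name, type);
	} else {
		/* Legacy keydir without the scheme: prepend it, but warn */
		if (strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))) {
			pkcs11_uri_prepend = pkcs11_schema;
			fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n",
				pkcs11_schema);
		}
		if (strstr(keydir, "object="))
			n = snprintf(key_id, key_id_len, "%s%s;type=%s",
				     pkcs11_uri_prepend, keydir, type);
		else
			n = snprintf(key_id, key_id_len, "%s%s;object=%s;type=%s",
				     pkcs11_uri_prepend, keydir, name, type);
	}
	/* A truncated URI must not be passed on as if it were complete */
	if (n < 0 || (size_t)n >= key_id_len)
		return -EINVAL;

	return 0;
}

/* … unchanged: rsa_engine_get_pub_key() up to the engine_id lookup … */
	if (engine_id && !strcmp(engine_id, "pkcs11")) {
		if (rsa_engine_pkcs11_key_id(key_id, sizeof(key_id),
					     keydir, name, "public"))
			return -EINVAL;
	} else if (engine_id) {
/* … unchanged: non-pkcs11 engine branch … */
```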
  if (!evpp)
  return -EINVAL;
@@ -235,19 +246,26 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
  fprintf(stderr, "Please use 'keydir' with PKCS11\n");
  return -EINVAL;
  }
- if (keydir)
+ if (keydir) {
+ // Check for legacy keydir spec and prepend
+ if (strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))) {
+ pkcs11_uri_prepend = pkcs11_schema;
+ fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n", pkcs11_schema);
+ }
+
  if (strstr(keydir, "object="))
  snprintf(key_id, sizeof(key_id),
- "%s;type=private",
- keydir);
+ "%s%s;type=private",
+ pkcs11_uri_prepend, keydir);
  else
  snprintf(key_id, sizeof(key_id),
- "%s;object=%s;type=private",
- keydir, name);
- else
+ "%s%s;object=%s;type=private",
+ pkcs11_uri_prepend, keydir, name);
+ } else {
  snprintf(key_id, sizeof(key_id),
  "pkcs11:object=%s;type=private",
  name);
+ }
  } else if (engine_id) {
  if (keydir && name)
  snprintf(key_id, sizeof(key_id),

On Fri, Jan 05, 2024 at 03:08:04PM +0100, Csókás Bence wrote:
But emit a warning for it. Then we can remove support once everyone has had time to update their scripts, docs, CI etc.
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence csokas.bence@prolan.hu
Applied to u-boot/master, thanks!

On Fri, Jan 05, 2024 at 03:08:03PM +0100, Csókás Bence wrote:
If `keydir` is not present, we need to build a PKCS11 URI from just the key name. In this case, we *do* need 'pkcs11:'
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence csokas.bence@prolan.hu
Applied to u-boot/master, thanks!