From: Tom Rini <trini@konsulko.com>
To: "Chan, Donald" <hoiho@lab126.com>
Cc: u-boot@lists.denx.de, Alexandru Gagniuc <mr.nuke.me@gmail.com>,
	Simon Glass <sjg@chromium.org>
Subject: Re: [PATCH] lib: rsa: Extract public key from private key if keyfile argument is used
Date: Wed, 28 Jul 2021 14:33:25 -0400	[thread overview]
Message-ID: <20210728183325.GW9379@bill-the-cat> (raw)
In-Reply-To: <CA0975DB-96AE-491F-BEA4-2D1E494D492B@lab126.com>


On Sun, Jul 18, 2021 at 09:52:03AM -0700, Chan, Donald wrote:

> If the 'keyfile' (-G) argument is used, there is little value to require
> 'keydir' (-k) argument since the public key can also be extracted from the
> private key itself.
> 
> Signed-off-by: Donald Chan <hoiho@lab126.com>
> ---
>  lib/rsa/rsa-sign.c | 28 +++++++++++++++++++++-------
>  1 file changed, 21 insertions(+), 7 deletions(-)
> 
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index f4ed11e74a..f70f352311 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -49,16 +49,16 @@ static int rsa_err(const char *msg)
>  }
> 
>  /**
> - * rsa_pem_get_pub_key() - read a public key from a .crt file
> + * rsa_pem_get_pub_key() - read a public key from a private key file or
> .crt file
>   *
> - * @keydir:	Directory containins the key
> - * @name	Name of key file (will have a .crt extension)
> + * @keydir:	Directory containing the key, can be NULL
> + * @name	Name of key file (will apply a .crt extension if keydir is not
> NULL)
>   * @evpp	Returns EVP_PKEY object, or NULL on failure
>   * @return 0 if ok, -ve on error (in which case *evpp will be set to NULL)
>   */
>  static int rsa_pem_get_pub_key(const char *keydir, const char *name,
> EVP_PKEY **evpp)
>  {
> -	char path[1024];
> +	char path[1024] = {0};
>  	EVP_PKEY *key = NULL;
>  	X509 *cert;
>  	FILE *f;
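
Review bot: the kernel-doc in this hunk still presents the function as returning only a public key, but with the PEM_read_PrivateKey path added later in this patch *evpp can now carry a complete private key, so the @evpp line (and the function name, which no longer matches its behaviour) should say so, and @name should state that with keydir == NULL the string is used verbatim as a path rather than as a key name that gets a .crt suffix. Separately, the comment lines in this hunk arrived wrapped mid-line (the title continues on a bare ".crt file" line and "@name ... is not" continues as "NULL)"), which is the mangling that will stop the patch from applying; resend with a mailer that does not wrap long lines.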
> @@ -68,7 +68,10 @@ static int rsa_pem_get_pub_key(const char *keydir, const
> char *name, EVP_PKEY **
>  		return -EINVAL;
> 
>  	*evpp = NULL;
> -	snprintf(path, sizeof(path), "%s/%s.crt", keydir, name);
> +	if (keydir && name)
> +		snprintf(path, sizeof(path), "%s/%s.crt", keydir, name);
> +	else if (name)
> +		snprintf(path, sizeof(path), "%s", name);
>  	f = fopen(path, "r");
>  	if (!f) {
>  		fprintf(stderr, "Couldn't open RSA certificate: '%s': %s\n",
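
Review bot: when name is NULL neither the if nor the else-if branch writes to path, so the zero-initialised buffer reaches fopen() as the empty string and the user gets "Couldn't open RSA certificate: '': No such file or directory" with -EACCES instead of the -EINVAL the situation calls for; reject !name alongside the existing !evpp check at the top of the function, after which the "= {0}" initialiser added in the previous hunk is no longer needed. The snprintf results are also still unchecked for truncation, so an over-long keydir/name silently opens the wrong path (pre-existing, but worth fixing while touching these lines).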
> @@ -76,7 +79,13 @@ static int rsa_pem_get_pub_key(const char *keydir, const
> char *name, EVP_PKEY **
>  		return -EACCES;
>  	}
> 
> -	/* Read the certificate */
> +	/* See if it contains a PEM private key? */
> +	if (PEM_read_PrivateKey(f, evpp, NULL, path)) {
> +		fclose(f);
> +		return 0;
> +	}
> +
> +	/* Not a PEM private key, read the certificate */
>  	cert = NULL;
>  	if (!PEM_read_X509(f, &cert, NULL, NULL)) {
>  		rsa_err("Couldn't read certificate");
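
Review bot: passing path as the last argument of PEM_read_PrivateKey(f, evpp, NULL, path) is a bug: with a NULL callback OpenSSL interprets a non-NULL u as the passphrase string itself, so an encrypted private key would be "unlocked" with its own file name and never prompt the user; pass NULL (or a real pem_password_cb) there. The certificate fallback also needs a rewind(f) before PEM_read_X509(): the PEM reader skips PEM blocks that are not a private key while searching, so on a plain .crt file the stream is already at EOF when the certificate read runs and the existing keydir path stops working; clear the error queue (ERR_clear_error()) after the failed probe as well, so that a later rsa_err() reports the real failure rather than the probe's "no start line".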
> @@ -672,7 +681,12 @@ int rsa_add_verify_data(struct image_sign_info *info,
> void *keydest)
>  		if (ret)
>  			return ret;
>  	}
> -	ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
> +	if (info->keydir && info->keyname)
> +		ret = rsa_get_pub_key(info->keydir, info->keyname, e, &pkey);
> +	else if (info->keyfile)
> +		ret = rsa_get_pub_key(NULL, info->keyfile, e, &pkey);
> +	else
> +		ret = -EINVAL;
>  	if (ret)
>  		goto err_get_pub_key;
>  #if OPENSSL_VERSION_NUMBER < 0x10100000L || \
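
Review bot: the new else branch fails silently with -EINVAL while every other failure on this path prints what went wrong; emit a message (that either keydir/keyname or keyfile is required) before goto err_get_pub_key. Two things to confirm as well: when both keydir/keyname and keyfile are supplied, keyfile is quietly ignored, which the commit message should state as the intended precedence; and the keyfile branch passes keydir == NULL through rsa_get_pub_key together with the engine e, so the engine side of rsa_get_pub_key has to tolerate a NULL keydir too.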

This seems reasonable, but the formatting of the patch was destroyed
somewhere along the way, can you please resend?  Thanks.

-- 
Tom


Thread overview: 8+ messages
2021-07-18 16:52 [PATCH] lib: rsa: Extract public key from private key if keyfile argument is used Chan, Donald
2021-07-28 18:33 ` Tom Rini [this message]
2021-07-28 20:17   ` Chan, Donald
2021-07-28 20:20     ` Tom Rini
2021-07-29  0:34       ` Donald Chan
2021-07-31 16:59         ` Simon Glass
2021-08-02 17:37           ` Chan, Donald
2021-09-01 22:31         ` Tom Rini
