* [PATCH] lib: rsa: avoid overriding the object name when already specified
@ 2020-05-13 10:26 Bastian Krause
2020-05-13 13:02 ` George McCollister
2020-05-15 20:54 ` Tom Rini
0 siblings, 2 replies; 3+ messages in thread
From: Bastian Krause @ 2020-05-13 10:26 UTC (permalink / raw)
To: u-boot
From: Jan Luebbe <jlu@pengutronix.de>
If "object=" is specified in "keydir" when using the pkcs11 engine do
not append another "object=<key-name-hint>". This makes it possible to
use object names other than the key name hint. These two string
identifiers are not necessarily equal.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Note: we could also check if keydir starts with "pkcs11:" and append
";type=public|private". That would allow passing complete PKCS#11 URIs
which is somewhat nicer.
---
doc/uImage.FIT/signature.txt | 8 +++++---
lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 3591225a6e..d4afd755e9 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
to openssl's default search paths.
PKCS11 engine support forms "key id" based on "keydir" and with
-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
-defined is used to define (prefix for) which PKCS11 source is being used for
-lookup up for the key.
+"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
+keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
+is being used for lookup up for the key.
PKCS11 engine key ids:
"pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
+or, if keydir contains "object="
+ "pkcs11:<keydir>;type=<public|private>"
or
"pkcs11:object=<key-name-hint>;type=<public|private>",
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 580c744709..1914b96413 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
if (engine_id && !strcmp(engine_id, "pkcs11")) {
if (keydir)
- snprintf(key_id, sizeof(key_id),
- "pkcs11:%s;object=%s;type=public",
- keydir, name);
+ if (strstr(keydir, "object="))
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:%s;type=public",
+ keydir);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:%s;object=%s;type=public",
+ keydir, name);
else
snprintf(key_id, sizeof(key_id),
"pkcs11:object=%s;type=public",
@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
if (engine_id && !strcmp(engine_id, "pkcs11")) {
if (keydir)
- snprintf(key_id, sizeof(key_id),
- "pkcs11:%s;object=%s;type=private",
- keydir, name);
+ if (strstr(keydir, "object="))
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:%s;type=private",
+ keydir);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:%s;object=%s;type=private",
+ keydir, name);
else
snprintf(key_id, sizeof(key_id),
"pkcs11:object=%s;type=private",
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH] lib: rsa: avoid overriding the object name when already specified
2020-05-13 10:26 [PATCH] lib: rsa: avoid overriding the object name when already specified Bastian Krause
@ 2020-05-13 13:02 ` George McCollister
2020-05-15 20:54 ` Tom Rini
1 sibling, 0 replies; 3+ messages in thread
From: George McCollister @ 2020-05-13 13:02 UTC (permalink / raw)
To: u-boot
On Wed, May 13, 2020 at 5:26 AM Bastian Krause <bst@pengutronix.de> wrote:
>
> From: Jan Luebbe <jlu@pengutronix.de>
>
> If "object=" is specified in "keydir" when using the pkcs11 engine do
> not append another "object=<key-name-hint>". This makes it possible to
> use object names other than the key name hint. These two string
> identifiers are not necessarily equal.
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
Looks good to me.
Reviewed-by: George McCollister <george.mccollister@gmail.com>
> ---
> Note: we could also check if keydir starts with "pkcs11:" and append
> ";type=public|private". That would allow passing complete PKCS#11 URIs
> which is somewhat nicer.
> ---
> doc/uImage.FIT/signature.txt | 8 +++++---
> lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
> 2 files changed, 21 insertions(+), 9 deletions(-)
>
> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
> index 3591225a6e..d4afd755e9 100644
> --- a/doc/uImage.FIT/signature.txt
> +++ b/doc/uImage.FIT/signature.txt
> @@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
> to openssl's default search paths.
>
> PKCS11 engine support forms "key id" based on "keydir" and with
> -"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
> -defined is used to define (prefix for) which PKCS11 source is being used for
> -lookup up for the key.
> +"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
> +keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
> +is being used for lookup up for the key.
>
> PKCS11 engine key ids:
> "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
> +or, if keydir contains "object="
> + "pkcs11:<keydir>;type=<public|private>"
> or
> "pkcs11:object=<key-name-hint>;type=<public|private>",
>
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index 580c744709..1914b96413 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>
> if (engine_id && !strcmp(engine_id, "pkcs11")) {
> if (keydir)
> - snprintf(key_id, sizeof(key_id),
> - "pkcs11:%s;object=%s;type=public",
> - keydir, name);
> + if (strstr(keydir, "object="))
> + snprintf(key_id, sizeof(key_id),
> + "pkcs11:%s;type=public",
> + keydir);
> + else
> + snprintf(key_id, sizeof(key_id),
> + "pkcs11:%s;object=%s;type=public",
> + keydir, name);
> else
> snprintf(key_id, sizeof(key_id),
> "pkcs11:object=%s;type=public",
> @@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>
> if (engine_id && !strcmp(engine_id, "pkcs11")) {
> if (keydir)
> - snprintf(key_id, sizeof(key_id),
> - "pkcs11:%s;object=%s;type=private",
> - keydir, name);
> + if (strstr(keydir, "object="))
> + snprintf(key_id, sizeof(key_id),
> + "pkcs11:%s;type=private",
> + keydir);
> + else
> + snprintf(key_id, sizeof(key_id),
> + "pkcs11:%s;object=%s;type=private",
> + keydir, name);
> else
> snprintf(key_id, sizeof(key_id),
> "pkcs11:object=%s;type=private",
> --
> 2.26.2
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] lib: rsa: avoid overriding the object name when already specified
2020-05-13 10:26 [PATCH] lib: rsa: avoid overriding the object name when already specified Bastian Krause
2020-05-13 13:02 ` George McCollister
@ 2020-05-15 20:54 ` Tom Rini
1 sibling, 0 replies; 3+ messages in thread
From: Tom Rini @ 2020-05-15 20:54 UTC (permalink / raw)
To: u-boot
On Wed, May 13, 2020 at 12:26:24PM +0200, Bastian Krause wrote:
> From: Jan Luebbe <jlu@pengutronix.de>
>
> If "object=" is specified in "keydir" when using the pkcs11 engine do
> not append another "object=<key-name-hint>". This makes it possible to
> use object names other than the key name hint. These two string
> identifiers are not necessarily equal.
>
> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Bastian Krause <bst@pengutronix.de>
> Reviewed-by: George McCollister <george.mccollister@gmail.com>
Applied to u-boot/master, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20200515/f2ac7af7/attachment.sig>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-05-15 20:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-13 10:26 [PATCH] lib: rsa: avoid overriding the object name when already specified Bastian Krause
2020-05-13 13:02 ` George McCollister
2020-05-15 20:54 ` Tom Rini
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.