[PATCH] lib: rsa: avoid overriding the object name when already specified

* [PATCH] lib: rsa: avoid overriding the object name when already specified
@ 2020-05-13 10:26 Bastian Krause
  2020-05-13 13:02 ` George McCollister
  2020-05-15 20:54 ` Tom Rini
  0 siblings, 2 replies; 3+ messages in thread
From: Bastian Krause @ 2020-05-13 10:26 UTC (permalink / raw)
  To: u-boot

From: Jan Luebbe <jlu@pengutronix.de>

If "object=" is specified in "keydir" when using the pkcs11 engine do
not append another "object=<key-name-hint>". This makes it possible to
use object names other than the key name hint. These two string
identifiers are not necessarily equal.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
---
Note: we could also check if keydir starts with "pkcs11:" and append
";type=public|private". That would allow passing complete PKCS#11 URIs
which is somewhat nicer.
---
 doc/uImage.FIT/signature.txt |  8 +++++---
 lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 3591225a6e..d4afd755e9 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
 to openssl's default search paths.
 
 PKCS11 engine support forms "key id" based on "keydir" and with
-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
-defined is used to define (prefix for) which PKCS11 source is being used for
-lookup up for the key.
+"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
+keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
+is being used for lookup up for the key.
 
 PKCS11 engine key ids:
    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
+or, if keydir contains "object="
+   "pkcs11:<keydir>;type=<public|private>"
 or
    "pkcs11:object=<key-name-hint>;type=<public|private>",
 
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 580c744709..1914b96413 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 
 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
 		if (keydir)
-			snprintf(key_id, sizeof(key_id),
-				 "pkcs11:%s;object=%s;type=public",
-				 keydir, name);
+			if (strstr(keydir, "object="))
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;type=public",
+					 keydir);
+			else
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;object=%s;type=public",
+					 keydir, name);
 		else
 			snprintf(key_id, sizeof(key_id),
 				 "pkcs11:object=%s;type=public",
@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 
 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
 		if (keydir)
-			snprintf(key_id, sizeof(key_id),
-				 "pkcs11:%s;object=%s;type=private",
-				 keydir, name);
+			if (strstr(keydir, "object="))
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;type=private",
+					 keydir);
+			else
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;object=%s;type=private",
+					 keydir, name);
 		else
 			snprintf(key_id, sizeof(key_id),
 				 "pkcs11:object=%s;type=private",
-- 
2.26.2

^ permalink raw reply related	[flat|nested] 3+ messages in thread