From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH v4 6/9] libimaevm: Add support for pkcs11 private keys for signing a v2 hash
Date: Mon, 13 Sep 2021 18:18:10 -0400 [thread overview]
Message-ID: <20210913221813.2554880-7-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20210913221813.2554880-1-stefanb@linux.ibm.com>
Add support for pkcs11 private keys for signing a v2 hash.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 1 +
src/evmctl.c | 1 +
src/libimaevm.c | 47 ++++++++++++++++++++++++++++++++++++-----------
3 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/README b/README
index 1cc027f..2bb363c 100644
--- a/README
+++ b/README
@@ -48,6 +48,7 @@ OPTIONS
--xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
+ or a pkcs11 URI
--keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
--keyid-from-cert file
read keyid value from SKID of a x509 cert file
diff --git a/src/evmctl.c b/src/evmctl.c
index 5178643..0a54ac3 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2503,6 +2503,7 @@ static void usage(void)
" --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
+ " or a pkcs11 URI\n"
" --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
" --keyid-from-cert file\n"
" read keyid value from SKID of a x509 cert file\n"
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 8e96157..6855184 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -60,6 +60,7 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
#include "imaevm.h"
#include "hash_info.h"
@@ -804,20 +805,44 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
FILE *fp;
EVP_PKEY *pkey;
- fp = fopen(keyfile, "r");
- if (!fp) {
- log_err("Failed to open keyfile: %s\n", keyfile);
- return NULL;
- }
- pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
- if (!pkey) {
- log_err("Failed to PEM_read_PrivateKey key file: %s\n",
- keyfile);
- output_openssl_errors();
+ if (!strncmp(keyfile, "pkcs11:", 7)) {
+ if (!imaevm_params.keyid) {
+ log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
+ return NULL;
+ }
+
+ if (keypass) {
+ if (!ENGINE_ctrl_cmd_string(imaevm_params.eng, "PIN", keypass, 0)) {
+ log_err("Failed to set the PIN for the private key\n");
+ goto err_engine;
+ }
+ }
+ pkey = ENGINE_load_private_key(imaevm_params.eng, keyfile, NULL, NULL);
+ if (!pkey) {
+ log_err("Failed to load private key %s\n", keyfile);
+ goto err_engine;
+ }
+ } else {
+ fp = fopen(keyfile, "r");
+ if (!fp) {
+ log_err("Failed to open keyfile: %s\n", keyfile);
+ return NULL;
+ }
+ pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
+ if (!pkey) {
+ log_err("Failed to PEM_read_PrivateKey key file: %s\n",
+ keyfile);
+ output_openssl_errors();
+ }
+
+ fclose(fp);
}
- fclose(fp);
return pkey;
+
+err_engine:
+ output_openssl_errors();
+ return NULL;
}
static RSA *read_priv_key(const char *keyfile, const char *keypass)
--
2.31.1
next prev parent reply other threads:[~2021-09-13 22:18 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-13 22:18 [PATCH v4 0/9] ima-evm-utils: Add support for signing with pkcs11 URIs Stefan Berger
2021-09-13 22:18 ` [PATCH v4 1/9] evmctl: Implement support for EVMCTL_KEY_PASSWORD environment variable Stefan Berger
2021-09-13 22:18 ` [PATCH v4 2/9] evmctl: Handle failure to initialize the openssl engine Stefan Berger
2021-09-13 22:18 ` [PATCH v4 3/9] evmctl: Implement function for setting up an OpenSSL engine Stefan Berger
2021-09-13 22:18 ` [PATCH v4 4/9] evmctl: Define and use an ENGINE field in libimaevm_params Stefan Berger
2021-09-13 22:18 ` [PATCH v4 5/9] evmctl: use the pkcs11 engine for pkcs11: prefixed URIs Stefan Berger
2021-09-13 22:18 ` Stefan Berger [this message]
2021-09-13 22:18 ` [PATCH v4 7/9] tests: Import softhsm_setup script to enable pkcs11 test case Stefan Berger
2021-09-13 22:18 ` [PATCH v4 8/9] tests: Extend sign_verify test with pkcs11-specific test Stefan Berger
2021-09-13 22:18 ` [PATCH v4 9/9] tests: Get the packages for pkcs11 testing on the CI/CD system Stefan Berger
2021-09-14 15:24 ` [PATCH v4 0/9] ima-evm-utils: Add support for signing with pkcs11 URIs Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210913221813.2554880-7-stefanb@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).