From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932487AbbESOqc (ORCPT ); Tue, 19 May 2015 10:46:32 -0400 Received: from bombadil.infradead.org ([198.137.202.9]:43798 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932132AbbESOqa (ORCPT ); Tue, 19 May 2015 10:46:30 -0400 Message-ID: <1432046777.3277.37.camel@infradead.org> Subject: [PATCH 11/8] modsign: Allow signing key to be PKCS#11 From: David Woodhouse To: dhowells@redhat.com Cc: rusty@rustcorp.com.au, mmarek@suse.cz, mjg59@srcf.ucam.org, keyrings@linux-nfs.org, dmitry.kasatkin@gmail.com, mcgrof@suse.com, linux-kernel@vger.kernel.org, dhowells@redhat.com, seth.forshee@canonical.com, linux-security-module@vger.kernel.org Date: Tue, 19 May 2015 15:46:17 +0100 In-Reply-To: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> References: <20150515123513.16723.96340.stgit@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.12.11 (3.12.11-1.fc21) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-SRS-Rewrite: SMTP reverse-path rewritten from by bombadil.infradead.org See http://www.infradead.org/rpr.html Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is only the key; the corresponding *cert* still needs to be in $(topdir)/signing_key.x509. And there's no way to actually use this from the build system yet. Signed-off-by: David Woodhouse --- scripts/sign-file.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 720b9bc..ad0aa21 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -22,6 +22,7 @@ #include #include #include +#include struct module_signature { uint8_t algo; /* Public-key crypto algorithm [0] */ @@ -154,11 +155,29 @@ int main(int argc, char **argv) /* Read the private key and the X.509 cert the PKCS#7 message * will point to. */ - b = BIO_new_file(private_key_name, "rb"); - ERR(!b, "%s", private_key_name); - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); - ERR(!private_key, "%s", private_key_name); - BIO_free(b); + if (!strncmp(private_key_name, "pkcs11:", 7)) { + ENGINE *e; + + ENGINE_load_builtin_engines(); + drain_openssl_errors(); + e = ENGINE_by_id("pkcs11"); + ERR(!e, "Load PKCS#11 ENGINE"); + if (ENGINE_init(e)) + drain_openssl_errors(); + else + ERR(1, "ENGINE_init"); + if (key_pass) + ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); + private_key = ENGINE_load_private_key(e, private_key_name, NULL, + NULL); + ERR(!private_key, "%s", private_key_name); + } else { + b = BIO_new_file(private_key_name, "rb"); + ERR(!b, "%s", private_key_name); + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL); + ERR(!private_key, "%s", private_key_name); + BIO_free(b); + } b = BIO_new_file(x509_name, "rb"); ERR(!b, "%s", x509_name); -- 2.4.0 -- David Woodhouse Open Source Technology Centre David.Woodhouse@intel.com Intel Corporation