[PATCH] lib: rsa: avoid overriding the object name when already specified

George McCollister george.mccollister at gmail.com
Wed May 13 15:02:07 CEST 2020


On Wed, May 13, 2020 at 5:26 AM Bastian Krause <bst at pengutronix.de> wrote:
>
> From: Jan Luebbe <jlu at pengutronix.de>
>
> If "object=" is specified in "keydir" when using the pkcs11 engine do
> not append another "object=<key-name-hint>". This makes it possible to
> use object names other than the key name hint. These two string
> identifiers are not necessarily equal.
>
> Signed-off-by: Jan Luebbe <jlu at pengutronix.de>
> Signed-off-by: Bastian Krause <bst at pengutronix.de>

Looks good to me.

Reviewed-by: George McCollister <george.mccollister at gmail.com>

> ---
> Note: we could also check if keydir starts with "pkcs11:" and append
> ";type=public|private". That would allow passing complete PKCS#11 URIs
> which is somewhat nicer.
> ---
>  doc/uImage.FIT/signature.txt |  8 +++++---
>  lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
>  2 files changed, 21 insertions(+), 9 deletions(-)
>
> diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
> index 3591225a6e..d4afd755e9 100644
> --- a/doc/uImage.FIT/signature.txt
> +++ b/doc/uImage.FIT/signature.txt
> @@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
>  to openssl's default search paths.
>
>  PKCS11 engine support forms "key id" based on "keydir" and with
> -"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
> -defined is used to define (prefix for) which PKCS11 source is being used for
> -lookup up for the key.
> +"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
> +keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
> +is being used for lookup up for the key.
>
>  PKCS11 engine key ids:
>     "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
> +or, if keydir contains "object="
> +   "pkcs11:<keydir>;type=<public|private>"
>  or
>     "pkcs11:object=<key-name-hint>;type=<public|private>",
>
> diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
> index 580c744709..1914b96413 100644
> --- a/lib/rsa/rsa-sign.c
> +++ b/lib/rsa/rsa-sign.c
> @@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
>
>         if (engine_id && !strcmp(engine_id, "pkcs11")) {
>                 if (keydir)
> -                       snprintf(key_id, sizeof(key_id),
> -                                "pkcs11:%s;object=%s;type=public",
> -                                keydir, name);
> +                       if (strstr(keydir, "object="))
> +                               snprintf(key_id, sizeof(key_id),
> +                                        "pkcs11:%s;type=public",
> +                                        keydir);
> +                       else
> +                               snprintf(key_id, sizeof(key_id),
> +                                        "pkcs11:%s;object=%s;type=public",
> +                                        keydir, name);
>                 else
>                         snprintf(key_id, sizeof(key_id),
>                                  "pkcs11:object=%s;type=public",
> @@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
>
>         if (engine_id && !strcmp(engine_id, "pkcs11")) {
>                 if (keydir)
> -                       snprintf(key_id, sizeof(key_id),
> -                                "pkcs11:%s;object=%s;type=private",
> -                                keydir, name);
> +                       if (strstr(keydir, "object="))
> +                               snprintf(key_id, sizeof(key_id),
> +                                        "pkcs11:%s;type=private",
> +                                        keydir);
> +                       else
> +                               snprintf(key_id, sizeof(key_id),
> +                                        "pkcs11:%s;object=%s;type=private",
> +                                        keydir, name);
>                 else
>                         snprintf(key_id, sizeof(key_id),
>                                  "pkcs11:object=%s;type=private",
> --
> 2.26.2
>


More information about the U-Boot mailing list