author | Bastian Krause <bst@pengutronix.de> | 2020-05-15 16:26:35 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2020-05-15 17:22:07 +0200 |
commit | d6a751d6155dca50b17150fffb731530c3ab8e6c (patch) | |
tree | 4b0b18132ead52fa0e36aaff52868fb5dcd50e55 /patches | |
parent | 339831586a10bc28de9a0cd41f4f658995ff9704 (diff) | |
download | ptxdist-d6a751d6155dca50b17150fffb731530c3ab8e6c.tar.gz ptxdist-d6a751d6155dca50b17150fffb731530c3ab8e6c.tar.xz |
u-boot/ptxd_make_fit_image: avoid overriding object name
Having multiple "object=" occurrences in a single PKCS#11 URI does not
work for all cases, at least not for opensc-pkcs11. Thus u-boot's
PKCS#11 handling was patched to avoid overriding the object name when
it is already specified. The patch was sent upstream.
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200515142641.812-10-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches')
-rw-r--r-- | patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch | 81 | ||||
-rw-r--r-- | patches/u-boot-2020.04/series | 4 |
2 files changed, 85 insertions, 0 deletions
diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt | 8 +++++---
+ lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+ 
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+ 
+ PKCS11 engine key ids:
+ "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++ "pkcs11:<keydir>;type=<public|private>"
+ or
+ "pkcs11:object=<key-name-hint>;type=<public|private>",
+ 
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=public",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=public",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=public",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=private",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=private",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=private",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=private",
diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
new file mode 100644
index 000000000..02db98548
--- /dev/null
+++ b/patches/u-boot-2020.04/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
+# d5b0f03c362d4c4e9d26f37173d666d6 - git-ptx-patches magic |
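Review bot: The new `if (strstr(keydir, "object="))` test in both `rsa_engine_get_pub_key` and `rsa_engine_get_priv_key` is a plain substring match, so a `keydir` whose other PKCS#11 attribute values merely contain `object=` (RFC 7512 allows an unencoded `=` inside a token label, for example) would silently drop the `object=<key-name-hint>` component and let the engine resolve whatever object the remaining URI selects, i.e. a signing key or public key other than the one the signature node names. Anchoring the test to an attribute boundary, `if (!strncmp(keydir, "object=", 7) || strstr(keydir, ";object="))`, keeps the intended behaviour while rejecting the accidental case, and putting that condition in one small static helper would keep the two call sites from drifting apart. The brace-less nested `if (strstr(...)) ... else ...` inside `if (keydir)` followed by the outer `else` relies on dangling-else binding; wrapping the outer body, `if (keydir) { ... } else`, makes the pairing explicit. Both enclosing functions start and end outside the hunk.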