Diffstat (limited to 'patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch')
-rw-r--r-- | patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt | 8 +++++---
+ lib/rsa/rsa-sign.c | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+ 
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+ 
+ PKCS11 engine key ids:
+ "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++ "pkcs11:<keydir>;type=<public|private>"
+ or
+ "pkcs11:object=<key-name-hint>;type=<public|private>",
+ 
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=public",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=public",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=public",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ if (keydir)
+- snprintf(key_id, sizeof(key_id),
+- "pkcs11:%s;object=%s;type=private",
+- keydir, name);
++ if (strstr(keydir, "object="))
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;type=private",
++ keydir);
++ else
++ snprintf(key_id, sizeof(key_id),
++ "pkcs11:%s;object=%s;type=private",
++ keydir, name);
+ else
+ snprintf(key_id, sizeof(key_id),
+ "pkcs11:object=%s;type=private",
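Review bot: The outer `if (keydir)` in the rsa_engine_get_pub_key hunk now carries a multi-line if/else as an unbraced body, so the two `else` branches depend on dangling-else binding and the block no longer follows the U-Boot rule of bracing multi-line bodies; wrap it as `if (keydir) {` … `}` around the inner `if (strstr(keydir, "object="))`/`else`, and the same applies to the rsa_engine_get_priv_key hunk below. `strstr(keydir, "object=")` also matches the substring anywhere in keydir, including inside another attribute's value, in which case the key name hint is silently dropped and the engine is asked for a different object than the caller expects; checking that the match sits at the start of keydir or directly after a `;` would limit it to the attribute itself. Both enclosing functions start and end outside the hunk, so whether the resulting key_id is later validated or its snprintf truncation checked is not visible here.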