From d6a751d6155dca50b17150fffb731530c3ab8e6c Mon Sep 17 00:00:00 2001
From: Bastian Krause <bst@pengutronix.de>
Date: Fri, 15 May 2020 16:26:35 +0200
Subject: u-boot/ptxd_make_fit_image: avoid overriding object name

Having multiple "object=" occurrences in a single PKCS#11 URI does not
work for all cases, at least not for opensc-pkcs11. Thus u-boot's
PKCS#11 handling was patched to avoid overriding the object name when
it is already specified. The patch was sent upstream.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
Message-Id: <20200515142641.812-10-bst@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
 ...id-overriding-the-object-name-when-alread.patch | 81 ++++++++++++++++++++++
 patches/u-boot-2020.04/series                      |  4 ++
 scripts/lib/ptxd_make_fit_image.sh                 |  4 +-
 3 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
 create mode 100644 patches/u-boot-2020.04/series

diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
new file mode 100644
index 000000000..5ba930fb5
--- /dev/null
+++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
@@ -0,0 +1,81 @@
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 16 Mar 2020 11:45:22 +0100
+Subject: [PATCH] lib: rsa: avoid overriding the object name when already
+ specified
+
+If "object=" is specified in "keydir" when using the pkcs11 engine do
+not append another "object=<key-name-hint>". This makes it possible to
+use object names other than the key name hint. These two string
+identifiers are not necessarily equal.
+
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+Reviewed-by: George McCollister <george.mccollister@gmail.com>
+Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
+---
+ doc/uImage.FIT/signature.txt |  8 +++++---
+ lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
+index 3591225a6edd..d4afd755e9fc 100644
+--- a/doc/uImage.FIT/signature.txt
++++ b/doc/uImage.FIT/signature.txt
+@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
+ to openssl's default search paths.
+ 
+ PKCS11 engine support forms "key id" based on "keydir" and with
+-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
+-defined is used to define (prefix for) which PKCS11 source is being used for
+-lookup up for the key.
++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
++is being used for lookup up for the key.
+ 
+ PKCS11 engine key ids:
+    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
++or, if keydir contains "object="
++   "pkcs11:<keydir>;type=<public|private>"
+ or
+    "pkcs11:object=<key-name-hint>;type=<public|private>",
+ 
+diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
+index 580c74470939..1914b9641312 100644
+--- a/lib/rsa/rsa-sign.c
++++ b/lib/rsa/rsa-sign.c
+@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=public",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=public",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=public",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=public",
+@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
+ 
+ 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
+ 		if (keydir)
+-			snprintf(key_id, sizeof(key_id),
+-				 "pkcs11:%s;object=%s;type=private",
+-				 keydir, name);
++			if (strstr(keydir, "object="))
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;type=private",
++					 keydir);
++			else
++				snprintf(key_id, sizeof(key_id),
++					 "pkcs11:%s;object=%s;type=private",
++					 keydir, name);
+ 		else
+ 			snprintf(key_id, sizeof(key_id),
+ 				 "pkcs11:object=%s;type=private",
diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series
new file mode 100644
index 000000000..02db98548
--- /dev/null
+++ b/patches/u-boot-2020.04/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch
+# d5b0f03c362d4c4e9d26f37173d666d6  - git-ptx-patches magic
diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh
index 041c5b803..c2725ab3d 100644
--- a/scripts/lib/ptxd_make_fit_image.sh
+++ b/scripts/lib/ptxd_make_fit_image.sh
@@ -106,9 +106,7 @@ ptxd_make_image_fit() {
 	#
 	# It would have been too simple for mkimage to just take a
 	# PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot
-	# then adds again. Also mkimage adds "object=<key_name_hint>"
-	# to the URI which our URI already has. Well having it twice
-	# doesn't seem to hurt at least SoftHSM.
+	# then adds again.
 	#
 	pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://")
 	sign_args=( -k "${pkcs11_uri}" )
-- 
cgit v1.2.3