From: Jan Luebbe <jlu@pengutronix.de>
Date: Mon, 16 Mar 2020 11:45:22 +0100
Subject: [PATCH] lib: rsa: avoid overriding the object name when already
 specified

If "object=" is specified in "keydir" when using the pkcs11 engine do
not append another "object=<key-name-hint>". This makes it possible to
use object names other than the key name hint. These two string
identifiers are not necessarily equal.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Reviewed-by: George McCollister <george.mccollister@gmail.com>
Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html
---
 doc/uImage.FIT/signature.txt |  8 +++++---
 lib/rsa/rsa-sign.c           | 22 ++++++++++++++++------
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 3591225a6edd..d4afd755e9fc 100644
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed
 to openssl's default search paths.
 
 PKCS11 engine support forms "key id" based on "keydir" and with
-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if
-defined is used to define (prefix for) which PKCS11 source is being used for
-lookup up for the key.
+"key-name-hint". "key-name-hint" is used as "object" name (if not defined in
+keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source
+is being used for lookup up for the key.
 
 PKCS11 engine key ids:
    "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>"
+or, if keydir contains "object="
+   "pkcs11:<keydir>;type=<public|private>"
 or
    "pkcs11:object=<key-name-hint>;type=<public|private>",
 
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 580c74470939..1914b9641312 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 
 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
 		if (keydir)
-			snprintf(key_id, sizeof(key_id),
-				 "pkcs11:%s;object=%s;type=public",
-				 keydir, name);
+			if (strstr(keydir, "object="))
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;type=public",
+					 keydir);
+			else
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;object=%s;type=public",
+					 keydir, name);
 		else
 			snprintf(key_id, sizeof(key_id),
 				 "pkcs11:object=%s;type=public",
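Review bot: The added `if (strstr(keydir, "object=")) … else …` is nested directly inside the unbraced `if (keydir)` whose own `else` follows it, so the two `else` branches are told apart only by the dangling-else grammar rule; the kernel style U-Boot follows wants braces around a body that is itself an if/else (`if (keydir) {` … `} else`), and GCC's -Wdangling-else may warn on this shape. The same construct is repeated in the rsa_engine_get_priv_key hunk, differing only in the `public`/`private` suffix, so a small static helper taking the type string would remove both copies and leave one place to maintain the key-id format, as sketched below. Separately, `strstr(keydir, "object=")` matches the token anywhere in keydir, including inside another attribute's value, so a check anchored at the start of the string or after a `;` would be more precise. Both enclosing functions start and end outside the hunks, and the unchecked snprintf truncation is pre-existing rather than introduced here.
```c
/* Build the PKCS#11 key id; the object name comes from keydir when it
 * already carries "object=", otherwise from the key-name-hint. */
static void rsa_engine_pkcs11_key_id(char *key_id, size_t len,
				     const char *keydir, const char *name,
				     const char *type)
{
	if (!keydir)
		snprintf(key_id, len, "pkcs11:object=%s;type=%s", name, type);
	else if (strstr(keydir, "object="))
		snprintf(key_id, len, "pkcs11:%s;type=%s", keydir, type);
	else
		snprintf(key_id, len, "pkcs11:%s;object=%s;type=%s",
			 keydir, name, type);
}

/* … unchanged: rsa_engine_get_pub_key up to the engine check … */
	if (engine_id && !strcmp(engine_id, "pkcs11")) {
		rsa_engine_pkcs11_key_id(key_id, sizeof(key_id), keydir, name,
					 "public");
		/* … unchanged: rest of the pkcs11 branch … */
```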
@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 
 	if (engine_id && !strcmp(engine_id, "pkcs11")) {
 		if (keydir)
-			snprintf(key_id, sizeof(key_id),
-				 "pkcs11:%s;object=%s;type=private",
-				 keydir, name);
+			if (strstr(keydir, "object="))
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;type=private",
+					 keydir);
+			else
+				snprintf(key_id, sizeof(key_id),
+					 "pkcs11:%s;object=%s;type=private",
+					 keydir, name);
 		else
 			snprintf(key_id, sizeof(key_id),
 				 "pkcs11:object=%s;type=private",