All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH v4 3/5] ima-avm-utils: Change read_priv_key to use EVP_PKEY API
Date: Mon, 17 Jun 2019 09:33:17 -0400	[thread overview]
Message-ID: <1560778397.4072.79.camel@linux.ibm.com> (raw)
In-Reply-To: <20190614015410.26039-4-vt@altlinux.org>

On Fri, 2019-06-14 at 04:54 +0300, Vitaly Chikunov wrote:
> Introduce read_priv_pkey() to read keys using EVP_PKEY, and change
> read_priv_key() to be wrapper for it.
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
>  src/libimaevm.c | 32 +++++++++++++++++++++++++++-----
>  1 file changed, 27 insertions(+), 5 deletions(-)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index da0f422..c620c1e 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -753,10 +753,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
>  	free(pkey);
>  }
> 
> -static RSA *read_priv_key(const char *keyfile, const char *keypass)
> +static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
>  {
>  	FILE *fp
> -	RSA *key;
> +	EVP_PKEY *key;

In read_pub_pkey() EVP_PKEY is named pkey, not key.

> 
>  	fp = fopen(keyfile, "r");
>  	if (!fp) {
> @@ -764,18 +764,40 @@ static RSA *read_priv_key(const char *keyfile, const char *keypass)
>  		return NULL;
>  	}
>  	ERR_load_crypto_strings();
> -	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, (void *)keypass);
> +	key = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
>  	if (!key) {
>  		char str[256];
> 
> -		ERR_error_string(ERR_get_error(), str);
> -		log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
> +		ERR_error_string(ERR_peek_error(), str);
> +		log_err("PEM_read_PrivateKey() failed: %s\n", str);
> +#ifdef USE_FPRINTF
> +		ERR_print_errors_fp(stderr);
> +#else
> +		ERR_clear_error();
> +#endif

Why is this additional print needed?  Are you expecting multiple
errors?  By calling both log_err() and ERR_print_errors_fp() won't the
same error message be duplicated?  If calling "ERR_print_errors_fp()"
is indeed needed, please make this change as a separate patch, with an
appropriate patch description.

>  	}
> 
>  	fclose(fp);
>  	return key;
>  }
> 
> +static RSA *read_priv_key(const char *keyfile, const char *keypass)
> +{
> +	EVP_PKEY *pkey;
> +	RSA *key;
> +
> +	pkey = read_priv_pkey(keyfile, keypass);
> +	if (!pkey)
> +		return NULL;
> +	key = EVP_PKEY_get1_RSA(pkey);
> +	EVP_PKEY_free(pkey);
> +	if (!key) {
> +		log_err("sign_hash_v1: unsupported key type\n");
> +		return NULL;
> +	}

At least at this point in the patch series, failing to get the private
key isn't limited to sign_hash_v1.  Perhaps that might be true later.

Mimi

> +	return key;
> +}
> +
>  static int get_hash_algo_v1(const char *algo)
>  {
> 


  reply	other threads:[~2019-06-17 13:33 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-14  1:54 [PATCH v4 0/5] ima-avm-utils: Convert sign v2 from RSA to EVP_PKEY API Vitaly Chikunov
2019-06-14  1:54 ` [PATCH v4 1/5] ima-avm-utils: Make sure sig buffer is always MAX_SIGNATURE_SIZE Vitaly Chikunov
2019-06-17 13:32   ` Mimi Zohar
2019-06-14  1:54 ` [PATCH v4 2/5] ima-avm-utils: Change read_pub_key to use EVP_PKEY API Vitaly Chikunov
2019-06-14  1:54 ` [PATCH v4 3/5] ima-avm-utils: Change read_priv_key " Vitaly Chikunov
2019-06-17 13:33   ` Mimi Zohar [this message]
2019-06-14  1:54 ` [PATCH v4 4/5] ima-evm-utils: Convert sign v2 from RSA to " Vitaly Chikunov
2019-06-17 13:34   ` Mimi Zohar
2019-06-17 14:42     ` Vitaly Chikunov
2019-06-17 15:10       ` Mimi Zohar
2019-06-14  1:54 ` [PATCH v4 5/5] ima-avm-utils: Remove RSA_ASN1_templates Vitaly Chikunov
2019-06-14  1:59 ` [PATCH v4 0/5] ima-avm-utils: Convert sign v2 from RSA to EVP_PKEY API Vitaly Chikunov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1560778397.4072.79.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=vt@altlinux.org \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.