* [PATCH 1/2] lib: rsa: Fix PKCS11 URI if one is not given in `keydir`
From: Csókás Bence @ 2024-01-05 14:08 UTC (permalink / raw)
To: u-boot; +Cc: Tom Rini, Ayoub Zaki, Csókás Bence
If `keydir` is not present, we need to build a PKCS11 URI
from just the key name. In this case, we *do* need 'pkcs11:'.
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
---
lib/rsa/rsa-sign.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index 858ad92a6f..fd587d8deb 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -124,7 +124,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
keydir, name);
else
snprintf(key_id, sizeof(key_id),
- "object=%s;type=public",
+ "pkcs11:object=%s;type=public",
name);
} else if (engine_id) {
if (keydir)
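Review bot: the fix is right for the no-`keydir` branch, but the `pkcs11:` scheme literal is now hard-coded in this format string and again in the private-key hunk; a single file-scope constant (for example `static const char pkcs11_scheme[] = "pkcs11:";`) would keep the two paths from having to be changed in lock-step. Separately, `name` is passed to `%s` here with no NULL check visible in the hunk; if a caller can reach this branch with both `keydir` and `name` NULL, the `snprintf()` is undefined behaviour, so it is worth confirming the caller guarantees `name` or adding a guard like the one the private-key function has.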
@@ -246,7 +246,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
keydir, name);
else
snprintf(key_id, sizeof(key_id),
- "object=%s;type=private",
+ "pkcs11:object=%s;type=private",
name);
} else if (engine_id) {
if (keydir && name)
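Review bot: this hunk mirrors the public-key change exactly apart from `type=private`, which means the scheme string and the surrounding `keydir`/`name` selection logic now exist twice in the file; a small shared helper taking the `type=` value would make the next fix to this URI construction land in both places at once. The `if (keydir && name)` guard visible in the non-pkcs11 branch below suggests `name` can be NULL for some callers; the pkcs11 branch above relies on the earlier `return -EINVAL` check instead, so a brief comment tying the two together would help the next reader.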
--
2.25.1
* [PATCH 2/2] lib: rsa: Allow legacy URI specification without "pkcs11:"
From: Csókás Bence @ 2024-01-05 14:08 UTC (permalink / raw)
To: u-boot; +Cc: Tom Rini, Ayoub Zaki, Csókás Bence
But emit a warning for it. Then we can remove support when
everyone has had time to update their scripts, docs, CI etc.
Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
---
lib/rsa/rsa-sign.c | 42 ++++++++++++++++++++++++++++++------------
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index fd587d8deb..2304030e32 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -104,6 +104,8 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
const char *engine_id;
char key_id[1024];
EVP_PKEY *key = NULL;
+ const char *const pkcs11_schema = "pkcs11:";
+ const char *pkcs11_uri_prepend = "";
if (!evpp)
return -EINVAL;
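Review bot: `pkcs11_schema` names a URI scheme, not a schema, and declaring it as a function-local constant here (and again in `rsa_engine_get_priv_key`) duplicates both the string and the `strlen()` computed at each comparison site; a file-scope `static const char pkcs11_scheme[] = "pkcs11:";` lets the comparison use `sizeof(pkcs11_scheme) - 1` and gives both functions one definition to maintain.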
@@ -113,19 +115,26 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
engine_id = ENGINE_get_id(engine);
if (engine_id && !strcmp(engine_id, "pkcs11")) {
- if (keydir)
+ if (keydir) {
+ // Check for legacy keydir spec and prepend
+ if (strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))) {
+ pkcs11_uri_prepend = pkcs11_schema;
+ fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n", pkcs11_schema);
+ }
+
if (strstr(keydir, "object="))
snprintf(key_id, sizeof(key_id),
- "%s;type=public",
- keydir);
+ "%s%s;type=public",
+ pkcs11_uri_prepend, keydir);
else
snprintf(key_id, sizeof(key_id),
- "%s;object=%s;type=public",
- keydir, name);
- else
+ "%s%s;object=%s;type=public",
+ pkcs11_uri_prepend, keydir, name);
+ } else {
snprintf(key_id, sizeof(key_id),
"pkcs11:object=%s;type=public",
name);
+ }
} else if (engine_id) {
if (keydir)
snprintf(key_id, sizeof(key_id),
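Review bot: the legacy check `strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))` is case-sensitive, but URI scheme names are case-insensitive (RFC 3986 section 3.1), so a `keydir` of `PKCS11:object=...` is classified as legacy and comes out as `pkcs11:PKCS11:object=...`, which is worse than the input; either compare with `strncasecmp()` or have the warning state that the lowercase prefix is required. The warning would also be more actionable if it printed the offending value, e.g. `"WARNING: legacy PKCS#11 key spec '%s'; please prefix it with '%s'\n", keydir, pkcs11_schema`, and as written that `fprintf()` line is well over 80 columns. Two style points: U-Boot uses `/* */` rather than `//` comments, and the braces added around `if (keydir) { ... } else { ... }` are welcome, since the removed code nested `if (keydir) if (...) ... else ... else ...` with no braces and relied on the dangling-else rule to bind the final `else` to `if (keydir)`.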
@@ -224,6 +233,8 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
const char *engine_id;
char key_id[1024];
EVP_PKEY *key = NULL;
+ const char *const pkcs11_schema = "pkcs11:";
+ const char *pkcs11_uri_prepend = "";
if (!evpp)
return -EINVAL;
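Review bot: these two declarations are a verbatim copy of the ones added to `rsa_engine_get_pub_key` earlier in this patch; one file-scope constant for the scheme string would serve both functions and remove a second place where the prefix has to be kept in sync.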
@@ -235,19 +246,26 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
fprintf(stderr, "Please use 'keydir' with PKCS11\n");
return -EINVAL;
}
- if (keydir)
+ if (keydir) {
+ // Check for legacy keydir spec and prepend
+ if (strncmp(pkcs11_schema, keydir, strlen(pkcs11_schema))) {
+ pkcs11_uri_prepend = pkcs11_schema;
+ fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n", pkcs11_schema);
+ }
+
if (strstr(keydir, "object="))
snprintf(key_id, sizeof(key_id),
- "%s;type=private",
- keydir);
+ "%s%s;type=private",
+ pkcs11_uri_prepend, keydir);
else
snprintf(key_id, sizeof(key_id),
- "%s;object=%s;type=private",
- keydir, name);
- else
+ "%s%s;object=%s;type=private",
+ pkcs11_uri_prepend, keydir, name);
+ } else {
snprintf(key_id, sizeof(key_id),
"pkcs11:object=%s;type=private",
name);
+ }
} else if (engine_id) {
if (keydir && name)
snprintf(key_id, sizeof(key_id),
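Review bot: the entire legacy-detection-plus-`snprintf()` block is now duplicated between the public- and private-key functions, differing only in `type=public` versus `type=private`; a helper such as `rsa_engine_pkcs11_key_id(char *key_id, size_t len, const char *keydir, const char *name, const char *type)` would roughly halve this change and guarantee that a later fix (for instance switching the scheme comparison to `strncasecmp()`, since `strncmp()` here has the same case-sensitivity gap as in the public-key hunk) reaches both paths. Also worth noting for the deprecation plan in the commit message: the warning fires on every call, so a signing run that touches several keys prints it once per key; acceptable for a transitional notice, but a comment saying so would avoid a later "spurious duplicate warning" report.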
--
2.25.1
* Re: [PATCH 1/2] lib: rsa: Fix PKCS11 URI if one is not given in `keydir`
From: Tom Rini @ 2024-01-19 16:09 UTC (permalink / raw)
To: Csókás Bence; +Cc: u-boot, Ayoub Zaki
On Fri, Jan 05, 2024 at 03:08:03PM +0100, Csókás Bence wrote:
> If `keydir` is not present, we need to build a PKCS11 URI
> from just the key name. In this case, we *do* need 'pkcs11:'.
>
> Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
>
> Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
Applied to u-boot/master, thanks!
--
Tom
* Re: [PATCH 2/2] lib: rsa: Allow legacy URI specification without "pkcs11:"
From: Tom Rini @ 2024-01-19 16:09 UTC (permalink / raw)
To: Csókás Bence; +Cc: u-boot, Ayoub Zaki
On Fri, Jan 05, 2024 at 03:08:04PM +0100, Csókás Bence wrote:
> But emit a warning for it. Then we can remove support when
> everyone has had time to update their scripts, docs, CI etc.
>
> Fixes: ece85cc020 rsa: use pkcs11 uri as defined in rfc7512
>
> Signed-off-by: Csókás Bence <csokas.bence@prolan.hu>
Applied to u-boot/master, thanks!
--
Tom