Having multiple "object=" occurrences in a single PKCS#11 URI does not work for all cases, at least not for opensc-pkcs11. Thus u-boot's PKCS#11 handling was patched to avoid overriding the object name when it is already specified. The patch was sent upstream.
Signed-off-by: Bastian Krause <[email protected]> --- ...erriding-the-object-name-when-alread.patch | 81 +++++++++++++++++++ patches/u-boot-2020.04/series | 4 + scripts/lib/ptxd_make_fit_image.sh | 4 +- 3 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch create mode 100644 patches/u-boot-2020.04/series diff --git a/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch new file mode 100644 index 000000000..5ba930fb5 --- /dev/null +++ b/patches/u-boot-2020.04/0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch @@ -0,0 +1,81 @@ +From: Jan Luebbe <[email protected]> +Date: Mon, 16 Mar 2020 11:45:22 +0100 +Subject: [PATCH] lib: rsa: avoid overriding the object name when already + specified + +If "object=" is specified in "keydir" when using the pkcs11 engine do +not append another "object=<key-name-hint>". This makes it possible to +use object names other than the key name hint. These two string +identifiers are not necessarily equal. + +Signed-off-by: Jan Luebbe <[email protected]> +Signed-off-by: Bastian Krause <[email protected]> +Reviewed-by: George McCollister <[email protected]> +Forwarded: https://lists.denx.de/pipermail/u-boot/2020-May/411892.html +--- + doc/uImage.FIT/signature.txt | 8 +++++--- + lib/rsa/rsa-sign.c | 22 ++++++++++++++++------ + 2 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt +index 3591225a6edd..d4afd755e9fc 100644 +--- a/doc/uImage.FIT/signature.txt ++++ b/doc/uImage.FIT/signature.txt +@@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if engine is not installed + to openssl's default search paths. + + PKCS11 engine support forms "key id" based on "keydir" and with +-"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if +-defined is used to define (prefix for) which PKCS11 source is being used for +-lookup up for the key. ++"key-name-hint". "key-name-hint" is used as "object" name (if not defined in ++keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 source ++is being used for lookup up for the key. + + PKCS11 engine key ids: + "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" ++or, if keydir contains "object=" ++ "pkcs11:<keydir>;type=<public|private>" + or + "pkcs11:object=<key-name-hint>;type=<public|private>", + +diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c +index 580c74470939..1914b9641312 100644 +--- a/lib/rsa/rsa-sign.c ++++ b/lib/rsa/rsa-sign.c +@@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name, + + if (engine_id && !strcmp(engine_id, "pkcs11")) { + if (keydir) +- snprintf(key_id, sizeof(key_id), +- "pkcs11:%s;object=%s;type=public", +- keydir, name); ++ if (strstr(keydir, "object=")) ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;type=public", ++ keydir); ++ else ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;object=%s;type=public", ++ keydir, name); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:object=%s;type=public", +@@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name, + + if (engine_id && !strcmp(engine_id, "pkcs11")) { + if (keydir) +- snprintf(key_id, sizeof(key_id), +- "pkcs11:%s;object=%s;type=private", +- keydir, name); ++ if (strstr(keydir, "object=")) ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;type=private", ++ keydir); ++ else ++ snprintf(key_id, sizeof(key_id), ++ "pkcs11:%s;object=%s;type=private", ++ keydir, name); + else + snprintf(key_id, sizeof(key_id), + "pkcs11:object=%s;type=private", diff --git a/patches/u-boot-2020.04/series b/patches/u-boot-2020.04/series new file mode 100644 index 000000000..02db98548 --- /dev/null +++ b/patches/u-boot-2020.04/series @@ -0,0 +1,4 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-lib-rsa-avoid-overriding-the-object-name-when-alread.patch +# d5b0f03c362d4c4e9d26f37173d666d6 - git-ptx-patches magic diff --git a/scripts/lib/ptxd_make_fit_image.sh b/scripts/lib/ptxd_make_fit_image.sh index 041c5b803..c2725ab3d 100644 --- a/scripts/lib/ptxd_make_fit_image.sh +++ b/scripts/lib/ptxd_make_fit_image.sh @@ -106,9 +106,7 @@ ptxd_make_image_fit() { # # It would have been too simple for mkimage to just take a # PKCS#11 URI. We must drop the "pkcs11:" prefix which U-Boot - # then adds again. Also mkimage adds "object=<key_name_hint>" - # to the URI which our URI already has. Well having it twice - # doesn't seem to hurt at least SoftHSM. + # then adds again. # pkcs11_uri=$(echo "${pkcs11_uri}" | sed "s/pkcs11://") sign_args=( -k "${pkcs11_uri}" ) -- 2.26.2 _______________________________________________ ptxdist mailing list [email protected]
