Hello Sascha,
On 10/15/19 9:55 AM, Sascha Hauer wrote:
> The rsatoc tool converts rsa public keys into C structs suitable to
> compile with barebox. Most of the OpenSSL RSA-related code has been
> taken from the U-Boot mkimage tool.
I don't have any FIT image or RSA options enabled, yet my build fails now with:
RSAKEY crypto/rsa-keys.h
/bin/sh: 1: ./scripts/rsatoc: not found
./crypto/Makefile:27: recipe for target 'crypto/rsa-keys.h' failed
make[2]: *** [crypto/rsa-keys.h] Error 127
./Makefile:802: recipe for target 'crypto' failed
make[1]: *** [crypto] Error 2
Cheers
Ahmad
>
> Signed-off-by: Sascha Hauer
> ---
> scripts/.gitignore | 1 +
> scripts/Makefile | 3 +
> scripts/rsatoc.c | 445 +
> 3 files changed, 449 insertions(+)
> create mode 100644 scripts/rsatoc.c
>
> diff --git a/scripts/.gitignore b/scripts/.gitignore
> index 45c81bf8f4..76ea271abb 100644
> --- a/scripts/.gitignore
> +++ b/scripts/.gitignore
> @@ -29,3 +29,4 @@ mxs-usb-loader
> omap4_usbboot
> omap3-usb-loader
> mips-relocs
> +rsatoc
> diff --git a/scripts/Makefile b/scripts/Makefile
> index dffab53c73..81d1a501b0 100644
> --- a/scripts/Makefile
> +++ b/scripts/Makefile
> @@ -10,6 +10,9 @@ hostprogs-y += fix_size
> hostprogs-y += bareboxenv
> hostprogs-y += bareboxcrc32
> hostprogs-y += kernel-install
> +hostprogs-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsatoc
> +HOSTCFLAGS_rsatoc = `pkg-config --cflags openssl`
> +HOSTLDLIBS_rsatoc = `pkg-config --libs openssl`
> hostprogs-$(CONFIG_IMD) += bareboximd
> hostprogs-$(CONFIG_KALLSYMS) += kallsyms
> hostprogs-$(CONFIG_MIPS) += mips-relocs
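Review bot: The two `HOSTCFLAGS_rsatoc`/`HOSTLDLIBS_rsatoc` lines use shell backticks, so `pkg-config` is re-run by the shell of every compile and link command and its failure is never checked: if `pkg-config` or `openssl.pc` is absent the expansion is silently empty and the build only fails later with a confusing missing-header or undefined-reference error for the OpenSSL/libcrypto symbols rsatoc needs. Evaluating once on the make side, `HOSTCFLAGS_rsatoc := $(shell pkg-config --cflags openssl)` and `HOSTLDLIBS_rsatoc := $(shell pkg-config --libs openssl)`, avoids the repeated invocation and makes the flags visible to make; an explicit check that the result is non-empty (or an error message naming the openssl development package) would turn the failure into a clear one. Gating the host program on `CONFIG_CRYPTO_RSA_BUILTIN_KEYS` keeps the libcrypto host dependency conditional, which is the right direction; the rule that invokes `scripts/rsatoc` lives in crypto/Makefile, outside this hunk, so whether it is gated the same way cannot be confirmed here.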
> diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
> new file mode 100644
> index 00..f853691908
> --- /dev/null
> +++ b/scripts/rsatoc.c
> @@ -0,0 +1,445 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * rsatoc - utility to convert an RSA key to a C struct
> + *
> + * This tool converts an RSA key given as file or PKCS#11
> + * URI to a C struct suitable to compile with barebox.
> + */
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +static int rsa_err(const char *msg)
> +{
> + unsigned long sslErr = ERR_get_error();
> +
> + fprintf(stderr, "%s", msg);
> + fprintf(stderr, ": %s\n",
> + ERR_error_string(sslErr, 0));
> +
> + return -1;
> +}
> +
> +/**
> + * rsa_pem_get_pub_key() - read a public key from a .crt file
> + *
> + * @keydir: Directory containins the key
> + * @name Name of key file (will have a .crt extension)
> + * @rsap Returns RSA object, or NULL on failure
> + * @return 0 if ok, -ve on error (in which case *rsap will be set to NULL)
> + */
> +static int rsa_pem_get_pub_key(const char *path, RSA **rsap)
> +{
> + EVP_PKEY *key;
> + X509 *cert;
> + RSA *rsa;
> + FILE *f;
> + int ret;
> +
> + *rsap = NULL;
> + f = fopen(path, "r");
> + if (!f) {
> + fprintf(stderr, "Couldn't open RSA certificate: '%s': %s\n",
> + path, strerror(errno));
> + return -EACCES;
> + }
> +
> + /* Read the certificate */
> + cert = NULL;
> + if (!PEM_read_X509(f, &cert, NULL, NULL)) {
> + rsa_err("Couldn't read certificate");
> + ret = -EINVAL;
> + goto err_cert;
> + }
> +
> + /* Get the public key from the certificate. */
> + key = X509_get_pubkey(cert);
> + if (!key) {
> + rsa_err("Couldn't read public key\n");
> + ret = -EINVAL;
> + goto err_pubkey;
> + }
> +
> + /* Convert to a RSA_style key. */
> + rsa = EVP_PKEY_get1_RSA(key);
> + if (!rsa) {
> + rsa_err("Couldn't convert to a RSA style key");
> + ret = -EINVAL;
> + goto err_rsa;
> + }
> + fclose(f);
> + EVP_PKEY_free(key);
> + X509_free(cert);
> + *rsap = rsa;
> +
> + return 0;
> +
> +err_rsa:
> + EVP_PKEY_free(key);
> +err_pubkey:
> + X509_free(cert);
> +err_cert:
> + fclose(f);
> + return ret;
> +}
> +
> +/**
> + * rsa_engine_get_pub_key() - read a public key from given engine
> + *
> + * @keydir: Key prefix
> + * @name Name of key
> + * @engine Engine to use
> + * @rsap Returns RSA object, or NULL on failure
> + * @return 0 if ok, -ve on error (in which case *rsap will be set to NULL)
> + */
> +static int rsa_engine_get_pub_key(const char *key_id,
> + ENGINE *engine, RSA **rsap)
> +{
> + EVP_PKEY *key;
> + R