Re: [PATCH 2/5] scripts: Add rsatoc tool

2019-10-15 Thread Ahmad Fatoum
On 10/15/19 3:15 PM, Sascha Hauer wrote:
> On Tue, Oct 15, 2019 at 12:21:31PM +0200, Ahmad Fatoum wrote:
>> Hello Sascha,
>>
>> On 10/15/19 9:55 AM, Sascha Hauer wrote:
>>> The rsatoc tool converts rsa public keys into C structs suitable to
>>> compile with barebox. Most of the openssl rsa related stuff has been
>>> taken from the U-Boot mkimage tool.
>>
>> I don't have any FIT image or RSA options enabled, yet my build fails now 
>> with:
>>
>>   RSAKEY  crypto/rsa-keys.h  
>>
>> /bin/sh: 1: ./scripts/rsatoc: not found   
>> ./crypto/Makefile:27: recipe for target 'crypto/rsa-keys.h' failed
>> make[2]: *** [crypto/rsa-keys.h] Error 127   
>>
>> ./Makefile:802: recipe for target 'crypto' failed 
>> make[1]: *** [crypto] Error 2
>>   
> 
> Try again.

Works, thanks.

> 
> Sascha
> 


-- 
Pengutronix e.K.   | |
Industrial Linux Solutions | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0|
Amtsgericht Hildesheim, HRA 2686   | Fax:   +49-5121-206917- |

___
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


Re: [PATCH 2/5] scripts: Add rsatoc tool

2019-10-15 Thread Sascha Hauer
On Tue, Oct 15, 2019 at 12:21:31PM +0200, Ahmad Fatoum wrote:
> Hello Sascha,
> 
> On 10/15/19 9:55 AM, Sascha Hauer wrote:
> > The rsatoc tool converts rsa public keys into C structs suitable to
> > compile with barebox. Most of the openssl rsa related stuff has been
> > taken from the U-Boot mkimage tool.
> 
> I don't have any FIT image or RSA options enabled, yet my build fails now 
> with:
> 
>   RSAKEY  crypto/rsa-keys.h   
>   
> /bin/sh: 1: ./scripts/rsatoc: not found   
> ./crypto/Makefile:27: recipe for target 'crypto/rsa-keys.h' failed
> make[2]: *** [crypto/rsa-keys.h] Error 127
>   
> ./Makefile:802: recipe for target 'crypto' failed 
> make[1]: *** [crypto] Error 2 
>  

Try again.

Sascha



Re: [PATCH 2/5] scripts: Add rsatoc tool

2019-10-15 Thread Ahmad Fatoum
Hello Sascha,

On 10/15/19 9:55 AM, Sascha Hauer wrote:
> The rsatoc tool converts rsa public keys into C structs suitable to
> compile with barebox. Most of the openssl rsa related stuff has been
> taken from the U-Boot mkimage tool.

I don't have any FIT image or RSA options enabled, yet my build fails now with:

  RSAKEY  crypto/rsa-keys.h 

/bin/sh: 1: ./scripts/rsatoc: not found   
./crypto/Makefile:27: recipe for target 'crypto/rsa-keys.h' failed
make[2]: *** [crypto/rsa-keys.h] Error 127  

./Makefile:802: recipe for target 'crypto' failed 
make[1]: *** [crypto] Error 2   


Cheers
Ahmad

> 
> Signed-off-by: Sascha Hauer 
> ---
>  scripts/.gitignore |   1 +
>  scripts/Makefile   |   3 +
>  scripts/rsatoc.c   | 445 +
>  3 files changed, 449 insertions(+)
>  create mode 100644 scripts/rsatoc.c
> 
> diff --git a/scripts/.gitignore b/scripts/.gitignore
> index 45c81bf8f4..76ea271abb 100644
> --- a/scripts/.gitignore
> +++ b/scripts/.gitignore
> @@ -29,3 +29,4 @@ mxs-usb-loader
>  omap4_usbboot
>  omap3-usb-loader
>  mips-relocs
> +rsatoc
> diff --git a/scripts/Makefile b/scripts/Makefile
> index dffab53c73..81d1a501b0 100644
> --- a/scripts/Makefile
> +++ b/scripts/Makefile
> @@ -10,6 +10,9 @@ hostprogs-y  += fix_size
>  hostprogs-y  += bareboxenv
>  hostprogs-y  += bareboxcrc32
>  hostprogs-y  += kernel-install
> +hostprogs-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsatoc
> +HOSTCFLAGS_rsatoc = `pkg-config --cflags openssl`
> +HOSTLDLIBS_rsatoc = `pkg-config --libs openssl`
>  hostprogs-$(CONFIG_IMD)  += bareboximd
>  hostprogs-$(CONFIG_KALLSYMS) += kallsyms
>  hostprogs-$(CONFIG_MIPS) += mips-relocs
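Review bot: The hostprog is only built when CONFIG_CRYPTO_RSA_BUILTIN_KEYS is set (`hostprogs-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsatoc`), yet the build failure reported above shows crypto/Makefile:27 running `./scripts/rsatoc` in a configuration with no RSA options enabled, so the rule generating crypto/rsa-keys.h must be guarded by the same symbol (or rsatoc built unconditionally). Also, the backtick `pkg-config --cflags openssl` / `pkg-config --libs openssl` expansions silently become empty when pkg-config or the openssl .pc file is missing, which turns a clear "OpenSSL development files not found" into an obscure compile or link error; checking for the package explicitly, or at least using `$(shell ...)` so the result is visible at Makefile evaluation time, would make that failure mode easier to diagnose.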
> diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
> new file mode 100644
> index 00..f853691908
> --- /dev/null
> +++ b/scripts/rsatoc.c
> @@ -0,0 +1,445 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * rsatoc - utility to convert an RSA key to a C struct
> + *
> + * This tool converts an RSA key given as file or PKCS#11
> + * URI to a C struct suitable to compile with barebox.
> + */
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +static int rsa_err(const char *msg)
> +{
> + unsigned long sslErr = ERR_get_error();
> +
> + fprintf(stderr, "%s", msg);
> + fprintf(stderr, ": %s\n",
> + ERR_error_string(sslErr, 0));
> +
> + return -1;
> +}
> +
> +/**
> + * rsa_pem_get_pub_key() - read a public key from a .crt file
> + *
> + * @keydir:  Directory containins the key
> + * @name Name of key file (will have a .crt extension)
> + * @rsap Returns RSA object, or NULL on failure
> + * @return 0 if ok, -ve on error (in which case *rsap will be set to NULL)
> + */
> +static int rsa_pem_get_pub_key(const char *path, RSA **rsap)
> +{
> + EVP_PKEY *key;
> + X509 *cert;
> + RSA *rsa;
> + FILE *f;
> + int ret;
> +
> + *rsap = NULL;
> + f = fopen(path, "r");
> + if (!f) {
> + fprintf(stderr, "Couldn't open RSA certificate: '%s': %s\n",
> + path, strerror(errno));
> + return -EACCES;
> + }
> +
> + /* Read the certificate */
> + cert = NULL;
> + if (!PEM_read_X509(f, &cert, NULL, NULL)) {
> + rsa_err("Couldn't read certificate");
> + ret = -EINVAL;
> + goto err_cert;
> + }
> +
> + /* Get the public key from the certificate. */
> + key = X509_get_pubkey(cert);
> + if (!key) {
> + rsa_err("Couldn't read public key\n");
> + ret = -EINVAL;
> + goto err_pubkey;
> + }
> +
> + /* Convert to a RSA_style key. */
> + rsa = EVP_PKEY_get1_RSA(key);
> + if (!rsa) {
> + rsa_err("Couldn't convert to a RSA style key");
> + ret = -EINVAL;
> + goto err_rsa;
> + }
> + fclose(f);
> + EVP_PKEY_free(key);
> + X509_free(cert);
> + *rsap = rsa;
> +
> + return 0;
> +
> +err_rsa:
> + EVP_PKEY_free(key);
> +err_pubkey:
> + X509_free(cert);
> +err_cert:
> + fclose(f);
> + return ret;
> +}
> +
> +/**
> + * rsa_engine_get_pub_key() - read a public key from given engine
> + *
> + * @keydir:  Key prefix
> + * @name Name of key
> + * @engine   Engine to use
> + * @rsap Returns RSA object, or NULL on failure
> + * @return 0 if ok, -ve on error (in which case *rsap will be set to NULL)
> + */
> +static int rsa_engine_get_pub_key(const char *key_id,
> +   ENGINE *engine, RSA **rsap)
> +{
> + EVP_PKEY *key;
> + R
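Review bot: The kerneldoc for rsa_pem_get_pub_key() documents `@keydir` and `@name` but the function takes a single `const char *path`, and rsa_engine_get_pub_key() likewise documents `@keydir`/`@name` while its parameter is `key_id`; the comments were carried over from the mkimage code and should be updated to match the new signatures. Two smaller points in the same hunk: `rsa_err("Couldn't read public key\n")` embeds a newline although rsa_err() itself appends `": %s\n"` with the OpenSSL error string, so that message prints split across two lines (drop the `\n`); and the fopen() failure path always returns -EACCES regardless of the actual errno, so returning `-errno` would give callers the real reason (ENOENT vs. EACCES) that the message already prints via strerror().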