On Wed, May 13, 2020 at 5:26 AM Bastian Krause <[email protected]> wrote: > > From: Jan Luebbe <[email protected]> > > If "object=" is specified in "keydir" when using the pkcs11 engine do > not append another "object=<key-name-hint>". This makes it possible to > use object names other than the key name hint. These two string > identifiers are not necessarily equal. > > Signed-off-by: Jan Luebbe <[email protected]> > Signed-off-by: Bastian Krause <[email protected]>
Looks good to me. Reviewed-by: George McCollister <[email protected]> > --- > Note: we could also check if keydir starts with "pkcs11:" and append > ";type=public|private". That would allow passing complete PKCS#11 URIs > which is somewhat nicer. > --- > doc/uImage.FIT/signature.txt | 8 +++++--- > lib/rsa/rsa-sign.c | 22 ++++++++++++++++------ > 2 files changed, 21 insertions(+), 9 deletions(-) > > diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt > index 3591225a6e..d4afd755e9 100644 > --- a/doc/uImage.FIT/signature.txt > +++ b/doc/uImage.FIT/signature.txt > @@ -481,12 +481,14 @@ openssl. This may require setting up LD_LIBRARY_PATH if > engine is not installed > to openssl's default search paths. > > PKCS11 engine support forms "key id" based on "keydir" and with > -"key-name-hint". "key-name-hint" is used as "object" name and "keydir" if > -defined is used to define (prefix for) which PKCS11 source is being used for > -lookup up for the key. > +"key-name-hint". "key-name-hint" is used as "object" name (if not defined in > +keydir). "keydir" (if defined) is used to define (prefix for) which PKCS11 > source > +is being used for lookup up for the key. > > PKCS11 engine key ids: > "pkcs11:<keydir>;object=<key-name-hint>;type=<public|private>" > +or, if keydir contains "object=" > + "pkcs11:<keydir>;type=<public|private>" > or > "pkcs11:object=<key-name-hint>;type=<public|private>", > > diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c > index 580c744709..1914b96413 100644 > --- a/lib/rsa/rsa-sign.c > +++ b/lib/rsa/rsa-sign.c 
> @@ -135,9 +135,14 @@ static int rsa_engine_get_pub_key(const char *keydir, > const char *name, > > if (engine_id && !strcmp(engine_id, "pkcs11")) { > if (keydir) > - snprintf(key_id, sizeof(key_id), > - "pkcs11:%s;object=%s;type=public", > - keydir, name); > + if (strstr(keydir, "object=")) > + snprintf(key_id, sizeof(key_id), > + "pkcs11:%s;type=public", > + keydir); > + else > + snprintf(key_id, sizeof(key_id), > + "pkcs11:%s;object=%s;type=public", > + keydir, name); > else > snprintf(key_id, sizeof(key_id), > "pkcs11:object=%s;type=public", > @@ -255,9 +260,14 @@ static int rsa_engine_get_priv_key(const char *keydir, > const char *name, > > if (engine_id && !strcmp(engine_id, "pkcs11")) { > if (keydir) > - snprintf(key_id, sizeof(key_id), > - "pkcs11:%s;object=%s;type=private", > - keydir, name); > + if (strstr(keydir, "object=")) > + snprintf(key_id, sizeof(key_id), > + "pkcs11:%s;type=private", > + keydir); > + else > + snprintf(key_id, sizeof(key_id), > + "pkcs11:%s;object=%s;type=private", > + keydir, name); > else > snprintf(key_id, sizeof(key_id), > "pkcs11:object=%s;type=private", > -- > 2.26.2 >
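Review bot: in the doc/uImage.FIT/signature.txt hunk, the rewritten sentence carries the pre-existing typo forward ("is being used for lookup up for the key"); since the line is touched anyway, make it "is being used for looking up the key". The same paragraph should also say that the "object=" check is a plain substring match on keydir (as the strstr() calls in the rsa-sign.c hunks show), so a reader knows that any keydir containing that text suppresses the "object=<key-name-hint>" part, and the new "or, if keydir contains "object="" example should show the ';' placement, e.g. "pkcs11:token=foo;object=bar;type=private".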
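Review bot: in the rsa_engine_get_pub_key() hunk the new inner if/else is placed under `if (keydir)` without braces, so the outer `else` now follows a multi-line nested body and only binds correctly because of dangling-else rules; this is fragile and checkpatch will complain about it. Add braces to the outer conditional: `if (keydir) {` ... `} else {` ... `}`. Separately, `strstr(keydir, "object=")` matches the attribute anywhere in the string, including inside another attribute's value; if that is acceptable, say so in a comment, otherwise only accept "object=" at the start of keydir or directly after a ';'.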
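Review bot: the rsa_engine_get_priv_key() hunk has the same brace-less nested if/else under `if (keydir)` as the public-key hunk and should get the same `{ ... }` treatment. Beyond that, the key_id construction is now duplicated line for line between the two functions, differing only in the "public"/"private" suffix; a small helper that takes keydir, name and the type string and fills key_id would keep the two paths from drifting, and would also be the single place to extend if the full "pkcs11:" URI handling mentioned in the cover note is added later.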

