dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-28 06:33:36 +02:00
Code Releases Activity

libimaevm: Add support for pkcs11 private keys for signing a v2 hash

Browse Source 
Add support for pkcs11 private keys for signing a v2 hash.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Stefan Berger 2021-09-13 18:18:10 -04:00 committed by Mimi Zohar
parent 3b32acbc7d
commit 6350e014a8
3 changed files with 38 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README
View File

@ -48,6 +48,7 @@ OPTIONS
--xattr-user store xattrs in user namespace (for testing purposes) --xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1 --rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem) -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
or a pkcs11 URI
--keyid n overwrite signature keyid with a 32-bit value in hex (for signing) --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
--keyid-from-cert file --keyid-from-cert file
read keyid value from SKID of a x509 cert file read keyid value from SKID of a x509 cert file

1
src/evmctl.c
View File

@ -2507,6 +2507,7 @@ static void usage(void)
" --xattr-user store xattrs in user namespace (for testing purposes)\n" " --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n" " --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n" " -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
" or a pkcs11 URI\n"
" --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n" " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
" --keyid-from-cert file\n" " --keyid-from-cert file\n"
" read keyid value from SKID of a x509 cert file\n" " read keyid value from SKID of a x509 cert file\n"

25
src/libimaevm.c
View File

@ -60,6 +60,7 @@
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/engine.h>
#include "imaevm.h" #include "imaevm.h"
#include "hash_info.h" #include "hash_info.h"
@ -804,6 +805,24 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
FILE *fp; FILE *fp;
EVP_PKEY *pkey; EVP_PKEY *pkey;
if (!strncmp(keyfile, "pkcs11:", 7)) {
if (!imaevm_params.keyid) {
log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
return NULL;
}
if (keypass) {
if (!ENGINE_ctrl_cmd_string(imaevm_params.eng, "PIN", keypass, 0)) {
log_err("Failed to set the PIN for the private key\n");
goto err_engine;
}
}
pkey = ENGINE_load_private_key(imaevm_params.eng, keyfile, NULL, NULL);
if (!pkey) {
log_err("Failed to load private key %s\n", keyfile);
goto err_engine;
}
} else {
fp = fopen(keyfile, "r"); fp = fopen(keyfile, "r");
if (!fp) { if (!fp) {
log_err("Failed to open keyfile: %s\n", keyfile); log_err("Failed to open keyfile: %s\n", keyfile);
@ -817,7 +836,13 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
} }
fclose(fp); fclose(fp);
}
return pkey; return pkey;
err_engine:
output_openssl_errors();
return NULL;
} }
static RSA *read_priv_key(const char *keyfile, const char *keypass) static RSA *read_priv_key(const char *keyfile, const char *keypass)