Add support for passing the private key password to sign_hash()

evmctl defines the "--pass | -p" command line option for providing the private key's password. The password is then stored in a global variable accessible by the sign_hash_XXXX() functions. This patch modifies the arguments to the library sign_hash() function to include the password, allowing callers to specify the private key password. Changelog: - add library init to call OpenSSL_add_all_algorithms Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
2015-07-03 09:13:58 -04:00 · 2015-07-03 09:13:58 -04:00 · 6a712b3b38
commit 6a712b3b38
parent 17f49a1881
3 changed files with 25 additions and 10 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -448,7 +448,7 @@ static int sign_evm(const char *file, const char *key)
 	if (len <= 1)
 		return len;
-	len = sign_hash("sha1", hash, len, key, sig + 1);
+	len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
 	if (len <= 1)
 		return len;
@ -521,7 +521,7 @@ static int sign_ima(const char *file, const char *key)
 	if (len <= 1)
 		return len;
-	len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
+	len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
 	if (len <= 1)
 		return len;
@ -644,7 +644,7 @@ static int cmd_sign_hash(struct command *cmd)
 		hex2bin(hash, line, hashlen);
 		siglen = sign_hash(params.hash_algo, hash, hashlen/2,
-				 key, sig + 1);
+				 key, NULL, sig + 1);
 		if (siglen <= 1)
 			return siglen;
@ -1586,9 +1586,6 @@ int main(int argc, char *argv[])
 		}
 	}
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 	if (argv[optind] == NULL)
 		usage();
 	else
--- a/src/imaevm.h
+++ b/src/imaevm.h
@ -201,7 +201,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
 int key2bin(RSA *key, unsigned char *pub);
-int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, char *keypass, unsigned char *sig);
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -53,6 +53,7 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/err.h>
 #include "imaevm.h"
@ -130,6 +131,8 @@ struct libevm_params params = {
 	.hash_algo = "sha1",
 };
 static void __attribute__ ((constructor)) libinit(void);
 void do_dump(FILE *fp, const void *ptr, int len, bool cr)
 {
 	int i;
@ -618,9 +621,14 @@ static RSA *read_priv_key(const char *keyfile, char *keypass)
 		log_err("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
 	ERR_load_crypto_strings();
 	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
-	if (!key)
+	if (!key) {
-		log_err("PEM_read_RSAPrivateKey() failed\n");
+		char str[256];
 		ERR_error_string(ERR_get_error(), str);
 		log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
 	}
 	fclose(fp);
 	return key;
@ -786,8 +794,18 @@ out:
 	return len;
 }
-int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
+
 int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, char *keypass, unsigned char *sig)
 {
 	if (keypass)
 		params.keypass = keypass;
 	return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
 			     sign_hash_v1(hashalgo, hash, size, keyfile, sig);
 }
 static void libinit()
 {
 	OpenSSL_add_all_algorithms();
 	ERR_load_crypto_strings();
 }