lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1431708842.4727.12.camel@infradead.org>
Date:	Fri, 15 May 2015 17:54:02 +0100
From:	David Woodhouse <David.Woodhouse@...el.com>
To:	dhowells@...hat.com
Cc:	rusty@...tcorp.com.au, mmarek@...e.cz, mjg59@...f.ucam.org,
	keyrings@...ux-nfs.org, dmitry.kasatkin@...il.com, mcgrof@...e.com,
	linux-kernel@...r.kernel.org, dhowells@...hat.com,
	seth.forshee@...onical.com, linux-security-module@...r.kernel.org
Subject: [PATCH 4/4] modsign: Allow signing key to be PKCS#11

This is only the key; the corresponding *cert* still needs to be in
$(topdir)/signing_key.x509

Signed-off-by: David Woodhouse <David.Woodhouse@...el.com>
---
 scripts/sign-file.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 9a54acc..3a923e4 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -22,6 +22,7 @@
 #include <openssl/pem.h>
 #include <openssl/pkcs7.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 
 struct module_signature {
        uint8_t         algo;           /* Public-key crypto algorithm [0] */
@@ -166,11 +167,29 @@ int main(int argc, char **argv)
        /* Read the private key and the X.509 cert the PKCS#7 message
         * will point to.
         */
-       b = BIO_new_file(private_key_name, "rb");
-       ERR(!b, "%s", private_key_name);
-       private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
-       ERR(!private_key, "%s", private_key_name);
-       BIO_free(b);
+       if (!strncmp(private_key_name, "pkcs11:", 7)) {
+               ENGINE *e;
+
+               ENGINE_load_builtin_engines();
+               drain_openssl_errors();
+               e = ENGINE_by_id("pkcs11");
+               ERR(!e, "Load PKCS#11 ENGINE");
+               if (ENGINE_init(e))
+                       drain_openssl_errors();
+               else
+                       ERR(1, "ENGINE_init");
+               if (key_pass)
+                       ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+               private_key = ENGINE_load_private_key(e, private_key_name, NULL,
+                                                     NULL);
+               ERR(!private_key, "%s", private_key_name);
+       } else {
+               b = BIO_new_file(private_key_name, "rb");
+               ERR(!b, "%s", private_key_name);
+               private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
+               ERR(!private_key, "%s", private_key_name);
+               BIO_free(b);
+       }
 
        b = BIO_new_file(x509_name, "rb");
        ERR(!b, "%s", x509_name);
-- 
2.4.0

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation

Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (5691 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ