Message-Id: <20170203013118.14634-1-antony@vennard.ch>
Date: Fri, 3 Feb 2017 02:31:17 +0100
From: Antony Vennard <antony@...nard.ch>
To: David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>
Cc: keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
Antony Vennard <antony@...nard.ch>
Subject: [PATCH 0/1] Load OpenSSL config if present in sign-file.c

sign-file documentation on kernel.org advertises the fact that
sign-file can use OpenSSL loadable engine support using pkcs#11 uri
syntax (rfc 7512) for loading private keys from hardware tokens, if
openssl loadable engine support is present.

Unfortunately, if openssl configuration files are not loaded there is
no way (to my knowledge) for openssl to load third party pkcs#11
libraries as specified by openssl configuration.

This patch enables loading of openssl configuration files such that,
with an appropriate OPENSSL_CONF environment variable, an openssl
config snippet such as:

    openssl_conf = openssl_init

    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_cardos

    [pkcs11_cardos]
    engine_id = pkcs11
    dynamic_path = /usr/lib64/openssl/engines/libpkcs11.so
    MODULE_PATH = /path/to/pkcs11.so

Can be used to utilize any third party PKCS#11 library for
any available hardware token. Any other engine configuration
customizations should also work. An end-user can either specify this
particular snippet with OPENSSL_CONF=/path/to/file, or they may
edit their distribution's ssl configuration file located at, for
example, /etc/pki/tls/openssl.cnf (Redhat derivatives).
Notes for reviewers:

* OPENSSL_Conf(NULL) is marked in current documentation as deprecated.
  As such I used CONF_modules_load_file in the manner OPENSSL_Conf does.

* It seemed to me that "ignore no config file, but fail if
  file found and there are parsing errors" was the most logical choice
  - this is CONF_MFLAGS_IGNORE_MISSING_FILE.

* CONF_MFLAGS_DEFAULT_SECTION and appname=NULL require the config file
  have an openssl_conf = something section as in the sample above.
  This makes sign-file act exactly like the standalone openssl utility.
  I chose this as the path of least resistance but it could be easily
  dropped to not require an explicit "openssl_conf=?" line, or we could
  select an app name.
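The following is an added example, not part of the patch or of OpenSSL: a small stand-alone model of how the config snippet above chains from the top-level `openssl_conf` key through the `engines` section to each engine's `engine_id`, `dynamic_path` and `MODULE_PATH`, and of the two behaviours the reviewer notes pick out: a missing file is tolerated only with `CONF_MFLAGS_IGNORE_MISSING_FILE`, while a file that exists but does not parse is always an error. The flag names come from the notes; their numeric values, the `ConfError` class, `parse_conf`, `load_engines` and `demo` are assumptions of this example, and the real logic lives in libcrypto's `CONF_modules_load_file`, which this does not call.

```python
"""Model of resolving an OPENSSL_CONF engine snippet (added example, not OpenSSL code)."""
import os
import tempfile

# Flag names follow the OpenSSL constants named in the cover letter; the
# numeric values are assumptions chosen for this example, not OpenSSL's.
CONF_MFLAGS_IGNORE_MISSING_FILE = 0x1
CONF_MFLAGS_DEFAULT_SECTION = 0x2

# Constructed sample config, mirroring the snippet from the cover letter.
SAMPLE_CONF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_cardos
[pkcs11_cardos]
engine_id = pkcs11
dynamic_path = /usr/lib64/openssl/engines/libpkcs11.so
MODULE_PATH = /path/to/pkcs11.so
"""


class ConfError(Exception):
    """Raised for a malformed file, or for a missing file when not ignored."""


def parse_conf(text):
    """Parse OpenSSL's INI-like syntax.  Keys before the first [section]
    header belong to the unnamed 'default' section, which is where the
    top-level 'openssl_conf = ...' line lives."""
    sections = {"default": {}}
    current = "default"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ConfError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def load_engines(path, flags):
    """Resolve openssl_conf -> engines -> per-engine sections into
    {engine_name: {engine_id, dynamic_path, ...}}.

    Missing file: tolerated only with CONF_MFLAGS_IGNORE_MISSING_FILE.
    Unparseable file: always raises ConfError.
    appname is not modelled; with CONF_MFLAGS_DEFAULT_SECTION the top-level
    'openssl_conf' key is the entry point, as in the cover letter's sample."""
    if not os.path.exists(path):
        if flags & CONF_MFLAGS_IGNORE_MISSING_FILE:
            return {}
        raise ConfError(f"config file not found: {path}")
    with open(path) as fh:
        sections = parse_conf(fh.read())    # parse errors propagate

    if not flags & CONF_MFLAGS_DEFAULT_SECTION:
        return {}                            # no entry key to start from
    init_name = sections["default"].get("openssl_conf")
    engines_name = sections.get(init_name, {}).get("engines")
    if engines_name is None:
        return {}                            # nothing to configure

    engines = {}
    for name, section_name in sections.get(engines_name, {}).items():
        engine = sections.get(section_name)
        if engine is None:
            raise ConfError(f"engine {name!r} points at missing section [{section_name}]")
        for required in ("engine_id", "dynamic_path"):
            if required not in engine:
                raise ConfError(f"[{section_name}] lacks {required}")
        engines[name] = dict(engine)
    return engines


def demo():
    """Write the constructed sample to a temporary file and resolve it."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    try:
        return load_engines(path, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, engine in demo().items():
        print(name, "->", engine["engine_id"], engine["dynamic_path"], engine.get("MODULE_PATH"))
```

Running it resolves the sample to one engine, `pkcs11`, with the `dynamic_path` of the engine shim and the `MODULE_PATH` of the vendor PKCS#11 library; pointing `load_engines` at a non-existent path returns nothing with the ignore flag set and raises without it, which is the distinction the second reviewer note draws.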

Since the certificate handling git repo appears out of date, this patch
was based on Torvalds' linux.git. If this is incorrect please let me know
and I will resubmit.

Antony Vennard (1):
Load OpenSSL config if present in sign-file.c
scripts/sign-file.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--
2.9.3