From: Jes Sorensen <jsorensen@xxxxxx>
This splits cmd_sign() into a gen_digest() and a sign_digest() function, and fixes fsverity.c to use them appropriately.
---
cmd_sign.c | 50 +++++++++++++++++++++++++++++++++-----------------
fsverity.c | 8 ++++++--
fsverity.h | 13 ++++++++-----
3 files changed, 47 insertions(+), 24 deletions(-)
diff --git a/cmd_sign.c b/cmd_sign.c
index a0bd168..ba68243 100644
--- a/cmd_sign.c
+++ b/cmd_sign.c
@@ -481,12 +481,11 @@ out:
 return ok;
 }
-/* Sign a file for fs-verity by computing its measurement, then signing it. */
-int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
- u32 block_size, u8 *salt, u32 salt_size,
- const char *keyfile, const char *certfile,
- struct fsverity_signed_digest **retdigest,
- u8 **sig, u32 *sig_size)
+/* Generate the fsverity digest computing its measurement. */
+int fsverity_cmd_gen_digest(char *filename,
+ const struct fsverity_hash_alg *hash_alg,
+ u32 block_size, u8 *salt, u32 salt_size,
+ struct fsverity_signed_digest **retdigest)
 {
 struct fsverity_signed_digest *digest = NULL;
 int status;
@@ -499,13 +498,6 @@ int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
 if (block_size == 0)
 block_size = fsverity_get_default_block_size();
- if (keyfile == NULL) {
- status = -EINVAL;
- goto out;
- }
- if (certfile == NULL)
- certfile = keyfile;
-
 digest = xzalloc(sizeof(*digest) + hash_alg->digest_size);
 memcpy(digest->magic, "FSVerity", 8);
 digest->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
@@ -515,10 +507,6 @@ int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
 salt, salt_size, digest->digest))
 goto out_err;
- if (!sign_data(digest, sizeof(*digest) + hash_alg->digest_size,
- keyfile, certfile, hash_alg, sig, sig_size))
- goto out_err;
-
 *retdigest = digest;
 status = 0;
 out:
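Review bot: The new header comment `/* Generate the fsverity digest computing its measurement. */` above fsverity_cmd_gen_digest() leaves out what a caller of the split API now needs to know: `*retdigest` is allocated with xzalloc() inside this function (context line in the hunk at -499) and is handed over to the caller, presumably to free, and the structure records the hash algorithm it was built with, which the separate signing step has to be given again. Suggested wording: `/* Compute a file's fs-verity measurement and return it in a newly allocated fsverity_signed_digest; the caller owns *retdigest and must pass the same hash_alg to fsverity_cmd_sign_digest(). */`. The prototypes added to fsverity.h carry no comment either, so the same sentence belongs there. The function body continues past the end of this hunk.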
@@ -529,3 +517,31 @@ out_err:
 goto out;
 }
+
+/* Sign a pre-generated fsverity_signed_digest structure */
+int fsverity_cmd_sign_digest(struct fsverity_signed_digest *digest,
+ const struct fsverity_hash_alg *hash_alg,
+ const char *keyfile, const char *certfile,
+ u8 **sig, u32 *sig_size)
+{
+ int status;
+
+ if (keyfile == NULL) {
+ status = -EINVAL;
+ goto out;
+ }
+ if (certfile == NULL)
+ certfile = keyfile;
+
+ if (!sign_data(digest, sizeof(*digest) + hash_alg->digest_size,
+ keyfile, certfile, hash_alg, sig, sig_size))
+ goto out_err;
+
+ status = 0;
+ out:
+ return status;
+
+ out_err:
+ status = 1;
+ goto out;
+}
diff --git a/fsverity.c b/fsverity.c
index 45bf0cc..3fcafcb 100644
--- a/fsverity.c
+++ b/fsverity.c
@@ -188,8 +188,12 @@ int wrap_cmd_sign(const struct fsverity_command *cmd, int argc, char *argv[])
 if (argc != 2)
 goto out_usage;
- status = fsverity_cmd_sign(argv[0], hash_alg, block_size, salt, salt_size,
- keyfile, certfile, &digest, &sig, &sig_size);
+ status = fsverity_cmd_gen_digest(argv[0], hash_alg, block_size,
+ salt, salt_size, &digest);
+ if (status)
+ goto out_usage;
+ status = fsverity_cmd_sign_digest(digest, hash_alg, keyfile, certfile,
+ &sig, &sig_size);
 if (status == -EINVAL)
 goto out_usage;
 if (status != 0)
diff --git a/fsverity.h b/fsverity.h
index bb2f337..695bdac 100644
--- a/fsverity.h
+++ b/fsverity.h
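Review bot: fsverity_cmd_sign_digest() hands `sizeof(*digest) + hash_alg->digest_size` to sign_data() without checking that `digest` and `hash_alg` are non-NULL or that they belong together; now that generation and signing are separate entry points, a caller that signs with a hash_alg whose digest_size is larger than the one the digest was generated with lets sign_data() read past the buffer xzalloc()'d in fsverity_cmd_gen_digest(). The structure already records its algorithm (`digest->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs)`, a context line in the hunk at -499), so the guard is cheap: `if (digest == NULL || hash_alg == NULL || digest->digest_algorithm != cpu_to_le16(hash_alg - fsverity_hash_algs)) { status = -EINVAL; goto out; }` placed before the keyfile test. The mixed -EINVAL/1 return convention is inherited from the old function but is not stated anywhere; the header comment should say so, e.g. `/* Sign a digest produced by fsverity_cmd_gen_digest() with the same hash_alg; returns 0 on success, -EINVAL on a missing key or mismatched digest, 1 if signing fails. */`.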
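Review bot: `if (status) goto out_usage;` after the fsverity_cmd_gen_digest() call turns every digest-generation failure (unreadable file, hashing error) into a usage message, whereas the removed single call and the sign step just below treat only -EINVAL as a usage error; keep the two-branch form used for the sign result, `if (status == -EINVAL) goto out_usage;` followed by the same non-zero handling as for the sign step. Separately, the old function rejected a NULL keyfile before computing the measurement (hunk at -499), while the new order hashes the whole file first and only then lets fsverity_cmd_sign_digest() return -EINVAL, so a missing key option is reported only after a potentially long measurement; checking keyfile before the gen_digest call restores the old behaviour. Whether `digest` is released when the sign step fails cannot be seen here; wrap_cmd_sign() starts and ends outside the hunk.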
@@ -26,10 +26,13 @@ u32 fsverity_get_default_block_size(void);
 int fsverity_cmd_enable(char *filename, struct fsverity_enable_arg *arg);
 int fsverity_cmd_measure(char *filename, struct fsverity_digest *d);
-int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
- u32 block_size, u8 *salt, u32 salt_size,
- const char *keyfile, const char *certfile,
- struct fsverity_signed_digest **retdigest,
- u8 **sig, u32 *sig_size);
+int fsverity_cmd_gen_digest(char *filename,
+ const struct fsverity_hash_alg *hash_alg,
+ u32 block_size, u8 *salt, u32 salt_size,
+ struct fsverity_signed_digest **retdigest);
+int fsverity_cmd_sign_digest(struct fsverity_signed_digest *digest,
+ const struct fsverity_hash_alg *hash_alg,
+ const char *keyfile, const char *certfile,
+ u8 **sig, u32 *sig_size);
 #endif /* COMMANDS_H */
--
2.24.1