Stefan,

On Tue, May 04, 2021 at 09:38:06AM -0400, Stefan Berger wrote:
> On 5/4/21 12:33 AM, Vitaly Chikunov wrote:
> > Allow to have certificate appended to the private key of `--key'
> > specified (PEM) file (for v2 signing) to facilitate reading of keyid
> > from the associated cert. This will allow users to have private and
> > public key as a single file. There is no check that public key from the
> > cert matches associated private key.
> >
> > Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
> > ---
> >  README          |  2 ++
> >  src/libimaevm.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++---
> >  2 files changed, 49 insertions(+), 3 deletions(-)
> >
> > diff --git a/README b/README > > index 0e1f6ba..2c21ba6 100644 > > --- a/README > > +++ b/README > > @@ -127,6 +127,8 @@ for signing and importing the key. > > Second key format uses X509 DER encoded public key certificates and uses asymmetric key support > > in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default). > > +For v2 signatures x509 certificate with the public key could be appended to the private > > +key (both are in PEM format) to properly determine its Subject Key Identifier SKID. > > Integrity keyrings > > ---------------- > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index 481d29d..3607a76 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -57,6 +57,7 @@ > > #include <openssl/pem.h> > > #include <openssl/evp.h> > > #include <openssl/x509.h> > > +#include <openssl/x509v3.h> > > #include <openssl/err.h> > > #include "imaevm.h"
> > @@ -748,6 +749,47 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) > > X509_PUBKEY_free(pk); > > } > > +/* Try to read keyid from key file (in case it have appended cert). */ > > +static int read_keyid(const char *keyfile, uint32_t *keyid) > > +{ > >
>
> So the private key is assumed to be in PEM format.

Yes, even though README says something different.

> I suppose if there's an
> appended X509 in the private key file as well then only one function should
> be necessary to extract the x509 cert from the files. That function should
> be able to handle PEM and DER format at the same time. Have you tried
> extracting the x509 cert from the private key file using that other function
> in 2/3 yet?

Excuse me, I don't understand what you are talking about in this note.
2/3 does not read private keys. Where and why should there be one
function? And what other function?

Thanks,
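Review bot: in the README hunk, the added sentence says the private key and the certificate are "both in PEM format", which contradicts the paragraph immediately above it that describes the second key format as "X509 DER encoded"; say explicitly that the appended-certificate form only works when the `--key' file is PEM, which is what the commit message and read_keyid() assume. The README should also state the limitation the commit message admits, that nothing verifies the appended certificate's public key against the private key, or better, the limitation should go away by calling X509_check_private_key() on the pair and rejecting the file on mismatch, since a mismatched pair produces a keyid that does not belong to the key that actually signs. Wording: "x509 certificate with the public key could be appended" reads better as "an X.509 certificate carrying the public key may be appended", and "Subject Key Identifier SKID" as "Subject Key Identifier (SKID)".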
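Review bot: the comment above read_keyid() in the libimaevm.c hunk should document what the function assumes and what its int result means: that keyfile is opened as PEM and searched for a certificate after the private key (the README text a few lines up describes DER for this key format, so readers will expect DER to work here too), and how a file with no appended certificate is distinguished from a file that cannot be read at all, so that the caller can fall back to calc_keyid_v2() only in the first case. Grammar: "in case it have appended cert" should be "in case it has a certificate appended".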