Stefan,

On Tue, May 04, 2021 at 09:04:44PM -0400, Stefan Berger wrote:
> On 5/4/21 6:27 PM, Vitaly Chikunov wrote:
> > On Tue, May 04, 2021 at 09:38:06AM -0400, Stefan Berger wrote:
> > > On 5/4/21 12:33 AM, Vitaly Chikunov wrote:
> > > > Allow a certificate to be appended to the private key of the `--key'
> > > > specified (PEM) file (for v2 signing) to facilitate reading of keyid
> > > > from the associated cert. This will allow users to have private and
> > > > public key as a single file. There is no check that public key from the
> > > > cert matches associated private key.
> > > >
> > > > Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
> > > > ---
> > > >  README          |  2 ++
> > > >  src/libimaevm.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++---
> > > >  2 files changed, 49 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/README b/README
> > > > index 0e1f6ba..2c21ba6 100644
> > > > --- a/README
> > > > +++ b/README
> > > > @@ -127,6 +127,8 @@ for signing and importing the key.
> > > >  Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
> > > >  in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
> > > > +For v2 signatures x509 certificate with the public key could be appended to the private
> > > > +key (both are in PEM format) to properly determine its Subject Key Identifier SKID.
> > > >
> > > >  Integrity keyrings
> > > >  ----------------
> > > > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > > > index 481d29d..3607a76 100644
> > > > --- a/src/libimaevm.c
> > > > +++ b/src/libimaevm.c
> > > > @@ -57,6 +57,7 @@
> > > >  #include <openssl/pem.h>
> > > >  #include <openssl/evp.h>
> > > >  #include <openssl/x509.h>
> > > > +#include <openssl/x509v3.h>
> > > >  #include <openssl/err.h>
> > > >  #include "imaevm.h"
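Review bot: the README hunk should state the caveat the commit message admits, that nothing verifies the appended certificate's public key belongs to the private key in the same file, since a stale or wrong certificate then silently yields a wrong keyid in every v2 signature; the added sentence also needs an article and parentheses, e.g. "For v2 signatures an x509 certificate with the public key can be appended to the private key (both in PEM format) so that its Subject Key Identifier (SKID) can be determined."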
> > > > @@ -748,6 +749,47 @@ void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
> > > >  	X509_PUBKEY_free(pk);
> > > >  }
> > > >
> > > > +/* Try to read keyid from key file (in case it have appended cert). */
> > > > +static int read_keyid(const char *keyfile, uint32_t *keyid)
> > > > +{
> > >
> > > So the private key is assumed to be in PEM format.
> >
> > Yes, even though README says something different.
> >
> > > I suppose if there's an
> > > appended X509 in the private key file as well then only one function should
> > > be necessary to extract the x509 cert from the files. That function should
> > > be able to handle PEM and DER format at the same time. Have you tried
> > > extracting the x509 cert from the private key file using that other function
> > > in 2/3 yet?
> >
> > Excuse me, I don't understand what you are talking about in this note.
> > 2/3 does not read private keys. Where and why should there be one function?
> > And what other function?
>
> It should be possible to combine your functions extract_keyid (2/3) and
> read_keyid (3/3) into a single function that can handle PEM files containing
> X509 certs as well as DER files. It's two times very similar code and the
> function that can handle DER and PEM should be able to handle PEM files with
> private keys + X509 certs.

I see. There should be a very generic function that can read fd, FILE, bio, and
memory region, and also can parse DER, PEM, and combined PEMs.

Thanks,
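As an added illustration (not code from this thread or from ima-evm-utils), here is the single-entry-point idea discussed above in Python, using a small hand-rolled DER walk instead of OpenSSL: accept a bare DER certificate, a PEM certificate, or a PEM private key with a certificate appended, skip the key block, and derive the keyid from the SKID. The sample key file, the stand-in "certificate" (only the SKID extension), and the "last 4 bytes of the SKID" keyid rule are assumptions constructed here.

```python
import base64, re
# Constructed stand-in for a certificate: only the extension this code cares about, i.e.
# SEQUENCE { SEQUENCE { OID 2.5.29.14 (subjectKeyIdentifier), OCTET STRING { OCTET STRING skid } } }
SKID = bytes(range(0x10, 0x24))  # 20 constructed bytes, not a real key hash
def _tlv(tag, body):  # DER TLV helper; short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
FAKE_CERT_DER = _tlv(0x30, _tlv(0x30, _tlv(0x06, b"\x55\x1d\x0e") + _tlv(0x04, _tlv(0x04, SKID))))
def pem_block(label, der):
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"
# Constructed "combined" key file: a dummy private key block followed by the certificate block.
COMBINED_PEM = pem_block(b"PRIVATE KEY", b"\x30\x03\x02\x01\x00") + pem_block(b"CERTIFICATE", FAKE_CERT_DER)

def der_walk(buf):
    """Yield (tag, value) for every TLV in buf, descending into constructed types."""
    i = 0
    while i + 2 <= len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:  # long-form length: low bits give the number of length octets
            n = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + n], "big"), j + n
        val = buf[j:j + ln]
        yield tag, val
        if tag & 0x20:  # constructed (SEQUENCE, SET, explicit tags): recurse
            yield from der_walk(val)
        i = j + ln

def skid_from_der(der):
    """Return the SubjectKeyIdentifier octets, or None if no such extension is present."""
    items = list(der_walk(der))
    for k, (tag, val) in enumerate(items):
        if tag == 0x06 and val == b"\x55\x1d\x0e":  # OID 2.5.29.14 found
            k += 1
            if k < len(items) and items[k][0] == 0x01:  # optional 'critical' BOOLEAN
                k += 1
            if k < len(items) and items[k][0] == 0x04:  # extnValue OCTET STRING wraps the SKID
                return next(der_walk(items[k][1]))[1]
    return None

def cert_der_from_file(data):
    """Accept a bare DER cert, a PEM cert, or a PEM private key with an appended cert."""
    if data[:1] == b"\x30":  # DER SEQUENCE tag: treat the whole file as DER
        return data
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else None  # other PEM blocks (keys) are ignored

def keyid_from_keyfile(data):
    """Keyid = last 4 bytes of the SKID, big-endian (assumed convention); None if absent. No key/cert match check."""
    der = cert_der_from_file(data)
    skid = skid_from_der(der) if der else None
    return int.from_bytes(skid[-4:], "big") if skid else None
```

The key-only file case returns None rather than a keyid, which is the point at which a real tool should fall back to computing the keyid from the public key itself.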