Mimi,
On Mon, Jul 05, 2021 at 03:59:02PM -0400, Mimi Zohar wrote:
> On Thu, 2021-07-01 at 04:13 +0300, Vitaly Chikunov wrote:
>
> > @@ -2805,6 +2811,14 @@ int main(int argc, char *argv[])
> > }
> > imaevm_params.keyid = keyid;
> > break;
> > + case 145:
> > + keyid = imaevm_read_keyid(optarg);
> > + if (keyid == 0) {
>
> The function comment indicates zero is returned on error, which is
> normally true, but -1 is returned to indicate reading the cert failed.
Ah, bug.
Thanks!
>
> > + log_err("Error reading keyid.\n");
> > + exit(1);
> > + }
> > + imaevm_params.keyid = keyid;
>
> As a result, imaevm_params.keyid is set to -1, which the "--keyid="
> case would detect, but isn't detected here.
>
> > + break;
> > case '?':
> > exit(1);
> > break;
> > diff --git a/src/imaevm.h b/src/imaevm.h
> > index fe244f1..491f136 100644
> > --- a/src/imaevm.h
> > +++ b/src/imaevm.h
> >
> > +/**
>
> kernel doc? :)
>
> > + * imaevm_read_keyid() - Read 32-bit keyid from the cert file
> > + * @certfile: File with certificate in PEM or DER form.
> > + *
> > + * Try to read keyid from Subject Key Identifier (SKID) of x509 certificate.
> > + * Autodetect if cert is in PEM (tried first) or DER encoding.
> > + *
> > + * Return: 0 on error, logged error message;
> > + * 32-bit keyid in host order.
>
> As mentioned above, -1 could be returned.
>
> > + */
> > +uint32_t imaevm_read_keyid(const char *certfile)
> > +{
> > + uint32_t keyid_be = 0;
> > + X509 *x;
> > +
> > + /* true: to load in DER form too. */
> > + if (!(x = read_cert(certfile, true)))
> > + return -1;
> > + extract_keyid(&keyid_be, x, certfile);
> > + /* On error keyid_be will not be set, returning 0. */
>
> Ok
>
> thanks,
>
> Mimi
>
> > + X509_free(x);
> > + return ntohl(keyid_be);
> > +}
> > +
> > static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> > {
> > FILE *fp;
