mirror of
https://github.com/openharmony/third_party_fsverity-utils.git
synced 2026-07-01 10:05:35 -04:00
Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine
PKCS#11 API allows us to use opaque keys confined in hardware security
modules (HSMs) and similar hardware tokens without direct access to the
key material, providing logical separation of the keys from the
cryptographic operations performed using them.
This commit allows using the popular libp11 pkcs11 module for the
OpenSSL library with `fsverity` so that direct access to a private key
file isn't necessary to sign files.
The user needs to supply the path to the engine shared library
(typically the libp11 shared object file) and the PKCS#11 module library
(a shared object file specific to the given hardware token). The user
may also supply a token-specific key identifier.
Test evidence with a hardware PKCS#11 token:
$ echo test > dummy
$ ./fsverity sign dummy dummy.sig \
--pkcs11-engine=/usr/lib64/engines-1.1/libpkcs11.so \
--pkcs11-module=/usr/local/lib64/pkcs11_module.so \
--cert=test-pkcs11-cert.pem && echo OK;
Signed file 'dummy'
(sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
OK
Test evidence for regression check (checking that regular file-based key
signing still works):
$ ./fsverity sign dummy dummy.sig --key=key.pem --cert=cert.pem && \
echo OK;
Signed file 'dummy'
(sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
OK
Signed-off-by: Aleksander Adamowski <olo@fb.com>
[EB: Avoided overloading the --key option and keyfile field, clarified
the documentation, removed logic from cmd_sign.c that libfsverity
already handles, and many other improvements.]
Link: https://lore.kernel.org/r/20210909212731.1151190-1-olo@fb.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
This commit is contained in:
committed by
Eric Biggers
parent
9e082897d6
commit
66b1d8a276
+34
-14
@@ -27,13 +27,16 @@ static bool write_signature(const char *filename, const u8 *sig, u32 sig_size)
|
||||
}
|
||||
|
||||
static const struct option longopts[] = {
|
||||
{"key", required_argument, NULL, OPT_KEY},
|
||||
{"cert", required_argument, NULL, OPT_CERT},
|
||||
{"pkcs11-engine", required_argument, NULL, OPT_PKCS11_ENGINE},
|
||||
{"pkcs11-module", required_argument, NULL, OPT_PKCS11_MODULE},
|
||||
{"pkcs11-keyid", required_argument, NULL, OPT_PKCS11_KEYID},
|
||||
{"hash-alg", required_argument, NULL, OPT_HASH_ALG},
|
||||
{"block-size", required_argument, NULL, OPT_BLOCK_SIZE},
|
||||
{"salt", required_argument, NULL, OPT_SALT},
|
||||
{"out-merkle-tree", required_argument, NULL, OPT_OUT_MERKLE_TREE},
|
||||
{"out-descriptor", required_argument, NULL, OPT_OUT_DESCRIPTOR},
|
||||
{"key", required_argument, NULL, OPT_KEY},
|
||||
{"cert", required_argument, NULL, OPT_CERT},
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
|
||||
@@ -53,14 +56,6 @@ int fsverity_cmd_sign(const struct fsverity_command *cmd,
|
||||
|
||||
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
|
||||
switch (c) {
|
||||
case OPT_HASH_ALG:
|
||||
case OPT_BLOCK_SIZE:
|
||||
case OPT_SALT:
|
||||
case OPT_OUT_MERKLE_TREE:
|
||||
case OPT_OUT_DESCRIPTOR:
|
||||
if (!parse_tree_param(c, optarg, &tree_params))
|
||||
goto out_usage;
|
||||
break;
|
||||
case OPT_KEY:
|
||||
if (sig_params.keyfile != NULL) {
|
||||
error_msg("--key can only be specified once");
|
||||
@@ -75,6 +70,35 @@ int fsverity_cmd_sign(const struct fsverity_command *cmd,
|
||||
}
|
||||
sig_params.certfile = optarg;
|
||||
break;
|
||||
case OPT_PKCS11_ENGINE:
|
||||
if (sig_params.pkcs11_engine != NULL) {
|
||||
error_msg("--pkcs11-engine can only be specified once");
|
||||
goto out_usage;
|
||||
}
|
||||
sig_params.pkcs11_engine = optarg;
|
||||
break;
|
||||
case OPT_PKCS11_MODULE:
|
||||
if (sig_params.pkcs11_module != NULL) {
|
||||
error_msg("--pkcs11-module can only be specified once");
|
||||
goto out_usage;
|
||||
}
|
||||
sig_params.pkcs11_module = optarg;
|
||||
break;
|
||||
case OPT_PKCS11_KEYID:
|
||||
if (sig_params.pkcs11_keyid != NULL) {
|
||||
error_msg("--pkcs11-keyid can only be specified once");
|
||||
goto out_usage;
|
||||
}
|
||||
sig_params.pkcs11_keyid = optarg;
|
||||
break;
|
||||
case OPT_HASH_ALG:
|
||||
case OPT_BLOCK_SIZE:
|
||||
case OPT_SALT:
|
||||
case OPT_OUT_MERKLE_TREE:
|
||||
case OPT_OUT_DESCRIPTOR:
|
||||
if (!parse_tree_param(c, optarg, &tree_params))
|
||||
goto out_usage;
|
||||
break;
|
||||
default:
|
||||
goto out_usage;
|
||||
}
|
||||
@@ -86,10 +110,6 @@ int fsverity_cmd_sign(const struct fsverity_command *cmd,
|
||||
if (argc != 2)
|
||||
goto out_usage;
|
||||
|
||||
if (sig_params.keyfile == NULL) {
|
||||
error_msg("Missing --key argument");
|
||||
goto out_usage;
|
||||
}
|
||||
if (sig_params.certfile == NULL)
|
||||
sig_params.certfile = sig_params.keyfile;
|
||||
|
||||
|
||||
+3
-2
@@ -58,10 +58,11 @@ static const struct fsverity_command {
|
||||
.func = fsverity_cmd_sign,
|
||||
.short_desc = "Sign a file for fs-verity",
|
||||
.usage_str =
|
||||
" fsverity sign FILE OUT_SIGFILE --key=KEYFILE\n"
|
||||
" fsverity sign FILE OUT_SIGFILE\n"
|
||||
" [--key=KEYFILE] [--cert=CERTFILE] [--pkcs11-engine=SOFILE]\n"
|
||||
" [--pkcs11-module=SOFILE] [--pkcs11-keyid=KEYID]\n"
|
||||
" [--hash-alg=HASH_ALG] [--block-size=BLOCK_SIZE] [--salt=SALT]\n"
|
||||
" [--out-merkle-tree=FILE] [--out-descriptor=FILE]\n"
|
||||
" [--cert=CERTFILE]\n"
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
@@ -31,6 +31,9 @@ enum {
|
||||
OPT_OFFSET,
|
||||
OPT_OUT_DESCRIPTOR,
|
||||
OPT_OUT_MERKLE_TREE,
|
||||
OPT_PKCS11_ENGINE,
|
||||
OPT_PKCS11_KEYID,
|
||||
OPT_PKCS11_MODULE,
|
||||
OPT_SALT,
|
||||
OPT_SIGNATURE,
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user