mirror of
https://github.com/openharmony/third_party_fsverity-utils.git
synced 2026-07-01 10:05:35 -04:00
66b1d8a276
PKCS#11 API allows us to use opaque keys confined in hardware security
modules (HSMs) and similar hardware tokens without direct access to the
key material, providing logical separation of the keys from the
cryptographic operations performed using them.
This commit allows using the popular libp11 pkcs11 module for the
OpenSSL library with `fsverity` so that direct access to a private key
file isn't necessary to sign files.
The user needs to supply the path to the engine shared library
(typically the libp11 shared object file) and the PKCS#11 module library
(a shared object file specific to the given hardware token). The user
may also supply a token-specific key identifier.
Test evidence with a hardware PKCS#11 token:
$ echo test > dummy
$ ./fsverity sign dummy dummy.sig \
--pkcs11-engine=/usr/lib64/engines-1.1/libpkcs11.so \
--pkcs11-module=/usr/local/lib64/pkcs11_module.so \
--cert=test-pkcs11-cert.pem && echo OK;
Signed file 'dummy'
(sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
OK
Test evidence for regression check (checking that regular file-based key
signing still works):
$ ./fsverity sign dummy dummy.sig --key=key.pem --cert=cert.pem && \
echo OK;
Signed file 'dummy'
(sha256:c497326752e21b3992b57f7eff159102d474a97d972dc2c2d99d23e0f5fbdb65)
OK
Signed-off-by: Aleksander Adamowski <olo@fb.com>
[EB: Avoided overloading the --key option and keyfile field, clarified
the documentation, removed logic from cmd_sign.c that libfsverity
already handles, and many other improvements.]
Link: https://lore.kernel.org/r/20210909212731.1151190-1-olo@fb.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
159 lines
4.0 KiB
C
159 lines
4.0 KiB
C
// SPDX-License-Identifier: MIT
|
|
/*
|
|
* The 'fsverity sign' command
|
|
*
|
|
* Copyright 2018 Google LLC
|
|
*
|
|
* Use of this source code is governed by an MIT-style
|
|
* license that can be found in the LICENSE file or at
|
|
* https://opensource.org/licenses/MIT.
|
|
*/
|
|
|
|
#include "fsverity.h"
|
|
|
|
#include <fcntl.h>
|
|
#include <getopt.h>
|
|
|
|
static bool write_signature(const char *filename, const u8 *sig, u32 sig_size)
|
|
{
|
|
struct filedes file;
|
|
bool ok;
|
|
|
|
if (!open_file(&file, filename, O_WRONLY|O_CREAT|O_TRUNC, 0644))
|
|
return false;
|
|
ok = full_write(&file, sig, sig_size);
|
|
ok &= filedes_close(&file);
|
|
return ok;
|
|
}
|
|
|
|
static const struct option longopts[] = {
|
|
{"key", required_argument, NULL, OPT_KEY},
|
|
{"cert", required_argument, NULL, OPT_CERT},
|
|
{"pkcs11-engine", required_argument, NULL, OPT_PKCS11_ENGINE},
|
|
{"pkcs11-module", required_argument, NULL, OPT_PKCS11_MODULE},
|
|
{"pkcs11-keyid", required_argument, NULL, OPT_PKCS11_KEYID},
|
|
{"hash-alg", required_argument, NULL, OPT_HASH_ALG},
|
|
{"block-size", required_argument, NULL, OPT_BLOCK_SIZE},
|
|
{"salt", required_argument, NULL, OPT_SALT},
|
|
{"out-merkle-tree", required_argument, NULL, OPT_OUT_MERKLE_TREE},
|
|
{"out-descriptor", required_argument, NULL, OPT_OUT_DESCRIPTOR},
|
|
{NULL, 0, NULL, 0}
|
|
};
|
|
|
|
/* Sign a file for fs-verity by computing its digest, then signing it. */
|
|
int fsverity_cmd_sign(const struct fsverity_command *cmd,
|
|
int argc, char *argv[])
|
|
{
|
|
struct filedes file = { .fd = -1 };
|
|
struct libfsverity_merkle_tree_params tree_params = { .version = 1 };
|
|
struct libfsverity_signature_params sig_params = {};
|
|
struct libfsverity_digest *digest = NULL;
|
|
char digest_hex[FS_VERITY_MAX_DIGEST_SIZE * 2 + 1];
|
|
u8 *sig = NULL;
|
|
size_t sig_size;
|
|
int status;
|
|
int c;
|
|
|
|
while ((c = getopt_long(argc, argv, "", longopts, NULL)) != -1) {
|
|
switch (c) {
|
|
case OPT_KEY:
|
|
if (sig_params.keyfile != NULL) {
|
|
error_msg("--key can only be specified once");
|
|
goto out_usage;
|
|
}
|
|
sig_params.keyfile = optarg;
|
|
break;
|
|
case OPT_CERT:
|
|
if (sig_params.certfile != NULL) {
|
|
error_msg("--cert can only be specified once");
|
|
goto out_usage;
|
|
}
|
|
sig_params.certfile = optarg;
|
|
break;
|
|
case OPT_PKCS11_ENGINE:
|
|
if (sig_params.pkcs11_engine != NULL) {
|
|
error_msg("--pkcs11-engine can only be specified once");
|
|
goto out_usage;
|
|
}
|
|
sig_params.pkcs11_engine = optarg;
|
|
break;
|
|
case OPT_PKCS11_MODULE:
|
|
if (sig_params.pkcs11_module != NULL) {
|
|
error_msg("--pkcs11-module can only be specified once");
|
|
goto out_usage;
|
|
}
|
|
sig_params.pkcs11_module = optarg;
|
|
break;
|
|
case OPT_PKCS11_KEYID:
|
|
if (sig_params.pkcs11_keyid != NULL) {
|
|
error_msg("--pkcs11-keyid can only be specified once");
|
|
goto out_usage;
|
|
}
|
|
sig_params.pkcs11_keyid = optarg;
|
|
break;
|
|
case OPT_HASH_ALG:
|
|
case OPT_BLOCK_SIZE:
|
|
case OPT_SALT:
|
|
case OPT_OUT_MERKLE_TREE:
|
|
case OPT_OUT_DESCRIPTOR:
|
|
if (!parse_tree_param(c, optarg, &tree_params))
|
|
goto out_usage;
|
|
break;
|
|
default:
|
|
goto out_usage;
|
|
}
|
|
}
|
|
|
|
argv += optind;
|
|
argc -= optind;
|
|
|
|
if (argc != 2)
|
|
goto out_usage;
|
|
|
|
if (sig_params.certfile == NULL)
|
|
sig_params.certfile = sig_params.keyfile;
|
|
|
|
if (!open_file(&file, argv[0], O_RDONLY, 0))
|
|
goto out_err;
|
|
|
|
if (!get_file_size(&file, &tree_params.file_size))
|
|
goto out_err;
|
|
|
|
if (libfsverity_compute_digest(&file, read_callback,
|
|
&tree_params, &digest) != 0) {
|
|
error_msg("failed to compute digest");
|
|
goto out_err;
|
|
}
|
|
|
|
if (libfsverity_sign_digest(digest, &sig_params,
|
|
&sig, &sig_size) != 0) {
|
|
error_msg("failed to sign digest");
|
|
goto out_err;
|
|
}
|
|
|
|
if (!write_signature(argv[1], sig, sig_size))
|
|
goto out_err;
|
|
|
|
ASSERT(digest->digest_size <= FS_VERITY_MAX_DIGEST_SIZE);
|
|
bin2hex(digest->digest, digest->digest_size, digest_hex);
|
|
printf("Signed file '%s' (%s:%s)\n", argv[0],
|
|
libfsverity_get_hash_name(digest->digest_algorithm), digest_hex);
|
|
status = 0;
|
|
out:
|
|
filedes_close(&file);
|
|
if (!destroy_tree_params(&tree_params) && status == 0)
|
|
status = 1;
|
|
free(digest);
|
|
free(sig);
|
|
return status;
|
|
|
|
out_err:
|
|
status = 1;
|
|
goto out;
|
|
|
|
out_usage:
|
|
usage(cmd, stderr);
|
|
status = 2;
|
|
goto out;
|
|
}
|