From 0eadb2b2da9ef7fccd39b22487a1de581f37330a Mon Sep 17 00:00:00 2001 From: Thomas Perrot Date: Mon, 19 Jul 2021 16:04:44 +0200 Subject: lib: rsa: rsa-verify: Fix a typo in a debug message Signed-off-by: Thomas Perrot --- lib/rsa/rsa-verify.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c index bb8cc61d94b..3840764e420 100644 --- a/lib/rsa/rsa-verify.c +++ b/lib/rsa/rsa-verify.c @@ -556,7 +556,7 @@ int rsa_verify(struct image_sign_info *info, */ if (info->checksum->checksum_len > info->crypto->key_len) { - debug("%s: invlaid checksum-algorithm %s for %s\n", + debug("%s: invalid checksum-algorithm %s for %s\n", __func__, info->checksum->name, info->crypto->name); return -EINVAL; } -- cgit v1.3.1 From 6d59ace988fdc1bb9f52ab70e21af0d40380c3f3 Mon Sep 17 00:00:00 2001 From: "Chan, Donald" Date: Mon, 19 Jul 2021 09:18:54 -0700 Subject: lib: rsa: rsa-sign: Minor bug in debug message *sig_size isn't set until later so use the correct variables. Signed-off-by: Donald Chan Reviewed-by: Simon Glass --- lib/rsa/rsa-sign.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index f4ed11e74a4..c64deac31f4 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -473,7 +473,7 @@ static int rsa_sign_with_key(EVP_PKEY *pkey, struct padding_algo *padding_algo, #endif EVP_MD_CTX_destroy(context); - debug("Got signature: %d bytes, expected %zu\n", *sig_size, size); + debug("Got signature: %zu bytes, expected %d\n", size, EVP_PKEY_size(pkey)); *sigp = sig; *sig_size = size; -- cgit v1.3.1 From 62b27a561c2868d95445905ad554297e43cc0f2b Mon Sep 17 00:00:00 2001 
From: Marc Kleine-Budde Date: Fri, 23 Jul 2021 22:17:50 +0200 Subject: mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine This patch adds the possibility to pass the PIN the OpenSSL Engine used during signing via the environment variable MKIMAGE_SIGN_PIN. This follows the approach used during kernel module signing ("KBUILD_SIGN_PIN") or UBIFS image signing ("MKIMAGE_SIGN_PIN"). Signed-off-by: Marc Kleine-Budde --- doc/uImage.FIT/signature.txt | 4 ++-- lib/rsa/rsa-sign.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'lib') diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt index 7cb1c15e5e1..61a72db3c74 100644 --- a/doc/uImage.FIT/signature.txt +++ b/doc/uImage.FIT/signature.txt @@ -533,8 +533,8 @@ Generic engine key ids: or "" -As mkimage does not at this time support prompting for passwords HSM may need -key preloading wrapper to be used when invoking mkimage. +In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN" +can be specified. The following examples use the Nitrokey Pro using pkcs11 engine. Instructions for other devices may vary. diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c index c64deac31f4..085dc89bf7b 100644 --- a/lib/rsa/rsa-sign.c +++ b/lib/rsa/rsa-sign.c @@ -338,6 +338,7 @@ static int rsa_init(void) static int rsa_engine_init(const char *engine_id, ENGINE **pe) { + const char *key_pass; ENGINE *e; int ret; @@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe) goto err_set_rsa; } + key_pass = getenv("MKIMAGE_SIGN_PIN"); + if (key_pass) { + if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) { + fprintf(stderr, "Couldn't set PIN\n"); + ret = -1; + goto err_set_pin; + } + } + *pe = e; return 0; +err_set_pin: err_set_rsa: ENGINE_finish(e); err_engine_init: -- cgit v1.3.1
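Review bot: In the second lib/rsa/rsa-sign.c hunk, the new failure path in rsa_engine_init() prints only `Couldn't set PIN`, so an operator cannot tell which engine rejected the PIN or that it came from the environment; consider `fprintf(stderr, "Couldn't set PIN for engine %s (from MKIMAGE_SIGN_PIN)\n", engine_id);`. The call passes 0 as the last (cmd_optional) argument of ENGINE_ctrl_cmd_string, so an engine with no "PIN" control command will presumably fail initialisation whenever the variable is set, which is worth stating in signature.txt. A short comment above the getenv() call would also help, e.g. `/* PIN is taken from the environment: it is inherited by child processes and may be readable by other processes of the same user; never print it */`. The body of rsa_engine_init() starts and ends outside this hunk, so the cleanup labels after `err_set_pin:` are only partly visible here.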