From: Yu Watanabe Date: Sun, 26 Oct 2025 09:27:51 +0000 (+0900) Subject: repart: load x509 certificate and private key after Context is allocated X-Git-Tag: v259-rc1~186^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0158eabb01d19b6901b5c3af7d8863b73e93dc73;p=thirdparty%2Fsystemd.git repart: load x509 certificate and private key after Context is allocated This splits out context_load_keys() from parse_argv(). No functional change, just refactoring. --- diff --git a/src/repart/repart.c b/src/repart/repart.c index a04fa1bf6a6..3089c46baab 100644 --- a/src/repart/repart.c +++ b/src/repart/repart.c @@ -852,11 +852,7 @@ static Context* context_new( char **definitions, EmptyMode empty, bool dry_run, - sd_id128_t seed, - X509 *certificate, - EVP_PKEY *private_key) { - - /* Note: This function takes ownership of the certificate and private_key arguments. */ + sd_id128_t seed) { _cleanup_strv_free_ char **d = NULL; if (!strv_isempty(definitions)) { @@ -875,8 +871,6 @@ static Context* context_new( .end = UINT64_MAX, .total = UINT64_MAX, .seed = seed, - .certificate = certificate, - .private_key = private_key, .empty = empty, .dry_run = dry_run, .backing_fd = -EBADF, @@ -8684,6 +8678,55 @@ static int context_minimize(Context *context) { return 0; } +static int context_load_keys(Context *context) { + int r; + + assert(context); + + if (arg_certificate) { + if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) { + r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate); + if (r < 0) + return r; + } + + r = openssl_load_x509_certificate( + arg_certificate_source_type, + arg_certificate_source, + arg_certificate, + &context->certificate); + if (r < 0) + return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate); + } + + if (arg_private_key) { + if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) { + r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key); + if (r < 0) + return r; + } + + r = openssl_load_private_key( + arg_private_key_source_type, + arg_private_key_source, + arg_private_key, + &(AskPasswordRequest) { + .tty_fd = -EBADF, + .id = "repart-private-key-pin", + .keyring = arg_private_key, + .credential = "repart.private-key-pin", + .until = USEC_INFINITY, + .hup_fd = -EBADF, + }, + &context->private_key, + /* ret_user_interface= */ NULL); + if (r < 0) + return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key); + } + + return 0; +} + static int parse_partition_types(const char *p, GptPartitionType **partitions, size_t *n_partitions) { int r; @@ -8888,13 +8931,7 @@ static int help(void) { return 0; } -static int parse_argv( - int argc, - char *argv[], - X509 **ret_certificate, - EVP_PKEY **ret_private_key, - OpenSSLAskPasswordUI **ret_ui) { - +static int parse_argv(int argc, char *argv[]) { enum { ARG_VERSION = 0x100, ARG_NO_PAGER, @@ -8993,17 +9030,11 @@ static int parse_argv( {} }; - _cleanup_(X509_freep) X509 *certificate = NULL; - _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL; - _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL; bool auto_public_key_pcr_mask = true, auto_pcrlock = true; int c, r; assert(argc >= 0); assert(argv); - assert(ret_certificate); - assert(ret_private_key); - assert(ret_ui); while ((c = getopt_long(argc, argv, "hs:SCP", options, NULL)) >= 0) @@ -9544,47 +9575,6 @@ static int parse_argv( *p = gpt_partition_type_override_architecture(*p, arg_architecture); } - if (arg_certificate) { - if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) { - r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate); - if (r < 0) - return r; - } - - r = openssl_load_x509_certificate( - arg_certificate_source_type, - arg_certificate_source, - arg_certificate, - &certificate); - if (r < 0) - return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate); - } - - if (arg_private_key) { - if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) { - r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key); - if (r < 0) - return r; - } - - r = openssl_load_private_key( - arg_private_key_source_type, - arg_private_key_source, - arg_private_key, - &(AskPasswordRequest) { - .tty_fd = -EBADF, - .id = "repart-private-key-pin", - .keyring = arg_private_key, - .credential = "repart.private-key-pin", - .until = USEC_INFINITY, - .hup_fd = -EBADF, - }, - &private_key, - &ui); - if (r < 0) - return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key); - } - if (arg_append_fstab && !arg_generate_fstab) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No --generate-fstab= specified for --append-fstab=%s.", append_mode_to_string(arg_append_fstab)); @@ -9596,10 +9586,6 @@ static int parse_argv( arg_pager_flags |= PAGER_DISABLE; } - *ret_certificate = TAKE_PTR(certificate); - *ret_private_key = TAKE_PTR(private_key); - *ret_ui = TAKE_PTR(ui); - return 1; } @@ -10220,9 +10206,7 @@ static int vl_method_run( p.definitions, p.empty, p.dry_run, - p.seed, - /* certificate= */ NULL, - /* private_key= */ NULL); + p.seed); if (!context) return log_oom(); @@ -10361,9 +10345,6 @@ static int vl_server(void) { } static int run(int argc, char *argv[]) { - _cleanup_(X509_freep) X509 *certificate = NULL; - _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL; - _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL; _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; _cleanup_(umount_and_freep) char *mounted_dir = NULL; _cleanup_(context_freep) Context* context = NULL; @@ -10372,7 +10353,7 @@ static int run(int argc, char *argv[]) { log_setup(); - r = parse_argv(argc, argv, &certificate, &private_key, &ui); + r = parse_argv(argc, argv); if (r <= 0) return r; @@ -10438,14 +10419,13 @@ static int run(int argc, char *argv[]) { arg_definitions, arg_empty, arg_dry_run, - arg_seed, - certificate, - private_key); + arg_seed); if (!context) return log_oom(); - TAKE_PTR(certificate); - TAKE_PTR(private_key); + r = context_load_keys(context); + if (r < 0) + return r; context->defer_partitions_empty = arg_defer_partitions_empty; context->defer_partitions_factory_reset = arg_defer_partitions_factory_reset;