From: Tobias Olausson
Date: Thu, 26 Jun 2025 06:54:20 +0000 (+0200)
Subject: lib/rsa: allow matching pkcs11 path by object id
X-Git-Tag: v2025.10-rc1~127
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0707f73a8ba26f5aeaeada6f5942d003bf67ce06;p=thirdparty%2Fu-boot.git

lib/rsa: allow matching pkcs11 path by object id

The object= part matches against the label that the pkcs11 token uses for that object, but in some cases, specifically with a Yubikey using ykcs11, where the keys have been imported, the labels differ between the private and public keys [1], making the object= matching useless. These keys will have the same id however, so matching against that works for both the private and public part.

[1]: https://github.com/Yubico/yubico-piv-tool/blob/master/doc/YKCS11/Functions_and_values.adoc#key-alias-per-slot-and-object-type

Signed-off-by: Tobias Olausson
---

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index fa9e143b4ca..92b9d7876e5 100644
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -122,7 +122,7 @@ static int rsa_engine_get_pub_key(const char *keydir, const char *name,
 fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n",
 pkcs11_schema);
 }
- if (strstr(keydir, "object="))
+ if (strstr(keydir, "object=") || strstr(keydir, "id="))
 snprintf(key_id, sizeof(key_id),
 "%s%s;type=public",
 pkcs11_uri_prepend, keydir);
@@ -253,7 +253,7 @@ static int rsa_engine_get_priv_key(const char *keydir, const char *name,
 fprintf(stderr, "WARNING: Legacy URI specified. Please add '%s'.\n",
 pkcs11_schema);
 }
- if (strstr(keydir, "object="))
+ if (strstr(keydir, "object=") || strstr(keydir, "id="))
 snprintf(key_id, sizeof(key_id),
 "%s%s;type=private",
 pkcs11_uri_prepend, keydir);
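Review bot: `strstr(keydir, "id=")` in the new condition of rsa_engine_get_pub_key is a plain substring test, and the standard PKCS#11 URI attribute `slot-id=` contains it, so a URI that names a slot but carries neither `object=` nor `id=` is now treated as if it already identified the key and is passed through with only `;type=public` appended, instead of taking the other branch that the hunk does not show. The attribute test should only match `id=` where an attribute starts: at the start of the path, or right after the `;` separator or the `pkcs11:` scheme colon; since legacy URIs without the scheme are accepted here (the warning above the condition), the start-of-string case matters too. The same pair of checks is repeated in rsa_engine_get_priv_key, so the boundary-aware test is best kept in one static helper used by both. rsa_engine_get_pub_key starts and ends outside the hunk.
```c
/* True when ATTR ("id=", "object=") starts a path attribute of URI, i.e.
 * is at the start of the string or directly follows the ';' attribute
 * separator or the scheme colon. A bare strstr() would also hit "slot-id=". */
static int pkcs11_uri_has_attr(const char *uri, const char *attr)
{
	const char *p = strstr(uri, attr);

	while (p) {
		if (p == uri || p[-1] == ';' || p[-1] == ':')
			return 1;
		p = strstr(p + 1, attr);
	}

	return 0;
}

/* … unchanged: legacy-URI warning in rsa_engine_get_pub_key … */
		if (pkcs11_uri_has_attr(keydir, "object=") ||
		    pkcs11_uri_has_attr(keydir, "id="))
			snprintf(key_id, sizeof(key_id),
				 "%s%s;type=public",
				 pkcs11_uri_prepend, keydir);
```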
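Review bot: The private-key path has the same flaw as the public-key one: `strstr(keydir, "id=")` also matches the `slot-id=` attribute of a PKCS#11 URI, so a URI selecting a slot without any `id=` or `object=` attribute is now passed through with `;type=private` appended rather than taking the other branch, which the hunk does not show. The check should accept `id=` only at an attribute boundary (start of the path, or after a `;` or the scheme colon), and since rsa_engine_get_priv_key and rsa_engine_get_pub_key now carry an identical pair of strstr() calls, that test belongs in one static helper both call, e.g. `if (pkcs11_uri_has_attr(keydir, "object=") || pkcs11_uri_has_attr(keydir, "id="))`. rsa_engine_get_priv_key starts and ends outside the hunk.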