#include "sd-json.h"
#include "alloc-util.h"
+#include "ask-password-api.h"
#include "build.h"
#include "efi-loader.h"
#include "fd-util.h"
static int verb_sign(int argc, char *argv[], void *userdata) {
_cleanup_(sd_json_variant_unrefp) sd_json_variant *v = NULL;
_cleanup_(pcr_state_free_all) PcrState *pcr_states = NULL;
+ _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
_cleanup_(EVP_PKEY_freep) EVP_PKEY *privkey = NULL, *pubkey = NULL;
_cleanup_(X509_freep) X509 *certificate = NULL;
size_t n;
/* This must be done before openssl_load_key_from_token() otherwise it will get stuck */
if (arg_certificate) {
- _cleanup_(BIO_freep) BIO *cb = NULL;
- _cleanup_free_ char *crt = NULL;
-
- r = read_full_file_full(
- AT_FDCWD, arg_certificate, UINT64_MAX, SIZE_MAX,
- READ_FULL_FILE_CONNECT_SOCKET,
- /* bind_name= */ NULL,
- &crt, &n);
+ r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (r < 0)
- return log_error_errno(r, "Failed to read certificate file '%s': %m", arg_certificate);
-
- cb = BIO_new_mem_buf(crt, n);
- if (!cb)
- return log_oom();
-
- certificate = PEM_read_bio_X509(cb, NULL, NULL, NULL);
- if (!certificate)
- return log_error_errno(
- SYNTHETIC_ERRNO(EBADMSG),
- "Failed to parse X.509 certificate: %s",
- ERR_error_string(ERR_get_error(), NULL));
+ return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
}
- if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
- _cleanup_fclose_ FILE *privkeyf = NULL;
- _cleanup_free_ char *resolved_pkey = NULL;
+ if (arg_private_key) {
+ if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
+ r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
+ }
- r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &resolved_pkey);
+ r = openssl_load_private_key(
+ arg_private_key_source_type,
+ arg_private_key_source,
+ arg_private_key,
+ &(AskPasswordRequest) {
+ .id = "measure-private-key-pin",
+ .keyring = arg_private_key,
+ .credential = "measure.private-key-pin",
+ },
+ &privkey,
+ &ui);
if (r < 0)
- return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
-
- privkeyf = fopen(resolved_pkey, "re");
- if (!privkeyf)
- return log_error_errno(errno, "Failed to open private key file '%s': %m", resolved_pkey);
-
- privkey = PEM_read_PrivateKey(privkeyf, NULL, NULL, NULL);
- if (!privkey)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse private key '%s'.", resolved_pkey);
- } else if (arg_private_key_source &&
- IN_SET(arg_private_key_source_type, OPENSSL_KEY_SOURCE_ENGINE, OPENSSL_KEY_SOURCE_PROVIDER)) {
- r = openssl_load_key_from_token(
- arg_private_key_source_type, arg_private_key_source, arg_private_key, &privkey);
- if (r < 0)
- return log_error_errno(
- r,
- "Failed to load key '%s' from OpenSSL key source %s: %m",
- arg_private_key,
- arg_private_key_source);
+ return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
}
if (arg_public_key) {
#include "sd-json.h"
#include "alloc-util.h"
+#include "ask-password-api.h"
#include "blkid-util.h"
#include "blockdev-list.h"
#include "blockdev-util.h"
static bool arg_legend = true;
static void *arg_key = NULL;
static size_t arg_key_size = 0;
-static EVP_PKEY *arg_private_key = NULL;
+static char *arg_private_key = NULL;
static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
static char *arg_private_key_source = NULL;
-static X509 *arg_certificate = NULL;
+static char *arg_certificate = NULL;
static char *arg_tpm2_device = NULL;
static uint32_t arg_tpm2_seal_key_handle = 0;
static char *arg_tpm2_device_key = NULL;
STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
STATIC_DESTRUCTOR_REGISTER(arg_definitions, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_key, erase_and_freep);
-STATIC_DESTRUCTOR_REGISTER(arg_private_key, EVP_PKEY_freep);
+STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
-STATIC_DESTRUCTOR_REGISTER(arg_certificate, X509_freep);
+STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
int backing_fd;
bool from_scratch;
+
+ X509 *certificate;
+ EVP_PKEY *private_key;
} Context;
static const char *empty_mode_table[_EMPTY_MODE_MAX] = {
DEFINE_TRIVIAL_CLEANUP_FUNC(Partition*, partition_free);
-static Context* context_new(sd_id128_t seed) {
+static Context* context_new(sd_id128_t seed, X509 *certificate, EVP_PKEY *private_key) {
Context *context;
+ /* Note: This function takes ownership of the certificate and private_key arguments. */
+
context = new(Context, 1);
if (!context)
return NULL;
.end = UINT64_MAX,
.total = UINT64_MAX,
.seed = seed,
+ .certificate = certificate,
+ .private_key = private_key,
};
return context;
else
free(context->node);
+ X509_free(context->certificate);
+ EVP_PKEY_free(context->private_key);
+
return mfree(context);
}
static int sign_verity_roothash(
const struct iovec *roothash,
+ X509 *certificate,
+ EVP_PKEY *private_key,
struct iovec *ret_signature) {
#if HAVE_OPENSSL
int sigsz;
assert(roothash);
+ assert(private_key);
assert(iovec_is_set(roothash));
assert(ret_signature);
if (!rb)
return log_oom();
- p7 = PKCS7_sign(arg_certificate, arg_private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
+ p7 = PKCS7_sign(certificate, private_key, NULL, rb, PKCS7_DETACHED|PKCS7_NOATTR|PKCS7_BINARY);
if (!p7)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to calculate PKCS7 signature: %s",
ERR_error_string(ERR_get_error(), NULL));
assert_se(hp = p->siblings[VERITY_HASH]);
assert(!hp->dropped);
- assert(arg_certificate);
-
assert_se((whole_fd = fdisk_get_devfd(context->fdisk_context)) >= 0);
- r = sign_verity_roothash(&hp->roothash, &sig);
+ r = sign_verity_roothash(&hp->roothash, context->certificate, context->private_key, &sig);
if (r < 0)
return r;
- r = x509_fingerprint(arg_certificate, fp);
+ r = x509_fingerprint(context->certificate, fp);
if (r < 0)
return log_error_errno(r, "Unable to calculate X509 certificate fingerprint: %m");
return 0;
}
-static int parse_x509_certificate(const char *certificate, size_t certificate_size, X509 **ret) {
-#if HAVE_OPENSSL
- _cleanup_(X509_freep) X509 *cert = NULL;
- _cleanup_(BIO_freep) BIO *cb = NULL;
-
- assert(certificate);
- assert(certificate_size > 0);
- assert(ret);
-
- cb = BIO_new_mem_buf(certificate, certificate_size);
- if (!cb)
- return log_oom();
-
- cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
- if (!cert)
- return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- if (ret)
- *ret = TAKE_PTR(cert);
-
- return 0;
-#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot parse X509 certificate.");
-#endif
-}
-
-static int parse_private_key(const char *key, size_t key_size, EVP_PKEY **ret) {
-#if HAVE_OPENSSL
- _cleanup_(BIO_freep) BIO *kb = NULL;
- _cleanup_(EVP_PKEY_freep) EVP_PKEY *pk = NULL;
-
- assert(key);
- assert(key_size > 0);
- assert(ret);
-
- kb = BIO_new_mem_buf(key, key_size);
- if (!kb)
- return log_oom();
-
- pk = PEM_read_bio_PrivateKey(kb, NULL, NULL, NULL);
- if (!pk)
- return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse PEM private key: %s",
- ERR_error_string(ERR_get_error(), NULL));
-
- if (ret)
- *ret = TAKE_PTR(pk);
-
- return 0;
-#else
- return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot parse private key.");
-#endif
-}
-
static int partition_acquire_uuid(Context *context, Partition *p, sd_id128_t *ret) {
struct {
sd_id128_t type_uuid;
return 0;
}
-static int parse_argv(int argc, char *argv[]) {
- _cleanup_free_ char *private_key = NULL;
-
+static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_ui) {
enum {
ARG_VERSION = 0x100,
ARG_NO_PAGER,
{}
};
+ _cleanup_(X509_freep) X509 *certificate = NULL;
+ _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
bool auto_hash_pcr_values = true, auto_public_key_pcr_mask = true, auto_pcrlock = true;
int c, r;
assert(argc >= 0);
assert(argv);
+ assert(ret_certificate);
+ assert(ret_private_key);
+ assert(ret_ui);
while ((c = getopt_long(argc, argv, "hs:SCP", options, NULL)) >= 0)
}
case ARG_PRIVATE_KEY: {
- r = free_and_strdup_warn(&private_key, optarg);
+ r = free_and_strdup_warn(&arg_private_key, optarg);
if (r < 0)
return r;
break;
break;
case ARG_CERTIFICATE: {
- _cleanup_free_ char *cert = NULL;
- size_t n = 0;
-
- r = read_full_file_full(
- AT_FDCWD, optarg, UINT64_MAX, SIZE_MAX,
- READ_FULL_FILE_CONNECT_SOCKET,
- NULL,
- &cert, &n);
- if (r < 0)
- return log_error_errno(r, "Failed to read certificate file '%s': %m", optarg);
-
- X509_free(arg_certificate);
- arg_certificate = NULL;
- r = parse_x509_certificate(cert, n, &arg_certificate);
+ r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
break;
*p = gpt_partition_type_override_architecture(*p, arg_architecture);
}
- if (private_key && arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
- _cleanup_(erase_and_freep) char *k = NULL;
- size_t n = 0;
-
- r = read_full_file_full(
- AT_FDCWD, private_key, UINT64_MAX, SIZE_MAX,
- READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
- NULL,
- &k, &n);
+ if (arg_certificate) {
+ r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (r < 0)
- return log_error_errno(r, "Failed to read key file '%s': %m", private_key);
+ return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
+ }
- r = parse_private_key(k, n, &arg_private_key);
- if (r < 0)
- return r;
- } else if (private_key &&
- IN_SET(arg_private_key_source_type, OPENSSL_KEY_SOURCE_ENGINE, OPENSSL_KEY_SOURCE_PROVIDER)) {
- /* This must happen after parse_x509_certificate() is called above, otherwise
- * signing later will get stuck as the parsed private key won't have the
- * certificate, so this block cannot be inline in ARG_PRIVATE_KEY. */
- r = openssl_load_key_from_token(
+ if (arg_private_key) {
+ if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
+ r = parse_path_argument(arg_private_key, /*suppress_root=*/ false, &arg_private_key);
+ if (r < 0)
+ return r;
+ }
+
+ r = openssl_load_private_key(
arg_private_key_source_type,
arg_private_key_source,
- private_key,
- &arg_private_key);
+ arg_private_key,
+ &(AskPasswordRequest) {
+ .id = "repart-private-key-pin",
+ .keyring = arg_private_key,
+ .credential = "repart.private-key-pin",
+ },
+ &private_key,
+ &ui);
if (r < 0)
- return log_error_errno(
- r,
- "Failed to load key '%s' from OpenSSL private key source %s: %m",
- private_key,
- arg_private_key_source);
+ return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
}
+ *ret_certificate = TAKE_PTR(certificate);
+ *ret_private_key = TAKE_PTR(private_key);
+ *ret_ui = TAKE_PTR(ui);
+
return 1;
}
}
static int run(int argc, char *argv[]) {
+ _cleanup_(X509_freep) X509 *certificate = NULL;
+ _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
_cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
_cleanup_(umount_and_freep) char *mounted_dir = NULL;
_cleanup_(context_freep) Context* context = NULL;
log_setup();
- r = parse_argv(argc, argv);
+ r = parse_argv(argc, argv, &certificate, &private_key, &ui);
if (r <= 0)
return r;
return log_oom();
}
- context = context_new(arg_seed);
+ context = context_new(arg_seed, certificate, private_key);
if (!context)
return log_oom();
+ TAKE_PTR(certificate);
+ TAKE_PTR(private_key);
+
r = context_read_seed(context, arg_root);
if (r < 0)
return r;
#include <endian.h>
#include "alloc-util.h"
+#include "ask-password-api.h"
#include "fd-util.h"
+#include "fileio.h"
#include "hexdecoct.h"
#include "memory-util.h"
#include "openssl-util.h"
#include "random-util.h"
#include "string-util.h"
+#include "strv.h"
#if HAVE_OPENSSL
# include <openssl/rsa.h>
}
}
-static int load_key_from_provider(const char *provider, const char *private_key_uri, EVP_PKEY **ret) {
+static int load_key_from_provider(
+ const char *provider,
+ const char *private_key_uri,
+ OpenSSLAskPasswordUI *ui,
+ EVP_PKEY **ret) {
assert(provider);
assert(private_key_uri);
+ assert(ui);
assert(ret);
#if OPENSSL_VERSION_MAJOR >= 3
_cleanup_(OSSL_STORE_closep) OSSL_STORE_CTX *store = OSSL_STORE_open(
private_key_uri,
- /* ui_method= */ NULL,
- /* ui_data= */ NULL,
+ ui->method,
+ &ui->request,
/* post_process= */ NULL,
/* post_process_data= */ NULL);
if (!store)
#endif
}
-static int load_key_from_engine(const char *engine, const char *private_key_uri, EVP_PKEY **ret) {
-
+static int load_key_from_engine(const char *engine, const char *private_key_uri, OpenSSLAskPasswordUI *ui, EVP_PKEY **ret) {
assert(engine);
assert(private_key_uri);
+ assert(ui);
assert(ret);
#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
if (ENGINE_init(e) == 0)
return log_openssl_errors("Failed to initialize signing engine '%s'", engine);
- _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = ENGINE_load_private_key(
- e,
- private_key_uri,
- /* ui_method= */ NULL,
- /* callback_data= */ NULL);
+ if (ENGINE_ctrl(e, ENGINE_CTRL_SET_USER_INTERFACE, /*i=*/ 0, ui->method, /*f=*/ NULL) <= 0)
+ return log_openssl_errors("Failed to set engine user interface");
+
+ if (ENGINE_ctrl(e, ENGINE_CTRL_SET_CALLBACK_DATA, /*i=*/ 0, &ui->request, /*f=*/ NULL) <= 0)
+ return log_openssl_errors("Failed to set engine user interface data");
+
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = ENGINE_load_private_key(e, private_key_uri, ui->method, &ui->request);
if (!private_key)
return log_openssl_errors("Failed to load private key from '%s'", private_key_uri);
REENABLE_WARNING;
KeySourceType private_key_source_type,
const char *private_key_source,
const char *private_key,
- EVP_PKEY **ret) {
+ OpenSSLAskPasswordUI *ui,
+ EVP_PKEY **ret_private_key) {
assert(IN_SET(private_key_source_type, OPENSSL_KEY_SOURCE_ENGINE, OPENSSL_KEY_SOURCE_PROVIDER));
assert(private_key_source);
+ assert(ui);
assert(private_key);
switch (private_key_source_type) {
case OPENSSL_KEY_SOURCE_ENGINE:
- return load_key_from_engine(private_key_source, private_key, ret);
+ return load_key_from_engine(private_key_source, private_key, ui, ret_private_key);
case OPENSSL_KEY_SOURCE_PROVIDER:
- return load_key_from_provider(private_key_source, private_key, ret);
+ return load_key_from_provider(private_key_source, private_key, ui, ret_private_key);
default:
assert_not_reached();
}
}
+
+static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
+ int r;
+
+ switch(UI_get_string_type(uis)) {
+ case UIT_PROMPT: {
+ /* If no ask password request was configured use the default openssl UI. */
+ AskPasswordRequest *req = UI_get0_user_data(ui);
+ if (!req)
+ return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
+
+ req->message = UI_get0_output_string(uis);
+
+ _cleanup_(strv_freep) char **l = NULL;
+ r = ask_password_auto(req, /*until=*/ 0, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l);
+ if (r < 0) {
+ log_error_errno(r, "Failed to query for PIN: %m");
+ return 0;
+ }
+
+ if (strv_length(l) != 1) {
+ log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Expected only a single password/pin.");
+ return 0;
+ }
+
+ if (UI_set_result(ui, uis, *l) != 0) {
+ log_openssl_errors("Failed to set user interface result");
+ return 0;
+ }
+
+ return 1;
+ }
+ default:
+ return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
+ }
+}
#endif
+int openssl_ask_password_ui_new(OpenSSLAskPasswordUI **ret) {
+#if HAVE_OPENSSL
+ assert(ret);
+
+ _cleanup_(UI_destroy_methodp) UI_METHOD *method = UI_create_method("systemd-ask-password");
+ if (!method)
+ return log_openssl_errors("Failed to initialize openssl user interface");
+
+ if (UI_method_set_reader(method, openssl_ask_password_ui_read) != 0)
+ return log_openssl_errors("Failed to set openssl user interface reader");
+
+ OpenSSLAskPasswordUI *ui = new(OpenSSLAskPasswordUI, 1);
+ if (!ui)
+ return log_oom_debug();
+
+ *ui = (OpenSSLAskPasswordUI) {
+ .method = TAKE_PTR(method),
+ };
+
+ *ret = TAKE_PTR(ui);
+ return 0;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot create ask-password user interface.");
+#endif
+}
+
int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
#if HAVE_OPENSSL
_cleanup_free_ uint8_t *der = NULL;
#endif
}
+int openssl_load_x509_certificate(const char *path, X509 **ret) {
+#if HAVE_OPENSSL
+ _cleanup_free_ char *rawcert = NULL;
+ _cleanup_(X509_freep) X509 *cert = NULL;
+ _cleanup_(BIO_freep) BIO *cb = NULL;
+ size_t rawcertsz;
+ int r;
+
+ assert(path);
+ assert(ret);
+
+ r = read_full_file_full(
+ AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
+ READ_FULL_FILE_CONNECT_SOCKET,
+ NULL,
+ &rawcert, &rawcertsz);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to read certificate file '%s': %m", path);
+
+ cb = BIO_new_mem_buf(rawcert, rawcertsz);
+ if (!cb)
+ return log_oom_debug();
+
+ cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
+ if (!cert)
+ return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+
+ if (ret)
+ *ret = TAKE_PTR(cert);
+
+ return 0;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load X509 certificate.");
+#endif
+}
+
+static int openssl_load_private_key_from_file(const char *path, EVP_PKEY **ret) {
+#if HAVE_OPENSSL
+ _cleanup_(erase_and_freep) char *rawkey = NULL;
+ _cleanup_(BIO_freep) BIO *kb = NULL;
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *pk = NULL;
+ size_t rawkeysz;
+ int r;
+
+ assert(path);
+ assert(ret);
+
+ r = read_full_file_full(
+ AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
+ READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
+ NULL,
+ &rawkey, &rawkeysz);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to read key file '%s': %m", path);
+
+ kb = BIO_new_mem_buf(rawkey, rawkeysz);
+ if (!kb)
+ return log_oom_debug();
+
+ pk = PEM_read_bio_PrivateKey(kb, NULL, NULL, NULL);
+ if (!pk)
+ return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse PEM private key: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+
+ if (ret)
+ *ret = TAKE_PTR(pk);
+
+ return 0;
+#else
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "OpenSSL is not supported, cannot load private key.");
+#endif
+}
+
+int openssl_load_private_key(
+ KeySourceType private_key_source_type,
+ const char *private_key_source,
+ const char *private_key,
+ const AskPasswordRequest *request,
+ EVP_PKEY **ret_private_key,
+ OpenSSLAskPasswordUI **ret_user_interface) {
+
+ int r;
+
+ assert(private_key);
+ assert(request);
+
+ if (private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
+ r = openssl_load_private_key_from_file(private_key, ret_private_key);
+ if (r < 0)
+ return r;
+
+ *ret_user_interface = NULL;
+ } else {
+ _cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
+ r = openssl_ask_password_ui_new(&ui);
+ if (r < 0)
+ return log_debug_errno(r, "Failed to allocate ask-password user interface: %m");
+
+ ui->request = *request;
+
+ r = openssl_load_key_from_token(
+ private_key_source_type,
+ private_key_source,
+ private_key,
+ ui,
+ ret_private_key);
+ if (r < 0)
+ return log_debug_errno(
+ r,
+ "Failed to load key '%s' from OpenSSL private key source %s: %m",
+ private_key,
+ private_key_source);
+
+ *ret_user_interface = TAKE_PTR(ui);
+ }
+
+ return 0;
+}
+
int parse_openssl_key_source_argument(
const char *argument,
char **private_key_source,
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
+#include "ask-password-api.h"
#include "iovec-util.h"
#include "macro.h"
#include "sha256.h"
_OPENSSL_KEY_SOURCE_INVALID = -EINVAL,
} KeySourceType;
+typedef struct OpenSSLAskPasswordUI OpenSSLAskPasswordUI;
+
int parse_openssl_key_source_argument(const char *argument, char **private_key_source, KeySourceType *private_key_source_type);
#define X509_FINGERPRINT_SIZE SHA256_DIGEST_SIZE
# include <openssl/opensslv.h>
# include <openssl/pkcs7.h>
# include <openssl/ssl.h>
+# include <openssl/ui.h>
# include <openssl/x509v3.h>
# ifndef OPENSSL_VERSION_MAJOR
/* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */
int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_t size, void **ret, size_t *ret_size);
-int openssl_load_key_from_token(KeySourceType private_key_source_type, const char *private_key_source, const char *private_key, EVP_PKEY **ret);
+int openssl_load_key_from_token(KeySourceType private_key_source_type, const char *private_key_source, const char *private_key, OpenSSLAskPasswordUI *ui, EVP_PKEY **ret_private_key);
#else
typedef struct X509 X509;
typedef struct EVP_PKEY EVP_PKEY;
+typedef struct UI_METHOD UI_METHOD;
static inline void *X509_free(X509 *p) {
assert(p == NULL);
return NULL;
}
+static inline void* UI_destroy_method(UI_METHOD *p) {
+ assert(p == NULL);
+ return NULL;
+}
+
static inline int openssl_load_key_from_token(
KeySourceType private_key_source_type,
const char *private_key_source,
const char *private_key,
- EVP_PKEY **ret) {
+ OpenSSLAskPasswordUI *ui,
+ EVP_PKEY **ret_private_key) {
return -EOPNOTSUPP;
}
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(UI_METHOD*, UI_destroy_method, NULL);
+
+struct OpenSSLAskPasswordUI {
+ AskPasswordRequest request;
+ UI_METHOD *method;
+};
+
+int openssl_ask_password_ui_new(OpenSSLAskPasswordUI **ret);
+
+static inline OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
+ if (!ui)
+ return NULL;
+
+ UI_destroy_method(ui->method);
+ return mfree(ui);
+}
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_free, NULL);
int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
+int openssl_load_x509_certificate(const char *path, X509 **ret);
+
+int openssl_load_private_key(
+ KeySourceType private_key_source_type,
+ const char *private_key_source,
+ const char *private_key,
+ const AskPasswordRequest *request,
+ EVP_PKEY **ret_private_key,
+ OpenSSLAskPasswordUI **ret_user_interface);
+
#if PREFER_OPENSSL
/* The openssl definition */
typedef const EVP_MD* hash_md_t;
projects / thirdparty / systemd.git / commitdiff
