Blame 0034-rpmsign-Adopting-PKCS11-opaque-keys-support-in-libfsverity-for-fsverity-signatures.patch

d5e724
From aee5af8e4fe7908df90649eb699c3a1decf06b0c Mon Sep 17 00:00:00 2001
d5e724
From: Yu Wu <wuyu@fb.com>
d5e724
Date: Wed, 3 Nov 2021 23:13:15 -0700
d5e724
Subject: [PATCH 1/2] rpmsign: Adopting PKCS#11 opaque keys support in
d5e724
 libfsverity for fsverity signatures
d5e724
d5e724
---
d5e724
 rpmsign.c            | 29 ++++++++++++++++++++----
d5e724
 sign/rpmgensig.c     | 53 +++++++++++++++++++++++++++++++++++++++-----
d5e724
 sign/rpmsignverity.c | 24 +++++++++++++-------
d5e724
 sign/rpmsignverity.h |  9 +++++---
d5e724
 4 files changed, 94 insertions(+), 21 deletions(-)
d5e724
d5e724
diff --git a/rpmsign.c b/rpmsign.c
d5e724
index 12299379ce..63b8616382 100644
d5e724
--- a/rpmsign.c
d5e724
+++ b/rpmsign.c
d5e724
@@ -24,6 +24,9 @@ static int fskpass = 0;
d5e724
 static char * fileSigningKey = NULL;
d5e724
 #endif
d5e724
 #ifdef WITH_FSVERITY
d5e724
+static char * pkcs11Engine = NULL;
d5e724
+static char * pkcs11Module = NULL;
d5e724
+static char * pkcs11KeyId = NULL;
d5e724
 static char * fileSigningCert = NULL;
d5e724
 static char * verityAlgorithm = NULL;
d5e724
 #endif
d5e724
@@ -59,6 +62,15 @@ static struct poptOption signOptsTable[] = {
d5e724
     { "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,
d5e724
 	N_("use file signing cert <cert>"),
d5e724
 	N_("<cert>") },
d5e724
+    { "pkcs11_engine", '\0', POPT_ARG_STRING, &pkcs11Engine, 0,
d5e724
+	N_("use pkcs#11 token for fsverity signing key with openssl engine <pkcs11_engine>"),
d5e724
+	N_("<pkcs11_engine>") },
d5e724
+    { "pkcs11_module", '\0', POPT_ARG_STRING, &pkcs11Module, 0,
d5e724
+	N_("use pkcs#11 token for fsverity signing key with openssl module <pkcs11_module>"),
d5e724
+	N_("<pkcs11_module>") },
d5e724
+    { "pkcs11_keyid", '\0', POPT_ARG_STRING, &pkcs11KeyId, 0,
d5e724
+	N_("use pkcs#11 token for fsverity signing key with keyid <pkcs11_keyid>"),
d5e724
+	N_("<pkcs11_keyid>") },
d5e724
 #endif
d5e724
 #if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
d5e724
     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
d5e724
@@ -139,6 +151,15 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
d5e724
     }
d5e724
 
d5e724
 #ifdef WITH_FSVERITY
d5e724
+    if (pkcs11Engine) {
d5e724
+    rpmPushMacro(NULL, "_pkcs11_engine", NULL, pkcs11Engine, RMIL_GLOBAL);
d5e724
+    }
d5e724
+    if (pkcs11Module) {
d5e724
+    rpmPushMacro(NULL, "_pkcs11_module", NULL, pkcs11Module, RMIL_GLOBAL);
d5e724
+    }
d5e724
+    if (pkcs11KeyId) {
d5e724
+    rpmPushMacro(NULL, "_pkcs11_keyid", NULL, pkcs11KeyId, RMIL_GLOBAL);
d5e724
+    }
d5e724
     if (fileSigningCert) {
d5e724
 	rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);
d5e724
     }
d5e724
@@ -149,9 +170,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
d5e724
 
d5e724
     if (flags_sign_files(sargs->signflags)) {
d5e724
 	char *fileSigningKeyPassword = NULL;
d5e724
-	char *key = rpmExpand("%{?_file_signing_key}", NULL);
d5e724
-	if (rstreq(key, "")) {
d5e724
-	    fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
d5e724
+	char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
d5e724
+	if (rstreq(cert, "")) {
d5e724
+	    fprintf(stderr, _("You must set \"%%_file_signing_cert\" in your macro file or on the command line with --certpath\n"));
d5e724
 	    goto exit;
d5e724
 	}
d5e724
 
d5e724
@@ -166,7 +187,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
d5e724
 	    free(fileSigningKeyPassword);
d5e724
 	}
d5e724
 
d5e724
-	free(key);
d5e724
+	free(cert);
d5e724
     }
d5e724
 #endif
d5e724
 
d5e724
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
d5e724
index d8c84e9377..cb264679b6 100644
d5e724
--- a/sign/rpmgensig.c
d5e724
+++ b/sign/rpmgensig.c
d5e724
@@ -461,15 +461,56 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
d5e724
     rpmRC rc = RPMRC_OK;
d5e724
     char *key = rpmExpand("%{?_file_signing_key}", NULL);
d5e724
     char *keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
d5e724
+    char *pkcs11_engine = rpmExpand("%{?_pkcs11_engine}", NULL);
d5e724
+    char *pkcs11_module = rpmExpand("%{?_pkcs11_module}", NULL);
d5e724
+    char *pkcs11_keyid = rpmExpand("%{?_pkcs11_keyid}", NULL);
d5e724
     char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
d5e724
     char *algorithm = rpmExpand("%{?_verity_algorithm}", NULL);
d5e724
     uint16_t algo = 0;
d5e724
 
d5e724
+    if (rstreq(key, "")) {
d5e724
+	free(key);
d5e724
+	key = NULL;
d5e724
+    }
d5e724
+
d5e724
+    if (rstreq(pkcs11_engine, "")) {
d5e724
+	free(pkcs11_engine);
d5e724
+	pkcs11_engine = NULL;
d5e724
+    }
d5e724
+
d5e724
+    if (rstreq(pkcs11_module, "")) {
d5e724
+	free(pkcs11_module);
d5e724
+	pkcs11_module = NULL;
d5e724
+    }
d5e724
+
d5e724
+    if (rstreq(pkcs11_keyid, "")) {
d5e724
+	free(pkcs11_keyid);
d5e724
+	pkcs11_keyid = NULL;
d5e724
+    }
d5e724
+
d5e724
     if (rstreq(keypass, "")) {
d5e724
 	free(keypass);
d5e724
 	keypass = NULL;
d5e724
     }
d5e724
 
d5e724
+    if (key) {
d5e724
+        if (pkcs11_engine || pkcs11_module || pkcs11_keyid) {
d5e724
+            rpmlog(
d5e724
+                RPMLOG_ERR,
d5e724
+                _("fsverity signatures require a key specified either by file or by PKCS#11 token, not both\n"));
d5e724
+            rc = RPMRC_FAIL;
d5e724
+            goto out;
d5e724
+        }
d5e724
+    } else {
d5e724
+        if (!pkcs11_engine || !pkcs11_module) {
d5e724
+            rpmlog(
d5e724
+                RPMLOG_ERR,
d5e724
+                _("fsverity signatures require both PKCS#11 engine and module to use PKCS#11 token\n"));
d5e724
+            rc = RPMRC_FAIL;
d5e724
+            goto out;
d5e724
+        }
d5e724
+    }
d5e724
+
d5e724
     if (algorithm && strlen(algorithm) > 0) {
d5e724
 	    algo = libfsverity_find_hash_alg_by_name(algorithm);
d5e724
 	    rpmlog(RPMLOG_DEBUG, _("Searching for algorithm %s got %i\n"),
d5e724
@@ -481,16 +522,16 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
d5e724
 		    goto out;
d5e724
 	    }
d5e724
     }
d5e724
-    if (key && cert) {
d5e724
-	    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass, cert, algo);
d5e724
-    } else {
d5e724
-	rpmlog(RPMLOG_ERR, _("fsverity signatures requires a key and a cert\n"));
d5e724
-	rc = RPMRC_FAIL;
d5e724
-    }
d5e724
+
d5e724
+    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass,
d5e724
+                pkcs11_engine, pkcs11_module, pkcs11_keyid, cert, algo);
d5e724
 
d5e724
  out:
d5e724
     free(keypass);
d5e724
     free(key);
d5e724
+    free(pkcs11_engine);
d5e724
+    free(pkcs11_module);
d5e724
+    free(pkcs11_keyid);
d5e724
     free(cert);
d5e724
     return rc;
d5e724
 #else
d5e724
diff --git a/sign/rpmsignverity.c b/sign/rpmsignverity.c
d5e724
index e6c830cdcb..b7924e7ad1 100644
d5e724
--- a/sign/rpmsignverity.c
d5e724
+++ b/sign/rpmsignverity.c
d5e724
@@ -34,8 +34,9 @@ static int rpmVerityRead(void *opaque, void *buf, size_t size)
d5e724
 	return retval;
d5e724
 }
d5e724
 
d5e724
-static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
d5e724
-			       char *keypass, char *cert, uint16_t algo)
d5e724
+static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key, char *keypass,
d5e724
+			    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
d5e724
+			    char *cert, uint16_t algo)
d5e724
 {
d5e724
     struct libfsverity_merkle_tree_params params;
d5e724
     struct libfsverity_signature_params sig_params;
d5e724
@@ -76,6 +77,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
d5e724
 
d5e724
     memset(&sig_params, 0, sizeof(struct libfsverity_signature_params));
d5e724
     sig_params.keyfile = key;
d5e724
+    sig_params.pkcs11_engine = pkcs11_engine;
d5e724
+    sig_params.pkcs11_module = pkcs11_module;
d5e724
+    sig_params.pkcs11_keyid = pkcs11_keyid;
d5e724
     sig_params.certfile = cert;
d5e724
     if (libfsverity_sign_digest(digest, &sig_params, &sig, sig_size)) {
d5e724
 	rpmlog(RPMLOG_DEBUG, _("failed to sign digest\n"));
d5e724
@@ -94,8 +98,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
d5e724
     return sig_base64;
d5e724
 }
d5e724
 
d5e724
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
d5e724
-		    char *keypass, char *cert, uint16_t algo)
d5e724
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
d5e724
+	        char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
d5e724
+	        char *cert, uint16_t algo)
d5e724
 {
d5e724
     int rc;
d5e724
     FD_t gzdi;
d5e724
@@ -125,6 +130,9 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
d5e724
     }
d5e724
 
d5e724
     rpmlog(RPMLOG_DEBUG, _("key: %s\n"), key);
d5e724
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_engine: %s\n"), pkcs11_engine);
d5e724
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_module: %s\n"), pkcs11_module);
d5e724
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_keyid: %s\n"), pkcs11_keyid);
d5e724
     rpmlog(RPMLOG_DEBUG, _("cert: %s\n"), cert);
d5e724
 
d5e724
     compr = headerGetString(h, RPMTAG_PAYLOADCOMPRESSOR);
d5e724
@@ -164,16 +172,16 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
d5e724
     while (rpmfiNext(fi) >= 0) {
d5e724
 	idx = rpmfiFX(fi);
d5e724
 
d5e724
-	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, cert,
d5e724
-					    algo);
d5e724
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
d5e724
+					    pkcs11_module, pkcs11_keyid, cert, algo);
d5e724
     }
d5e724
 
d5e724
     while (rpmfiNext(hfi) >= 0) {
d5e724
 	idx = rpmfiFX(hfi);
d5e724
 	if (signatures[idx])
d5e724
 	    continue;
d5e724
-	signatures[idx] = rpmVeritySignFile(hfi, &sig_size, key, keypass, cert,
d5e724
-					    algo);
d5e724
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
d5e724
+					    pkcs11_module, pkcs11_keyid, cert, algo);
d5e724
     }
d5e724
 
d5e724
     rpmtdReset(&td);
d5e724
diff --git a/sign/rpmsignverity.h b/sign/rpmsignverity.h
d5e724
index d869e8d8e8..32d2d6359a 100644
d5e724
--- a/sign/rpmsignverity.h
d5e724
+++ b/sign/rpmsignverity.h
d5e724
@@ -22,12 +22,15 @@ extern "C" {
d5e724
  * @param h		package header
d5e724
  * @param key		signing key
d5e724
  * @param keypass	signing key password
d5e724
+ * @param pkcs11_engine		PKCS#11 engine to use PKCS#11 token support for signing key
d5e724
+ * @param pkcs11_module		PKCS#11 module to use PKCS#11 token support for signing key
d5e724
+ * @param pkcs11_keyid		PKCS#11 key identifier
d5e724
  * @param cert		signing cert
d5e724
  * @return		RPMRC_OK on success
d5e724
  */
d5e724
-RPM_GNUC_INTERNAL
d5e724
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
d5e724
-		    char *keypass, char *cert, uint16_t algo);
d5e724
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
d5e724
+		    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
d5e724
+		    char *cert, uint16_t algo);
d5e724
 
d5e724
 #ifdef _cplusplus
d5e724
 }