Blame SOURCES/0034-rpmsign-Adopting-PKCS11-opaque-keys-support-in-libfsverity-for-fsverity-signatures.patch

567c22
From aee5af8e4fe7908df90649eb699c3a1decf06b0c Mon Sep 17 00:00:00 2001
567c22
From: Yu Wu <wuyu@fb.com>
567c22
Date: Wed, 3 Nov 2021 23:13:15 -0700
567c22
Subject: [PATCH 1/2] rpmsign: Adopting PKCS#11 opaque keys support in
567c22
 libfsverity for fsverity signatures
567c22
567c22
---
567c22
 rpmsign.c            | 29 ++++++++++++++++++++----
567c22
 sign/rpmgensig.c     | 53 +++++++++++++++++++++++++++++++++++++++-----
567c22
 sign/rpmsignverity.c | 24 +++++++++++++-------
567c22
 sign/rpmsignverity.h |  9 +++++---
567c22
 4 files changed, 94 insertions(+), 21 deletions(-)
567c22
567c22
diff --git a/rpmsign.c b/rpmsign.c
567c22
index 12299379ce..63b8616382 100644
567c22
--- a/rpmsign.c
567c22
+++ b/rpmsign.c
567c22
@@ -24,6 +24,9 @@ static int fskpass = 0;
567c22
 static char * fileSigningKey = NULL;
567c22
 #endif
567c22
 #ifdef WITH_FSVERITY
567c22
+static char * pkcs11Engine = NULL;
567c22
+static char * pkcs11Module = NULL;
567c22
+static char * pkcs11KeyId = NULL;
567c22
 static char * fileSigningCert = NULL;
567c22
 static char * verityAlgorithm = NULL;
567c22
 #endif
567c22
@@ -59,6 +62,15 @@ static struct poptOption signOptsTable[] = {
567c22
     { "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,
567c22
 	N_("use file signing cert <cert>"),
567c22
 	N_("<cert>") },
567c22
+    { "pkcs11_engine", '\0', POPT_ARG_STRING, &pkcs11Engine, 0,
567c22
+	N_("use pkcs#11 token for fsverity signing key with openssl engine <pkcs11_engine>"),
567c22
+	N_("<pkcs11_engine>") },
567c22
+    { "pkcs11_module", '\0', POPT_ARG_STRING, &pkcs11Module, 0,
567c22
+	N_("use pkcs#11 token for fsverity signing key with openssl module <pkcs11_module>"),
567c22
+	N_("<pkcs11_module>") },
567c22
+    { "pkcs11_keyid", '\0', POPT_ARG_STRING, &pkcs11KeyId, 0,
567c22
+	N_("use pkcs#11 token for fsverity signing key with keyid <pkcs11_keyid>"),
567c22
+	N_("<pkcs11_keyid>") },
567c22
 #endif
567c22
 #if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
567c22
     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
567c22
@@ -139,6 +151,15 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
567c22
     }
567c22
 
567c22
 #ifdef WITH_FSVERITY
567c22
+    if (pkcs11Engine) {
567c22
+    rpmPushMacro(NULL, "_pkcs11_engine", NULL, pkcs11Engine, RMIL_GLOBAL);
567c22
+    }
567c22
+    if (pkcs11Module) {
567c22
+    rpmPushMacro(NULL, "_pkcs11_module", NULL, pkcs11Module, RMIL_GLOBAL);
567c22
+    }
567c22
+    if (pkcs11KeyId) {
567c22
+    rpmPushMacro(NULL, "_pkcs11_keyid", NULL, pkcs11KeyId, RMIL_GLOBAL);
567c22
+    }
567c22
     if (fileSigningCert) {
567c22
 	rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);
567c22
     }
567c22
@@ -149,9 +170,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
567c22
 
567c22
     if (flags_sign_files(sargs->signflags)) {
567c22
 	char *fileSigningKeyPassword = NULL;
567c22
-	char *key = rpmExpand("%{?_file_signing_key}", NULL);
567c22
-	if (rstreq(key, "")) {
567c22
-	    fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
567c22
+	char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
567c22
+	if (rstreq(cert, "")) {
567c22
+	    fprintf(stderr, _("You must set \"%%_file_signing_cert\" in your macro file or on the command line with --certpath\n"));
567c22
 	    goto exit;
567c22
 	}
567c22
 
567c22
@@ -166,7 +187,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
567c22
 	    free(fileSigningKeyPassword);
567c22
 	}
567c22
 
567c22
-	free(key);
567c22
+	free(cert);
567c22
     }
567c22
 #endif
567c22
 
567c22
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
567c22
index d8c84e9377..cb264679b6 100644
567c22
--- a/sign/rpmgensig.c
567c22
+++ b/sign/rpmgensig.c
567c22
@@ -461,15 +461,56 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
567c22
     rpmRC rc = RPMRC_OK;
567c22
     char *key = rpmExpand("%{?_file_signing_key}", NULL);
567c22
     char *keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
567c22
+    char *pkcs11_engine = rpmExpand("%{?_pkcs11_engine}", NULL);
567c22
+    char *pkcs11_module = rpmExpand("%{?_pkcs11_module}", NULL);
567c22
+    char *pkcs11_keyid = rpmExpand("%{?_pkcs11_keyid}", NULL);
567c22
     char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
567c22
     char *algorithm = rpmExpand("%{?_verity_algorithm}", NULL);
567c22
     uint16_t algo = 0;
567c22
 
567c22
+    if (rstreq(key, "")) {
567c22
+	free(key);
567c22
+	key = NULL;
567c22
+    }
567c22
+
567c22
+    if (rstreq(pkcs11_engine, "")) {
567c22
+	free(pkcs11_engine);
567c22
+	pkcs11_engine = NULL;
567c22
+    }
567c22
+
567c22
+    if (rstreq(pkcs11_module, "")) {
567c22
+	free(pkcs11_module);
567c22
+	pkcs11_module = NULL;
567c22
+    }
567c22
+
567c22
+    if (rstreq(pkcs11_keyid, "")) {
567c22
+	free(pkcs11_keyid);
567c22
+	pkcs11_keyid = NULL;
567c22
+    }
567c22
+
567c22
     if (rstreq(keypass, "")) {
567c22
 	free(keypass);
567c22
 	keypass = NULL;
567c22
     }
567c22
 
567c22
+    if (key) {
567c22
+        if (pkcs11_engine || pkcs11_module || pkcs11_keyid) {
567c22
+            rpmlog(
567c22
+                RPMLOG_ERR,
567c22
+                _("fsverity signatures require a key specified either by file or by PKCS#11 token, not both\n"));
567c22
+            rc = RPMRC_FAIL;
567c22
+            goto out;
567c22
+        }
567c22
+    } else {
567c22
+        if (!pkcs11_engine || !pkcs11_module) {
567c22
+            rpmlog(
567c22
+                RPMLOG_ERR,
567c22
+                _("fsverity signatures require both PKCS#11 engine and module to use PKCS#11 token\n"));
567c22
+            rc = RPMRC_FAIL;
567c22
+            goto out;
567c22
+        }
567c22
+    }
567c22
+
567c22
     if (algorithm && strlen(algorithm) > 0) {
567c22
 	    algo = libfsverity_find_hash_alg_by_name(algorithm);
567c22
 	    rpmlog(RPMLOG_DEBUG, _("Searching for algorithm %s got %i\n"),
567c22
@@ -481,16 +522,16 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
567c22
 		    goto out;
567c22
 	    }
567c22
     }
567c22
-    if (key && cert) {
567c22
-	    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass, cert, algo);
567c22
-    } else {
567c22
-	rpmlog(RPMLOG_ERR, _("fsverity signatures requires a key and a cert\n"));
567c22
-	rc = RPMRC_FAIL;
567c22
-    }
567c22
+
567c22
+    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass,
567c22
+                pkcs11_engine, pkcs11_module, pkcs11_keyid, cert, algo);
567c22
 
567c22
  out:
567c22
     free(keypass);
567c22
     free(key);
567c22
+    free(pkcs11_engine);
567c22
+    free(pkcs11_module);
567c22
+    free(pkcs11_keyid);
567c22
     free(cert);
567c22
     return rc;
567c22
 #else
567c22
diff --git a/sign/rpmsignverity.c b/sign/rpmsignverity.c
567c22
index e6c830cdcb..b7924e7ad1 100644
567c22
--- a/sign/rpmsignverity.c
567c22
+++ b/sign/rpmsignverity.c
567c22
@@ -34,8 +34,9 @@ static int rpmVerityRead(void *opaque, void *buf, size_t size)
567c22
 	return retval;
567c22
 }
567c22
 
567c22
-static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
567c22
-			       char *keypass, char *cert, uint16_t algo)
567c22
+static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key, char *keypass,
567c22
+			    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
567c22
+			    char *cert, uint16_t algo)
567c22
 {
567c22
     struct libfsverity_merkle_tree_params params;
567c22
     struct libfsverity_signature_params sig_params;
567c22
@@ -76,6 +77,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
567c22
 
567c22
     memset(&sig_params, 0, sizeof(struct libfsverity_signature_params));
567c22
     sig_params.keyfile = key;
567c22
+    sig_params.pkcs11_engine = pkcs11_engine;
567c22
+    sig_params.pkcs11_module = pkcs11_module;
567c22
+    sig_params.pkcs11_keyid = pkcs11_keyid;
567c22
     sig_params.certfile = cert;
567c22
     if (libfsverity_sign_digest(digest, &sig_params, &sig, sig_size)) {
567c22
 	rpmlog(RPMLOG_DEBUG, _("failed to sign digest\n"));
567c22
@@ -94,8 +98,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
567c22
     return sig_base64;
567c22
 }
567c22
 
567c22
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
567c22
-		    char *keypass, char *cert, uint16_t algo)
567c22
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
567c22
+	        char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
567c22
+	        char *cert, uint16_t algo)
567c22
 {
567c22
     int rc;
567c22
     FD_t gzdi;
567c22
@@ -125,6 +130,9 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
567c22
     }
567c22
 
567c22
     rpmlog(RPMLOG_DEBUG, _("key: %s\n"), key);
567c22
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_engine: %s\n"), pkcs11_engine);
567c22
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_module: %s\n"), pkcs11_module);
567c22
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_keyid: %s\n"), pkcs11_keyid);
567c22
     rpmlog(RPMLOG_DEBUG, _("cert: %s\n"), cert);
567c22
 
567c22
     compr = headerGetString(h, RPMTAG_PAYLOADCOMPRESSOR);
567c22
@@ -164,16 +172,16 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
567c22
     while (rpmfiNext(fi) >= 0) {
567c22
 	idx = rpmfiFX(fi);
567c22
 
567c22
-	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, cert,
567c22
-					    algo);
567c22
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
567c22
+					    pkcs11_module, pkcs11_keyid, cert, algo);
567c22
     }
567c22
 
567c22
     while (rpmfiNext(hfi) >= 0) {
567c22
 	idx = rpmfiFX(hfi);
567c22
 	if (signatures[idx])
567c22
 	    continue;
567c22
-	signatures[idx] = rpmVeritySignFile(hfi, &sig_size, key, keypass, cert,
567c22
-					    algo);
567c22
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
567c22
+					    pkcs11_module, pkcs11_keyid, cert, algo);
567c22
     }
567c22
 
567c22
     rpmtdReset(&td);
567c22
diff --git a/sign/rpmsignverity.h b/sign/rpmsignverity.h
567c22
index d869e8d8e8..32d2d6359a 100644
567c22
--- a/sign/rpmsignverity.h
567c22
+++ b/sign/rpmsignverity.h
567c22
@@ -22,12 +22,15 @@ extern "C" {
567c22
  * @param h		package header
567c22
  * @param key		signing key
567c22
  * @param keypass	signing key password
567c22
+ * @param pkcs11_engine		PKCS#11 engine to use PKCS#11 token support for signing key
567c22
+ * @param pkcs11_module		PKCS#11 module to use PKCS#11 token support for signing key
567c22
+ * @param pkcs11_keyid		PKCS#11 key identifier
567c22
  * @param cert		signing cert
567c22
  * @return		RPMRC_OK on success
567c22
  */
567c22
-RPM_GNUC_INTERNAL
567c22
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
567c22
-		    char *keypass, char *cert, uint16_t algo);
567c22
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
567c22
+		    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
567c22
+		    char *cert, uint16_t algo);
567c22
 
567c22
 #ifdef _cplusplus
567c22
 }