|
 |
954474 |
From b6b0611704047b8632b328d48502f3b3f9fe4fe2 Mon Sep 17 00:00:00 2001
|
|
|
954474 |
From: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
954474 |
Date: Tue, 1 Feb 2022 12:40:06 -0500
|
|
|
954474 |
Subject: [PATCH] swtpm_localca: Test for available issuercert before creating
|
|
|
954474 |
CA
|
|
|
954474 |
|
|
|
954474 |
Avoid trying to create TPM certificates while the issuer certificate has
|
|
|
954474 |
not been created, yet (in a 2nd step).
|
|
|
954474 |
|
|
|
954474 |
To resolve this do not just test for availability of the signing key, which
|
|
|
954474 |
is created first, but also test for the issuer certifcate, which is created
|
|
|
954474 |
in a 2nd step when the local CA is created. If either one is missing,
|
|
|
954474 |
attempt to create the CA.
|
|
|
954474 |
|
|
|
954474 |
Resolves: https://github.com/stefanberger/swtpm/issues/644
|
|
|
954474 |
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
|
954474 |
---
|
|
|
954474 |
src/swtpm_localca/swtpm_localca.c | 17 ++++++++++++++++-
|
|
|
954474 |
1 file changed, 16 insertions(+), 1 deletion(-)
|
|
|
954474 |
|
|
|
954474 |
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
|
|
|
954474 |
index 037bfd5266bb..089e4e0db4ce 100644
|
|
|
954474 |
--- a/src/swtpm_localca/swtpm_localca.c
|
|
|
954474 |
+++ b/src/swtpm_localca/swtpm_localca.c
|
|
|
954474 |
@@ -117,7 +117,7 @@ static int create_localca_cert(const gchar *lockfile, const gchar *statedir,
|
|
|
954474 |
goto error;
|
|
|
954474 |
}
|
|
|
954474 |
|
|
|
954474 |
- if (access(signkey, R_OK) != 0) {
|
|
|
954474 |
+ if (access(signkey, R_OK) != 0 || access(issuercert, R_OK) != 0) {
|
|
|
954474 |
g_autofree gchar *directory = g_path_get_dirname(signkey);
|
|
|
954474 |
g_autofree gchar *cakey = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-privkey.pem", NULL);
|
|
|
954474 |
g_autofree gchar *cacert = g_strjoin(G_DIR_SEPARATOR_S, directory, "swtpm-localca-rootca-cert.pem", NULL);
|
|
|
954474 |
@@ -808,13 +808,28 @@ int main(int argc, char *argv[])
|
|
|
954474 |
if (ret != 0)
|
|
|
954474 |
goto error;
|
|
|
954474 |
} else {
|
|
|
954474 |
+ int create_certs = 0;
|
|
|
954474 |
+
|
|
|
954474 |
+ /* create certificate if either the signing key or issuer cert are missing */
|
|
|
954474 |
if (access(signkey, R_OK) != 0) {
|
|
|
954474 |
if (stat(signkey, &statbuf) == 0) {
|
|
|
954474 |
logerr(gl_LOGFILE, "Need read rights on signing key %s for user %s.\n",
|
|
|
954474 |
signkey, curr_user ? curr_user->pw_name : "<unknown>");
|
|
|
954474 |
goto error;
|
|
|
954474 |
}
|
|
|
954474 |
+ create_certs = 1;
|
|
|
954474 |
+ }
|
|
|
954474 |
+
|
|
|
954474 |
+ if (access(issuercert, R_OK) != 0) {
|
|
|
954474 |
+ if (stat(issuercert, &statbuf) == 0) {
|
|
|
954474 |
+ logerr(gl_LOGFILE, "Need read rights on issuer certificate %s for user %s.\n",
|
|
|
954474 |
+ issuercert, curr_user ? curr_user->pw_name : "<unknown>");
|
|
|
954474 |
+ goto error;
|
|
|
954474 |
+ }
|
|
|
954474 |
+ create_certs = 1;
|
|
|
954474 |
+ }
|
|
|
954474 |
|
|
|
954474 |
+ if (create_certs) {
|
|
|
954474 |
logit(gl_LOGFILE, "Creating root CA and a local CA's signing key and issuer cert.\n");
|
|
|
954474 |
if (create_localca_cert(lockfile, statedir, signkey, signkey_password,
|
|
|
954474 |
issuercert) != 0) {
|
|
|
954474 |
--
|
|
|
954474 |
2.37.0.rc0
|
|
|
954474 |
|