From a5c87d9d186e155553be0ae153bb50180f54fffd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 22 Jan 2020 10:16:22 +0100
Subject: [PATCH 1/2] Cleanup support for specifying PKCS#11 engine as part of the label

The code for specifying OpenSSL PKCS#11 engine as part of the label (e.g. -l "pkcs11:token=..." instead of -E pkcs11 -l "token=...") was non-functional. This commit just cleans the related code.
---
 lib/dns/opensslrsa_link.c | 36 +++++++++++++++---------------------
 1 file changed, 15 insertions(+), 21 deletions(-)

diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 0bd7558e5d..009ee454de 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1024,58 +1024,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 isc_result_t ret;
 EVP_PKEY *pkey = NULL;
 RSA *rsa = NULL, *pubrsa = NULL;
- char *colon, *tmpengine = NULL;
 const BIGNUM *ex = NULL;
 UNUSED(pin);
 if (engine == NULL) {
- if (strchr(label, ':') == NULL)
- DST_RET(DST_R_NOENGINE);
- tmpengine = isc_mem_strdup(key->mctx, label);
- colon = strchr(tmpengine, ':');
- INSIST(colon != NULL);
- *colon = '\0';
+ DST_RET(DST_R_NOENGINE);
 }
 e = dst__openssl_getengine(engine);
- if (e == NULL)
+ if (e == NULL) {
 DST_RET(DST_R_NOENGINE);
+ }
 pkey = ENGINE_load_public_key(e, label, NULL, NULL);
 if (pkey != NULL) {
 pubrsa = EVP_PKEY_get1_RSA(pkey);
 EVP_PKEY_free(pkey);
- if (pubrsa == NULL)
+ if (pubrsa == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
 }
 pkey = ENGINE_load_private_key(e, label, NULL, NULL);
- if (pkey == NULL)
+ if (pkey == NULL) {
 DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", ISC_R_NOTFOUND));
- if (tmpengine != NULL) {
- key->engine = tmpengine;
- tmpengine = NULL;
- } else {
- key->engine = isc_mem_strdup(key->mctx, engine);
 }
+ key->engine = isc_mem_strdup(key->mctx, engine);
 key->label = isc_mem_strdup(key->mctx, label);
 rsa = EVP_PKEY_get1_RSA(pkey);
- if (rsa == NULL)
+ if (rsa == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
+ }
+ if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
 DST_RET(DST_R_INVALIDPRIVATEKEY);
+ }
 RSA_get0_key(rsa, NULL, &ex, NULL);
- if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
+ if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
 DST_RET(ISC_R_RANGE);
- if (pubrsa != NULL)
+ }
+ if (pubrsa != NULL) {
 RSA_free(pubrsa);
+ }
 key->key_size = EVP_PKEY_bits(pkey);
 key->keydata.pkey = pkey;
 RSA_free(rsa);
 return (ISC_R_SUCCESS);
 err:
- if (tmpengine != NULL)
- isc_mem_free(key->mctx, tmpengine);
 if (rsa != NULL)
 RSA_free(rsa);
 if (pubrsa != NULL)
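Review bot: The three DST_RET exits after ENGINE_load_private_key (rsa == NULL, the rsa_check failure, and the BN_num_bits range check) run while pkey is held but not yet stored in key->keydata.pkey, and the visible part of the err: block only releases rsa and pubrsa; the rest of that cleanup lies outside the hunk, so confirm it calls EVP_PKEY_free(pkey) on those paths, otherwise the engine-backed private-key handle leaks on every validation failure. key->engine and key->label are likewise already duplicated before those checks, which is presumably acceptable only if the caller destroys the key on failure. As a point of style, the commit braces every single-statement if in the body but leaves the two still visible under err: unbraced; for consistency write `if (rsa != NULL) { RSA_free(rsa); }` and the same for pubrsa. opensslrsa_fromlabel begins before this hunk and its cleanup continues past it.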
From 33fa3d5eb1fb196739702c9b5131cd9ff4eefe1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Mon, 10 Feb 2020 07:29:43 -0800
Subject: [PATCH 2/2] Remove reference to prepending label with engine in manpage

---
 bin/dnssec/dnssec-keyfromlabel.docbook | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 0eb2dca40f..71ded9ec06 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -173,9 +173,7 @@ When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is an arbitrary string that
- identifies a particular key. It may be preceded by an
- optional OpenSSL engine name, followed by a colon, as in
- "pkcs11:keylabel".
+ identifies a particular key.
 When BIND 9 is built with native PKCS#11