Merge branch 'ondrej/remove-OpenSSL-engine-specification-in-label' into 'master'
Clean up support for specifying the PKCS#11 engine as part of the label. See merge request isc-projects/bind9!2943
@@ -173,9 +173,7 @@
|
|||||||
<para>
|
<para>
|
||||||
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
|
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
|
||||||
PKCS#11 support, the label is an arbitrary string that
|
PKCS#11 support, the label is an arbitrary string that
|
||||||
identifies a particular key. It may be preceded by an
|
identifies a particular key.
|
||||||
optional OpenSSL engine name, followed by a colon, as in
|
|
||||||
"pkcs11:<replaceable>keylabel</replaceable>".
|
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
When <acronym>BIND</acronym> 9 is built with native PKCS#11
|
When <acronym>BIND</acronym> 9 is built with native PKCS#11
|
||||||
|
@@ -1024,58 +1024,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
RSA *rsa = NULL, *pubrsa = NULL;
|
RSA *rsa = NULL, *pubrsa = NULL;
|
||||||
char *colon, *tmpengine = NULL;
|
|
||||||
const BIGNUM *ex = NULL;
|
const BIGNUM *ex = NULL;
|
||||||
|
|
||||||
UNUSED(pin);
|
UNUSED(pin);
|
||||||
|
|
||||||
if (engine == NULL) {
|
if (engine == NULL) {
|
||||||
if (strchr(label, ':') == NULL)
|
DST_RET(DST_R_NOENGINE);
|
||||||
DST_RET(DST_R_NOENGINE);
|
|
||||||
tmpengine = isc_mem_strdup(key->mctx, label);
|
|
||||||
colon = strchr(tmpengine, ':');
|
|
||||||
INSIST(colon != NULL);
|
|
||||||
*colon = '\0';
|
|
||||||
}
|
}
|
||||||
e = dst__openssl_getengine(engine);
|
e = dst__openssl_getengine(engine);
|
||||||
if (e == NULL)
|
if (e == NULL) {
|
||||||
DST_RET(DST_R_NOENGINE);
|
DST_RET(DST_R_NOENGINE);
|
||||||
|
}
|
||||||
pkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
pkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
||||||
if (pkey != NULL) {
|
if (pkey != NULL) {
|
||||||
pubrsa = EVP_PKEY_get1_RSA(pkey);
|
pubrsa = EVP_PKEY_get1_RSA(pkey);
|
||||||
EVP_PKEY_free(pkey);
|
EVP_PKEY_free(pkey);
|
||||||
if (pubrsa == NULL)
|
if (pubrsa == NULL) {
|
||||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||||
if (pkey == NULL)
|
if (pkey == NULL) {
|
||||||
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
|
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
|
||||||
ISC_R_NOTFOUND));
|
ISC_R_NOTFOUND));
|
||||||
if (tmpengine != NULL) {
|
|
||||||
key->engine = tmpengine;
|
|
||||||
tmpengine = NULL;
|
|
||||||
} else {
|
|
||||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
|
||||||
}
|
}
|
||||||
|
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||||
key->label = isc_mem_strdup(key->mctx, label);
|
key->label = isc_mem_strdup(key->mctx, label);
|
||||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||||
if (rsa == NULL)
|
if (rsa == NULL) {
|
||||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
|
}
|
||||||
|
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
|
||||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||||
|
}
|
||||||
RSA_get0_key(rsa, NULL, &ex, NULL);
|
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||||
if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
|
if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
|
||||||
DST_RET(ISC_R_RANGE);
|
DST_RET(ISC_R_RANGE);
|
||||||
if (pubrsa != NULL)
|
}
|
||||||
|
if (pubrsa != NULL) {
|
||||||
RSA_free(pubrsa);
|
RSA_free(pubrsa);
|
||||||
|
}
|
||||||
key->key_size = EVP_PKEY_bits(pkey);
|
key->key_size = EVP_PKEY_bits(pkey);
|
||||||
key->keydata.pkey = pkey;
|
key->keydata.pkey = pkey;
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
return (ISC_R_SUCCESS);
|
return (ISC_R_SUCCESS);
|
||||||
|
|
||||||
err:
|
err:
|
||||||
if (tmpengine != NULL)
|
|
||||||
isc_mem_free(key->mctx, tmpengine);
|
|
||||||
if (rsa != NULL)
|
if (rsa != NULL)
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
if (pubrsa != NULL)
|
if (pubrsa != NULL)
|
||||||
|