
Merge branch 'ondrej/remove-OpenSSL-engine-specification-in-label' into 'master'

Clean up support for specifying a PKCS#11 engine as part of the label

See merge request isc-projects/bind9!2943
Ondřej Surý
2020-02-10 16:02:23 +00:00
2 changed files with 16 additions and 24 deletions


@@ -173,9 +173,7 @@
<para> <para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an identifies a particular key.
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
</para> </para>
<para> <para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11 When <acronym>BIND</acronym> 9 is built with native PKCS#11


@@ -1024,58 +1024,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
isc_result_t ret; isc_result_t ret;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
RSA *rsa = NULL, *pubrsa = NULL; RSA *rsa = NULL, *pubrsa = NULL;
char *colon, *tmpengine = NULL;
const BIGNUM *ex = NULL; const BIGNUM *ex = NULL;
UNUSED(pin); UNUSED(pin);
if (engine == NULL) { if (engine == NULL) {
if (strchr(label, ':') == NULL) DST_RET(DST_R_NOENGINE);
DST_RET(DST_R_NOENGINE);
tmpengine = isc_mem_strdup(key->mctx, label);
colon = strchr(tmpengine, ':');
INSIST(colon != NULL);
*colon = '\0';
} }
e = dst__openssl_getengine(engine); e = dst__openssl_getengine(engine);
if (e == NULL) if (e == NULL) {
DST_RET(DST_R_NOENGINE); DST_RET(DST_R_NOENGINE);
}
pkey = ENGINE_load_public_key(e, label, NULL, NULL); pkey = ENGINE_load_public_key(e, label, NULL, NULL);
if (pkey != NULL) { if (pkey != NULL) {
pubrsa = EVP_PKEY_get1_RSA(pkey); pubrsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
if (pubrsa == NULL) if (pubrsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
} }
pkey = ENGINE_load_private_key(e, label, NULL, NULL); pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL) if (pkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
ISC_R_NOTFOUND)); ISC_R_NOTFOUND));
if (tmpengine != NULL) {
key->engine = tmpengine;
tmpengine = NULL;
} else {
key->engine = isc_mem_strdup(key->mctx, engine);
} }
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label); key->label = isc_mem_strdup(key->mctx, label);
rsa = EVP_PKEY_get1_RSA(pkey); rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) }
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
DST_RET(DST_R_INVALIDPRIVATEKEY); DST_RET(DST_R_INVALIDPRIVATEKEY);
}
RSA_get0_key(rsa, NULL, &ex, NULL); RSA_get0_key(rsa, NULL, &ex, NULL);
if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE); DST_RET(ISC_R_RANGE);
if (pubrsa != NULL) }
if (pubrsa != NULL) {
RSA_free(pubrsa); RSA_free(pubrsa);
}
key->key_size = EVP_PKEY_bits(pkey); key->key_size = EVP_PKEY_bits(pkey);
key->keydata.pkey = pkey; key->keydata.pkey = pkey;
RSA_free(rsa); RSA_free(rsa);
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
err: err:
if (tmpengine != NULL)
isc_mem_free(key->mctx, tmpengine);
if (rsa != NULL) if (rsa != NULL)
RSA_free(rsa); RSA_free(rsa);
if (pubrsa != NULL) if (pubrsa != NULL)