Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(828)

Unified Diff: utility/vbutil_keyblock.c

Issue 3124004: Changes to allow user-signed kernels to be generated. (Closed) Base URL: ssh://gitrw.chromium.org/vboot_reference.git
Patch Set: Respond to feedback Created 10 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « utility/vbutil_kernel.c ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: utility/vbutil_keyblock.c
diff --git a/utility/vbutil_keyblock.c b/utility/vbutil_keyblock.c
index 7c3f027957ec984f7826e4afb9785c99097b4692..a540ab59d20d5885d2874526c75398ed2a064afc 100644
--- a/utility/vbutil_keyblock.c
+++ b/utility/vbutil_keyblock.c
@@ -46,16 +46,19 @@ static int PrintHelp(char *progname) {
"\n"
"For '--pack <file>', required OPTIONS are:\n"
" --datapubkey <file> Data public key in .vbpubk format\n"
- " --signprivate <file>"
- " Signing private key in .vbprivk format\n"
"\n"
"Optional OPTIONS are:\n"
- " --flags <number> Flags\n"
+ " --signprivate <file>"
+ " Signing private key in .vbprivk format. Without this arg,\n"
+ " the keyblock will not be signed.\n"
+ " --flags <number> Specifies allowed use conditions.\n"
"\n"
- "For '--unpack <file>', required OPTIONS are:\n"
- " --signpubkey <file> Signing public key in .vbpubk format\n"
- "Optional OPTIONS are:\n"
- " --datapubkey <file> Data public key output file\n",
+ "For '--unpack <file>', optional OPTIONS are:\n"
+ " --signpubkey <file>"
+ " Signing public key in .vbpubk format. This is required to\n"
+ " verify a signed keyblock.\n"
+ " --datapubkey <file>"
+ " Write the data public key to this file.\n",
progname);
return 1;
}
@@ -65,15 +68,15 @@ static int PrintHelp(char *progname) {
static int Pack(const char* outfile, const char* datapubkey,
const char* signprivate, uint64_t flags) {
VbPublicKey* data_key;
- VbPrivateKey* signing_key;
+ VbPrivateKey* signing_key = NULL;
VbKeyBlockHeader* block;
if (!outfile) {
- fprintf(stderr, "vbutil_keyblock: Must specify output filename\n");
+ fprintf(stderr, "vbutil_keyblock: Must specify output filename.\n");
return 1;
}
- if (!datapubkey || !signprivate) {
- fprintf(stderr, "vbutil_keyblock: Must specify all keys\n");
+ if (!datapubkey) {
+ fprintf(stderr, "vbutil_keyblock: Must specify data public key.\n");
return 1;
}
@@ -82,15 +85,19 @@ static int Pack(const char* outfile, const char* datapubkey,
fprintf(stderr, "vbutil_keyblock: Error reading data key.\n");
return 1;
}
- signing_key = PrivateKeyRead(signprivate);
- if (!signing_key) {
- fprintf(stderr, "vbutil_keyblock: Error reading signing key.\n");
- return 1;
+
+ if (signprivate) {
+ signing_key = PrivateKeyRead(signprivate);
+ if (!signing_key) {
+ fprintf(stderr, "vbutil_keyblock: Error reading signing key.\n");
+ return 1;
+ }
}
block = KeyBlockCreate(data_key, signing_key, flags);
Free(data_key);
- Free(signing_key);
+ if (signing_key)
+ Free(signing_key);
if (0 != KeyBlockWrite(outfile, block)) {
fprintf(stderr, "vbutil_keyblock: Error writing key block.\n");
@@ -104,17 +111,11 @@ static int Pack(const char* outfile, const char* datapubkey,
static int Unpack(const char* infile, const char* datapubkey,
const char* signpubkey) {
VbPublicKey* data_key;
- VbPublicKey* sign_key;
+ VbPublicKey* sign_key = NULL;
VbKeyBlockHeader* block;
- if (!infile || !signpubkey) {
- fprintf(stderr, "vbutil_keyblock: Must specify filename and signpubkey\n");
- return 1;
- }
-
- sign_key = PublicKeyRead(signpubkey);
- if (!sign_key) {
- fprintf(stderr, "vbutil_keyblock: Error reading signpubkey.\n");
+ if (!infile) {
+ fprintf(stderr, "vbutil_keyblock: Must specify filename\n");
return 1;
}
@@ -123,27 +124,48 @@ static int Unpack(const char* infile, const char* datapubkey,
fprintf(stderr, "vbutil_keyblock: Error reading key block.\n");
return 1;
}
- /* Verify the block with the signing public key, since
- * KeyBlockRead() only verified the hash. */
- /* TODO: should just print a warning, since self-signed key blocks
- * won't have a public key; signpubkey should also be an optional
- * argument. */
- if (0 != KeyBlockVerify(block, block->key_block_size, sign_key)) {
- fprintf(stderr, "vbutil_keyblock: Error verifying key block.\n");
- return 1;
+
+ /* If the block is signed, then verify it with the signing public key, since
+ KeyBlockRead() only verified the hash. */
+ if (block->key_block_signature.sig_size) {
+ if (!signpubkey) {
+ fprintf(stderr,
+ "vbutil_keyblock: keyblock requires public key to verify\n");
+ return 1;
+ }
+ sign_key = PublicKeyRead(signpubkey);
+ if (!sign_key) {
+ fprintf(stderr, "vbutil_keyblock: Error reading signpubkey.\n");
+ return 1;
+ }
+ if (0 != KeyBlockVerify(block, block->key_block_size, sign_key)) {
+ fprintf(stderr, "vbutil_keyblock: Error verifying key block.\n");
+ return 1;
+ }
+ printf("Signature algorithm: %" PRIu64 " %s\n", sign_key->algorithm,
+ (sign_key->algorithm < kNumAlgorithms ?
+ algo_strings[sign_key->algorithm] : "(invalid)"));
+ Free(sign_key);
+ } else {
+ printf("Signature Algorithm: <none>\n");
}
- Free(sign_key);
- printf("Key block file: %s\n", infile);
- printf("Flags: %" PRIu64 "\n", block->key_block_flags);
+ printf("Key block file: %s\n", infile);
+ printf("Flags: %" PRIu64 "\n", block->key_block_flags);
data_key = &block->data_key;
- printf("Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm,
+ printf("Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm,
(data_key->algorithm < kNumAlgorithms ?
algo_strings[data_key->algorithm] : "(invalid)"));
- printf("Data key version: %" PRIu64 "\n", data_key->key_version);
+ printf("Data key version: %" PRIu64 "\n", data_key->key_version);
- /* TODO: write key data, if output file specified */
+ if (datapubkey) {
+ if (0 != PublicKeyWrite(datapubkey, data_key)) {
+ fprintf(stderr,
+ "vbutil_keyblock: unable to write public key\n");
+ return 1;
+ }
+ }
Free(block);
return 0;
« no previous file with comments | « utility/vbutil_kernel.c ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698