| Index: utility/vbutil_keyblock.c
|
| diff --git a/utility/vbutil_keyblock.c b/utility/vbutil_keyblock.c
|
| index 7c3f027957ec984f7826e4afb9785c99097b4692..a540ab59d20d5885d2874526c75398ed2a064afc 100644
|
| --- a/utility/vbutil_keyblock.c
|
| +++ b/utility/vbutil_keyblock.c
|
| @@ -46,16 +46,19 @@ static int PrintHelp(char *progname) {
|
| "\n"
|
| "For '--pack <file>', required OPTIONS are:\n"
|
| " --datapubkey <file> Data public key in .vbpubk format\n"
|
| - " --signprivate <file>"
|
| - " Signing private key in .vbprivk format\n"
|
| "\n"
|
| "Optional OPTIONS are:\n"
|
| - " --flags <number> Flags\n"
|
| + " --signprivate <file>"
|
| + " Signing private key in .vbprivk format. Without this arg,\n"
|
| + " the keyblock will not be signed.\n"
|
| + " --flags <number> Specifies allowed use conditions.\n"
|
| "\n"
|
| - "For '--unpack <file>', required OPTIONS are:\n"
|
| - " --signpubkey <file> Signing public key in .vbpubk format\n"
|
| - "Optional OPTIONS are:\n"
|
| - " --datapubkey <file> Data public key output file\n",
|
| + "For '--unpack <file>', optional OPTIONS are:\n"
|
| + " --signpubkey <file>"
|
| + " Signing public key in .vbpubk format. This is required to\n"
|
| + " verify a signed keyblock.\n"
|
| + " --datapubkey <file>"
|
| + " Write the data public key to this file.\n",
|
| progname);
|
| return 1;
|
| }
|
| @@ -65,15 +68,15 @@ static int PrintHelp(char *progname) {
|
| static int Pack(const char* outfile, const char* datapubkey,
|
| const char* signprivate, uint64_t flags) {
|
| VbPublicKey* data_key;
|
| - VbPrivateKey* signing_key;
|
| + VbPrivateKey* signing_key = NULL;
|
| VbKeyBlockHeader* block;
|
|
|
| if (!outfile) {
|
| - fprintf(stderr, "vbutil_keyblock: Must specify output filename\n");
|
| + fprintf(stderr, "vbutil_keyblock: Must specify output filename.\n");
|
| return 1;
|
| }
|
| - if (!datapubkey || !signprivate) {
|
| - fprintf(stderr, "vbutil_keyblock: Must specify all keys\n");
|
| + if (!datapubkey) {
|
| + fprintf(stderr, "vbutil_keyblock: Must specify data public key.\n");
|
| return 1;
|
| }
|
|
|
| @@ -82,15 +85,19 @@ static int Pack(const char* outfile, const char* datapubkey,
|
| fprintf(stderr, "vbutil_keyblock: Error reading data key.\n");
|
| return 1;
|
| }
|
| - signing_key = PrivateKeyRead(signprivate);
|
| - if (!signing_key) {
|
| - fprintf(stderr, "vbutil_keyblock: Error reading signing key.\n");
|
| - return 1;
|
| +
|
| + if (signprivate) {
|
| + signing_key = PrivateKeyRead(signprivate);
|
| + if (!signing_key) {
|
| + fprintf(stderr, "vbutil_keyblock: Error reading signing key.\n");
|
| + return 1;
|
| + }
|
| }
|
|
|
| block = KeyBlockCreate(data_key, signing_key, flags);
|
| Free(data_key);
|
| - Free(signing_key);
|
| + if (signing_key)
|
| + Free(signing_key);
|
|
|
| if (0 != KeyBlockWrite(outfile, block)) {
|
| fprintf(stderr, "vbutil_keyblock: Error writing key block.\n");
|
| @@ -104,17 +111,11 @@ static int Pack(const char* outfile, const char* datapubkey,
|
| static int Unpack(const char* infile, const char* datapubkey,
|
| const char* signpubkey) {
|
| VbPublicKey* data_key;
|
| - VbPublicKey* sign_key;
|
| + VbPublicKey* sign_key = NULL;
|
| VbKeyBlockHeader* block;
|
|
|
| - if (!infile || !signpubkey) {
|
| - fprintf(stderr, "vbutil_keyblock: Must specify filename and signpubkey\n");
|
| - return 1;
|
| - }
|
| -
|
| - sign_key = PublicKeyRead(signpubkey);
|
| - if (!sign_key) {
|
| - fprintf(stderr, "vbutil_keyblock: Error reading signpubkey.\n");
|
| + if (!infile) {
|
| + fprintf(stderr, "vbutil_keyblock: Must specify filename\n");
|
| return 1;
|
| }
|
|
|
| @@ -123,27 +124,48 @@ static int Unpack(const char* infile, const char* datapubkey,
|
| fprintf(stderr, "vbutil_keyblock: Error reading key block.\n");
|
| return 1;
|
| }
|
| - /* Verify the block with the signing public key, since
|
| - * KeyBlockRead() only verified the hash. */
|
| - /* TODO: should just print a warning, since self-signed key blocks
|
| - * won't have a public key; signpubkey should also be an optional
|
| - * argument. */
|
| - if (0 != KeyBlockVerify(block, block->key_block_size, sign_key)) {
|
| - fprintf(stderr, "vbutil_keyblock: Error verifying key block.\n");
|
| - return 1;
|
| +
|
| + /* If the block is signed, then verify it with the signing public key, since
|
| + KeyBlockRead() only verified the hash. */
|
| + if (block->key_block_signature.sig_size) {
|
| + if (!signpubkey) {
|
| + fprintf(stderr,
|
| + "vbutil_keyblock: keyblock requires public key to verify\n");
|
| + return 1;
|
| + }
|
| + sign_key = PublicKeyRead(signpubkey);
|
| + if (!sign_key) {
|
| + fprintf(stderr, "vbutil_keyblock: Error reading signpubkey.\n");
|
| + return 1;
|
| + }
|
| + if (0 != KeyBlockVerify(block, block->key_block_size, sign_key)) {
|
| + fprintf(stderr, "vbutil_keyblock: Error verifying key block.\n");
|
| + return 1;
|
| + }
|
| + printf("Signature algorithm: %" PRIu64 " %s\n", sign_key->algorithm,
|
| + (sign_key->algorithm < kNumAlgorithms ?
|
| + algo_strings[sign_key->algorithm] : "(invalid)"));
|
| + Free(sign_key);
|
| + } else {
|
| + printf("Signature Algorithm: <none>\n");
|
| }
|
| - Free(sign_key);
|
|
|
| - printf("Key block file: %s\n", infile);
|
| - printf("Flags: %" PRIu64 "\n", block->key_block_flags);
|
| + printf("Key block file: %s\n", infile);
|
| + printf("Flags: %" PRIu64 "\n", block->key_block_flags);
|
|
|
| data_key = &block->data_key;
|
| - printf("Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm,
|
| + printf("Data key algorithm: %" PRIu64 " %s\n", data_key->algorithm,
|
| (data_key->algorithm < kNumAlgorithms ?
|
| algo_strings[data_key->algorithm] : "(invalid)"));
|
| - printf("Data key version: %" PRIu64 "\n", data_key->key_version);
|
| + printf("Data key version: %" PRIu64 "\n", data_key->key_version);
|
|
|
| - /* TODO: write key data, if output file specified */
|
| + if (datapubkey) {
|
| + if (0 != PublicKeyWrite(datapubkey, data_key)) {
|
| + fprintf(stderr,
|
| + "vbutil_keyblock: unable to write public key\n");
|
| + return 1;
|
| + }
|
| + }
|
|
|
| Free(block);
|
| return 0;
|
|
|
Chromium Code Reviews
Issue 3124004:
Changes to allow user-signed kernels to be generated. (Closed)
Base URL: ssh://gitrw.chromium.org/vboot_reference.git