scripts: Fix X.509 PEM support in sign-file
DER format works but it's easier if we can use PEM everywhere.
parent
7b9f22feef
commit
76de9f06e0
|
@ -15,6 +15,7 @@ linux (4.5-1~exp2) UNRELEASED; urgency=medium
|
|||
- debian/control: Add build-dependencies on libssl-dev, openssl
|
||||
- debian/copyright: Note that extract-cert and sign-file are under LGPL 2.1
|
||||
- linux-kbuild: Add extract-cert and sign-file programs
|
||||
- scripts: Fix X.509 PEM support in sign-file
|
||||
* certs: Set SYSTEM_TRUSTED_KEYS to my own personal certificate to support
|
||||
initial testing of signed modules
|
||||
|
||||
|
|
|
@ -0,0 +1,37 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Mon, 04 Apr 2016 12:53:35 +0100
|
||||
Subject: scripts: Fix X.509 PEM support in sign-file
|
||||
|
||||
sign-file originally required the X.509 certificate to be in DER
|
||||
format, but now has a fallback to PEM format. It expects BIO_reset()
|
||||
to return 1 on success, but:
|
||||
|
||||
BIO_reset() normally returns 1 for success and 0 or -1 for failure.
|
||||
File BIOs are an exception, they return 0 for success and -1 for
|
||||
failure.
|
||||
|
||||
BIO_reset() also prints accumulated error messages, which we don't
|
||||
want when we're about to try a fallback, so drain them first.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
--- a/scripts/sign-file.c
|
||||
+++ b/scripts/sign-file.c
|
||||
@@ -229,10 +229,14 @@ int main(int argc, char **argv)
|
||||
ERR(!b, "%s", x509_name);
|
||||
x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
|
||||
if (!x509) {
|
||||
- ERR(BIO_reset(b) != 1, "%s", x509_name);
|
||||
+ /*
|
||||
+ * We want to hold onto the error messages in case
|
||||
+ * it's neither valid DER or PEM, but BIO_reset() will
|
||||
+ * print them immediately so we can't.
|
||||
+ */
|
||||
+ drain_openssl_errors();
|
||||
+ ERR(BIO_reset(b) != 0, "%s", x509_name);
|
||||
x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
|
||||
- if (x509)
|
||||
- drain_openssl_errors();
|
||||
}
|
||||
BIO_free(b);
|
||||
ERR(!x509, "%s", x509_name);
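Review bot: The new check `ERR(BIO_reset(b) != 0, "%s", x509_name);` depends on the file-BIO return convention (0 on success, -1 on failure), but the comment added above it only explains the draining, so the reason for `!= 0` is recorded in the patch description alone. I would extend that comment with a line such as `File BIOs return 0 from BIO_reset() on success, unlike other BIO types.`, so that a later change to how `b` is created does not silently turn a successful rewind into a fatal error. The creation of `b` is outside the hunk, so this assumes it is a file BIO, as the description implies. Because the DER errors are drained before the fallback, a certificate that is neither DER nor PEM will be reported with the PEM parser's errors only, which is worth remembering when diagnosing a rejected signing certificate. The body of main() starts and ends outside the hunk.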
|
|
@ -133,3 +133,4 @@ bugfix/all/lockdep-add-missing-macros.patch
|
|||
bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
|
||||
bugfix/all/power-cpupower-fix-manpages-NAME.patch
|
||||
bugfix/all/tools-lib-traceevent-fix-use-of-uninitialized-variables.patch
|
||||
bugfix/all/scripts-fix-x.509-pem-support-in-sign-file.patch
|
||||
|
|