Message ID | 9166086c-fced-fe3e-fb59-5ab17a6e1a94@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | Support pkcs11 URIs for sslkey and sslcert strings | expand |
On 07.02.23 15:41, Matt Wood wrote: > Parse sslkey and sslcert strings and set the curl ssl engine, > key type, and certtype if a valid pcks11 URI is found. This can be used > for Secure Elements or HSMs holding keys and certificates. > > Signed-off-by: Matt Wood <matt.wood@microchip.com> > --- > corelib/channel_curl.c | 34 +++++++++++++++++++++++++++++ > examples/configuration/swupdate.cfg | 6 +++-- > 2 files changed, 38 insertions(+), 2 deletions(-) > > diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c > index 0435f15..c2d1f1a 100644 > --- a/corelib/channel_curl.c > +++ b/corelib/channel_curl.c > @@ -607,6 +607,40 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da > goto cleanup; > } > > + /* Check if sslkey or sslcert strings contains a pkcs11 URI > + * and set curl engine and types accordingly > + */ > + int keyUri = strncasecmp(channel_data->sslkey, "pkcs11:", 7); > + int certUri = strncasecmp(channel_data->sslcert, "pkcs11:", 7); > + > + if ((keyUri == 0) || (certUri == 0)) { > + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLENGINE, "pkcs11"); > + > + if (result != CURLE_OK) { > + ERROR("Error %d setting CURLOPT_SSLENGINE", result); > + result = CHANNEL_EINIT; > + goto cleanup; > + } > + > + if (keyUri == 0) { > + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEYTYPE, "ENG"); > + if (result != CURLE_OK) { > + ERROR("Error %d setting CURLOPT_SSLKEYTYPE", result); > + result = CHANNEL_EINIT; > + goto cleanup; > + } > + } > + > + if (certUri == 0) { > + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLCERTTYPE, "ENG"); > + if (result != CURLE_OK) { > + ERROR("Error %d setting CURLOPT_SSLCERTTYPE", result); > + result = CHANNEL_EINIT; > + goto cleanup; > + } > + } > + } > + > /* Only use cafile when set, otherwise let curl use > * the default system location for cacert bundle > */ > diff --git a/examples/configuration/swupdate.cfg b/examples/configuration/swupdate.cfg > index db63110..d8677a5 100644 > --- a/examples/configuration/swupdate.cfg > +++ b/examples/configuration/swupdate.cfg > @@ -161,9 +161,11 @@ identify : ( > # cafile : string > # File with Public Certificate Authority > # sslkey : string > -# path of the file containing the key for ssl connection > +# path of the file containing the key for SSL connection or pkcs11 URI > +# (ex. "pkcs11:model=ATECC608B;token=0ABC;serial=0123456789abcdef;object=device;type=private") > # sslcert : string > -# path of the file containing the certificate for SSL connection > +# path of the file containing the certificate for SSL connection or pkcs11 URI > + (ex. "pkcs11:model=ATECC608B;token=0ABC;serial=0123456789abcdef;object=device;type=cert") > # targettoken : string > # hawkBit target security token > # gatewaytoken : string Applied to -master, thanks ! Best regards, Stefano Babic
Hi, > On 07.02.23 15:41, Matt Wood wrote: > > Parse sslkey and sslcert strings and set the curl ssl engine, > > key type, and certtype if a valid pcks11 URI is found. This can be used > > for Secure Elements or HSMs holding keys and certificates. > > > > Signed-off-by: Matt Wood <matt.wood@microchip.com> > > --- > > corelib/channel_curl.c | 34 +++++++++++++++++++++++++++++ > > examples/configuration/swupdate.cfg | 6 +++-- > > 2 files changed, 38 insertions(+), 2 deletions(-) > > > > diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c > > index 0435f15..c2d1f1a 100644 > > --- a/corelib/channel_curl.c > > +++ b/corelib/channel_curl.c > > @@ -607,6 +607,40 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da > > goto cleanup; > > } > > + /* Check if sslkey or sslcert strings contains a pkcs11 URI > > + * and set curl engine and types accordingly > > + */ > > + int keyUri = strncasecmp(channel_data->sslkey, "pkcs11:", 7); > > + int certUri = strncasecmp(channel_data->sslcert, "pkcs11:", 7); It seems that here's a NULL check missing as SWUpdate SEGV-crashes if channel_data->sslkey is NULL. Same is probably true for channel_data->sslcert. libcurl handles this more gracefully a few lines above this change, (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEY, channel_data->sslkey) != CURLE_OK) || doesn't SEGV. Kind regards, Christian
On 17.02.23 15:21, Christian Storm wrote: > Hi, > >> On 07.02.23 15:41, Matt Wood wrote: >>> Parse sslkey and sslcert strings and set the curl ssl engine, >>> key type, and certtype if a valid pcks11 URI is found. This can be used >>> for Secure Elements or HSMs holding keys and certificates. >>> >>> Signed-off-by: Matt Wood <matt.wood@microchip.com> >>> --- >>> corelib/channel_curl.c | 34 +++++++++++++++++++++++++++++ >>> examples/configuration/swupdate.cfg | 6 +++-- >>> 2 files changed, 38 insertions(+), 2 deletions(-) >>> >>> diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c >>> index 0435f15..c2d1f1a 100644 >>> --- a/corelib/channel_curl.c >>> +++ b/corelib/channel_curl.c >>> @@ -607,6 +607,40 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da >>> goto cleanup; >>> } >>> + /* Check if sslkey or sslcert strings contains a pkcs11 URI >>> + * and set curl engine and types accordingly >>> + */ >>> + int keyUri = strncasecmp(channel_data->sslkey, "pkcs11:", 7); >>> + int certUri = strncasecmp(channel_data->sslcert, "pkcs11:", 7); > > It seems that here's a NULL check missing as SWUpdate SEGV-crashes > if channel_data->sslkey is NULL. > Same is probably true for channel_data->sslcert. > > libcurl handles this more gracefully a few lines above this change, > (curl_easy_setopt(channel_curl->handle, > CURLOPT_SSLKEY, > channel_data->sslkey) != CURLE_OK) || > doesn't SEGV. Thanks, I send a patch. Regards, Stefano > > > Kind regards, > Christian >
diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c index 0435f15..c2d1f1a 100644 --- a/corelib/channel_curl.c +++ b/corelib/channel_curl.c @@ -607,6 +607,40 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da goto cleanup; } + /* Check if sslkey or sslcert strings contains a pkcs11 URI + * and set curl engine and types accordingly + */ + int keyUri = strncasecmp(channel_data->sslkey, "pkcs11:", 7); + int certUri = strncasecmp(channel_data->sslcert, "pkcs11:", 7); + + if ((keyUri == 0) || (certUri == 0)) { + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLENGINE, "pkcs11"); + + if (result != CURLE_OK) { + ERROR("Error %d setting CURLOPT_SSLENGINE", result); + result = CHANNEL_EINIT; + goto cleanup; + } + + if (keyUri == 0) { + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEYTYPE, "ENG"); + if (result != CURLE_OK) { + ERROR("Error %d setting CURLOPT_SSLKEYTYPE", result); + result = CHANNEL_EINIT; + goto cleanup; + } + } + + if (certUri == 0) { + result = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLCERTTYPE, "ENG"); + if (result != CURLE_OK) { + ERROR("Error %d setting CURLOPT_SSLCERTTYPE", result); + result = CHANNEL_EINIT; + goto cleanup; + } + } + } + /* Only use cafile when set, otherwise let curl use * the default system location for cacert bundle */ diff --git a/examples/configuration/swupdate.cfg b/examples/configuration/swupdate.cfg index db63110..d8677a5 100644 --- a/examples/configuration/swupdate.cfg +++ b/examples/configuration/swupdate.cfg @@ -161,9 +161,11 @@ identify : ( # cafile : string # File with Public Certificate Authority # sslkey : string -# path of the file containing the key for ssl connection +# path of the file containing the key for SSL connection or pkcs11 URI +# (ex. "pkcs11:model=ATECC608B;token=0ABC;serial=0123456789abcdef;object=device;type=private") # sslcert : string -# path of the file containing the certificate for SSL connection +# path of the file containing the certificate for SSL connection or pkcs11 URI + (ex. "pkcs11:model=ATECC608B;token=0ABC;serial=0123456789abcdef;object=device;type=cert") # targettoken : string # hawkBit target security token # gatewaytoken : string
Parse sslkey and sslcert strings and set the curl ssl engine, key type, and certtype if a valid pcks11 URI is found. This can be used for Secure Elements or HSMs holding keys and certificates. Signed-off-by: Matt Wood <matt.wood@microchip.com> --- corelib/channel_curl.c | 34 +++++++++++++++++++++++++++++ examples/configuration/swupdate.cfg | 6 +++-- 2 files changed, 38 insertions(+), 2 deletions(-)