picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

homed: split out code that determines suitable LUKS passphrase size from RSA key 

We can use this in cryptenroll later on, hence let's make this generic.
This commit is contained in:
Lennart Poettering 2020-11-24 15:29:03 +01:00
parent 2289a78473
commit d041e4fc4a
3 changed files with 41 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/home/homectl-pkcs11.c
View File

@ -148,8 +148,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
size_t decrypted_key_size, encrypted_key_size;
_cleanup_(X509_freep) X509 *cert = NULL;
EVP_PKEY *pkey;
int bits, r;
RSA *rsa;
int r;
assert(v);
@ -161,22 +160,9 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) {
if (!pkey)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate.");
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
rsa = EVP_PKEY_get0_RSA(pkey);
if (!rsa)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
bits = RSA_bits(rsa);
log_debug("Bits in RSA key: %i", bits);
/* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
* generate a random key half the size of the RSA length */
decrypted_key_size = bits / 8 / 2;
if (decrypted_key_size < 1)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Uh, RSA key size too short?");
r = rsa_pkey_to_suitable_key_size(pkey, &decrypted_key_size);
if (r < 0)
return log_error_errno(r, "Failed to extract RSA key size from X509 certificate.");
log_debug("Generating %zu bytes random key.", decrypted_key_size);

35
src/shared/openssl-util.c
View File

@ -38,4 +38,39 @@ int rsa_encrypt_bytes(
return 0;
}
int rsa_pkey_to_suitable_key_size(
EVP_PKEY *pkey,
size_t *ret_suitable_key_size) {
size_t suitable_key_size;
RSA *rsa;
int bits;
assert_se(pkey);
assert_se(ret_suitable_key_size);
/* Analyzes the specified public key and that it is RSA. If so, will return a suitable size for a
* disk encryption key to encrypt with RSA for use in PKCS#11 security token schemes. */
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_RSA)
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "X.509 certificate does not refer to RSA key.");
rsa = EVP_PKEY_get0_RSA(pkey);
if (!rsa)
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Failed to acquire RSA public key from X.509 certificate.");
bits = RSA_bits(rsa);
log_debug("Bits in RSA key: %i", bits);
/* We use PKCS#1 padding for the RSA cleartext, hence let's leave some extra space for it, hence only
* generate a random key half the size of the RSA length */
suitable_key_size = bits / 8 / 2;
if (suitable_key_size < 1)
return log_debug_errno(SYNTHETIC_ERRNO(EIO), "Uh, RSA key size too short?");
*ret_suitable_key_size = suitable_key_size;
return 0;
}
#endif

2
src/shared/openssl-util.h
View File

@ -13,4 +13,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free);
int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
int rsa_pkey_to_suitable_key_size(EVP_PKEY *pkey, size_t *ret_suitable_key_size);
#endif