Commit c72d37f3 authored by Ondřej Surý's avatar Ondřej Surý

Merge branch 'ondrej/remove-OpenSSL-engine-specification-in-label' into 'master'

Cleanup support for specifying PKCS#11 engine as part of the label

See merge request !2943
parents 497c7977 33fa3d5e
Pipeline #33584 failed with stages
in 46 minutes and 48 seconds
......@@ -173,9 +173,7 @@
<para>
When <acronym>BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<replaceable>keylabel</replaceable>".
identifies a particular key.
</para>
<para>
When <acronym>BIND</acronym> 9 is built with native PKCS#11
......
......@@ -1024,58 +1024,52 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
isc_result_t ret;
EVP_PKEY *pkey = NULL;
RSA *rsa = NULL, *pubrsa = NULL;
char *colon, *tmpengine = NULL;
const BIGNUM *ex = NULL;
UNUSED(pin);
if (engine == NULL) {
if (strchr(label, ':') == NULL)
DST_RET(DST_R_NOENGINE);
tmpengine = isc_mem_strdup(key->mctx, label);
colon = strchr(tmpengine, ':');
INSIST(colon != NULL);
*colon = '\0';
DST_RET(DST_R_NOENGINE);
}
e = dst__openssl_getengine(engine);
if (e == NULL)
if (e == NULL) {
DST_RET(DST_R_NOENGINE);
}
pkey = ENGINE_load_public_key(e, label, NULL, NULL);
if (pkey != NULL) {
pubrsa = EVP_PKEY_get1_RSA(pkey);
EVP_PKEY_free(pkey);
if (pubrsa == NULL)
if (pubrsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
}
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL)
if (pkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
ISC_R_NOTFOUND));
if (tmpengine != NULL) {
key->engine = tmpengine;
tmpengine = NULL;
} else {
key->engine = isc_mem_strdup(key->mctx, engine);
}
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL)
if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS)
}
if (rsa_check(rsa, pubrsa) != ISC_R_SUCCESS) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
RSA_get0_key(rsa, NULL, &ex, NULL);
if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS)
if (BN_num_bits(ex) > RSA_MAX_PUBEXP_BITS) {
DST_RET(ISC_R_RANGE);
if (pubrsa != NULL)
}
if (pubrsa != NULL) {
RSA_free(pubrsa);
}
key->key_size = EVP_PKEY_bits(pkey);
key->keydata.pkey = pkey;
RSA_free(rsa);
return (ISC_R_SUCCESS);
err:
if (tmpengine != NULL)
isc_mem_free(key->mctx, tmpengine);
if (rsa != NULL)
RSA_free(rsa);
if (pubrsa != NULL)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment