load container key from DER file [chromiumos/platform/imageloader : master]

19 views
Skip to first unread message

ChromeOS bot (Gerrit)

unread,
May 6, 2017, 10:56:01 PM5/6/17
to Mike Frysinger, ChromeOS Commit Bot, Greg Kerr, Eric Caruso

ChromeOS bot merged this change.

View Change

Approvals: Eric Caruso: Looks good to me, but someone else must approve Greg Kerr: Looks good to me, approved 
load container key from DER file

Since we're inserting the key into the rootfs in the DER format,
we can read it directly and avoid doing any parsing on it.

BUG=chromium:718184
TEST=mount_extension_image still works

Change-Id: If3b6ce915cfda58e5cddba113445324ec90bde5c
Reviewed-on: https://chromium-review.googlesource.com/497948
Commit-Ready: Mike Frysinger <vap...@chromium.org>
Tested-by: Mike Frysinger <vap...@chromium.org>
Reviewed-by: Greg Kerr <ker...@chromium.org>
Reviewed-by: Eric Caruso <ejca...@chromium.org>
---
M imageloader_main.cc
1 file changed, 10 insertions(+), 30 deletions(-)

diff --git a/imageloader_main.cc b/imageloader_main.cc
index 4b1b336..4791a1e 100644
--- a/imageloader_main.cc
+++ b/imageloader_main.cc
@@ -4,12 +4,11 @@
 
 #include <signal.h>
 
+#include <base/files/file_path.h>
+#include <base/files/file_util.h>
 #include <base/memory/ptr_util.h>
 #include <brillo/flag_helper.h>
 #include <brillo/syslog_logging.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
 
 #include "helper_process.h"
 #include "imageloader.h"
@@ -34,42 +33,23 @@
 constexpr char kMountPath[] = "/run/imageloader";
 // The location of the container public key.
 constexpr char kContainerPublicKeyPath[] =
-    "/usr/share/misc/oci-container-key-pub.pem";
-
-struct ScopedPubkeyCloser {
-  inline void operator()(EVP_PKEY* pubkey) {
-    if (pubkey)
-      EVP_PKEY_free(pubkey);
-  }
-};
-using ScopedPubkey = std::unique_ptr<EVP_PKEY, ScopedPubkeyCloser>;
+    "/usr/share/misc/oci-container-key-pub.der";
 
 bool LoadKeyFromFile(const std::string& file, std::vector<uint8_t>* key_out) {
   CHECK(key_out);
 
-  base::ScopedFILE key_file(fopen(file.c_str(), "r"));
-  if (!key_file) {
-    LOG(WARNING) << "Could not find key file " << file;
-    return false;
-  }
+  base::FilePath key_file(file);
+  std::string key_data;
 
-  ScopedPubkey pubkey(
-      PEM_read_PUBKEY(key_file.get(), nullptr, nullptr, nullptr));
-  if (!pubkey) {
-    LOG(WARNING) << "Key file " << file << " was not a public key";
-    return false;
-  }
-
-  uint8_t *der_key = nullptr;
-  int der_len = i2d_PUBKEY(pubkey.get(), &der_key);
-  if (der_len < 0) {
-    LOG(WARNING) << "Failed to export public key in DER format";
+  // The key should be pretty small.
+  if (!ReadFileToString(key_file, &key_data)) {
+    LOG(WARNING) << "Could not read key file " << key_file.value();
     return false;
   }
 
   key_out->clear();
-  key_out->insert(key_out->begin(), der_key, der_key + der_len);
-  OPENSSL_free(der_key);
+  key_out->insert(key_out->begin(), key_data.begin(), key_data.end());
+
   return true;
 }

To view, visit change 497948. To unsubscribe, visit settings.

Gerrit-Project: chromiumos/platform/imageloader
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: If3b6ce915cfda58e5cddba113445324ec90bde5c
Gerrit-Change-Number: 497948
Gerrit-PatchSet: 3
Gerrit-Owner: Mike Frysinger <vap...@chromium.org>
Gerrit-Reviewer: Eric Caruso <ejca...@chromium.org>
Gerrit-Reviewer: Greg Kerr <ker...@chromium.org>
Gerrit-Reviewer: Mike Frysinger <vap...@chromium.org>
Gerrit-CC: ChromeOS Commit Bot <chromeos-...@chromium.org>
Reply all
Reply to author
Forward
0 new messages