From aee5af8e4fe7908df90649eb699c3a1decf06b0c Mon Sep 17 00:00:00 2001
From: Yu Wu <wuyu@fb.com>
Date: Wed, 3 Nov 2021 23:13:15 -0700
Subject: [PATCH 1/2] rpmsign: Adopting PKCS#11 opaque keys support in
 libfsverity for fsverity signatures

---
 rpmsign.c            | 29 ++++++++++++++++++++----
 sign/rpmgensig.c     | 53 +++++++++++++++++++++++++++++++++++++++-----
 sign/rpmsignverity.c | 24 +++++++++++++-------
 sign/rpmsignverity.h |  9 +++++---
 4 files changed, 94 insertions(+), 21 deletions(-)

diff --git a/rpmsign.c b/rpmsign.c
index 12299379ce..63b8616382 100644
--- a/rpmsign.c
+++ b/rpmsign.c
@@ -24,6 +24,9 @@ static int fskpass = 0;
 static char * fileSigningKey = NULL;
 #endif
 #ifdef WITH_FSVERITY
+static char * pkcs11Engine = NULL;
+static char * pkcs11Module = NULL;
+static char * pkcs11KeyId = NULL;
 static char * fileSigningCert = NULL;
 static char * verityAlgorithm = NULL;
 #endif
@@ -59,6 +62,15 @@ static struct poptOption signOptsTable[] = {
     { "certpath", '\0', POPT_ARG_STRING, &fileSigningCert, 0,
 	N_("use file signing cert <cert>"),
 	N_("<cert>") },
+    { "pkcs11_engine", '\0', POPT_ARG_STRING, &pkcs11Engine, 0,
+	N_("use pkcs#11 token for fsverity signing key with openssl engine <pkcs11_engine>"),
+	N_("<pkcs11_engine>") },
+    { "pkcs11_module", '\0', POPT_ARG_STRING, &pkcs11Module, 0,
+	N_("use pkcs#11 token for fsverity signing key with openssl module <pkcs11_module>"),
+	N_("<pkcs11_module>") },
+    { "pkcs11_keyid", '\0', POPT_ARG_STRING, &pkcs11KeyId, 0,
+	N_("use pkcs#11 token for fsverity signing key with keyid <pkcs11_keyid>"),
+	N_("<pkcs11_keyid>") },
 #endif
 #if defined(WITH_IMAEVM) || defined(WITH_FSVERITY)
     { "fskpath", '\0', POPT_ARG_STRING, &fileSigningKey, 0,
@@ -139,6 +151,15 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
     }
 
 #ifdef WITH_FSVERITY
+    if (pkcs11Engine) {
+    rpmPushMacro(NULL, "_pkcs11_engine", NULL, pkcs11Engine, RMIL_GLOBAL);
+    }
+    if (pkcs11Module) {
+    rpmPushMacro(NULL, "_pkcs11_module", NULL, pkcs11Module, RMIL_GLOBAL);
+    }
+    if (pkcs11KeyId) {
+    rpmPushMacro(NULL, "_pkcs11_keyid", NULL, pkcs11KeyId, RMIL_GLOBAL);
+    }
     if (fileSigningCert) {
 	rpmPushMacro(NULL, "_file_signing_cert", NULL, fileSigningCert, RMIL_GLOBAL);
     }
@@ -149,9 +170,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
 
     if (flags_sign_files(sargs->signflags)) {
 	char *fileSigningKeyPassword = NULL;
-	char *key = rpmExpand("%{?_file_signing_key}", NULL);
-	if (rstreq(key, "")) {
-	    fprintf(stderr, _("You must set \"%%_file_signing_key\" in your macro file or on the command line with --fskpath\n"));
+	char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
+	if (rstreq(cert, "")) {
+	    fprintf(stderr, _("You must set \"%%_file_signing_cert\" in your macro file or on the command line with --certpath\n"));
 	    goto exit;
 	}
 
@@ -166,7 +187,7 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
 	    free(fileSigningKeyPassword);
 	}
 
-	free(key);
+	free(cert);
     }
 #endif
 
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index d8c84e9377..cb264679b6 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -461,15 +461,56 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
     rpmRC rc = RPMRC_OK;
     char *key = rpmExpand("%{?_file_signing_key}", NULL);
     char *keypass = rpmExpand("%{?_file_signing_key_password}", NULL);
+    char *pkcs11_engine = rpmExpand("%{?_pkcs11_engine}", NULL);
+    char *pkcs11_module = rpmExpand("%{?_pkcs11_module}", NULL);
+    char *pkcs11_keyid = rpmExpand("%{?_pkcs11_keyid}", NULL);
     char *cert = rpmExpand("%{?_file_signing_cert}", NULL);
     char *algorithm = rpmExpand("%{?_verity_algorithm}", NULL);
     uint16_t algo = 0;
 
+    if (rstreq(key, "")) {
+	free(key);
+	key = NULL;
+    }
+
+    if (rstreq(pkcs11_engine, "")) {
+	free(pkcs11_engine);
+	pkcs11_engine = NULL;
+    }
+
+    if (rstreq(pkcs11_module, "")) {
+	free(pkcs11_module);
+	pkcs11_module = NULL;
+    }
+
+    if (rstreq(pkcs11_keyid, "")) {
+	free(pkcs11_keyid);
+	pkcs11_keyid = NULL;
+    }
+
     if (rstreq(keypass, "")) {
 	free(keypass);
 	keypass = NULL;
     }
 
+    if (key) {
+        if (pkcs11_engine || pkcs11_module || pkcs11_keyid) {
+            rpmlog(
+                RPMLOG_ERR,
+                _("fsverity signatures require a key specified either by file or by PKCS#11 token, not both\n"));
+            rc = RPMRC_FAIL;
+            goto out;
+        }
+    } else {
+        if (!pkcs11_engine || !pkcs11_module) {
+            rpmlog(
+                RPMLOG_ERR,
+                _("fsverity signatures require both PKCS#11 engine and module to use PKCS#11 token\n"));
+            rc = RPMRC_FAIL;
+            goto out;
+        }
+    }
+
     if (algorithm && strlen(algorithm) > 0) {
 	    algo = libfsverity_find_hash_alg_by_name(algorithm);
 	    rpmlog(RPMLOG_DEBUG, _("Searching for algorithm %s got %i\n"),
@@ -481,16 +522,16 @@ static rpmRC includeVeritySignatures(FD_t fd, Header *sigp, Header *hdrp)
 		    goto out;
 	    }
     }
-    if (key && cert) {
-	    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass, cert, algo);
-    } else {
-	rpmlog(RPMLOG_ERR, _("fsverity signatures requires a key and a cert\n"));
-	rc = RPMRC_FAIL;
-    }
+
+    rc = rpmSignVerity(fd, *sigp, *hdrp, key, keypass,
+                pkcs11_engine, pkcs11_module, pkcs11_keyid, cert, algo);
 
  out:
     free(keypass);
     free(key);
+    free(pkcs11_engine);
+    free(pkcs11_module);
+    free(pkcs11_keyid);
     free(cert);
     return rc;
 #else
diff --git a/sign/rpmsignverity.c b/sign/rpmsignverity.c
index e6c830cdcb..b7924e7ad1 100644
--- a/sign/rpmsignverity.c
+++ b/sign/rpmsignverity.c
@@ -34,8 +34,9 @@ static int rpmVerityRead(void *opaque, void *buf, size_t size)
 	return retval;
 }
 
-static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
-			       char *keypass, char *cert, uint16_t algo)
+static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key, char *keypass,
+			    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
+			    char *cert, uint16_t algo)
 {
     struct libfsverity_merkle_tree_params params;
     struct libfsverity_signature_params sig_params;
@@ -76,6 +77,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
 
     memset(&sig_params, 0, sizeof(struct libfsverity_signature_params));
     sig_params.keyfile = key;
+    sig_params.pkcs11_engine = pkcs11_engine;
+    sig_params.pkcs11_module = pkcs11_module;
+    sig_params.pkcs11_keyid = pkcs11_keyid;
     sig_params.certfile = cert;
     if (libfsverity_sign_digest(digest, &sig_params, &sig, sig_size)) {
 	rpmlog(RPMLOG_DEBUG, _("failed to sign digest\n"));
@@ -94,8 +98,9 @@ static char *rpmVeritySignFile(rpmfi fi, size_t *sig_size, char *key,
     return sig_base64;
 }
 
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
-		    char *keypass, char *cert, uint16_t algo)
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
+	        char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
+	        char *cert, uint16_t algo)
 {
     int rc;
     FD_t gzdi;
@@ -125,6 +130,9 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
     }
 
     rpmlog(RPMLOG_DEBUG, _("key: %s\n"), key);
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_engine: %s\n"), pkcs11_engine);
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_module: %s\n"), pkcs11_module);
+    rpmlog(RPMLOG_DEBUG, _("pkcs11_keyid: %s\n"), pkcs11_keyid);
     rpmlog(RPMLOG_DEBUG, _("cert: %s\n"), cert);
 
     compr = headerGetString(h, RPMTAG_PAYLOADCOMPRESSOR);
@@ -164,16 +172,16 @@ rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
     while (rpmfiNext(fi) >= 0) {
 	idx = rpmfiFX(fi);
 
-	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, cert,
-					    algo);
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
+					    pkcs11_module, pkcs11_keyid, cert, algo);
     }
 
     while (rpmfiNext(hfi) >= 0) {
 	idx = rpmfiFX(hfi);
 	if (signatures[idx])
 	    continue;
-	signatures[idx] = rpmVeritySignFile(hfi, &sig_size, key, keypass, cert,
-					    algo);
+	signatures[idx] = rpmVeritySignFile(fi, &sig_size, key, keypass, pkcs11_engine,
+					    pkcs11_module, pkcs11_keyid, cert, algo);
     }
 
     rpmtdReset(&td);
diff --git a/sign/rpmsignverity.h b/sign/rpmsignverity.h
index d869e8d8e8..32d2d6359a 100644
--- a/sign/rpmsignverity.h
+++ b/sign/rpmsignverity.h
@@ -22,12 +22,15 @@ extern "C" {
  * @param h		package header
  * @param key		signing key
  * @param keypass	signing key password
+ * @param pkcs11_engine		PKCS#11 engine to use PKCS#11 token support for signing key
+ * @param pkcs11_module		PKCS#11 module to use PKCS#11 token support for signing key
+ * @param pkcs11_keyid		PKCS#11 key identifier
  * @param cert		signing cert
  * @return		RPMRC_OK on success
  */
-RPM_GNUC_INTERNAL
-rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key,
-		    char *keypass, char *cert, uint16_t algo);
+rpmRC rpmSignVerity(FD_t fd, Header sigh, Header h, char *key, char *keypass,
+		    char *pkcs11_engine, char *pkcs11_module, char *pkcs11_keyid,
+		    char *cert, uint16_t algo);
 
 #ifdef _cplusplus
 }