mkimage: use environment variable MKIMAGE_SIGN_PIN to set pin for OpenSSL Engine

This patch adds the possibility to pass the PIN the OpenSSL Engine
used during signing via the environment variable MKIMAGE_SIGN_PIN.
This follows the approach used during kernel module
signing ("KBUILD_SIGN_PIN") or UBIFS image
signing ("MKIMAGE_SIGN_PIN").

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

diff --git a/doc/uImage.FIT/signature.txt b/doc/uImage.FIT/signature.txt
index 7cb1c15e5e1586c561f6845fd5a81900a17b454e..61a72db3c74fb078237f46ab9ffcca92624373b5 100644 (file)
--- a/doc/uImage.FIT/signature.txt
+++ b/doc/uImage.FIT/signature.txt
@@ -533,8 +533,8 @@ Generic engine key ids:
 or
   "<key-name-hint>"
 
-As mkimage does not at this time support prompting for passwords HSM may need
-key preloading wrapper to be used when invoking mkimage.
+In order to set the pin in the HSM, an environment variable "MKIMAGE_SIGN_PIN"
+can be specified.
 
 The following examples use the Nitrokey Pro using pkcs11 engine. Instructions
 for other devices may vary.

diff --git a/lib/rsa/rsa-sign.c b/lib/rsa/rsa-sign.c
index c64deac31f4868912a7086c22cb776db375efd2e..085dc89bf7bb3d30a0de6e81d930f017b4ec019f 100644 (file)
--- a/lib/rsa/rsa-sign.c
+++ b/lib/rsa/rsa-sign.c
@@ -338,6 +338,7 @@ static int rsa_init(void)
 
 static int rsa_engine_init(const char *engine_id, ENGINE **pe)
 {
+       const char *key_pass;
        ENGINE *e;
        int ret;
 
@@ -362,10 +363,20 @@ static int rsa_engine_init(const char *engine_id, ENGINE **pe)
                goto err_set_rsa;
        }
 
+       key_pass = getenv("MKIMAGE_SIGN_PIN");
+       if (key_pass) {
+               if (!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)) {
+                       fprintf(stderr, "Couldn't set PIN\n");
+                       ret = -1;
+                       goto err_set_pin;
+               }
+       }
+
        *pe = e;
 
        return 0;
 
+err_set_pin:
 err_set_rsa:
        ENGINE_finish(e);
 err_engine_init: