@@ -481,12 +481,11 @@ out:
return ok;
}
-/* Sign a file for fs-verity by computing its measurement, then signing it. */
-int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
- u32 block_size, u8 *salt, u32 salt_size,
- const char *keyfile, const char *certfile,
- struct fsverity_signed_digest **retdigest,
- u8 **sig, u32 *sig_size)
+/* Generate the fsverity digest computing its measurement. */
+int fsverity_cmd_gen_digest(char *filename,
+ const struct fsverity_hash_alg *hash_alg,
+ u32 block_size, u8 *salt, u32 salt_size,
+ struct fsverity_signed_digest **retdigest)
{
struct fsverity_signed_digest *digest = NULL;
int status;
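Review bot: The new header comment `/* Generate the fsverity digest computing its measurement. */` drops the contract a caller of fsverity_cmd_gen_digest needs: the function allocates the fsverity_signed_digest it hands back through retdigest (the xzalloc in the next hunk) and signals failure through its return value. A clearer comment would be `/* Compute a file's fs-verity measurement and return it in a newly allocated fsverity_signed_digest via *retdigest; the caller appears to be responsible for freeing it. */`, with the return convention spelled out (0 on success, the out_err status otherwise). The body of fsverity_cmd_gen_digest continues past the end of this hunk.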
@@ -499,13 +498,6 @@ int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
if (block_size == 0)
block_size = fsverity_get_default_block_size();
- if (keyfile == NULL) {
- status = -EINVAL;
- goto out;
- }
- if (certfile == NULL)
- certfile = keyfile;
-
digest = xzalloc(sizeof(*digest) + hash_alg->digest_size);
memcpy(digest->magic, "FSVerity", 8);
digest->digest_algorithm = cpu_to_le16(hash_alg - fsverity_hash_algs);
@@ -515,10 +507,6 @@ int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
salt, salt_size, digest->digest))
goto out_err;
- if (!sign_data(digest, sizeof(*digest) + hash_alg->digest_size,
- keyfile, certfile, hash_alg, sig, sig_size))
- goto out_err;
-
*retdigest = digest;
status = 0;
out:
@@ -529,3 +517,31 @@ out_err:
goto out;
}
+
+/* Sign a pre-generated fsverity_signed_digest structure */
+int fsverity_cmd_sign_digest(struct fsverity_signed_digest *digest,
+ const struct fsverity_hash_alg *hash_alg,
+ const char *keyfile, const char *certfile,
+ u8 **sig, u32 *sig_size)
+{
+ int status;
+
+ if (keyfile == NULL) {
+ status = -EINVAL;
+ goto out;
+ }
+ if (certfile == NULL)
+ certfile = keyfile;
+
+ if (!sign_data(digest, sizeof(*digest) + hash_alg->digest_size,
+ keyfile, certfile, hash_alg, sig, sig_size))
+ goto out_err;
+
+ status = 0;
+ out:
+ return status;
+
+ out_err:
+ status = 1;
+ goto out;
+}
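Review bot: fsverity_cmd_sign_digest trusts that hash_alg is the same algorithm the digest was built with: the length handed to sign_data is `sizeof(*digest) + hash_alg->digest_size`, but the buffer was sized by fsverity_cmd_gen_digest from its own hash_alg, and the digest records that choice in digest->digest_algorithm. A caller passing a different hash_alg with a larger digest_size makes sign_data read past the allocation, so check the pairing before signing, e.g. `if (le16_to_cpu(digest->digest_algorithm) != hash_alg - fsverity_hash_algs) { status = -EINVAL; goto out; }` right after the keyfile check. The function also returns three distinct values (0, -EINVAL, 1) with no comment saying so; the header comment should state that -EINVAL means a missing keyfile, 1 means sign_data failed, and who owns *sig on success.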
@@ -188,8 +188,12 @@ int wrap_cmd_sign(const struct fsverity_command *cmd, int argc, char *argv[])
if (argc != 2)
goto out_usage;
- status = fsverity_cmd_sign(argv[0], hash_alg, block_size, salt, salt_size,
- keyfile, certfile, &digest, &sig, &sig_size);
+ status = fsverity_cmd_gen_digest(argv[0], hash_alg, block_size,
+ salt, salt_size, &digest);
+ if (status)
+ goto out_usage;
+ status = fsverity_cmd_sign_digest(digest, hash_alg, keyfile, certfile,
+ &sig, &sig_size);
if (status == -EINVAL)
goto out_usage;
if (status != 0)
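Review bot: The added `if (status) goto out_usage;` after fsverity_cmd_gen_digest treats every failure of digest generation as a usage error, yet gen_digest can no longer return -EINVAL (the keyfile check moved into fsverity_cmd_sign_digest) and its remaining failure, status 1 from the measurement itself, is the same class of error the `if (status != 0)` branch at the end of the hunk routes elsewhere. That line should take the same destination as the later `status != 0` branch, i.e. `if (status != 0) goto <non-usage error exit>;`, whose target lies outside the hunk. Note also that a failing sign_digest now leaves the digest allocated by gen_digest in the caller's hands, whereas previously it was only returned on full success; it is worth confirming that wrap_cmd_sign's exit path frees it.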
@@ -26,10 +26,13 @@ u32 fsverity_get_default_block_size(void);
int fsverity_cmd_enable(char *filename, struct fsverity_enable_arg *arg);
int fsverity_cmd_measure(char *filename, struct fsverity_digest *d);
-int fsverity_cmd_sign(char *filename, const struct fsverity_hash_alg *hash_alg,
- u32 block_size, u8 *salt, u32 salt_size,
- const char *keyfile, const char *certfile,
- struct fsverity_signed_digest **retdigest,
- u8 **sig, u32 *sig_size);
+int fsverity_cmd_gen_digest(char *filename,
+ const struct fsverity_hash_alg *hash_alg,
+ u32 block_size, u8 *salt, u32 salt_size,
+ struct fsverity_signed_digest **retdigest);
+int fsverity_cmd_sign_digest(struct fsverity_signed_digest *digest,
+ const struct fsverity_hash_alg *hash_alg,
+ const char *keyfile, const char *certfile,
+ u8 **sig, u32 *sig_size);
#endif /* COMMANDS_H */
From: Jes Sorensen <jsorensen@fb.com> This splits cmd_sign() into a gen_digest() and a sign_digest() function, and fixes fsverity.c to use them appropriately. --- cmd_sign.c | 50 +++++++++++++++++++++++++++++++++----------------- fsverity.c | 8 ++++++-- fsverity.h | 13 ++++++++----- 3 files changed, 47 insertions(+), 24 deletions(-)