[crypto] Allow private key to be specified as a TLS connection parameter

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-28 18:42:53 +03:00 · 2020-12-15 16:11:34 +00:00
parent 6a8664d9ec
commit f43a8f8b9f
8 changed files with 103 additions and 21 deletions
--- a/src/crypto/certstore.c
+++ b/src/crypto/certstore.c
@@ -116,13 +116,13 @@ struct x509_certificate * certstore_find ( struct asn1_cursor *raw ) {
 * @v key		Private key
 * @ret cert		X.509 certificate, or NULL if not found
 */
-struct x509_certificate * certstore_find_key ( struct asn1_cursor *key ) {
+struct x509_certificate * certstore_find_key ( struct private_key *key ) {
 	struct x509_certificate *cert;

 	/* Search for certificate within store */
 	list_for_each_entry ( cert, &certstore.links, store.list ) {
 		if ( pubkey_match ( cert->signature_algorithm->pubkey,
-				    key->data, key->len,
+				    key->builder.data, key->builder.len,
 				    cert->subject.public_key.raw.data,
 				    cert->subject.public_key.raw.len ) == 0 )
 			return certstore_found ( cert );
--- a/src/crypto/privkey.c
+++ b/src/crypto/privkey.c
@@ -64,9 +64,12 @@ __asm__ ( ".section \".rodata\", \"a\", " PROGBITS "\n\t"
 	  ".previous\n\t" );

 /** Private key */
-struct asn1_cursor private_key = {
-	.data = private_key_data,
-	.len = ( ( size_t ) private_key_len ),
+struct private_key private_key = {
+	.refcnt = REF_INIT ( ref_no_free ),
+	.builder = {
+		.data = private_key_data,
+		.len = ( ( size_t ) private_key_len ),
+	},
 };

 /** Default private key */
@@ -83,6 +86,19 @@ static struct setting privkey_setting __setting ( SETTING_CRYPTO, privkey ) = {
 	.type = &setting_type_hex,
 };

+/**
+ * Free private key
+ *
+ * @v refcnt		Reference counter
+ */
+void privkey_free ( struct refcnt *refcnt ) {
+	struct private_key *key =
+		container_of ( refcnt, struct private_key, refcnt );
+
+	free ( key->builder.data );
+	free ( key );
+}
+
 /**
 * Apply private key configuration settings
 *
@@ -98,23 +114,24 @@ static int privkey_apply_settings ( void ) {
 	if ( ALLOW_KEY_OVERRIDE ) {

 		/* Restore default private key */
-		memcpy ( &private_key, &default_private_key,
-			 sizeof ( private_key ) );
+		memcpy ( &private_key.builder, &default_private_key,
+			 sizeof ( private_key.builder ) );

 		/* Fetch new private key, if any */
 		free ( key_data );
 		if ( ( len = fetch_raw_setting_copy ( NULL, &privkey_setting,
 						      &key_data ) ) >= 0 ) {
-			private_key.data = key_data;
-			private_key.len = len;
+			private_key.builder.data = key_data;
+			private_key.builder.len = len;
 		}
 	}

 	/* Debug */
-	if ( private_key.len ) {
+	if ( private_key.builder.len ) {
 		DBGC ( &private_key, "PRIVKEY using %s private key:\n",
 		       ( key_data ? "external" : "built-in" ) );
-		DBGC_HDA ( &private_key, 0, private_key.data, private_key.len );
+		DBGC_HDA ( &private_key, 0, private_key.builder.data,
+			   private_key.builder.len );
 	} else {
 		DBGC ( &private_key, "PRIVKEY has no private key\n" );
 	}