[PATCH 3/5] rsatoc: support extracting RSA public key from X.509 SPKI format

Ahmad Fatoum a.fatoum at pengutronix.de
Thu Sep 21 03:23:08 PDT 2023


In addition to PKCS#11 URIs, rsatoc supports extracting RSA public keys
out of X.509 PEM certificates, which is a base64-encoded format that begins
with the header `-----BEGIN CERTIFICATE-----'.

Another popular format for RSA public keys is the X.509 SPKI format,
which starts with the header `-----BEGIN PUBLIC KEY-----'. As public
keys are the only thing rsatoc is interested in, add support for the latter
as well.

Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 scripts/rsatoc.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/scripts/rsatoc.c b/scripts/rsatoc.c
index d7f6dad7f01e..f5b0ba27f9bc 100644
--- a/scripts/rsatoc.c
+++ b/scripts/rsatoc.c
@@ -58,17 +58,21 @@ static int rsa_pem_get_pub_key(const char *path, RSA **rsap)
 	/* Read the certificate */
 	cert = NULL;
 	if (!PEM_read_X509(f, &cert, NULL, NULL)) {
-		rsa_err("Couldn't read certificate");
-		ret = -EINVAL;
-		goto err_cert;
-	}
-
-	/* Get the public key from the certificate. */
-	key = X509_get_pubkey(cert);
-	if (!key) {
-		rsa_err("Couldn't read public key\n");
-		ret = -EINVAL;
-		goto err_pubkey;
+		rewind(f);
+		key = PEM_read_PUBKEY(f, NULL, NULL, NULL);
+		if (!key) {
+			rsa_err("Couldn't read certificate");
+			ret = -EINVAL;
+			goto err_cert;
+		}
+	} else {
+		/* Get the public key from the certificate. */
+		key = X509_get_pubkey(cert);
+		if (!key) {
+			rsa_err("Couldn't read public key\n");
+			ret = -EINVAL;
+			goto err_pubkey;
+		}
 	}
 
 	/* Convert to a RSA_style key. */
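Review bot: the fallback branch reports "Couldn't read certificate" after both the certificate and the `-----BEGIN PUBLIC KEY-----' parse have failed, so the message under-reports what was tried; something like "Couldn't read certificate or public key" would match the new behaviour. In the same branch, the failed PEM_read_X509() call leaves its own error on the OpenSSL error queue before PEM_read_PUBKEY() runs, so if rsa_err() dumps the queue, a stale "no start line" entry will be printed alongside (or instead of) the real reason; an ERR_clear_error() before the retry avoids that. Minor: the unchanged "/* Read the certificate */" comment above the hunk now describes only the first of the two formats accepted, and "Couldn't read certificate" vs. "Couldn't read public key\n" are inconsistent about the trailing newline.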
-- 
2.39.2