swtpm_localca: Introduce --key as more generic alias for --ek
swtpm_localca may also receive the key parameters of other keys than
the ek, therefore introduce the --key alias for --ek and rename the
variable ekparams to key_params throughout the code.
Extend the man page to describe the --key option as an alias that
is to be used for other public key parameters than specifically those
of an ek.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/man/man8/swtpm_localca.pod b/man/man8/swtpm_localca.pod
index eeb4a5c..0db185d 100644
--- a/man/man8/swtpm_localca.pod
+++ b/man/man8/swtpm_localca.pod
@@ -49,11 +49,14 @@
The EK certificate is stored in this directory under the name
ek.cert and the platform certificate under the name platform.cert.
-=item B<--ek ek>
+=item B<--ek ek> or B<--key key>
This parameter indicates the modulus of the public key of the endorsement key
(EK). The public key is provided as a sequence of ASCII hex digits.
+The --key option is an alias for --ek and should be used if key parameters
+for another key than an endorsement key are passed.
+
In case ECC (elliptic curve crypography) keys are used, the parameter must
have the format --ek x=<hex digits>,y=<hex digits>,id=<curve id>. The
id=<curve id> part is optional and only necessary for ECC curves other
diff --git a/src/swtpm_localca/swtpm_localca.c b/src/swtpm_localca/swtpm_localca.c
index 48777e6..eb75b83 100644
--- a/src/swtpm_localca/swtpm_localca.c
+++ b/src/swtpm_localca/swtpm_localca.c
@@ -253,7 +253,7 @@
* This function returns 1 on error, 2 if the ECC parameters could be extracted
* and 0 if no parameters could be extracted (likely a modulus).
*/
-static gboolean extract_ecc_params(const gchar *ekparams, gchar **ecc_x, gchar **ecc_y, gchar **ecc_curveid)
+static gboolean extract_ecc_params(const gchar *key_params, gchar **ecc_x, gchar **ecc_y, gchar **ecc_curveid)
{
regmatch_t pmatch[5];
regex_t preg;
@@ -266,13 +266,13 @@
}
ret = 0;
- if (regexec(&preg, ekparams, 5, pmatch, 0) == 0) {
- *ecc_x = g_strndup(&ekparams[pmatch[1].rm_so],
+ if (regexec(&preg, key_params, 5, pmatch, 0) == 0) {
+ *ecc_x = g_strndup(&key_params[pmatch[1].rm_so],
pmatch[1].rm_eo - pmatch[1].rm_so);
- *ecc_y = g_strndup(&ekparams[pmatch[2].rm_so],
+ *ecc_y = g_strndup(&key_params[pmatch[2].rm_so],
pmatch[2].rm_eo - pmatch[2].rm_so);
if (pmatch[4].rm_so > 0 && pmatch[4].rm_eo > 0)
- *ecc_curveid = g_strndup(&ekparams[pmatch[4].rm_so],
+ *ecc_curveid = g_strndup(&key_params[pmatch[4].rm_so],
pmatch[4].rm_eo - pmatch[4].rm_so);
ret = 2;
}
@@ -326,7 +326,7 @@
/* Create a TPM 1.2 or TPM 2 EK or platform cert */
static int create_cert(unsigned long flags, const gchar *typ, const gchar *directory,
- gchar *ekparams, const gchar *vmid, gchar **tpm_spec_params,
+ gchar *key_params, const gchar *vmid, gchar **tpm_spec_params,
gchar **tpm_attr_params, const gchar *signkey,
const gchar *signkey_password, const gchar *issuercert,
const gchar *parentkey_password, gchar **swtpm_cert_env,
@@ -409,7 +409,7 @@
options = concat_arrays(options, (gchar *[]){"--decryption", NULL}, TRUE);
}
- switch (extract_ecc_params(ekparams, &ecc_x, &ecc_y, &ecc_curveid)) {
+ switch (extract_ecc_params(key_params, &ecc_x, &ecc_y, &ecc_curveid)) {
case 1:
goto error;
case 2:
@@ -428,7 +428,7 @@
break;
case 0:
keyparams = concat_arrays((gchar *[]){
- "--modulus", ekparams,
+ "--modulus", key_params,
NULL},
NULL, FALSE);
break;
@@ -540,6 +540,7 @@
"\n"
"--type type The type of certificate to create: 'ek' or 'platform'\n"
"--ek key-param The modulus of an RSA key or x=...,y=,... for an EC key\n"
+ "--key key-param Alias for --ek\n"
"--dir directory The directory to write the resulting certificate into\n"
"--vmid vmid The ID of the virtual machine\n"
"--optsfile file A file containing options to pass to swtpm_cert\n"
@@ -570,6 +571,7 @@
static const struct option long_options[] = {
{"type", required_argument, NULL, 't'},
{"ek", required_argument, NULL, 'e'},
+ {"key", required_argument, NULL, 'e'}, /* alias for --ek */
{"dir", required_argument, NULL, 'd'},
{"vmid", required_argument, NULL, 'v'},
{"optsfile", required_argument, NULL, 'o'},
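Review bot: The new `{"key", required_argument, NULL, 'e'}` entry makes `--key` and `--ek` indistinguishable to the parser, so a command line that passes both is accepted silently and the later one wins — the shared 'e' case (in the hunk further down) frees and re-duplicates key_params on every occurrence. If a caller mixes the two, for instance an EK modulus from a template and another key's parameters from a script, the wrong public key is certified with no diagnostic. Since key_params starts as an empty string and main already has an `error` label, a repeat could be rejected in that case with `if (*key_params) { fprintf(stderr, "--ek/--key may only be given once\n"); goto error; }` before the existing g_free, using the file's usual error-reporting helper if it has one; at minimum the last-wins behaviour should be documented in the man page. The long_options array continues past the end of this hunk.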
@@ -593,7 +595,7 @@
g_autofree gchar *configfile = NULL;
unsigned long flags = 0;
g_autofree gchar *typ =g_strdup("");
- g_autofree gchar *ekparams = g_strdup("");
+ g_autofree gchar *key_params = g_strdup("");
g_autofree gchar *directory = g_strdup("."); /* default to current directory */
g_autofree gchar *vmid = NULL;
g_autofree gchar *lockfile = NULL;
@@ -625,9 +627,9 @@
g_free(typ);
typ = g_strdup(optarg);
break;
- case 'e': /* --ek */
- g_free(ekparams);
- ekparams = g_strdup(optarg);
+ case 'e': /* --ek or --key */
+ g_free(key_params);
+ key_params = g_strdup(optarg);
break;
case 'd': /* --dir */
g_free(directory);
@@ -864,7 +866,7 @@
goto error;
}
- ret = create_cert(flags, typ, directory, ekparams, vmid, tpm_spec_params, tpm_attr_params,
+ ret = create_cert(flags, typ, directory, key_params, vmid, tpm_spec_params, tpm_attr_params,
signkey, signkey_password, issuercert, parentkey_password, swtpm_cert_env,
certserial, lockfile, optsfile);