openssl-util: Set expected object type to private keys

Configures the store to only try to fetch private keys and nothing else.
author: Daan De Meyer <daan.j.demeyer@gmail.com> 2024-11-06 18:07:11 +0100
committer: Daan De Meyer <daan.j.demeyer@gmail.com> 2024-11-07 20:24:59 +0100
commit: 5619a61829fa50063f53fe3d406683faf8f43900 (patch)
tree: d1ba9042cd4cb27911916126236dd2e9ae04821d /src/shared
parent: bootctl: Validate private key path (diff)
download: systemd-5619a61829fa50063f53fe3d406683faf8f43900.tar.xz
systemd-5619a61829fa50063f53fe3d406683faf8f43900.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index 5688d54114..914f30989b 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -1340,6 +1340,9 @@ static int load_key_from_provider(
         if (!store)
                 return log_openssl_errors("Failed to open OpenSSL store via '%s'", private_key_uri);
 
+        if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) == 0)
+                return log_openssl_errors("Failed to filter store by private keys");
+
         _cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
         if (!info)
                 return log_openssl_errors("Failed to load OpenSSL store via '%s'", private_key_uri);
author	Daan De Meyer <daan.j.demeyer@gmail.com>	2024-11-06 18:07:11 +0100
committer	Daan De Meyer <daan.j.demeyer@gmail.com>	2024-11-07 20:24:59 +0100
commit	5619a61829fa50063f53fe3d406683faf8f43900 (patch)
tree	d1ba9042cd4cb27911916126236dd2e9ae04821d /src/shared
parent	bootctl: Validate private key path (diff)
download	systemd-5619a61829fa50063f53fe3d406683faf8f43900.tar.xz systemd-5619a61829fa50063f53fe3d406683faf8f43900.zip