mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-29 13:53:33 +00:00
x509: Add support for parsing x509 certs with ECDSA keys
Add support for parsing of x509 certificates that contain ECDSA keys, such as NIST P256, that have been signed by a CA using any of the current SHA hash algorithms. Cc: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
parent
d1a303e861
commit
299f561a66
4 changed files with 41 additions and 3 deletions
|
@ -14,6 +14,7 @@
|
||||||
#include <linux/slab.h>
|
#include <linux/slab.h>
|
||||||
#include <linux/seq_file.h>
|
#include <linux/seq_file.h>
|
||||||
#include <linux/scatterlist.h>
|
#include <linux/scatterlist.h>
|
||||||
|
#include <linux/asn1.h>
|
||||||
#include <keys/asymmetric-subtype.h>
|
#include <keys/asymmetric-subtype.h>
|
||||||
#include <crypto/public_key.h>
|
#include <crypto/public_key.h>
|
||||||
#include <crypto/akcipher.h>
|
#include <crypto/akcipher.h>
|
||||||
|
@ -85,7 +86,8 @@ int software_key_determine_akcipher(const char *encoding,
|
||||||
return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
|
return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strcmp(encoding, "raw") == 0) {
|
if (strcmp(encoding, "raw") == 0 ||
|
||||||
|
strcmp(encoding, "x962") == 0) {
|
||||||
strcpy(alg_name, pkey->pkey_algo);
|
strcpy(alg_name, pkey->pkey_algo);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -227,6 +227,26 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
|
||||||
ctx->cert->sig->hash_algo = "sha224";
|
ctx->cert->sig->hash_algo = "sha224";
|
||||||
goto rsa_pkcs1;
|
goto rsa_pkcs1;
|
||||||
|
|
||||||
|
case OID_id_ecdsa_with_sha1:
|
||||||
|
ctx->cert->sig->hash_algo = "sha1";
|
||||||
|
goto ecdsa;
|
||||||
|
|
||||||
|
case OID_id_ecdsa_with_sha224:
|
||||||
|
ctx->cert->sig->hash_algo = "sha224";
|
||||||
|
goto ecdsa;
|
||||||
|
|
||||||
|
case OID_id_ecdsa_with_sha256:
|
||||||
|
ctx->cert->sig->hash_algo = "sha256";
|
||||||
|
goto ecdsa;
|
||||||
|
|
||||||
|
case OID_id_ecdsa_with_sha384:
|
||||||
|
ctx->cert->sig->hash_algo = "sha384";
|
||||||
|
goto ecdsa;
|
||||||
|
|
||||||
|
case OID_id_ecdsa_with_sha512:
|
||||||
|
ctx->cert->sig->hash_algo = "sha512";
|
||||||
|
goto ecdsa;
|
||||||
|
|
||||||
case OID_gost2012Signature256:
|
case OID_gost2012Signature256:
|
||||||
ctx->cert->sig->hash_algo = "streebog256";
|
ctx->cert->sig->hash_algo = "streebog256";
|
||||||
goto ecrdsa;
|
goto ecrdsa;
|
||||||
|
@ -255,6 +275,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
|
||||||
ctx->cert->sig->encoding = "raw";
|
ctx->cert->sig->encoding = "raw";
|
||||||
ctx->algo_oid = ctx->last_oid;
|
ctx->algo_oid = ctx->last_oid;
|
||||||
return 0;
|
return 0;
|
||||||
|
ecdsa:
|
||||||
|
ctx->cert->sig->pkey_algo = "ecdsa";
|
||||||
|
ctx->cert->sig->encoding = "x962";
|
||||||
|
ctx->algo_oid = ctx->last_oid;
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -276,7 +301,8 @@ int x509_note_signature(void *context, size_t hdrlen,
|
||||||
|
|
||||||
if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||
|
if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||
|
||||||
strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||
|
strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||
|
||||||
strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) {
|
strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 ||
|
||||||
|
strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {
|
||||||
/* Discard the BIT STRING metadata */
|
/* Discard the BIT STRING metadata */
|
||||||
if (vlen < 1 || *(const u8 *)value != 0)
|
if (vlen < 1 || *(const u8 *)value != 0)
|
||||||
return -EBADMSG;
|
return -EBADMSG;
|
||||||
|
@ -478,6 +504,12 @@ int x509_extract_key_data(void *context, size_t hdrlen,
|
||||||
case OID_sm2:
|
case OID_sm2:
|
||||||
ctx->cert->pub->pkey_algo = "sm2";
|
ctx->cert->pub->pkey_algo = "sm2";
|
||||||
break;
|
break;
|
||||||
|
case OID_id_prime192v1:
|
||||||
|
ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
|
||||||
|
break;
|
||||||
|
case OID_id_prime256v1:
|
||||||
|
ctx->cert->pub->pkey_algo = "ecdsa-nist-p256";
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return -ENOPKG;
|
return -ENOPKG;
|
||||||
}
|
}
|
||||||
|
|
|
@ -129,7 +129,9 @@ int x509_check_for_self_signed(struct x509_certificate *cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = -EKEYREJECTED;
|
ret = -EKEYREJECTED;
|
||||||
if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
|
if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
|
||||||
|
(strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 ||
|
||||||
|
strcmp(cert->sig->pkey_algo, "ecdsa") != 0))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ret = public_key_verify_signature(cert->pub, cert->sig);
|
ret = public_key_verify_signature(cert->pub, cert->sig);
|
||||||
|
|
|
@ -20,6 +20,8 @@ enum OID {
|
||||||
OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
|
OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
|
||||||
OID_id_dsa, /* 1.2.840.10040.4.1 */
|
OID_id_dsa, /* 1.2.840.10040.4.1 */
|
||||||
OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
|
OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
|
||||||
|
OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */
|
||||||
|
OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */
|
||||||
OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
|
OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
|
||||||
OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */
|
OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */
|
||||||
OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */
|
OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */
|
||||||
|
|
Loading…
Reference in a new issue