Commit 299f561a authored by Stefan Berger's avatar Stefan Berger Committed by Herbert Xu
Browse files

x509: Add support for parsing x509 certs with ECDSA keys 



Add support for parsing of x509 certificates that contain ECDSA keys,
such as NIST P256, that have been signed by a CA using any of the
current SHA hash algorithms.

Cc: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org
Signed-off-by: default avatarStefan Berger <stefanb@linux.ibm.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent d1a303e8

crypto/asymmetric_keys/public_key.c

+3 −1
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ 
#include <linux/slab.h>

#include <linux/seq_file.h>

#include <linux/scatterlist.h>

#include <linux/asn1.h>

#include <keys/asymmetric-subtype.h>

#include <crypto/public_key.h>

#include <crypto/akcipher.h>
@@ -85,7 +86,8 @@ int software_key_determine_akcipher(const char *encoding, 
		return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;

	}



	if (strcmp(encoding, "raw") == 0) {

	if (strcmp(encoding, "raw") == 0 ||

	    strcmp(encoding, "x962") == 0) {

		strcpy(alg_name, pkey->pkey_algo);

		return 0;

	}

crypto/asymmetric_keys/x509_cert_parser.c

+33 −1
Original line number Diff line number Diff line
@@ -227,6 +227,26 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, 
		ctx->cert->sig->hash_algo = "sha224";

		goto rsa_pkcs1;



	case OID_id_ecdsa_with_sha1:

		ctx->cert->sig->hash_algo = "sha1";

		goto ecdsa;



	case OID_id_ecdsa_with_sha224:

		ctx->cert->sig->hash_algo = "sha224";

		goto ecdsa;



	case OID_id_ecdsa_with_sha256:

		ctx->cert->sig->hash_algo = "sha256";

		goto ecdsa;



	case OID_id_ecdsa_with_sha384:

		ctx->cert->sig->hash_algo = "sha384";

		goto ecdsa;



	case OID_id_ecdsa_with_sha512:

		ctx->cert->sig->hash_algo = "sha512";

		goto ecdsa;



	case OID_gost2012Signature256:

		ctx->cert->sig->hash_algo = "streebog256";

		goto ecrdsa;
@@ -255,6 +275,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, 
	ctx->cert->sig->encoding = "raw";

	ctx->algo_oid = ctx->last_oid;

	return 0;

ecdsa:

	ctx->cert->sig->pkey_algo = "ecdsa";

	ctx->cert->sig->encoding = "x962";

	ctx->algo_oid = ctx->last_oid;

	return 0;

}



/*
@@ -276,7 +301,8 @@ int x509_note_signature(void *context, size_t hdrlen, 


	if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||

	    strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||

	    strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) {

	    strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 ||

	    strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {

		/* Discard the BIT STRING metadata */

		if (vlen < 1 || *(const u8 *)value != 0)

			return -EBADMSG;
@@ -478,6 +504,12 @@ int x509_extract_key_data(void *context, size_t hdrlen, 
		case OID_sm2:

			ctx->cert->pub->pkey_algo = "sm2";

			break;

		case OID_id_prime192v1:

			ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";

			break;

		case OID_id_prime256v1:

			ctx->cert->pub->pkey_algo = "ecdsa-nist-p256";

			break;

		default:

			return -ENOPKG;

		}

crypto/asymmetric_keys/x509_public_key.c

+3 −1
Original line number Diff line number Diff line
@@ -129,7 +129,9 @@ int x509_check_for_self_signed(struct x509_certificate *cert) 
	}



	ret = -EKEYREJECTED;

	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)

	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&

	    (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 ||

	     strcmp(cert->sig->pkey_algo, "ecdsa") != 0))

		goto out;



	ret = public_key_verify_signature(cert->pub, cert->sig);

include/linux/oid_registry.h

+2 −0
Original line number Diff line number Diff line
@@ -20,6 +20,8 @@ enum OID { 
	OID_id_dsa_with_sha1,		/* 1.2.840.10030.4.3 */

	OID_id_dsa,			/* 1.2.840.10040.4.1 */

	OID_id_ecPublicKey,		/* 1.2.840.10045.2.1 */

	OID_id_prime192v1,		/* 1.2.840.10045.3.1.1 */

	OID_id_prime256v1,		/* 1.2.840.10045.3.1.7 */

	OID_id_ecdsa_with_sha1,		/* 1.2.840.10045.4.1 */

	OID_id_ecdsa_with_sha224,	/* 1.2.840.10045.4.3.1 */

	OID_id_ecdsa_with_sha256,	/* 1.2.840.10045.4.3.2 */