Add helper functions for x509 certificate which will be used in the next
patch for DIAG 320 subcode 2.
Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
---
crypto/x509-utils.c | 190 +++++++++++++++++++++++++++++++++++-
include/crypto/x509-utils.h | 63 ++++++++++++
qapi/crypto.json | 20 ++++
3 files changed, 272 insertions(+), 1 deletion(-)
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
index 7a7f12c111..dd8137210c 100644
--- a/crypto/x509-utils.c
+++ b/crypto/x509-utils.c
@@ -60,6 +60,14 @@ static const int
gnutls_to_qcrypto_sig_alg_map[QCRYPTO_SIG_ALGO__MAX] = {
[GNUTLS_SIGN_ECDSA_SHA512] = QCRYPTO_SIG_ALGO_ECDSA_SHA512,
};
+static const int gnutls_to_qcrypto_pk_alg_map[QCRYPTO_PK_ALGO__MAX] = {
+ [GNUTLS_PK_UNKNOWN] = QCRYPTO_PK_ALGO_UNKNOWN,
+ [GNUTLS_PK_RSA] = QCRYPTO_PK_ALGO_RSA,
+ [GNUTLS_PK_DSA] = QCRYPTO_PK_ALGO_DSA,
+ [GNUTLS_PK_DH] = QCRYPTO_PK_ALGO_DH,
+ [GNUTLS_PK_ECDSA] = QCRYPTO_PK_ALGO_ECDSA,
+};
+
int qcrypto_check_x509_cert_fmt(uint8_t *cert, size_t size,
QCryptoCertFmt fmt, Error **errp)
{
@@ -153,7 +161,7 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t
size,
gnutls_x509_crt_init(&crt);
- if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM) != 0) {
+ if (qcrypto_import_x509_cert(crt, &datum) != 0) {
error_setg(errp, "Failed to import certificate");
goto cleanup;
}
@@ -204,6 +212,158 @@ cleanup:
return rc;
}
+int qcrypto_get_x509_cert_version(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc = -1;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ if (gnutls_x509_crt_init(&crt) < 0) {
+ error_setg(errp, "Failed to initialize certificate");
+ return rc;
+ }
+
+ if (qcrypto_import_x509_cert(crt, &datum) != 0) {
+ error_setg(errp, "Failed to import certificate");
+ goto cleanup;
+ }
+
+ rc = gnutls_x509_crt_get_version(crt);
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return rc;
+}
+
+int qcrypto_check_x509_cert_times(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc = -1;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+ time_t now = time(0);
+ time_t exp_time;
+ time_t act_time;
+
+ if (now == ((time_t)-1)) {
+ error_setg_errno(errp, errno, "Cannot get current time");
+ return rc;
+ }
+
+ if (gnutls_x509_crt_init(&crt) < 0) {
+ error_setg(errp, "Failed to initialize certificate");
+ return rc;
+ }
+
+ if (qcrypto_import_x509_cert(crt, &datum) != 0) {
+ error_setg(errp, "Failed to import certificate");
+ goto cleanup;
+ }
+
+ exp_time = gnutls_x509_crt_get_expiration_time(crt);
+ if (exp_time == ((time_t)-1)) {
+ error_setg(errp, "Failed to get certificate expiration time");
+ goto cleanup;
+ }
+ if (exp_time < now) {
+ error_setg(errp, "The certificate has expired");
+ goto cleanup;
+ }
+
+ act_time = gnutls_x509_crt_get_activation_time(crt);
+ if (act_time == ((time_t)-1)) {
+ error_setg(errp, "Failed to get certificate activation time");
+ goto cleanup;
+ }
+ if (act_time > now) {
+ error_setg(errp, "The certificate is not yet active");
+ goto cleanup;
+ }
+
+ rc = 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return rc;
+}
+
+int qcrypto_get_x509_pk_algorithm(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc = -1;
+ unsigned int bits;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ if (gnutls_x509_crt_init(&crt) < 0) {
+ error_setg(errp, "Failed to initialize certificate");
+ return rc;
+ }
+
+ if (qcrypto_import_x509_cert(crt, &datum) != 0) {
+ error_setg(errp, "Failed to import certificate");
+ goto cleanup;
+ }
+
+ rc = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
+ rc = gnutls_to_qcrypto_pk_alg_map[rc];
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return rc;
+}
+
+int qcrypto_get_x509_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoKeyidFlags flag,
+ uint8_t *result,
+ size_t *resultlen,
+ Error **errp)
+{
+ int ret = -1;
+ int keyid_len;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ if (flag >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)) {
+ error_setg(errp, "Unknown key id flag");
+ return -1;
+ }
+
+ if (result == NULL) {
+ error_setg(errp, "No valid buffer given");
+ return -1;
+ }
+
+ if (gnutls_x509_crt_init(&crt)) {
+ error_setg(errp, "Failed to initialize certificate");
+ return -1;
+ }
+
+ if (qcrypto_import_x509_cert(crt, &datum) != 0) {
+ error_setg(errp, "Failed to import certificate");
+ goto cleanup;
+ }
+
+ keyid_len =
qcrypto_get_x509_keyid_len(qcrypto_to_gnutls_keyid_flags_map[flag]);
+ if (*resultlen < keyid_len) {
+ error_setg(errp,
+ "Result buffer size %zu is smaller than key id %d",
+ *resultlen, keyid_len);
+ goto cleanup;
+ }
+
+ if (gnutls_x509_crt_get_key_id(crt,
+ qcrypto_to_gnutls_keyid_flags_map[flag],
+ result, resultlen) != 0) {
+ error_setg(errp, "Failed to get fingerprint from certificate");
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return ret;
+}
+
#else /* ! CONFIG_GNUTLS */
int qcrypto_check_x509_cert_fmt(uint8_t *cert, size_t size,
@@ -239,4 +399,32 @@ int qcrypto_get_x509_signature_algorithm(uint8_t *cert,
size_t size, Error **err
return -ENOTSUP;
}
+int qcrypto_get_x509_cert_version(uint8_t *cert, size_t size, Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get certificate version");
+ return -ENOTSUP;
+}
+
+int qcrypto_check_x509_cert_times(uint8_t *cert, size_t size, Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get certificate times")
+ return -ENOTSUP;
+}
+
+int qcrypto_get_x509_pk_algorithm(uint8_t *cert, size_t size, Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get public key algorithm");
+ return -ENOTSUP;
+}
+
+int qcrypto_get_x509_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoKeyidFlags flag,
+ uint8_t *result,
+ size_t *resultlen,
+ Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get key ID");
+ return -ENOTSUP;
+}
+
#endif /* ! CONFIG_GNUTLS */
diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h
index d7be57c8ce..4a9941b33d 100644
--- a/include/crypto/x509-utils.h
+++ b/include/crypto/x509-utils.h
@@ -73,4 +73,67 @@ int qcrypto_get_x509_keyid_len(QCryptoKeyidFlags flag);
*/
int qcrypto_get_x509_signature_algorithm(uint8_t *cert, size_t size, Error
**errp);
+/**
+ * qcrypto_get_x509_cert_version
+ * @cert: pointer to the raw certiricate data
+ * @size: size of the certificate
+ * @errp: error pointer
+ *
+ * Determine the version of the @cert.
+ *
+ * Returns: version of certificate on success,
+ * negative error code on error,
+ * -ENOTSUP if GNUTLS is not enabled.
+ */
+int qcrypto_get_x509_cert_version(uint8_t *cert, size_t size, Error **errp);
+
+/**
+ * qcrypto_check_x509_cert_times
+ * @cert: pointer to the raw certiricate data
+ * @size: size of the certificate
+ * @errp: error pointer
+ *
+ * Check whether the @cert activation and expiration times are valid at the
current time.
+ *
+ * Returns: 0 if the certificate times are valid,
+ * -1 on error,
+ * -ENOTSUP if GNUTLS is not enabled.
+ */
+int qcrypto_check_x509_cert_times(uint8_t *cert, size_t size, Error **errp);
+
+/**
+ * qcrypto_get_x509_pk_algorithm
+ * @cert: pointer to the raw certiricate data
+ * @size: size of the certificate
+ * @errp: error pointer
+ *
+ * Determine the public key algorithm of the @cert.
+ *
+ * Returns: a value from the QCryptoPkAlgo enum on success,
+ * -1 on error,
+ * -ENOTSUP if GNUTLS is not enabled.
+ */
+int qcrypto_get_x509_pk_algorithm(uint8_t *cert, size_t size, Error **errp);
+
+/**
+ * qcrypto_get_x509_cert_key_id
+ * @cert: pointer to the raw certiricate data
+ * @size: size of the certificate
+ * @flag: the key ID flag
+ * @result: pointer to a buffer to store output key ID (may not be null)
+ * @resultlen: pointer to the size of the buffer
+ * @errp: error pointer
+ *
+ * Retrieve the key ID from the @cert based on the specified @flag.
+ *
+ * Returns: 0 if key ID was successfully stored in @result,
+ * -1 on error,
+ * -ENOTSUP if GNUTLS is not enabled.
+ */
+int qcrypto_get_x509_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoKeyidFlags flag,
+ uint8_t *result,
+ size_t *resultlen,
+ Error **errp);
+
#endif
diff --git a/qapi/crypto.json b/qapi/crypto.json
index af487dcecd..0262ccee34 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -692,3 +692,23 @@
'rsa-sha256', 'rsa-sha384', 'rsa-sha512', 'rsa-sha224',
'dsa-sha224', 'dsa-sha256',
'ecdsa-sha1', 'ecdsa-sha224', 'ecdsa-sha256', 'ecdsa-sha384',
'ecdsa-sha512']}
+
+##
+# @QCryptoPkAlgo:
+#
+# Algorithms for public-key
+#
+# @unknown: UNKNOWN
+#
+# @rsa: RSA
+#
+# @dsa: DSA
+#
+# @dh: DH
+#
+# @ecdsa: ECDSA
+#
+# Since: 10.1
+##
+{ 'enum': 'QCryptoPkAlgo',
+ 'data': ['unknown', 'rsa', 'dsa', 'dh', 'ecdsa']}
--
2.49.0
