diff options
author | Raymond Mao <raymond.mao@linaro.org> | 2024-04-16 12:00:13 -0700 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2024-04-16 13:10:05 -0600 |
commit | 751f2b7af441dfc7173c770fdbce75bfe0125657 (patch) | |
tree | 0c4fb3535618156a844162f15af02603cd1f455f | |
parent | cd1b3b41e688f83f48b19774eb27ecfd98aef64a (diff) | |
download | u-boot-751f2b7af441dfc7173c770fdbce75bfe0125657.zip u-boot-751f2b7af441dfc7173c770fdbce75bfe0125657.tar.gz u-boot-751f2b7af441dfc7173c770fdbce75bfe0125657.tar.bz2 |
lib/crypto: Port public_key on MbedTLS
Integrate function public_key_verify_signature on top of MbedTLS
pk library.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
-rw-r--r-- | include/crypto/public_key.h | 6 | ||||
-rw-r--r-- | lib/crypto/asymmetric_type.c | 2 | ||||
-rw-r--r-- | lib/crypto/public_key.c | 75 |
3 files changed, 82 insertions, 1 deletions
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fc..55cd4c2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include <linux/types.h> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include <external/mbedtls/library/common.h> +#include <external/mbedtls/include/mbedtls/pk.h> +#include <external/mbedtls/include/mbedtls/x509_crt.h> +#include <external/mbedtls/include/mbedtls/md.h> +#endif #else #include <linux/keyctl.h> #endif diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15..95b82cd 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include <keys/asymmetric-subtype.h> #include <keys/asymmetric-parser.h> #endif -#include <crypto/public_key.h> #ifdef __UBOOT__ #include <linux/bug.h> #include <linux/compat.h> @@ -26,6 +25,7 @@ #include <linux/slab.h> #include <linux/ctype.h> #endif +#include <crypto/public_key.h> #ifdef __UBOOT__ #include <keys/asymmetric-type.h> #else diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index 6efe951..2957668 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -94,6 +94,80 @@ EXPORT_SYMBOL_GPL(public_key_signature_free); * * Return: 0 - verified, non-zero error code - otherwise */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + mbedtls_md_type_t mb_hash_algo; + mbedtls_pk_context pk_ctx; + int ret; + + if (!pkey || !sig || pkey->key_is_private) + return -EINVAL; + + /* + * ECRDSA (Elliptic Curve RedDSA) from Red Hat is not supported by + * MbedTLS + */ + if (strcmp(pkey->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); + return -EINVAL; + } + + /* + * Can be pkcs1 or raw, but pkcs1 is expected. + * This is just for argument checking, not necessarily passed to MbedTLS, + * For RSA signatures, MbedTLS typically supports the PKCS#1 v1.5 + * (aka. pkcs1) encoding by default. + * The library internally handles the details of decoding and verifying + * the signature according to the expected encoding for the specified algorithm. + */ + if (strcmp(sig->encoding, "pkcs1")) { + pr_err("Encoding %s is not supported, only supports pkcs1\n", + sig->encoding); + return -EINVAL; + } + + if (!strcmp(sig->hash_algo, "sha1")) + mb_hash_algo = MBEDTLS_MD_SHA1; + else if (!strcmp(sig->hash_algo, "sha224")) + mb_hash_algo = MBEDTLS_MD_SHA224; + else if (!strcmp(sig->hash_algo, "sha256")) + mb_hash_algo = MBEDTLS_MD_SHA256; + else if (!strcmp(sig->hash_algo, "sha384")) + mb_hash_algo = MBEDTLS_MD_SHA384; + else if (!strcmp(sig->hash_algo, "sha512")) + mb_hash_algo = MBEDTLS_MD_SHA512; + else /* Unknown or unsupported hash algorithm */ + return -EINVAL; + /* Initialize the mbedtls_pk_context with RSA key type */ + mbedtls_pk_init(&pk_ctx); + + /* Parse the DER-encoded public key */ + ret = mbedtls_pk_parse_public_key(&pk_ctx, pkey->key, pkey->keylen); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", + (unsigned int)-ret); + ret = -EINVAL; + goto err_key; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk_ctx) != MBEDTLS_PK_RSA) { + pr_err("Only RSA keys are supported\n"); + ret = -EKEYREJECTED; + goto err_key; + } + + /* Verify the hash */ + ret = mbedtls_pk_verify(&pk_ctx, mb_hash_algo, sig->digest, + sig->digest_size, sig->s, sig->s_size); + +err_key: + mbedtls_pk_free(&pk_ctx); + return ret; +} +#else /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ int public_key_verify_signature(const struct public_key *pkey, const struct public_key_signature *sig) { @@ -142,6 +216,7 @@ int public_key_verify_signature(const struct public_key *pkey, pr_devel("<==%s() = %d\n", __func__, ret); return ret; } +#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ #else /* * Destroy a public key algorithm key. |