Message ID | 20240816214436.1877263-17-raymond.mao@linaro.org |
---|---|
State | Changes Requested |
Delegated to: | Tom Rini |
Headers | show |
Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Sat, 17 Aug 2024 at 00:51, Raymond Mao <raymond.mao@linaro.org> wrote: > > Add porting layer for public key on top of MbedTLS X509 library. > Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and > MbedTLS implementations respectively. > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > --- > Changes in v2 > - Move the porting layer to MbedTLS dir. > Changes in v3 > - None. > Changes in v4 > - Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and > MbedTLS implementations respectively. > - Move common functions to helper. > Changes in v5 > - Correct kconfig dependence. > - Kconfig rename. > - Refactored MbedTLS makefile. > - Adjust a few inline comments. > Changes in v6 > - None. > > lib/mbedtls/Kconfig | 52 +++++++++++++++++++++++++ > lib/mbedtls/Makefile | 6 ++- > lib/mbedtls/public_key.c | 82 ++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 139 insertions(+), 1 deletion(-) > create mode 100644 lib/mbedtls/public_key.c > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > index 0e22edf1b6c..dbbcdba8bc6 100644 > --- a/lib/mbedtls/Kconfig > +++ b/lib/mbedtls/Kconfig > @@ -117,9 +117,35 @@ endif # LEGACY_CRYPTO_BASIC > > config LEGACY_CRYPTO_CERT > bool "legacy certificate libraries" > + select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ > + ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ > + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > help > Enable legacy certificate libraries. > > +if LEGACY_CRYPTO_CERT > + > +config ASYMMETRIC_PUBLIC_KEY_LEGACY > + bool "Asymmetric public key crypto with legacy certificate library" > + depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + help > + This option chooses legacy certificate library for asymmetric public > + key crypto algorithm. > + > +if SPL > + > +config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY > + bool "Asymmetric public key crypto with legacy certificate library in SPL" > + depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + help > + This option chooses legacy certificate library for asymmetric public > + key crypto algorithm in SPL. > + > +endif # SPL > + > +endif # LEGACY_CRYPTO_CERT > + > endif # LEGACY_CRYPTO > > if MBEDTLS_LIB > @@ -246,7 +272,33 @@ endif # MBEDTLS_LIB_CRYPTO > > config MBEDTLS_LIB_X509 > bool "MbedTLS certificate libraries" > + select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ > + ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ > + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > help > Enable MbedTLS certificate libraries. > > +if MBEDTLS_LIB_X509 > + > +config ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + bool "Asymmetric public key crypto with MbedTLS certificate library" > + depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + help > + This option chooses MbedTLS certificate library for asymmetric public > + key crypto algorithm. > + > +if SPL > + > +config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" > + depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + help > + This option chooses MbedTLS certificate library for asymmetric public > + key crypto algorithm in SPL. > + > +endif # SPL > + > +endif # MBEDTLS_LIB_X509 > + > endif # MBEDTLS_LIB > diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > index 50c1ba5f88e..2d2220dd4fd 100644 > --- a/lib/mbedtls/Makefile > +++ b/lib/mbedtls/Makefile > @@ -11,6 +11,10 @@ obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o > obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o > obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o > > +# x509 libraries > +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ > + public_key.o > + > # MbedTLS crypto library > obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o > mbedtls_lib_crypto-y := \ > @@ -36,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ > $(MBEDTLS_LIB_DIR)/bignum_core.o \ > $(MBEDTLS_LIB_DIR)/rsa.o \ > $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o > -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ > +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ > $(MBEDTLS_LIB_DIR)/pk.o \ > $(MBEDTLS_LIB_DIR)/pk_wrap.o \ > $(MBEDTLS_LIB_DIR)/pkparse.o > diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c > new file mode 100644 > index 00000000000..5f73b99d4f2 > --- /dev/null > +++ b/lib/mbedtls/public_key.c > @@ -0,0 +1,82 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * Public key helper functions using MbedTLS X509 library > + * > + * Copyright (c) 2024 Linaro Limited > + * Author: Raymond Mao <raymond.mao@linaro.org> > + */ > + > +#include <linux/compat.h> > +#include <crypto/public_key.h> > + > +int public_key_verify_signature(const struct public_key *pkey, > + const struct public_key_signature *sig) > +{ > + mbedtls_md_type_t mb_hash_algo; > + mbedtls_pk_context pk_ctx; > + int ret; > + > + if (!pkey || !sig || pkey->key_is_private) > + return -EINVAL; > + > + /* > + * ECRDSA (Elliptic Curve Russian Digital Signature Algorithm) is not > + * supported by MbedTLS. > + */ > + if (strcmp(pkey->pkey_algo, "rsa")) { > + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); > + return -EINVAL; > + } > + > + /* > + * Can be pkcs1 or raw, but pkcs1 is expected. > + * This is just for argument checking, not necessarily passed to MbedTLS, > + * For RSA signatures, MbedTLS typically supports the PKCS#1 v1.5 > + * (aka. pkcs1) encoding by default. > + * The library internally handles the details of decoding and verifying > + * the signature according to the expected encoding for the specified algorithm. > + */ > + if (strcmp(sig->encoding, "pkcs1")) { > + pr_err("Encoding %s is not supported, only supports pkcs1\n", > + sig->encoding); > + return -EINVAL; > + } > + > + if (!strcmp(sig->hash_algo, "sha1")) > + mb_hash_algo = MBEDTLS_MD_SHA1; > + else if (!strcmp(sig->hash_algo, "sha224")) > + mb_hash_algo = MBEDTLS_MD_SHA224; > + else if (!strcmp(sig->hash_algo, "sha256")) > + mb_hash_algo = MBEDTLS_MD_SHA256; > + else if (!strcmp(sig->hash_algo, "sha384")) > + mb_hash_algo = MBEDTLS_MD_SHA384; > + else if (!strcmp(sig->hash_algo, "sha512")) > + mb_hash_algo = MBEDTLS_MD_SHA512; > + else /* Unknown or unsupported hash algorithm */ > + return -EINVAL; > + /* Initialize the mbedtls_pk_context with RSA key type */ > + mbedtls_pk_init(&pk_ctx); > + > + /* Parse the DER-encoded public key */ > + ret = mbedtls_pk_parse_public_key(&pk_ctx, pkey->key, pkey->keylen); > + if (ret) { > + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); > + ret = -EINVAL; > + goto err_key; > + } > + > + /* Ensure that it is a RSA key */ > + if (mbedtls_pk_get_type(&pk_ctx) != MBEDTLS_PK_RSA) { > + pr_err("Only RSA keys are supported\n"); > + ret = -EKEYREJECTED; > + goto err_key; > + } > + > + /* Verify the hash */ > + ret = mbedtls_pk_verify(&pk_ctx, mb_hash_algo, sig->digest, > + sig->digest_size, sig->s, sig->s_size); > + > +err_key: > + mbedtls_pk_free(&pk_ctx); > + return ret; > +} > -- > 2.25.1 > Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 0e22edf1b6c..dbbcdba8bc6 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -117,9 +117,35 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help Enable legacy certificate libraries. +if LEGACY_CRYPTO_CERT + +config ASYMMETRIC_PUBLIC_KEY_LEGACY + bool "Asymmetric public key crypto with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + bool "Asymmetric public key crypto with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # LEGACY_CRYPTO_CERT + endif # LEGACY_CRYPTO if MBEDTLS_LIB @@ -246,7 +272,33 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help Enable MbedTLS certificate libraries. +if MBEDTLS_LIB_X509 + +config ASYMMETRIC_PUBLIC_KEY_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # MBEDTLS_LIB_X509 + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 50c1ba5f88e..2d2220dd4fd 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -11,6 +11,10 @@ obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o +# x509 libraries +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ + public_key.o + # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y := \ @@ -36,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pk.o \ $(MBEDTLS_LIB_DIR)/pk_wrap.o \ $(MBEDTLS_LIB_DIR)/pkparse.o diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c new file mode 100644 index 00000000000..5f73b99d4f2 --- /dev/null +++ b/lib/mbedtls/public_key.c @@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Public key helper functions using MbedTLS X509 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao <raymond.mao@linaro.org> + */ + +#include <linux/compat.h> +#include <crypto/public_key.h> + +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + mbedtls_md_type_t mb_hash_algo; + mbedtls_pk_context pk_ctx; + int ret; + + if (!pkey || !sig || pkey->key_is_private) + return -EINVAL; + + /* + * ECRDSA (Elliptic Curve Russian Digital Signature Algorithm) is not + * supported by MbedTLS. + */ + if (strcmp(pkey->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); + return -EINVAL; + } + + /* + * Can be pkcs1 or raw, but pkcs1 is expected. + * This is just for argument checking, not necessarily passed to MbedTLS, + * For RSA signatures, MbedTLS typically supports the PKCS#1 v1.5 + * (aka. pkcs1) encoding by default. + * The library internally handles the details of decoding and verifying + * the signature according to the expected encoding for the specified algorithm. + */ + if (strcmp(sig->encoding, "pkcs1")) { + pr_err("Encoding %s is not supported, only supports pkcs1\n", + sig->encoding); + return -EINVAL; + } + + if (!strcmp(sig->hash_algo, "sha1")) + mb_hash_algo = MBEDTLS_MD_SHA1; + else if (!strcmp(sig->hash_algo, "sha224")) + mb_hash_algo = MBEDTLS_MD_SHA224; + else if (!strcmp(sig->hash_algo, "sha256")) + mb_hash_algo = MBEDTLS_MD_SHA256; + else if (!strcmp(sig->hash_algo, "sha384")) + mb_hash_algo = MBEDTLS_MD_SHA384; + else if (!strcmp(sig->hash_algo, "sha512")) + mb_hash_algo = MBEDTLS_MD_SHA512; + else /* Unknown or unsupported hash algorithm */ + return -EINVAL; + /* Initialize the mbedtls_pk_context with RSA key type */ + mbedtls_pk_init(&pk_ctx); + + /* Parse the DER-encoded public key */ + ret = mbedtls_pk_parse_public_key(&pk_ctx, pkey->key, pkey->keylen); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto err_key; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk_ctx) != MBEDTLS_PK_RSA) { + pr_err("Only RSA keys are supported\n"); + ret = -EKEYREJECTED; + goto err_key; + } + + /* Verify the hash */ + ret = mbedtls_pk_verify(&pk_ctx, mb_hash_algo, sig->digest, + sig->digest_size, sig->s, sig->s_size); + +err_key: + mbedtls_pk_free(&pk_ctx); + return ret; +}
Add porting layer for public key on top of MbedTLS X509 library. Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively. - Move common functions to helper. Changes in v5 - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. - Adjust a few inline comments. Changes in v6 - None. lib/mbedtls/Kconfig | 52 +++++++++++++++++++++++++ lib/mbedtls/Makefile | 6 ++- lib/mbedtls/public_key.c | 82 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/public_key.c