| Message ID | 20240816214436.1877263-25-raymond.mao@linaro.org |
|---|---|
| State | Changes Requested |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Sat, 17 Aug 2024 at 00:54, Raymond Mao <raymond.mao@linaro.org> wrote: > > Add RSA helper layer on top on MbedTLS PK and RSA library. > Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and > MbedTLS implementations respectively. > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > --- > Changes in v2 > - Initial patch. > Changes in v3 > - None. > Changes in v4 > - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and > MbedTLS implementations respectively. > - Remove unnecessary type casting. > Changes in v5 > - Correct header file include directories. > - Correct kconfig dependence. > - Kconfig rename. > - Refactored MbedTLS makefile. > Changes in v6 > - None. > > lib/mbedtls/Kconfig | 36 +++++++++++++++ > lib/mbedtls/Makefile | 3 +- > lib/mbedtls/rsa_helper.c | 95 ++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 133 insertions(+), 1 deletion(-) > create mode 100644 lib/mbedtls/rsa_helper.c > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > index ecdf4d3008f..797da0df938 100644 > --- a/lib/mbedtls/Kconfig > +++ b/lib/mbedtls/Kconfig > @@ -119,11 +119,13 @@ config LEGACY_CRYPTO_CERT > bool "legacy certificate libraries" > select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ > ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER > select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER > select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER > select MSCODE_PARSER_LEGACY if MSCODE_PARSER > select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ > SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER > help > Enable legacy certificate libraries. > > @@ -136,6 +138,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY > This option chooses legacy certificate library for asymmetric public > key crypto algorithm. > > +config RSA_PUBLIC_KEY_PARSER_LEGACY > + bool "RSA public key parser with legacy certificate library" > + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY > + select ASN1_DECODER_LEGACY > + help > + This option chooses legacy certificate library for RSA public key > + parser. > + > config X509_CERTIFICATE_PARSER_LEGACY > bool "X.509 certificate parser with legacy certificate library" > depends on ASYMMETRIC_PUBLIC_KEY_LEGACY > @@ -169,6 +179,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY > This option chooses legacy certificate library for asymmetric public > key crypto algorithm in SPL. > > +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY > + bool "RSA public key parser with legacy certificate library in SPL" > + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY > + select SPL_ASN1_DECODER_LEGACY > + help > + This option chooses legacy certificate library for RSA public key > + parser in SPL. > + > endif # SPL > > endif # LEGACY_CRYPTO_CERT > @@ -301,11 +319,13 @@ config MBEDTLS_LIB_X509 > bool "MbedTLS certificate libraries" > select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ > ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER > select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER > select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER > select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER > select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ > SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER > help > Enable MbedTLS certificate libraries. > > @@ -318,6 +338,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS > This option chooses MbedTLS certificate library for asymmetric public > key crypto algorithm. > > +config RSA_PUBLIC_KEY_PARSER_MBEDTLS > + bool "RSA public key parser with MbedTLS certificate library" > + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + select ASN1_DECODER_MBEDTLS > + help > + This option chooses MbedTLS certificate library for RSA public key > + parser. > + > config X509_CERTIFICATE_PARSER_MBEDTLS > bool "X.509 certificate parser with MbedTLS certificate library" > depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > @@ -351,6 +379,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS > This option chooses MbedTLS certificate library for asymmetric public > key crypto algorithm in SPL. > > +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS > + bool "RSA public key parser with MbedTLS certificate library in SPL" > + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + select SPL_ASN1_DECODER_MBEDTLS > + help > + This option chooses MbedTLS certificate library for RSA public key > + parser in SPL. > + > endif # SPL > > endif # MBEDTLS_LIB_X509 > diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > index 83333b1b6a5..40031994708 100644 > --- a/lib/mbedtls/Makefile > +++ b/lib/mbedtls/Makefile > @@ -18,6 +18,7 @@ obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ > x509_cert_parser.o > obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o > obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o > +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o > > # MbedTLS crypto library > obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o > @@ -39,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ > $(MBEDTLS_LIB_DIR)/asn1parse.o \ > $(MBEDTLS_LIB_DIR)/asn1write.o \ > $(MBEDTLS_LIB_DIR)/oid.o > -mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ > +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \ > $(MBEDTLS_LIB_DIR)/bignum.o \ > $(MBEDTLS_LIB_DIR)/bignum_core.o \ > $(MBEDTLS_LIB_DIR)/rsa.o \ > diff --git a/lib/mbedtls/rsa_helper.c b/lib/mbedtls/rsa_helper.c > new file mode 100644 > index 00000000000..3d94eee9954 > --- /dev/null > +++ b/lib/mbedtls/rsa_helper.c > @@ -0,0 +1,95 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * RSA helper functions using MbedTLS > + * > + * Copyright (c) 2024 Linaro Limited > + * Author: Raymond Mao <raymond.mao@linaro.org> > + */ > + > +#include <linux/err.h> > +#include <crypto/internal/rsa.h> > +#include <library/common.h> > +#include <mbedtls/pk.h> > +#include <mbedtls/rsa.h> > +#include <mbedtls/asn1.h> > + > +/** > + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the > + * provided struct rsa_key, pointers to the raw key as is, > + * so that the caller can copy it or MPI parse it, etc. > + * > + * @rsa_key: struct rsa_key key representation > + * @key: key in BER format > + * @key_len: length of key > + * > + * Return: 0 on success or error code in case of error > + */ > +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key, > + unsigned int key_len) > +{ > + int ret = 0; > + mbedtls_pk_context pk; > + mbedtls_rsa_context *rsa; > + > + mbedtls_pk_init(&pk); > + > + ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char *)key, > + key_len); > + if (ret) { > + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); > + ret = -EINVAL; > + goto clean_pubkey; > + } > + > + /* Ensure that it is a RSA key */ > + if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) { > + pr_err("Non-RSA keys are not supported\n"); > + ret = -EKEYREJECTED; > + goto clean_pubkey; > + } > + > + /* Get RSA key context */ > + rsa = mbedtls_pk_rsa(pk); > + if (!rsa) { > + pr_err("Failed to get RSA key context, ret:-0x%04x\n", -ret); > + ret = -EINVAL; > + goto clean_pubkey; > + } > + > + /* Parse modulus (n) */ > + rsa_key->n_sz = mbedtls_mpi_size(&rsa->N); > + rsa_key->n = kzalloc(rsa_key->n_sz, GFP_KERNEL); > + if (!rsa_key->n) { > + ret = -ENOMEM; > + goto clean_pubkey; > + } > + ret = mbedtls_mpi_write_binary(&rsa->N, (unsigned char *)rsa_key->n, > + rsa_key->n_sz); > + if (ret) { > + pr_err("Failed to parse modulus (n), ret:-0x%04x\n", -ret); > + ret = -EINVAL; > + goto clean_modulus; > + } > + > + /* Parse public exponent (e) */ > + rsa_key->e_sz = mbedtls_mpi_size(&rsa->E); > + rsa_key->e = kzalloc(rsa_key->e_sz, GFP_KERNEL); > + if (!rsa_key->e) { > + ret = -ENOMEM; > + goto clean_modulus; > + } > + ret = mbedtls_mpi_write_binary(&rsa->E, (unsigned char *)rsa_key->e, > + rsa_key->e_sz); > + if (!ret) > + return 0; > + > + pr_err("Failed to parse public exponent (e), ret:-0x%04x\n", -ret); > + ret = -EINVAL; > + > + kfree(rsa_key->e); > +clean_modulus: > + kfree(rsa_key->n); > +clean_pubkey: > + mbedtls_pk_free(&pk); > + return ret; > +} > -- > 2.25.1 > Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index ecdf4d3008f..797da0df938 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -119,11 +119,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER help Enable legacy certificate libraries. @@ -136,6 +138,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -169,6 +179,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT @@ -301,11 +319,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER help Enable MbedTLS certificate libraries. @@ -318,6 +338,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS @@ -351,6 +379,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 83333b1b6a5..40031994708 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -18,6 +18,7 @@ obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o @@ -39,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ $(MBEDTLS_LIB_DIR)/asn1parse.o \ $(MBEDTLS_LIB_DIR)/asn1write.o \ $(MBEDTLS_LIB_DIR)/oid.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/bignum.o \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ diff --git a/lib/mbedtls/rsa_helper.c b/lib/mbedtls/rsa_helper.c new file mode 100644 index 00000000000..3d94eee9954 --- /dev/null +++ b/lib/mbedtls/rsa_helper.c @@ -0,0 +1,95 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * RSA helper functions using MbedTLS + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao <raymond.mao@linaro.org> + */ + +#include <linux/err.h> +#include <crypto/internal/rsa.h> +#include <library/common.h> +#include <mbedtls/pk.h> +#include <mbedtls/rsa.h> +#include <mbedtls/asn1.h> + +/** + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the + * provided struct rsa_key, pointers to the raw key as is, + * so that the caller can copy it or MPI parse it, etc. + * + * @rsa_key: struct rsa_key key representation + * @key: key in BER format + * @key_len: length of key + * + * Return: 0 on success or error code in case of error + */ +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key, + unsigned int key_len) +{ + int ret = 0; + mbedtls_pk_context pk; + mbedtls_rsa_context *rsa; + + mbedtls_pk_init(&pk); + + ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char *)key, + key_len); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) { + pr_err("Non-RSA keys are not supported\n"); + ret = -EKEYREJECTED; + goto clean_pubkey; + } + + /* Get RSA key context */ + rsa = mbedtls_pk_rsa(pk); + if (!rsa) { + pr_err("Failed to get RSA key context, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Parse modulus (n) */ + rsa_key->n_sz = mbedtls_mpi_size(&rsa->N); + rsa_key->n = kzalloc(rsa_key->n_sz, GFP_KERNEL); + if (!rsa_key->n) { + ret = -ENOMEM; + goto clean_pubkey; + } + ret = mbedtls_mpi_write_binary(&rsa->N, (unsigned char *)rsa_key->n, + rsa_key->n_sz); + if (ret) { + pr_err("Failed to parse modulus (n), ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_modulus; + } + + /* Parse public exponent (e) */ + rsa_key->e_sz = mbedtls_mpi_size(&rsa->E); + rsa_key->e = kzalloc(rsa_key->e_sz, GFP_KERNEL); + if (!rsa_key->e) { + ret = -ENOMEM; + goto clean_modulus; + } + ret = mbedtls_mpi_write_binary(&rsa->E, (unsigned char *)rsa_key->e, + rsa_key->e_sz); + if (!ret) + return 0; + + pr_err("Failed to parse public exponent (e), ret:-0x%04x\n", -ret); + ret = -EINVAL; + + kfree(rsa_key->e); +clean_modulus: + kfree(rsa_key->n); +clean_pubkey: + mbedtls_pk_free(&pk); + return ret; +}
Add RSA helper layer on top on MbedTLS PK and RSA library. Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. - Remove unnecessary type casting. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. Changes in v6 - None. lib/mbedtls/Kconfig | 36 +++++++++++++++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/rsa_helper.c | 95 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/rsa_helper.c