From 6e1523b0e77785c263bcb639b87a862ae59731a4 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Mon, 1 Feb 2021 10:19:09 -0500 Subject: [PATCH] x509: Add support for parsing x509 certs with ECDSA keys This patch adds support for parsing of x509 certificates that contain ECDSA keys, such as NIST P256, that have been signed by a CA using any of the current SHA hash algorithms. Signed-off-by: Stefan Berger Cc: David Howells Cc: keyrings@vger.kernel.org --- crypto/asymmetric_keys/public_key.c | 19 ++++++++++++++ crypto/asymmetric_keys/x509_cert_parser.c | 32 ++++++++++++++++++++++- include/linux/oid_registry.h | 2 ++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 8892908ad58ce4..7dae61b79d5a62 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -14,6 +14,7 @@ #include #include #include +#include #include #include #include @@ -90,6 +91,24 @@ int software_key_determine_akcipher(const char *encoding, return 0; } + if (strcmp(encoding, "x962") == 0) { + enum OID oid; + + if (parse_OID(pkey->params, pkey->paramlen, &oid) != 0) + return -EBADMSG; + + switch (oid) { + case OID_id_prime192v1: + strcpy(alg_name, "ecdsa-nist-p192"); + return 0; + case OID_id_prime256v1: + strcpy(alg_name, "ecdsa-nist-p256"); + return 0; + default: + return -EINVAL; + } + } + return -ENOPKG; } diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 1621ceaf5c9522..0aff4e584b11e9 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -227,6 +227,26 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, ctx->cert->sig->hash_algo = "sha224"; goto rsa_pkcs1; + case OID_id_ecdsa_with_sha1: + ctx->cert->sig->hash_algo = "sha1"; + goto ecdsa; + + case OID_id_ecdsa_with_sha224: + ctx->cert->sig->hash_algo = "sha224"; + goto ecdsa; + + case OID_id_ecdsa_with_sha256: + ctx->cert->sig->hash_algo = "sha256"; + goto ecdsa; + + case OID_id_ecdsa_with_sha384: + ctx->cert->sig->hash_algo = "sha384"; + goto ecdsa; + + case OID_id_ecdsa_with_sha512: + ctx->cert->sig->hash_algo = "sha512"; + goto ecdsa; + case OID_gost2012Signature256: ctx->cert->sig->hash_algo = "streebog256"; goto ecrdsa; @@ -255,6 +275,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, ctx->cert->sig->encoding = "raw"; ctx->algo_oid = ctx->last_oid; return 0; +ecdsa: + ctx->cert->sig->pkey_algo = "ecdsa"; + ctx->cert->sig->encoding = "x962"; + ctx->algo_oid = ctx->last_oid; + return 0; } /* @@ -276,7 +301,8 @@ int x509_note_signature(void *context, size_t hdrlen, if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || - strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) { + strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 || + strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) { /* Discard the BIT STRING metadata */ if (vlen < 1 || *(const u8 *)value != 0) return -EBADMSG; @@ -478,6 +504,10 @@ int x509_extract_key_data(void *context, size_t hdrlen, case OID_sm2: ctx->cert->pub->pkey_algo = "sm2"; break; + case OID_id_prime192v1: + case OID_id_prime256v1: + ctx->cert->pub->pkey_algo = "ecdsa"; + break; default: return -ENOPKG; } diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index f3b2c097c886b4..ff3cad9f8c1f3a 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -21,6 +21,8 @@ enum OID { OID_id_dsa, /* 1.2.840.10040.4.1 */ OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */ OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */ + OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */ + OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */ OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */ OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */ OID_id_ecdsa_with_sha384, /* 1.2.840.10045.4.3.3 */