From nobody Sat Nov 15 07:42:56 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1755553502; cv=none; d=zohomail.com; s=zohoarc; b=Q9nUxwv06NHs5/x/NW4/uYzQsrFuZNZzIXrU4dNmKNji8G5m5u7/qFVUfy6rNwbxhez0lD8VAKC1OXCTJJETgiC80FELUxrXaUzQ08mWNgUMib9mY7NFv/t0wPICONeQjXRn9Iw7p342fPGMEL3JFndmTj+vYMW9a33pnqjTiwA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1755553502; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=L+xqdLVpYgg9p5Lx1oPqwThkNwq5V6ZHqTAR5xJdNrM=; b=QSxUmvKPB6In9KpG7c3p2+j8VMaoslD38BQsppqFzYmSV2XvYua5bEgZ14X7ozK6gQhtFttIBvJGhNVjPjSU2I9FkAdW2JOMiUvVYQC0kPfrckHnk8B5q9Vs6S/SF6cPBFX2US30fd1SJr+MrfrCkZYc+EtXlVp7L8lRorCBRNE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1755553502559936.1321735820436; Mon, 18 Aug 2025 14:45:02 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uo7dq-0001gw-Np; Mon, 18 Aug 2025 17:43:52 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7dk-0001dW-6y; Mon, 18 Aug 2025 17:43:40 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7di-0003l1-8J; Mon, 18 Aug 2025 17:43:39 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 57IBaPXm007990; Mon, 18 Aug 2025 21:43:37 GMT Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 48jfdrujj4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:36 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 57IHBsii011695; Mon, 18 Aug 2025 21:43:35 GMT Received: from smtprelay03.dal12v.mail.ibm.com ([172.16.1.5]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 48k4au7r8a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:35 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay03.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 57ILhYr619858032 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Aug 2025 21:43:34 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BA15D58058; Mon, 18 Aug 2025 21:43:34 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B844458057; Mon, 18 Aug 2025 21:43:33 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.98.172]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 Aug 2025 21:43:33 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=L+xqdLVpYgg9p5Lx1 oPqwThkNwq5V6ZHqTAR5xJdNrM=; b=HAPUGkY7UF4NhmclKE6m/1LKIdetq1U8S QPQd8EvnvXZrYh0Jgw5/143wsf+5W2Hjd5udDIKXK+KAEQLcTkUpc8Td//s5z3el ysTaWi+8dLbmB2qxQHKPiw+z2DYlFpGhKjesC7MLI2nFDuv4KG72qrpym5aSp6mb EN2xSG4sDHYKNejZtO9WD7FCcMgldjjERVGyVlQQMOkbfMhbuzEqZGFf4wjQ0W5U hBQCMhCy2tRQVkQ7MLlwLU1rynNSoFwkBxBg4U/SZjaRYoJBByNZA5N0xzJAxcpR 3FtR3RzroaGCJ+I5ZtfGaoA/WiaaWUizVmHfz/OVLlWJuQLqFoWdQ== From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com, zycai@linux.ibm.com Subject: [PATCH v5 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Date: Mon, 18 Aug 2025 17:43:01 -0400 Message-ID: <20250818214323.529501-9-zycai@linux.ibm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818214323.529501-1-zycai@linux.ibm.com> References: <20250818214323.529501-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: Odk_vX-gzRzsz3Nk8-tu74uhkFNJJLw2 X-Proofpoint-GUID: Odk_vX-gzRzsz3Nk8-tu74uhkFNJJLw2 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODE2MDAwMSBTYWx0ZWRfXyFamHn+W/YZh bLvxNUYOj7g3N+Yx+qI1Z6Ugv/3416TFB8WApyy6UmmdIIoxGf64GZF1haoyW3jEAKUnsnp5YJq npEX4R5L+ug0GZpM6uuLzafYeoy+7LJKumoUzagzz79e0LMBtX8qqetwrLOL/uz73O9TfuqF1Vr fjf/WwZW7M808SSA1V1FUoxLQGf674x4QFbvaDrptLdRvz3qBHL4hD/NOTtv5vGHLYfsI95hUSq 9GQf/KUK0iRrxQjlo1gZ2AOSPDa2v3F1+XJoFzklUrjxHnVIo7JtOSaFzJZLRWx/Y1XxpUwPo/g p5ryGZXW9yHjzhLpUTVtlubPB6QEXJ/C+3Fhx/zmaohexbkNH9TR2pZJk+EbXM3kW5C6lNYxPZi TaAJOhi5 X-Authority-Analysis: v=2.4 cv=GotC+l1C c=1 sm=1 tr=0 ts=68a39e88 cx=c_pps a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17 a=2OwXVqhp2XgA:10 a=VnNF1IyMAAAA:8 a=m1npDw3cYSwZ3_DRQmoA:9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-18_06,2025-08-14_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 spamscore=0 adultscore=0 suspectscore=0 clxscore=1015 priorityscore=1501 malwarescore=0 bulkscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2507300000 definitions=main-2508160001 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1755553505201124100 Content-Type: text/plain; charset="utf-8" Introduce new helper functions to extract certificate metadata needed for DIAG 320 subcode 2: qcrypto_x509_check_cert_times() - validates the certificate's validity peri= od against the current time qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in = the certificate qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate These functions provide support for metadata extraction and validity checki= ng for X.509 certificates. Signed-off-by: Zhuoying Cai --- crypto/x509-utils.c | 174 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 58 ++++++++++++ 2 files changed, 232 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 29d5146bb2..67b42aad1f 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,21 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int gnutls_to_qcrypto_pk_alg_map[] =3D { + [GNUTLS_PK_RSA] =3D QCRYPTO_PK_ALGO_RSA, + [GNUTLS_PK_DSA] =3D QCRYPTO_PK_ALGO_DSA, + [GNUTLS_PK_ECDSA] =3D QCRYPTO_PK_ALGO_ECDSA, + [GNUTLS_PK_RSA_OAEP] =3D QCRYPTO_PK_ALGO_RSA_OAEP, + [GNUTLS_PK_EDDSA_ED25519] =3D QCRYPTO_PK_ALGO_ED25519, + [GNUTLS_PK_EDDSA_ED448] =3D QCRYPTO_PK_ALGO_ED448, +}; + +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, @@ -123,6 +138,143 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(0); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc >=3D G_N_ELEMENTS(gnutls_to_qcrypto_pk_alg_map)) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D gnutls_to_qcrypto_pk_alg_map[rc]; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)) { + error_setg(errp, "Unknow hash algorithm %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -144,4 +296,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get public key algorithm"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 4239e3e55a..f169df81cb 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h @@ -13,6 +13,15 @@ =20 #include "crypto/hash.h" =20 +typedef enum { + QCRYPTO_PK_ALGO_RSA, + QCRYPTO_PK_ALGO_DSA, + QCRYPTO_PK_ALGO_ECDSA, + QCRYPTO_PK_ALGO_RSA_OAEP, + QCRYPTO_PK_ALGO_ED25519, + QCRYPTO_PK_ALGO_ED448, +} QCryptoPkAlgo; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo hash, uint8_t *result, @@ -39,4 +48,53 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_pk_algorithm + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine the public key algorithm of the @cert. + * + * Returns: a value from the QCryptoPkAlgo enum on success, + * -1 on error. + */ +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.50.1