Introduce new helper functions to extract certificate metadata:
qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521 curve
These functions provide support for metadata extraction and validity checking
for X.509 certificates.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
Reviewed-by: Farhan Ali<alifm@linux.ibm.com>
---
crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++
include/crypto/x509-utils.h | 51 ++++++++
2 files changed, 287 insertions(+)
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
index 2696d48155..906d5e5e87 100644
--- a/crypto/x509-utils.c
+++ b/crypto/x509-utils.c
@@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
[QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
};
+static const int qcrypto_to_gnutls_keyid_flags_map[] = {
+ [QCRYPTO_HASH_ALGO_MD5] = -1,
+ [QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_KEYID_USE_SHA1,
+ [QCRYPTO_HASH_ALGO_SHA224] = -1,
+ [QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_KEYID_USE_SHA256,
+ [QCRYPTO_HASH_ALGO_SHA384] = -1,
+ [QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_KEYID_USE_SHA512,
+ [QCRYPTO_HASH_ALGO_RIPEMD160] = -1,
+};
+
int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
QCryptoHashAlgo alg,
uint8_t *result,
@@ -121,6 +131,210 @@ cleanup:
return ret;
}
+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc;
+ int ret = -1;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+ time_t now = time(NULL);
+ time_t exp_time;
+ time_t act_time;
+
+ if (now == ((time_t)-1)) {
+ error_setg_errno(errp, errno, "Cannot get current time");
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_init(&crt);
+ if (rc < 0) {
+ error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
+ if (rc != 0) {
+ error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ exp_time = gnutls_x509_crt_get_expiration_time(crt);
+ if (exp_time == ((time_t)-1)) {
+ error_setg(errp, "Failed to get certificate expiration time");
+ goto cleanup;
+ }
+ if (exp_time < now) {
+ error_setg(errp, "The certificate has expired");
+ goto cleanup;
+ }
+
+ act_time = gnutls_x509_crt_get_activation_time(crt);
+ if (act_time == ((time_t)-1)) {
+ error_setg(errp, "Failed to get certificate activation time");
+ goto cleanup;
+ }
+ if (act_time > now) {
+ error_setg(errp, "The certificate is not yet active");
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return ret;
+}
+
+static int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc;
+ int ret = -1;
+ unsigned int bits;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ rc = gnutls_x509_crt_init(&crt);
+ if (rc < 0) {
+ error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
+ if (rc != 0) {
+ error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ rc = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
+ if (rc < 0) {
+ error_setg(errp, "Unknown public key algorithm %d", rc);
+ goto cleanup;
+ }
+
+ ret = rc;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return ret;
+}
+
+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoHashAlgo hash_alg,
+ uint8_t **result,
+ size_t *resultlen,
+ Error **errp)
+{
+ int rc;
+ int ret = -1;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
+ error_setg(errp, "Unknown hash algorithm %d", hash_alg);
+ return ret;
+ }
+
+ if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||
+ qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {
+ error_setg(errp, "Unsupported key id flag %d", hash_alg);
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_init(&crt);
+ if (rc < 0) {
+ error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
+ if (rc != 0) {
+ error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ *resultlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
+ if (*resultlen == 0) {
+ error_setg(errp, "Failed to get hash algorithn length: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ *result = g_malloc0(*resultlen);
+ if (gnutls_x509_crt_get_key_id(crt,
+ qcrypto_to_gnutls_keyid_flags_map[hash_alg],
+ *result, resultlen) != 0) {
+ error_setg(errp, "Failed to get key ID from certificate");
+ g_clear_pointer(result, g_free);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return ret;
+}
+
+static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **errp)
+{
+ int rc;
+ int ret = -1;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+ gnutls_ecc_curve_t curve_id;
+ gnutls_datum_t x = {.data = NULL, .size = 0};
+ gnutls_datum_t y = {.data = NULL, .size = 0};
+
+ rc = gnutls_x509_crt_init(&crt);
+ if (rc < 0) {
+ error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
+ return ret;
+ }
+
+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
+ if (rc != 0) {
+ error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ rc = gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y);
+ if (rc != 0) {
+ error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_strerror(rc));
+ goto cleanup;
+ }
+
+ ret = curve_id;
+
+cleanup:
+ gnutls_x509_crt_deinit(crt);
+ gnutls_free(x.data);
+ gnutls_free(y.data);
+ return ret;
+}
+
+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)
+{
+ int algo;
+ int curve_id;
+
+ algo = qcrypto_x509_get_pk_algorithm(cert, size, errp);
+ if (algo != GNUTLS_PK_ECDSA) {
+ return 0;
+ }
+
+ curve_id = qcrypto_x509_get_ecc_curve(cert, size, errp);
+ if (curve_id == -1) {
+ error_setg(errp, "Failed to get ECC curve");
+ return -1;
+ }
+
+ if (curve_id == GNUTLS_ECC_CURVE_INVALID) {
+ error_setg(errp, "Invalid ECC curve");
+ return -1;
+ }
+
+ return curve_id == GNUTLS_ECC_CURVE_SECP521R1;
+}
+
#else /* ! CONFIG_GNUTLS */
int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
@@ -142,4 +356,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,
return -1;
}
+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get certificate times");
+ return -1;
+}
+
+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoHashAlgo hash_alg,
+ uint8_t **result,
+ size_t *resultlen,
+ Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to get key ID");
+ return -1;
+}
+
+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)
+{
+ error_setg(errp, "GNUTLS is required to determine ecc curve");
+ return -1;
+}
+
#endif /* ! CONFIG_GNUTLS */
diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h
index 91ae79fb03..6040894a46 100644
--- a/include/crypto/x509-utils.h
+++ b/include/crypto/x509-utils.h
@@ -40,4 +40,55 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,
size_t *resultlen,
Error **errp);
+/**
+ * qcrypto_x509_check_cert_times
+ * @cert: pointer to the raw certificate data
+ * @size: size of the certificate
+ * @errp: error pointer
+ *
+ * Check whether the activation and expiration times of @cert
+ * are valid at the current time.
+ *
+ * Returns: 0 if the certificate times are valid,
+ * -1 on error.
+ */
+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp);
+
+/**
+ * qcrypto_x509_get_cert_key_id
+ * @cert: pointer to the raw certificate data
+ * @size: size of the certificate
+ * @hash_alg: the hash algorithm flag
+ * @result: output location for the allocated buffer for key ID
+ * (the function allocates memory which must be freed by the caller)
+ * @resultlen: pointer to the size of the buffer
+ * (will be updated with the actual size of key id)
+ * @errp: error pointer
+ *
+ * Retrieve the key ID from the @cert based on the specified @flag.
+ *
+ * Returns: 0 if key ID was successfully stored in @result,
+ * -1 on error.
+ */
+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
+ QCryptoHashAlgo hash_alg,
+ uint8_t **result,
+ size_t *resultlen,
+ Error **errp);
+
+/**
+ * qcrypto_x509_check_ecc_curve_p521
+ * @cert: pointer to the raw certificate data
+ * @size: size of the certificate
+ * @errp: error pointer
+ *
+ * Determine whether the ECC public key in the given certificate uses the P-521
+ * curve.
+ *
+ * Returns: 0 if ECC public key does not use P521 curve.
+ * 1 if ECC public key uses P521 curve.
+ * -1 on error.
+ */
+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp);
+
#endif
--
2.52.0On 12/02/2026 21.43, Zhuoying Cai wrote:
> Introduce new helper functions to extract certificate metadata:
>
> qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
> qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
> qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
> qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521 curve
>
> These functions provide support for metadata extraction and validity checking
> for X.509 certificates.
>
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> Reviewed-by: Farhan Ali<alifm@linux.ibm.com>
> ---
> crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++
> include/crypto/x509-utils.h | 51 ++++++++
> 2 files changed, 287 insertions(+)
>
> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
> index 2696d48155..906d5e5e87 100644
> --- a/crypto/x509-utils.c
> +++ b/crypto/x509-utils.c
> @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
So there is a mapping for RIPEMD160 - everything else will be mapped to 0,
which is GNUTLS_DIG_UNKNOWN if I got the gnutls.h header right ...
> };
...
> +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
> + QCryptoHashAlgo hash_alg,
> + uint8_t **result,
> + size_t *resultlen,
> + Error **errp)
... and in patch 09/30, you call this function with:
+ rc = qcrypto_x509_get_cert_key_id(cert->raw, cert->size,
+ QCRYPTO_HASH_ALGO_SHA256,
+ &key_id_data, &key_id_len, &err);
i.e. hash_alg is QCRYPTO_HASH_ALGO_SHA256...
> +{
> + int rc;
> + int ret = -1;
> + gnutls_x509_crt_t crt;
> + gnutls_datum_t datum = {.data = cert, .size = size};
> +
> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
> + error_setg(errp, "Unknown hash algorithm %d", hash_alg);
> + return ret;
> + }
> +
> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||
> + qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {
> + error_setg(errp, "Unsupported key id flag %d", hash_alg);
> + return ret;
> + }
> +
> + rc = gnutls_x509_crt_init(&crt);
> + if (rc < 0) {
> + error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
> + return ret;
> + }
> +
> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
> + if (rc != 0) {
> + error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
> + goto cleanup;
> + }
> +
> + *resultlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
... so qcrypto_to_gnutls_hash_alg_map[hash_alg] should result in
GNUTLS_DIG_UNKNOWN as far as I can see. How is this supposed to work? Is
this code used at all? Or is the error simply ignored somewhere up in the
call chain? Or did I miss something?
Thomas
> + if (*resultlen == 0) {
> + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls_strerror(rc));
> + goto cleanup;
> + }
> +
> + *result = g_malloc0(*resultlen);
> + if (gnutls_x509_crt_get_key_id(crt,
> + qcrypto_to_gnutls_keyid_flags_map[hash_alg],
> + *result, resultlen) != 0) {
> + error_setg(errp, "Failed to get key ID from certificate");
> + g_clear_pointer(result, g_free);
> + goto cleanup;
> + }
> +
> + ret = 0;
> +
> +cleanup:
> + gnutls_x509_crt_deinit(crt);
> + return ret;
> +}
Thomas
On 2/28/26 8:43 AM, Thomas Huth wrote:
> On 12/02/2026 21.43, Zhuoying Cai wrote:
>> Introduce new helper functions to extract certificate metadata:
>>
>> qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
>> qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
>> qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
>> qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521 curve
>>
>> These functions provide support for metadata extraction and validity checking
>> for X.509 certificates.
>>
>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>> Reviewed-by: Farhan Ali<alifm@linux.ibm.com>
>> ---
>> crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++
>> include/crypto/x509-utils.h | 51 ++++++++
>> 2 files changed, 287 insertions(+)
>>
>> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
>> index 2696d48155..906d5e5e87 100644
>> --- a/crypto/x509-utils.c
>> +++ b/crypto/x509-utils.c
>> @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
>> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
>
> So there is a mapping for RIPEMD160 - everything else will be mapped to 0,
> which is GNUTLS_DIG_UNKNOWN if I got the gnutls.h header right ...
>
>> };
> ...
>> +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
>> + QCryptoHashAlgo hash_alg,
>> + uint8_t **result,
>> + size_t *resultlen,
>> + Error **errp)
>
> ... and in patch 09/30, you call this function with:
>
> + rc = qcrypto_x509_get_cert_key_id(cert->raw, cert->size,
> + QCRYPTO_HASH_ALGO_SHA256,
> + &key_id_data, &key_id_len, &err);
>
> i.e. hash_alg is QCRYPTO_HASH_ALGO_SHA256...
>
>> +{
>> + int rc;
>> + int ret = -1;
>> + gnutls_x509_crt_t crt;
>> + gnutls_datum_t datum = {.data = cert, .size = size};
>> +
>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
>> + error_setg(errp, "Unknown hash algorithm %d", hash_alg);
>> + return ret;
>> + }
>> +
>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||
>> + qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {
>> + error_setg(errp, "Unsupported key id flag %d", hash_alg);
>> + return ret;
>> + }
>> +
>> + rc = gnutls_x509_crt_init(&crt);
>> + if (rc < 0) {
>> + error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
>> + return ret;
>> + }
>> +
>> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
>> + if (rc != 0) {
>> + error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
>> + goto cleanup;
>> + }
>> +
>> + *resultlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
>
> ... so qcrypto_to_gnutls_hash_alg_map[hash_alg] should result in
> GNUTLS_DIG_UNKNOWN as far as I can see. How is this supposed to work? Is
> this code used at all? Or is the error simply ignored somewhere up in the
> call chain? Or did I miss something?
>
> Thomas
>
>
Thanks for the review!
To clarify: the diff context only showed the RIPEMD160 line, but the
existing qcrypto_to_gnutls_hash_alg_map[] also includes SHA256 in
x509-utils.c.
static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
[QCRYPTO_HASH_ALGO_MD5] = GNUTLS_DIG_MD5,
[QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_DIG_SHA1,
[QCRYPTO_HASH_ALGO_SHA224] = GNUTLS_DIG_SHA224,
[QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_DIG_SHA256,
[QCRYPTO_HASH_ALGO_SHA384] = GNUTLS_DIG_SHA384,
[QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_DIG_SHA512,
[QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
};
For the call in patch 09/30, hash_alg is QCRYPTO_HASH_ALGO_SHA256, so
qcrypto_to_gnutls_hash_alg_map[hash_alg] resolves to GNUTLS_DIG_SHA256
(value 6), and gnutls_hash_get_len(...) returns 32 as expected.
>> + if (*resultlen == 0) {
>> + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls_strerror(rc));
>> + goto cleanup;
>> + }
>> +
>> + *result = g_malloc0(*resultlen);
>> + if (gnutls_x509_crt_get_key_id(crt,
>> + qcrypto_to_gnutls_keyid_flags_map[hash_alg],
>> + *result, resultlen) != 0) {
>> + error_setg(errp, "Failed to get key ID from certificate");
>> + g_clear_pointer(result, g_free);
>> + goto cleanup;
>> + }
>> +
>> + ret = 0;
>> +
>> +cleanup:
>> + gnutls_x509_crt_deinit(crt);
>> + return ret;
>> +}
>
> Thomas
>
On 03/03/2026 22.02, Zhuoying Cai wrote:
> On 2/28/26 8:43 AM, Thomas Huth wrote:
>> On 12/02/2026 21.43, Zhuoying Cai wrote:
>>> Introduce new helper functions to extract certificate metadata:
>>>
>>> qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
>>> qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
>>> qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
>>> qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521 curve
>>>
>>> These functions provide support for metadata extraction and validity checking
>>> for X.509 certificates.
>>>
>>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>>> Reviewed-by: Farhan Ali<alifm@linux.ibm.com>
>>> ---
>>> crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++
>>> include/crypto/x509-utils.h | 51 ++++++++
>>> 2 files changed, 287 insertions(+)
>>>
>>> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
>>> index 2696d48155..906d5e5e87 100644
>>> --- a/crypto/x509-utils.c
>>> +++ b/crypto/x509-utils.c
>>> @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
>>> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
>>
>> So there is a mapping for RIPEMD160 - everything else will be mapped to 0,
>> which is GNUTLS_DIG_UNKNOWN if I got the gnutls.h header right ...
>>
>>> };
>> ...
>>> +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
>>> + QCryptoHashAlgo hash_alg,
>>> + uint8_t **result,
>>> + size_t *resultlen,
>>> + Error **errp)
>>
>> ... and in patch 09/30, you call this function with:
>>
>> + rc = qcrypto_x509_get_cert_key_id(cert->raw, cert->size,
>> + QCRYPTO_HASH_ALGO_SHA256,
>> + &key_id_data, &key_id_len, &err);
>>
>> i.e. hash_alg is QCRYPTO_HASH_ALGO_SHA256...
>>
>>> +{
>>> + int rc;
>>> + int ret = -1;
>>> + gnutls_x509_crt_t crt;
>>> + gnutls_datum_t datum = {.data = cert, .size = size};
>>> +
>>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
>>> + error_setg(errp, "Unknown hash algorithm %d", hash_alg);
>>> + return ret;
>>> + }
>>> +
>>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||
>>> + qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {
>>> + error_setg(errp, "Unsupported key id flag %d", hash_alg);
>>> + return ret;
>>> + }
>>> +
>>> + rc = gnutls_x509_crt_init(&crt);
>>> + if (rc < 0) {
>>> + error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
>>> + return ret;
>>> + }
>>> +
>>> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
>>> + if (rc != 0) {
>>> + error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
>>> + goto cleanup;
>>> + }
>>> +
>>> + *resultlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
>>
>> ... so qcrypto_to_gnutls_hash_alg_map[hash_alg] should result in
>> GNUTLS_DIG_UNKNOWN as far as I can see. How is this supposed to work? Is
>> this code used at all? Or is the error simply ignored somewhere up in the
>> call chain? Or did I miss something?
>>
>> Thomas
>
> Thanks for the review!
>
> To clarify: the diff context only showed the RIPEMD160 line, but the
> existing qcrypto_to_gnutls_hash_alg_map[] also includes SHA256 in
> x509-utils.c.
>
> static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
> [QCRYPTO_HASH_ALGO_MD5] = GNUTLS_DIG_MD5,
> [QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_DIG_SHA1,
> [QCRYPTO_HASH_ALGO_SHA224] = GNUTLS_DIG_SHA224,
> [QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_DIG_SHA256,
> [QCRYPTO_HASH_ALGO_SHA384] = GNUTLS_DIG_SHA384,
> [QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_DIG_SHA512,
> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
> };
>
> For the call in patch 09/30, hash_alg is QCRYPTO_HASH_ALGO_SHA256, so
> qcrypto_to_gnutls_hash_alg_map[hash_alg] resolves to GNUTLS_DIG_SHA256
> (value 6), and gnutls_hash_get_len(...) returns 32 as expected.
Ooops, sorry, I've been fooled by the line wrapping of my e-mail client.
It broke the lines like this:
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
index 2696d48155..906d5e5e87 100644
--- a/crypto/x509-utils.c
+++ b/crypto/x509-utils.c
@@ -27,6 +27,16 @@ static const int
qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
[QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
};
So without having a real close look, it indeed looked like there is only one
entry in the array here :-/
Sorry for the noise!
Thomas
© 2016 - 2026 Red Hat, Inc.