]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
x509: move common functions to x509 helper
authorRaymond Mao <raymond.mao@linaro.org>
Thu, 3 Oct 2024 21:50:26 +0000 (14:50 -0700)
committerTom Rini <trini@konsulko.com>
Mon, 14 Oct 2024 23:58:41 +0000 (17:58 -0600)
Move x509_check_for_self_signed as a common helper function
that can be shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
lib/crypto/Makefile
lib/crypto/x509_helper.c [new file with mode: 0644]
lib/crypto/x509_public_key.c

index 4ad1849040da150ab044d8bddab496523ac3fb51..946cc3a7b5940ea8c8984b7514ba9efad83504db 100644 (file)
@@ -37,6 +37,7 @@ x509_key_parser-y := \
        x509.asn1.o \
        x509_akid.asn1.o \
        x509_cert_parser.o \
+       x509_helper.o \
        x509_public_key.o
 
 $(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_helper.c b/lib/crypto/x509_helper.c
new file mode 100644 (file)
index 0000000..87e8ff6
--- /dev/null
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 helper functions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ */
+#include <linux/err.h>
+#include <crypto/public_key.h>
+#include <crypto/x509_parser.h>
+
+/*
+ * Check for self-signedness in an X.509 cert and if found, check the signature
+ * immediately if we can.
+ */
+int x509_check_for_self_signed(struct x509_certificate *cert)
+{
+       int ret = 0;
+
+       if (cert->raw_subject_size != cert->raw_issuer_size ||
+           memcmp(cert->raw_subject, cert->raw_issuer,
+                  cert->raw_issuer_size))
+               goto not_self_signed;
+
+       if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
+               /*
+                * If the AKID is present it may have one or two parts. If
+                * both are supplied, both must match.
+                */
+               bool a = asymmetric_key_id_same(cert->skid,
+                                               cert->sig->auth_ids[1]);
+               bool b = asymmetric_key_id_same(cert->id,
+                                               cert->sig->auth_ids[0]);
+
+               if (!a && !b)
+                       goto not_self_signed;
+
+               ret = -EKEYREJECTED;
+               if (((a && !b) || (b && !a)) &&
+                   cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
+                       goto out;
+       }
+
+       ret = -EKEYREJECTED;
+       if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo))
+               goto out;
+
+       ret = public_key_verify_signature(cert->pub, cert->sig);
+       if (ret == -ENOPKG) {
+               cert->unsupported_sig = true;
+               goto not_self_signed;
+       }
+       if (ret < 0)
+               goto out;
+
+       pr_devel("Cert Self-signature verified");
+       cert->self_signed = true;
+
+out:
+       return ret;
+
+not_self_signed:
+       return 0;
+}
index a10145a7cdcf106ede0686f438d063f955e620f9..4ba13c1adc3a3590482666006063a8018f5f1ec9 100644 (file)
@@ -139,61 +139,7 @@ error:
        return ret;
 }
 
-/*
- * Check for self-signedness in an X.509 cert and if found, check the signature
- * immediately if we can.
- */
-int x509_check_for_self_signed(struct x509_certificate *cert)
-{
-       int ret = 0;
-
-       pr_devel("==>%s()\n", __func__);
-
-       if (cert->raw_subject_size != cert->raw_issuer_size ||
-           memcmp(cert->raw_subject, cert->raw_issuer,
-                  cert->raw_issuer_size) != 0)
-               goto not_self_signed;
-
-       if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
-               /* If the AKID is present it may have one or two parts.  If
-                * both are supplied, both must match.
-                */
-               bool a = asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]);
-               bool b = asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0]);
-
-               if (!a && !b)
-                       goto not_self_signed;
-
-               ret = -EKEYREJECTED;
-               if (((a && !b) || (b && !a)) &&
-                   cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
-                       goto out;
-       }
-
-       ret = -EKEYREJECTED;
-       if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
-               goto out;
-
-       ret = public_key_verify_signature(cert->pub, cert->sig);
-       if (ret < 0) {
-               if (ret == -ENOPKG) {
-                       cert->unsupported_sig = true;
-                       ret = 0;
-               }
-               goto out;
-       }
-
-       pr_devel("Cert Self-signature verified");
-       cert->self_signed = true;
-
-out:
-       pr_devel("<==%s() = %d\n", __func__, ret);
-       return ret;
-
-not_self_signed:
-       pr_devel("<==%s() = 0 [not]\n", __func__);
-       return 0;
-}
+#endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */
 
 #ifndef __UBOOT__
 /*