1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
2 | /* Asymmetric Public-key cryptography key type interface |
3 | * |
4 | * See Documentation/crypto/asymmetric-keys.rst |
5 | * |
6 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
7 | * Written by David Howells (dhowells@redhat.com) |
8 | */ |
9 | |
10 | #ifndef _KEYS_ASYMMETRIC_TYPE_H |
11 | #define _KEYS_ASYMMETRIC_TYPE_H |
12 | |
13 | #include <linux/key-type.h> |
14 | #include <linux/verification.h> |
15 | |
16 | extern struct key_type key_type_asymmetric; |
17 | |
18 | /* |
19 | * The key payload is four words. The asymmetric-type key uses them as |
20 | * follows: |
21 | */ |
22 | enum asymmetric_payload_bits { |
23 | asym_crypto, /* The data representing the key */ |
24 | asym_subtype, /* Pointer to an asymmetric_key_subtype struct */ |
25 | asym_key_ids, /* Pointer to an asymmetric_key_ids struct */ |
26 | asym_auth /* The key's authorisation (signature, parent key ID) */ |
27 | }; |
28 | |
29 | /* |
30 | * Identifiers for an asymmetric key ID. We have three ways of looking up a |
31 | * key derived from an X.509 certificate: |
32 | * |
33 | * (1) Serial Number & Issuer. Non-optional. This is the only valid way to |
34 | * map a PKCS#7 signature to an X.509 certificate. |
35 | * |
36 | * (2) Issuer & Subject Unique IDs. Optional. These were the original way to |
37 | * match X.509 certificates, but have fallen into disuse in favour of (3). |
38 | * |
39 | * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on |
40 | * CA keys that are intended to sign other keys, so don't appear in end |
41 | * user certificates unless forced. |
42 | * |
43 | * We could also support an PGP key identifier, which is just a SHA1 sum of the |
44 | * public key and certain parameters, but since we don't support PGP keys at |
45 | * the moment, we shall ignore those. |
46 | * |
47 | * What we actually do is provide a place where binary identifiers can be |
48 | * stashed and then compare against them when checking for an id match. |
49 | */ |
50 | struct asymmetric_key_id { |
51 | unsigned short len; |
52 | unsigned char data[]; |
53 | }; |
54 | |
55 | struct asymmetric_key_ids { |
56 | void *id[3]; |
57 | }; |
58 | |
59 | extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1, |
60 | const struct asymmetric_key_id *kid2); |
61 | |
62 | extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1, |
63 | const struct asymmetric_key_id *kid2); |
64 | |
65 | extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, |
66 | size_t len_1, |
67 | const void *val_2, |
68 | size_t len_2); |
69 | static inline |
70 | const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) |
71 | { |
72 | return key->payload.data[asym_key_ids]; |
73 | } |
74 | |
75 | static inline |
76 | const struct public_key *asymmetric_key_public_key(const struct key *key) |
77 | { |
78 | return key->payload.data[asym_crypto]; |
79 | } |
80 | |
81 | extern struct key *find_asymmetric_key(struct key *keyring, |
82 | const struct asymmetric_key_id *id_0, |
83 | const struct asymmetric_key_id *id_1, |
84 | const struct asymmetric_key_id *id_2, |
85 | bool partial); |
86 | |
87 | int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size, |
88 | const struct key *keyring); |
89 | |
90 | /* |
91 | * The payload is at the discretion of the subtype. |
92 | */ |
93 | |
94 | #endif /* _KEYS_ASYMMETRIC_TYPE_H */ |
95 | |