[thirdparty/u-boot.git] / include / keys / asymmetric-type.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Asymmetric Public-key cryptography key type interface
 *
 * See Documentation/crypto/asymmetric-keys.txt
 *
 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_ASYMMETRIC_TYPE_H
#define _KEYS_ASYMMETRIC_TYPE_H

#ifndef __UBOOT__
#include <linux/key-type.h>
#include <linux/verification.h>

extern struct key_type key_type_asymmetric;

/*
 * The key payload is four words.  The asymmetric-type key uses them as
 * follows:
 */
enum asymmetric_payload_bits {
	asym_crypto,		/* The data representing the key */
	asym_subtype,		/* Pointer to an asymmetric_key_subtype struct */
	asym_key_ids,		/* Pointer to an asymmetric_key_ids struct */
	asym_auth		/* The key's authorisation (signature, parent key ID) */
};
#endif /* !__UBOOT__ */

/*
 * Identifiers for an asymmetric key ID.  We have three ways of looking up a
 * key derived from an X.509 certificate:
 *
 * (1) Serial Number & Issuer.  Non-optional.  This is the only valid way to
 *     map a PKCS#7 signature to an X.509 certificate.
 *
 * (2) Issuer & Subject Unique IDs.  Optional.  These were the original way to
 *     match X.509 certificates, but have fallen into disuse in favour of (3).
 *
 * (3) Auth & Subject Key Identifiers.  Optional.  SKIDs are only provided on
 *     CA keys that are intended to sign other keys, so don't appear in end
 *     user certificates unless forced.
 *
 * We could also support an PGP key identifier, which is just a SHA1 sum of the
 * public key and certain parameters, but since we don't support PGP keys at
 * the moment, we shall ignore those.
 *
 * What we actually do is provide a place where binary identifiers can be
 * stashed and then compare against them when checking for an id match.
 */
struct asymmetric_key_id {
	unsigned short	len;
	unsigned char	data[];
};

struct asymmetric_key_ids {
	void		*id[2];
};

extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
				   const struct asymmetric_key_id *kid2);

extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
				      const struct asymmetric_key_id *kid2);

extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
							    size_t len_1,
							    const void *val_2,
							    size_t len_2);
#ifndef __UBOOT__
static inline
const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
{
	return key->payload.data[asym_key_ids];
}

extern struct key *find_asymmetric_key(struct key *keyring,
				       const struct asymmetric_key_id *id_0,
				       const struct asymmetric_key_id *id_1,
				       bool partial);
#endif

/*
 * The payload is at the discretion of the subtype.
 */

#endif /* _KEYS_ASYMMETRIC_TYPE_H */
Commit	Line	Data
c4e961ec AT	1	/* SPDX-License-Identifier: GPL-2.0-or-later */
	2	/* Asymmetric Public-key cryptography key type interface
	3	*
	4	* See Documentation/crypto/asymmetric-keys.txt
	5	*
	6	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
	7	* Written by David Howells (dhowells@redhat.com)
	8	*/
	9
	10	#ifndef _KEYS_ASYMMETRIC_TYPE_H
	11	#define _KEYS_ASYMMETRIC_TYPE_H
	12
	13	#ifndef __UBOOT__
	14	#include <linux/key-type.h>
	15	#include <linux/verification.h>
	16
	17	extern struct key_type key_type_asymmetric;
	18
	19	/*
	20	* The key payload is four words. The asymmetric-type key uses them as
	21	* follows:
	22	*/
	23	enum asymmetric_payload_bits {
	24	asym_crypto, /* The data representing the key */
	25	asym_subtype, /* Pointer to an asymmetric_key_subtype struct */
	26	asym_key_ids, /* Pointer to an asymmetric_key_ids struct */
	27	asym_auth /* The key's authorisation (signature, parent key ID) */
	28	};
	29	#endif /* !__UBOOT__ */
	30
	31	/*
	32	* Identifiers for an asymmetric key ID. We have three ways of looking up a
	33	* key derived from an X.509 certificate:
	34	*
	35	* (1) Serial Number & Issuer. Non-optional. This is the only valid way to
	36	* map a PKCS#7 signature to an X.509 certificate.
	37	*
	38	* (2) Issuer & Subject Unique IDs. Optional. These were the original way to
	39	* match X.509 certificates, but have fallen into disuse in favour of (3).
	40	*
	41	* (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on
	42	* CA keys that are intended to sign other keys, so don't appear in end
	43	* user certificates unless forced.
	44	*
	45	* We could also support an PGP key identifier, which is just a SHA1 sum of the
	46	* public key and certain parameters, but since we don't support PGP keys at
	47	* the moment, we shall ignore those.
	48	*
	49	* What we actually do is provide a place where binary identifiers can be
	50	* stashed and then compare against them when checking for an id match.
	51	*/
	52	struct asymmetric_key_id {
	53	unsigned short len;
	54	unsigned char data[];
	55	};
	56
	57	struct asymmetric_key_ids {
	58	void *id[2];
	59	};
	60
	61	extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
	62	const struct asymmetric_key_id *kid2);
	63
	64	extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
65	const struct asymmetric_key_id *kid2);
66
67	extern struct asymmetric_key_id asymmetric_key_generate_id(const void val_1,
68	size_t len_1,
69	const void *val_2,
70	size_t len_2);
71	#ifndef __UBOOT__
72	static inline
73	const struct asymmetric_key_ids asymmetric_key_ids(const struct key key)
74	{
75	return key->payload.data[asym_key_ids];
76	}
77
78	extern struct key find_asymmetric_key(struct key keyring,
79	const struct asymmetric_key_id *id_0,
80	const struct asymmetric_key_id *id_1,
81	bool partial);
82	#endif
83
84	/*
85	* The payload is at the discretion of the subtype.
86	*/
87
88	#endif /* _KEYS_ASYMMETRIC_TYPE_H */