[mirror_ubuntu-focal-kernel.git] / include / keys / asymmetric-type.h

/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Asymmetric Public-key cryptography key type interface
 *
 * See Documentation/crypto/asymmetric-keys.txt
 *
 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _KEYS_ASYMMETRIC_TYPE_H
#define _KEYS_ASYMMETRIC_TYPE_H

#include <linux/key-type.h>
#include <linux/verification.h>

extern struct key_type key_type_asymmetric;

/*
 * The key payload is four words.  The asymmetric-type key uses them as
 * follows:
 */
enum asymmetric_payload_bits {
	asym_crypto,		/* The data representing the key */
	asym_subtype,		/* Pointer to an asymmetric_key_subtype struct */
	asym_key_ids,		/* Pointer to an asymmetric_key_ids struct */
	asym_auth		/* The key's authorisation (signature, parent key ID) */
};

/*
 * Identifiers for an asymmetric key ID.  We have three ways of looking up a
 * key derived from an X.509 certificate:
 *
 * (1) Serial Number & Issuer.  Non-optional.  This is the only valid way to
 *     map a PKCS#7 signature to an X.509 certificate.
 *
 * (2) Issuer & Subject Unique IDs.  Optional.  These were the original way to
 *     match X.509 certificates, but have fallen into disuse in favour of (3).
 *
 * (3) Auth & Subject Key Identifiers.  Optional.  SKIDs are only provided on
 *     CA keys that are intended to sign other keys, so don't appear in end
 *     user certificates unless forced.
 *
 * We could also support an PGP key identifier, which is just a SHA1 sum of the
 * public key and certain parameters, but since we don't support PGP keys at
 * the moment, we shall ignore those.
 *
 * What we actually do is provide a place where binary identifiers can be
 * stashed and then compare against them when checking for an id match.
 */
struct asymmetric_key_id {
	unsigned short	len;
	unsigned char	data[];
};

struct asymmetric_key_ids {
	void		*id[2];
};

extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
				   const struct asymmetric_key_id *kid2);

extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
				      const struct asymmetric_key_id *kid2);

extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
							    size_t len_1,
							    const void *val_2,
							    size_t len_2);
static inline
const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
{
	return key->payload.data[asym_key_ids];
}

extern struct key *find_asymmetric_key(struct key *keyring,
				       const struct asymmetric_key_id *id_0,
				       const struct asymmetric_key_id *id_1,
				       bool partial);

/*
 * The payload is at the discretion of the subtype.
 */

#endif /* _KEYS_ASYMMETRIC_TYPE_H */
Commit	Line	Data
b4d0d230	1	/* SPDX-License-Identifier: GPL-2.0-or-later */
964f3b3b DH	2	/* Asymmetric Public-key cryptography key type interface
964f3b3b DH	3	*
5fb94e9c	4	* See Documentation/crypto/asymmetric-keys.txt
964f3b3b DH	5	*
	6	* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
	7	* Written by David Howells (dhowells@redhat.com)
964f3b3b DH	8	*/
	9
	10	#ifndef _KEYS_ASYMMETRIC_TYPE_H
	11	#define _KEYS_ASYMMETRIC_TYPE_H
	12
	13	#include <linux/key-type.h>
e68503bd	14	#include <linux/verification.h>
964f3b3b DH	15
	16	extern struct key_type key_type_asymmetric;
	17
146aa8b1 DH	18	/*
	19	* The key payload is four words. The asymmetric-type key uses them as
	20	* follows:
	21	*/
	22	enum asymmetric_payload_bits {
3b764563 DH	23	asym_crypto, /* The data representing the key */
	24	asym_subtype, /* Pointer to an asymmetric_key_subtype struct */
	25	asym_key_ids, /* Pointer to an asymmetric_key_ids struct */
	26	asym_auth /* The key's authorisation (signature, parent key ID) */
146aa8b1 DH	27	};
146aa8b1 DH	28
7901c1a8 DH	29	/*
	30	* Identifiers for an asymmetric key ID. We have three ways of looking up a
	31	* key derived from an X.509 certificate:
	32	*
	33	* (1) Serial Number & Issuer. Non-optional. This is the only valid way to
	34	* map a PKCS#7 signature to an X.509 certificate.
	35	*
	36	* (2) Issuer & Subject Unique IDs. Optional. These were the original way to
	37	* match X.509 certificates, but have fallen into disuse in favour of (3).
	38	*
	39	* (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on
	40	* CA keys that are intended to sign other keys, so don't appear in end
	41	* user certificates unless forced.
	42	*
	43	* We could also support an PGP key identifier, which is just a SHA1 sum of the
	44	* public key and certain parameters, but since we don't support PGP keys at
	45	* the moment, we shall ignore those.
	46	*
	47	* What we actually do is provide a place where binary identifiers can be
	48	* stashed and then compare against them when checking for an id match.
	49	*/
	50	struct asymmetric_key_id {
	51	unsigned short len;
	52	unsigned char data[];
	53	};
	54
	55	struct asymmetric_key_ids {
	56	void *id[2];
	57	};
	58
	59	extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
	60	const struct asymmetric_key_id *kid2);
	61
f1b731db DK	62	extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
	63	const struct asymmetric_key_id *kid2);
	64
7901c1a8 DH	65	extern struct asymmetric_key_id asymmetric_key_generate_id(const void val_1,
	66	size_t len_1,
	67	const void *val_2,
	68	size_t len_2);
146aa8b1 DH	69	static inline
	70	const struct asymmetric_key_ids asymmetric_key_ids(const struct key key)
	71	{
	72	return key->payload.data[asym_key_ids];
	73	}
7901c1a8	74
9eb02989 DH	75	extern struct key find_asymmetric_key(struct key keyring,
	76	const struct asymmetric_key_id *id_0,
	77	const struct asymmetric_key_id *id_1,
	78	bool partial);
983023f2	79
964f3b3b DH	80	/*
	81	* The payload is at the discretion of the subtype.
	82	*/
	83
	84	#endif /* _KEYS_ASYMMETRIC_TYPE_H */