include/keys/asymmetric-type.h

0001 /* SPDX-License-Identifier: GPL-2.0-or-later */
0002 /* Asymmetric Public-key cryptography key type interface
0003  *
0004  * See Documentation/crypto/asymmetric-keys.rst
0005  *
0006  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
0007  * Written by David Howells (dhowells@redhat.com)
0008  */
0009
0010 #ifndef _KEYS_ASYMMETRIC_TYPE_H
0011 #define _KEYS_ASYMMETRIC_TYPE_H
0012
0013 #include <linux/key-type.h>
0014 #include <linux/verification.h>
0015
0016 extern struct key_type key_type_asymmetric;
0017
0018 /*
0019  * The key payload is four words.  The asymmetric-type key uses them as
0020  * follows:
0021  */
0022 enum asymmetric_payload_bits {
0023     asym_crypto,        /* The data representing the key */
0024     asym_subtype,       /* Pointer to an asymmetric_key_subtype struct */
0025     asym_key_ids,       /* Pointer to an asymmetric_key_ids struct */
0026     asym_auth       /* The key's authorisation (signature, parent key ID) */
0027 };
0028
0029 /*
0030  * Identifiers for an asymmetric key ID.  We have three ways of looking up a
0031  * key derived from an X.509 certificate:
0032  *
0033  * (1) Serial Number & Issuer.  Non-optional.  This is the only valid way to
0034  *     map a PKCS#7 signature to an X.509 certificate.
0035  *
0036  * (2) Issuer & Subject Unique IDs.  Optional.  These were the original way to
0037  *     match X.509 certificates, but have fallen into disuse in favour of (3).
0038  *
0039  * (3) Auth & Subject Key Identifiers.  Optional.  SKIDs are only provided on
0040  *     CA keys that are intended to sign other keys, so don't appear in end
0041  *     user certificates unless forced.
0042  *
0043  * We could also support an PGP key identifier, which is just a SHA1 sum of the
0044  * public key and certain parameters, but since we don't support PGP keys at
0045  * the moment, we shall ignore those.
0046  *
0047  * What we actually do is provide a place where binary identifiers can be
0048  * stashed and then compare against them when checking for an id match.
0049  */
0050 struct asymmetric_key_id {
0051     unsigned short  len;
0052     unsigned char   data[];
0053 };
0054
0055 struct asymmetric_key_ids {
0056     void        *id[3];
0057 };
0058
0059 extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
0060                    const struct asymmetric_key_id *kid2);
0061
0062 extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
0063                       const struct asymmetric_key_id *kid2);
0064
0065 extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
0066                                 size_t len_1,
0067                                 const void *val_2,
0068                                 size_t len_2);
0069 static inline
0070 const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
0071 {
0072     return key->payload.data[asym_key_ids];
0073 }
0074
0075 static inline
0076 const struct public_key *asymmetric_key_public_key(const struct key *key)
0077 {
0078     return key->payload.data[asym_crypto];
0079 }
0080
0081 extern struct key *find_asymmetric_key(struct key *keyring,
0082                        const struct asymmetric_key_id *id_0,
0083                        const struct asymmetric_key_id *id_1,
0084                        const struct asymmetric_key_id *id_2,
0085                        bool partial);
0086
0087 int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size,
0088                    const struct key *keyring);
0089
0090 /*
0091  * The payload is at the discretion of the subtype.
0092  */
0093
0094 #endif /* _KEYS_ASYMMETRIC_TYPE_H */