// SPDX-License-Identifier: GPL-2.0-or-later /* Signature verification with an asymmetric key * * See Documentation/crypto/asymmetric-keys.rst * * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) */ #define pr_fmt(fmt) "SIG: "fmt #include <keys/asymmetric-subtype.h> #include <linux/export.h> #include <linux/err.h> #include <linux/slab.h> #include <linux/keyctl.h> #include <crypto/public_key.h> #include <keys/user-type.h> #include "asymmetric_keys.h" /* * Destroy a public key signature. */ void public_key_signature_free(struct public_key_signature *sig) { int i; if (sig) { for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++) kfree(sig->auth_ids[i]); kfree(sig->s); kfree(sig->digest); kfree(sig); } } EXPORT_SYMBOL_GPL(public_key_signature_free); /** * query_asymmetric_key - Get information about an asymmetric key. * @params: Various parameters. * @info: Where to put the information. */ int query_asymmetric_key(const struct kernel_pkey_params *params, struct kernel_pkey_query *info) { const struct asymmetric_key_subtype *subtype; struct key *key = params->key; int ret; pr_devel("==>%s()\n", __func__); if (key->type != &key_type_asymmetric) return -EINVAL; subtype = asymmetric_key_subtype(key); if (!subtype || !key->payload.data[0]) return -EINVAL; if (!subtype->query) return -ENOTSUPP; ret = subtype->query(params, info); pr_devel("<==%s() = %d\n", __func__, ret); return ret; } EXPORT_SYMBOL_GPL(query_asymmetric_key); /** * encrypt_blob - Encrypt data using an asymmetric key * @params: Various parameters * @data: Data blob to be encrypted, length params->data_len * @enc: Encrypted data buffer, length params->enc_len * * Encrypt the specified data blob using the private key specified by * params->key. The encrypted data is wrapped in an encoding if * params->encoding is specified (eg. "pkcs1"). * * Returns the length of the data placed in the encrypted data buffer or an * error. */ int encrypt_blob(struct kernel_pkey_params *params, const void *data, void *enc) { params->op = kernel_pkey_encrypt; return asymmetric_key_eds_op(params, data, enc); } EXPORT_SYMBOL_GPL(encrypt_blob); /** * decrypt_blob - Decrypt data using an asymmetric key * @params: Various parameters * @enc: Encrypted data to be decrypted, length params->enc_len * @data: Decrypted data buffer, length params->data_len * * Decrypt the specified data blob using the private key specified by * params->key. The decrypted data is wrapped in an encoding if * params->encoding is specified (eg. "pkcs1"). * * Returns the length of the data placed in the decrypted data buffer or an * error. */ int decrypt_blob(struct kernel_pkey_params *params, const void *enc, void *data) { params->op = kernel_pkey_decrypt; return asymmetric_key_eds_op(params, enc, data); } EXPORT_SYMBOL_GPL(decrypt_blob); /** * create_signature - Sign some data using an asymmetric key * @params: Various parameters * @data: Data blob to be signed, length params->data_len * @enc: Signature buffer, length params->enc_len * * Sign the specified data blob using the private key specified by params->key. * The signature is wrapped in an encoding if params->encoding is specified * (eg. "pkcs1"). If the encoding needs to know the digest type, this can be * passed through params->hash_algo (eg. "sha1"). * * Returns the length of the data placed in the signature buffer or an error. */ int create_signature(struct kernel_pkey_params *params, const void *data, void *enc) { params->op = kernel_pkey_sign; return asymmetric_key_eds_op(params, data, enc); } EXPORT_SYMBOL_GPL(create_signature); /** * verify_signature - Initiate the use of an asymmetric key to verify a signature * @key: The asymmetric key to verify against * @sig: The signature to check * * Returns 0 if successful or else an error. */ int verify_signature(const struct key *key, const struct public_key_signature *sig) { const struct asymmetric_key_subtype *subtype; int ret; pr_devel("==>%s()\n", __func__); if (key->type != &key_type_asymmetric) return -EINVAL; subtype = asymmetric_key_subtype(key); if (!subtype || !key->payload.data[0]) return -EINVAL; if (!subtype->verify_signature) return -ENOTSUPP; ret = subtype->verify_signature(key, sig); pr_devel("<==%s() = %d\n", __func__, ret); return ret; } EXPORT_SYMBOL_GPL