[crypto] Pass asymmetric keys as ASN.1 cursors

Asymmetric keys are invariably encountered within ASN.1 structures such as X.509 certificates, and the various large integers within an RSA key are themselves encoded using ASN.1. Simplify all code handling asymmetric keys by passing keys as a single ASN.1 cursor, rather than separate data and length pointers. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-02-11 13:49:51 +03:00 · 2024-08-18 10:43:52 +01:00
parent 950f6b5861
commit 53f089b723
10 changed files with 74 additions and 112 deletions
--- a/src/crypto/cms.c
+++ b/src/crypto/cms.c
@@ -621,8 +621,7 @@ static int cms_verify_digest ( struct cms_message *cms,
 	cms_digest ( cms, part, data, len, digest_out );

 	/* Initialise public-key algorithm */
-	if ( ( rc = pubkey_init ( pubkey, ctx, public_key->raw.data,
-				  public_key->raw.len ) ) != 0 ) {
+	if ( ( rc = pubkey_init ( pubkey, ctx, &public_key->raw ) ) != 0 ) {
 		DBGC ( cms, "CMS %p/%p could not initialise public key: %s\n",
 		       cms, part, strerror ( rc ) );
 		goto err_init;
--- a/src/crypto/crypto_null.c
+++ b/src/crypto/crypto_null.c
@@ -93,8 +93,8 @@ struct cipher_algorithm cipher_null = {
 	.auth = cipher_null_auth,
 };

-int pubkey_null_init ( void *ctx __unused, const void *key __unused,
-		       size_t key_len __unused ) {
+int pubkey_null_init ( void *ctx __unused,
+		       const struct asn1_cursor *key __unused ) {
 	return 0;
 }

--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -857,8 +857,8 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
 	digest_final ( digest, digest_ctx, digest_out );

 	/* Initialise public-key algorithm */
-	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
-				  public_key->raw.len ) ) != 0 ) {
+	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx,
+				  &public_key->raw ) ) != 0 ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" could not initialise public key: "
 		       "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
 		goto err_init;
--- a/src/crypto/rsa.c
+++ b/src/crypto/rsa.c
@@ -233,27 +233,21 @@ static int rsa_parse_mod_exp ( struct asn1_cursor *modulus,
 *
 * @v ctx		RSA context
 * @v key		Key
- * @v key_len		Length of key
 * @ret rc		Return status code
 */
-static int rsa_init ( void *ctx, const void *key, size_t key_len ) {
+static int rsa_init ( void *ctx, const struct asn1_cursor *key ) {
 	struct rsa_context *context = ctx;
 	struct asn1_cursor modulus;
 	struct asn1_cursor exponent;
-	struct asn1_cursor cursor;
 	int rc;

 	/* Initialise context */
 	memset ( context, 0, sizeof ( *context ) );

-	/* Initialise cursor */
-	cursor.data = key;
-	cursor.len = key_len;
-
 	/* Parse modulus and exponent */
-	if ( ( rc = rsa_parse_mod_exp ( &modulus, &exponent, &cursor ) ) != 0 ){
+	if ( ( rc = rsa_parse_mod_exp ( &modulus, &exponent, key ) ) != 0 ){
 		DBGC ( context, "RSA %p invalid modulus/exponent:\n", context );
-		DBGC_HDA ( context, 0, cursor.data, cursor.len );
+		DBGC_HDA ( context, 0, key->data, key->len );
 		goto err_parse;
 	}

@@ -592,33 +586,23 @@ static void rsa_final ( void *ctx ) {
 * Check for matching RSA public/private key pair
 *
 * @v private_key	Private key
- * @v private_key_len	Private key length
 * @v public_key	Public key
- * @v public_key_len	Public key length
 * @ret rc		Return status code
 */
-static int rsa_match ( const void *private_key, size_t private_key_len,
-		       const void *public_key, size_t public_key_len ) {
+static int rsa_match ( const struct asn1_cursor *private_key,
+		       const struct asn1_cursor *public_key ) {
 	struct asn1_cursor private_modulus;
 	struct asn1_cursor private_exponent;
-	struct asn1_cursor private_cursor;
 	struct asn1_cursor public_modulus;
 	struct asn1_cursor public_exponent;
-	struct asn1_cursor public_cursor;
 	int rc;

-	/* Initialise cursors */
-	private_cursor.data = private_key;
-	private_cursor.len = private_key_len;
-	public_cursor.data = public_key;
-	public_cursor.len = public_key_len;
-
 	/* Parse moduli and exponents */
 	if ( ( rc = rsa_parse_mod_exp ( &private_modulus, &private_exponent,
-					&private_cursor ) ) != 0 )
+					private_key ) ) != 0 )
 		return rc;
 	if ( ( rc = rsa_parse_mod_exp ( &public_modulus, &public_exponent,
-					&public_cursor ) ) != 0 )
+					public_key ) ) != 0 )
 		return rc;

 	/* Compare moduli */
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -1149,8 +1149,8 @@ static int x509_check_signature ( struct x509_certificate *cert,
 	}

 	/* Verify signature using signer's public key */
-	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
-				  public_key->raw.len ) ) != 0 ) {
+	if ( ( rc = pubkey_init ( pubkey, pubkey_ctx,
+				  &public_key->raw ) ) != 0 ) {
 		DBGC ( cert, "X509 %p \"%s\" cannot initialise public key: "
 		       "%s\n", cert, x509_name ( cert ), strerror ( rc ) );
 		goto err_pubkey_init;
@@ -1842,9 +1842,8 @@ struct x509_certificate * x509_find_key ( struct x509_chain *store,
 		/* Check public key */
 		cert = link->cert;
 		if ( pubkey_match ( cert->signature_algorithm->pubkey,
-				    key->builder.data, key->builder.len,
-				    cert->subject.public_key.raw.data,
-				    cert->subject.public_key.raw.len ) == 0 )
+				    privkey_cursor ( key ),
+				    &cert->subject.public_key.raw ) == 0 )
 			return x509_found ( store, cert );
 	}