[crypto] Use private data field for public-key algorithms

Following the example of commit 25072c1 ("[crypto] Use private data
field for key exchange algorithms"), extend the definition of a
public-key algorithm to include an opaque private data field, and use
this to eliminate the wrapper functions for PKCS#1 and RSA-PSS.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown
2026-06-19 14:53:03 +01:00
parent 2420211e7f
commit 846686325c
4 changed files with 89 additions and 107 deletions
+15 -4
View File
@@ -104,36 +104,47 @@ struct cipher_algorithm cipher_null = {
.auth = cipher_null_auth,
};
int pubkey_null_encrypt ( const struct asn1_cursor *key __unused,
int pubkey_null_encrypt ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key __unused,
const struct asn1_cursor *plaintext __unused,
struct asn1_builder *ciphertext __unused ) {
return -ENOTTY;
}
int pubkey_null_decrypt ( const struct asn1_cursor *key __unused,
int pubkey_null_decrypt ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key __unused,
const struct asn1_cursor *ciphertext __unused,
struct asn1_builder *plaintext __unused ) {
return -ENOTTY;
}
int pubkey_null_sign ( const struct asn1_cursor *key __unused,
int pubkey_null_sign ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key __unused,
struct digest_algorithm *digest __unused,
const void *value __unused,
struct asn1_builder *signature __unused ) {
return -ENOTTY;
}
int pubkey_null_verify ( const struct asn1_cursor *key __unused,
int pubkey_null_verify ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key __unused,
struct digest_algorithm *digest __unused,
const void *value __unused,
const struct asn1_cursor *signature __unused ) {
return -ENOTTY;
}
int pubkey_null_match ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *private_key __unused,
const struct asn1_cursor *public_key __unused ) {
return -ENOTTY;
}
struct pubkey_algorithm pubkey_null = {
.name = "null",
.encrypt = pubkey_null_encrypt,
.decrypt = pubkey_null_decrypt,
.sign = pubkey_null_sign,
.verify = pubkey_null_verify,
.match = pubkey_null_match,
};
+16 -10
View File
@@ -768,13 +768,15 @@ static int ecdsa_verify_rs ( struct ecdsa_context *ctx ) {
/**
* Sign digest value using ECDSA
*
* @v pubkey Public-key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int ecdsa_sign ( const struct asn1_cursor *key,
static int ecdsa_sign ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *signature ) {
struct ecdsa_context ctx;
@@ -824,13 +826,15 @@ static int ecdsa_sign ( const struct asn1_cursor *key,
/**
* Verify signed digest using ECDSA
*
* @v pubkey Public-key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int ecdsa_verify ( const struct asn1_cursor *key,
static int ecdsa_verify ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
const struct asn1_cursor *signature ) {
struct ecdsa_context ctx;
@@ -872,30 +876,32 @@ static int ecdsa_verify ( const struct asn1_cursor *key,
/**
* Check for matching ECDSA public/private key pair
*
* @v pubkey Public-key algorithm
* @v private_key Private key
* @v public_key Public key
* @ret rc Return status code
*/
static int ecdsa_match ( const struct asn1_cursor *private_key,
static int ecdsa_match ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *private_key,
const struct asn1_cursor *public_key ) {
struct elliptic_curve *curve;
struct ecdsa_key privkey;
struct ecdsa_key pubkey;
struct ecdsa_key private;
struct ecdsa_key public;
int rc;
/* Parse keys */
if ( ( rc = ecdsa_parse_key ( &privkey, private_key ) ) != 0 )
if ( ( rc = ecdsa_parse_key ( &private, private_key ) ) != 0 )
return rc;
if ( ( rc = ecdsa_parse_key ( &pubkey, public_key ) ) != 0 )
if ( ( rc = ecdsa_parse_key ( &public, public_key ) ) != 0 )
return rc;
/* Compare curves */
if ( privkey.curve != pubkey.curve )
if ( private.curve != public.curve )
return -ENOTTY;
curve = privkey.curve;
curve = private.curve;
/* Compare public curve points */
if ( memcmp ( privkey.public, pubkey.public, curve->pointsize ) != 0 )
if ( memcmp ( private.public, public.public, curve->pointsize ) != 0 )
return -ENOTTY;
return 0;
+25 -79
View File
@@ -323,12 +323,14 @@ static void rsa_cipher ( struct rsa_context *context,
/**
* Encrypt using RSA PKCS#1
*
* @v pubkey Public-key algorithm
* @v key Key
* @v plaintext Plaintext
* @v ciphertext Ciphertext
* @ret ciphertext_len Length of ciphertext, or negative error
*/
static int rsa_pkcs1_encrypt ( const struct asn1_cursor *key,
static int rsa_pkcs1_encrypt ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key,
const struct asn1_cursor *plaintext,
struct asn1_builder *ciphertext ) {
struct rsa_context context;
@@ -400,12 +402,14 @@ static int rsa_pkcs1_encrypt ( const struct asn1_cursor *key,
/**
* Decrypt using RSA PKCS#1
*
* @v pubkey Public-key algorithm
* @v key Key
* @v ciphertext Ciphertext
* @v plaintext Plaintext
* @ret rc Return status code
*/
static int rsa_pkcs1_decrypt ( const struct asn1_cursor *key,
static int rsa_pkcs1_decrypt ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *key,
const struct asn1_cursor *ciphertext,
struct asn1_builder *plaintext ) {
struct rsa_context context;
@@ -667,16 +671,18 @@ static int rsa_pss_encode ( struct rsa_context *context,
/**
* Sign digest value using RSA
*
* @v pubkey Public-key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @v encode Encoding method
* @ret rc Return status code
*/
static int rsa_sign ( const struct asn1_cursor *key,
static int rsa_sign ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *signature, rsa_encode_t *encode ) {
struct asn1_builder *signature ) {
rsa_encode_t *encode = pubkey->priv;
struct rsa_context context;
int rc;
@@ -717,17 +723,18 @@ static int rsa_sign ( const struct asn1_cursor *key,
/**
* Verify signed digest value using RSA
*
* @v pubkey Public-key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @v encoding Encoding method
* @ret rc Return status code
*/
static int rsa_verify ( const struct asn1_cursor *key,
static int rsa_verify ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
const struct asn1_cursor *signature,
rsa_encode_t *encode ) {
const struct asn1_cursor *signature ) {
rsa_encode_t *encode = pubkey->priv;
struct rsa_context context;
void *temp;
void *expected;
@@ -792,79 +799,16 @@ static int rsa_verify ( const struct asn1_cursor *key,
return rc;
}
/**
* Sign digest value using RSA PKCS#1
*
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int rsa_pkcs1_sign ( const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *signature ) {
return rsa_sign ( key, digest, value, signature, rsa_pkcs1_encode );
}
/**
* Verify signed digest value using RSA PKCS#1
*
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int rsa_pkcs1_verify ( const struct asn1_cursor *key,
struct digest_algorithm *digest,
const void *value,
const struct asn1_cursor *signature ) {
return rsa_verify ( key, digest, value, signature, rsa_pkcs1_encode );
}
/**
* Sign digest value using RSA PSS
*
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int rsa_pss_sign ( const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *signature ) {
return rsa_sign ( key, digest, value, signature, rsa_pss_encode );
}
/**
* Verify signed digest value using RSA PSS
*
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
static int rsa_pss_verify ( const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
const struct asn1_cursor *signature ) {
return rsa_verify ( key, digest, value, signature, rsa_pss_encode );
}
/**
* Check for matching RSA public/private key pair
*
* @v pubkey Public-key algorithm
* @v private_key Private key
* @v public_key Public key
* @ret rc Return status code
*/
static int rsa_match ( const struct asn1_cursor *private_key,
static int rsa_match ( struct pubkey_algorithm *pubkey __unused,
const struct asn1_cursor *private_key,
const struct asn1_cursor *public_key ) {
struct asn1_cursor private_modulus;
struct asn1_cursor private_exponent;
@@ -892,9 +836,10 @@ struct pubkey_algorithm rsa_algorithm = {
.name = "rsa",
.encrypt = rsa_pkcs1_encrypt,
.decrypt = rsa_pkcs1_decrypt,
.sign = rsa_pkcs1_sign,
.verify = rsa_pkcs1_verify,
.sign = rsa_sign,
.verify = rsa_verify,
.match = rsa_match,
.priv = rsa_pkcs1_encode,
};
/** RSA-PSS public-key algorithm */
@@ -902,9 +847,10 @@ struct pubkey_algorithm rsa_pss_algorithm = {
.name = "rsa_pss",
.encrypt = pubkey_null_encrypt,
.decrypt = pubkey_null_decrypt,
.sign = rsa_pss_sign,
.verify = rsa_pss_verify,
.sign = rsa_sign,
.verify = rsa_verify,
.match = rsa_match,
.priv = rsa_pss_encode,
};
/* Drag in objects via rsa_algorithm */
+33 -14
View File
@@ -142,54 +142,66 @@ struct pubkey_algorithm {
const char *name;
/** Encrypt
*
* @v pubkey Public key algorithm
* @v key Key
* @v plaintext Plaintext
* @v ciphertext Ciphertext
* @ret rc Return status code
*/
int ( * encrypt ) ( const struct asn1_cursor *key,
int ( * encrypt ) ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
const struct asn1_cursor *plaintext,
struct asn1_builder *ciphertext );
/** Decrypt
*
* @v pubkey Public key algorithm
* @v key Key
* @v ciphertext Ciphertext
* @v plaintext Plaintext
* @ret rc Return status code
*/
int ( * decrypt ) ( const struct asn1_cursor *key,
int ( * decrypt ) ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
const struct asn1_cursor *ciphertext,
struct asn1_builder *plaintext );
/** Sign digest value
*
* @v pubkey Public key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
int ( * sign ) ( const struct asn1_cursor *key,
int ( * sign ) ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *builder );
/** Verify signed digest value
*
* @v pubkey Public key algorithm
* @v key Key
* @v digest Digest algorithm
* @v value Digest value
* @v signature Signature
* @ret rc Return status code
*/
int ( * verify ) ( const struct asn1_cursor *key,
int ( * verify ) ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
const struct asn1_cursor *signature );
/** Check that public key matches private key
*
* @v pubkey Public key algorithm
* @v private_key Private key
* @v public_key Public key
* @ret rc Return status code
*/
int ( * match ) ( const struct asn1_cursor *private_key,
int ( * match ) ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *private_key,
const struct asn1_cursor *public_key );
/** Algorithm private data */
void *priv;
};
/** A key exchange algorithm */
@@ -347,35 +359,35 @@ static inline __attribute__ (( always_inline )) int
pubkey_encrypt ( struct pubkey_algorithm *pubkey, const struct asn1_cursor *key,
const struct asn1_cursor *plaintext,
struct asn1_builder *ciphertext ) {
return pubkey->encrypt ( key, plaintext, ciphertext );
return pubkey->encrypt ( pubkey, key, plaintext, ciphertext );
}
static inline __attribute__ (( always_inline )) int
pubkey_decrypt ( struct pubkey_algorithm *pubkey, const struct asn1_cursor *key,
const struct asn1_cursor *ciphertext,
struct asn1_builder *plaintext ) {
return pubkey->decrypt ( key, ciphertext, plaintext );
return pubkey->decrypt ( pubkey, key, ciphertext, plaintext );
}
static inline __attribute__ (( always_inline )) int
pubkey_sign ( struct pubkey_algorithm *pubkey, const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
struct asn1_builder *signature ) {
return pubkey->sign ( key, digest, value, signature );
return pubkey->sign ( pubkey, key, digest, value, signature );
}
static inline __attribute__ (( always_inline )) int
pubkey_verify ( struct pubkey_algorithm *pubkey, const struct asn1_cursor *key,
struct digest_algorithm *digest, const void *value,
const struct asn1_cursor *signature ) {
return pubkey->verify ( key, digest, value, signature );
return pubkey->verify ( pubkey, key, digest, value, signature );
}
static inline __attribute__ (( always_inline )) int
pubkey_match ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *private_key,
const struct asn1_cursor *public_key ) {
return pubkey->match ( private_key, public_key );
return pubkey->match ( pubkey, private_key, public_key );
}
static inline __attribute__ (( always_inline )) void
@@ -424,20 +436,27 @@ extern void cipher_null_decrypt ( struct cipher_algorithm *cipher, void *ctx,
extern void cipher_null_auth ( struct cipher_algorithm *cipher, void *ctx,
void *auth );
extern int pubkey_null_encrypt ( const struct asn1_cursor *key,
extern int pubkey_null_encrypt ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
const struct asn1_cursor *plaintext,
struct asn1_builder *ciphertext );
extern int pubkey_null_decrypt ( const struct asn1_cursor *key,
extern int pubkey_null_decrypt ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
const struct asn1_cursor *ciphertext,
struct asn1_builder *plaintext );
extern int pubkey_null_sign ( const struct asn1_cursor *key,
extern int pubkey_null_sign ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest,
const void *value,
struct asn1_builder *signature );
extern int pubkey_null_verify ( const struct asn1_cursor *key,
extern int pubkey_null_verify ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *key,
struct digest_algorithm *digest,
const void *value,
const struct asn1_cursor *signature );
extern int pubkey_null_match ( struct pubkey_algorithm *pubkey,
const struct asn1_cursor *private_key,
const struct asn1_cursor *public_key );
extern struct digest_algorithm digest_null;
extern struct cipher_algorithm cipher_null;