From d14066e924dd553936a8539055f1ea45bdb90603 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Fri, 19 Dec 2025 15:24:47 +0000
Subject: [PATCH] [crypto] Allow ecPublicKey to be identified as a public-key algorithm

Add a public-key algorithm to the definition of the "ecPublicKey" OID-identified algorithm, and move this definition to ecdsa.c to avoid unconditionally dragging in ECDSA support.

Signed-off-by: Michael Brown
---
 src/crypto/asn1.c | 23 ++++++-----------------
 src/crypto/ecdsa.c | 17 ++++++++++++++++-
 src/include/ipxe/asn1.h | 1 +
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/src/crypto/asn1.c b/src/crypto/asn1.c
index 819a8aadb..21029f6f6 100644
--- a/src/crypto/asn1.c
+++ b/src/crypto/asn1.c
@@ -83,19 +83,6 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define EINFO_ENOTTY_ALGORITHM \
 	__einfo_uniqify ( EINFO_ENOTTY, 0x01, "Inappropriate algorithm" )
 
-/** "ecPublicKey" object identifier */
-static uint8_t oid_ecpublickey[] = { ASN1_OID_ECPUBLICKEY };
-
-/** Generic elliptic curve container algorithm
- *
- * The actual curve to be used is identified via the algorithm
- * parameters, rather than the top-level OID.
- */
-struct asn1_algorithm ecpubkey_algorithm __asn1_algorithm = {
-	.name = "ecPublicKey",
-	.oid = ASN1_CURSOR ( oid_ecpublickey ),
-};
-
 /**
  * Start parsing ASN.1 object
  *
@@ -664,22 +651,24 @@ int asn1_signature_algorithm ( const struct asn1_cursor *cursor,
  * Parse ASN.1 OID-identified elliptic curve algorithm
  *
  * @v cursor ASN.1 object cursor
+ * @v wrapper Optional wrapper algorithm, or NULL
  * @ret algorithm Algorithm
  * @ret rc Return status code
  */
 int asn1_curve_algorithm ( const struct asn1_cursor *cursor,
+			   struct asn1_algorithm *wrapper,
 			   struct asn1_algorithm **algorithm ) {
 	struct asn1_cursor curve;
 
 	/* Elliptic curves are identified as either:
 	 *
-	 * - the algorithm "id-ecPublicKey" with the actual curve
-	 * specified in the algorithm parameters, or
+	 * - a wrapper algorithm "id-ecPublicKey" with the actual
+	 * curve specified in the algorithm parameters, or
 	 *
 	 * - a standalone object identifier for the curve
 	 */
-	if ( asn1_check_algorithm ( cursor, &ecpubkey_algorithm,
-				    &curve ) != 0 ) {
+	if ( wrapper && asn1_check_algorithm ( cursor, wrapper,
+					       &curve ) != 0 ) {
 		memcpy ( &curve, cursor, sizeof ( curve ) );
 	}
 
diff --git a/src/crypto/ecdsa.c b/src/crypto/ecdsa.c
index 1e0571c7f..cd06d5578 100644
--- a/src/crypto/ecdsa.c
+++ b/src/crypto/ecdsa.c
@@ -63,6 +63,20 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #define EINFO_EINVAL_SIGNATURE \
 	__einfo_uniqify ( EINFO_EINVAL, 0x05, "Invalid signature" )
 
+/** "ecPublicKey" object identifier */
+static uint8_t oid_ecpublickey[] = { ASN1_OID_ECPUBLICKEY };
+
+/** Generic elliptic curve container algorithm
+ *
+ * The actual curve to be used is identified via the algorithm
+ * parameters, rather than the top-level OID.
+ */
+struct asn1_algorithm ecpubkey_algorithm __asn1_algorithm = {
+	.name = "ecPublicKey",
+	.oid = ASN1_CURSOR ( oid_ecpublickey ),
+	.pubkey = &ecdsa_algorithm,
+};
+
 /** An ECDSA key */
 struct ecdsa_key {
 	/** Elliptic curve */
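Review bot: The new `wrapper &&` short-circuit in asn1_curve_algorithm means a NULL wrapper silently disables the id-ecPublicKey path, so a SubjectPublicKeyInfo AlgorithmIdentifier passed with wrapper == NULL is handed unchanged to the curve lookup as if it were a bare curve OID; the `@v wrapper` line should make that contract explicit, e.g. `@v wrapper Optional wrapper algorithm (e.g. ecPublicKey), or NULL to accept only a standalone curve OID`. How a matched wrapper whose parameters are absent or empty is treated depends on the curve lookup that follows the memcpy, which lies outside this hunk, as does the rest of the function body.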
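Review bot: With `.pubkey = &ecdsa_algorithm` in the ecdsa.c hunk, every key whose AlgorithmIdentifier is id-ecPublicKey now resolves to an ECDSA public key, but the comment above the table entry still describes it only as a curve container; it should state the binding, e.g. `* Keys identified by this OID are handled as ECDSA public keys; the curve itself is taken from the algorithm parameters.` The same OID is also used for EC keys intended for key agreement rather than signing, so whether a particular key may legitimately verify a signature still rests on the certificate's key-usage checks elsewhere, not on this table entry.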
@@ -197,7 +211,8 @@ static int ecdsa_parse_key ( struct ecdsa_key *key,
 	asn1_enter_bits ( &cursor, NULL );
 
 	/* Identify curve */
-	if ( ( rc = asn1_curve_algorithm ( &curve, &algorithm ) ) != 0 ) {
+	if ( ( rc = asn1_curve_algorithm ( &curve, &ecpubkey_algorithm,
+					   &algorithm ) ) != 0 ) {
 		DBGC ( key, "ECDSA %p unknown curve: %s\n",
 		       key, strerror ( rc ) );
 		DBGC_HDA ( key, 0, raw->data, raw->len );
diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h
index 914d42f57..086e9873a 100644
--- a/src/include/ipxe/asn1.h
+++ b/src/include/ipxe/asn1.h
@@ -506,6 +506,7 @@ extern int asn1_cipher_algorithm ( const struct asn1_cursor *cursor,
 extern int asn1_signature_algorithm ( const struct asn1_cursor *cursor,
 				      struct asn1_algorithm **algorithm );
 extern int asn1_curve_algorithm ( const struct asn1_cursor *cursor,
+				  struct asn1_algorithm *wrapper,
 				  struct asn1_algorithm **algorithm );
 extern int asn1_check_algorithm ( const struct asn1_cursor *cursor,
 				  struct asn1_algorithm *expected,