From d6eeb9039f64d03dc53638a974ca4a76350d5df9 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Fri, 19 Dec 2025 14:43:56 +0000 Subject: [PATCH] [crypto] Add OID-identified algorithms for ECDSA with SHA2 hash family Signed-off-by: Michael Brown --- src/config/config_crypto.c | 20 ++++++++++++ src/config/crypto.h | 3 ++ src/crypto/mishmash/ecdsa_sha224.c | 51 ++++++++++++++++++++++++++++++ src/crypto/mishmash/ecdsa_sha256.c | 51 ++++++++++++++++++++++++++++++ src/crypto/mishmash/ecdsa_sha384.c | 51 ++++++++++++++++++++++++++++++ src/crypto/mishmash/ecdsa_sha512.c | 51 ++++++++++++++++++++++++++++++ src/include/ipxe/asn1.h | 24 ++++++++++++++ src/include/ipxe/tls.h | 1 + 8 files changed, 252 insertions(+) create mode 100644 src/crypto/mishmash/ecdsa_sha224.c create mode 100644 src/crypto/mishmash/ecdsa_sha256.c create mode 100644 src/crypto/mishmash/ecdsa_sha384.c create mode 100644 src/crypto/mishmash/ecdsa_sha512.c diff --git a/src/config/config_crypto.c b/src/config/config_crypto.c index 19d6d032e..c49d8d662 100644 --- a/src/config/config_crypto.c +++ b/src/config/config_crypto.c @@ -215,3 +215,23 @@ REQUIRE_OBJECT ( ecdhe_rsa_aes_gcm_sha256 ); defined ( CRYPTO_CIPHER_AES_GCM ) && defined ( CRYPTO_DIGEST_SHA384 ) REQUIRE_OBJECT ( ecdhe_rsa_aes_gcm_sha384 ); #endif + +/* ECDSA and SHA-224 */ +#if defined ( CRYPTO_PUBKEY_ECDSA ) && defined ( CRYPTO_DIGEST_SHA224 ) +REQUIRE_OBJECT ( ecdsa_sha224 ); +#endif + +/* ECDSA and SHA-256 */ +#if defined ( CRYPTO_PUBKEY_ECDSA ) && defined ( CRYPTO_DIGEST_SHA256 ) +REQUIRE_OBJECT ( ecdsa_sha256 ); +#endif + +/* ECDSA and SHA-384 */ +#if defined ( CRYPTO_PUBKEY_ECDSA ) && defined ( CRYPTO_DIGEST_SHA384 ) +REQUIRE_OBJECT ( ecdsa_sha384 ); +#endif + +/* ECDSA and SHA-512 */ +#if defined ( CRYPTO_PUBKEY_ECDSA ) && defined ( CRYPTO_DIGEST_SHA512 ) +REQUIRE_OBJECT ( ecdsa_sha512 ); +#endif diff --git a/src/config/crypto.h b/src/config/crypto.h index f2ee9fd0d..a0774390b 100644 --- a/src/config/crypto.h +++ b/src/config/crypto.h @@ -24,6 +24,9 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); /** RSA public-key algorithm */ #define CRYPTO_PUBKEY_RSA +/** ECDSA public-key algorithm */ +#define CRYPTO_PUBKEY_ECDSA + /** AES-CBC block cipher */ #define CRYPTO_CIPHER_AES_CBC diff --git a/src/crypto/mishmash/ecdsa_sha224.c b/src/crypto/mishmash/ecdsa_sha224.c new file mode 100644 index 000000000..ab42658cb --- /dev/null +++ b/src/crypto/mishmash/ecdsa_sha224.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2025 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include +#include +#include +#include + +/** "ecdsa-with-SHA224" object identifier */ +static uint8_t oid_ecdsa_with_sha224[] = { ASN1_OID_ECDSA_WITH_SHA224 }; + +/** "ecdsa-with-SHA224" OID-identified algorithm */ +struct asn1_algorithm ecdsa_with_sha224_algorithm __asn1_algorithm = { + .name = "ecdsaWithSHA224", + .pubkey = &ecdsa_algorithm, + .digest = &sha224_algorithm, + .oid = ASN1_CURSOR ( oid_ecdsa_with_sha224 ), +}; + +/** ECDSA with SHA-224 signature hash algorithm */ +struct tls_signature_hash_algorithm +tls_ecdsa_sha224 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_ECDSA_ALGORITHM, + .hash = TLS_SHA224_ALGORITHM, + }, + .pubkey = &ecdsa_algorithm, + .digest = &sha224_algorithm, +}; diff --git a/src/crypto/mishmash/ecdsa_sha256.c b/src/crypto/mishmash/ecdsa_sha256.c new file mode 100644 index 000000000..12cbec80c --- /dev/null +++ b/src/crypto/mishmash/ecdsa_sha256.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2025 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include +#include +#include +#include + +/** "ecdsa-with-SHA256" object identifier */ +static uint8_t oid_ecdsa_with_sha256[] = { ASN1_OID_ECDSA_WITH_SHA256 }; + +/** "ecdsa-with-SHA256" OID-identified algorithm */ +struct asn1_algorithm ecdsa_with_sha256_algorithm __asn1_algorithm = { + .name = "ecdsaWithSHA256", + .pubkey = &ecdsa_algorithm, + .digest = &sha256_algorithm, + .oid = ASN1_CURSOR ( oid_ecdsa_with_sha256 ), +}; + +/** ECDSA with SHA-256 signature hash algorithm */ +struct tls_signature_hash_algorithm +tls_ecdsa_sha256 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_ECDSA_ALGORITHM, + .hash = TLS_SHA256_ALGORITHM, + }, + .pubkey = &ecdsa_algorithm, + .digest = &sha256_algorithm, +}; diff --git a/src/crypto/mishmash/ecdsa_sha384.c b/src/crypto/mishmash/ecdsa_sha384.c new file mode 100644 index 000000000..b52621311 --- /dev/null +++ b/src/crypto/mishmash/ecdsa_sha384.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2025 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include +#include +#include +#include + +/** "ecdsa-with-SHA384" object identifier */ +static uint8_t oid_ecdsa_with_sha384[] = { ASN1_OID_ECDSA_WITH_SHA384 }; + +/** "ecdsa-with-SHA384" OID-identified algorithm */ +struct asn1_algorithm ecdsa_with_sha384_algorithm __asn1_algorithm = { + .name = "ecdsaWithSHA384", + .pubkey = &ecdsa_algorithm, + .digest = &sha384_algorithm, + .oid = ASN1_CURSOR ( oid_ecdsa_with_sha384 ), +}; + +/** ECDSA with SHA-384 signature hash algorithm */ +struct tls_signature_hash_algorithm +tls_ecdsa_sha384 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_ECDSA_ALGORITHM, + .hash = TLS_SHA384_ALGORITHM, + }, + .pubkey = &ecdsa_algorithm, + .digest = &sha384_algorithm, +}; diff --git a/src/crypto/mishmash/ecdsa_sha512.c b/src/crypto/mishmash/ecdsa_sha512.c new file mode 100644 index 000000000..420c685e7 --- /dev/null +++ b/src/crypto/mishmash/ecdsa_sha512.c @@ -0,0 +1,51 @@ +/* + * Copyright (C) 2025 Michael Brown . + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + * + * You can also choose to distribute this program under the terms of + * the Unmodified Binary Distribution Licence (as given in the file + * COPYING.UBDL), provided that you have satisfied its requirements. + */ + +FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); + +#include +#include +#include +#include + +/** "ecdsa-with-SHA512" object identifier */ +static uint8_t oid_ecdsa_with_sha512[] = { ASN1_OID_ECDSA_WITH_SHA512 }; + +/** "ecdsa-with-SHA512" OID-identified algorithm */ +struct asn1_algorithm ecdsa_with_sha512_algorithm __asn1_algorithm = { + .name = "ecdsaWithSHA512", + .pubkey = &ecdsa_algorithm, + .digest = &sha512_algorithm, + .oid = ASN1_CURSOR ( oid_ecdsa_with_sha512 ), +}; + +/** ECDSA with SHA-512 signature hash algorithm */ +struct tls_signature_hash_algorithm +tls_ecdsa_sha512 __tls_sig_hash_algorithm = { + .code = { + .signature = TLS_ECDSA_ALGORITHM, + .hash = TLS_SHA512_ALGORITHM, + }, + .pubkey = &ecdsa_algorithm, + .digest = &sha512_algorithm, +}; diff --git a/src/include/ipxe/asn1.h b/src/include/ipxe/asn1.h index 086e9873a..86ebb890f 100644 --- a/src/include/ipxe/asn1.h +++ b/src/include/ipxe/asn1.h @@ -139,6 +139,30 @@ struct asn1_builder_header { ASN1_OID_DOUBLE ( 10045 ), ASN1_OID_SINGLE ( 3 ), \ ASN1_OID_SINGLE ( 1 ), ASN1_OID_SINGLE ( 7 ) +/** ASN.1 OID for ecdsa-with-SHA224 (1.2.840.10045.4.3.1) */ +#define ASN1_OID_ECDSA_WITH_SHA224 \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_DOUBLE ( 10045 ), ASN1_OID_SINGLE ( 4 ), \ + ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 1 ) + +/** ASN.1 OID for ecdsa-with-SHA256 (1.2.840.10045.4.3.2) */ +#define ASN1_OID_ECDSA_WITH_SHA256 \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_DOUBLE ( 10045 ), ASN1_OID_SINGLE ( 4 ), \ + ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 2 ) + +/** ASN.1 OID for ecdsa-with-SHA384 (1.2.840.10045.4.3.3) */ +#define ASN1_OID_ECDSA_WITH_SHA384 \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_DOUBLE ( 10045 ), ASN1_OID_SINGLE ( 4 ), \ + ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 3 ) + +/** ASN.1 OID for ecdsa-with-SHA512 (1.2.840.10045.4.3.4) */ +#define ASN1_OID_ECDSA_WITH_SHA512 \ + ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ + ASN1_OID_DOUBLE ( 10045 ), ASN1_OID_SINGLE ( 4 ), \ + ASN1_OID_SINGLE ( 3 ), ASN1_OID_SINGLE ( 4 ) + /** ASN.1 OID for rsaEncryption (1.2.840.113549.1.1.1) */ #define ASN1_OID_RSAENCRYPTION \ ASN1_OID_INITIAL ( 1, 2 ), ASN1_OID_DOUBLE ( 840 ), \ diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h index 8ddc9c1be..9c1ab9edf 100644 --- a/src/include/ipxe/tls.h +++ b/src/include/ipxe/tls.h @@ -113,6 +113,7 @@ struct tls_header { /* TLS signature algorithm identifiers */ #define TLS_RSA_ALGORITHM 1 +#define TLS_ECDSA_ALGORITHM 3 /* TLS server name extension */ #define TLS_SERVER_NAME 0