Message ID | 20210215162532.1077098-1-stefanb@linux.ibm.com |
On 2/19/21 1:57 PM, Saulo Alessandre wrote: > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > * crypto/ecdsa.c > - add ecdsa_nist_p384_init_tfm > - register and unregister p384 tfm > > * crypto/testmgr.c > - add test vector for p384 on vector of tests > > * crypto/testmgr.h > - add test vector params for p384(sha1, sha224, sha256, sha384 and sha512) > --- > crypto/asymmetric_keys/x509_cert_parser.c | 2 +- > crypto/ecc.c | 2 +- > crypto/ecc.h | 2 +- > crypto/ecdsa.c | 46 +++++-- > crypto/testmgr.c | 6 + > crypto/testmgr.h | 157 ++++++++++++++++++++++ > 6 files changed, 204 insertions(+), 11 deletions(-) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index 03535bd8b8ef..1d94c23e9678 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -278,7 +278,7 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, > ecdsa: > ctx->cert->sig->pkey_algo = "ecdsa"; > ctx->cert->sig->encoding = "x962"; > - pr_info("Found stephan %s(%s) X509 certificate\n", ctx->cert->sig->pkey_algo, > + pr_info("Found %s(%s) X509 certificate\n", ctx->cert->sig->pkey_algo, > ctx->cert->sig->hash_algo); This patch doesn't apply on my tree because of this change. > ctx->algo_oid = ctx->last_oid; > return 0; > diff --git a/crypto/ecc.c b/crypto/ecc.c > index aab57dcf26c6..0f41ccc10ceb 100644 > --- a/crypto/ecc.c > +++ b/crypto/ecc.c 
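Review bot: The surviving `pr_info("Found %s(%s) X509 certificate\n", ...)` in the x509_cert_parser.c hunk still logs at info level for every ECDSA certificate the parser sees, which is kernel-log noise on systems that load many certificates (module signing, IMA, keyrings). The removed "stephan" tag suggests this was a debugging aid; if it is to stay at all it should be `pr_debug(...)` so it only shows up when the parser's debug output is enabled. The enclosing `x509_note_pkey_algo()` starts before the hunk.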
> @@ -904,7 +904,7 @@ static bool vli_mmod_fast(u64 *result, u64 *product, > const unsigned int ndigits = curve->g.ndigits; > > /* Currently, all NIST have name nist_.* */ > - if (strncmp(curve->name, "nist_", 5) != 0) { > + if (curve && curve->name && strncmp(curve->name, "nist_", 5) != 0) { Can you actually call this function with curve = NULL? You already accessed 'curve' above by ndigits = curve->g.ndigits , so if that check was necessary it's too late to avoid a NULL pointer exception. > /* Try to handle Pseudo-Marsenne primes. */ > if (curve_prime[ndigits - 1] == -1ull) { > vli_mmod_special(result, product, curve_prime, > diff --git a/crypto/ecc.h b/crypto/ecc.h > index 861de67b538f..9a668594012b 100644 > --- a/crypto/ecc.h > +++ b/crypto/ecc.h > @@ -30,7 +30,7 @@ > #define ECC_CURVE_NIST_P192_DIGITS 3 > #define ECC_CURVE_NIST_P256_DIGITS 4 > #define ECC_CURVE_NIST_P384_DIGITS 6 > -#define ECC_MAX_DIGITS (ECC_CURVE_NIST_P384_DIGITS) > +#define ECC_MAX_DIGITS (512/64) > > #define ECC_DIGITS_TO_BYTES_SHIFT 3 > > diff --git a/crypto/ecdsa.c b/crypto/ecdsa.c > index 4b45230276b3..4dfbf8f32a0b 100644 > --- a/crypto/ecdsa.c > +++ b/crypto/ecdsa.c > @@ -101,7 +101,7 @@ int ecdsa_get_signature_r(void *context, size_t hdrlen, unsigned char tag, > struct ecdsa_signature_ctx *sig = context; > > return ecdsa_get_signature_rs(sig->r, hdrlen, tag, value, vlen, > - sig->curve->g.ndigits); > + sig->curve->g.ndigits); I don't think this reformatting and the ones below are necessary here. > } > > int ecdsa_get_signature_s(void *context, size_t hdrlen, unsigned char tag, > @@ -110,7 +110,7 @@ int ecdsa_get_signature_s(void *context, size_t hdrlen, unsigned char tag, > struct ecdsa_signature_ctx *sig = context; > > return ecdsa_get_signature_rs(sig->s, hdrlen, tag, value, vlen, > - sig->curve->g.ndigits); > + sig->curve->g.ndigits); > } > > static int _ecdsa_verify(struct ecc_ctx *ctx, const u64 *hash, 
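Review bot: `#define ECC_MAX_DIGITS (512/64)` in the ecc.h hunk silently undoes the `ECC_CURVE_NIST_P384_DIGITS` value that the previous patch of this series just introduced, and neither commit says why 8 qwords are needed when the largest curve this series defines has 6. Presumably an existing ecc.c consumer works on 512-bit values; if so, the define should carry that rationale, e.g. `#define ECC_MAX_DIGITS (512 / 64) /* sized for the largest in-tree ecc.c user, not the NIST curves */`, and the earlier shrink should simply be dropped so the series never passes through an intermediate state with smaller scratch arrays.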
> @@ -127,7 +127,7 @@ static int _ecdsa_verify(struct ecc_ctx *ctx, const u64 *hash, > > /* 0 < r < n and 0 < s < n */ > if (vli_is_zero(r, ndigits) || vli_cmp(r, curve->n, ndigits) >= 0 || > - vli_is_zero(s, ndigits) || vli_cmp(s, curve->n, ndigits) >= 0) > + vli_is_zero(s, ndigits) || vli_cmp(s, curve->n, ndigits) >= 0) > return -EBADMSG; > > /* hash is given */ > @@ -183,7 +183,7 @@ static int ecdsa_verify(struct akcipher_request *req) > buffer, req->src_len + req->dst_len, 0); > > ret = asn1_ber_decoder(&ecdsasignature_decoder, &sig_ctx, > - buffer, req->src_len); > + buffer, req->src_len); > if (ret < 0) > goto error; > > @@ -233,17 +233,19 @@ static int ecdsa_ecc_ctx_reset(struct ecc_ctx *ctx) > ret = ecdsa_ecc_ctx_init(ctx, curve_id); > if (ret == 0) > ctx->pub_key = ECC_POINT_INIT(ctx->x, ctx->y, > - ctx->curve->g.ndigits); > + ctx->curve->g.ndigits); > return ret; > } > > +#define UNPACKED_KEY_ID 0x04 > + > /* > * Set the public key given the raw uncompressed key data from an X509 > * certificate. The key data contain the concatenated X and Y coordinates of > * the public key. > */ > static int ecdsa_set_pub_key(struct crypto_akcipher *tfm, > - const void *key, unsigned int keylen) > + const void *key, unsigned int keylen) I don't that's necessary here. > { > struct ecc_ctx *ctx = akcipher_tfm_ctx(tfm); > const unsigned char *d = key; > @@ -258,7 +260,7 @@ static int ecdsa_set_pub_key(struct crypto_akcipher *tfm, > if (keylen < 1 || (((keylen - 1) >> 1) % sizeof(u64)) != 0) > return -EINVAL; > /* we only accept uncompressed format */ > - if (d[0] != 4) > + if (d[0] != UNPACKED_KEY_ID) > return -EINVAL; I should probably introduce a constant in my v8 then. > > keylen--; 
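Review bot: `UNPACKED_KEY_ID` is a misnomer for the 0x04 tag in the `ecdsa_set_pub_key()` hunk: X9.62/SEC 1 call this the uncompressed point encoding, and the comment above the function already says "uncompressed", so a name such as `ECC_POINT_UNCOMPRESSED` keeps the two in agreement. Whatever the name, the define deserves a one-line comment, `/* X9.62 point-encoding tag: uncompressed, 0x04 || X || Y */`, since the value is a wire-format constant rather than a local choice. Because the parser side of this series hands over the same raw encoding, placing the constant in ecc.h next to the other `ECC_*` defines rather than privately in ecdsa.c would let both sides share it.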
> @@ -289,6 +291,28 @@ static unsigned int ecdsa_max_size(struct crypto_akcipher *tfm) > return ctx->pub_key.ndigits << ECC_DIGITS_TO_BYTES_SHIFT; > } > > +static int ecdsa_nist_p384_init_tfm(struct crypto_akcipher *tfm) > +{ > + struct ecc_ctx *ctx = akcipher_tfm_ctx(tfm); > + > + return ecdsa_ecc_ctx_init(ctx, ECC_CURVE_NIST_P384); > +} > + > +static struct akcipher_alg ecdsa_nist_p384 = { > + .verify = ecdsa_verify, > + .set_pub_key = ecdsa_set_pub_key, > + .max_size = ecdsa_max_size, > + .init = ecdsa_nist_p384_init_tfm, > + .exit = ecdsa_exit_tfm, > + .base = { > + .cra_name = "ecdsa-nist-p384", > + .cra_driver_name = "ecdsa-nist-p384-generic", > + .cra_priority = 100, > + .cra_module = THIS_MODULE, > + .cra_ctxsize = sizeof(struct ecc_ctx), > + }, > +}; > + > static int ecdsa_nist_p256_init_tfm(struct crypto_akcipher *tfm) > { > struct ecc_ctx *ctx = akcipher_tfm_ctx(tfm); > @@ -342,7 +366,12 @@ static int ecdsa_init(void) > ret = crypto_register_akcipher(&ecdsa_nist_p192); > ecdsa_nist_p192_registered = ret == 0; > > - return crypto_register_akcipher(&ecdsa_nist_p256); > + ret = crypto_register_akcipher(&ecdsa_nist_p256); > + if (ret != 0) > + return ret; There is an existing bug in my v8. I have to unregister nist_p192 if nist_p256 registration fails. Let me fix this in a V9.
On 2/19/21 1:57 PM, Saulo Alessandre wrote:
> From: Saulo Alessandre <saulo.alessandre@tse.jus.br>
>
> * crypto/ecc.c
> - change ecc_get_curve to accept nist_p384
> - add vli_mmod_fast_384
> - change some routines to pass ecc_curve forward until vli_mmod_fast
>
> * crypto/ecc.h
> - add ECC_CURVE_NIST_P384_DIGITS
> - change ECC_MAX_DIGITS to P384 size
> ---
> crypto/ecc.c | 282 ++++++++++++++++++++++++++++++++++++---------------
> crypto/ecc.h | 3 +-
> 2 files changed, 203 insertions(+), 82 deletions(-)
>
> diff --git a/crypto/ecc.c b/crypto/ecc.c
> index 25e79fd70566..aab57dcf26c6 100644
> --- a/crypto/ecc.c
> +++ b/crypto/ecc.c
> @@ -50,6 +50,8 @@ const struct ecc_curve *ecc_get_curve(unsigned int curve_id)
> return fips_enabled ? NULL : &nist_p192;
> case ECC_CURVE_NIST_P256:
> return &nist_p256;
> + case ECC_CURVE_NIST_P384:
> + return &nist_p384;
> default:
> return NULL;
> }
> @@ -776,18 +778,133 @@ static void vli_mmod_fast_256(u64 *result, const u64 *product, > } > } > > +#define SL32OR32(x32, y32) (((u64)x32 << 32) | y32) > +#define AND64H(x64) (x64 & 0xffFFffFF00000000ull) > +#define AND64L(x64) (x64 & 0x00000000ffFFffFFull) > + > +/* Computes result = product % curve_prime > + * from "Mathematical routines for the NIST prime elliptic curves" > + */ > +static void vli_mmod_fast_384(u64 *result, const u64 *product, > + const u64 *curve_prime, u64 *tmp) > +{ > + int carry; > + const unsigned int ndigits = 6; > + > + /* t */ > + vli_set(result, product, ndigits); > + > + /* s1 */ > + tmp[0] = 0; // 0 || 0 > + tmp[1] = 0; // 0 || 0 > + tmp[2] = SL32OR32(product[11], (product[10]>>32)); //a22||a21 > + tmp[3] = product[11]>>32; // 0 ||a23 > + tmp[4] = 0; // 0 || 0 > + tmp[5] = 0; // 0 || 0 > + carry = vli_lshift(tmp, tmp, 1, ndigits); > + carry += vli_add(result, result, tmp, ndigits); > + > + /* s2 */ > + tmp[0] = product[6]; //a13||a12 > + tmp[1] = product[7]; //a15||a14 > + tmp[2] = product[8]; //a17||a16 > + tmp[3] = product[9]; //a19||a18 > + tmp[4] = product[10]; //a21||a20 > + tmp[5] = product[11]; //a23||a22 > + carry += vli_add(result, result, tmp, ndigits); > + > + /* s3 */ > + tmp[0] = SL32OR32(product[11], (product[10]>>32)); //a22||a21 > + tmp[1] = SL32OR32(product[6], (product[11]>>32)); //a12||a23 > + tmp[2] = SL32OR32(product[7], (product[6])>>32); //a14||a13 > + tmp[3] = SL32OR32(product[8], (product[7]>>32)); //a16||a15 > + tmp[4] = SL32OR32(product[9], (product[8]>>32)); //a18||a17 > + tmp[5] = SL32OR32(product[10], (product[9]>>32)); //a20||a19 > + carry += vli_add(result, result, tmp, ndigits); > + > + /* s4 */ > + tmp[0] = AND64H(product[11]); //a23|| 0 > + tmp[1] = (product[10]<<32); //a20|| 0 > + tmp[2] = product[6]; //a13||a12 > + tmp[3] = product[7]; //a15||a14 > + tmp[4] = product[8]; //a17||a16 > + tmp[5] = product[9]; //a19||a18 > + carry += vli_add(result, result, tmp, ndigits); > + > + /* s5 */ > + tmp[0] = 
0; // 0|| 0 > + tmp[1] = 0; // 0|| 0 > + tmp[2] = product[10]; //a21||a20 > + tmp[3] = product[11]; //a23||a22 > + tmp[4] = 0; // 0|| 0 > + tmp[5] = 0; // 0|| 0 > + carry += vli_add(result, result, tmp, ndigits); > + > + /* s6 */ > + tmp[0] = AND64L(product[10]); // 0 ||a20 > + tmp[1] = AND64H(product[10]); //a21|| 0 > + tmp[2] = product[11]; //a23||a22 > + tmp[3] = 0; // 0 || 0 > + tmp[4] = 0; // 0 || 0 > + tmp[5] = 0; // 0 || 0 > + carry += vli_add(result, result, tmp, ndigits); > + > + /* d1 */ > + tmp[0] = SL32OR32(product[6], (product[11]>>32)); //a12||a23 > + tmp[1] = SL32OR32(product[7], (product[6]>>32)); //a14||a13 > + tmp[2] = SL32OR32(product[8], (product[7]>>32)); //a16||a15 > + tmp[3] = SL32OR32(product[9], (product[8]>>32)); //a18||a17 > + tmp[4] = SL32OR32(product[10], (product[9]>>32)); //a20||a19 > + tmp[5] = SL32OR32(product[11], (product[10]>>32)); //a22||a21 > + carry -= vli_sub(result, result, tmp, ndigits); > + > + /* d2 */ > + tmp[0] = (product[10]<<32); //a20|| 0 > + tmp[1] = SL32OR32(product[11], (product[10]>>32)); //a22||a21 > + tmp[2] = (product[11]>>32); // 0 ||a23 > + tmp[3] = 0; // 0 || 0 > + tmp[4] = 0; // 0 || 0 > + tmp[5] = 0; // 0 || 0 > + carry -= vli_sub(result, result, tmp, ndigits); > + > + /* d3 */ > + tmp[0] = 0; // 0 || 0 > + tmp[1] = AND64H(product[11]); //a23|| 0 > + tmp[2] = product[11]>>32; // 0 ||a23 > + tmp[3] = 0; // 0 || 0 > + tmp[4] = 0; // 0 || 0 > + tmp[5] = 0; // 0 || 0 > + carry -= vli_sub(result, result, tmp, ndigits); > + > + if (carry < 0) { > + do { > + carry += vli_add(result, result, curve_prime, ndigits); > + } while (carry < 0); > + } else { > + while (carry || vli_cmp(curve_prime, result, ndigits) != 1) > + carry -= vli_sub(result, result, curve_prime, ndigits); > + } > + > +} > + > +#undef SL32OR32 > +#undef AND64H > +#undef AND64L > + > /* Computes result = product % curve_prime for different curve_primes. 
> * > * Note that curve_primes are distinguished just by heuristic check and > * not by complete conformance check. > */ > static bool vli_mmod_fast(u64 *result, u64 *product, > - const u64 *curve_prime, unsigned int ndigits) > + const struct ecc_curve *curve) I think for NIST P384 we should be able to keep the function signature as-is. For NIST p521 it may be necessary to change it and also introduce nbits because ndigits is too coarse for it in *some places*. > { > u64 tmp[2 * ECC_MAX_DIGITS]; > + const u64 *curve_prime = curve->p; > + const unsigned int ndigits = curve->g.ndigits; > > - /* Currently, both NIST primes have -1 in lowest qword. */ > - if (curve_prime[0] != -1ull) { > + /* Currently, all NIST have name nist_.* */ > + if (strncmp(curve->name, "nist_", 5) != 0) { > /* Try to handle Pseudo-Marsenne primes. */ > if (curve_prime[ndigits - 1] == -1ull) { > vli_mmod_special(result, product, curve_prime, > @@ -810,6 +927,9 @@ static bool vli_mmod_fast(u64 *result, u64 *product, > case 4: > vli_mmod_fast_256(result, product, curve_prime, tmp); > break; > + case 6: > + vli_mmod_fast_384(result, product, curve_prime, tmp); > + break; > default: > pr_err_ratelimited("ecc: unsupported digits size!\n"); > return false; 
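Review bot: The new `/* Currently, all NIST have name nist_.* */` check in `vli_mmod_fast()` does not say why the old `curve_prime[0] != -1ull` test had to go, and the dispatch is now a naming convention the fast paths silently depend on: `vli_mmod_fast_384()` hard-codes the word layout of the P-384 prime and only uses `curve_prime` for the final correction, so any curve whose name starts with `nist_` must use exactly the P-192/P-256/P-384 prime for its digit count. I would say so at the check, e.g. `/* NIST curves are dispatched by name: the low qword of P-384 (0x00000000FFFFFFFF) defeats the old "-1 in lowest qword" test, and each nist_* fast path assumes the exact NIST prime for its ndigits. */`. On a style point, `SL32OR32`/`AND64H`/`AND64L` do not parenthesize their arguments; `#define SL32OR32(x32, y32) (((u64)(x32) << 32) | (y32))` and the same for the two masks costs nothing and removes the precedence trap on call sites like `SL32OR32(product[7], (product[6])>>32)`. The correction loops at the end of `vli_mmod_fast_384()` run a data-dependent number of iterations, as the existing P-256 version does, which is fine for signature verification but worth a one-line note if this reduction is ever reused on ECDH secrets.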
> @@ -833,22 +953,22 @@ EXPORT_SYMBOL(vli_mod_mult_slow); > > /* Computes result = (left * right) % curve_prime. */ > static void vli_mod_mult_fast(u64 *result, const u64 *left, const u64 *right, > - const u64 *curve_prime, unsigned int ndigits) > + const struct ecc_curve *curve) > { > u64 product[2 * ECC_MAX_DIGITS]; > > - vli_mult(product, left, right, ndigits); > - vli_mmod_fast(result, product, curve_prime, ndigits); > + vli_mult(product, left, right, curve->g.ndigits); > + vli_mmod_fast(result, product, curve); > } > > /* Computes result = left^2 % curve_prime. */ > static void vli_mod_square_fast(u64 *result, const u64 *left, > - const u64 *curve_prime, unsigned int ndigits) > + const struct ecc_curve *curve) > { > u64 product[2 * ECC_MAX_DIGITS]; > > - vli_square(product, left, ndigits); > - vli_mmod_fast(result, product, curve_prime, ndigits); > + vli_square(product, left, curve->g.ndigits); > + vli_mmod_fast(result, product, curve); > } > > #define EVEN(vli) (!(vli[0] & 1)) 
> @@ -946,25 +1066,27 @@ static bool ecc_point_is_zero(const struct ecc_point *point) > > /* Double in place */ > static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, > - u64 *curve_prime, unsigned int ndigits) > + const struct ecc_curve *curve) > { > /* t1 = x, t2 = y, t3 = z */ > u64 t4[ECC_MAX_DIGITS]; > u64 t5[ECC_MAX_DIGITS]; > + const u64 *curve_prime = curve->p; > + const unsigned int ndigits = curve->g.ndigits; > > if (vli_is_zero(z1, ndigits)) > return; > > /* t4 = y1^2 */ > - vli_mod_square_fast(t4, y1, curve_prime, ndigits); > + vli_mod_square_fast(t4, y1, curve); > /* t5 = x1*y1^2 = A */ > - vli_mod_mult_fast(t5, x1, t4, curve_prime, ndigits); > + vli_mod_mult_fast(t5, x1, t4, curve); > /* t4 = y1^4 */ > - vli_mod_square_fast(t4, t4, curve_prime, ndigits); > + vli_mod_square_fast(t4, t4, curve); > /* t2 = y1*z1 = z3 */ > - vli_mod_mult_fast(y1, y1, z1, curve_prime, ndigits); > + vli_mod_mult_fast(y1, y1, z1, curve); > /* t3 = z1^2 */ > - vli_mod_square_fast(z1, z1, curve_prime, ndigits); > + vli_mod_square_fast(z1, z1, curve); > > /* t1 = x1 + z1^2 */ > vli_mod_add(x1, x1, z1, curve_prime, ndigits); > @@ -973,7 +1095,7 @@ static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, > /* t3 = x1 - z1^2 */ > vli_mod_sub(z1, x1, z1, curve_prime, ndigits); > /* t1 = x1^2 - z1^4 */ > - vli_mod_mult_fast(x1, x1, z1, curve_prime, ndigits); > + vli_mod_mult_fast(x1, x1, z1, curve); > > /* t3 = 2*(x1^2 - z1^4) */ > vli_mod_add(z1, x1, x1, curve_prime, ndigits); > @@ -990,7 +1112,7 @@ static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, > /* t1 = 3/2*(x1^2 - z1^4) = B */ > > /* t3 = B^2 */ > - vli_mod_square_fast(z1, x1, curve_prime, ndigits); > + vli_mod_square_fast(z1, x1, curve); > /* t3 = B^2 - A */ > vli_mod_sub(z1, z1, t5, curve_prime, ndigits); > /* t3 = B^2 - 2A = x3 */ 
> @@ -998,7 +1120,7 @@ static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, > /* t5 = A - x3 */ > vli_mod_sub(t5, t5, z1, curve_prime, ndigits); > /* t1 = B * (A - x3) */ > - vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); > + vli_mod_mult_fast(x1, x1, t5, curve); > /* t4 = B * (A - x3) - y1^4 = y3 */ > vli_mod_sub(t4, x1, t4, curve_prime, ndigits); > > @@ -1008,23 +1130,22 @@ static void ecc_point_double_jacobian(u64 *x1, u64 *y1, u64 *z1, > } > > /* Modify (x1, y1) => (x1 * z^2, y1 * z^3) */ > -static void apply_z(u64 *x1, u64 *y1, u64 *z, u64 *curve_prime, > - unsigned int ndigits) > +static void apply_z(u64 *x1, u64 *y1, u64 *z, const struct ecc_curve *curve) > { > u64 t1[ECC_MAX_DIGITS]; > > - vli_mod_square_fast(t1, z, curve_prime, ndigits); /* z^2 */ > - vli_mod_mult_fast(x1, x1, t1, curve_prime, ndigits); /* x1 * z^2 */ > - vli_mod_mult_fast(t1, t1, z, curve_prime, ndigits); /* z^3 */ > - vli_mod_mult_fast(y1, y1, t1, curve_prime, ndigits); /* y1 * z^3 */ > + vli_mod_square_fast(t1, z, curve); /* z^2 */ > + vli_mod_mult_fast(x1, x1, t1, curve); /* x1 * z^2 */ > + vli_mod_mult_fast(t1, t1, z, curve); /* z^3 */ > + vli_mod_mult_fast(y1, y1, t1, curve); /* y1 * z^3 */ > } > > /* P = (x1, y1) => 2P, (x2, y2) => P' */ > static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2, > - u64 *p_initial_z, u64 *curve_prime, > - unsigned int ndigits) > + u64 *p_initial_z, const struct ecc_curve *curve) > { > u64 z[ECC_MAX_DIGITS]; > + const unsigned int ndigits = curve->g.ndigits; > > vli_set(x2, x1, ndigits); > vli_set(y2, y1, ndigits); 
> @@ -1035,35 +1156,37 @@ static void xycz_initial_double(u64 *x1, u64 *y1, u64 *x2, u64 *y2, > if (p_initial_z) > vli_set(z, p_initial_z, ndigits); > > - apply_z(x1, y1, z, curve_prime, ndigits); > + apply_z(x1, y1, z, curve); > > - ecc_point_double_jacobian(x1, y1, z, curve_prime, ndigits); > + ecc_point_double_jacobian(x1, y1, z, curve); > > - apply_z(x2, y2, z, curve_prime, ndigits); > + apply_z(x2, y2, z, curve); > } > > /* Input P = (x1, y1, Z), Q = (x2, y2, Z) > * Output P' = (x1', y1', Z3), P + Q = (x3, y3, Z3) > * or P => P', Q => P + Q > */ > -static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, > - unsigned int ndigits) > +static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, > + const struct ecc_curve *curve) > { > /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ > u64 t5[ECC_MAX_DIGITS]; > + const u64 *curve_prime = curve->p; > + const unsigned int ndigits = curve->g.ndigits; > > /* t5 = x2 - x1 */ > vli_mod_sub(t5, x2, x1, curve_prime, ndigits); > /* t5 = (x2 - x1)^2 = A */ > - vli_mod_square_fast(t5, t5, curve_prime, ndigits); > + vli_mod_square_fast(t5, t5, curve); > /* t1 = x1*A = B */ > - vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); > + vli_mod_mult_fast(x1, x1, t5, curve); > /* t3 = x2*A = C */ > - vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits); > + vli_mod_mult_fast(x2, x2, t5, curve); > /* t4 = y2 - y1 */ > vli_mod_sub(y2, y2, y1, curve_prime, ndigits); > /* t5 = (y2 - y1)^2 = D */ > - vli_mod_square_fast(t5, y2, curve_prime, ndigits); > + vli_mod_square_fast(t5, y2, curve); > > /* t5 = D - B */ > vli_mod_sub(t5, t5, x1, curve_prime, ndigits); 
> @@ -1072,11 +1195,11 @@ static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, > /* t3 = C - B */ > vli_mod_sub(x2, x2, x1, curve_prime, ndigits); > /* t2 = y1*(C - B) */ > - vli_mod_mult_fast(y1, y1, x2, curve_prime, ndigits); > + vli_mod_mult_fast(y1, y1, x2, curve); > /* t3 = B - x3 */ > vli_mod_sub(x2, x1, t5, curve_prime, ndigits); > /* t4 = (y2 - y1)*(B - x3) */ > - vli_mod_mult_fast(y2, y2, x2, curve_prime, ndigits); > + vli_mod_mult_fast(y2, y2, x2, curve); > /* t4 = y3 */ > vli_mod_sub(y2, y2, y1, curve_prime, ndigits); > > @@ -1087,22 +1210,24 @@ static void xycz_add(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, > * Output P + Q = (x3, y3, Z3), P - Q = (x3', y3', Z3) > * or P => P - Q, Q => P + Q > */ > -static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, > - unsigned int ndigits) > +static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, > + const struct ecc_curve *curve) > { > /* t1 = X1, t2 = Y1, t3 = X2, t4 = Y2 */ > u64 t5[ECC_MAX_DIGITS]; > u64 t6[ECC_MAX_DIGITS]; > u64 t7[ECC_MAX_DIGITS]; > + const u64 *curve_prime = curve->p; > + const unsigned int ndigits = curve->g.ndigits; > > /* t5 = x2 - x1 */ > vli_mod_sub(t5, x2, x1, curve_prime, ndigits); > /* t5 = (x2 - x1)^2 = A */ > - vli_mod_square_fast(t5, t5, curve_prime, ndigits); > + vli_mod_square_fast(t5, t5, curve); > /* t1 = x1*A = B */ > - vli_mod_mult_fast(x1, x1, t5, curve_prime, ndigits); > + vli_mod_mult_fast(x1, x1, t5, curve); > /* t3 = x2*A = C */ > - vli_mod_mult_fast(x2, x2, t5, curve_prime, ndigits); > + vli_mod_mult_fast(x2, x2, t5, curve); > /* t4 = y2 + y1 */ > vli_mod_add(t5, y2, y1, curve_prime, ndigits); > /* t4 = y2 - y1 */ 
> @@ -1111,29 +1236,29 @@ static void xycz_add_c(u64 *x1, u64 *y1, u64 *x2, u64 *y2, u64 *curve_prime, > /* t6 = C - B */ > vli_mod_sub(t6, x2, x1, curve_prime, ndigits); > /* t2 = y1 * (C - B) */ > - vli_mod_mult_fast(y1, y1, t6, curve_prime, ndigits); > + vli_mod_mult_fast(y1, y1, t6, curve); > /* t6 = B + C */ > vli_mod_add(t6, x1, x2, curve_prime, ndigits); > /* t3 = (y2 - y1)^2 */ > - vli_mod_square_fast(x2, y2, curve_prime, ndigits); > + vli_mod_square_fast(x2, y2, curve); > /* t3 = x3 */ > vli_mod_sub(x2, x2, t6, curve_prime, ndigits); > > /* t7 = B - x3 */ > vli_mod_sub(t7, x1, x2, curve_prime, ndigits); > /* t4 = (y2 - y1)*(B - x3) */ > - vli_mod_mult_fast(y2, y2, t7, curve_prime, ndigits); > + vli_mod_mult_fast(y2, y2, t7, curve); > /* t4 = y3 */ > vli_mod_sub(y2, y2, y1, curve_prime, ndigits); > > /* t7 = (y2 + y1)^2 = F */ > - vli_mod_square_fast(t7, t5, curve_prime, ndigits); > + vli_mod_square_fast(t7, t5, curve); > /* t7 = x3' */ > vli_mod_sub(t7, t7, t6, curve_prime, ndigits); > /* t6 = x3' - B */ > vli_mod_sub(t6, t7, x1, curve_prime, ndigits); > /* t6 = (y2 + y1)*(x3' - B) */ > - vli_mod_mult_fast(t6, t6, t5, curve_prime, ndigits); > + vli_mod_mult_fast(t6, t6, t5, curve); > /* t2 = y3' */ > vli_mod_sub(y1, t6, y1, curve_prime, ndigits); 
> > @@ -1163,41 +1288,37 @@ static void ecc_point_mult(struct ecc_point *result, > vli_set(rx[1], point->x, ndigits); > vli_set(ry[1], point->y, ndigits); > > - xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z, curve_prime, > - ndigits); > + xycz_initial_double(rx[1], ry[1], rx[0], ry[0], initial_z, curve); > > for (i = num_bits - 2; i > 0; i--) { > nb = !vli_test_bit(scalar, i); > - xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime, > - ndigits); > - xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime, > - ndigits); > + xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve); > + xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve); > } > > nb = !vli_test_bit(scalar, 0); > - xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve_prime, > - ndigits); > + xycz_add_c(rx[1 - nb], ry[1 - nb], rx[nb], ry[nb], curve); > > /* Find final 1/Z value. */ > /* X1 - X0 */ > vli_mod_sub(z, rx[1], rx[0], curve_prime, ndigits); > /* Yb * (X1 - X0) */ > - vli_mod_mult_fast(z, z, ry[1 - nb], curve_prime, ndigits); > + vli_mod_mult_fast(z, z, ry[1 - nb], curve); > /* xP * Yb * (X1 - X0) */ > - vli_mod_mult_fast(z, z, point->x, curve_prime, ndigits); > + vli_mod_mult_fast(z, z, point->x, curve); > > /* 1 / (xP * Yb * (X1 - X0)) */ > vli_mod_inv(z, z, curve_prime, point->ndigits); > > /* yP / (xP * Yb * (X1 - X0)) */ > - vli_mod_mult_fast(z, z, point->y, curve_prime, ndigits); > + vli_mod_mult_fast(z, z, point->y, curve); > /* Xb * yP / (xP * Yb * (X1 - X0)) */ > - vli_mod_mult_fast(z, z, rx[1 - nb], curve_prime, ndigits); > + vli_mod_mult_fast(z, z, rx[1 - nb], curve); > /* End 1/Z calculation */ > > - xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve_prime, ndigits); > + xycz_add(rx[nb], ry[nb], rx[1 - nb], ry[1 - nb], curve); > > - apply_z(rx[0], ry[0], z, curve_prime, ndigits); > + apply_z(rx[0], ry[0], z, curve); > > vli_set(result->x, rx[0], ndigits); > vli_set(result->y, ry[0], ndigits); 
> @@ -1218,9 +1339,9 @@ static void ecc_point_add(const struct ecc_point *result, > vli_mod_sub(z, result->x, p->x, curve->p, ndigits); > vli_set(px, p->x, ndigits); > vli_set(py, p->y, ndigits); > - xycz_add(px, py, result->x, result->y, curve->p, ndigits); > + xycz_add(px, py, result->x, result->y, curve); > vli_mod_inv(z, z, curve->p, ndigits); > - apply_z(result->x, result->y, z, curve->p, ndigits); > + apply_z(result->x, result->y, z, curve); > } > > /* Computes R = u1P + u2Q mod p using Shamir's trick. > @@ -1249,8 +1370,7 @@ void ecc_point_mult_shamir(const struct ecc_point *result, > points[2] = q; > points[3] = ∑ > > - num_bits = max(vli_num_bits(u1, ndigits), > - vli_num_bits(u2, ndigits)); > + num_bits = max(vli_num_bits(u1, ndigits), vli_num_bits(u2, ndigits)); > i = num_bits - 1; > idx = (!!vli_test_bit(u1, i)) | ((!!vli_test_bit(u2, i)) << 1); > point = points[idx]; > @@ -1261,7 +1381,7 @@ void ecc_point_mult_shamir(const struct ecc_point *result, > z[0] = 1; > > for (--i; i >= 0; i--) { > - ecc_point_double_jacobian(rx, ry, z, curve->p, ndigits); > + ecc_point_double_jacobian(rx, ry, z, curve); > idx = (!!vli_test_bit(u1, i)) | ((!!vli_test_bit(u2, i)) << 1); > point = points[idx]; > if (point) { 
> @@ -1271,19 +1391,19 @@ void ecc_point_mult_shamir(const struct ecc_point *result, > > vli_set(tx, point->x, ndigits); > vli_set(ty, point->y, ndigits); > - apply_z(tx, ty, z, curve->p, ndigits); > + apply_z(tx, ty, z, curve); > vli_mod_sub(tz, rx, tx, curve->p, ndigits); > - xycz_add(tx, ty, rx, ry, curve->p, ndigits); > - vli_mod_mult_fast(z, z, tz, curve->p, ndigits); > + xycz_add(tx, ty, rx, ry, curve); > + vli_mod_mult_fast(z, z, tz, curve); > } > } > vli_mod_inv(z, z, curve->p, ndigits); > - apply_z(rx, ry, z, curve->p, ndigits); > + apply_z(rx, ry, z, curve); > } > EXPORT_SYMBOL(ecc_point_mult_shamir); > > static int __ecc_is_key_valid(const struct ecc_curve *curve, > - const u64 *private_key, unsigned int ndigits) > + const u64 *private_key, unsigned int ndigits) The reformatting should not be necessary. > { > u64 one[ECC_MAX_DIGITS] = { 1, }; > u64 res[ECC_MAX_DIGITS]; > @@ -1306,7 +1426,7 @@ static int __ecc_is_key_valid(const struct ecc_curve *curve, > } > > int ecc_is_key_valid(unsigned int curve_id, unsigned int ndigits, > - const u64 *private_key, unsigned int private_key_len) > + const u64 *private_key, unsigned int private_key_len) Should not be necessary. > { > int nbytes; > const struct ecc_curve *curve = ecc_get_curve(curve_id); > @@ -1374,7 +1494,7 @@ int ecc_gen_privkey(unsigned int curve_id, unsigned int ndigits, u64 *privkey) > EXPORT_SYMBOL(ecc_gen_privkey); > > int ecc_make_pub_key(unsigned int curve_id, unsigned int ndigits, > - const u64 *private_key, u64 *public_key) > + const u64 *private_key, u64 *public_key) Should not be necessary. > { > int ret = 0; > struct ecc_point *pk; 
> @@ -1432,10 +1552,10 @@ int ecc_is_pubkey_valid_partial(const struct ecc_curve *curve, > return -EINVAL; > > /* Check 3: Verify that y^2 == (x^3 + a·x + b) mod p */ > - vli_mod_square_fast(yy, pk->y, curve->p, pk->ndigits); /* y^2 */ > - vli_mod_square_fast(xxx, pk->x, curve->p, pk->ndigits); /* x^2 */ > - vli_mod_mult_fast(xxx, xxx, pk->x, curve->p, pk->ndigits); /* x^3 */ > - vli_mod_mult_fast(w, curve->a, pk->x, curve->p, pk->ndigits); /* a·x */ > + vli_mod_square_fast(yy, pk->y, curve); /* y^2 */ > + vli_mod_square_fast(xxx, pk->x, curve); /* x^2 */ > + vli_mod_mult_fast(xxx, xxx, pk->x, curve); /* x^3 */ > + vli_mod_mult_fast(w, curve->a, pk->x, curve); /* a·x */ > vli_mod_add(w, w, curve->b, curve->p, pk->ndigits); /* a·x + b */ > vli_mod_add(w, w, xxx, curve->p, pk->ndigits); /* x^3 + a·x + b */ > if (vli_cmp(yy, w, pk->ndigits) != 0) /* Equation */ > @@ -1447,7 +1567,7 @@ EXPORT_SYMBOL(ecc_is_pubkey_valid_partial); > > /* SP800-56A section 5.6.2.3.3 full verification */ > int ecc_is_pubkey_valid_full(const struct ecc_curve *curve, > - struct ecc_point *pk) > + struct ecc_point *pk) Should not be necessary. > { > struct ecc_point *nQ; > > @@ -1473,8 +1593,8 @@ int ecc_is_pubkey_valid_full(const struct ecc_curve *curve, > EXPORT_SYMBOL(ecc_is_pubkey_valid_full); > > int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > - const u64 *private_key, const u64 *public_key, > - u64 *secret) > + const u64 *private_key, const u64 *public_key, > + u64 *secret) Should not be necessary. > { > int ret = 0; > struct ecc_point *product, *pk; > @@ -1484,7 +1604,7 @@ int crypto_ecdh_shared_secret(unsigned int curve_id, unsigned int ndigits, > const struct ecc_curve *curve = ecc_get_curve(curve_id); > > if (!private_key || !public_key || !curve || > - ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) { > + ndigits > ARRAY_SIZE(priv) || ndigits > ARRAY_SIZE(rand_z)) { Should not be necessary. > ret = -EINVAL; > goto out; > } 
> diff --git a/crypto/ecc.h b/crypto/ecc.h > index 2ea86dfb5cf7..861de67b538f 100644 > --- a/crypto/ecc.h > +++ b/crypto/ecc.h > @@ -29,7 +29,8 @@ > /* One digit is u64 qword. */ > #define ECC_CURVE_NIST_P192_DIGITS 3 > #define ECC_CURVE_NIST_P256_DIGITS 4 > -#define ECC_MAX_DIGITS (512 / 64) > +#define ECC_CURVE_NIST_P384_DIGITS 6 > +#define ECC_MAX_DIGITS (ECC_CURVE_NIST_P384_DIGITS) Good. > > #define ECC_DIGITS_TO_BYTES_SHIFT 3 > In my opinion this patch here should primarily add: static void vli_mmod_fast_384(u64 *result, const u64 *product, const u64 *curve_prime, u64 *tmp) We should also only introduce the change in function signatures (curve instead of ndigits and curve_prime) when we need it for NIST p521, unless I am missing something why it is needed for p384.
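Review bot: Shrinking `ECC_MAX_DIGITS` from `(512 / 64)` to `ECC_CURVE_NIST_P384_DIGITS` cuts every `u64 x[ECC_MAX_DIGITS]` scratch array in ecc.c from 8 to 6 qwords, and the only guard visible in this series against a larger `ndigits` is the `ndigits > ARRAY_SIZE(priv)` check in `crypto_ecdh_shared_secret()`; the internal helpers (`xycz_add()`'s `t5`, `apply_z()`'s `t1`, `vli_mmod_fast()`'s `tmp[2 * ECC_MAX_DIGITS]`) index by `ndigits` with no bound of their own. If any in-tree caller still passes 512-bit values into ecc.c — the old value suggests one existed — this intermediate commit turns that into a stack overflow, and the next patch in the series restores `(512/64)` anyway, so the change is a bisection hazard with no benefit. I would drop this hunk and keep `#define ECC_MAX_DIGITS (512 / 64)`, with a comment naming the 512-bit user it is sized for.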
On 2/19/21 1:57 PM, Saulo Alessandre wrote: > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > * crypto/asymmetric_keys/x509_cert_parser.c > - prepare x509 parser to load nist_secpp384r1 > > * crypto/ecc_curve_defs.h > - add nist_p384 params > > * include/crypto/ecdh.h > - add ECC_CURVE_NIST_P384 > > * include/linux/oid_registry.h > - reorder OID_id_ecdsa_with_sha1 > - add OID_id_secp384r1 > --- > crypto/asymmetric_keys/x509_cert_parser.c | 3 +++ > crypto/ecc_curve_defs.h | 32 +++++++++++++++++++++++ > include/crypto/ecdh.h | 1 + > include/linux/oid_registry.h | 3 ++- > 4 files changed, 38 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index d6d72420307c..03535bd8b8ef 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -512,6 +512,9 @@ int x509_extract_key_data(void *context, size_t hdrlen, > case OID_id_prime256v1: > ctx->cert->pub->pkey_algo = "ecdsa-nist-p256"; > break; > + case OID_id_secp384r1: > + ctx->cert->pub->pkey_algo = "ecdsa-nist-p384"; > + break; > default: > return -ENOPKG; > } > diff --git a/crypto/ecc_curve_defs.h b/crypto/ecc_curve_defs.h > index 69be6c7d228f..b327732f6ef5 100644 > --- a/crypto/ecc_curve_defs.h > +++ b/crypto/ecc_curve_defs.h 
> @@ -54,4 +54,36 @@ static struct ecc_curve nist_p256 = { > .b = nist_p256_b > }; > > +/* NIST P-384 */ > +static u64 nist_p384_g_x[] = { 0x3A545E3872760AB7ull, 0x5502F25DBF55296Cull, > + 0x59F741E082542A38ull, 0x6E1D3B628BA79B98ull, > + 0x8Eb1C71EF320AD74ull, 0xAA87CA22BE8B0537ull }; > +static u64 nist_p384_g_y[] = { 0x7A431D7C90EA0E5Full, 0x0A60B1CE1D7E819Dull, > + 0xE9DA3113B5F0B8C0ull, 0xF8F41DBD289A147Cull, > + 0x5D9E98BF9292DC29ull, 0x3617DE4A96262C6Full }; > +static u64 nist_p384_p[] = { 0x00000000FFFFFFFFull, 0xFFFFFFFF00000000ull, > + 0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFFFFFFFFFull, > + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; > +static u64 nist_p384_n[] = { 0xECEC196ACCC52973ull, 0x581A0DB248B0A77Aull, > + 0xC7634D81F4372DDFull, 0xFFFFFFFFFFFFFFFFull, > + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; > +static u64 nist_p384_a[] = { 0x00000000FFFFFFFCull, 0xFFFFFFFF00000000ull, > + 0xFFFFFFFFFFFFFFFEull, 0xFFFFFFFFFFFFFFFFull, > + 0xFFFFFFFFFFFFFFFFull, 0xFFFFFFFFFFFFFFFFull }; > +static u64 nist_p384_b[] = { 0x2a85c8edd3ec2aefull, 0xc656398d8a2ed19dull, > + 0x0314088f5013875aull, 0x181d9c6efe814112ull, > + 0x988e056be3f82d19ull, 0xb3312fa7e23ee7e4ull }; > +static struct ecc_curve nist_p384 = { > + .name = "nist_384", > + .g = { > + .x = nist_p384_g_x, > + .y = nist_p384_g_y, > + .ndigits = 6, > + }, > + .p = nist_p384_p, > + .n = nist_p384_n, > + .a = nist_p384_a, > + .b = nist_p384_b > +}; > + > #endif > diff --git a/include/crypto/ecdh.h b/include/crypto/ecdh.h > index a5b805b5526d..e4ba1de961e4 100644 > --- a/include/crypto/ecdh.h > +++ b/include/crypto/ecdh.h > @@ -25,6 +25,7 @@ > /* Curves IDs */ > #define ECC_CURVE_NIST_P192 0x0001 > #define ECC_CURVE_NIST_P256 0x0002 > +#define ECC_CURVE_NIST_P384 0x0003 > > /** > * struct ecdh - define an ECDH private key > diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h > index ff3cad9f8c1f..d656450dfc66 100644 > --- a/include/linux/oid_registry.h 
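Review bot: `.name = "nist_384"` in the `nist_p384` definition is load-bearing rather than cosmetic: the ecc.c patch in this series dispatches the fast reduction on `strncmp(curve->name, "nist_", 5)`, so a rename would silently route P-384 to the generic path, where its all-ones top qword would make it look like a pseudo-Mersenne prime, and nothing in this hunk would catch that. A comment at the field, `.name = "nist_384", /* "nist_" prefix selects the NIST fast reduction in ecc.c */`, makes the coupling visible. On style, the constant tables mix case — `0x8Eb1C71EF320AD74ull` in `nist_p384_g_x` and an all-lowercase `nist_p384_b` against otherwise upper-case hex; the values appear to match the published P-384 parameters, but uniform case makes that check by eye easier.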
> +++ b/include/linux/oid_registry.h
> @@ -19,10 +19,10 @@
> enum OID {
> OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
> OID_id_dsa, /* 1.2.840.10040.4.1 */
> - OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
> OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
> OID_id_prime192v1, /* 1.2.840.10045.3.1.1 */
> OID_id_prime256v1, /* 1.2.840.10045.3.1.7 */
> + OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
> OID_id_ecdsa_with_sha224, /* 1.2.840.10045.4.3.1 */
> OID_id_ecdsa_with_sha256, /* 1.2.840.10045.4.3.2 */
> OID_id_ecdsa_with_sha384, /* 1.2.840.10045.4.3.3 */
> @@ -64,6 +64,7 @@ enum OID {
>
> OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
> OID_sha1, /* 1.3.14.3.2.26 */
> + OID_id_secp384r1, /* 1.3.132.0.34 */
> OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
> OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
> OID_sha512, /* 2.16.840.1.101.3.4.2.3 */
This patch looks good to me.
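Review bot: Moving OID_id_ecdsa_with_sha1 below OID_id_prime256v1 in the first hunk renumbers every enum OID value between the old and new position, and the commit message lists the reorder without saying why; a one-line rationale such as `keep enum OID sorted by OID value (1.2.840.10045.4.1 sorts after 1.2.840.10045.3.1.7)`, or carrying the move as its own preparatory patch, would make clear that it is cosmetic and unrelated to adding P-384. The new OID_id_secp384r1 entry in the second hunk follows that same ordering (1.3.132.0.34 sits between 1.3.14.3.2.26 and 2.16.840.1.101.3.4.2.1) and keeps the one-OID-per-line comment format the rest of the enum uses. Nothing visible in the hunk depends on the numeric enum values, so the renumbering looks harmless, but the commit should say so rather than leave the reader to work it out.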
On 2/22/21 12:58 PM, Saulo Alessandre wrote: > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > * crypto/asymmetric_keys/x509_cert_parser.c > - prepare x509 parser to load nist_secp384r1 > > * crypto/ecc_curve_defs.h > - add nist_p384 params > > * include/crypto/ecdh.h > - add ECC_CURVE_NIST_P384 > > * include/linux/oid_registry.h > - reorder OID_id_ecdsa_with_sha1 > - add OID_id_secp384r1 > > Signed-off-by: Saulo Alessandre <saulo.alessandre@tse.jus.br> I would separate this patch into an x509: and certs: part since it touches two subsystems. I can take this series of patches and post my v9 including them at the end. This would make it easier for others to test. I would massage them a bit, including the separation of the 1st patch into 2 patches, if you don't mind, preserving your Signed-off-by. I need to fix something in my v8 regarding registration failure handling. Let me know whether this is fine with you. I had tested your patches over the weekend with my endless test tool creating keys in user space and loading them into the kernel. It worked fine for NIST p256 & p384. Also signing kernel modules with NIST p384 is working fine. So, for the series: Tested-by: Stefan Berger <stefanb@linux.ibm.com> Regards, Stefan
Em seg., 22 de fev. de 2021 às 17:26, Stefan Berger <stefanb@linux.ibm.com> escreveu: > > On 2/22/21 12:58 PM, Saulo Alessandre wrote: > > From: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > > > * crypto/asymmetric_keys/x509_cert_parser.c > > - prepare x509 parser to load nist_secp384r1 > > > > * crypto/ecc_curve_defs.h > > - add nist_p384 params > > > > * include/crypto/ecdh.h > > - add ECC_CURVE_NIST_P384 > > > > * include/linux/oid_registry.h > > - reorder OID_id_ecdsa_with_sha1 > > - add OID_id_secp384r1 > > > > Signed-off-by: Saulo Alessandre <saulo.alessandre@tse.jus.br> > > I would separate this patch into an x509: and certs: part since it > touches two subsystems. > > I can take this series of patches and post my v9 including them at the > end. This would make it easier for others to test. I would massage them > a bit, including the separation of the 1st patch into 2 patches, if you > don't mind, preserving your Signed-off-by. I need to fix something in my > v8 regarding registration failure handling. Let me know whether this is > fine with you. For me it's ok. > > I had tested your patches over the weekend with my endless test tool > creating keys in user space and loading them into the kernel. It worked > fine for NIST p256 & p384. Also signing kernel modules with NIST p384 is > working fine. > > So, for the series: > > Tested-by: Stefan Berger <stefanb@linux.ibm.com> > > Regards, > > Stefan > > Regards -- []'s ----- Saulo Alessandre <saulo.alessandre@gmail.com>