(/usr/bin/git 2025-02-03, commit: cb6bc27)
Implementation of signature checking. More...
#include "sig.h"#include <linux/keyctl.h>#include <pthread.h>#include <stdlib.h>#include <sys/syscall.h>#include <unistd.h>#include "common.h"#include "fseries.h"#include "logio.h"#include "mbedtls/error.h"#include "mbedtls/pk.h"#include "mbedtls/sha256.h"#include "mbedtls/version.h"
Macros | |
| #define | CRINIT_SIGNATURE_PK_DATA_MAX_SIZE 4096uL |
| Maximum supported size of a signature file. | |
| #define | CRINIT_RSASSA_PSS_HASH_SIZE 32uL |
| Size of a hash result in the used signature algorithm. | |
| #define | CRINIT_SIGNATURE_PK_PEM_EXTENSION ".pem" |
| File extension of PEM-encoded keys. | |
| #define | CRINIT_SIGNATURE_PK_DER_EXTENSION ".der" |
| File extension of DER-encoded keys. | |
| #define | CRINIT_MBEDTLS_ERR_MAX_LEN 128 |
| Maximum length of a string generated by mbedtls_strerror() | |
| #define | crinitKeyctlRead(keyID, pld, pldSz) syscall(SYS_keyctl, KEYCTL_READ, keyID, pld, pldSz, 0) |
| #define | crinitKeyctlSearch(keyringID, keyType, keyDesc) syscall(SYS_keyctl, KEYCTL_SEARCH, keyringID, keyType, keyDesc, 0) |
Functions | |
| static int | crinitGenerateHash (uint8_t *dataHash, const uint8_t *data, size_t dataSz) |
| static int | crinitLoadAndVerifySignedKeysFromFileSeries (mbedtls_pk_context *tgt, const crinitFileSeries_t *src, bool pemFmt) |
| int | crinitSigSubsysInit (char *rootKeyDesc) |
| void | crinitSigSubsysDestroy (void) |
| int | crinitLoadAndVerifySignedKeys (char *sigKeyDir) |
| int | crinitVerifySignature (const uint8_t *data, size_t dataSz, const uint8_t *signature) |
Variables | ||
| struct { | ||
| mbedtls_pk_context rootKey | ||
| MbedTLS context to be initialized with the root public key. More... | ||
| mbedtls_pk_context * signedKeys | ||
| Array of MbedTLS contexts to be inited with signed downstream public keys. More... | ||
| size_t numSignedKeys | ||
| Number of initialized downstream key contexts. More... | ||
| pthread_mutex_t lock | ||
| Mutex synchronizing concurrent access to this structure. More... | ||
| } | crinitSigCtx | |
Detailed Description
Implementation of signature checking.
Macro Definition Documentation
◆ CRINIT_MBEDTLS_ERR_MAX_LEN
| #define CRINIT_MBEDTLS_ERR_MAX_LEN 128 |
Maximum length of a string generated by mbedtls_strerror()
◆ CRINIT_RSASSA_PSS_HASH_SIZE
| #define CRINIT_RSASSA_PSS_HASH_SIZE 32uL |
Size of a hash result in the used signature algorithm.
◆ CRINIT_SIGNATURE_PK_DATA_MAX_SIZE
| #define CRINIT_SIGNATURE_PK_DATA_MAX_SIZE 4096uL |
Maximum supported size of a signature file.
◆ CRINIT_SIGNATURE_PK_DER_EXTENSION
| #define CRINIT_SIGNATURE_PK_DER_EXTENSION ".der" |
File extension of DER-encoded keys.
◆ CRINIT_SIGNATURE_PK_PEM_EXTENSION
| #define CRINIT_SIGNATURE_PK_PEM_EXTENSION ".pem" |
File extension of PEM-encoded keys.
◆ crinitKeyctlRead
| #define crinitKeyctlRead | ( | keyID, | |
| pld, | |||
| pldSz | |||
| ) | syscall(SYS_keyctl, KEYCTL_READ, keyID, pld, pldSz, 0) |
Convenience wrapper macro for the read operation of the keyctl system call.
See https://man7.org/linux/man-pages/man2/keyctl.2.html
- Parameters
-
keyID They key ID to read the payload from (int32_t). pld Return pointer where the payload gets written (char *). pldSz Size of the payload buffer (size_t).
- Returns
- The length of the key's payload on success, -1 otherwise.
◆ crinitKeyctlSearch
| #define crinitKeyctlSearch | ( | keyringID, | |
| keyType, | |||
| keyDesc | |||
| ) | syscall(SYS_keyctl, KEYCTL_SEARCH, keyringID, keyType, keyDesc, 0) |
Convenience wrapper macro for the search operation of the keyctl system call.
See https://man7.org/linux/man-pages/man2/keyctl.2.html
- Parameters
-
keyringID ID of the keyring to search in (int32_t). Search is recursive for all nested keyrings with searchpermission.keyType The type of the key to search for (char *, see man page). keyDesc The description string of the key to search for (char *).
- Returns
- The key's ID (as int32_t) on success, -1 otherwise.
Function Documentation
◆ crinitGenerateHash()
|
static |
Calculates the Hash value used to verify the data against a signature.
- Parameters
-
dataHash Output pointer, where the computed hash value is written as a byte array. Must have a size of at least CRINIT_RSASSA_PSS_HASH_SIZE Bytes. data Input pointer to an array of bytes containing the data to be hashed. dataSz Size in Bytes of the input data.
- Returns
- 0 on success, -1 otherwise
◆ crinitLoadAndVerifySignedKeys()
| int crinitLoadAndVerifySignedKeys | ( | char * | sigKeyDir | ) |
Searches given directory for signed public keys and loads them into the signature subsystem.
Signatures of the loaded keys must match the root key.
If the signed downstream public keys should be used to verify configuration files, this function must be called before parsing them.
Keys may be in DER (.der) or PEM (.pem) format and must each have a signature file (e.g. <keyfile>.pem.sig) in the same directory.
- Parameters
-
sigKeyDir The path to the directory from where to load/verify the keys.
- Returns
- 0 on success, -1 otherwise
◆ crinitLoadAndVerifySignedKeysFromFileSeries()
|
static |
Given a set of signed public key files, verify their signatures, and generate MbedTLS contexts from them.
- Parameters
-
tgt The array of MbedTLS contexts to be initialized with the public keys, memory will be allocated. src The crinitFileSeries_t containing the set of signed public key files. pemFmt If the key files are in PEM (true) or DER (false) format.
- Returns
- 0 on success, -1 otherwise
◆ crinitSigSubsysDestroy()
| void crinitSigSubsysDestroy | ( | void | ) |
Frees memory allocated by crinitSigSubsysInit().
After calling this function no other functions from this header file may be used.
◆ crinitSigSubsysInit()
| int crinitSigSubsysInit | ( | char * | rootKeyDesc | ) |
Initializes the Crinit signature subsystem.
Will read the root key from Kernel user keyring.
This function must be called once before any other function from this header file is used.
- Parameters
-
rootKeyDesc The key description value to search for the root key in the user keyring.
- Returns
- 0 on success, -1 otherwise.
◆ crinitVerifySignature()
| int crinitVerifySignature | ( | const uint8_t * | data, |
| size_t | dataSz, | ||
| const uint8_t * | signature | ||
| ) |
Verify the signature of arbitrary data using the keys loaded to the signature subsystem.
See crinitSigSubsysInit() and crinitLoadAndVerifySignedKeys() for information on prior subsytem setup.
Verification uses the RSA-PSS algorithm with SHA256 hashes. It will check the hashed data against all loaded keys. If one matches, verification is passed.
- Parameters
-
data The data array to check against the signature. dataSz The number of elements in the data array. signature A byte array containing the signature, must be of CRINIT_RSASSA_PSS_SIGNATURE_SIZE.
- Returns
- 0 on success, -1 otherwise
Variable Documentation
◆ [struct]
| struct { ... } crinitSigCtx |
Structure holding the current context of the signature verification subsystem.
◆ lock
| pthread_mutex_t lock |
Mutex synchronizing concurrent access to this structure.
◆ numSignedKeys
| size_t numSignedKeys |
Number of initialized downstream key contexts.
◆ rootKey
| mbedtls_pk_context rootKey |
MbedTLS context to be initialized with the root public key.
◆ signedKeys
| mbedtls_pk_context* signedKeys |
Array of MbedTLS contexts to be inited with signed downstream public keys.
