(/usr/bin/git 2025-03-14, commit: 3f3d877)
Header related to signature checking. More...
#include <stddef.h>#include <stdint.h>
Go to the source code of this file.
Macros | |
| #define | CRINIT_SIGNATURE_DEFAULT_ROOT_KEY_DESC "crinit-root" |
| #define | CRINIT_SIGNATURE_FILE_SUFFIX ".sig" |
| #define | CRINIT_RSASSA_PSS_SIGNATURE_SIZE 512uL |
Functions | |
| int | crinitSigSubsysInit (char *rootKeyDesc) |
| void | crinitSigSubsysDestroy (void) |
| int | crinitLoadAndVerifySignedKeys (char *sigKeyDir) |
| int | crinitVerifySignature (const uint8_t *data, size_t dataSz, const uint8_t *signature) |
Detailed Description
Header related to signature checking.
Macro Definition Documentation
◆ CRINIT_RSASSA_PSS_SIGNATURE_SIZE
| #define CRINIT_RSASSA_PSS_SIGNATURE_SIZE 512uL |
The size in bytes of a signature as used by crinit.
◆ CRINIT_SIGNATURE_DEFAULT_ROOT_KEY_DESC
| #define CRINIT_SIGNATURE_DEFAULT_ROOT_KEY_DESC "crinit-root" |
The key description of the root public key within the user keyring.
◆ CRINIT_SIGNATURE_FILE_SUFFIX
| #define CRINIT_SIGNATURE_FILE_SUFFIX ".sig" |
The filename suffix identifying signature files.
Function Documentation
◆ crinitLoadAndVerifySignedKeys()
| int crinitLoadAndVerifySignedKeys | ( | char * | sigKeyDir | ) |
Searches given directory for signed public keys and loads them into the signature subsystem.
Signatures of the loaded keys must match the root key.
If the signed downstream public keys should be used to verify configuration files, this function must be called before parsing them.
Keys may be in DER (.der) or PEM (.pem) format and must each have a signature file (e.g. <keyfile>.pem.sig) in the same directory.
- Parameters
-
sigKeyDir The path to the directory from where to load/verify the keys.
- Returns
- 0 on success, -1 otherwise
◆ crinitSigSubsysDestroy()
| void crinitSigSubsysDestroy | ( | void | ) |
Frees memory allocated by crinitSigSubsysInit().
After calling this function no other functions from this header file may be used.
◆ crinitSigSubsysInit()
| int crinitSigSubsysInit | ( | char * | rootKeyDesc | ) |
Initializes the Crinit signature subsystem.
Will read the root key from Kernel user keyring.
This function must be called once before any other function from this header file is used.
- Parameters
-
rootKeyDesc The key description value to search for the root key in the user keyring.
- Returns
- 0 on success, -1 otherwise.
◆ crinitVerifySignature()
| int crinitVerifySignature | ( | const uint8_t * | data, |
| size_t | dataSz, | ||
| const uint8_t * | signature | ||
| ) |
Verify the signature of arbitrary data using the keys loaded to the signature subsystem.
See crinitSigSubsysInit() and crinitLoadAndVerifySignedKeys() for information on prior subsytem setup.
Verification uses the RSA-PSS algorithm with SHA256 hashes. It will check the hashed data against all loaded keys. If one matches, verification is passed.
- Parameters
-
data The data array to check against the signature. dataSz The number of elements in the data array. signature A byte array containing the signature, must be of CRINIT_RSASSA_PSS_SIGNATURE_SIZE.
- Returns
- 0 on success, -1 otherwise
