[RFC,6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id

Message ID	20221118211624.19298-7-prestwoj@gmail.com (mailing list archive)
State	New
Headers	show Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5759BA48C for <ell@lists.linux.dev>; Fri, 18 Nov 2022 21:16:43 +0000 (UTC) From: James Prestwood <prestwoj@gmail.com> To: ell@lists.linux.dev Cc: James Prestwood <prestwoj@gmail.com> Subject: [RFC 6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id Date: Fri, 18 Nov 2022 13:16:22 -0800 Message-Id: <20221118211624.19298-7-prestwoj@gmail.com> In-Reply-To: <20221118211624.19298-1-prestwoj@gmail.com> References: <20221118211624.19298-1-prestwoj@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Crypto operations by key ID \| expand [RFC,0/8] Crypto operations by key ID [RFC,1/8] key: add l_key_search [RFC,2/8] unit: add key search test [RFC,3/8] checksum: commonize checksum creation [RFC,4/8] checksum: add l_checksum_new_hmac_from_key_id [RFC,5/8] cert-crypto: refactor l_cert_pkcs5_pbkdf2 [RFC,6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id [RFC,7/8] cert: add explicit length to l_cert_pkcs5_pbkdf2 [RFC,8/8] unit: update test-pbkdf2 with API change

Message ID

20221118211624.19298-7-prestwoj@gmail.com (mailing list archive)

State

New

Headers

From: James Prestwood <prestwoj@gmail.com>
To: ell@lists.linux.dev
Cc: James Prestwood <prestwoj@gmail.com>
Subject: [RFC 6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id
Date: Fri, 18 Nov 2022 13:16:22 -0800
Message-Id: <20221118211624.19298-7-prestwoj@gmail.com>
In-Reply-To: <20221118211624.19298-1-prestwoj@gmail.com>
References: <20221118211624.19298-1-prestwoj@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Crypto operations by key ID | expand

Context	Check	Description
tedd_an/pre-ci_am	success	Success

Context

Check

Description

tedd_an/pre-ci_am

success

Success

The same pbkdf2 algorithm but uses a key ID as the password. --- ell/cert-crypto.c | 27 +++++++++++++++++++++++++++ ell/cert.h | 6 +++++- ell/ell.sym | 1 + 3 files changed, 33 insertions(+), 1 deletion(-)

Comments

Denis Kenzior Nov. 22, 2022, 5:03 p.m. UTC | #1

Hi James,

On 11/18/22 15:16, James Prestwood wrote:
> The same pbkdf2 algorithm but uses a key ID as the password.
> ---
>   ell/cert-crypto.c | 27 +++++++++++++++++++++++++++
>   ell/cert.h        |  6 +++++-
>   ell/ell.sym       |  1 +
>   3 files changed, 33 insertions(+), 1 deletion(-)
> 

<snip>

> diff --git a/ell/cert.h b/ell/cert.h
> index f637588..ce430fa 100644
> --- a/ell/cert.h
> +++ b/ell/cert.h
> @@ -76,7 +76,11 @@ bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type, const char *password,
>   				const uint8_t *salt, size_t salt_len,
>   				unsigned int iter_count,
>   				uint8_t *out_dk, size_t dk_len);
> -
> +bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,

missing LIB_EXPORT?

> +					int32_t key_id, const uint8_t *salt,
> +					size_t salt_len,
> +					unsigned int iter_count,
> +					uint8_t *out_dk, size_t dk_len);

So personally I'd rather have l_cert_pkcs5_pbkdf2 take a struct l_checksum * as 
the first parameter instead of creating two almost identical constructors. 
Especially since we already would have a special l_checksum_hmac_* constructor 
that takes a key id.

Regards,
-Denis

diff --git a/ell/cert-crypto.c b/ell/cert-crypto.c
index bf748b0..42f602e 100644
--- a/ell/cert-crypto.c
+++ b/ell/cert-crypto.c
@@ -200,6 +200,33 @@  LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
 	return r;
 }
 
+LIB_EXPORT bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,
+						int32_t key_id,
+						const uint8_t *salt,
+						size_t salt_len,
+						unsigned int iter_count,
+						uint8_t *out_dk, size_t dk_len)
+{
+	size_t h_len;
+	struct l_checksum *checksum;
+	bool r;
+
+	h_len = cert_checksum_to_length(type);
+	if (!h_len)
+		return false;
+
+	checksum = l_checksum_new_hmac_from_key_id(type, key_id);
+	if (!checksum)
+		return false;
+
+	r = cert_pkcs5_pbkdf2(checksum, salt, salt_len, h_len, iter_count,
+				out_dk, dk_len);
+
+	l_checksum_free(checksum);
+
+	return r;
+}
+
 /* RFC7292 Appendix B */
 uint8_t *cert_pkcs12_pbkdf(const char *password,
 				const struct cert_pkcs12_hash *hash,
diff --git a/ell/cert.h b/ell/cert.h
index f637588..ce430fa 100644
--- a/ell/cert.h
+++ b/ell/cert.h
@@ -76,7 +76,11 @@  bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type, const char *password,
 				const uint8_t *salt, size_t salt_len,
 				unsigned int iter_count,
 				uint8_t *out_dk, size_t dk_len);
-
+bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,
+					int32_t key_id, const uint8_t *salt,
+					size_t salt_len,
+					unsigned int iter_count,
+					uint8_t *out_dk, size_t dk_len);
 #ifdef __cplusplus
 }
 #endif
diff --git a/ell/ell.sym b/ell/ell.sym
index 08252b8..2572989 100644
--- a/ell/ell.sym
+++ b/ell/ell.sym
@@ -565,6 +565,7 @@  global:
 	l_cert_load_container_file;
 	l_cert_pkcs5_pbkdf1;
 	l_cert_pkcs5_pbkdf2;
+	l_cert_pkcs5_pbkdf2_from_key_id;
 	/* ecc */
 	l_ecc_supported_ike_groups;
 	l_ecc_supported_tls_groups;

[RFC,6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id

Checks

Commit Message

Comments

Patch