diff mbox series

[RFC,6/8] cert: add l_cert_pkcs5_pbkdf2_from_key_id

Message ID 20221118211624.19298-7-prestwoj@gmail.com (mailing list archive)
State New
Headers show
Series Crypto operations by key ID | expand

Checks

Context Check Description
tedd_an/pre-ci_am success Success

Commit Message

James Prestwood Nov. 18, 2022, 9:16 p.m. UTC
The same pbkdf2 algorithm but uses a key ID as the password.
---
 ell/cert-crypto.c | 27 +++++++++++++++++++++++++++
 ell/cert.h        |  6 +++++-
 ell/ell.sym       |  1 +
 3 files changed, 33 insertions(+), 1 deletion(-)

Comments

Denis Kenzior Nov. 22, 2022, 5:03 p.m. UTC | #1
Hi James,

On 11/18/22 15:16, James Prestwood wrote:
> The same pbkdf2 algorithm but uses a key ID as the password.
> ---
>   ell/cert-crypto.c | 27 +++++++++++++++++++++++++++
>   ell/cert.h        |  6 +++++-
>   ell/ell.sym       |  1 +
>   3 files changed, 33 insertions(+), 1 deletion(-)
> 

<snip>

> diff --git a/ell/cert.h b/ell/cert.h
> index f637588..ce430fa 100644
> --- a/ell/cert.h
> +++ b/ell/cert.h
> @@ -76,7 +76,11 @@ bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type, const char *password,
>   				const uint8_t *salt, size_t salt_len,
>   				unsigned int iter_count,
>   				uint8_t *out_dk, size_t dk_len);
> -
> +bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,

missing LIB_EXPORT?

> +					int32_t key_id, const uint8_t *salt,
> +					size_t salt_len,
> +					unsigned int iter_count,
> +					uint8_t *out_dk, size_t dk_len);

So personally I'd rather have l_cert_pkcs5_pbkdf2 take a struct l_checksum * as 
the first parameter instead of creating two almost identical constructors. 
Especially since we already would have a special l_checksum_hmac_* constructor 
that takes a key id.

Regards,
-Denis
diff mbox series

Patch

diff --git a/ell/cert-crypto.c b/ell/cert-crypto.c
index bf748b0..42f602e 100644
--- a/ell/cert-crypto.c
+++ b/ell/cert-crypto.c
@@ -200,6 +200,33 @@  LIB_EXPORT bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type,
 	return r;
 }
 
+LIB_EXPORT bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,
+						int32_t key_id,
+						const uint8_t *salt,
+						size_t salt_len,
+						unsigned int iter_count,
+						uint8_t *out_dk, size_t dk_len)
+{
+	size_t h_len;
+	struct l_checksum *checksum;
+	bool r;
+
+	h_len = cert_checksum_to_length(type);
+	if (!h_len)
+		return false;
+
+	checksum = l_checksum_new_hmac_from_key_id(type, key_id);
+	if (!checksum)
+		return false;
+
+	r = cert_pkcs5_pbkdf2(checksum, salt, salt_len, h_len, iter_count,
+				out_dk, dk_len);
+
+	l_checksum_free(checksum);
+
+	return r;
+}
+
 /* RFC7292 Appendix B */
 uint8_t *cert_pkcs12_pbkdf(const char *password,
 				const struct cert_pkcs12_hash *hash,
diff --git a/ell/cert.h b/ell/cert.h
index f637588..ce430fa 100644
--- a/ell/cert.h
+++ b/ell/cert.h
@@ -76,7 +76,11 @@  bool l_cert_pkcs5_pbkdf2(enum l_checksum_type type, const char *password,
 				const uint8_t *salt, size_t salt_len,
 				unsigned int iter_count,
 				uint8_t *out_dk, size_t dk_len);
-
+bool l_cert_pkcs5_pbkdf2_from_key_id(enum l_checksum_type type,
+					int32_t key_id, const uint8_t *salt,
+					size_t salt_len,
+					unsigned int iter_count,
+					uint8_t *out_dk, size_t dk_len);
 #ifdef __cplusplus
 }
 #endif
diff --git a/ell/ell.sym b/ell/ell.sym
index 08252b8..2572989 100644
--- a/ell/ell.sym
+++ b/ell/ell.sym
@@ -565,6 +565,7 @@  global:
 	l_cert_load_container_file;
 	l_cert_pkcs5_pbkdf1;
 	l_cert_pkcs5_pbkdf2;
+	l_cert_pkcs5_pbkdf2_from_key_id;
 	/* ecc */
 	l_ecc_supported_ike_groups;
 	l_ecc_supported_tls_groups;