[0/7] crypto: add eddsa support for x509

Message ID 1620828254-25545-1-git-send-email-herbert.tencent@gmail.com

Message

Hongbo Li May 12, 2021, 2:04 p.m. UTC
From: Hongbo Li <herberthbli@tencent.com>

This series of patches adds support for x509 certs signed by eddsa,
which is described in RFC8032 [1], currently ed25519 only.

According to RFC8032 section 4 [2], there are two variants: PureEdDSA and
HashEdDSA. These patches support PureEdDSA, which is named Ed25519.

Patch1 fixes a memory leak bug in sm2.

Patch2 fixes a mpi_resize bug; this bug will cause eddsa verification to fail.

Patch3 exports some mpi common functions.

Patch4 makes x509 layer support eddsa.

Patch5 moves some common code in sm2 to separate files. This code is also
       used by eddsa.

Patch6 is the implementation of eddsa verification according to RFC8032
       section 5.1.7 [3].

Patch7 adds a test vector for eddsa.

Tested with the following script:

keyctl newring test @u

while :; do
    certfile="cert.der"

    openssl req \
            -x509 \
            -newkey ED25519 \
            -keyout key.pem \
            -days 365 \
            -subj '/CN=test' \
            -nodes \
            -outform der \
            -out "${certfile}" 2>/dev/null

    exp=0
    id=$(keyctl padd asymmetric testkey %keyring:test < "${certfile}")
    rc=$?
    if [ $rc -ne $exp ]; then
        case "$exp" in
            0) echo "Error: Could not load ed25519 certificate $certfile!";
        esac
        exit 1
    else
        case "$rc" in
            0) printf "load ed25519 cert keyid: %-10s\n" "$id";
        esac
    fi
done

Best Regards

Hongbo

[1] https://datatracker.ietf.org/doc/html/rfc8032
[2] https://datatracker.ietf.org/doc/html/rfc8032#section-4
[3] https://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7

Hongbo Li (7):
  crypto: fix a memory leak in sm2
  lib/mpi: use kcalloc in mpi_resize
  lib/mpi: export some common function
  x509: add support for eddsa
  crypto: move common code in sm2 to ec_mpi.c and ec_mpi.h
  crypto: support ed25519 x509 cert
  crypto: add eddsa test vector

 crypto/Kconfig                            |  15 ++++
 crypto/Makefile                           |   4 +
 crypto/asymmetric_keys/public_key.c       |  73 +++++++++++++--
 crypto/asymmetric_keys/x509_cert_parser.c |  14 ++-
 crypto/asymmetric_keys/x509_public_key.c  |   4 +-
 crypto/sm2.c                              | 104 +---------------------
 crypto/testmgr.c                          |   6 ++
 crypto/testmgr.h                          |  32 +++++++
 include/linux/oid_registry.h              |   1 +
 lib/mpi/mpi-add.c                         |   4 +-
 lib/mpi/mpiutil.c                         |   2 +-
 11 files changed, 146 insertions(+), 113 deletions(-)

Comments

Eric Biggers May 12, 2021, 7:11 p.m. UTC | #1
On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote:
> From: Hongbo Li <herberthbli@tencent.com>
>
> This series of patches add support for x509 cert signed by eddsa,
> which is described in RFC8032 [1], currently ed25519 only.

It would be helpful to explain how this is related to the kernel's existing
Curve25519 support.

- Eric
Eric Biggers May 17, 2021, 9:21 p.m. UTC | #2
On Thu, May 13, 2021 at 02:44:07PM +0000, herberthbli(李弘博) wrote:
> On 2021/5/13 3:12, Eric Biggers wrote:
>
> On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote:
>
> From: Hongbo Li <herberthbli@tencent.com>
>
> This series of patches add support for x509 cert signed by eddsa,
> which is described in RFC8032 [1], currently ed25519 only.
>
> It would be helpful to explain how this is related to the kernel's existing
> Curve25519 support.
>
> - Eric
>
> Curve25519 is an elliptic curve used for key agreement (ECDH). It is a Montgomery curve.
>
> Edwards25519 is a twisted Edwards curve and birationally equivalent to Curve25519, the
> birational maps are described in rfc7748 section 4.1.
> https://datatracker.ietf.org/doc/html/rfc7748#section-4.1
>
> Ed25519 is a Digital Signature Algorithm over Edwards25519.

Sure, but what does that mean in terms of code.  Can you reuse any of the code,
and if not why not?  I *think* the answer is no, but this is a common point of
confusion, so it would be helpful to properly explain this...

- Eric
Hongbo Li May 18, 2021, 11:40 a.m. UTC | #3
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> wrote on Fri, May 14, 2021 at 12:52 PM:
>
> Hi Hongbo,
>
> On 5/12/21 10:04 PM, Hongbo Li wrote:
> > From: Hongbo Li <herberthbli@tencent.com>
> >
> > SM2 module alloc ec->Q in sm2_set_pub_key(), when doing alg test in
> > test_akcipher_one(), it will set public key for every test vector,
> > and don't free ec->Q. This will cause a memory leak.
> >
> > This patch alloc ec->Q in sm2_ec_ctx_init().
> >
> > Signed-off-by: Hongbo Li <herberthbli@tencent.com>
> > ---
> >   crypto/sm2.c | 24 ++++++++++--------------
> >   1 file changed, 10 insertions(+), 14 deletions(-)
> >
> > diff --git a/crypto/sm2.c b/crypto/sm2.c
> > index b21addc..db8a4a2 100644
> > --- a/crypto/sm2.c
> > +++ b/crypto/sm2.c
> > @@ -79,10 +79,17 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> >               goto free;
> >
> >       rc = -ENOMEM;
> > +
> > +     ec->Q = mpi_point_new(0);
> > +     if (!ec->Q)
> > +             goto free;
> > +
> >       /* mpi_ec_setup_elliptic_curve */
> >       ec->G = mpi_point_new(0);
> > -     if (!ec->G)
> > +     if (!ec->G) {
> > +             mpi_point_release(ec->Q);
> >               goto free;
> > +     }
> >
> >       mpi_set(ec->G->x, x);
> >       mpi_set(ec->G->y, y);
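Review bot: In the new "if (!ec->G)" branch, mpi_point_release(ec->Q) leaves ec->Q pointing at a released point before the goto free. The error path this patch removes from sm2_set_pub_key() cleared the pointer with "ec->Q = NULL;" after releasing it; do the same here, or state in the commit message that nothing reached from the free label or from the caller's cleanup touches ec->Q again.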
> > @@ -91,6 +98,7 @@ static int sm2_ec_ctx_init(struct mpi_ec_ctx *ec)
> >       rc = -EINVAL;
> >       ec->n = mpi_scanval(ecp->n);
> >       if (!ec->n) {
> > +             mpi_point_release(ec->Q);
> >               mpi_point_release(ec->G);
> >               goto free;
> >       }
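Review bot: The "if (!ec->n)" branch now carries two inline release calls, and every allocation added to sm2_ec_ctx_init() later would have to repeat them in each subsequent failure branch. Unwinding labels placed ahead of free (one releasing ec->G, one releasing ec->Q) would keep the cleanup order in one place and make a missed release harder to introduce.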
> > @@ -386,27 +394,15 @@ static int sm2_set_pub_key(struct crypto_akcipher *tfm,
> >       MPI a;
> >       int rc;
> >
> > -     ec->Q = mpi_point_new(0);
> > -     if (!ec->Q)
> > -             return -ENOMEM;
> > -
> >       /* include the uncompressed flag '0x04' */
> > -     rc = -ENOMEM;
> >       a = mpi_read_raw_data(key, keylen);
> >       if (!a)
> > -             goto error;
> > +             return -ENOMEM;
> >
> >       mpi_normalize(a);
> >       rc = sm2_ecc_os2ec(ec->Q, a);
> >       mpi_free(a);
> > -     if (rc)
> > -             goto error;
> > -
> > -     return 0;
> >
> > -error:
> > -     mpi_point_release(ec->Q);
> > -     ec->Q = NULL;
> >       return rc;
> >   }
> >
> >
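Review bot: sm2_set_pub_key() now returns rc straight from sm2_ecc_os2ec(ec->Q, a) and no longer resets ec->Q when that call fails. Because ec->Q is allocated once and reused across calls, a rejected key may leave the point holding the previous key or partially written coordinates, whereas the removed error path released it and set it to NULL. Consider clearing the point on the error path so a later operation cannot run against a key that was never accepted, and say in the commit message which behaviour is intended.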
>
> Thanks a lot for fixing this issue.
>
> Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
>
> Also added:
>
> Cc: stable@vger.kernel.org # v5.10+
>
> Best regards,
> Tianjia

Thank you for your review!
Regards,
Hongbo
Hongbo Li May 18, 2021, 1:57 p.m. UTC | #4
Eric Biggers <ebiggers@kernel.org> wrote on Tue, May 18, 2021 at 5:21 AM:
>
> On Thu, May 13, 2021 at 02:44:07PM +0000, herberthbli(李弘博) wrote:
> > On 2021/5/13 3:12, Eric Biggers wrote:
> >
> > On Wed, May 12, 2021 at 10:04:07PM +0800, Hongbo Li wrote:
> >
> > From: Hongbo Li <herberthbli@tencent.com>
> >
> > This series of patches add support for x509 cert signed by eddsa,
> > which is described in RFC8032 [1], currently ed25519 only.
> >
> > It would be helpful to explain how this is related to the kernel's existing
> > Curve25519 support.
> >
> > - Eric
> >
> > Curve25519 is an elliptic curve used for key agreement (ECDH). It is a Montgomery curve.
> >
> > Edwards25519 is a twisted Edwards curve and birationally equivalent to Curve25519, the
> > birational maps are described in rfc7748 section 4.1.
> > https://datatracker.ietf.org/doc/html/rfc7748#section-4.1
> >
> > Ed25519 is a Digital Signature Algorithm over Edwards25519.
>
> Sure, but what does that mean in terms of code.  Can you reuse any of the code,
> and if not why not?  I *think* the answer is no, but this is a common point of
> confusion, so it would be helpful to properly explain this...
>
> - Eric

Thank you for your review. No, the eddsa can't reuse the code of curve25519.
I'll also explain this in the next version of patches.
Regards,
Hongbo
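
The Curve25519/Edwards25519 relationship raised in this thread (RFC 7748 section 4.1), worked through as an added Python sketch; it is not code from the series or the kernel, and all function names are illustrative. It maps the Ed25519 base point to Montgomery coordinates and shows that (x, y) and (-x, y) share one u-coordinate, which is all X25519 works with, while an Ed25519 encoding also carries the sign of x.

```python
# Added illustration (not from the thread): the RFC 7748 section 4.1 map
# between edwards25519 (Ed25519) and curve25519 (X25519) coordinates.
P = 2**255 - 19                       # field prime shared by both curves
A = 486662                            # Montgomery coefficient of curve25519

def inv(x):
    return pow(x, P - 2, P)           # modular inverse (Fermat)

D = -121665 * inv(121666) % P         # edwards25519 constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)     # a square root of -1 mod P

def sqrt_mod(a):
    """Square root mod P (P = 5 mod 8), as in RFC 8032 section 5.1.3."""
    a %= P
    r = pow(a, (P + 3) // 8, P)
    if (r * r - a) % P:
        r = r * SQRT_M1 % P
    if (r * r - a) % P:
        raise ValueError("not a square mod P")
    return r

def recover_x(y, sign):
    """Recover x from y and the sign bit carried in an Ed25519 encoding."""
    x = sqrt_mod((y * y - 1) * inv(D * y * y + 1))
    return x if (x & 1) == sign else P - x

def on_edwards(x, y):                 # -x^2 + y^2 = 1 + d*x^2*y^2
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def on_montgomery(u, v):              # v^2 = u^3 + A*u^2 + u
    return (v * v - (u**3 + A * u * u + u)) % P == 0

def edwards_to_montgomery(x, y):
    """(u, v) = ((1+y)/(1-y), sqrt(-486664)*u/x)."""
    u = (1 + y) * inv(1 - y) % P
    v = sqrt_mod(-486664) * u * inv(x) % P
    return u, v

def base_point():
    """Ed25519 base point B: y = 4/5, x even (sign bit 0)."""
    y = 4 * inv(5) % P
    return recover_x(y, 0), y

if __name__ == "__main__":
    x, y = base_point()
    u, v = edwards_to_montgomery(x, y)
    print("B on edwards25519:", on_edwards(x, y))
    print("maps to u =", u, "on curve25519:", on_montgomery(u, v))
    # (x, y) and (-x, y) share one u: the u-only form drops the sign of x
    print("same u for -x:", edwards_to_montgomery(P - x, y)[0] == u)
```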