Re: [PATCH v6 3/8] crypto: Introduce x509 utils

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Dorjoy Chowdhury <dorjoychy111@gmail.com>
Cc: qemu-devel@nongnu.org, graf@amazon.com, agraf@csgraf.de,
	stefanha@redhat.com, pbonzini@redhat.com, slp@redhat.com,
	richard.henderson@linaro.org, eduardo@habkost.net,
	mst@redhat.com, marcel.apfelbaum@gmail.com, philmd@linaro.org
Subject: Re: [PATCH v6 3/8] crypto: Introduce x509 utils
Date: Fri, 6 Sep 2024 14:50:18 +0100	[thread overview]
Message-ID: <ZtsImlL43_dzUTp9@redhat.com> (raw)
In-Reply-To: <20240905195735.16911-4-dorjoychy111@gmail.com>

On Fri, Sep 06, 2024 at 01:57:30AM +0600, Dorjoy Chowdhury wrote:
> An utility function for getting fingerprint from X.509 certificate
> has been introduced. Implementation only provided using gnutls.
> 
> Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
> ---
>  crypto/meson.build          |  4 ++
>  crypto/x509-utils.c         | 75 +++++++++++++++++++++++++++++++++++++
>  include/crypto/x509-utils.h | 22 +++++++++++
>  3 files changed, 101 insertions(+)
>  create mode 100644 crypto/x509-utils.c
>  create mode 100644 include/crypto/x509-utils.h


> +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
> +                                      QCryptoHashAlgorithm alg,
> +                                      uint8_t *result,
> +                                      size_t *resultlen,
> +                                      Error **errp)
> +{
> +    int ret;
> +    gnutls_x509_crt_t crt;
> +    gnutls_datum_t datum = {.data = cert, .size = size};
> +
> +    if (alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
> +        error_setg(errp, "Unknown hash algorithm");
> +        return -1;
> +    }
> +
> +    if (result == NULL) {
> +        error_setg(errp, "No valid buffer given");
> +        return -1;
> +    }
> +
> +    gnutls_x509_crt_init(&crt);
> +
> +    if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM) != 0) {
> +        error_setg(errp, "Failed to import certificate");
> +        goto cleanup;
> +    }
> +
> +    ret = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]);
> +    if (*resultlen < ret) {
> +        error_setg(errp,
> +                   "Result buffer size %zu is smaller than hash %d",
> +                   *resultlen, ret);
> +        goto cleanup;
> +    }
> +
> +    if (gnutls_x509_crt_get_fingerprint(crt,
> +                                        qcrypto_to_gnutls_hash_alg_map[alg],
> +                                        result, resultlen) != 0) {
> +        error_setg(errp, "Failed to get fingerprint from certificate");
> +        goto cleanup;
> +    }
> +
> +    return 0;
> +
> + cleanup:
> +    gnutls_x509_crt_deinit(crt);
> +    return -1;
> +}

This fails to call gnutls_x509_crt_deinit in the success path.

I'm going to squash in the following change:


diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
index 593eb8968b..6e157af76b 100644
--- a/crypto/x509-utils.c
+++ b/crypto/x509-utils.c
@@ -31,7 +31,8 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
                                       size_t *resultlen,
                                       Error **errp)
 {
-    int ret;
+    int ret = -1;
+    int hlen;
     gnutls_x509_crt_t crt;
     gnutls_datum_t datum = {.data = cert, .size = size};
 
@@ -52,11 +53,11 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
         goto cleanup;
     }
 
-    ret = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]);
-    if (*resultlen < ret) {
+    hlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]);
+    if (*resultlen < hlen) {
         error_setg(errp,
                    "Result buffer size %zu is smaller than hash %d",
-                   *resultlen, ret);
+                   *resultlen, hlen);
         goto cleanup;
     }
 
@@ -67,9 +68,9 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
         goto cleanup;
     }
 
-    return 0;
+    ret = 0;
 
  cleanup:
     gnutls_x509_crt_deinit(crt);
-    return -1;
+    return ret;
 }



With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

next prev parent reply	other threads:[~2024-09-06 13:51 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-05 19:57 [PATCH v6 0/8] AWS Nitro Enclave emulation support Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 1/8] crypto: Define macros for hash algorithm digest lengths Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 2/8] crypto: Support SHA384 hash when using glib Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 3/8] crypto: Introduce x509 utils Dorjoy Chowdhury
2024-09-06 13:50   ` Daniel P. Berrangé [this message]
2024-09-06 14:07     ` Dorjoy Chowdhury
2024-09-06 14:48     ` Philippe Mathieu-Daudé
2024-09-05 19:57 ` [PATCH v6 4/8] tests/lcitool: Update libvirt-ci and add libcbor dependency Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 5/8] device/virtio-nsm: Support for Nitro Secure Module device Dorjoy Chowdhury
2024-09-15 19:26   ` Michael S. Tsirkin
2024-09-15 19:46     ` Dorjoy Chowdhury
2024-09-15 20:09       ` Michael S. Tsirkin
2024-09-15 20:11   ` Michael S. Tsirkin
2024-09-05 19:57 ` [PATCH v6 6/8] hw/core: Add Enclave Image Format (EIF) related helpers Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 7/8] machine/nitro-enclave: New machine type for AWS Nitro Enclaves Dorjoy Chowdhury
2024-09-05 19:57 ` [PATCH v6 8/8] docs/nitro-enclave: Documentation for nitro-enclave machine type Dorjoy Chowdhury
2024-09-06 13:53 ` [PATCH v6 0/8] AWS Nitro Enclave emulation support Daniel P. Berrangé
2024-09-15 18:26 ` Dorjoy Chowdhury
2024-09-22  9:51   ` Dorjoy Chowdhury

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:593eb8968 dfblob:6e157af76 )
 OR (
bs:"Re: [PATCH v6 3/8] crypto: Introduce x509 utils" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZtsImlL43_dzUTp9@redhat.com \
    --to=berrange@redhat.com \
    --cc=agraf@csgraf.de \
    --cc=dorjoychy111@gmail.com \
    --cc=eduardo@habkost.net \
    --cc=graf@amazon.com \
    --cc=marcel.apfelbaum@gmail.com \
    --cc=mst@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=philmd@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=slp@redhat.com \
    --cc=stefanha@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.