From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Hyman Huang" <yong.huang@smartx.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Eric Blake" <eblake@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Hanna Reitz" <hreitz@redhat.com>,
qemu-block@nongnu.org, qemu-stable@nongnu.org,
"Laurent Vivier" <lvivier@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Dorjoy Chowdhury" <dorjoychy111@gmail.com>
Subject: [PULL 10/10] crypto: Introduce x509 utils
Date: Mon, 9 Sep 2024 15:16:35 +0100 [thread overview]
Message-ID: <20240909141635.1459701-11-berrange@redhat.com> (raw)
In-Reply-To: <20240909141635.1459701-1-berrange@redhat.com>
From: Dorjoy Chowdhury <dorjoychy111@gmail.com>
An utility function for getting fingerprint from X.509 certificate
has been introduced. Implementation only provided using gnutls.
Signed-off-by: Dorjoy Chowdhury <dorjoychy111@gmail.com>
[DB: fixed missing gnutls_x509_crt_deinit in success path]
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/meson.build | 4 ++
crypto/x509-utils.c | 76 +++++++++++++++++++++++++++++++++++++
include/crypto/x509-utils.h | 22 +++++++++++
3 files changed, 102 insertions(+)
create mode 100644 crypto/x509-utils.c
create mode 100644 include/crypto/x509-utils.h
diff --git a/crypto/meson.build b/crypto/meson.build
index c46f9c22a7..735635de1f 100644
--- a/crypto/meson.build
+++ b/crypto/meson.build
@@ -24,6 +24,10 @@ crypto_ss.add(files(
'rsakey.c',
))
+if gnutls.found()
+ crypto_ss.add(files('x509-utils.c'))
+endif
+
if nettle.found()
crypto_ss.add(nettle, files('hash-nettle.c', 'hmac-nettle.c', 'pbkdf-nettle.c'))
if hogweed.found()
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
new file mode 100644
index 0000000000..6e157af76b
--- /dev/null
+++ b/crypto/x509-utils.c
@@ -0,0 +1,76 @@
+/*
+ * X.509 certificate related helpers
+ *
+ * Copyright (c) 2024 Dorjoy Chowdhury <dorjoychy111@gmail.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * (at your option) any later version. See the COPYING file in the
+ * top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "crypto/x509-utils.h"
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#include <gnutls/x509.h>
+
+static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALG__MAX] = {
+ [QCRYPTO_HASH_ALG_MD5] = GNUTLS_DIG_MD5,
+ [QCRYPTO_HASH_ALG_SHA1] = GNUTLS_DIG_SHA1,
+ [QCRYPTO_HASH_ALG_SHA224] = GNUTLS_DIG_SHA224,
+ [QCRYPTO_HASH_ALG_SHA256] = GNUTLS_DIG_SHA256,
+ [QCRYPTO_HASH_ALG_SHA384] = GNUTLS_DIG_SHA384,
+ [QCRYPTO_HASH_ALG_SHA512] = GNUTLS_DIG_SHA512,
+ [QCRYPTO_HASH_ALG_RIPEMD160] = GNUTLS_DIG_RMD160,
+};
+
+int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
+ QCryptoHashAlgorithm alg,
+ uint8_t *result,
+ size_t *resultlen,
+ Error **errp)
+{
+ int ret = -1;
+ int hlen;
+ gnutls_x509_crt_t crt;
+ gnutls_datum_t datum = {.data = cert, .size = size};
+
+ if (alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
+ error_setg(errp, "Unknown hash algorithm");
+ return -1;
+ }
+
+ if (result == NULL) {
+ error_setg(errp, "No valid buffer given");
+ return -1;
+ }
+
+ gnutls_x509_crt_init(&crt);
+
+ if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM) != 0) {
+ error_setg(errp, "Failed to import certificate");
+ goto cleanup;
+ }
+
+ hlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]);
+ if (*resultlen < hlen) {
+ error_setg(errp,
+ "Result buffer size %zu is smaller than hash %d",
+ *resultlen, hlen);
+ goto cleanup;
+ }
+
+ if (gnutls_x509_crt_get_fingerprint(crt,
+ qcrypto_to_gnutls_hash_alg_map[alg],
+ result, resultlen) != 0) {
+ error_setg(errp, "Failed to get fingerprint from certificate");
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ gnutls_x509_crt_deinit(crt);
+ return ret;
+}
diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h
new file mode 100644
index 0000000000..4210dfbcfc
--- /dev/null
+++ b/include/crypto/x509-utils.h
@@ -0,0 +1,22 @@
+/*
+ * X.509 certificate related helpers
+ *
+ * Copyright (c) 2024 Dorjoy Chowdhury <dorjoychy111@gmail.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * (at your option) any later version. See the COPYING file in the
+ * top-level directory.
+ */
+
+#ifndef QCRYPTO_X509_UTILS_H
+#define QCRYPTO_X509_UTILS_H
+
+#include "crypto/hash.h"
+
+int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
+ QCryptoHashAlgorithm hash,
+ uint8_t *result,
+ size_t *resultlen,
+ Error **errp);
+
+#endif
--
2.45.2
next prev parent reply other threads:[~2024-09-09 14:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-09 14:16 [PULL 00/10] Crypto fixes patches Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 01/10] iotests: fix expected output from gnutls Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 02/10] crypto: run qcrypto_pbkdf2_count_iters in a new thread Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 03/10] crypto: check gnutls & gcrypt support the requested pbkdf hash Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 04/10] tests/unit: always build the pbkdf crypto unit test Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 05/10] tests/unit: build pbkdf test on macOS Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 06/10] crypto: avoid leak of ctx when bad cipher mode is given Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 07/10] crypto: use consistent error reporting pattern for unsupported cipher modes Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 08/10] crypto: Define macros for hash algorithm digest lengths Daniel P. Berrangé
2024-09-09 14:16 ` [PULL 09/10] crypto: Support SHA384 hash when using glib Daniel P. Berrangé
2024-09-09 14:16 ` Daniel P. Berrangé [this message]
2025-03-18 16:44 ` [PULL 10/10] crypto: Introduce x509 utils Peter Maydell
2025-03-18 17:01 ` Dorjoy Chowdhury
2024-09-09 16:06 ` [PULL 00/10] Crypto fixes patches Peter Maydell
2024-09-11 5:59 ` Michael Tokarev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240909141635.1459701-11-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dorjoychy111@gmail.com \
--cc=eblake@redhat.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=lvivier@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=pbonzini@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
--cc=thuth@redhat.com \
--cc=yong.huang@smartx.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).