From: Zhuoying Cai <zycai@linux.ibm.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com,
jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-devel@nongnu.org, walling@linux.ibm.com,
jjherne@linux.ibm.com, pasic@linux.ibm.com,
borntraeger@linux.ibm.com, farman@linux.ibm.com,
mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,
armbru@redhat.com, alifm@linux.ibm.com
Subject: Re: [PATCH v5 03/29] crypto/x509-utils: Add helper functions for certificate store
Date: Wed, 27 Aug 2025 16:13:46 -0400 [thread overview]
Message-ID: <4ca3161b-5b72-4e2e-9688-4aa90ff7a769@linux.ibm.com> (raw)
In-Reply-To: <aK9ARYO83XACYPYZ@redhat.com>
On 8/27/25 1:28 PM, Daniel P. Berrangé wrote:
> On Mon, Aug 18, 2025 at 05:42:56PM -0400, Zhuoying Cai wrote:
>> Introduce new helper functions for x509 certificate, which will be used
>> by the certificate store:
>>
>> qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format
>>
>> These functions provide support for certificate format conversion.
>>
>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>> ---
>> crypto/x509-utils.c | 51 +++++++++++++++++++++++++++++++++++++
>> include/crypto/x509-utils.h | 20 +++++++++++++++
>> 2 files changed, 71 insertions(+)
>>
>> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
>> index 6176a88653..29d5146bb2 100644
>> --- a/crypto/x509-utils.c
>> +++ b/crypto/x509-utils.c
>> @@ -81,6 +81,48 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
>> return ret;
>> }
>>
>> +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,
>> + uint8_t **result, size_t *resultlen,
>> + Error **errp)
>> +{
>> + int ret = -1;
>> + int rc;
>> + gnutls_x509_crt_t crt;
>> + gnutls_datum_t datum = {.data = cert, .size = size};
>> +
>> + rc = gnutls_x509_crt_init(&crt);
>> + if (rc < 0) {
>> + error_setg(errp, "Failed to initialize certificate: %s", gnutls_strerror(rc));
>> + return ret;
>> + }
>> +
>> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
>> + if (rc != 0) {
>> + error_setg(errp, "Failed to import certificate: %s", gnutls_strerror(rc));
>> + goto cleanup;
>> + }
>> +
>> + if (*resultlen == 0) {
>> + error_setg(errp, "Invalid buffer size");
>> + goto cleanup;
>> + }
>
> Requiring resultlen to be set as an input parameter is strange, when
> this function is allocating the buffer. It would be better if we
> ignore resultlen on input and....
>
>
>> +
>> + *result = g_malloc0(*resultlen);
>> + rc = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_DER, *result, resultlen);
>
> Use 'gnutls_x509_crt_export2' instead
>
> datum.data = NULL;
> datum.size = 0;
> rc = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum);
> if (rc != 0) {
> ....
> }
> *result = g_new0(uint8_t, datum.size);
> *resultlen = datum.size;
> memcpy(result, datum.data, datum.size);
> gnutls_free(datum.data);
>
Thanks for the suggestion! I'll make the change in the next version.
>> + if (rc != 0) {
>> + error_setg(errp, "Failed to convert certificate to DER format: %s",
>> + gnutls_strerror(rc));
>> + g_clear_pointer(result, g_free);
>> + goto cleanup;
>> + }
>> +
>> + ret = 0;
>> +
>> +cleanup:
>> + gnutls_x509_crt_deinit(crt);
>> + return ret;
>> +}
>> +
>> #else /* ! CONFIG_GNUTLS */
>>
>> int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
>> @@ -93,4 +135,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
>> return -1;
>> }
>>
>> +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,
>> + uint8_t **result,
>> + size_t *resultlen,
>> + Error **errp)
>> +{
>> + error_setg(errp, "GNUTLS is required to export X.509 certificate");
>> + return -1;
>> +}
>> +
>> #endif /* ! CONFIG_GNUTLS */
>> diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h
>> index 1e99661a71..4239e3e55a 100644
>> --- a/include/crypto/x509-utils.h
>> +++ b/include/crypto/x509-utils.h
>> @@ -19,4 +19,24 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
>> size_t *resultlen,
>> Error **errp);
>>
>> +/**
>> + * qcrypto_x509_convert_cert_der
>> + * @cert: pointer to the raw certificate data in PEM format
>> + * @size: size of the certificate
>> + * @result: output location for the allocated buffer for the certificate in DER format
>> + (the function allocates memory which must be freed by the caller)
>> + * @resultlen: pointer to the size of the buffer
>> + (will be updated with the actual size of the DER-encoded certificate)
>> + * @errp: error pointer
>> + *
>> + * Convert the given @cert from PEM to DER format.
>> + *
>> + * Returns: 0 on success,
>> + * -1 on error.
>> + */
>> +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,
>> + uint8_t **result,
>> + size_t *resultlen,
>> + Error **errp);
>> +
>> #endif
>> --
>> 2.50.1
>>
>
> With regards,
> Daniel
next prev parent reply other threads:[~2025-08-27 20:15 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-18 21:42 [PATCH v5 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-11 7:24 ` Markus Armbruster
2025-09-11 19:03 ` Zhuoying Cai
2025-09-12 6:42 ` Markus Armbruster
2025-09-12 18:05 ` Zhuoying Cai
2025-09-15 6:44 ` Markus Armbruster
2025-09-15 16:14 ` Zhuoying Cai
2025-09-15 17:18 ` Daniel P. Berrangé
2025-09-16 5:59 ` Markus Armbruster
2025-08-18 21:42 ` [PATCH v5 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-08-27 17:28 ` Daniel P. Berrangé
2025-08-27 20:13 ` Zhuoying Cai [this message]
2025-08-18 21:42 ` [PATCH v5 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-08-26 13:40 ` Jared Rossi
2025-08-28 14:31 ` Zhuoying Cai
2025-08-27 23:14 ` Farhan Ali
2025-08-28 14:46 ` Zhuoying Cai
2025-09-02 15:15 ` Jared Rossi
2025-09-02 17:55 ` Zhuoying Cai
2025-09-09 0:54 ` Collin Walling
2025-09-10 20:43 ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-09-09 14:42 ` Collin Walling
2025-08-18 21:42 ` [PATCH v5 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-08-26 22:30 ` Jared Rossi
2025-08-27 14:35 ` Zhuoying Cai
2025-08-27 18:14 ` Collin Walling
2025-08-27 21:49 ` Farhan Ali
2025-08-27 22:01 ` Thomas Huth
2025-08-18 21:43 ` [PATCH v5 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-08-27 17:36 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 09/29] s390x/diag: Implement " Zhuoying Cai
2025-08-27 14:35 ` Jared Rossi
2025-08-28 15:12 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-08-27 17:44 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-08-27 14:55 ` Jared Rossi
2025-08-27 18:08 ` Collin Walling
2025-08-27 22:18 ` Farhan Ali
2025-08-28 15:01 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-08-27 16:30 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 16/29] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-08-27 16:33 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 17/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 18/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 19/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 20/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 21/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 22/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 23/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 24/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 25/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 26/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 27/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ca3161b-5b72-4e2e-9688-4aa90ff7a769@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).