qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed
From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Zhuoying Cai <zycai@linux.ibm.com>
Cc: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com,
	jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
	qemu-devel@nongnu.org, walling@linux.ibm.com,
	jjherne@linux.ibm.com, pasic@linux.ibm.com,
	borntraeger@linux.ibm.com, farman@linux.ibm.com,
	mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,
	armbru@redhat.com, alifm@linux.ibm.com
Subject: Re: [PATCH v5 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Wed, 27 Aug 2025 18:44:41 +0100	[thread overview]
Message-ID: <aK9ECfS7Y_dgBYSj@redhat.com> (raw)
In-Reply-To: <20250818214323.529501-12-zycai@linux.ibm.com>

On Mon, Aug 18, 2025 at 05:43:04PM -0400, Zhuoying Cai wrote:
> Introduce helper functions to support signature verification required by
> DIAG 508 subcode 1:
> 
> qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
> qcrypto_x509_verify_sig() – verifies the provided data against the given signature
> 
> These functions enable basic signature verification support.
> 
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
>  crypto/x509-utils.c         | 108 ++++++++++++++++++++++++++++++++++++
>  include/crypto/x509-utils.h |  39 +++++++++++++
>  2 files changed, 147 insertions(+)
> 
> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
> index 67b42aad1f..f582e2ee48 100644
> --- a/crypto/x509-utils.c
> +++ b/crypto/x509-utils.c
> @@ -16,6 +16,7 @@
>  #include <gnutls/gnutls.h>
>  #include <gnutls/crypto.h>
>  #include <gnutls/x509.h>
> +#include <gnutls/pkcs7.h>
>  
>  static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
>      [QCRYPTO_HASH_ALGO_MD5] = GNUTLS_DIG_MD5,
> @@ -275,6 +276,96 @@ cleanup:
>      return ret;
>  }
>  
> +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size,
> +                                  uint8_t **result, size_t *resultlen,
> +                                  Error **errp)
> +{
> +    int ret = -1;
> +    int rc;
> +    gnutls_pkcs7_t signature;
> +    gnutls_datum_t sig_datum_der = {.data = sig, .size = sig_size};
> +    gnutls_datum_t sig_datum_pem = { 0, };
> +
> +    rc = gnutls_pkcs7_init(&signature);
> +    if (rc < 0) {
> +        error_setg(errp, "Failed to initalize pkcs7 data: %s", gnutls_strerror(rc));
> +        return ret;
> +     }
> +
> +    rc = gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_DER);
> +    if (rc != 0) {
> +        error_setg(errp, "Failed to import signature: %s", gnutls_strerror(rc));
> +        goto cleanup;
> +    }
> +
> +    rc = gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum_pem);
> +    if (rc != 0) {
> +        error_setg(errp, "Failed to convert signature to PEM format: %s",
> +                   gnutls_strerror(rc));
> +        gnutls_free(sig_datum_pem.data);
> +        goto cleanup;
> +    }
> +
> +    *result = g_steal_pointer(&sig_datum_pem.data);

I just realized we should actually allocate a buffer with g_new and
copy over from sig_datum_pem, because we can't safely assume that
gnutls buffers can be freed with the system free(), only gnutls_free()

> +    *resultlen = sig_datum_pem.size;
> +
> +    ret = 0;
> +
> +cleanup:
> +    gnutls_pkcs7_deinit(signature);
> +    return ret;
> +}
With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



  reply	other threads:[~2025-08-27 17:46 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-18 21:42 [PATCH v5 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-11  7:24   ` Markus Armbruster
2025-09-11 19:03     ` Zhuoying Cai
2025-09-12  6:42       ` Markus Armbruster
2025-09-12 18:05         ` Zhuoying Cai
2025-09-15  6:44           ` Markus Armbruster
2025-09-15 16:14             ` Zhuoying Cai
2025-09-15 17:18               ` Daniel P. Berrangé
2025-09-16  5:59                 ` Markus Armbruster
2025-08-18 21:42 ` [PATCH v5 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-08-27 17:28   ` Daniel P. Berrangé
2025-08-27 20:13     ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-08-26 13:40   ` Jared Rossi
2025-08-28 14:31     ` Zhuoying Cai
2025-08-27 23:14   ` Farhan Ali
2025-08-28 14:46     ` Zhuoying Cai
2025-09-02 15:15       ` Jared Rossi
2025-09-02 17:55         ` Zhuoying Cai
2025-09-09  0:54   ` Collin Walling
2025-09-10 20:43     ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-09-09 14:42   ` Collin Walling
2025-08-18 21:42 ` [PATCH v5 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-08-26 22:30   ` Jared Rossi
2025-08-27 14:35     ` Zhuoying Cai
2025-08-27 18:14       ` Collin Walling
2025-08-27 21:49   ` Farhan Ali
2025-08-27 22:01     ` Thomas Huth
2025-08-18 21:43 ` [PATCH v5 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-08-27 17:36   ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 09/29] s390x/diag: Implement " Zhuoying Cai
2025-08-27 14:35   ` Jared Rossi
2025-08-28 15:12     ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-08-27 17:44   ` Daniel P. Berrangé [this message]
2025-08-18 21:43 ` [PATCH v5 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-08-27 14:55   ` Jared Rossi
2025-08-27 18:08     ` Collin Walling
2025-08-27 22:18   ` Farhan Ali
2025-08-28 15:01     ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-08-27 16:30   ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 16/29] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-08-27 16:33   ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 17/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 18/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 19/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 20/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 21/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 22/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 23/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 24/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 25/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 26/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 27/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 29/29] docs/system/s390x: " Zhuoying Cai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aK9ECfS7Y_dgBYSj@redhat.com \
    --to=berrange@redhat.com \
    --cc=alifm@linux.ibm.com \
    --cc=armbru@redhat.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=david@redhat.com \
    --cc=eblake@redhat.com \
    --cc=farman@linux.ibm.com \
    --cc=iii@linux.ibm.com \
    --cc=jjherne@linux.ibm.com \
    --cc=jrossi@linux.ibm.com \
    --cc=mjrosato@linux.ibm.com \
    --cc=pasic@linux.ibm.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-s390x@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=thuth@redhat.com \
    --cc=walling@linux.ibm.com \
    --cc=zycai@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).