Diffstat (limited to 'crypto')
-rw-r--r--crypto/.gitignore2
-rw-r--r--crypto/Kconfig19
-rw-r--r--crypto/Makefile10
-rw-r--r--crypto/rsa.c59
4 files changed, 86 insertions, 4 deletions
diff --git a/crypto/.gitignore b/crypto/.gitignore
new file mode 100644
index 0000000000..92d8af3cf4
--- /dev/null
+++ b/crypto/.gitignore
@@ -0,0 +1,2 @@
+rsa-keys.h
+rsa-keys.h.tmp
diff --git a/crypto/Kconfig b/crypto/Kconfig
index c06d3c054e..7cc8aceacb 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -94,6 +94,25 @@ config CRYPTO_PBKDF2
config CRYPTO_RSA
bool
+config CRYPTO_RSA_BUILTIN_KEYS
+ bool
+ default y if CRYPTO_RSA_KEY != ""
+
+config CRYPTO_RSA_KEY
+ depends on CRYPTO_RSA
+ string "RSA key to compile in"
+ help
+ This option should be a filename of a PEM-formatted file containing
+ X.509 certificates to be included into barebox. If the string starts
+ with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
+
+config CRYPTO_RSA_KEY_NAME_HINT
+ depends on CRYPTO_RSA
+ string "FIT image key name hint"
+ help
+ In FIT images keys are identified by a key name hint string. Provide
+ the key name hint here.
+
config CRYPTO_KEYSTORE
bool "Keystore"
help
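Review bot: The help text for CRYPTO_RSA_KEY describes the file as "X.509 certificates" while the prompt and the consumer (rsa.c's rsa_get_key) only ever use an RSA public key looked up by name hint, so it should say which part of the file is used and how the two options relate. I would reword it to `This option should be a filename of a PEM-formatted file containing the X.509 certificate (or public key) whose RSA public key is compiled into barebox for FIT signature verification.` and extend CRYPTO_RSA_KEY_NAME_HINT's help with `It must match the key-name-hint of the FIT image's signature node; a mismatching or empty hint makes the built-in key unreachable (rsa_get_key() returns -ENOENT).` Note also that CRYPTO_RSA_BUILTIN_KEYS has no `depends on CRYPTO_RSA`; it is currently only reachable through CRYPTO_RSA_KEY, which does depend on it, so this is harmless but worth making explicit.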
diff --git a/crypto/Makefile b/crypto/Makefile
index d6fb74aad9..3f59de08f0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -16,3 +16,13 @@ obj-$(CONFIG_DIGEST_SHA512_GENERIC) += sha4.o
obj-$(CONFIG_CRYPTO_PBKDF2) += pbkdf2.o
obj-$(CONFIG_CRYPTO_RSA) += rsa.o
obj-$(CONFIG_CRYPTO_KEYSTORE) += keystore.o
+
+extra-$(CONFIG_CRYPTO_RSA_BUILTIN_KEYS) += rsa-keys.h
+
+ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+
+$(obj)/rsa.o: $(obj)/rsa-keys.h
+$(eval $(call config_filename,CRYPTO_RSA_KEY))
+$(obj)/rsa-keys.h: FORCE
+ $(call cmd,rsa_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CRYPTO_RSA_KEY_SRCPREFIX)$(CRYPTO_RSA_KEY_FILENAME))
+endif
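Review bot: The rsa-keys.h rule uses `$(call cmd,rsa_keys,...)` with a FORCE prerequisite, so the generator runs unconditionally on every build rather than only when its input or the command line changes; the kbuild idiom here is `$(call if_changed,rsa_keys,...)`, which also records the command in a .cmd file so a change of CRYPTO_RSA_KEY_NAME_HINT or the key path triggers a rebuild. With a `pkcs11:` URI (allowed by the Kconfig help) an unconditional rule means a token/HSM access on every build, and it is unclear from this hunk whether `config_filename` leaves such a URI untouched or prefixes it with `$(CRYPTO_RSA_KEY_SRCPREFIX)` as it would a relative path; that should be confirmed against the cmd_rsa_keys definition, which is outside this diff. The single argument is built as `HINT:PATH`, and since PKCS#11 URIs themselves contain colons the generator must split on the first `:` only, which is worth a comment on the rule, e.g. `# argument is <key-name-hint>:<PEM file or pkcs11: URI>; the hint must not contain ':'`.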
diff --git a/crypto/rsa.c b/crypto/rsa.c
index 591d15c415..64241854c8 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -380,11 +380,15 @@ static void rsa_convert_big_endian(uint32_t *dst, const uint32_t *src, int len)
dst[i] = fdt32_to_cpu(src[len - 1 - i]);
}
-int rsa_of_read_key(struct device_node *node, struct rsa_public_key *key)
+struct rsa_public_key *rsa_of_read_key(struct device_node *node)
{
const void *modulus, *rr;
const uint64_t *public_exponent;
int length;
+ struct rsa_public_key *key;
+ int err;
+
+ key = xzalloc(sizeof(*key));
of_property_read_u32(node, "rsa,num-bits", &key->len);
of_property_read_u32(node, "rsa,n0-inverse", &key->n0inv);
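Review bot: rsa_of_read_key's contract changes in a way existing callers can silently get wrong — it now returns a heap-allocated key or an ERR_PTR() instead of an int — and nothing in the hunk documents that a NULL check is no longer sufficient and that the caller owns the result. I would add a kernel-doc comment above the signature stating that the returned key must be checked with IS_ERR(), that it (and its modulus/rr buffers) is owned by the caller and released with rsa_key_free(), and that -EFAULT is returned for a node missing rsa,modulus/rsa,r-squared or with a key size outside RSA_MIN_KEY_BITS..RSA_MAX_KEY_BITS. The function body continues past the end of this hunk.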
@@ -400,14 +404,16 @@ int rsa_of_read_key(struct device_node *node, struct rsa_public_key *key)
if (!key->len || !modulus || !rr) {
debug("%s: Missing RSA key info", __func__);
- return -EFAULT;
+ err = -EFAULT;
+ goto out;
}
/* Sanity check for stack size */
if (key->len > RSA_MAX_KEY_BITS || key->len < RSA_MIN_KEY_BITS) {
debug("RSA key bits %u outside allowed range %d..%d\n",
key->len, RSA_MIN_KEY_BITS, RSA_MAX_KEY_BITS);
- return -EFAULT;
+ err = -EFAULT;
+ goto out;
}
key->len /= sizeof(uint32_t) * 8;
@@ -418,5 +424,50 @@ int rsa_of_read_key(struct device_node *node, struct rsa_public_key *key)
rsa_convert_big_endian(key->modulus, modulus, key->len);
rsa_convert_big_endian(key->rr, rr, key->len);
- return 0;
+ err = 0;
+out:
+ if (err)
+ free(key);
+
+ return err ? ERR_PTR(err) : key;
+}
+
+void rsa_key_free(struct rsa_public_key *key)
+{
+ free(key->modulus);
+ free(key->rr);
+ free(key);
+}
+
+#ifdef CONFIG_CRYPTO_RSA_BUILTIN_KEYS
+#include "rsa-keys.h"
+
+extern const struct rsa_public_key * const __rsa_keys_start;
+extern const struct rsa_public_key * const __rsa_keys_end;
+
+struct rsa_public_key *rsa_get_key(const char *name)
+{
+ const struct rsa_public_key *key;
+ struct rsa_public_key *new;
+ const struct rsa_public_key * const *iter;
+
+ for (iter = &__rsa_keys_start; iter != &__rsa_keys_end; iter++) {
+ key = *iter;
+ if (!strcmp(name, key->key_name_hint))
+ goto found;
+ }
+
+ return ERR_PTR(-ENOENT);
+found:
+ new = xmemdup(key, sizeof(*key));
+ new->modulus = xmemdup(key->modulus, key->len * sizeof(uint32_t));
+ new->rr = xmemdup(key->rr, key->len * sizeof(uint32_t));
+
+ return new;
+}
+#else
+struct rsa_public_key *rsa_get_key(const char *name)
+{
+ return ERR_PTR(-ENOENT);
}
+#endif
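Review bot: rsa_get_key() passes `name` straight to strcmp(), so a caller that resolved no key-name-hint from the FIT signature node (a NULL name) crashes in the lookup instead of getting an error; the loop should start with `if (!name) return ERR_PTR(-EINVAL);` (or -ENOENT, to match the miss case). The same applies if a generated entry has a NULL key_name_hint — I cannot see rsa-keys.h, so whether the generator guarantees a non-NULL hint should be confirmed. In rsa_of_read_key's error path, `free(key)` is correct today only because every `goto out` happens before modulus and rr are allocated; using `rsa_key_free(key)` there (free(NULL) is a no-op after xzalloc) keeps later error paths from leaking, provided rsa_key_free is declared in the header before this point. Both rsa_get_key variants also deserve a kernel-doc comment saying the result is a deep copy owned by the caller, to be released with rsa_key_free(), and that ERR_PTR(-ENOENT) is returned when no built-in key matches or no keys are compiled in.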