On Mon, Aug 18, 2025 at 05:43:01PM -0400, Zhuoying Cai wrote:
> Introduce new helper functions to extract certificate metadata needed for
> DIAG 320 subcode 2:
>
> qcrypto_x509_check_cert_times() - validates the certificate's validity period
> against the current time
> qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in
> the certificate
> qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
>
> These functions provide support for metadata extraction and validity checking
> for X.509 certificates.
>
> Signed-off-by: Zhuoying Cai <[email protected]>
> ---
> crypto/x509-utils.c | 174 ++++++++++++++++++++++++++++++++++++
> include/crypto/x509-utils.h | 58 ++++++++++++
> 2 files changed, 232 insertions(+)
>
> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
> index 29d5146bb2..67b42aad1f 100644
> --- a/crypto/x509-utils.c
> +++ b/crypto/x509-utils.c
> @@ -27,6 +27,21 @@ static const int
> qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
> };
>
> +static const int gnutls_to_qcrypto_pk_alg_map[] = {
> + [GNUTLS_PK_RSA] = QCRYPTO_PK_ALGO_RSA,
> + [GNUTLS_PK_DSA] = QCRYPTO_PK_ALGO_DSA,
> + [GNUTLS_PK_ECDSA] = QCRYPTO_PK_ALGO_ECDSA,
> + [GNUTLS_PK_RSA_OAEP] = QCRYPTO_PK_ALGO_RSA_OAEP,
> + [GNUTLS_PK_EDDSA_ED25519] = QCRYPTO_PK_ALGO_ED25519,
> + [GNUTLS_PK_EDDSA_ED448] = QCRYPTO_PK_ALGO_ED448,
> +};
> +
> +static const int qcrypto_to_gnutls_keyid_flags_map[] = {
> + [QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_KEYID_USE_SHA1,
> + [QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_KEYID_USE_SHA256,
> + [QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_KEYID_USE_SHA512,
> +};
> +
> int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,
> QCryptoHashAlgo alg,
> uint8_t *result,
> @@ -123,6 +138,143 @@ cleanup:
> return ret;
> }
>
> +
> +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp)
> +{
> + int rc;
> + int ret = -1;
> + unsigned int bits;
> + gnutls_x509_crt_t crt;
> + gnutls_datum_t datum = {.data = cert, .size = size};
> +
> + rc = gnutls_x509_crt_init(&crt);
> + if (rc < 0) {
> + error_setg(errp, "Failed to initialize certificate: %s",
> gnutls_strerror(rc));
> + return ret;
> + }
> +
> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
> + if (rc != 0) {
> + error_setg(errp, "Failed to import certificate: %s",
> gnutls_strerror(rc));
> + goto cleanup;
> + }
> +
> + rc = gnutls_x509_crt_get_pk_algorithm(crt, &bits);
> + if (rc >= G_N_ELEMENTS(gnutls_to_qcrypto_pk_alg_map)) {
> + error_setg(errp, "Unknown public key algorithm %d", rc);
> + goto cleanup;
> + }
> +
> + ret = gnutls_to_qcrypto_pk_alg_map[rc];
> +
> +cleanup:
> + gnutls_x509_crt_deinit(crt);
> + return ret;
> +}
> +
> +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
> + QCryptoHashAlgo hash_alg,
> + uint8_t **result,
> + size_t *resultlen,
> + Error **errp)
> +{
> + int rc;
> + int ret = -1;
> + gnutls_x509_crt_t crt;
> + gnutls_datum_t datum = {.data = cert, .size = size};
> +
> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)) {
Must also check qcrypto_to_gnutls_hash_alg_map bounds.
> + error_setg(errp, "Unknow hash algorithm %d", hash_alg);
's/Unknow/Unknown/'
> + return ret;
> + }
> +
> + rc = gnutls_x509_crt_init(&crt);
> + if (rc < 0) {
> + error_setg(errp, "Failed to initialize certificate: %s",
> gnutls_strerror(rc));
> + return ret;
> + }
> +
> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
> + if (rc != 0) {
> + error_setg(errp, "Failed to import certificate: %s",
> gnutls_strerror(rc));
> + goto cleanup;
> + }
> +
> + *resultlen =
> gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
> + if (*resultlen == 0) {
> + error_setg(errp, "Failed to get hash algorithn length: %s",
> gnutls_strerror(rc));
> + goto cleanup;
> + }
> +
> + *result = g_malloc0(*resultlen);
> + if (gnutls_x509_crt_get_key_id(crt,
> +
> qcrypto_to_gnutls_keyid_flags_map[hash_alg],
> + *result, resultlen) != 0) {
> + error_setg(errp, "Failed to get key ID from certificate");
> + g_clear_pointer(result, g_free);
> + goto cleanup;
> + }
> +
> + ret = 0;
> +
> +cleanup:
> + gnutls_x509_crt_deinit(crt);
> + return ret;
> +}
> +
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
