On 2/28/26 8:43 AM, Thomas Huth wrote:
> On 12/02/2026 21.43, Zhuoying Cai wrote:
>> Introduce new helper functions to extract certificate metadata:
>>
>> qcrypto_x509_check_cert_times() - validates the certificate's validity
>> period against the current time
>> qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in
>> the certificate
>> qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
>> qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key
>> algorithm uses P-521 curve
>>
>> These functions provide support for metadata extraction and validity checking
>> for X.509 certificates.
>>
>> Signed-off-by: Zhuoying Cai <[email protected]>
>> Reviewed-by: Farhan Ali<[email protected]>
>> ---
>> crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++
>> include/crypto/x509-utils.h | 51 ++++++++
>> 2 files changed, 287 insertions(+)
>>
>> diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c
>> index 2696d48155..906d5e5e87 100644
>> --- a/crypto/x509-utils.c
>> +++ b/crypto/x509-utils.c
>> @@ -27,6 +27,16 @@ static const int
>> qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
>> [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
>
> So there is a mapping for RIPEMD160 - everything else will be mapped to 0,
> which is GNUTLS_DIG_UNKNOWN if I got the gnutls.h header right ...
>
>> };
> ...
>> +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,
>> + QCryptoHashAlgo hash_alg,
>> + uint8_t **result,
>> + size_t *resultlen,
>> + Error **errp)
>
> ... and in patch 09/30, you call this function with:
>
> + rc = qcrypto_x509_get_cert_key_id(cert->raw, cert->size,
> + QCRYPTO_HASH_ALGO_SHA256,
> + &key_id_data, &key_id_len, &err);
>
> i.e. hash_alg is QCRYPTO_HASH_ALGO_SHA256...
>
>> +{
>> + int rc;
>> + int ret = -1;
>> + gnutls_x509_crt_t crt;
>> + gnutls_datum_t datum = {.data = cert, .size = size};
>> +
>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {
>> + error_setg(errp, "Unknown hash algorithm %d", hash_alg);
>> + return ret;
>> + }
>> +
>> + if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||
>> + qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {
>> + error_setg(errp, "Unsupported key id flag %d", hash_alg);
>> + return ret;
>> + }
>> +
>> + rc = gnutls_x509_crt_init(&crt);
>> + if (rc < 0) {
>> + error_setg(errp, "Failed to initialize certificate: %s",
>> gnutls_strerror(rc));
>> + return ret;
>> + }
>> +
>> + rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);
>> + if (rc != 0) {
>> + error_setg(errp, "Failed to import certificate: %s",
>> gnutls_strerror(rc));
>> + goto cleanup;
>> + }
>> +
>> + *resultlen =
>> gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);
>
> ... so qcrypto_to_gnutls_hash_alg_map[hash_alg] should result in
> GNUTLS_DIG_UNKNOWN as far as I can see. How is this supposed to work? Is
> this code used at all? Or is the error simply ignored somewhere up in the
> call chain? Or did I miss something?
>
> Thomas
>
>
Thanks for the review!
To clarify: the diff context only showed the RIPEMD160 line, but the
existing qcrypto_to_gnutls_hash_alg_map[] also includes SHA256 in
x509-utils.c.
static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {
[QCRYPTO_HASH_ALGO_MD5] = GNUTLS_DIG_MD5,
[QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_DIG_SHA1,
[QCRYPTO_HASH_ALGO_SHA224] = GNUTLS_DIG_SHA224,
[QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_DIG_SHA256,
[QCRYPTO_HASH_ALGO_SHA384] = GNUTLS_DIG_SHA384,
[QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_DIG_SHA512,
[QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,
};
For the call in patch 09/30, hash_alg is QCRYPTO_HASH_ALGO_SHA256, so
qcrypto_to_gnutls_hash_alg_map[hash_alg] resolves to GNUTLS_DIG_SHA256
(value 6), and gnutls_hash_get_len(...) returns 32 as expected.
>> + if (*resultlen == 0) {
>> + error_setg(errp, "Failed to get hash algorithn length: %s",
>> gnutls_strerror(rc));
>> + goto cleanup;
>> + }
>> +
>> + *result = g_malloc0(*resultlen);
>> + if (gnutls_x509_crt_get_key_id(crt,
>> +
>> qcrypto_to_gnutls_keyid_flags_map[hash_alg],
>> + *result, resultlen) != 0) {
>> + error_setg(errp, "Failed to get key ID from certificate");
>> + g_clear_pointer(result, g_free);
>> + goto cleanup;
>> + }
>> +
>> + ret = 0;
>> +
>> +cleanup:
>> + gnutls_x509_crt_deinit(crt);
>> + return ret;
>> +}
>
> Thomas
>
