[{"id":4398,"web_url":"https://patchwork.libcamera.org/comment/4398/","msgid":"<20200407203356.GN1716317@oden.dyn.berto.se>","date":"2020-04-07T20:33:56","subject":"Re: [libcamera-devel] [PATCH 08/11] libcamera: Add PubKey class","submitter":{"id":5,"url":"https://patchwork.libcamera.org/api/people/5/","name":"Niklas Söderlund","email":"niklas.soderlund@ragnatech.se"},"content":"Hi Laurent,\n\nThanks for your work.\n\nOn 2020-04-04 04:56:21 +0300, Laurent Pinchart wrote:\n> Add a new PubKey class to handle public key signature verification. The\n> implementation is based on the gnutls library, which is added as an\n> optional dependency. If gnutls is not found, signature verification will\n> unconditionally fail.\n> \n> Signed-off-by: Laurent Pinchart \n> ---\n> src/libcamera/include/meson.build | 1 +\n> src/libcamera/include/pub_key.h | 36 ++++++++++++\n> src/libcamera/meson.build | 7 +++\n> src/libcamera/pub_key.cpp | 97 +++++++++++++++++++++++++++++++\n> 4 files changed, 141 insertions(+)\n> create mode 100644 src/libcamera/include/pub_key.h\n> create mode 100644 src/libcamera/pub_key.cpp\n> \n> diff --git a/src/libcamera/include/meson.build b/src/libcamera/include/meson.build\n> index 921ed5a063cb..5aaa99472e4a 100644\n> --- a/src/libcamera/include/meson.build\n> +++ b/src/libcamera/include/meson.build\n> @@ -21,6 +21,7 @@ libcamera_headers = files([\n> 'message.h',\n> 'pipeline_handler.h',\n> 'process.h',\n> + 'pub_key.h',\n> 'semaphore.h',\n> 'thread.h',\n> 'utils.h',\n> diff --git a/src/libcamera/include/pub_key.h b/src/libcamera/include/pub_key.h\n> new file mode 100644\n> index 000000000000..4d3bdd69bfd8\n> --- /dev/null\n> +++ b/src/libcamera/include/pub_key.h\n> @@ -0,0 +1,36 @@\n> +/* SPDX-License-Identifier: LGPL-2.1-or-later */\n> +/*\n> + * Copyright (C) 2020, Google Inc.\n> + *\n> + * pub_key.h - Public key signature verification\n> + */\n> +#ifndef __LIBCAMERA_PUB_KEY_H__\n> +#define __LIBCAMERA_PUB_KEY_H__\n> +\n> +#include \n> +\n> +#include \n> +\n> +struct gnutls_pubkey_st;\n\nNit, this forward declaration is only needed if HAVE_GNUTLS is set, \nwould it make to sens to make it conditional on that to make it clear?\n\nWith or without this fixed,\n\nReviewed-by: Niklas Söderlund \n\n> +\n> +namespace libcamera {\n> +\n> +class PubKey\n> +{\n> +public:\n> +\tPubKey(Span key);\n> +\t~PubKey();\n> +\n> +\tbool isValid() const { return valid_; }\n> +\tbool verify(Span data, Span sig) const;\n> +\n> +private:\n> +\tbool valid_;\n> +#if HAVE_GNUTLS\n> +\tstruct gnutls_pubkey_st *pubkey_;\n> +#endif\n> +};\n> +\n> +} /* namespace libcamera */\n> +\n> +#endif /* __LIBCAMERA_PUB_KEY_H__ */\n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index 4f5c41678781..c2a657e4938c 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -34,6 +34,7 @@ libcamera_sources = files([\n> 'pipeline_handler.cpp',\n> 'pixelformats.cpp',\n> 'process.cpp',\n> + 'pub_key.cpp',\n> 'request.cpp',\n> 'semaphore.cpp',\n> 'signal.cpp',\n> @@ -61,8 +62,13 @@ subdir('proxy')\n> \n> libatomic = cc.find_library('atomic', required : false)\n> libdl = cc.find_library('dl')\n> +libgnutls = cc.find_library('gnutls', required : false)\n> libudev = dependency('libudev', required : false)\n> \n> +if libgnutls.found()\n> + config_h.set('HAVE_GNUTLS', 1)\n> +endif\n> +\n> if libudev.found()\n> config_h.set('HAVE_LIBUDEV', 1)\n> libcamera_sources += files([\n> @@ -98,6 +104,7 @@ libcamera_sources += version_cpp\n> libcamera_deps = [\n> libatomic,\n> libdl,\n> + libgnutls,\n> libudev,\n> dependency('threads'),\n> ]\n> diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp\n> new file mode 100644\n> index 000000000000..064d2dd200e1\n> --- /dev/null\n> +++ b/src/libcamera/pub_key.cpp\n> @@ -0,0 +1,97 @@\n> +/* SPDX-License-Identifier: LGPL-2.1-or-later */\n> +/*\n> + * Copyright (C) 2020, Google Inc.\n> + *\n> + * pub_key.cpp - Public key signature verification\n> + */\n> +\n> +#include \"pub_key.h\"\n> +\n> +#if HAVE_GNUTLS\n> +#include \n> +#endif\n> +\n> +/**\n> + * \\file pub_key.h\n> + * \\brief Public key signature verification\n> + */\n> +\n> +namespace libcamera {\n> +\n> +/**\n> + * \\class PubKey\n> + * \\brief Public key wrapper for signature verification\n> + *\n> + * The PubKey class wraps a public key and implements signature verification. It\n> + * only supports RSA keys and the RSA-SHA256 signature algorithm.\n> + */\n> +\n> +/**\n> + * \\brief Construct a PubKey from key data\n> + * \\param[in] key Key data encoded in DER format\n> + */\n> +PubKey::PubKey(Span key)\n> +\t: valid_(false)\n> +{\n> +#if HAVE_GNUTLS\n> +\tint ret = gnutls_pubkey_init(&pubkey_);\n> +\tif (ret < 0)\n> +\t\treturn;\n> +\n> +\tconst gnutls_datum_t gnuTlsKey{\n> +\t\tconst_cast(key.data()),\n> +\t\tstatic_cast(key.size())\n> +\t};\n> +\tret = gnutls_pubkey_import(pubkey_, &gnuTlsKey, GNUTLS_X509_FMT_DER);\n> +\tif (ret < 0)\n> +\t\treturn;\n> +\n> +\tvalid_ = true;\n> +#endif\n> +}\n> +\n> +PubKey::~PubKey()\n> +{\n> +#if HAVE_GNUTLS\n> +\tgnutls_pubkey_deinit(pubkey_);\n> +#endif\n> +}\n> +\n> +/**\n> + * \\fn bool PubKey::isValid() const\n> + * \\brief Check is the public key is valid\n> + * \\return True if the public key is valid, false otherwise\n> + */\n> +\n> +/**\n> + * \\brief Verify signature on data\n> + * \\param[in] data The signed data\n> + * \\param[in] sig The signature\n> + *\n> + * Verify that the signature \\a sig matches the signed \\a data for the public\n> + * key. The signture algorithm is hardcoded to RSA-SHA256.\n> + *\n> + * \\return True if the signature is valid, false otherwise\n> + */\n> +bool PubKey::verify(Span data, Span sig) const\n> +{\n> +#if HAVE_GNUTLS\n> +\tconst gnutls_datum_t gnuTlsData{\n> +\t\tconst_cast(data.data()),\n> +\t\tstatic_cast(data.size())\n> +\t};\n> +\n> +\tconst gnutls_datum_t gnuTlsSig{\n> +\t\tconst_cast(sig.data()),\n> +\t\tstatic_cast(sig.size())\n> +\t};\n> +\n> +\tint ret = gnutls_pubkey_verify_data2(pubkey_, GNUTLS_SIGN_RSA_SHA256, 0,\n> +\t\t\t\t\t &gnuTlsData, &gnuTlsSig);\n> +\treturn ret >= 0;\n> +#else\n> +\treturn false;\n> +#endif\n> +}\n> +\n> +} /* namespace libcamera */\n> -- \n> Regards,\n> \n> Laurent Pinchart\n> \n> _______________________________________________\n> libcamera-devel mailing list\n> libcamera-devel@lists.libcamera.org\n> https://lists.libcamera.org/listinfo/libcamera-devel","headers":{"Return-Path":"","Received":["from mail-lf1-x141.google.com (mail-lf1-x141.google.com\n\t[IPv6:2a00:1450:4864:20::141])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id A658E600F0\n\tfor ;\n\tTue, 7 Apr 2020 22:33:57 +0200 (CEST)","by mail-lf1-x141.google.com with SMTP id t11so3448136lfe.4\n\tfor ;\n\tTue, 07 Apr 2020 13:33:57 -0700 (PDT)","from localhost (h-200-138.A463.priv.bahnhof.se. [176.10.200.138])\n\tby smtp.gmail.com with ESMTPSA id\n\tx23sm3334022lfe.51.2020.04.07.13.33.56\n\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n\tTue, 07 Apr 2020 13:33:56 -0700 (PDT)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (2048-bit key; \n\tunprotected)\n\theader.d=ragnatech-se.20150623.gappssmtp.com\n\theader.i=@ragnatech-se.20150623.gappssmtp.com header.b=\"eLnJpPHB\"; \n\tdkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=ragnatech-se.20150623.gappssmtp.com; s=20150623;\n\th=date:from:to:cc:subject:message-id:references:mime-version\n\t:content-disposition:content-transfer-encoding:in-reply-to;\n\tbh=6OGSaXOzZm6NzTw44k1TMx0S34t3kEaOZHUjJAVrtGc=;\n\tb=eLnJpPHBEFygzZ8Jsw9gFOQQ4MKf6uZ7wFqA4RiEBdDZeOmd73FZGP1IDY+WjrndPi\n\tbLhdDalZB+k8I6LmmoD8AvmGaoNMLh0Tr5gx3ma3i2dw/eDT4x7azHhBLSTDacmvtw30\n\tHJ2x+sZgONwpa8QOUcN3GVZO1R7+R2Tp6jfcdkBdyvKBLtDUdDCpKZSZfYdJCIRj2oR+\n\tpAcFEN0rQNKk/UDyyuczgAyLWIAcX8z0O68Q98OGjyqpO/EcI07FMWo7LhvU+SobKyqK\n\toWMPAa1ZgJHAkESwZsTbZW5yKEsIdR1CQbSoVcg+lFBUGzMCGfyMlK4F1UKnR5Tdmeob\n\tey3A==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:date:from:to:cc:subject:message-id:references\n\t:mime-version:content-disposition:content-transfer-encoding\n\t:in-reply-to;\n\tbh=6OGSaXOzZm6NzTw44k1TMx0S34t3kEaOZHUjJAVrtGc=;\n\tb=bheuVlAmxicrEyraA6B6TtpVtCrbrXP7fLqBBh3dZWM4Lq7t81BAJJL5xSW2F3mswd\n\tab60P2NJ93PO5Qxw6He9zciD937aeqEshsJT75Y2EPFnMXS2DTG/qVLyEvoYfpa0SUvw\n\tVGfNYitVQaIf/jfqbJiapLACvaDwiJ+xcF1lKafuaV6cgXllT+icLH9+muNmlvzrfmqY\n\tHJscc1veL09PMH28aRMmMI6pgzqwqOaBA90Qwr8h9ji/ftbjBtjpvYUmD/JnIsC8kYPq\n\tWOml6hsIITBpTHilfMVEIqV3Zg833Y7rWznY8W8M86ZdFuVHSosNCFtT770ycGUYY+PK\n\tXmCw==","X-Gm-Message-State":"AGi0PuZ9d/X8TX2ERX1++jvFZAYX6a0H6SOb3bcFHb8eVUkjqBEUnm5d\n\twRGyxc7EbGvDtmH+Gg89kwHa1miCumA=","X-Google-Smtp-Source":"APiQypJp1nCnDhGXmCftWlc8n2u91+hhClPORREGELopALyKSWCU+nT37Oxi0BszPDJ3WgvsskUU1g==","X-Received":"by 2002:a19:e308:: with SMTP id a8mr2439086lfh.135.1586291636956;\n\tTue, 07 Apr 2020 13:33:56 -0700 (PDT)","Date":"Tue, 7 Apr 2020 22:33:56 +0200","From":"Niklas =?iso-8859-1?q?S=F6derlund?= ","To":"Laurent Pinchart ","Cc":"libcamera-devel@lists.libcamera.org","Message-ID":"<20200407203356.GN1716317@oden.dyn.berto.se>","References":"<20200404015624.30440-1-laurent.pinchart@ideasonboard.com>\n\t<20200404015624.30440-9-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=iso-8859-1","Content-Disposition":"inline","Content-Transfer-Encoding":"8bit","In-Reply-To":"<20200404015624.30440-9-laurent.pinchart@ideasonboard.com>","Subject":"Re: [libcamera-devel] [PATCH 08/11] libcamera: Add PubKey class","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","X-List-Received-Date":"Tue, 07 Apr 2020 20:33:57 -0000"}}]