Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/2233176/?format=api
{ "id": 2233176, "url": "http://patchwork.ozlabs.org/api/1.2/patches/2233176/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-9-zycai@linux.ibm.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.2/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260505201905.997996-9-zycai@linux.ibm.com>", "list_archive_url": null, "date": "2026-05-05T20:18:40", "name": "[v11,08/32] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "d27d33c4ba7896a32f36c6275d7cb3d00037df80", "submitter": { "id": 90643, "url": "http://patchwork.ozlabs.org/api/1.2/people/90643/?format=api", "name": "Zhuoying Cai", "email": "zycai@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-9-zycai@linux.ibm.com/mbox/", "series": [ { "id": 502896, "url": "http://patchwork.ozlabs.org/api/1.2/series/502896/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502896", "date": "2026-05-05T20:18:37", "name": "Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices", "version": 11, "mbox": "http://patchwork.ozlabs.org/series/502896/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2233176/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2233176/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=tl9er4/P;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g98yQ3x7xz1yJx\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 06:20:14 +1000 (AEST)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKMEy-0007em-5y; Tue, 05 May 2026 16:19:36 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMEt-0007Z6-BN; Tue, 05 May 2026 16:19:31 -0400", "from mx0b-001b2d01.pphosted.com ([148.163.158.5])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMEr-0000DC-7O; Tue, 05 May 2026 16:19:31 -0400", "from pps.filterd (m0353725.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 645Adpuh1590574; Tue, 5 May 2026 20:19:25 GMT", "from ppma11.dal12v.mail.ibm.com\n (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4dw9xxn50g-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:19:25 +0000 (GMT)", "from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1])\n by ppma11.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id\n 645K9Q0x015549;\n Tue, 5 May 2026 20:19:24 GMT", "from smtprelay04.wdc07v.mail.ibm.com ([172.16.1.71])\n by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 4dwx9yb249-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:19:24 +0000 (GMT)", "from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com\n [10.39.53.229])\n by smtprelay04.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 645KJMIN43319790\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Tue, 5 May 2026 20:19:22 GMT", "from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id C29935805C;\n Tue, 5 May 2026 20:19:22 +0000 (GMT)", "from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 2A51A58059;\n Tue, 5 May 2026 20:19:21 +0000 (GMT)", "from fedora-workstation.pok.ibm.com (unknown [9.12.79.241])\n by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP;\n Tue, 5 May 2026 20:19:21 +0000 (GMT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:content-type:date:from:in-reply-to\n :message-id:mime-version:references:subject:to; s=pp1; bh=slu57R\n hsP9V5y/w105doFgjQg0HKAF2KwZnOyZHw+J4=; b=tl9er4/PE+OUhBxUz5Nb3T\n tHW0w01n1qk/kgTY9a1pkoifDBx4K7Zr1M8KAaxREHdG5SHTD6e6U/aE25TdnsXA\n UH/JHJj4lVvWq+Xne4c7Tn9i/k9hvzzyzd2EWw6NO27jGSqoiW/Eu5Fr31tGrh18\n PeNH+0jebEaX9uk6ovZEnKjZnEN+iXBNOPnLtmT+1+cd0Wy+uIWl7EwihaKvqaf5\n jSH6VhYv+Xu2aIhOpsSxvZJwAAQkuEX+DQcS4EDvni3E0K9vN0CRjsyGhSgNnoHW\n lk3k3w+VgVSNv/SKw9VCWr8SzVmpC9Ou50XhwJmN1RKzbflkPvUiiUgfjmQbuK4Q\n ==", "From": "Zhuoying Cai <zycai@linux.ibm.com>", "To": "qemu-s390x@nongnu.org, qemu-devel@nongnu.org", "Cc": "jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com,\n jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com,\n farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,\n eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,\n alifm@linux.ibm.com, brueckner@linux.ibm.com,\n pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com", "Subject": "[PATCH v11 08/32] crypto/x509-utils: Add helper functions for DIAG\n 320 subcode 2", "Date": "Tue, 5 May 2026 16:18:40 -0400", "Message-ID": "<20260505201905.997996-9-zycai@linux.ibm.com>", "X-Mailer": "git-send-email 2.54.0", "In-Reply-To": "<20260505201905.997996-1-zycai@linux.ibm.com>", "References": "<20260505201905.997996-1-zycai@linux.ibm.com>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=UTF-8", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfXyEfxHxgdBzZf\n r/Diixi54Ogg3cfcdRuNgVKT4dndFSer6D/CN2lwqqnzoQVSj3jCnFza/LW+L0z8W4A97cWnRDM\n TvkdqB/TK1AQRzPXN7MG+pA7fghEcdmdcz4psa+puQPWM8+U7Aq8oEKtcakRhn5tV6cxj8oiRdV\n +EJHqT50coFmNzbzYVvbvz95ndEHQ7HnkHnPPSPgY3MC2MFhGpTXniOnk10jFdrY7WbxSjiiQyL\n ya8fh7MnDLvGfiNVzsq5R+eo2CIr5OxZaS45l7qjbP7QEO9todi8CdgHxzWh21DKbLsN8NR6XoT\n v9j0DlCSnt1Kl9Nk4NZTW0w4i3wRfldyi5Ep/ZAd6+MRIdKfJnREFs8kJpUX7rGZGWXvwnasK9P\n FlkHTXGhXC/9agS+XZyCWk2wWbFpxjglP89iRPEZ+vcQKhCLroOpqSA61OHc5ZI54XdbRdq7oez\n Q2hVnvAxMC5NDPF2pZg==", "X-Proofpoint-ORIG-GUID": "1f7QwPYqiH9DEALzjYGiQDWCmdy7_ojx", "X-Proofpoint-GUID": "1f7QwPYqiH9DEALzjYGiQDWCmdy7_ojx", "X-Authority-Analysis": "v=2.4 cv=ctWrVV4i c=1 sm=1 tr=0 ts=69fa50cd cx=c_pps\n a=aDMHemPKRhS1OARIsFnwRA==:117 a=aDMHemPKRhS1OARIsFnwRA==:17\n a=IkcTkHD0fZMA:10 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22\n a=RnoormkPH1_aCDwRdu11:22 a=V8glGbnc2Ofi9Qvn3v5h:22 a=VnNF1IyMAAAA:8\n a=20KFwNOVAAAA:8 a=cx8EP_J7U0ANkHmDKVUA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-05-05_02,2026-04-30_02,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n priorityscore=1501 lowpriorityscore=0 adultscore=0 clxscore=1011\n suspectscore=0 impostorscore=0 spamscore=0 malwarescore=0 phishscore=0\n bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound\n adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000\n definitions=main-2605050195", "Received-SPF": "pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com;\n helo=mx0b-001b2d01.pphosted.com", "X-Spam_score_int": "-26", "X-Spam_score": "-2.7", "X-Spam_bar": "--", "X-Spam_report": "(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Introduce new helper functions to extract certificate metadata:\n\nqcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time\nqcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate\nqcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521 curve\n\nThese functions provide support for metadata extraction and validity checking\nfor X.509 certificates.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nAcked-by: Daniel P. Berrangé <berrange@redhat.com>\nReviewed-by: Daniel P. Berrangé <berrange@redhat.com>\nReviewed-by: Farhan Ali<alifm@linux.ibm.com>\n---\n crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++\n include/crypto/x509-utils.h | 51 ++++++++\n 2 files changed, 287 insertions(+)", "diff": "diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c\nindex 68cf008938..7dd8d1a0e9 100644\n--- a/crypto/x509-utils.c\n+++ b/crypto/x509-utils.c\n@@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {\n [QCRYPTO_HASH_ALGO_RIPEMD160] = GNUTLS_DIG_RMD160,\n };\n \n+static const int qcrypto_to_gnutls_keyid_flags_map[] = {\n+ [QCRYPTO_HASH_ALGO_MD5] = -1,\n+ [QCRYPTO_HASH_ALGO_SHA1] = GNUTLS_KEYID_USE_SHA1,\n+ [QCRYPTO_HASH_ALGO_SHA224] = -1,\n+ [QCRYPTO_HASH_ALGO_SHA256] = GNUTLS_KEYID_USE_SHA256,\n+ [QCRYPTO_HASH_ALGO_SHA384] = -1,\n+ [QCRYPTO_HASH_ALGO_SHA512] = GNUTLS_KEYID_USE_SHA512,\n+ [QCRYPTO_HASH_ALGO_RIPEMD160] = -1,\n+};\n+\n int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,\n QCryptoHashAlgo alg,\n uint8_t *result,\n@@ -121,6 +131,210 @@ cleanup:\n return ret;\n }\n \n+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp)\n+{\n+ int rc;\n+ int ret = -1;\n+ gnutls_x509_crt_t crt;\n+ gnutls_datum_t datum = {.data = cert, .size = size};\n+ time_t now = time(NULL);\n+ time_t exp_time;\n+ time_t act_time;\n+\n+ if (now == ((time_t)-1)) {\n+ error_setg_errno(errp, errno, \"Cannot get current time\");\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_init(&crt);\n+ if (rc < 0) {\n+ error_setg(errp, \"Failed to initialize certificate: %s\", gnutls_strerror(rc));\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);\n+ if (rc != 0) {\n+ error_setg(errp, \"Failed to import certificate: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ exp_time = gnutls_x509_crt_get_expiration_time(crt);\n+ if (exp_time == ((time_t)-1)) {\n+ error_setg(errp, \"Failed to get certificate expiration time\");\n+ goto cleanup;\n+ }\n+ if (exp_time < now) {\n+ error_setg(errp, \"The certificate has expired\");\n+ goto cleanup;\n+ }\n+\n+ act_time = gnutls_x509_crt_get_activation_time(crt);\n+ if (act_time == ((time_t)-1)) {\n+ error_setg(errp, \"Failed to get certificate activation time\");\n+ goto cleanup;\n+ }\n+ if (act_time > now) {\n+ error_setg(errp, \"The certificate is not yet active\");\n+ goto cleanup;\n+ }\n+\n+ ret = 0;\n+\n+cleanup:\n+ gnutls_x509_crt_deinit(crt);\n+ return ret;\n+}\n+\n+static int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp)\n+{\n+ int rc;\n+ int ret = -1;\n+ unsigned int bits;\n+ gnutls_x509_crt_t crt;\n+ gnutls_datum_t datum = {.data = cert, .size = size};\n+\n+ rc = gnutls_x509_crt_init(&crt);\n+ if (rc < 0) {\n+ error_setg(errp, \"Failed to initialize certificate: %s\", gnutls_strerror(rc));\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);\n+ if (rc != 0) {\n+ error_setg(errp, \"Failed to import certificate: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ rc = gnutls_x509_crt_get_pk_algorithm(crt, &bits);\n+ if (rc < 0) {\n+ error_setg(errp, \"Unknown public key algorithm %d\", rc);\n+ goto cleanup;\n+ }\n+\n+ ret = rc;\n+\n+cleanup:\n+ gnutls_x509_crt_deinit(crt);\n+ return ret;\n+}\n+\n+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,\n+ QCryptoHashAlgo hash_alg,\n+ uint8_t **result,\n+ size_t *resultlen,\n+ Error **errp)\n+{\n+ int rc;\n+ int ret = -1;\n+ gnutls_x509_crt_t crt;\n+ gnutls_datum_t datum = {.data = cert, .size = size};\n+\n+ if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) {\n+ error_setg(errp, \"Unknown hash algorithm %d\", hash_alg);\n+ return ret;\n+ }\n+\n+ if (hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) ||\n+ qcrypto_to_gnutls_keyid_flags_map[hash_alg] == -1) {\n+ error_setg(errp, \"Unsupported key id flag %d\", hash_alg);\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_init(&crt);\n+ if (rc < 0) {\n+ error_setg(errp, \"Failed to initialize certificate: %s\", gnutls_strerror(rc));\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);\n+ if (rc != 0) {\n+ error_setg(errp, \"Failed to import certificate: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ *resultlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash_alg]);\n+ if (*resultlen == 0) {\n+ error_setg(errp, \"Failed to get hash algorithn length: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ *result = g_malloc0(*resultlen);\n+ if (gnutls_x509_crt_get_key_id(crt,\n+ qcrypto_to_gnutls_keyid_flags_map[hash_alg],\n+ *result, resultlen) != 0) {\n+ error_setg(errp, \"Failed to get key ID from certificate\");\n+ g_clear_pointer(result, g_free);\n+ goto cleanup;\n+ }\n+\n+ ret = 0;\n+\n+cleanup:\n+ gnutls_x509_crt_deinit(crt);\n+ return ret;\n+}\n+\n+static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **errp)\n+{\n+ int rc;\n+ int ret = -1;\n+ gnutls_x509_crt_t crt;\n+ gnutls_datum_t datum = {.data = cert, .size = size};\n+ gnutls_ecc_curve_t curve_id;\n+ gnutls_datum_t x = {.data = NULL, .size = 0};\n+ gnutls_datum_t y = {.data = NULL, .size = 0};\n+\n+ rc = gnutls_x509_crt_init(&crt);\n+ if (rc < 0) {\n+ error_setg(errp, \"Failed to initialize certificate: %s\", gnutls_strerror(rc));\n+ return ret;\n+ }\n+\n+ rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM);\n+ if (rc != 0) {\n+ error_setg(errp, \"Failed to import certificate: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ rc = gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y);\n+ if (rc != 0) {\n+ error_setg(errp, \"Failed to get ECC public key curve: %s\", gnutls_strerror(rc));\n+ goto cleanup;\n+ }\n+\n+ ret = curve_id;\n+\n+cleanup:\n+ gnutls_x509_crt_deinit(crt);\n+ g_free(x.data);\n+ g_free(y.data);\n+ return ret;\n+}\n+\n+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)\n+{\n+ int algo;\n+ int curve_id;\n+\n+ algo = qcrypto_x509_get_pk_algorithm(cert, size, errp);\n+ if (algo != GNUTLS_PK_ECDSA) {\n+ return 0;\n+ }\n+\n+ curve_id = qcrypto_x509_get_ecc_curve(cert, size, errp);\n+ if (curve_id == -1) {\n+ error_setg(errp, \"Failed to get ECC curve\");\n+ return -1;\n+ }\n+\n+ if (curve_id == GNUTLS_ECC_CURVE_INVALID) {\n+ error_setg(errp, \"Invalid ECC curve\");\n+ return -1;\n+ }\n+\n+ return curve_id == GNUTLS_ECC_CURVE_SECP521R1;\n+}\n+\n #else /* ! CONFIG_GNUTLS */\n \n int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,\n@@ -142,4 +356,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,\n return -1;\n }\n \n+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp)\n+{\n+ error_setg(errp, \"GNUTLS is required to get certificate times\");\n+ return -1;\n+}\n+\n+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,\n+ QCryptoHashAlgo hash_alg,\n+ uint8_t **result,\n+ size_t *resultlen,\n+ Error **errp)\n+{\n+ error_setg(errp, \"GNUTLS is required to get key ID\");\n+ return -1;\n+}\n+\n+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)\n+{\n+ error_setg(errp, \"GNUTLS is required to determine ecc curve\");\n+ return -1;\n+}\n+\n #endif /* ! CONFIG_GNUTLS */\ndiff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h\nindex 91ae79fb03..6040894a46 100644\n--- a/include/crypto/x509-utils.h\n+++ b/include/crypto/x509-utils.h\n@@ -40,4 +40,55 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size,\n size_t *resultlen,\n Error **errp);\n \n+/**\n+ * qcrypto_x509_check_cert_times\n+ * @cert: pointer to the raw certificate data\n+ * @size: size of the certificate\n+ * @errp: error pointer\n+ *\n+ * Check whether the activation and expiration times of @cert\n+ * are valid at the current time.\n+ *\n+ * Returns: 0 if the certificate times are valid,\n+ * -1 on error.\n+ */\n+int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp);\n+\n+/**\n+ * qcrypto_x509_get_cert_key_id\n+ * @cert: pointer to the raw certificate data\n+ * @size: size of the certificate\n+ * @hash_alg: the hash algorithm flag\n+ * @result: output location for the allocated buffer for key ID\n+ * (the function allocates memory which must be freed by the caller)\n+ * @resultlen: pointer to the size of the buffer\n+ * (will be updated with the actual size of key id)\n+ * @errp: error pointer\n+ *\n+ * Retrieve the key ID from the @cert based on the specified @flag.\n+ *\n+ * Returns: 0 if key ID was successfully stored in @result,\n+ * -1 on error.\n+ */\n+int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,\n+ QCryptoHashAlgo hash_alg,\n+ uint8_t **result,\n+ size_t *resultlen,\n+ Error **errp);\n+\n+/**\n+ * qcrypto_x509_check_ecc_curve_p521\n+ * @cert: pointer to the raw certificate data\n+ * @size: size of the certificate\n+ * @errp: error pointer\n+ *\n+ * Determine whether the ECC public key in the given certificate uses the P-521\n+ * curve.\n+ *\n+ * Returns: 0 if ECC public key does not use P521 curve.\n+ * 1 if ECC public key uses P521 curve.\n+ * -1 on error.\n+ */\n+int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp);\n+\n #endif\n", "prefixes": [ "v11", "08/32" ] }