{"id":2219378,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2219378/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260402221453.1602899-12-zycai@linux.ibm.com>","date":"2026-04-02T22:14:33","name":"[v10,11/30] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ec29be3bb215994dc1520e44969e23e913760ae6","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.0/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-12-zycai@linux.ibm.com/mbox/","series":[{"id":498557,"url":"http://patchwork.ozlabs.org/api/1.0/series/498557/?format=json","date":"2026-04-02T22:14:35","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":10,"mbox":"http://patchwork.ozlabs.org/series/498557/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219378/checks/","tags":{},"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=JV/ouMHj;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmx6F4JGDz1yFT\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 09:16:53 +1100 (AEDT)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w8QK3-0000o0-JH; Thu, 02 Apr 2026 18:15:31 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QK2-0000n6-5T; Thu, 02 Apr 2026 18:15:30 -0400","from mx0b-001b2d01.pphosted.com ([148.163.158.5])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QK0-0004nu-Fh; Thu, 02 Apr 2026 18:15:29 -0400","from pps.filterd (m0356516.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 632EQb454131589; Thu, 2 Apr 2026 22:15:25 GMT","from ppma21.wdc07v.mail.ibm.com\n (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4d64dgx0rb-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:24 +0000 (GMT)","from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1])\n by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 632K5BGM022197;\n Thu, 2 Apr 2026 22:15:24 GMT","from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4])\n by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4d6tanbw6s-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:24 +0000","from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com\n [10.241.53.104])\n by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 632MFMuS5046876\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 2 Apr 2026 22:15:23 GMT","from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id D35FD5806C;\n Thu,  2 Apr 2026 22:15:22 +0000 (GMT)","from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 791D05805D;\n Thu,  2 Apr 2026 22:15:21 +0000 (GMT)","from fedora-workstation.ibmuc.com (unknown [9.61.183.185])\n by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;\n Thu,  2 Apr 2026 22:15:21 +0000 (GMT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:content-type:date:from:in-reply-to\n :message-id:mime-version:references:subject:to; s=pp1; bh=8krdrx\n G2lBhi5BUk/WgH/kViQQhqXs4iUUqIZTgqzGQ=; b=JV/ouMHjrC+31JfKQLNoOu\n 8XbmZTdPhJjWpfVqHiLe1VekiMPOCQ+wGIz0GVar8du9ACnBvKUiUGwic0DuD2Ac\n kl830emOknlgtNrGaBTZvC3p6oaiOLOwQD2xSztn0BRMLPsG/W2xgI0+4q/9bgvg\n 86KaijJgovsOJnOgIsMNUd+dlIPgfZ8yktJRx7HUjlQ5NagLhN+c4AmLVmRC7XQI\n kQ7rXcfxWFg32oE0FHl3E7nWRyQlRI295H+IIMxEdtFKprREUmKTcpRWzPkhehq3\n OBaowREKKvJOiFo4+MD2ayK1WyaIAg3x9u6dqFJ6LXk1cNsRC9dgCNZPLVG/yVzg\n ==","From":"Zhuoying Cai <zycai@linux.ibm.com>","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com","Subject":"[PATCH v10 11/30] crypto/x509-utils: Add helper functions for DIAG\n 508 subcode 1","Date":"Thu,  2 Apr 2026 18:14:33 -0400","Message-ID":"<20260402221453.1602899-12-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260402221453.1602899-1-zycai@linux.ibm.com>","References":"<20260402221453.1602899-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","X-TM-AS-GCONF":"00","X-Proofpoint-Spam-Details-Enc":"AW1haW4tMjYwNDAyMDE5NSBTYWx0ZWRfXwFavbqv9Z6A9\n B4OlMuFenoTn7uFPupHE7L1ZlQ4hCk5fkIK6XnUCt4/eoHyPvd5Os/u+S/AedicgG/tHF5Dwnqe\n 58f/ofmTQHdCME30mwNTGz7C75+9+IcdxIK/VLkGwz7t6eHEJ+WctnO/gHcBOQ8MjHZVgSrKC5o\n Vg8vVGfrQgYJ56WsOj/b/Lr0E/2X7NsHw8AmwfPOoOIkjY3+PPLyoiC+izgspTY25M7aeZJpenI\n vaHrYE87SDrNdaKSdSqfh8DU2zj/iW8zF0mFGea2TpIZYYUVJGOhFI6XMyjMbvFTdoIMCHspVha\n alkGvzYJF2D1ygVErsufo3p09Xy+0dRxAyLfGb3CF6PbMIlwv392HYk5RHQS3ABTOLM+2W6fNzf\n SX2OFpH6CTDqglCLVMqnJwBKlqKDHx7rV+UzG3WchzIjPA+D6fzEXijc26t02JY99NS+T4bPLWi\n MGzhKwyP+PQPvaPZbUw==","X-Authority-Analysis":"v=2.4 cv=QKZlhwLL c=1 sm=1 tr=0 ts=69ceea7d cx=c_pps\n a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17\n a=IkcTkHD0fZMA:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22\n a=RnoormkPH1_aCDwRdu11:22 a=Y2IxJ9c9Rs8Kov3niI8_:22 a=VnNF1IyMAAAA:8\n a=20KFwNOVAAAA:8 a=Ehcw9bocbOASTidboh8A:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10","X-Proofpoint-GUID":"bViDEuBsCaQEdgjPXub22tRJ1XD5nRZq","X-Proofpoint-ORIG-GUID":"bViDEuBsCaQEdgjPXub22tRJ1XD5nRZq","X-Proofpoint-Virus-Version":"vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n lowpriorityscore=0 phishscore=0 adultscore=0 impostorscore=0 clxscore=1015\n spamscore=0 bulkscore=0 priorityscore=1501 suspectscore=0 malwarescore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604020195","Received-SPF":"pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com;\n helo=mx0b-001b2d01.pphosted.com","X-Spam_score_int":"-26","X-Spam_score":"-2.7","X-Spam_bar":"--","X-Spam_report":"(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Introduce helper functions to support signature verification required by\nDIAG 508 subcode 1:\n\nqcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format\nqcrypto_x509_verify_sig() – verifies the provided data against the given signature\n\nThese functions enable basic signature verification support.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nReviewed-by: Farhan Ali<alifm@linux.ibm.com>\nReviewed-by: Thomas Huth <thuth@redhat.com>\n---\n crypto/x509-utils.c         | 108 ++++++++++++++++++++++++++++++++++++\n include/crypto/x509-utils.h |  41 ++++++++++++++\n 2 files changed, 149 insertions(+)","diff":"diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c\nindex 906d5e5e87..2b991ff9ac 100644\n--- a/crypto/x509-utils.c\n+++ b/crypto/x509-utils.c\n@@ -16,6 +16,7 @@\n #include <gnutls/gnutls.h>\n #include <gnutls/crypto.h>\n #include <gnutls/x509.h>\n+#include <gnutls/pkcs7.h>\n \n static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = {\n     [QCRYPTO_HASH_ALGO_MD5] = GNUTLS_DIG_MD5,\n@@ -335,6 +336,96 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)\n     return curve_id == GNUTLS_ECC_CURVE_SECP521R1;\n }\n \n+int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size,\n+                                  uint8_t **result, size_t *resultlen,\n+                                  Error **errp)\n+{\n+    int ret = -1;\n+    int rc;\n+    gnutls_pkcs7_t signature;\n+    gnutls_datum_t sig_datum_der = {.data = sig, .size = sig_size};\n+    gnutls_datum_t sig_datum_pem = {.data = NULL, .size = 0};\n+\n+    rc = gnutls_pkcs7_init(&signature);\n+    if (rc < 0) {\n+        error_setg(errp, \"Failed to initialize pkcs7 data: %s\", gnutls_strerror(rc));\n+        return ret;\n+    }\n+\n+    rc = gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_DER);\n+    if (rc != 0) {\n+        error_setg(errp, \"Failed to import signature: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    rc = gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum_pem);\n+    if (rc != 0) {\n+        error_setg(errp, \"Failed to convert signature to PEM format: %s\",\n+                   gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    *resultlen = sig_datum_pem.size;\n+    *result = g_memdup2(sig_datum_pem.data, sig_datum_pem.size);\n+\n+    ret = 0;\n+\n+cleanup:\n+    gnutls_pkcs7_deinit(signature);\n+    gnutls_free(sig_datum_pem.data);\n+    return ret;\n+}\n+\n+int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size,\n+                            uint8_t *comp, size_t comp_size,\n+                            uint8_t *sig, size_t sig_size, Error **errp)\n+{\n+    int rc;\n+    int ret = -1;\n+    gnutls_x509_crt_t crt = NULL;\n+    gnutls_pkcs7_t signature = NULL;\n+    gnutls_datum_t cert_datum = {.data = cert, .size = cert_size};\n+    gnutls_datum_t data_datum = {.data = comp, .size = comp_size};\n+    gnutls_datum_t sig_datum = {.data = sig, .size = sig_size};\n+\n+    rc = gnutls_x509_crt_init(&crt);\n+    if (rc < 0) {\n+        error_setg(errp, \"Failed to initialize certificate: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    rc = gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM);\n+    if (rc != 0) {\n+        error_setg(errp, \"Failed to import certificate: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    rc = gnutls_pkcs7_init(&signature);\n+    if (rc < 0) {\n+        error_setg(errp, \"Failed to initialize pkcs7 data: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+     }\n+\n+    rc = gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM);\n+    if (rc != 0) {\n+        error_setg(errp, \"Failed to import signature: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    rc = gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0);\n+    if (rc != 0) {\n+        error_setg(errp, \"Failed to verify signature: %s\", gnutls_strerror(rc));\n+        goto cleanup;\n+    }\n+\n+    ret = 0;\n+\n+cleanup:\n+    gnutls_x509_crt_deinit(crt);\n+    gnutls_pkcs7_deinit(signature);\n+    return ret;\n+}\n+\n #else /* ! CONFIG_GNUTLS */\n \n int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size,\n@@ -378,4 +469,21 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp)\n     return -1;\n }\n \n+int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size,\n+                                  uint8_t **result,\n+                                  size_t *resultlen,\n+                                  Error **errp)\n+{\n+    error_setg(errp, \"GNUTLS is required to export pkcs7 signature\");\n+    return -1;\n+}\n+\n+int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size,\n+                            uint8_t *comp, size_t comp_size,\n+                            uint8_t *sig, size_t sig_size, Error **errp)\n+{\n+    error_setg(errp, \"GNUTLS is required for signature-verification support\");\n+    return -1;\n+}\n+\n #endif /* ! CONFIG_GNUTLS */\ndiff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h\nindex 6040894a46..02e937b14a 100644\n--- a/include/crypto/x509-utils.h\n+++ b/include/crypto/x509-utils.h\n@@ -91,4 +91,45 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size,\n  */\n int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **errp);\n \n+/**\n+ * qcrypto_pkcs7_convert_sig_pem\n+ * @sig: pointer to the PKCS#7 signature in DER format\n+ * @sig_size: size of the signature\n+ * @result: output location for the allocated buffer for the signature in\n+ *          PEM format\n+ *          (the function allocates memory which must be freed by the caller)\n+ * @resultlen: pointer to the size of the buffer\n+ *              (will be updated with the actual size of the PEM-encoded\n+ *               signature)\n+ * @errp: error pointer\n+ *\n+ * Convert given PKCS#7 @sig from DER to PEM format.\n+ *\n+ * Returns: 0 if PEM-encoded signature was successfully stored in @result,\n+ *         -1 on error.\n+ */\n+int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size,\n+                                  uint8_t **result,\n+                                  size_t *resultlen,\n+                                  Error **errp);\n+\n+/**\n+ * qcrypto_x509_verify_sig\n+ * @cert: pointer to the raw certificate data\n+ * @cert_size: size of the certificate\n+ * @comp: pointer to the component to be verified\n+ * @comp_size: size of the component\n+ * @sig: pointer to the signature\n+ * @sig_size: size of the signature\n+ * @errp: error pointer\n+ *\n+ * Verify the provided @comp against the @sig and @cert.\n+ *\n+ * Returns: 0 on success,\n+ *         -1 on error.\n+ */\n+int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size,\n+                            uint8_t *comp, size_t comp_size,\n+                            uint8_t *sig, size_t sig_size, Error **errp);\n+\n #endif\n","prefixes":["v10","11/30"]}