pkey: add support for pkey APIs

Author: mathstuf

keyutils-raw/src/constants.rs

@@ -40,6 +40,11 @@ pub const KEY_SPEC_USER_SESSION_KEYRING:    KeyringSerial = unsafe { KeyringSeri
 pub const KEY_SPEC_GROUP_KEYRING:           KeyringSerial = unsafe { KeyringSerial::new_unchecked(-6) };
 pub const KEY_SPEC_REQKEY_AUTH_KEY:         KeyringSerial = unsafe { KeyringSerial::new_unchecked(-7) };
 
+pub const KEYCTL_SUPPORTS_ENCRYPT:          u32 = 0x01;
+pub const KEYCTL_SUPPORTS_DECRYPT:          u32 = 0x02;
+pub const KEYCTL_SUPPORTS_SIGN:             u32 = 0x04;
+pub const KEYCTL_SUPPORTS_VERIFY:           u32 = 0x08;
+
 pub const KEY_POS_VIEW:    KeyPermissions = 0x0100_0000;     /* possessor can view a key's attributes */
 pub const KEY_POS_READ:    KeyPermissions = 0x0200_0000;     /* possessor can read key payload / view keyring */
 pub const KEY_POS_WRITE:   KeyPermissions = 0x0400_0000;     /* possessor can update key payload / add link to keyring */

keyutils-raw/src/functions.rs

@@ -472,3 +472,172 @@ pub fn keyctl_restrict_keyring(keyring: KeyringSerial, restriction: Restriction)
     }
     .map(ignore)
 }
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+// #[non_exhaustive]
+pub struct PKeyQuery {
+    pub supported_ops: u32,
+    pub key_size: u32,
+    pub max_data_size: u16,
+    pub max_sig_size: u16,
+    pub max_enc_size: u16,
+    pub max_dec_size: u16,
+}
+
+#[repr(C)]
+pub struct PKeyQueryKernel {
+    supported_ops: u32,
+    key_size: u32,
+    max_data_size: u16,
+    max_sig_size: u16,
+    max_enc_size: u16,
+    max_dec_size: u16,
+    _spare: [u32; 10],
+}
+
+impl PKeyQueryKernel {
+    fn zeroed() -> Self {
+        PKeyQueryKernel {
+            supported_ops: 0,
+            key_size: 0,
+            max_data_size: 0,
+            max_sig_size: 0,
+            max_enc_size: 0,
+            max_dec_size: 0,
+            _spare: [0; 10],
+        }
+    }
+}
+
+impl From<PKeyQueryKernel> for PKeyQuery {
+    fn from(kernel: PKeyQueryKernel) -> Self {
+        PKeyQuery {
+            supported_ops: kernel.supported_ops,
+            key_size: kernel.key_size,
+            max_data_size: kernel.max_data_size,
+            max_sig_size: kernel.max_sig_size,
+            max_enc_size: kernel.max_enc_size,
+            max_dec_size: kernel.max_dec_size,
+        }
+    }
+}
+
+pub fn keyctl_pkey_query(key: KeyringSerial, info: &str) -> Result<PKeyQuery> {
+    let mut query = PKeyQueryKernel::zeroed();
+    let info_cstr = cstring(info);
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_PKEY_QUERY,
+            key.get(),
+            0,
+            info_cstr.as_ptr(),
+            &mut query as *mut PKeyQueryKernel,
+        )
+    }
+    .map(ignore)?;
+
+    Ok(query.into())
+}
+
+#[repr(C)]
+struct PKeyOpParamsKernel {
+    key_id: i32,
+    in_len: u32,
+    out_len: u32,
+    in2_len: u32,
+}
+
+pub fn keyctl_pkey_encrypt(
+    key: KeyringSerial,
+    info: &str,
+    data: &[u8],
+    mut buffer: Out<[u8]>,
+) -> Result<usize> {
+    let params = PKeyOpParamsKernel {
+        key_id: key.get(),
+        in_len: safe_len(data.len())?,
+        out_len: safe_len(buffer.len())?,
+        in2_len: 0,
+    };
+    let info_cstr = cstring(info);
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_PKEY_ENCRYPT,
+            &params as *const PKeyOpParamsKernel,
+            info_cstr.as_ptr(),
+            data.as_ptr(),
+            buffer.as_mut_ptr(),
+        )
+    }
+    .map(size)
+}
+
+pub fn keyctl_pkey_decrypt(
+    key: KeyringSerial,
+    info: &str,
+    data: &[u8],
+    mut buffer: Out<[u8]>,
+) -> Result<usize> {
+    let params = PKeyOpParamsKernel {
+        key_id: key.get(),
+        in_len: safe_len(data.len())?,
+        out_len: safe_len(buffer.len())?,
+        in2_len: 0,
+    };
+    let info_cstr = cstring(info);
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_PKEY_DECRYPT,
+            &params as *const PKeyOpParamsKernel,
+            info_cstr.as_ptr(),
+            data.as_ptr(),
+            buffer.as_mut_ptr(),
+        )
+    }
+    .map(size)
+}
+
+pub fn keyctl_pkey_sign(
+    key: KeyringSerial,
+    info: &str,
+    data: &[u8],
+    mut buffer: Out<[u8]>,
+) -> Result<usize> {
+    let params = PKeyOpParamsKernel {
+        key_id: key.get(),
+        in_len: safe_len(data.len())?,
+        out_len: safe_len(buffer.len())?,
+        in2_len: 0,
+    };
+    let info_cstr = cstring(info);
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_PKEY_SIGN,
+            &params as *const PKeyOpParamsKernel,
+            info_cstr.as_ptr(),
+            data.as_ptr(),
+            buffer.as_mut_ptr(),
+        )
+    }
+    .map(size)
+}
+
+pub fn keyctl_pkey_verify(key: KeyringSerial, info: &str, data: &[u8], sig: &[u8]) -> Result<bool> {
+    let params = PKeyOpParamsKernel {
+        key_id: key.get(),
+        in_len: safe_len(data.len())?,
+        out_len: 0,
+        in2_len: safe_len(sig.len())?,
+    };
+    let info_cstr = cstring(info);
+    unsafe {
+        keyctl!(
+            libc::KEYCTL_PKEY_VERIFY,
+            &params as *const PKeyOpParamsKernel,
+            info_cstr.as_ptr(),
+            data.as_ptr(),
+            sig.as_ptr(),
+        )
+    }
+    .map(|res| res == 0)
+}

src/api.rs

@@ -35,7 +35,7 @@ use keyutils_raw::*;
 use log::error;
 use uninit::extension_traits::VecCapacity;
 
-use crate::constants::{Permission, SpecialKeyring};
+use crate::constants::{KeyctlSupportFlags, Permission, SpecialKeyring};
 use crate::keytype::*;
 use crate::keytypes;
 
@@ -511,6 +511,64 @@ pub struct Key {
     id: KeyringSerial,
 }
 
+/// Structure to store results from a query on optional feature support for a key.
+#[derive(Debug, Clone, Copy)]
+pub struct KeySupportInfo {
+    /// Features supported by the key.
+    pub supported_ops: KeyctlSupportFlags,
+    /// The size of the key (in bits).
+    pub key_size: u32,
+    /// The maximum size of a data blob which may be signed.
+    pub max_data_size: u16,
+    /// The maximum size of a signature blob.
+    pub max_sig_size: u16,
+    /// The maximum size of a blob to be encrypted.
+    pub max_enc_size: u16,
+    /// The maximum size of a blob to be decrypted.
+    pub max_dec_size: u16,
+}
+
+impl KeySupportInfo {
+    fn from_c(c_info: PKeyQuery) -> Self {
+        KeySupportInfo {
+            supported_ops: c_info.supported_ops,
+            key_size: c_info.key_size,
+            max_data_size: c_info.max_data_size,
+            max_sig_size: c_info.max_sig_size,
+            max_enc_size: c_info.max_enc_size,
+            max_dec_size: c_info.max_dec_size,
+        }
+    }
+}
+
+/// Encodings supported by the kernel.
+#[derive(Debug, Clone)]
+// #[non_exhaustive]
+pub enum KeyctlEncoding {
+    /// The RSASSA-PKCS1-v1.5 encoding.
+    RsassaPkcs1V15,
+    /// The RSAES-PKCS1-v1.5 encoding.
+    RsaesPkcs1V15,
+    /// The RSASSA-PSS encoding.
+    RsassaPss,
+    /// The RSAES-OAEP encoding.
+    RsaesOaep,
+    /// For extensibility.
+    OtherEncoding(Cow<'static, str>),
+}
+
+impl KeyctlEncoding {
+    fn encoding(&self) -> &str {
+        match *self {
+            KeyctlEncoding::RsassaPkcs1V15 => "pkcs1",
+            KeyctlEncoding::RsaesPkcs1V15 => "pkcs1",
+            KeyctlEncoding::RsassaPss => "pss",
+            KeyctlEncoding::RsaesOaep => "oaep",
+            KeyctlEncoding::OtherEncoding(ref s) => &s,
+        }
+    }
+}
+
 /// Hashes supported by the kernel.
 #[derive(Debug, Clone)]
 // #[non_exhaustive]
@@ -581,6 +639,28 @@ impl KeyctlHash {
     }
 }
 
+/// Options for output from public key functions (encryption, decryption, signing, and verifying).
+#[derive(Debug, Clone)]
+pub struct PublicKeyOptions {
+    /// The encoding of the encrypted blob or the signature.
+    pub encoding: Option<KeyctlEncoding>,
+    /// Hash algorithm to use (if the encoding uses it).
+    pub hash: Option<KeyctlHash>,
+}
+
+impl PublicKeyOptions {
+    fn info(&self) -> String {
+        let options = [
+            ("enc", self.encoding.as_ref().map(KeyctlEncoding::encoding)),
+            ("hash", self.hash.as_ref().map(KeyctlHash::hash)),
+        ]
+        .iter()
+        .map(|&(key, value)| value.map_or_else(String::new, |v| format!("{}={}", key, v)))
+        .collect::<Vec<_>>();
+        options.join(" ").trim().to_owned()
+    }
+}
+
 impl Key {
     /// Instantiate a key from an ID.
     ///
@@ -814,6 +894,60 @@ impl Key {
         buffer.truncate(sz);
         Ok(buffer)
     }
+
+    fn pkey_query_support_impl(&self, info: &str) -> Result<PKeyQuery> {
+        keyctl_pkey_query(self.id, info)
+    }
+
+    /// Query which optionally supported features may be used by the key.
+    pub fn pkey_query_support(&self, query: &PublicKeyOptions) -> Result<KeySupportInfo> {
+        let info = query.info();
+        self.pkey_query_support_impl(&info)
+            .map(KeySupportInfo::from_c)
+    }
+
+    /// Encrypt data using the key.
+    pub fn encrypt(&self, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let info = options.info();
+        let support = self.pkey_query_support_impl(&info)?;
+        let mut buffer = Vec::with_capacity(support.max_enc_size as usize);
+        let write_buffer = buffer.get_backing_buffer();
+        let sz = keyctl_pkey_encrypt(self.id, &info, data, write_buffer)?;
+        buffer.truncate(sz);
+        Ok(buffer)
+    }
+
+    /// Decrypt data using the key.
+    pub fn decrypt(&self, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let info = options.info();
+        let support = self.pkey_query_support_impl(&info)?;
+        let mut buffer = Vec::with_capacity(support.max_dec_size as usize);
+        let write_buffer = buffer.get_backing_buffer();
+        let sz = keyctl_pkey_decrypt(self.id, &info, data, write_buffer)?;
+        buffer.truncate(sz);
+        Ok(buffer)
+    }
+
+    /// Sign data using the key.
+    pub fn sign(&self, options: &PublicKeyOptions, data: &[u8]) -> Result<Vec<u8>> {
+        let info = options.info();
+        let support = self.pkey_query_support_impl(&info)?;
+        let mut buffer = Vec::with_capacity(support.max_sig_size as usize);
+        let write_buffer = buffer.get_backing_buffer();
+        let sz = keyctl_pkey_sign(self.id, &info, data, write_buffer)?;
+        buffer.truncate(sz);
+        Ok(buffer)
+    }
+
+    /// Verify a signature of the data using the key.
+    pub fn verify(
+        &self,
+        options: &PublicKeyOptions,
+        data: &[u8],
+        signature: &[u8],
+    ) -> Result<bool> {
+        keyctl_pkey_verify(self.id, &options.info(), data, signature)
+    }
 }
 
 /// Structure representing the metadata about a key or keyring.

src/constants.rs

@@ -146,6 +146,21 @@ bitflags! {
     }
 }
 
+/// They kernel type for representing support for optional features.
+///
+/// Asymmetric keys might only support a limited set of operations. These flags indicate which
+/// operations are available.
+pub type KeyctlSupportFlags = u32;
+
+bitflags! {
+    struct KeyctlSupportFlag: KeyctlSupportFlags {
+        const SUPPORTS_ENCRYPT  = 0x01;
+        const SUPPORTS_DECRYPT  = 0x02;
+        const SUPPORTS_SIGN     = 0x04;
+        const SUPPORTS_VERIFY   = 0x08;
+    }
+}
+
 #[test]
 fn test_keyring_ids() {
     assert_eq!(SpecialKeyring::Thread.serial(), KEY_SPEC_THREAD_KEYRING);
@@ -202,3 +217,20 @@ fn test_other_permission_bits() {
     assert_eq!(Permission::OTHER_SET_ATTRIBUTE.bits, KEY_OTH_SETATTR);
     assert_eq!(Permission::OTHER_ALL.bits, KEY_OTH_ALL);
 }
+
+#[test]
+fn test_support_flags() {
+    assert_eq!(
+        KeyctlSupportFlag::SUPPORTS_ENCRYPT.bits,
+        KEYCTL_SUPPORTS_ENCRYPT,
+    );
+    assert_eq!(
+        KeyctlSupportFlag::SUPPORTS_DECRYPT.bits,
+        KEYCTL_SUPPORTS_DECRYPT,
+    );
+    assert_eq!(KeyctlSupportFlag::SUPPORTS_SIGN.bits, KEYCTL_SUPPORTS_SIGN);
+    assert_eq!(
+        KeyctlSupportFlag::SUPPORTS_VERIFY.bits,
+        KEYCTL_SUPPORTS_VERIFY,
+    );
+}