Using Linux crypto API from User Space for RSA

Question

I am looking for a way to call Linux kernel crypto API from user space for RSA encryption/decryption. RSA function are implemented in linux kernel.

Currently, I found 2 way to call crypto API from user space:

AF_ALG socket, using [libkapi] (http://www.chronox.de/libkcapi.html). It seems to be the offical solution (https://www.kernel.org/doc/html/v4.19/crypto/userspace-if.html).
[cryptodev] (http://cryptodev-linux.org/) which uses ioctl.

Unfortunaly, cryptodev doesn't support asymmetric algorithms like RSA.

And I am not sur if AF_ALG supports akcipher like RSA. The result of cat /proc/crypto is:

...
name         : rsa
driver       : rsa-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : akcipher

But, I tried to bind an AF_ALG socket with :

int sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0); 
struct sockaddr_alg sa = { 
    .salg_family = AF_ALG, 
    .salg_type = "akcipher",
    .salg_name = "rsa"
};

The bind failed with ***ERROR : bind socket failed (2) : No such file or directory.

Did I miss something ? Is there an other way to call crypto API from user space ?

openssl implements a software solution without using kernel space API (and without hardware acceleration) — tom

Ctx Ctx · Accepted Answer · 2019-08-05T13:37:23

From the documentation:

The kernel crypto API is accessible from user space. Currently, the following ciphers are accessible:

Message digest including keyed message digest (HMAC, CMAC)

Symmetric ciphers

AEAD ciphers

Random Number Generators

This means, that the akcipher cipher family is not available from userspace, hence binding to it fails with ENOENT. Indeed, checking with the linux kernel source reveals, that there is no algif_akcipher.c, where the userspace interface of the akcipher family would be implemented.

Using Linux crypto API from User Space for RSA

1 Answers