| Message ID | 20240702182325.2904421-21-raymond.mao@linaro.org |
|---|---|
| State | Changes Requested |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
Hi Raymond > > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +/* Backup of part of the parsing context */ I am not sure I understand the comment > +struct x509_cert_mbedtls_ctx { > + void *tbs; /* Signed data */ > + void *raw_serial; /* Raw serial number in ASN.1 */ > + void *raw_issuer; /* Raw issuer name in ASN.1 */ > + void *raw_subject; /* Raw subject name in ASN.1 */ > + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > +}; > +#endif > + > +/* > + * MbedTLS integration Notes: > + * > + * Fields we don't need to populate from MbedTLS: You mean *for* mbedTLS? > + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, 'raw_sig' and 'raw_sig_size' are used in x509_parse_context(), which in turn is not used in mbedTLS? > + * not needed for MbedTLS. > + * 'signer' and 'seen' are used internally by pkcs7_verify. > + * 'verified' is not inuse. either 'unsued' or 'not in use' > + */ > struct x509_certificate { > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + struct x509_cert_mbedtls_ctx *mbedtls_ctx; > +#endif > struct x509_certificate *next; > struct x509_certificate *signer; /* Certificate that signed this one */ > struct public_key *pub; /* Public key details */ > @@ -48,6 +76,32 @@ struct x509_certificate { > * x509_cert_parser.c > */ > extern void x509_free_certificate(struct x509_certificate *cert); > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +/** > + * x509_populate_pubkey() - Populate public key from MbedTLS context > + * > + * @cert: Pointer to MbedTLS X509 cert > + * @pub_key: Pointer to the populated public key handle > + * Return: 0 on succcess, error code on failure > + */ > +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key); > +/** > + * x509_populate_cert() - Populate X509 cert from MbedTLS context > + * > + * @mbedtls_cert: Pointer to MbedTLS X509 cert > + * @pcert: Pointer to the populated X509 cert handle > + * Return: 0 on succcess, error code on failure > + */ > +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, > + struct x509_certificate **pcert); > +/** > + * x509_get_timestamp() - Translate timestamp from MbedTLS context > + * > + * @x509_time: Pointer to MbedTLS time > + * Return: Time in time64_t format > + */ > +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time); > +#endif > extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); > extern int x509_decode_time(time64_t *_t, size_t hdrlen, > unsigned char tag, > @@ -56,6 +110,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, > /* > * x509_public_key.c > */ > +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > extern int x509_get_sig_params(struct x509_certificate *cert); > +#endif > extern int x509_check_for_self_signed(struct x509_certificate *cert); > #endif /* _X509_PARSER_H */ > diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig > index 6e0656ad1c5..6106190677e 100644 > --- a/lib/crypto/Kconfig > +++ b/lib/crypto/Kconfig > @@ -1,6 +1,6 @@ > menuconfig ASYMMETRIC_KEY_TYPE > bool "Asymmetric (public-key cryptographic) key Support" > - depends on FIT_SIGNATURE > + depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509 > help > This option provides support for a key type that holds the data for > the asymmetric keys used for public key cryptographic operations such > diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile > index 228ae443a27..7f5f04d582c 100644 > --- a/lib/crypto/Makefile > +++ b/lib/crypto/Makefile > @@ -32,11 +32,11 @@ endif > # X.509 Certificate handling > # > obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o > -x509_key_parser-y := \ > +x509_key_parser-y := x509_helper.o > +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ > x509.asn1.o \ > x509_akid.asn1.o \ > x509_cert_parser.o \ > - x509_helper.o \ > x509_public_key.o > > $(obj)/x509_cert_parser.o: \ > diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c > index 4ba13c1adc3..310edbd21be 100644 > --- a/lib/crypto/x509_public_key.c > +++ b/lib/crypto/x509_public_key.c > @@ -30,6 +30,8 @@ > #include "x509_parser.h" > #endif > > +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + > /* > * Set up the signature parameters in an X.509 certificate. This involves > * digesting the signed data and extracting the signature. > -- > 2.25.1 >
On Mon, 29 Jul 2024 at 09:20, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > Hi Raymond > > > > > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > > +/* Backup of part of the parsing context */ > > I am not sure I understand the comment > > We can remove this comment line. > > +struct x509_cert_mbedtls_ctx { > > + void *tbs; /* Signed data */ > > + void *raw_serial; /* Raw serial number in ASN.1 */ > > + void *raw_issuer; /* Raw issuer name in ASN.1 */ > > + void *raw_subject; /* Raw subject name in ASN.1 */ > > + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > > +}; > > +#endif > > + > > +/* > > + * MbedTLS integration Notes: > > + * > > + * Fields we don't need to populate from MbedTLS: > > You mean *for* mbedTLS? > > > + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, > > 'raw_sig' and 'raw_sig_size' are used in x509_parse_context(), which > in turn is not used in mbedTLS? > > Both are used by the U-Boot ASN1 library when parsing the x509. But for MbedTLS, we removed "struct x509_parse_context ", since all parsing is done under MbedTLS and we don't need to expose them at all. > + * not needed for MbedTLS. > > + * 'signer' and 'seen' are used internally by pkcs7_verify. > > + * 'verified' is not inuse. > > either 'unsued' or 'not in use' > A typo. will fix it. Regards, Raymond
diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h index 4cbdc1d6612..3f917da5430 100644 --- a/include/crypto/x509_parser.h +++ b/include/crypto/x509_parser.h @@ -11,8 +11,36 @@ #include <linux/time.h> #include <crypto/public_key.h> #include <keys/asymmetric-type.h> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include <image.h> +#include <mbedtls/error.h> +#include <mbedtls/asn1.h> +#endif +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +/* Backup of part of the parsing context */ +struct x509_cert_mbedtls_ctx { + void *tbs; /* Signed data */ + void *raw_serial; /* Raw serial number in ASN.1 */ + void *raw_issuer; /* Raw issuer name in ASN.1 */ + void *raw_subject; /* Raw subject name in ASN.1 */ + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ +}; +#endif + +/* + * MbedTLS integration Notes: + * + * Fields we don't need to populate from MbedTLS: + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, + * not needed for MbedTLS. + * 'signer' and 'seen' are used internally by pkcs7_verify. + * 'verified' is not inuse. + */ struct x509_certificate { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct x509_cert_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *next; struct x509_certificate *signer; /* Certificate that signed this one */ struct public_key *pub; /* Public key details */ @@ -48,6 +76,32 @@ struct x509_certificate { * x509_cert_parser.c */ extern void x509_free_certificate(struct x509_certificate *cert); +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +/** + * x509_populate_pubkey() - Populate public key from MbedTLS context + * + * @cert: Pointer to MbedTLS X509 cert + * @pub_key: Pointer to the populated public key handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key); +/** + * x509_populate_cert() - Populate X509 cert from MbedTLS context + * + * @mbedtls_cert: Pointer to MbedTLS X509 cert + * @pcert: Pointer to the populated X509 cert handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, + struct x509_certificate **pcert); +/** + * x509_get_timestamp() - Translate timestamp from MbedTLS context + * + * @x509_time: Pointer to MbedTLS time + * Return: Time in time64_t format + */ +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time); +#endif extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); extern int x509_decode_time(time64_t *_t, size_t hdrlen, unsigned char tag, @@ -56,6 +110,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, /* * x509_public_key.c */ +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) extern int x509_get_sig_params(struct x509_certificate *cert); +#endif extern int x509_check_for_self_signed(struct x509_certificate *cert); #endif /* _X509_PARSER_H */ diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 6e0656ad1c5..6106190677e 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -1,6 +1,6 @@ menuconfig ASYMMETRIC_KEY_TYPE bool "Asymmetric (public-key cryptographic) key Support" - depends on FIT_SIGNATURE + depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509 help This option provides support for a key type that holds the data for the asymmetric keys used for public key cryptographic operations such diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 228ae443a27..7f5f04d582c 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -32,11 +32,11 @@ endif # X.509 Certificate handling # obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o -x509_key_parser-y := \ +x509_key_parser-y := x509_helper.o +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ - x509_helper.o \ x509_public_key.o $(obj)/x509_cert_parser.o: \ diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index 4ba13c1adc3..310edbd21be 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c @@ -30,6 +30,8 @@ #include "x509_parser.h" #endif +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + /* * Set up the signature parameters in an X.509 certificate. This involves * digesting the signed data and extracting the signature.
Previous patch has introduced MbedTLS porting layer for x509 cert parser, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. - Add function comments for the new APIs. - Update the dependence of ASYMMETRIC_KEY_TYPE. - Minor fix of the include directories. include/crypto/x509_parser.h | 56 ++++++++++++++++++++++++++++++++++++ lib/crypto/Kconfig | 2 +- lib/crypto/Makefile | 4 +-- lib/crypto/x509_public_key.c | 2 ++ 4 files changed, 61 insertions(+), 3 deletions(-)