[PATCH v4 20/29] lib/crypto: Adapt x509_cert_parser to MbedTLS

Ilias Apalodimas ilias.apalodimas at linaro.org
Mon Jul 29 15:19:58 CEST 2024 

Hi Raymond

>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +/* Backup of part of the parsing context */

I am not sure I understand the comment

> +struct x509_cert_mbedtls_ctx {
> +       void    *tbs;                   /* Signed data */
> +       void    *raw_serial;            /* Raw serial number in ASN.1 */
> +       void    *raw_issuer;            /* Raw issuer name in ASN.1 */
> +       void    *raw_subject;           /* Raw subject name in ASN.1 */
> +       void    *raw_skid;              /* Raw subjectKeyId in ASN.1 */
> +};
> +#endif
> +
> +/*
> + * MbedTLS integration Notes:
> + *
> + * Fields we don't need to populate from MbedTLS:

You mean *for* mbedTLS?

> + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context,

'raw_sig' and 'raw_sig_size' are used in x509_parse_context(), which
in turn is not used in mbedTLS?

> + * not needed for MbedTLS.
> + * 'signer' and 'seen' are used internally by pkcs7_verify.
> + * 'verified' is not inuse.

either 'unsued' or 'not in use'
> + */
>  struct x509_certificate {
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +       struct x509_cert_mbedtls_ctx *mbedtls_ctx;
> +#endif
>         struct x509_certificate *next;
>         struct x509_certificate *signer;        /* Certificate that signed this one */
>         struct public_key *pub;                 /* Public key details */
> @@ -48,6 +76,32 @@ struct x509_certificate {
>   * x509_cert_parser.c
>   */
>  extern void x509_free_certificate(struct x509_certificate *cert);
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +/**
> + * x509_populate_pubkey() - Populate public key from MbedTLS context
> + *
> + * @cert:      Pointer to MbedTLS X509 cert
> + * @pub_key:   Pointer to the populated public key handle
> + * Return: 0 on succcess, error code on failure
> + */
> +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key);
> +/**
> + * x509_populate_cert() - Populate X509 cert from MbedTLS context
> + *
> + * @mbedtls_cert:      Pointer to MbedTLS X509 cert
> + * @pcert:             Pointer to the populated X509 cert handle
> + * Return: 0 on succcess, error code on failure
> + */
> +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert,
> +                      struct x509_certificate **pcert);
> +/**
> + * x509_get_timestamp() - Translate timestamp from MbedTLS context
> + *
> + * @x509_time: Pointer to MbedTLS time
> + * Return: Time in time64_t format
> + */
> +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time);
> +#endif
>  extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);
>  extern int x509_decode_time(time64_t *_t,  size_t hdrlen,
>                             unsigned char tag,
> @@ -56,6 +110,8 @@ extern int x509_decode_time(time64_t *_t,  size_t hdrlen,
>  /*
>   * x509_public_key.c
>   */
> +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
>  extern int x509_get_sig_params(struct x509_certificate *cert);
> +#endif
>  extern int x509_check_for_self_signed(struct x509_certificate *cert);
>  #endif /* _X509_PARSER_H */
> diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
> index 6e0656ad1c5..6106190677e 100644
> --- a/lib/crypto/Kconfig
> +++ b/lib/crypto/Kconfig
> @@ -1,6 +1,6 @@
>  menuconfig ASYMMETRIC_KEY_TYPE
>         bool "Asymmetric (public-key cryptographic) key Support"
> -       depends on FIT_SIGNATURE
> +       depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509
>         help
>           This option provides support for a key type that holds the data for
>           the asymmetric keys used for public key cryptographic operations such
> diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
> index 228ae443a27..7f5f04d582c 100644
> --- a/lib/crypto/Makefile
> +++ b/lib/crypto/Makefile
> @@ -32,11 +32,11 @@ endif
>  # X.509 Certificate handling
>  #
>  obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
> -x509_key_parser-y := \
> +x509_key_parser-y := x509_helper.o
> +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
>         x509.asn1.o \
>         x509_akid.asn1.o \
>         x509_cert_parser.o \
> -       x509_helper.o \
>         x509_public_key.o
>
>  $(obj)/x509_cert_parser.o: \
> diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
> index 4ba13c1adc3..310edbd21be 100644
> --- a/lib/crypto/x509_public_key.c
> +++ b/lib/crypto/x509_public_key.c
> @@ -30,6 +30,8 @@
>  #include "x509_parser.h"
>  #endif
>
> +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +
>  /*
>   * Set up the signature parameters in an X.509 certificate.  This involves
>   * digesting the signed data and extracting the signature.
> --
> 2.25.1
>

More information about the U-Boot mailing list