[PATCH v3 15/25] mbedtls: add X509 cert parser porting layer
Raymond Mao
raymond.mao at linaro.org
Tue Jun 4 18:05:37 CEST 2024
Hi Ilias,
On Fri, 31 May 2024 at 07:42, Ilias Apalodimas <ilias.apalodimas at linaro.org>
wrote:
> On Tue, 28 May 2024 at 17:15, Raymond Mao <raymond.mao at linaro.org> wrote:
> >
> > Add porting layer for X509 cert parser on top of MbedTLS X509
> > library.
> >
> > Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> > ---
> > Changes in v2
> > - Move the porting layer to MbedTLS dir.
> > Changes in v3
> > - None.
> >
> > lib/mbedtls/Makefile | 1 +
> > lib/mbedtls/x509_cert_parser.c | 497 +++++++++++++++++++++++++++++++++
> > 2 files changed, 498 insertions(+)
> > create mode 100644 lib/mbedtls/x509_cert_parser.c
> >
>
[snip]
> > diff --git a/lib/mbedtls/x509_cert_parser.c
> b/lib/mbedtls/x509_cert_parser.c
> > new file mode 100644
> > index 00000000000..b0867d31047
> > --- /dev/null
> > +++ b/lib/mbedtls/x509_cert_parser.c
>
> [snip]
> > +static int x509_set_cert_flags(struct x509_certificate *cert)
> > +{
> > + struct public_key_signature *sig = cert->sig;
> > +
> > + if (!sig || !cert->pub) {
> > + pr_err("Signature or public key is not initialized\n");
> > + return -ENOPKG;
> > + }
> > +
> > + if (!cert->pub->pkey_algo)
> > + cert->unsupported_key = true;
> > +
> > + if (!sig->pkey_algo)
> > + cert->unsupported_sig = true;
> > +
> > + if (!sig->hash_algo)
> > + cert->unsupported_sig = true;
> > +
> > + /* TODO: is_hash_blacklisted()? */
>
> Is this supported by our current implementation?
>
> This is not supported currently either. I just copied the TODO mark
from legacy lib.
[snip]
> > + }
> > + goto out;
> > + }
> > +
> > + pr_devel("Cert Self-signature verified");
> > + cert->self_signed = true;
> > +
> > +out:
> > + return ret;
> > +
> > +not_self_signed:
> > + return 0;
> > +}
>
> the whole function looks like a copy of lib/crypto/x509_public_key.c.
> Can you move all the c/p ones to a common file that the existing and
> mbedTLS implementations can use?
>
> Per a previous discussion with Tom, eventually we tend to keep only one
crypto lib, that is the reason I prefer to copy/optimize a few existing
functions into MbedTLS implementation instead of creating another
common file.
Regards,
Raymond
More information about the U-Boot
mailing list