Extend crypto SP to support signature verification
The UEFI service of SMM gateway needs pkcs7 signature verification
to authorize variable accesses. Instead of duplicating the mbedtls
entities, crypto SP will provide an interface to do the signature
verification.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I7b0472435ac1620c4fe42d0592e1c64faaf10df7
diff --git a/components/service/crypto/backend/mbedcrypto/component.cmake b/components/service/crypto/backend/mbedcrypto/component.cmake
index bd7f4ae..36fd3df 100644
--- a/components/service/crypto/backend/mbedcrypto/component.cmake
+++ b/components/service/crypto/backend/mbedcrypto/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -8,6 +8,9 @@
message(FATAL_ERROR "mandatory parameter TGT is not defined.")
endif()
+target_include_directories(${TGT} PRIVATE
+ "${MBEDTLS_INSTALL_DIR}/include"
+)
target_sources(${TGT} PRIVATE
"${CMAKE_CURRENT_LIST_DIR}/mbedcrypto_backend.c"
)
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake
new file mode 100644
index 0000000..878af28
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake
@@ -0,0 +1,16 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_include_directories(${TGT} PRIVATE
+ "${MBEDTLS_INSTALL_DIR}/include"
+)
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/mbedtls_fake_x509.c"
+ )
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c
new file mode 100644
index 0000000..a579252
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <mbedtls/build_info.h>
+#include <mbedtls/error.h>
+#include <mbedtls/pkcs7.h>
+#include <mbedtls/x509_crt.h>
+#include <compiler.h>
+#include <stdlib.h>
+
+#include "mbedtls_fake_x509.h"
+
+/*
+ * This file contains X509 and PKCS#7 related fake functions. When crypto SP is compiled
+ * with a minimalistic mbedtls config which does not support the aformentioned features
+ * these functions need to be included to avoid linkage errors.
+ */
+#if !defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
+{
+ (void)crt;
+}
+
+int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen)
+{
+ (void)chain;
+ (void)buf;
+ (void)buflen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+
+void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
+{
+ (void)crt;
+}
+#endif
+
+#if !defined(MBEDTLS_PKCS7_C)
+void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7)
+{
+ (void)pkcs7;
+}
+
+int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+ const size_t buflen)
+{
+ (void)pkcs7;
+ (void)buf;
+ (void)buflen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+
+void mbedtls_pkcs7_free(mbedtls_pkcs7 *pkcs7)
+{
+ (void)pkcs7;
+}
+
+int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *hash, size_t hashlen)
+{
+ (void)pkcs7;
+ (void)cert;
+ (void)hash;
+ (void)hashlen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+#endif
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h
new file mode 100644
index 0000000..f282aa7
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef MBEDTLS_FAKE_X509_H
+#define MBEDTLS_FAKE_X509_H
+
+
+#endif /* MBEDTLS_FAKE_X509_H */
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller.h b/components/service/crypto/client/caller/packed-c/crypto_caller.h
index e41a8cb..d834bc2 100644
--- a/components/service/crypto/client/caller/packed-c/crypto_caller.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -13,22 +13,23 @@
* provided by a crypto service instance using the packed-c serialization.
*/
#include "crypto_caller_aead.h"
-#include "crypto_caller_copy_key.h"
-#include "crypto_caller_generate_key.h"
-#include "crypto_caller_hash.h"
-#include "crypto_caller_mac.h"
#include "crypto_caller_asymmetric_decrypt.h"
-#include "crypto_caller_destroy_key.h"
-#include "crypto_caller_generate_random.h"
-#include "crypto_caller_import_key.h"
-#include "crypto_caller_purge_key.h"
#include "crypto_caller_asymmetric_encrypt.h"
-#include "crypto_caller_export_key.h"
-#include "crypto_caller_get_key_attributes.h"
-#include "crypto_caller_sign_hash.h"
#include "crypto_caller_cipher.h"
+#include "crypto_caller_copy_key.h"
+#include "crypto_caller_destroy_key.h"
+#include "crypto_caller_export_key.h"
#include "crypto_caller_export_public_key.h"
+#include "crypto_caller_generate_key.h"
+#include "crypto_caller_generate_random.h"
+#include "crypto_caller_get_key_attributes.h"
+#include "crypto_caller_hash.h"
+#include "crypto_caller_import_key.h"
#include "crypto_caller_key_derivation.h"
+#include "crypto_caller_mac.h"
+#include "crypto_caller_purge_key.h"
+#include "crypto_caller_sign_hash.h"
#include "crypto_caller_verify_hash.h"
+#include "crypto_caller_verify_pkcs7_signature.h"
#endif /* PACKEDC_CRYPTO_CALLER_H */
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_pkcs7_signature.h b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_pkcs7_signature.h
new file mode 100644
index 0000000..fef4d28
--- /dev/null
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_pkcs7_signature.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PACKEDC_CRYPTO_CALLER_VERIFY_PKCS7_SIGNATURE_H
+#define PACKEDC_CRYPTO_CALLER_VERIFY_PKCS7_SIGNATURE_H
+
+#include <common/tlv/tlv.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <protocols/service/crypto/packed-c/opcodes.h>
+#include <protocols/service/crypto/packed-c/verify_pkcs7_signature.h>
+#include <service/common/client/service_client.h>
+#include <stdlib.h>
+#include <string.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+static inline int crypto_caller_verify_pkcs7_signature(struct service_client *context,
+ const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ int status = RPC_ERROR_INTERNAL;
+ size_t req_len = 0;
+
+ struct tlv_record signature_record = {
+ .tag = TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_SIGNATURE,
+ .length = signature_cert_len,
+ .value = signature_cert
+ };
+
+ struct tlv_record hash_record = { .tag = TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_HASH,
+ .length = hash_len,
+ .value = hash };
+
+ struct tlv_record public_key_record = {
+ .tag = TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_PUBLIC_KEY_CERT,
+ .length = public_key_cert_len,
+ .value = public_key_cert
+ };
+
+ req_len += tlv_required_space(signature_record.length);
+ req_len += tlv_required_space(hash_record.length);
+ req_len += tlv_required_space(public_key_record.length);
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_session_begin(context->session, &req_buf, req_len, 0);
+
+ if (call_handle) {
+ uint8_t *resp_buf;
+ size_t resp_len;
+ service_status_t service_status;
+ struct tlv_iterator req_iter;
+
+ tlv_iterator_begin(&req_iter, req_buf, req_len);
+ tlv_encode(&req_iter, &signature_record);
+ tlv_encode(&req_iter, &hash_record);
+ tlv_encode(&req_iter, &public_key_record);
+
+ context->rpc_status = rpc_caller_session_invoke(
+ call_handle, TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, &resp_buf, &resp_len,
+ &service_status);
+
+ if (context->rpc_status == RPC_SUCCESS)
+ status = service_status;
+
+ rpc_caller_session_end(call_handle);
+ }
+
+ return status;
+}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* PACKEDC_CRYPTO_CALLER_VERIFY_PKCS7_SIGNATURE_H */
diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index eebe60e..6792a17 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -235,6 +235,11 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length) = 0;
+ virtual int verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len) = 0;
+
protected:
crypto_client();
crypto_client(struct rpc_caller_session *session);
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index 2465f05..aaa71f0 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -418,3 +418,13 @@
alg, private_key, peer_key, peer_key_length,
output, output_size, output_length);
}
+
+int packedc_crypto_client::verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ return crypto_caller_verify_pkcs7_signature(&m_client, signature_cert, signature_cert_len,
+ hash, hash_len, public_key_cert,
+ public_key_cert_len);
+}
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index c0e8958..8d4f60c 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -233,6 +233,9 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length);
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert, uint64_t public_key_cert_len);
};
#endif /* PACKEDC_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index c84c753..6bae7a8 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -1158,3 +1158,19 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+
+int protobuf_crypto_client::verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len,
+ const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ (void)signature_cert;
+ (void)signature_cert_len;
+ (void)hash;
+ (void)hash_len;
+ (void)public_key_cert;
+ (void)public_key_cert_len;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 8ce896f..9ad43f7 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -233,6 +233,10 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length);
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert, uint64_t public_key_cert_len);
+
private:
psa_status_t asym_sign(uint32_t opcode,
diff --git a/components/service/crypto/client/psa/component.cmake b/components/service/crypto/client/psa/component.cmake
index ad7e09c..359db3b 100644
--- a/components/service/crypto/client/psa/component.cmake
+++ b/components/service/crypto/client/psa/component.cmake
@@ -31,4 +31,5 @@
"${CMAKE_CURRENT_LIST_DIR}/psa_aead.c"
"${CMAKE_CURRENT_LIST_DIR}/psa_sign_message.c"
"${CMAKE_CURRENT_LIST_DIR}/psa_verify_message.c"
+ "${CMAKE_CURRENT_LIST_DIR}/verify_pkcs7_signature.c"
)
diff --git a/components/service/crypto/client/psa/crypto_client.h b/components/service/crypto/client/psa/crypto_client.h
new file mode 100644
index 0000000..4b59bbe
--- /dev/null
+++ b/components/service/crypto/client/psa/crypto_client.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CRYPTO_CLIENT_H
+#define CRYPTO_CLIENT_H
+
+#include <stdint.h>
+
+int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len);
+
+#endif /* CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/psa/verify_pkcs7_signature.c b/components/service/crypto/client/psa/verify_pkcs7_signature.c
new file mode 100644
index 0000000..e329f34
--- /dev/null
+++ b/components/service/crypto/client/psa/verify_pkcs7_signature.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "crypto_caller_selector.h"
+#include "crypto_client.h"
+#include "psa_crypto_client.h"
+
+int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+ return psa_crypto_client_instance.init_status;
+
+ return crypto_caller_verify_pkcs7_signature(&psa_crypto_client_instance.base,
+ signature_cert, signature_cert_len, hash,
+ hash_len, public_key_cert, public_key_cert_len);
+}
diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c
index d1798d7..8992b93 100644
--- a/components/service/crypto/provider/crypto_provider.c
+++ b/components/service/crypto/provider/crypto_provider.c
@@ -1,8 +1,11 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
+#include <mbedtls/build_info.h>
+#include <mbedtls/pkcs7.h>
+#include <mbedtls/x509_crt.h>
#include <protocols/rpc/common/packed-c/status.h>
#include <protocols/service/crypto/packed-c/opcodes.h>
#include <psa/crypto.h>
@@ -26,24 +29,26 @@
static rpc_status_t copy_key_handler(void *context, struct rpc_request *req);
static rpc_status_t purge_key_handler(void *context, struct rpc_request *req);
static rpc_status_t get_key_attributes_handler(void *context, struct rpc_request *req);
+static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req);
/* Handler mapping table for service */
static const struct service_handler handler_table[] = {
- { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
- { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
- { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
- { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
- { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
- { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
- { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
- { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
- { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
- { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
- { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
- { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
- { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
- { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
- { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
+ { TS_CRYPTO_OPCODE_GENERATE_KEY, generate_key_handler },
+ { TS_CRYPTO_OPCODE_DESTROY_KEY, destroy_key_handler },
+ { TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler },
+ { TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler },
+ { TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler },
+ { TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler },
+ { TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler },
+ { TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler },
+ { TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler },
+ { TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler },
+ { TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler },
+ { TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler },
+ { TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler },
+ { TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE, verify_pkcs7_signature_handler },
};
struct rpc_service_interface *
@@ -595,3 +600,80 @@
return rpc_status;
}
+
+static rpc_status_t verify_pkcs7_signature_handler(void *context, struct rpc_request *req)
+{
+ rpc_status_t rpc_status = RPC_ERROR_INTERNAL;
+ struct rpc_buffer *req_buf = &req->request;
+ const struct crypto_provider_serializer *serializer = get_crypto_serializer(context, req);
+
+ int mbedtls_status = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
+ uint8_t *signature_cert = NULL;
+ uint64_t signature_cert_len = 0;
+ uint8_t *hash = NULL;
+ uint64_t hash_len = 0;
+ uint8_t *public_key_cert = NULL;
+ uint64_t public_key_cert_len = 0;
+
+ if (serializer) {
+ /* First collect the lengths of the fields */
+ rpc_status = serializer->deserialize_verify_pkcs7_signature_req(
+ req_buf, NULL, &signature_cert_len, NULL, &hash_len, NULL,
+ &public_key_cert_len);
+
+ if (rpc_status == RPC_SUCCESS) {
+ /* Allocate the needed space and get the data */
+ signature_cert = (uint8_t *)malloc(signature_cert_len);
+ hash = (uint8_t *)malloc(hash_len);
+ public_key_cert = (uint8_t *)malloc(public_key_cert_len);
+
+ if (signature_cert && hash && public_key_cert) {
+ rpc_status = serializer->deserialize_verify_pkcs7_signature_req(
+ req_buf, signature_cert, &signature_cert_len, hash,
+ &hash_len, public_key_cert, &public_key_cert_len);
+ } else {
+ rpc_status = RPC_ERROR_RESOURCE_FAILURE;
+ }
+ }
+ }
+
+ if (rpc_status == RPC_SUCCESS) {
+ /* Parse the public key certificate */
+ mbedtls_x509_crt signer_certificate;
+
+ mbedtls_x509_crt_init(&signer_certificate);
+
+ mbedtls_status = mbedtls_x509_crt_parse_der(&signer_certificate, public_key_cert,
+ public_key_cert_len);
+
+ if (mbedtls_status == 0) {
+ /* Parse the PKCS#7 DER encoded signature block */
+ mbedtls_pkcs7 pkcs7_structure;
+
+ mbedtls_pkcs7_init(&pkcs7_structure);
+
+ mbedtls_status = mbedtls_pkcs7_parse_der(&pkcs7_structure, signature_cert,
+ signature_cert_len);
+
+ if (mbedtls_status == MBEDTLS_PKCS7_SIGNED_DATA) {
+ /* Verify hash against signed hash */
+ mbedtls_status = mbedtls_pkcs7_signed_hash_verify(
+ &pkcs7_structure, &signer_certificate, hash, hash_len);
+ }
+
+ mbedtls_pkcs7_free(&pkcs7_structure);
+ }
+
+ mbedtls_x509_crt_free(&signer_certificate);
+ }
+
+ free(signature_cert);
+ free(hash);
+ free(public_key_cert);
+
+ /* Provide the result of the verification */
+ req->service_status = mbedtls_status;
+
+ return rpc_status;
+}
diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
index afc2f05..1a0ce3c 100644
--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -118,6 +118,14 @@
rpc_status_t (*serialize_generate_random_resp)(struct rpc_buffer *resp_buf,
const uint8_t *output, size_t output_len);
+
+ /* Operation: verify_pkcs7_signature */
+ rpc_status_t (*deserialize_verify_pkcs7_signature_req)(struct rpc_buffer *req_buf,
+ uint8_t *signature_cert,
+ uint64_t *signature_cert_len,
+ uint8_t *hash, uint64_t *hash_len,
+ uint8_t *public_key_cert,
+ uint64_t *public_key_cert_len);
};
#endif /* CRYPTO_PROVIDER_SERIALIZER_H */
diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
index 2ca39ea..f59173d 100644
--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -21,6 +21,7 @@
#include <protocols/service/crypto/packed-c/purge_key.h>
#include <protocols/service/crypto/packed-c/sign_hash.h>
#include <protocols/service/crypto/packed-c/verify_hash.h>
+#include <protocols/service/crypto/packed-c/verify_pkcs7_signature.h>
#include <psa/crypto.h>
#include <stdlib.h>
#include <string.h>
@@ -620,22 +621,89 @@
return rpc_status;
}
+/* Operation: mbedtls_verify_pkcs7_signature */
+static rpc_status_t deserialize_verify_pkcs7_signature_req(
+ struct rpc_buffer *req_buf, uint8_t *signature_cert, uint64_t *signature_cert_len,
+ uint8_t *hash, uint64_t *hash_len, uint8_t *public_key_cert, uint64_t *public_key_cert_len)
+{
+ rpc_status_t rpc_status = RPC_ERROR_INVALID_REQUEST_BODY;
+
+ if (req_buf->data_length) {
+ struct tlv_const_iterator req_iter;
+ struct tlv_record decoded_record;
+
+ rpc_status = RPC_SUCCESS;
+
+ tlv_const_iterator_begin(&req_iter, (uint8_t *)req_buf->data, req_buf->data_length);
+
+ if (tlv_find_decode(&req_iter, TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_SIGNATURE,
+ &decoded_record)) {
+ *signature_cert_len = decoded_record.length;
+
+ if (signature_cert)
+ memcpy(signature_cert, decoded_record.value, decoded_record.length);
+ } else {
+ /* Default to a zero length */
+ *signature_cert_len = 0;
+ }
+
+ if (tlv_find_decode(&req_iter, TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_HASH,
+ &decoded_record)) {
+ *hash_len = decoded_record.length;
+
+ if (hash)
+ memcpy(hash, decoded_record.value, decoded_record.length);
+ } else {
+ /* Default to a zero length */
+ *hash_len = 0;
+ }
+
+ if (tlv_find_decode(&req_iter,
+ TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_PUBLIC_KEY_CERT,
+ &decoded_record)) {
+ *public_key_cert_len = decoded_record.length;
+
+ if (public_key_cert)
+ memcpy(public_key_cert, decoded_record.value,
+ decoded_record.length);
+ } else {
+ /* Default to a zero length */
+ *public_key_cert_len = 0;
+ }
+ }
+
+ return rpc_status;
+}
+
/* Singleton method to provide access to the serializer instance */
const struct crypto_provider_serializer *packedc_crypto_provider_serializer_instance(void)
{
static const struct crypto_provider_serializer instance = {
- max_deserialised_parameter_size, deserialize_generate_key_req,
- serialize_generate_key_resp, deserialize_destroy_key_req,
- deserialize_export_key_req, serialize_export_key_resp,
- deserialize_export_public_key_req, serialize_export_public_key_resp,
- deserialize_import_key_req, serialize_import_key_resp,
- deserialize_copy_key_req, serialize_copy_key_resp,
- deserialize_purge_key_req, deserialize_get_key_attributes_req,
- serialize_get_key_attributes_resp, deserialize_asymmetric_sign_req,
- serialize_asymmetric_sign_resp, deserialize_asymmetric_verify_req,
- deserialize_asymmetric_decrypt_req, serialize_asymmetric_decrypt_resp,
- deserialize_asymmetric_encrypt_req, serialize_asymmetric_encrypt_resp,
- deserialize_generate_random_req, serialize_generate_random_resp
+ max_deserialised_parameter_size,
+ deserialize_generate_key_req,
+ serialize_generate_key_resp,
+ deserialize_destroy_key_req,
+ deserialize_export_key_req,
+ serialize_export_key_resp,
+ deserialize_export_public_key_req,
+ serialize_export_public_key_resp,
+ deserialize_import_key_req,
+ serialize_import_key_resp,
+ deserialize_copy_key_req,
+ serialize_copy_key_resp,
+ deserialize_purge_key_req,
+ deserialize_get_key_attributes_req,
+ serialize_get_key_attributes_resp,
+ deserialize_asymmetric_sign_req,
+ serialize_asymmetric_sign_resp,
+ deserialize_asymmetric_verify_req,
+ deserialize_asymmetric_decrypt_req,
+ serialize_asymmetric_decrypt_resp,
+ deserialize_asymmetric_encrypt_req,
+ serialize_asymmetric_encrypt_resp,
+ deserialize_generate_random_req,
+ serialize_generate_random_resp,
+ deserialize_verify_pkcs7_signature_req,
};
return &instance;
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.cpp b/components/service/crypto/test/service/crypto_service_scenarios.cpp
index b334555..3f6b146 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.cpp
+++ b/components/service/crypto/test/service/crypto_service_scenarios.cpp
@@ -551,3 +551,227 @@
CHECK(memcmp(num9_64bit, num10_64bit, sizeof(num9_64bit)) != 0);
CHECK(memcmp(num11_128bit, num12_128bit, sizeof(num11_128bit)) != 0);
}
+
+void crypto_service_scenarios::verifypkcs7signature(void)
+{
+ psa_status_t status;
+
+ unsigned char hash[] = { 0x56, 0xcf, 0x42, 0x1c, 0x35, 0x78, 0x2f, 0x6f, 0x77, 0xdd, 0x2b,
+ 0x44, 0x0b, 0xb4, 0xdf, 0x34, 0x56, 0x6b, 0x69, 0xc4, 0x51, 0x9b,
+ 0x47, 0x7b, 0x64, 0xfd, 0x56, 0x56, 0x25, 0xd6, 0x47, 0x27 };
+
+ unsigned char public_key[] = {
+ 0x30, 0x82, 0x03, 0x07, 0x30, 0x82, 0x01, 0xef, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02,
+ 0x14, 0x5a, 0x8e, 0x8a, 0x75, 0x09, 0xe8, 0x96, 0xed, 0x26, 0x29, 0xca, 0xd6, 0x01,
+ 0xfc, 0xce, 0xb4, 0x70, 0x70, 0x68, 0x55, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f,
+ 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x4b,
+ 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x38, 0x32, 0x32, 0x30, 0x38, 0x31,
+ 0x30, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x33, 0x30, 0x38, 0x31, 0x39, 0x30, 0x38,
+ 0x31, 0x30, 0x33, 0x37, 0x5a, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x4b, 0x31, 0x30, 0x82,
+ 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82,
+ 0x01, 0x01, 0x00, 0xd5, 0x55, 0x6e, 0x9f, 0xa8, 0x92, 0x68, 0x2b, 0x3c, 0xbd, 0xbc,
+ 0x37, 0xd5, 0x2f, 0x5e, 0xf1, 0x70, 0x76, 0x7b, 0x5e, 0x54, 0xd5, 0x89, 0x90, 0x5a,
+ 0xeb, 0x01, 0x63, 0x6c, 0x34, 0xe9, 0x54, 0xa0, 0x06, 0x31, 0xf0, 0xff, 0x9b, 0xd8,
+ 0x80, 0x2a, 0x3d, 0x42, 0x37, 0xab, 0x37, 0xd9, 0x22, 0xff, 0x66, 0xd1, 0x02, 0xb9,
+ 0xbc, 0xe2, 0x8a, 0x45, 0xc8, 0xfe, 0x6f, 0x6c, 0xfc, 0xca, 0x5e, 0x90, 0x5c, 0xb1,
+ 0xc6, 0xd8, 0x2f, 0x59, 0xac, 0x46, 0x36, 0x0c, 0x7d, 0x39, 0xc4, 0x5f, 0xd4, 0xae,
+ 0x1f, 0x81, 0x6e, 0x79, 0xdf, 0xe5, 0xfd, 0x8f, 0xbb, 0x28, 0xc8, 0x7d, 0x0e, 0x46,
+ 0x66, 0xb9, 0x4b, 0x30, 0xf6, 0x9b, 0xc2, 0xff, 0x0d, 0xc7, 0x93, 0x5d, 0xd8, 0xbb,
+ 0x00, 0x7b, 0x35, 0x6a, 0x79, 0xa8, 0x47, 0xd6, 0xf5, 0x54, 0xc6, 0x28, 0x88, 0x58,
+ 0x7d, 0x34, 0xdc, 0x41, 0x29, 0x9c, 0xef, 0x54, 0x00, 0x2c, 0xce, 0xcd, 0xad, 0x07,
+ 0x38, 0x98, 0x07, 0x05, 0xf9, 0x4a, 0x67, 0x1e, 0xeb, 0x14, 0x33, 0x73, 0x6e, 0x3b,
+ 0xa4, 0x4d, 0xc5, 0x0b, 0x6a, 0xfb, 0x76, 0xa5, 0xef, 0x4f, 0xb4, 0x59, 0xf0, 0x2a,
+ 0xce, 0x8c, 0xdc, 0xdf, 0xd1, 0x3d, 0x52, 0x36, 0xb9, 0x05, 0xc4, 0x11, 0x7f, 0xe8,
+ 0x5a, 0x7f, 0xfc, 0xfc, 0xdc, 0x53, 0x62, 0x34, 0x69, 0xa7, 0x67, 0x49, 0x74, 0xb9,
+ 0xd1, 0x40, 0x72, 0x7a, 0x06, 0x8b, 0xb6, 0xc5, 0x0e, 0x4c, 0x99, 0xf8, 0xcb, 0x3a,
+ 0x96, 0xe9, 0x8e, 0x49, 0x87, 0xe8, 0xa6, 0x80, 0x43, 0x0e, 0x66, 0x87, 0x9a, 0xca,
+ 0xd6, 0x58, 0x97, 0x5d, 0xd4, 0x9f, 0x2f, 0x00, 0x9b, 0xed, 0x94, 0x8f, 0x13, 0xc2,
+ 0xd8, 0xd1, 0x35, 0x24, 0x96, 0x61, 0x66, 0xed, 0xa7, 0xd1, 0x36, 0xb4, 0xe9, 0x28,
+ 0x9c, 0x36, 0xf9, 0x2d, 0x38, 0x03, 0xaf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x53,
+ 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xc1,
+ 0xb8, 0xa7, 0xa0, 0xb9, 0x1c, 0x8c, 0x02, 0x5a, 0x17, 0x3e, 0x68, 0x94, 0xc0, 0x88,
+ 0xcb, 0x4e, 0x63, 0x7f, 0x2d, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18,
+ 0x30, 0x16, 0x80, 0x14, 0xc1, 0xb8, 0xa7, 0xa0, 0xb9, 0x1c, 0x8c, 0x02, 0x5a, 0x17,
+ 0x3e, 0x68, 0x94, 0xc0, 0x88, 0xcb, 0x4e, 0x63, 0x7f, 0x2d, 0x30, 0x0f, 0x06, 0x03,
+ 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00,
+ 0x03, 0x82, 0x01, 0x01, 0x00, 0x49, 0x3a, 0x18, 0xc9, 0x09, 0x77, 0xfa, 0xde, 0xbe,
+ 0xd4, 0x1c, 0xdb, 0xbd, 0x42, 0x53, 0x25, 0x21, 0x45, 0xe3, 0xcc, 0xe8, 0xa4, 0xe5,
+ 0x68, 0xf6, 0xba, 0x09, 0x01, 0xad, 0x9e, 0x75, 0x9f, 0x1e, 0x5c, 0x07, 0xef, 0xcd,
+ 0x0b, 0x4a, 0x26, 0x5b, 0x03, 0x52, 0x04, 0xb5, 0x27, 0x5c, 0x18, 0x1e, 0x58, 0x54,
+ 0xa3, 0xc8, 0xbd, 0x87, 0xc3, 0xa1, 0x7d, 0x8a, 0x9b, 0x3e, 0xa8, 0xbf, 0x76, 0xa8,
+ 0x3c, 0xaa, 0x54, 0xfa, 0x78, 0x30, 0xfc, 0xa8, 0x52, 0xca, 0x20, 0x8d, 0x72, 0x29,
+ 0x61, 0x38, 0x10, 0xcb, 0x36, 0x50, 0x3f, 0xf3, 0x8c, 0xc6, 0xb5, 0xd6, 0xa3, 0xf0,
+ 0x6f, 0x76, 0x30, 0xb7, 0xbd, 0x2b, 0x5d, 0x2d, 0x10, 0x63, 0x17, 0xbd, 0x0f, 0x54,
+ 0x88, 0xb6, 0x78, 0x6e, 0x06, 0x8d, 0x65, 0x0e, 0x26, 0xea, 0x4e, 0x3c, 0xb4, 0xf0,
+ 0x74, 0x0b, 0xd6, 0xef, 0x5a, 0x04, 0x77, 0x66, 0xc8, 0x74, 0x5e, 0xe1, 0xd7, 0x37,
+ 0xcc, 0x74, 0x5f, 0x32, 0xb1, 0x42, 0x70, 0x5f, 0x05, 0xfa, 0x9f, 0x0d, 0xb6, 0xf7,
+ 0xd9, 0xf7, 0x42, 0xbe, 0x2b, 0xf4, 0x5f, 0xf1, 0x65, 0x2c, 0xaf, 0xde, 0xfb, 0xf4,
+ 0x69, 0xa4, 0x45, 0x1f, 0xa0, 0x39, 0x37, 0xda, 0x81, 0x07, 0xd2, 0x3e, 0xd9, 0x5b,
+ 0xc4, 0xb2, 0x7c, 0xea, 0x17, 0xaf, 0x05, 0x68, 0x70, 0xfd, 0x85, 0x81, 0x15, 0x16,
+ 0xa8, 0xc3, 0xbf, 0xbf, 0x00, 0xbf, 0x17, 0xef, 0x78, 0xc9, 0x40, 0xd1, 0x2a, 0x11,
+ 0x00, 0xcc, 0x39, 0x40, 0xae, 0x79, 0x30, 0xa8, 0x27, 0xb6, 0x6c, 0x64, 0x26, 0xcb,
+ 0x20, 0xdb, 0xad, 0x75, 0x75, 0xe8, 0xa0, 0x50, 0x84, 0x2b, 0x00, 0x93, 0xdf, 0xf8,
+ 0x79, 0x69, 0xef, 0x6d, 0x1c, 0xdf, 0xc6, 0x40, 0x39, 0xc9, 0x8e, 0xda, 0x70, 0xcf,
+ 0x1c, 0x4d, 0x78, 0xc6, 0x9c, 0xa7, 0xe0, 0x8e, 0x25
+ };
+
+ unsigned char signature[] = {
+ 0x30, 0x82, 0x04, 0x9d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
+ 0x02, 0xa0, 0x82, 0x04, 0x8e, 0x30, 0x82, 0x04, 0x8a, 0x02, 0x01, 0x01, 0x31, 0x0f,
+ 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+ 0x00, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01,
+ 0xa0, 0x82, 0x03, 0x0b, 0x30, 0x82, 0x03, 0x07, 0x30, 0x82, 0x01, 0xef, 0xa0, 0x03,
+ 0x02, 0x01, 0x02, 0x02, 0x14, 0x5a, 0x8e, 0x8a, 0x75, 0x09, 0xe8, 0x96, 0xed, 0x26,
+ 0x29, 0xca, 0xd6, 0x01, 0xfc, 0xce, 0xb4, 0x70, 0x70, 0x68, 0x55, 0x30, 0x0d, 0x06,
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x13,
+ 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73,
+ 0x74, 0x20, 0x50, 0x4b, 0x31, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x38, 0x32,
+ 0x32, 0x30, 0x38, 0x31, 0x30, 0x33, 0x37, 0x5a, 0x17, 0x0d, 0x33, 0x33, 0x30, 0x38,
+ 0x31, 0x39, 0x30, 0x38, 0x31, 0x30, 0x33, 0x37, 0x5a, 0x30, 0x13, 0x31, 0x11, 0x30,
+ 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50,
+ 0x4b, 0x31, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+ 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+ 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd5, 0x55, 0x6e, 0x9f, 0xa8, 0x92, 0x68,
+ 0x2b, 0x3c, 0xbd, 0xbc, 0x37, 0xd5, 0x2f, 0x5e, 0xf1, 0x70, 0x76, 0x7b, 0x5e, 0x54,
+ 0xd5, 0x89, 0x90, 0x5a, 0xeb, 0x01, 0x63, 0x6c, 0x34, 0xe9, 0x54, 0xa0, 0x06, 0x31,
+ 0xf0, 0xff, 0x9b, 0xd8, 0x80, 0x2a, 0x3d, 0x42, 0x37, 0xab, 0x37, 0xd9, 0x22, 0xff,
+ 0x66, 0xd1, 0x02, 0xb9, 0xbc, 0xe2, 0x8a, 0x45, 0xc8, 0xfe, 0x6f, 0x6c, 0xfc, 0xca,
+ 0x5e, 0x90, 0x5c, 0xb1, 0xc6, 0xd8, 0x2f, 0x59, 0xac, 0x46, 0x36, 0x0c, 0x7d, 0x39,
+ 0xc4, 0x5f, 0xd4, 0xae, 0x1f, 0x81, 0x6e, 0x79, 0xdf, 0xe5, 0xfd, 0x8f, 0xbb, 0x28,
+ 0xc8, 0x7d, 0x0e, 0x46, 0x66, 0xb9, 0x4b, 0x30, 0xf6, 0x9b, 0xc2, 0xff, 0x0d, 0xc7,
+ 0x93, 0x5d, 0xd8, 0xbb, 0x00, 0x7b, 0x35, 0x6a, 0x79, 0xa8, 0x47, 0xd6, 0xf5, 0x54,
+ 0xc6, 0x28, 0x88, 0x58, 0x7d, 0x34, 0xdc, 0x41, 0x29, 0x9c, 0xef, 0x54, 0x00, 0x2c,
+ 0xce, 0xcd, 0xad, 0x07, 0x38, 0x98, 0x07, 0x05, 0xf9, 0x4a, 0x67, 0x1e, 0xeb, 0x14,
+ 0x33, 0x73, 0x6e, 0x3b, 0xa4, 0x4d, 0xc5, 0x0b, 0x6a, 0xfb, 0x76, 0xa5, 0xef, 0x4f,
+ 0xb4, 0x59, 0xf0, 0x2a, 0xce, 0x8c, 0xdc, 0xdf, 0xd1, 0x3d, 0x52, 0x36, 0xb9, 0x05,
+ 0xc4, 0x11, 0x7f, 0xe8, 0x5a, 0x7f, 0xfc, 0xfc, 0xdc, 0x53, 0x62, 0x34, 0x69, 0xa7,
+ 0x67, 0x49, 0x74, 0xb9, 0xd1, 0x40, 0x72, 0x7a, 0x06, 0x8b, 0xb6, 0xc5, 0x0e, 0x4c,
+ 0x99, 0xf8, 0xcb, 0x3a, 0x96, 0xe9, 0x8e, 0x49, 0x87, 0xe8, 0xa6, 0x80, 0x43, 0x0e,
+ 0x66, 0x87, 0x9a, 0xca, 0xd6, 0x58, 0x97, 0x5d, 0xd4, 0x9f, 0x2f, 0x00, 0x9b, 0xed,
+ 0x94, 0x8f, 0x13, 0xc2, 0xd8, 0xd1, 0x35, 0x24, 0x96, 0x61, 0x66, 0xed, 0xa7, 0xd1,
+ 0x36, 0xb4, 0xe9, 0x28, 0x9c, 0x36, 0xf9, 0x2d, 0x38, 0x03, 0xaf, 0x02, 0x03, 0x01,
+ 0x00, 0x01, 0xa3, 0x53, 0x30, 0x51, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
+ 0x16, 0x04, 0x14, 0xc1, 0xb8, 0xa7, 0xa0, 0xb9, 0x1c, 0x8c, 0x02, 0x5a, 0x17, 0x3e,
+ 0x68, 0x94, 0xc0, 0x88, 0xcb, 0x4e, 0x63, 0x7f, 0x2d, 0x30, 0x1f, 0x06, 0x03, 0x55,
+ 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xc1, 0xb8, 0xa7, 0xa0, 0xb9, 0x1c,
+ 0x8c, 0x02, 0x5a, 0x17, 0x3e, 0x68, 0x94, 0xc0, 0x88, 0xcb, 0x4e, 0x63, 0x7f, 0x2d,
+ 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03,
+ 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x49, 0x3a, 0x18, 0xc9, 0x09,
+ 0x77, 0xfa, 0xde, 0xbe, 0xd4, 0x1c, 0xdb, 0xbd, 0x42, 0x53, 0x25, 0x21, 0x45, 0xe3,
+ 0xcc, 0xe8, 0xa4, 0xe5, 0x68, 0xf6, 0xba, 0x09, 0x01, 0xad, 0x9e, 0x75, 0x9f, 0x1e,
+ 0x5c, 0x07, 0xef, 0xcd, 0x0b, 0x4a, 0x26, 0x5b, 0x03, 0x52, 0x04, 0xb5, 0x27, 0x5c,
+ 0x18, 0x1e, 0x58, 0x54, 0xa3, 0xc8, 0xbd, 0x87, 0xc3, 0xa1, 0x7d, 0x8a, 0x9b, 0x3e,
+ 0xa8, 0xbf, 0x76, 0xa8, 0x3c, 0xaa, 0x54, 0xfa, 0x78, 0x30, 0xfc, 0xa8, 0x52, 0xca,
+ 0x20, 0x8d, 0x72, 0x29, 0x61, 0x38, 0x10, 0xcb, 0x36, 0x50, 0x3f, 0xf3, 0x8c, 0xc6,
+ 0xb5, 0xd6, 0xa3, 0xf0, 0x6f, 0x76, 0x30, 0xb7, 0xbd, 0x2b, 0x5d, 0x2d, 0x10, 0x63,
+ 0x17, 0xbd, 0x0f, 0x54, 0x88, 0xb6, 0x78, 0x6e, 0x06, 0x8d, 0x65, 0x0e, 0x26, 0xea,
+ 0x4e, 0x3c, 0xb4, 0xf0, 0x74, 0x0b, 0xd6, 0xef, 0x5a, 0x04, 0x77, 0x66, 0xc8, 0x74,
+ 0x5e, 0xe1, 0xd7, 0x37, 0xcc, 0x74, 0x5f, 0x32, 0xb1, 0x42, 0x70, 0x5f, 0x05, 0xfa,
+ 0x9f, 0x0d, 0xb6, 0xf7, 0xd9, 0xf7, 0x42, 0xbe, 0x2b, 0xf4, 0x5f, 0xf1, 0x65, 0x2c,
+ 0xaf, 0xde, 0xfb, 0xf4, 0x69, 0xa4, 0x45, 0x1f, 0xa0, 0x39, 0x37, 0xda, 0x81, 0x07,
+ 0xd2, 0x3e, 0xd9, 0x5b, 0xc4, 0xb2, 0x7c, 0xea, 0x17, 0xaf, 0x05, 0x68, 0x70, 0xfd,
+ 0x85, 0x81, 0x15, 0x16, 0xa8, 0xc3, 0xbf, 0xbf, 0x00, 0xbf, 0x17, 0xef, 0x78, 0xc9,
+ 0x40, 0xd1, 0x2a, 0x11, 0x00, 0xcc, 0x39, 0x40, 0xae, 0x79, 0x30, 0xa8, 0x27, 0xb6,
+ 0x6c, 0x64, 0x26, 0xcb, 0x20, 0xdb, 0xad, 0x75, 0x75, 0xe8, 0xa0, 0x50, 0x84, 0x2b,
+ 0x00, 0x93, 0xdf, 0xf8, 0x79, 0x69, 0xef, 0x6d, 0x1c, 0xdf, 0xc6, 0x40, 0x39, 0xc9,
+ 0x8e, 0xda, 0x70, 0xcf, 0x1c, 0x4d, 0x78, 0xc6, 0x9c, 0xa7, 0xe0, 0x8e, 0x25, 0x31,
+ 0x82, 0x01, 0x56, 0x30, 0x82, 0x01, 0x52, 0x02, 0x01, 0x01, 0x30, 0x2b, 0x30, 0x13,
+ 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x54, 0x65, 0x73,
+ 0x74, 0x20, 0x50, 0x4b, 0x31, 0x02, 0x14, 0x5a, 0x8e, 0x8a, 0x75, 0x09, 0xe8, 0x96,
+ 0xed, 0x26, 0x29, 0xca, 0xd6, 0x01, 0xfc, 0xce, 0xb4, 0x70, 0x70, 0x68, 0x55, 0x30,
+ 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+ 0x00, 0x04, 0x82, 0x01, 0x00, 0x33, 0x93, 0x6d, 0x8d, 0xf6, 0xf9, 0x3f, 0xbe, 0x37,
+ 0xed, 0xc7, 0xb3, 0xf6, 0xd3, 0xd3, 0x55, 0x2e, 0x30, 0x98, 0xd9, 0x50, 0x7f, 0xc5,
+ 0x3c, 0x12, 0x9c, 0xcf, 0x53, 0x1e, 0x0d, 0xd7, 0x5c, 0x94, 0x67, 0x15, 0x07, 0x17,
+ 0x6d, 0x41, 0x93, 0x9d, 0x1a, 0x36, 0x92, 0x8c, 0x46, 0xb9, 0x3a, 0x4d, 0xed, 0xd6,
+ 0xe0, 0x23, 0x50, 0x7e, 0xfd, 0x4d, 0xd9, 0x59, 0xbc, 0xaf, 0x7b, 0x4f, 0x83, 0x99,
+ 0xd4, 0x11, 0xf5, 0xb4, 0x24, 0xba, 0x35, 0x87, 0x22, 0xbf, 0xa6, 0x3d, 0xe0, 0xcb,
+ 0x52, 0xbd, 0xcb, 0xb0, 0xae, 0x86, 0xb8, 0x97, 0x8e, 0xc7, 0xc5, 0x9a, 0x14, 0x15,
+ 0xc8, 0x71, 0x57, 0x40, 0x1c, 0x47, 0x11, 0x68, 0xfd, 0x27, 0xe4, 0xde, 0x2d, 0xbb,
+ 0x27, 0xea, 0xa3, 0xe9, 0x75, 0xe3, 0x74, 0x33, 0x87, 0x04, 0xe1, 0x72, 0x1a, 0x24,
+ 0x75, 0x94, 0xfd, 0x6a, 0x9c, 0xef, 0xc5, 0x4b, 0xee, 0x86, 0x51, 0x11, 0xb2, 0x59,
+ 0x07, 0x33, 0x5c, 0xa1, 0x11, 0xd0, 0x83, 0xd2, 0x99, 0x40, 0x92, 0xe8, 0xc8, 0xe5,
+ 0x20, 0xd9, 0x0e, 0x25, 0x2b, 0x27, 0x92, 0xc7, 0xbc, 0xe0, 0xb7, 0xd8, 0x16, 0x15,
+ 0x38, 0x25, 0xfc, 0x85, 0x75, 0xaf, 0x9c, 0x12, 0x87, 0x88, 0x2f, 0x6d, 0xd6, 0x24,
+ 0x89, 0xe5, 0x5e, 0x0c, 0x0d, 0x03, 0xf6, 0x5e, 0x03, 0xf9, 0xf7, 0x6b, 0x92, 0xeb,
+ 0xe4, 0x4b, 0xab, 0x58, 0x81, 0xe8, 0x73, 0x90, 0x0e, 0x84, 0x9e, 0x9d, 0x24, 0x25,
+ 0x91, 0x75, 0x8a, 0xdc, 0x92, 0xe6, 0x42, 0x52, 0x38, 0xcf, 0x63, 0xd9, 0xb7, 0xe6,
+ 0xcd, 0x80, 0x35, 0x8a, 0xe4, 0x1d, 0xb9, 0xe2, 0x86, 0xc2, 0xbf, 0x44, 0x83, 0x20,
+ 0x3a, 0x59, 0x9b, 0xbf, 0x64, 0xc0, 0xae, 0x2a, 0x6b, 0xe5, 0x06, 0x4a, 0x86, 0x26,
+ 0xb3, 0x48, 0xdb, 0xad, 0x31, 0x2f, 0x71, 0xef, 0x33,
+ };
+
+ /* Inject error into hash value and expect failure */
+ hash[0] = ~hash[0];
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+ hash[0] = ~hash[0];
+
+ /*
+ * If the functionality to be tested here is missing from mbedtls let's return.
+ * Expected: MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED
+ */
+ if(status == (-0x0072))
+ return;
+
+ CHECK(status != 0);
+
+ /* Inject error into the public key format and expect failure */
+ public_key[0] = ~public_key[0];
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+ public_key[0] = ~public_key[0];
+
+ CHECK(status != 0);
+
+ /* Inject error into the public key value and expect failure
+ * The beginning of the key is found by using parser.
+ */
+ int first_byte_of_public_key = 152;
+ public_key[first_byte_of_public_key] = ~public_key[first_byte_of_public_key];
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+ public_key[first_byte_of_public_key] = ~public_key[first_byte_of_public_key];
+
+ CHECK(status != 0);
+
+ /* Inject error into the signature format and expect failure */
+ signature[0] = ~signature[0];
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+ signature[0] = ~signature[0];
+
+ CHECK(status != 0);
+
+ /* Inject error into the signature value what is at the end of the vector */
+ signature[sizeof(signature) - 1] = ~signature[sizeof(signature) - 1];
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+ signature[sizeof(signature) - 1] = ~signature[sizeof(signature) - 1];
+
+ CHECK(status != 0);
+
+ /* Verify correct signature */
+ status = m_crypto_client->verify_pkcs7_signature((const uint8_t *)signature,
+ sizeof(signature), (const uint8_t *)hash,
+ sizeof(hash), (const uint8_t *)public_key,
+ sizeof(public_key));
+
+ CHECK(status == 0);
+}
\ No newline at end of file
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.h b/components/service/crypto/test/service/crypto_service_scenarios.h
index 2367164..8081877 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.h
+++ b/components/service/crypto/test/service/crypto_service_scenarios.h
@@ -32,6 +32,7 @@
void generateVolatileKeys();
void copyKey();
void purgeKey();
+ void verifypkcs7signature(void);
private:
crypto_client *m_crypto_client;
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index de66e58..bc0f908 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -112,3 +112,8 @@
{
m_scenarios->generateRandomNumbers();
}
+
+TEST(CryptoServicePackedcTests, verifyPkcs7Signature)
+{
+ m_scenarios->verifypkcs7signature();
+}
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 1f5c38a..a8718f0 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -145,6 +145,7 @@
"components/service/crypto/provider/extension/aead/serializer/packed-c"
"components/service/crypto/provider/test"
"components/service/crypto/backend/mbedcrypto"
+ "components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509"
"components/service/crypto/factory/full"
"components/service/crypto/test/unit"
"components/service/crypto/test/service"
@@ -225,6 +226,11 @@
target_link_libraries(component-test PRIVATE MbedTLS::mbedcrypto)
target_link_libraries(component-test PRIVATE MbedTLS::mbedx509)
+# Pass the location of the mbedtls config file to C preprocessor.
+target_compile_definitions(component-test PRIVATE
+ MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+)
+
# Qcbor
include(${TS_ROOT}/external/qcbor/qcbor.cmake)
target_link_libraries(component-test PRIVATE qcbor)
diff --git a/deployments/crypto/crypto.cmake b/deployments/crypto/crypto.cmake
index f6c75bf..155099c 100644
--- a/deployments/crypto/crypto.cmake
+++ b/deployments/crypto/crypto.cmake
@@ -29,6 +29,7 @@
"components/service/crypto/provider/extension/aead/serializer/packed-c"
"components/service/crypto/factory/full"
"components/service/crypto/backend/mbedcrypto"
+ "components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509"
"protocols/rpc/common/packed-c"
"protocols/service/crypto/protobuf"
)
@@ -44,10 +45,17 @@
protobuf_generate_all(TGT "crypto" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
# Mbed TLS provides libmbedcrypto
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_isolated.h"
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
CACHE STRING "Configuration file for Mbed TLS" FORCE)
include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
target_link_libraries(crypto PRIVATE MbedTLS::mbedcrypto)
+target_link_libraries(crypto PRIVATE MbedTLS::mbedx509)
+
+# Provide the config path to mbedtls
+target_compile_definitions(crypto
+ PRIVATE
+ MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+)
#################################################################
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index d3e2912..38dd75a 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -170,6 +170,11 @@
target_link_libraries(ts PRIVATE MbedTLS::mbedcrypto)
target_link_libraries(ts PRIVATE MbedTLS::mbedx509)
+# Pass the location of the mbedtls config file to C preprocessor.
+target_compile_definitions(ts PRIVATE
+ MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+)
+
# Qcbor
include(${TS_ROOT}/external/qcbor/qcbor.cmake)
target_link_libraries(ts PRIVATE qcbor)
diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
index 5aebf2f..35b8159 100644
--- a/protocols/service/crypto/packed-c/opcodes.h
+++ b/protocols/service/crypto/packed-c/opcodes.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -27,6 +27,7 @@
#define TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES (TS_CRYPTO_OPCODE_BASE + 15)
#define TS_CRYPTO_OPCODE_SIGN_MESSAGE (TS_CRYPTO_OPCODE_BASE + 16)
#define TS_CRYPTO_OPCODE_VERIFY_MESSAGE (TS_CRYPTO_OPCODE_BASE + 17)
+#define TS_CRYPTO_OPCODE_VERIFY_PKCS7_SIGNATURE (TS_CRYPTO_OPCODE_BASE + 18)
/* Hash operations */
#define TS_CRYPTO_OPCODE_HASH_BASE (0x0200)
diff --git a/protocols/service/crypto/packed-c/verify_pkcs7_signature.h b/protocols/service/crypto/packed-c/verify_pkcs7_signature.h
new file mode 100644
index 0000000..5b32d3f
--- /dev/null
+++ b/protocols/service/crypto/packed-c/verify_pkcs7_signature.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_H
+#define TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_H
+
+#include <stdint.h>
+
+/* Variable length input parameter tags */
+enum {
+ TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_SIGNATURE = 1,
+ TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_HASH = 2,
+ TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_IN_TAG_PUBLIC_KEY_CERT = 3
+};
+
+#endif /* TS_CRYPTO_VERIFY_PKCS7_SIGNATURE_H */