Extend crypto SP to support signature verification
The UEFI service of SMM gateway needs pkcs7 signature verification
to authorize variable accesses. Instead of duplicating the mbedtls
entities, crypto SP will provide an interface to do the signature
verification.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I7b0472435ac1620c4fe42d0592e1c64faaf10df7
diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index eebe60e..6792a17 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -235,6 +235,11 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length) = 0;
+ virtual int verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len) = 0;
+
protected:
crypto_client();
crypto_client(struct rpc_caller_session *session);
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index 2465f05..aaa71f0 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -418,3 +418,13 @@
alg, private_key, peer_key, peer_key_length,
output, output_size, output_length);
}
+
+int packedc_crypto_client::verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len, const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ return crypto_caller_verify_pkcs7_signature(&m_client, signature_cert, signature_cert_len,
+ hash, hash_len, public_key_cert,
+ public_key_cert_len);
+}
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index c0e8958..8d4f60c 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -233,6 +233,9 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length);
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert, uint64_t public_key_cert_len);
};
#endif /* PACKEDC_CRYPTO_CLIENT_H */
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index c84c753..6bae7a8 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -1158,3 +1158,19 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+
+int protobuf_crypto_client::verify_pkcs7_signature(const uint8_t *signature_cert,
+ uint64_t signature_cert_len, const uint8_t *hash,
+ uint64_t hash_len,
+ const uint8_t *public_key_cert,
+ uint64_t public_key_cert_len)
+{
+ (void)signature_cert;
+ (void)signature_cert_len;
+ (void)hash;
+ (void)hash_len;
+ (void)public_key_cert;
+ (void)public_key_cert_len;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+}
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 8ce896f..9ad43f7 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -233,6 +233,10 @@
const uint8_t *peer_key, size_t peer_key_length,
uint8_t *output, size_t output_size, size_t *output_length);
+ int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+ const uint8_t *hash, uint64_t hash_len,
+ const uint8_t *public_key_cert, uint64_t public_key_cert_len);
+
private:
psa_status_t asym_sign(uint32_t opcode,