commit ab7db21cfc94e8f2da05d17ba4f99a56fdff059c
author Gabor Toth <gabor.toth2@arm.com> Fri Aug 18 16:08:12 2023 +0200
committer Gyorgy Szing <Gyorgy.Szing@arm.com> Sun Jan 07 15:28:39 2024 +0100
tree d76d8a0fae01f764461cd7ccbd7a0af6188fcba1
parent 6e4a90379c989e29afba8169f2d08d7bd125ce43

Extend crypto SP to support signature verification

The UEFI service of SMM gateway needs pkcs7 signature verification
to authorize variable accesses. Instead of duplicating the mbedtls
entities, crypto SP will provide an interface to do the signature
verification.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I7b0472435ac1620c4fe42d0592e1c64faaf10df7

components/service/crypto/client/psa/component.cmake

diff --git a/components/service/crypto/client/psa/component.cmake b/components/service/crypto/client/psa/component.cmake
index ad7e09c..359db3b 100644
--- a/components/service/crypto/client/psa/component.cmake
+++ b/components/service/crypto/client/psa/component.cmake
@@ -31,4 +31,5 @@
 	"${CMAKE_CURRENT_LIST_DIR}/psa_aead.c"
 	"${CMAKE_CURRENT_LIST_DIR}/psa_sign_message.c"
 	"${CMAKE_CURRENT_LIST_DIR}/psa_verify_message.c"
+	"${CMAKE_CURRENT_LIST_DIR}/verify_pkcs7_signature.c"
 	)

components/service/crypto/client/psa/crypto_client.h

diff --git a/components/service/crypto/client/psa/crypto_client.h b/components/service/crypto/client/psa/crypto_client.h
new file mode 100644
index 0000000..4b59bbe
--- /dev/null
+++ b/components/service/crypto/client/psa/crypto_client.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CRYPTO_CLIENT_H
+#define CRYPTO_CLIENT_H
+
+#include <stdint.h>
+
+int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+			   const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+			   uint64_t public_key_cert_len);
+
+#endif /* CRYPTO_CLIENT_H */

components/service/crypto/client/psa/verify_pkcs7_signature.c

diff --git a/components/service/crypto/client/psa/verify_pkcs7_signature.c b/components/service/crypto/client/psa/verify_pkcs7_signature.c
new file mode 100644
index 0000000..e329f34
--- /dev/null
+++ b/components/service/crypto/client/psa/verify_pkcs7_signature.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include "crypto_caller_selector.h"
+#include "crypto_client.h"
+#include "psa_crypto_client.h"
+
+int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
+			   const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
+			   uint64_t public_key_cert_len)
+{
+	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+		return psa_crypto_client_instance.init_status;
+
+	return crypto_caller_verify_pkcs7_signature(&psa_crypto_client_instance.base,
+						    signature_cert, signature_cert_len, hash,
+						    hash_len, public_key_cert, public_key_cert_len);
+}