Support authentication of uefi priv. variables

To authenticate private uefi variables a fingerprint has to be
calculated based on the common name of the signing certificate's
Subject field and the tbsCertificate of the top-level issuer
certificate.

These variables have a public key certificate attached so the
verify_pkcs7_signature_handler is also reorganized to be able
to verify its own signature with its internal public key.

This commit implements the changes needed for the described
functionality.

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Ida22977f3ef1a730ea95834ca5c9f9e4ed78d927
diff --git a/components/service/crypto/client/psa/crypto_client.h b/components/service/crypto/client/psa/crypto_client.h
index 4b59bbe..af04df1 100644
--- a/components/service/crypto/client/psa/crypto_client.h
+++ b/components/service/crypto/client/psa/crypto_client.h
@@ -7,10 +7,15 @@
#ifndef CRYPTO_CLIENT_H
#define CRYPTO_CLIENT_H
+#include <stddef.h>
#include <stdint.h>
int verify_pkcs7_signature(const uint8_t *signature_cert, uint64_t signature_cert_len,
const uint8_t *hash, uint64_t hash_len, const uint8_t *public_key_cert,
uint64_t public_key_cert_len);
+int get_uefi_priv_auth_var_fingerprint_handler(const uint8_t *signature_cert,
+ uint64_t signature_cert_len,
+ uint8_t *output);
+
#endif /* CRYPTO_CLIENT_H */
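Review bot: The new prototype get_uefi_priv_auth_var_fingerprint_handler() takes `uint8_t *output` with no accompanying size, so neither the caller nor the implementation can check that the buffer is large enough to hold the fingerprint. Add an output-size parameter, or export a named constant for the fingerprint length from this header, and add a comment stating the expected length and what the int return value means. Two smaller points: the `_handler` suffix is inconsistent with verify_pkcs7_signature() declared just above in the same client header, and nothing visible in this hunk needs the added `#include <stddef.h>`, since every length here is a uint64_t.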