Hi Raymond > > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +/* Backup of part of the parsing context */
I am not sure I understand the comment > +struct x509_cert_mbedtls_ctx { > + void *tbs; /* Signed data */ > + void *raw_serial; /* Raw serial number in ASN.1 */ > + void *raw_issuer; /* Raw issuer name in ASN.1 */ > + void *raw_subject; /* Raw subject name in ASN.1 */ > + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > +}; > +#endif > + > +/* > + * MbedTLS integration Notes: > + * > + * Fields we don't need to populate from MbedTLS: You mean *for* mbedTLS? > + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, 'raw_sig' and 'raw_sig_size' are used in x509_parse_context(), which in turn is not used in mbedTLS? > + * not needed for MbedTLS. > + * 'signer' and 'seen' are used internally by pkcs7_verify. > + * 'verified' is not inuse. either 'unsued' or 'not in use' > + */ > struct x509_certificate { > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + struct x509_cert_mbedtls_ctx *mbedtls_ctx; > +#endif > struct x509_certificate *next; > struct x509_certificate *signer; /* Certificate that signed > this one */ > struct public_key *pub; /* Public key details */ 
> @@ -48,6 +76,32 @@ struct x509_certificate { > * x509_cert_parser.c > */ > extern void x509_free_certificate(struct x509_certificate *cert); > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > +/** > + * x509_populate_pubkey() - Populate public key from MbedTLS context > + * > + * @cert: Pointer to MbedTLS X509 cert > + * @pub_key: Pointer to the populated public key handle > + * Return: 0 on succcess, error code on failure > + */ > +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key > **pub_key); > +/** > + * x509_populate_cert() - Populate X509 cert from MbedTLS context > + * > + * @mbedtls_cert: Pointer to MbedTLS X509 cert > + * @pcert: Pointer to the populated X509 cert handle > + * Return: 0 on succcess, error code on failure > + */ > +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, > + struct x509_certificate **pcert); > +/** > + * x509_get_timestamp() - Translate timestamp from MbedTLS context > + * > + * @x509_time: Pointer to MbedTLS time > + * Return: Time in time64_t format > + */ > +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time); > +#endif > extern struct x509_certificate *x509_cert_parse(const void *data, size_t > datalen); > extern int x509_decode_time(time64_t *_t, size_t hdrlen, > unsigned char tag, > @@ -56,6 +110,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, > /* > * x509_public_key.c > */ > +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > extern int x509_get_sig_params(struct x509_certificate *cert); > +#endif > extern int x509_check_for_self_signed(struct x509_certificate *cert); > #endif /* _X509_PARSER_H */ > diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig > index 6e0656ad1c5..6106190677e 100644 > --- a/lib/crypto/Kconfig > +++ b/lib/crypto/Kconfig 
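Review bot: The Return: lines of both x509_populate_pubkey() and x509_populate_cert() misspell "success" as "succcess"; the corrected line in each kernel-doc block is ` * Return: 0 on success, error code on failure`. The x509_get_timestamp() prototype returns a bare time64_t, so its kernel-doc should also state what is returned when the mbedtls_x509_time cannot be translated, since a reader of the header cannot tell whether any error value exists. The three new declarations omit the `extern` that every neighbouring prototype in this header carries, and they name mbedtls_x509_crt and mbedtls_x509_time, so the header presumably relies on an MbedTLS X.509 include that is not visible in this hunk; if it is the includer's job to provide it, a short comment under the same `#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)` guard saying so would avoid a surprise build break.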
> @@ -1,6 +1,6 @@ > menuconfig ASYMMETRIC_KEY_TYPE > bool "Asymmetric (public-key cryptographic) key Support" > - depends on FIT_SIGNATURE > + depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509 > help > This option provides support for a key type that holds the data for > the asymmetric keys used for public key cryptographic operations > such > diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile > index 228ae443a27..7f5f04d582c 100644 > --- a/lib/crypto/Makefile > +++ b/lib/crypto/Makefile > @@ -32,11 +32,11 @@ endif > # X.509 Certificate handling > # > obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o > -x509_key_parser-y := \ > +x509_key_parser-y := x509_helper.o > +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ > x509.asn1.o \ > x509_akid.asn1.o \ > x509_cert_parser.o \ > - x509_helper.o \ > x509_public_key.o > > $(obj)/x509_cert_parser.o: \ > diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c > index 4ba13c1adc3..310edbd21be 100644 > --- a/lib/crypto/x509_public_key.c > +++ b/lib/crypto/x509_public_key.c > @@ -30,6 +30,8 @@ > #include "x509_parser.h" > #endif > > +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) > + > /* > * Set up the signature parameters in an X.509 certificate. This involves > * digesting the signed data and extracting the signature. > -- > 2.25.1 >
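Review bot: Replacing `depends on FIT_SIGNATURE` with `depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509` changes which configurations may enable ASYMMETRIC_KEY_TYPE, not just which backend it uses. If LEGACY_CRYPTO_CERT does not itself depend on FIT_SIGNATURE (not visible here), legacy builds that previously could not select the key type now can; the help text or commit message should say that this widening is intended, or the line should keep the FIT_SIGNATURE requirement alongside the backend choice.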
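Review bot: With X509_CERTIFICATE_PARSER enabled but X509_CERTIFICATE_PARSER_LEGACY disabled, x509_key_parser.o is now x509_helper.o alone, while x509_parser.h (earlier hunk) still declares x509_cert_parse(), x509_decode_time() and x509_check_for_self_signed() unconditionally. Those symbols presumably come from an MbedTLS-side object elsewhere in the series, but nothing in this patch shows it, so a comment at the `x509_key_parser-y := x509_helper.o` line naming where the MbedTLS implementation is built would help the next reader. The `CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY` symbol is also not introduced by the Kconfig hunk above; confirm it (and its SPL_ variant) is defined in this series, otherwise the legacy objects silently drop out of the build.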
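Review bot: The `#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)` opened after the includes has no closing `#endif` inside the hunk, so it appears to wrap the rest of x509_public_key.c; that closing line should carry a `/* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */` comment in the same style as `#endif /* _X509_PARSER_H */` in the header. Because the Makefile hunk already stops building x509_public_key.o when the legacy parser is off, this guard only takes effect when both backends are enabled at once, which is worth stating at the `#if` so it is not mistaken for dead code, e.g. `/* Legacy signature-parameter extraction; MbedTLS provides this when MBEDTLS_LIB_X509 is set */`. The guarded region continues outside the hunk, so whether x509_check_for_self_signed() (still declared unconditionally in the header) also ends up inside it cannot be confirmed from here.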