Message ID | 20220315171932.3662368-1-dphadke@linux.microsoft.com |
---|---|
State | Accepted |
Commit | e146a2c12ff1e9138f564ae6815a131bd850d8ef |
Delegated to: | Tom Rini |
Headers | show |
Series | lib/crypto: support sha384/sha512 in x509/pkcs7 | expand |
+cc Akashi-san who initially ported those. On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke <dphadke@linux.microsoft.com> wrote: > > Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, > (not set by ported linux code, but needed by __UBOOT__ part). > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for > correctness if certificates contain sha384WithRSAEncryption or > sha512WithRSAEncryption OIDs. > Does the rest of the code parse those? Or expects -ENOPKG for the unsupported certificates? Thanks /Ilias > Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com> > --- > lib/crypto/pkcs7_verify.c | 4 ++++ > lib/crypto/x509_public_key.c | 4 ++++ > 2 files changed, 8 insertions(+) > > diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c > index 82c5c745d4..b832f01356 100644 > --- a/lib/crypto/pkcs7_verify.c > +++ b/lib/crypto/pkcs7_verify.c > @@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, > return -ENOPKG; > if (!strcmp(sinfo->sig->hash_algo, "sha256")) > sig->digest_size = SHA256_SUM_LEN; > + else if (!strcmp(sinfo->sig->hash_algo, "sha384")) > + sig->digest_size = SHA384_SUM_LEN; > + else if (!strcmp(sinfo->sig->hash_algo, "sha512")) > + sig->digest_size = SHA512_SUM_LEN; > else if (!strcmp(sinfo->sig->hash_algo, "sha1")) > sig->digest_size = SHA1_SUM_LEN; > else > diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c > index d557ab27ae..5c0e2b622d 100644 > --- a/lib/crypto/x509_public_key.c > +++ b/lib/crypto/x509_public_key.c > @@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert) > return -ENOPKG; > if (!strcmp(sig->hash_algo, "sha256")) > sig->digest_size = SHA256_SUM_LEN; > + else if (!strcmp(sig->hash_algo, "sha384")) > + sig->digest_size = SHA384_SUM_LEN; > + else if (!strcmp(sig->hash_algo, "sha512")) > + sig->digest_size = SHA512_SUM_LEN; > else if (!strcmp(sig->hash_algo, "sha1")) > sig->digest_size = SHA1_SUM_LEN; > else > -- > 2.25.1 >
On 3/18/2022 12:44 AM, Ilias Apalodimas wrote: > +cc Akashi-san who initially ported those. > > > On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke > <dphadke@linux.microsoft.com> wrote: >> >> Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, >> (not set by ported linux code, but needed by __UBOOT__ part). >> >> EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for >> correctness if certificates contain sha384WithRSAEncryption or >> sha512WithRSAEncryption OIDs. >> > > Does the rest of the code parse those? Or expects -ENOPKG for the > unsupported certificates? Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo(). U-Boot code allocates digest buf for invoking hash_calculate(), that needs this digest_size. I've verified such certs (chain) with pkcs7_verify_one(). Thanks, Dhananjay
On Fri, Mar 18, 2022 at 07:10:43AM -0700, Dhananjay Phadke wrote: > On 3/18/2022 12:44 AM, Ilias Apalodimas wrote: > > +cc Akashi-san who initially ported those. > > > > > > On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke > > <dphadke@linux.microsoft.com> wrote: > > > > > > Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, > > > (not set by ported linux code, but needed by __UBOOT__ part). > > > > > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for > > > correctness if certificates contain sha384WithRSAEncryption or > > > sha512WithRSAEncryption OIDs. > > > > > > > Does the rest of the code parse those? Or expects -ENOPKG for the > > unsupported certificates? > > Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo(). > U-Boot code allocates digest buf for invoking hash_calculate(), that > needs this digest_size. > > I've verified such certs (chain) with pkcs7_verify_one(). Ah right, I probably missed that as well when I sent 8699af63b8a5 ("lib/crypto: Enable more algorithms in cert verification") Thanks! > > Thanks, > Dhananjay Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
On Tue, Mar 15, 2022 at 10:19:32AM -0700, Dhananjay Phadke wrote: > Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, > (not set by ported linux code, but needed by __UBOOT__ part). > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for > correctness if certificates contain sha384WithRSAEncryption or > sha512WithRSAEncryption OIDs. > > Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com> > Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Applied to u-boot/master, thanks!
diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index 82c5c745d4..b832f01356 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, return -ENOPKG; if (!strcmp(sinfo->sig->hash_algo, "sha256")) sig->digest_size = SHA256_SUM_LEN; + else if (!strcmp(sinfo->sig->hash_algo, "sha384")) + sig->digest_size = SHA384_SUM_LEN; + else if (!strcmp(sinfo->sig->hash_algo, "sha512")) + sig->digest_size = SHA512_SUM_LEN; else if (!strcmp(sinfo->sig->hash_algo, "sha1")) sig->digest_size = SHA1_SUM_LEN; else diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index d557ab27ae..5c0e2b622d 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c @@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert) return -ENOPKG; if (!strcmp(sig->hash_algo, "sha256")) sig->digest_size = SHA256_SUM_LEN; + else if (!strcmp(sig->hash_algo, "sha384")) + sig->digest_size = SHA384_SUM_LEN; + else if (!strcmp(sig->hash_algo, "sha512")) + sig->digest_size = SHA512_SUM_LEN; else if (!strcmp(sig->hash_algo, "sha1")) sig->digest_size = SHA1_SUM_LEN; else
Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, (not set by ported linux code, but needed by __UBOOT__ part). EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for correctness if certificates contain sha384WithRSAEncryption or sha512WithRSAEncryption OIDs. Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com> --- lib/crypto/pkcs7_verify.c | 4 ++++ lib/crypto/x509_public_key.c | 4 ++++ 2 files changed, 8 insertions(+)