[PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

* [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
@ 2022-03-15 17:19 Dhananjay Phadke
  2022-03-18  7:44 ` Ilias Apalodimas
  2022-04-11 20:14 ` Tom Rini
  0 siblings, 2 replies; 5+ messages in thread
From: Dhananjay Phadke @ 2022-03-15 17:19 UTC (permalink / raw)
  To: u-boot; +Cc: Simon Glass, Alexandru Gagniuc, Ilias Apalodimas,
	Dhananjay Phadke

Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
(not set by ported linux code, but needed by __UBOOT__ part).

EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
correctness if certificates contain sha384WithRSAEncryption or
sha512WithRSAEncryption OIDs.

Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com>
---
 lib/crypto/pkcs7_verify.c    | 4 ++++
 lib/crypto/x509_public_key.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c
index 82c5c745d4..b832f01356 100644
--- a/lib/crypto/pkcs7_verify.c
+++ b/lib/crypto/pkcs7_verify.c
@@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
 		return -ENOPKG;
 	if (!strcmp(sinfo->sig->hash_algo, "sha256"))
 		sig->digest_size = SHA256_SUM_LEN;
+	else if (!strcmp(sinfo->sig->hash_algo, "sha384"))
+		sig->digest_size = SHA384_SUM_LEN;
+	else if (!strcmp(sinfo->sig->hash_algo, "sha512"))
+		sig->digest_size = SHA512_SUM_LEN;
 	else if (!strcmp(sinfo->sig->hash_algo, "sha1"))
 		sig->digest_size = SHA1_SUM_LEN;
 	else
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index d557ab27ae..5c0e2b622d 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert)
 		return -ENOPKG;
 	if (!strcmp(sig->hash_algo, "sha256"))
 		sig->digest_size = SHA256_SUM_LEN;
+	else if (!strcmp(sig->hash_algo, "sha384"))
+		sig->digest_size = SHA384_SUM_LEN;
+	else if (!strcmp(sig->hash_algo, "sha512"))
+		sig->digest_size = SHA512_SUM_LEN;
 	else if (!strcmp(sig->hash_algo, "sha1"))
 		sig->digest_size = SHA1_SUM_LEN;
 	else
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
  2022-03-15 17:19 [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7 Dhananjay Phadke
@ 2022-03-18  7:44 ` Ilias Apalodimas
  2022-03-18 14:10   ` Dhananjay Phadke
  2022-04-11 20:14 ` Tom Rini
  1 sibling, 1 reply; 5+ messages in thread
From: Ilias Apalodimas @ 2022-03-18  7:44 UTC (permalink / raw)
  To: Dhananjay Phadke; +Cc: u-boot, Simon Glass, Alexandru Gagniuc, Takahiro Akashi

+cc Akashi-san who initially ported those.


On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
<dphadke@linux.microsoft.com> wrote:
>
> Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
> (not set by ported linux code, but needed by __UBOOT__ part).
>
> EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
> correctness if certificates contain sha384WithRSAEncryption or
> sha512WithRSAEncryption OIDs.
>

Does the rest of the code parse those?  Or expects -ENOPKG for the
unsupported certificates?

Thanks
/Ilias

> Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com>
> ---
>  lib/crypto/pkcs7_verify.c    | 4 ++++
>  lib/crypto/x509_public_key.c | 4 ++++
>  2 files changed, 8 insertions(+)
>
> diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c
> index 82c5c745d4..b832f01356 100644
> --- a/lib/crypto/pkcs7_verify.c
> +++ b/lib/crypto/pkcs7_verify.c
> @@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
>                 return -ENOPKG;
>         if (!strcmp(sinfo->sig->hash_algo, "sha256"))
>                 sig->digest_size = SHA256_SUM_LEN;
> +       else if (!strcmp(sinfo->sig->hash_algo, "sha384"))
> +               sig->digest_size = SHA384_SUM_LEN;
> +       else if (!strcmp(sinfo->sig->hash_algo, "sha512"))
> +               sig->digest_size = SHA512_SUM_LEN;
>         else if (!strcmp(sinfo->sig->hash_algo, "sha1"))
>                 sig->digest_size = SHA1_SUM_LEN;
>         else
> diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
> index d557ab27ae..5c0e2b622d 100644
> --- a/lib/crypto/x509_public_key.c
> +++ b/lib/crypto/x509_public_key.c
> @@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert)
>                 return -ENOPKG;
>         if (!strcmp(sig->hash_algo, "sha256"))
>                 sig->digest_size = SHA256_SUM_LEN;
> +       else if (!strcmp(sig->hash_algo, "sha384"))
> +               sig->digest_size = SHA384_SUM_LEN;
> +       else if (!strcmp(sig->hash_algo, "sha512"))
> +               sig->digest_size = SHA512_SUM_LEN;
>         else if (!strcmp(sig->hash_algo, "sha1"))
>                 sig->digest_size = SHA1_SUM_LEN;
>         else
> --
> 2.25.1
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
  2022-03-18  7:44 ` Ilias Apalodimas
@ 2022-03-18 14:10   ` Dhananjay Phadke
  2022-03-18 14:37     ` Ilias Apalodimas
  0 siblings, 1 reply; 5+ messages in thread
From: Dhananjay Phadke @ 2022-03-18 14:10 UTC (permalink / raw)
  To: Ilias Apalodimas; +Cc: u-boot, Simon Glass, Alexandru Gagniuc, Takahiro Akashi

On 3/18/2022 12:44 AM, Ilias Apalodimas wrote:
> +cc Akashi-san who initially ported those.
> 
> 
> On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
> <dphadke@linux.microsoft.com> wrote:
>>
>> Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
>> (not set by ported linux code, but needed by __UBOOT__ part).
>>
>> EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
>> correctness if certificates contain sha384WithRSAEncryption or
>> sha512WithRSAEncryption OIDs.
>>
> 
> Does the rest of the code parse those?  Or expects -ENOPKG for the
> unsupported certificates?

Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo().
U-Boot code allocates digest buf for invoking hash_calculate(), that
needs this digest_size.

I've verified such certs (chain) with pkcs7_verify_one().

Thanks,
Dhananjay

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
  2022-03-18 14:10   ` Dhananjay Phadke
@ 2022-03-18 14:37     ` Ilias Apalodimas
  0 siblings, 0 replies; 5+ messages in thread
From: Ilias Apalodimas @ 2022-03-18 14:37 UTC (permalink / raw)
  To: Dhananjay Phadke; +Cc: u-boot, Simon Glass, Alexandru Gagniuc, Takahiro Akashi

On Fri, Mar 18, 2022 at 07:10:43AM -0700, Dhananjay Phadke wrote:
> On 3/18/2022 12:44 AM, Ilias Apalodimas wrote:
> > +cc Akashi-san who initially ported those.
> > 
> > 
> > On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
> > <dphadke@linux.microsoft.com> wrote:
> > > 
> > > Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
> > > (not set by ported linux code, but needed by __UBOOT__ part).
> > > 
> > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
> > > correctness if certificates contain sha384WithRSAEncryption or
> > > sha512WithRSAEncryption OIDs.
> > > 
> > 
> > Does the rest of the code parse those?  Or expects -ENOPKG for the
> > unsupported certificates?
> 
> Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo().
> U-Boot code allocates digest buf for invoking hash_calculate(), that
> needs this digest_size.
> 
> I've verified such certs (chain) with pkcs7_verify_one().

Ah right,  I probably missed that as well when I sent 
8699af63b8a5 ("lib/crypto: Enable more algorithms in cert verification")

Thanks!

> 
> Thanks,
> Dhananjay
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
  2022-03-15 17:19 [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7 Dhananjay Phadke
  2022-03-18  7:44 ` Ilias Apalodimas
@ 2022-04-11 20:14 ` Tom Rini
  1 sibling, 0 replies; 5+ messages in thread
From: Tom Rini @ 2022-04-11 20:14 UTC (permalink / raw)
  To: Dhananjay Phadke; +Cc: u-boot, Simon Glass, Alexandru Gagniuc, Ilias Apalodimas

[-- Attachment #1: Type: text/plain, Size: 557 bytes --]

On Tue, Mar 15, 2022 at 10:19:32AM -0700, Dhananjay Phadke wrote:

> Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
> (not set by ported linux code, but needed by __UBOOT__ part).
> 
> EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
> correctness if certificates contain sha384WithRSAEncryption or
> sha512WithRSAEncryption OIDs.
> 
> Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com>
> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Applied to u-boot/master, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-04-11 20:15 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-03-15 17:19 [PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7 Dhananjay Phadke
2022-03-18  7:44 ` Ilias Apalodimas
2022-03-18 14:10   ` Dhananjay Phadke
2022-03-18 14:37     ` Ilias Apalodimas
2022-04-11 20:14 ` Tom Rini

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox