From: Saulo Alessandre <saulo.alessan...@tse.jus.br> * crypto/asymmetric_keys/pkcs7_parser.c - pkcs7_sig_note_pkey_algo - changed to recognize OID_id_ecdsa_with_sha(1,256,384,512).
* crypto/asymmetric_keys/pkcs7_verify.c - pkcs7_digest - added warning when the summary has an unsupported algorithm, to avoid let others waste time, like me. * crypto/asymmetric_keys/public_key.c - software_key_determine_akcipher - modified to recognize ecdsa. * crypto/asymmetric_keys/x509_cert_parser.c - x509_note_pkey_algo - changed to recognize ecdsa and to use lookup_oid_ routines; added info about certificates found inside kernel; - x509_note_signature - changed to recognize ecdsa; - x509_extract_key_data - changed to recognize OID_id_ecPublicKey as ecdsa --- crypto/asymmetric_keys/pkcs7_parser.c | 7 ++++- crypto/asymmetric_keys/pkcs7_verify.c | 5 ++- crypto/asymmetric_keys/public_key.c | 30 ++++++++++++------ crypto/asymmetric_keys/x509_cert_parser.c | 37 ++++++++++++----------- 4 files changed, 49 insertions(+), 30 deletions(-) diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c index 967329e0a07b..501af4937516 100644 --- a/crypto/asymmetric_keys/pkcs7_parser.c +++ b/crypto/asymmetric_keys/pkcs7_parser.c @@ -267,12 +267,17 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, switch (ctx->last_oid) { case OID_rsaEncryption: ctx->sinfo->sig->pkey_algo = "rsa"; - ctx->sinfo->sig->encoding = "pkcs1"; + break; + case OID_id_ecdsa_with_sha256: + case OID_id_ecdsa_with_sha384: + case OID_id_ecdsa_with_sha512: + ctx->sinfo->sig->pkey_algo = "ecdsa"; break; default: printk("Unsupported pkey algo: %u\n", ctx->last_oid); return -ENOPKG; } + ctx->sinfo->sig->encoding = "pkcs1"; return 0; } diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index ce49820caa97..a963aa9ec648 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -41,8 +41,11 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7, * big the hash operational data will be. */ tfm = crypto_alloc_shash(sinfo->sig->hash_algo, 0, 0); - if (IS_ERR(tfm)) + if (IS_ERR(tfm)) { + pr_warn("%s unsupported hash_algo[%s]", __func__, + sinfo->sig->hash_algo); return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); + } desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); sig->digest_size = crypto_shash_digestsize(tfm); diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index 8892908ad58c..42429a10ef0b 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -70,18 +70,28 @@ int software_key_determine_akcipher(const char *encoding, int n; if (strcmp(encoding, "pkcs1") == 0) { - /* The data wangled by the RSA algorithm is typically padded - * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447 - * sec 8.2]. - */ - if (!hash_algo) + if (pkey->pkey_algo && strcmp(pkey->pkey_algo, "rsa") == 0) { + /* The data wangled by the RSA algorithm is typically padded + * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447 + * sec 8.2]. + */ + if (!hash_algo) + n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, + "pkcs1pad(%s)", + pkey->pkey_algo); + else + n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, + "pkcs1pad(%s,%s)", + pkey->pkey_algo, hash_algo); + } else if (pkey->pkey_algo && + strcmp(pkey->pkey_algo, "ecdsa") == 0) { n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, - "pkcs1pad(%s)", - pkey->pkey_algo); - else + "%s(%s)", pkey->pkey_algo, hash_algo); + } else { n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, - "pkcs1pad(%s,%s)", - pkey->pkey_algo, hash_algo); + "pkcs1pad(%s,%s)", + pkey->pkey_algo, hash_algo); + } return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; } diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 52c9b455fc7d..a67bdbae1055 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -197,6 +197,7 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, pr_debug("PubKey Algo: %u\n", ctx->last_oid); + ctx->key_algo = ctx->last_oid; switch (ctx->last_oid) { case OID_md2WithRSAEncryption: case OID_md3WithRSAEncryption: @@ -204,27 +205,15 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, return -ENOPKG; /* Unsupported combination */ case OID_md4WithRSAEncryption: - ctx->cert->sig->hash_algo = "md4"; - goto rsa_pkcs1; - case OID_sha1WithRSAEncryption: - ctx->cert->sig->hash_algo = "sha1"; - goto rsa_pkcs1; - case OID_sha256WithRSAEncryption: - ctx->cert->sig->hash_algo = "sha256"; - goto rsa_pkcs1; - case OID_sha384WithRSAEncryption: - ctx->cert->sig->hash_algo = "sha384"; - goto rsa_pkcs1; - case OID_sha512WithRSAEncryption: - ctx->cert->sig->hash_algo = "sha512"; - goto rsa_pkcs1; - case OID_sha224WithRSAEncryption: - ctx->cert->sig->hash_algo = "sha224"; + case OID_id_ecdsa_with_sha1: + case OID_id_ecdsa_with_sha256: + case OID_id_ecdsa_with_sha384: + case OID_id_ecdsa_with_sha512: goto rsa_pkcs1; case OID_gost2012Signature256: @@ -241,9 +230,13 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, } rsa_pkcs1: - ctx->cert->sig->pkey_algo = "rsa"; + lookup_oid_sign_info(ctx->key_algo, &ctx->cert->sig->pkey_algo); + lookup_oid_digest_info(ctx->key_algo, &ctx->cert->sig->hash_algo, + NULL, NULL); ctx->cert->sig->encoding = "pkcs1"; ctx->algo_oid = ctx->last_oid; + pr_info("Found %s(%s) X509 certificate\n", ctx->cert->sig->pkey_algo, + ctx->cert->sig->hash_algo); return 0; ecrdsa: ctx->cert->sig->pkey_algo = "ecrdsa"; @@ -275,6 +268,7 @@ int x509_note_signature(void *context, size_t hdrlen, } if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || + strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0 || strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) { /* Discard the BIT STRING metadata */ @@ -470,7 +464,14 @@ int x509_extract_key_data(void *context, size_t hdrlen, ctx->cert->pub->pkey_algo = "ecrdsa"; break; case OID_id_ecPublicKey: - ctx->cert->pub->pkey_algo = "sm2"; + if (ctx->algo_oid == OID_id_ecdsa_with_sha512 || + ctx->algo_oid == OID_id_ecdsa_with_sha384 || + ctx->algo_oid == OID_id_ecdsa_with_sha256 || + ctx->algo_oid == OID_id_ecdsa_with_sha1) { + ctx->cert->pub->pkey_algo = "ecdsa"; + } else { + ctx->cert->pub->pkey_algo = "sm2"; + } break; default: return -ENOPKG; -- 2.25.1