[PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Mar 18 08:44:01 CET 2022


+cc Akashi-san who initially ported those.


On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
<dphadke at linux.microsoft.com> wrote:
>
> Set digest_size for SHA384 and SHA512 algorithms in pkcs7 and x509
> (not set by ported linux code, but needed by __UBOOT__ part).
>
> EFI_CAPSULE_AUTHENTICATE doesn't select these algos, but they are required for
> correctness if certificates contain sha384WithRSAEncryption or
> sha512WithRSAEncryption OIDs.
>

Does the rest of the code parse those?  Or does it expect -ENOPKG for the
unsupported certificates?

Thanks
/Ilias

> Signed-off-by: Dhananjay Phadke <dphadke at linux.microsoft.com>
> ---
>  lib/crypto/pkcs7_verify.c    | 4 ++++
>  lib/crypto/x509_public_key.c | 4 ++++
>  2 files changed, 8 insertions(+)
>
> diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c
> index 82c5c745d4..b832f01356 100644
> --- a/lib/crypto/pkcs7_verify.c
> +++ b/lib/crypto/pkcs7_verify.c
> @@ -65,6 +65,10 @@ static int pkcs7_digest(struct pkcs7_message *pkcs7,
>                 return -ENOPKG;
>         if (!strcmp(sinfo->sig->hash_algo, "sha256"))
>                 sig->digest_size = SHA256_SUM_LEN;
> +       else if (!strcmp(sinfo->sig->hash_algo, "sha384"))
> +               sig->digest_size = SHA384_SUM_LEN;
> +       else if (!strcmp(sinfo->sig->hash_algo, "sha512"))
> +               sig->digest_size = SHA512_SUM_LEN;
>         else if (!strcmp(sinfo->sig->hash_algo, "sha1"))
>                 sig->digest_size = SHA1_SUM_LEN;
>         else
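
Review bot: the new sha384 and sha512 branches in pkcs7_digest() set sig->digest_size unconditionally, while the commit message says EFI_CAPSULE_AUTHENTICATE does not select these algorithms, so in a build without them a signature using these hashes no longer falls through to the final else here. Please say where such a signature is rejected after this change, or make the two branches conditional on the hash actually being built in, so the unsupported case is still caught at this point rather than later in the digest or verify path.
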
> diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
> index d557ab27ae..5c0e2b622d 100644
> --- a/lib/crypto/x509_public_key.c
> +++ b/lib/crypto/x509_public_key.c
> @@ -71,6 +71,10 @@ int x509_get_sig_params(struct x509_certificate *cert)
>                 return -ENOPKG;
>         if (!strcmp(sig->hash_algo, "sha256"))
>                 sig->digest_size = SHA256_SUM_LEN;
> +       else if (!strcmp(sig->hash_algo, "sha384"))
> +               sig->digest_size = SHA384_SUM_LEN;
> +       else if (!strcmp(sig->hash_algo, "sha512"))
> +               sig->digest_size = SHA512_SUM_LEN;
>         else if (!strcmp(sig->hash_algo, "sha1"))
>                 sig->digest_size = SHA1_SUM_LEN;
>         else
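
Review bot: the sha256/sha384/sha512/sha1 strcmp chain in x509_get_sig_params() is now the same four-way chain as the one in pkcs7_digest(), so the next algorithm has to be added in two places and the two can drift apart. A single helper that maps hash_algo to its digest length, called from both files, would avoid that. Also confirm that SHA384_SUM_LEN and SHA512_SUM_LEN are already visible in both files, since the diffstat shows only the four added lines per file and no new include.
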
> --
> 2.25.1
>