[PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7

Dhananjay Phadke dphadke at linux.microsoft.com
Fri Mar 18 15:10:43 CET 2022

On 3/18/2022 12:44 AM, Ilias Apalodimas wrote:
> +cc Akashi-san who initially ported those.
> On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
> <dphadke at linux.microsoft.com> wrote:
>> Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
>> (not set by ported linux code, but needed by __UBOOT__ part).
>> EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
>> correctness if certificates contain sha384WithRSAEncryption or
>> sha512WithRSAEncryption OIDs.
> Does the rest of the code parse those?  Or expects -ENOPKG for the
> unsupported certificates?

Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo().
U-Boot code allocates digest buf for invoking hash_calculate(), that
needs this digest_size.

I've verified such certs (chain) with pkcs7_verify_one().


More information about the U-Boot mailing list