[PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7
ilias.apalodimas at linaro.org
Fri Mar 18 15:37:59 CET 2022
On Fri, Mar 18, 2022 at 07:10:43AM -0700, Dhananjay Phadke wrote:
> On 3/18/2022 12:44 AM, Ilias Apalodimas wrote:
> > +cc Akashi-san who initially ported those.
> > On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
> > <dphadke at linux.microsoft.com> wrote:
> > >
> > > Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
> > > (not set by ported linux code, but needed by __UBOOT__ part).
> > >
> > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
> > > correctness if certificates contain sha384WithRSAEncryption or
> > > sha512WithRSAEncryption OIDs.
> > >
> > Does the rest of the code parse those? Or expects -ENOPKG for the
> > unsupported certificates?
> Yes these OIDs are parsed by Linux code, see x509_note_pkey_algo().
> U-Boot code allocates digest buf for invoking hash_calculate(), that
> needs this digest_size.
> I've verified such certs (chain) with pkcs7_verify_one().
Ah right, I probably missed that as well when I sent
8699af63b8a5 ("lib/crypto: Enable more algorithms in cert verification")
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
More information about the U-Boot