[PATCH] lib/crypto: support sha384/sha512 in x509/pkcs7

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Mar 18 15:37:59 CET 2022


On Fri, Mar 18, 2022 at 07:10:43AM -0700, Dhananjay Phadke wrote:
> On 3/18/2022 12:44 AM, Ilias Apalodimas wrote:
> > +cc Akashi-san who initially ported those.
> > 
> > 
> > On Tue, 15 Mar 2022 at 19:19, Dhananjay Phadke
> > <dphadke at linux.microsoft.com> wrote:
> > > 
> > > Set digest_size for the SHA384 and SHA512 algorithms in pkcs7 and x509
> > > (not set by the ported Linux code, but needed by the __UBOOT__ part).
> > > 
> > > EFI_CAPSULE_AUTHENTICATE doesn't select these algos, but they are required
> > > for correctness if certificates contain sha384WithRSAEncryption or
> > > sha512WithRSAEncryption OIDs.
> > > 
> > 
> > Does the rest of the code parse those? Or does it expect -ENOPKG for the
> > unsupported certificates?
> 
> Yes, these OIDs are parsed by the Linux code; see x509_note_pkey_algo().
> The U-Boot code allocates a digest buf for invoking hash_calculate(), which
> needs this digest_size.
> 
> I've verified such certs (chain) with pkcs7_verify_one().

Ah right, I probably missed that as well when I sent
8699af63b8a5 ("lib/crypto: Enable more algorithms in cert verification").

Thanks!

> 
> Thanks,
> Dhananjay
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

