Add support for PKCS7 SM2

2022-10-18 09:38:00 +08:00 · 2022-10-18 09:38:00 +08:00 · 5c6c6011af
commit 5c6c6011af
parent 3b0e96c594
2 changed files with 85 additions and 2 deletions
--- a/Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
+++ b/Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
@ -0,0 +1,79 @@
 From 95ae0cd988b4a556c1719f84af3fe3a116352fd7 Mon Sep 17 00:00:00 2001
 From: gaoyusong <gaoyusong2@huawei.com>
 Date: Fri, 30 Sep 2022 12:10:15 +0800
 Subject: [PATCH] PKCS7 sign and verify support SM2 algorithm
 ---
 crypto/pkcs7/pk7_doit.c | 28 +++++++++++++++++++++-------
 crypto/sm2/sm2_pmeth.c  |  1 +
 2 files changed, 22 insertions(+), 7 deletions(-)
 diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
 index f63fbc5..2e86cce 100644
 --- a/crypto/pkcs7/pk7_doit.c
 +++ b/crypto/pkcs7/pk7_doit.c
@@ -946,6 +946,9 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
     STACK_OF(X509_ATTRIBUTE) *sk;
     BIO *btmp;
     EVP_PKEY *pkey;
 +#ifndef OPENSSL_NO_SM2
 +    EVP_PKEY_CTX *pctx = NULL;
 +#endif
     mdc_tmp = EVP_MD_CTX_new();
     if (mdc_tmp == NULL) {
@@ -1013,7 +1016,19 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
             goto err;
         }
 -        if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
 +        pkey = X509_get0_pubkey(x509);
 +        if (!pkey) {
 +            ret = -1;
 +            goto err;
 +        }
 +
 +        ret =
 +#ifndef OPENSSL_NO_SM2
 +        EVP_PKEY_is_sm2(pkey) ?
 +        EVP_DigestVerifyInit(mdc_tmp, &pctx, EVP_get_digestbynid(md_type), NULL, pkey) :
 +#endif
 +        EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL);
 +        if (!ret)
             goto err;
         alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
@@ -1030,13 +1045,12 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
     }
     os = si->enc_digest;
 -    pkey = X509_get0_pubkey(x509);
 -    if (!pkey) {
 -        ret = -1;
 -        goto err;
 -    }
 -    i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
 +    i =
 +#ifndef OPENSSL_NO_SM2
 +    EVP_PKEY_is_sm2(pkey) ? EVP_DigestVerifyFinal(mdc_tmp, os->data, os->length) :
 +#endif
 +    EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
     if (i <= 0) {
         PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
         ret = -1;
 diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
 index 1998812..53cdbe9 100644
 --- a/crypto/sm2/sm2_pmeth.c
 +++ b/crypto/sm2/sm2_pmeth.c
@@ -221,6 +221,7 @@ static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
         return 1;
     case EVP_PKEY_CTRL_DIGESTINIT:
 +    case EVP_PKEY_CTRL_PKCS7_SIGN:
         /* nothing to be inited, this is to suppress the error... */
         return 1;
 -- 
 2.33.0
--- a/openssl.spec
+++ b/openssl.spec
@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1m
-Release:     9
+Release:     10
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@ -34,7 +34,8 @@ Patch23:     CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
 Patch24:     CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
 Patch25:     Feature-add-ARMv8-implementations-of-SM4-in-ECB-and-XTS.patch
 Patch26:     Fix-reported-performance-degradation-on-aarch64.patch 
-
+Patch27:    Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Obsoletes:   openssl-SMx < %{epoch}:%{version}-%{release}
@ -236,6 +237,9 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
 * Fri Oct 21 2022 luhuaxin <luhuaxin1@huawei.com> - 1:1.1.1m-10
 - add support for SM2 PKCS7
 * Thu Oct 20 2022 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-9
 - fix proformance degradation on aarch64