!21 add sm2 support

From: @HuaxinLuGitee Reviewed-by: @zhuchunyi Signed-off-by: @zhuchunyi
2022-11-01 03:03:19 +00:00 · 2022-11-01 03:03:19 +00:00 · 2714247f69
commit 2714247f69
parent d7f7231c49 3c56b24835
3 changed files with 156 additions and 2 deletions
--- a/Feature-pesign-support-SM2-signature-algorithm.patch
+++ b/Feature-pesign-support-SM2-signature-algorithm.patch
@ -0,0 +1,112 @@
+From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
+From: godcansee <liu332084460@foxmail.com>
+Date: Sun, 2 Oct 2022 04:33:40 +0800
+Subject: [PATCH 2/2] pesign support SM2 signature algorithm.
+
+Co-authored-by:Huaxin Lu <luhuaxin1@huawei.com>
+---
+ src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/src/signer_info.c b/src/signer_info.c
+index afa00e2..4aabf5d 100644
+--- a/src/signer_info.c
+++ b/src/signer_info.c
+@@ -157,6 +157,65 @@ err:
+ 	return -1;
+ }
+ 
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey,
+		SECItem *content, SECOidData *oid)
+{
+	int ret = -1;
+	SECKEYPublicKey *pubkey;
+	unsigned char *buf;
+	SECStatus status;
+	SECItem sig_raw = { 0 };
+
+	pubkey = CERT_ExtractPublicKey(cms->cert);
+	if (!pubkey) {
+		cms->log(cms, LOG_ERR, "could not get public key");
+		return -1;
+	}
+
+	if (pubkey->keyType != ecKey) {
+		cms->log(cms, LOG_ERR, "invalid key type for sm2");
+		goto out;
+	}
+
+	buf = malloc(content->len + SM3_LENGTH);
+	if (!buf) {
+		cms->log(cms, LOG_ERR, "fail to alloc item");
+		goto out;
+	}
+
+	status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to compute sm2 z digest");
+		goto out;
+	}
+
+	memcpy(buf + SM3_LENGTH, content->data, content->len);
+	status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH,
+			privkey, oid->offset);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to sign data with sm2");
+		goto out;
+	}
+
+	status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to encode sm2 sig");
+		goto out;
+	}
+
+	ret = 0;
+out:
+	SECKEY_DestroyPublicKey(pubkey);
+	if (buf)
+		free(buf);
+	if (sig_raw.data)
+		PORT_Free(sig_raw.data);
+
+	return ret;
+}
+#endif
+
+ static int
+ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ {
+@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ 		return -1;
+ 	}
+ 
+-	SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
+	SECOidTag oidt = digest_get_signature_oid(cms);
+	SECOidData *oid = SECOID_FindOIDByTag(oidt);
+ 	if (!oid)
+ 		goto err;
+ 
+@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ 	memset (&tmp, '\0', sizeof (tmp));
+ 
+ 	SECStatus status;
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+	if (oidt == SEC_OID_SM2_WITH_SM3) {
+		status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ?
+			SECFailure : SECSuccess;
+	} else {
+		status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+				privkey, oid->offset);
+	}
+#else
+ 	status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+ 			privkey, oid->offset);
+#endif
+ 	SECKEY_DestroyPrivateKey(privkey);
+ 	privkey = NULL;
+ 
+-- 
+2.33.0
+
--- a/Feature-pesign-support-SM3-digest-algorithm.patch
+++ b/Feature-pesign-support-SM3-digest-algorithm.patch
@ -0,0 +1,32 @@
+From fa5e86eca363b8d2bcf23feedcc86fdd076be7d4 Mon Sep 17 00:00:00 2001
+From: godcansee <liu332084460@foxmail.com>
+Date: Sun, 2 Oct 2022 04:23:35 +0800
+Subject: [PATCH 1/2] pesign support SM3 digest algorithm.
+
+---
+ src/cms_common.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index d13b2cb..7b6dc0e 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -68,6 +68,15 @@ static struct digest_param digest_params[] = {
+ 	 .size = 20
+ 	},
+ #endif
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+	{.name = "sm3",
+	 .digest_tag = SEC_OID_SM3,
+	 .signature_tag = SEC_OID_SM2_WITH_SM3,
+	 .digest_encryption_tag = SEC_OID_SM2_WITH_SM3,
+	 .efi_guid = NULL,
+	 .size = 32
+	},
+#endif
+ };
+ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ 
+-- 
+2.33.0
+
--- a/pesign.spec
+++ b/pesign.spec
@ -2,7 +2,7 @@
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
 Version:       0.113
-Release:       5
+Release:       7
 License:       GPLv2
 URL:           https://github.com/vathpela/pesign
 Source0:       https://github.com/rhboot/pesign/archive/113.tar.gz
@ -19,6 +19,10 @@ BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc
 Patch0001:     Fix-the-build-with-nss-3.44.patch
 Patch0002:     remove-superfluous-type-settings.patch

+# Feature: support SM2 and SM3
+Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
+Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
+
 %description
 pesign is a command line tool for manipulating signatures and
 cryptographic digests of UEFI applications.
@ -94,7 +98,13 @@ exit 0
 %{_mandir}/man*/*

 %changelog
-* Sat Jul 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
+* Mon Oct 31 2022 luhuaxin <luhuaxin1@huawei.com> - 0.113-7
+- fix the algorithm flag for sm2,sm3
+
+* Mon Oct 10 2022 godcansee <liu332084460@foxmail.com> - 0.113-6
+- add feature to support for sm2,sm3 
+
+* Sat July 31 2021 Shenmei Tu <tushenmei@huawei.com> - 0.113-5
 - remove-superfluous-type-settings.patch

 * Mon May 31 2021 huanghaitao <huanghaitao8@huawei.com> - 0.113-4