!46 [sync] PR-45: 适配pesign国密特性补丁

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-09-12 11:45:26 +00:00 · 2023-09-12 11:45:26 +00:00 · c935c90be4
commit c935c90be4
parent f0ba22c593 f1ce0868b7
3 changed files with 165 additions and 1 deletions
--- a/Feature-pesign-support-SM2-signature-algorithm.patch
+++ b/Feature-pesign-support-SM2-signature-algorithm.patch
@ -0,0 +1,112 @@
+From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
+From: godcansee <liu332084460@foxmail.com>
+Date: Sun, 2 Oct 2022 04:33:40 +0800
+Subject: pesign support SM2 signature algorithm.
+
+Co-authored-by:Huaxin Lu <luhuaxin1@huawei.com>
+---
+ src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/src/signer_info.c b/src/signer_info.c
+index afa00e2..4aabf5d 100644
+--- a/src/signer_info.c
+++ b/src/signer_info.c
+@@ -157,6 +157,65 @@ err:
+ 	return -1;
+ }
+ 
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey,
+		SECItem *content, SECOidData *oid)
+{
+	int ret = -1;
+	SECKEYPublicKey *pubkey = NULL;
+	unsigned char *buf = NULL;
+	SECStatus status;
+	SECItem sig_raw = { 0 };
+
+	pubkey = CERT_ExtractPublicKey(cms->cert);
+	if (!pubkey) {
+		cms->log(cms, LOG_ERR, "could not get public key");
+		return -1;
+	}
+
+	if (pubkey->keyType != ecKey) {
+		cms->log(cms, LOG_ERR, "invalid key type for sm2");
+		goto out;
+	}
+
+	buf = malloc(content->len + SM3_LENGTH);
+	if (!buf) {
+		cms->log(cms, LOG_ERR, "fail to alloc item");
+		goto out;
+	}
+
+	status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to compute sm2 z digest");
+		goto out;
+	}
+
+	memcpy(buf + SM3_LENGTH, content->data, content->len);
+	status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH,
+			privkey, oid->offset);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to sign data with sm2");
+		goto out;
+	}
+
+	status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64);
+	if (status != SECSuccess) {
+		cms->log(cms, LOG_ERR, "fail to encode sm2 sig");
+		goto out;
+	}
+
+	ret = 0;
+out:
+	SECKEY_DestroyPublicKey(pubkey);
+	if (buf)
+		free(buf);
+	if (sig_raw.data)
+		PORT_Free(sig_raw.data);
+
+	return ret;
+}
+#endif
+
+ static int
+ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ {
+@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ 		return -1;
+ 	}
+ 
+-	SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
+	SECOidTag oidt = digest_get_signature_oid(cms);
+	SECOidData *oid = SECOID_FindOIDByTag(oidt);
+ 	if (!oid)
+ 		goto err;
+ 
+@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ 	memset (&tmp, '\0', sizeof (tmp));
+ 
+ 	SECStatus status;
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+	if (oidt == SEC_OID_SM2_WITH_SM3) {
+		status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ?
+			SECFailure : SECSuccess;
+	} else {
+		status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+				privkey, oid->offset);
+	}
+#else
+ 	status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+ 			privkey, oid->offset);
+#endif
+ 	SECKEY_DestroyPrivateKey(privkey);
+ 	privkey = NULL;
+ 
+-- 
+2.33.0
+
--- a/Feature-pesign-support-SM3-digest-algorithm.patch
+++ b/Feature-pesign-support-SM3-digest-algorithm.patch
@ -0,0 +1,46 @@
+From 2e14b6a91835095720db3ce62949c725e1e44cf1 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Mon, 11 Sep 2023 19:24:37 +0800
+Subject: [PATCH] pesign support SM3 digest algorithm.
+
+---
+ src/cms_common.c | 9 +++++++++
+ src/cms_common.h | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 228d0ab..7b5abc5 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -56,6 +56,15 @@ const struct digest_param digest_params[] = {
+ 		.size = 20
+ 	},
+ #endif
+#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
+	{.name = "sm3",
+	 .digest_tag = SEC_OID_SM3,
+	 .signature_tag = SEC_OID_SM2_WITH_SM3,
+	 .digest_encryption_tag = SEC_OID_SM2_WITH_SM3,
+	 .efi_guid = NULL,
+	 .size = 32
+	},
+#endif
+ };
+ const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ 
+diff --git a/src/cms_common.h b/src/cms_common.h
+index 35a128a..73c596f 100644
+--- a/src/cms_common.h
+++ b/src/cms_common.h
+@@ -76,7 +76,7 @@ struct digest_param {
+ 	int size;
+ };
+ 
+-extern const struct digest_param digest_params[2];
+extern const struct digest_param digest_params[3];
+ extern const unsigned int n_digest_params;
+ 
+ typedef struct pk12_file {
+-- 
+2.27.0
+
--- a/pesign.spec
+++ b/pesign.spec
@ -2,7 +2,7 @@
 Name:          pesign
 Summary:       Signing utility for UEFI binaries
 Version:       116
-Release:       1
+Release:       2
 License:       GPLv2
 URL:           https://github.com/rhboot/pesign
 Source0:       https://github.com/rhboot/pesign/archive/refs/tags/116.tar.gz
@ -18,6 +18,9 @@ BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc

 Patch0001:     Bugfix-cms_common-fix-cert-match-check.patch
 Patch0002:     0001-cms_common-Fixed-Segmentation-fault.patch
+
+Patch9000:     Feature-pesign-support-SM3-digest-algorithm.patch
+Patch9001:     Feature-pesign-support-SM2-signature-algorithm.patch
 Patch9002:     Fix-build-error-of-gcc-version-too-low.patch

 %description
@ -92,6 +95,9 @@ exit 0
 %{_mandir}/man*/*

 %changelog
+* Mon Sep 11 2023 jinlun <jinlun@huawei.com> - 116-2
+- fix the algorithm flag for sm2,sm3
+
 * Thu May 04 2023 chenchen <chen_aka_jan@163.com> - 116-1
 - Update to 116