diff --git a/Feature-pesign-support-SM2-signature-algorithm.patch b/Feature-pesign-support-SM2-signature-algorithm.patch new file mode 100644 index 0000000000000000000000000000000000000000..502e590874ae0635a0973095d6d2de43cd0a799d --- /dev/null +++ b/Feature-pesign-support-SM2-signature-algorithm.patch @@ -0,0 +1,112 @@ +From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001 +From: godcansee +Date: Sun, 2 Oct 2022 04:33:40 +0800 +Subject: [PATCH 2/2] pesign support SM2 signature algorithm. + +Co-authored-by:Huaxin Lu +--- + src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 71 insertions(+), 1 deletion(-) + +diff --git a/src/signer_info.c b/src/signer_info.c +index afa00e2..4aabf5d 100644 +--- a/src/signer_info.c ++++ b/src/signer_info.c +@@ -157,6 +157,65 @@ err: + return -1; + } + ++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3) ++static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey, ++ SECItem *content, SECOidData *oid) ++{ ++ int ret = -1; ++ SECKEYPublicKey *pubkey; ++ unsigned char *buf; ++ SECStatus status; ++ SECItem sig_raw = { 0 }; ++ ++ pubkey = CERT_ExtractPublicKey(cms->cert); ++ if (!pubkey) { ++ cms->log(cms, LOG_ERR, "could not get public key"); ++ return -1; ++ } ++ ++ if (pubkey->keyType != ecKey) { ++ cms->log(cms, LOG_ERR, "invalid key type for sm2"); ++ goto out; ++ } ++ ++ buf = malloc(content->len + SM3_LENGTH); ++ if (!buf) { ++ cms->log(cms, LOG_ERR, "fail to alloc item"); ++ goto out; ++ } ++ ++ status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue); ++ if (status != SECSuccess) { ++ cms->log(cms, LOG_ERR, "fail to compute sm2 z digest"); ++ goto out; ++ } ++ ++ memcpy(buf + SM3_LENGTH, content->data, content->len); ++ status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH, ++ privkey, oid->offset); ++ if (status != SECSuccess) { ++ cms->log(cms, LOG_ERR, "fail to sign data with sm2"); ++ goto out; ++ } ++ ++ status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64); ++ if (status != SECSuccess) { ++ cms->log(cms, LOG_ERR, "fail to encode sm2 sig"); ++ goto out; ++ } ++ ++ ret = 0; ++out: ++ SECKEY_DestroyPublicKey(pubkey); ++ if (buf) ++ free(buf); ++ if (sig_raw.data) ++ PORT_Free(sig_raw.data); ++ ++ return ret; ++} ++#endif ++ + static int + sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content) + { +@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content) + return -1; + } + +- SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms)); ++ SECOidTag oidt = digest_get_signature_oid(cms); ++ SECOidData *oid = SECOID_FindOIDByTag(oidt); + if (!oid) + goto err; + +@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content) + memset (&tmp, '\0', sizeof (tmp)); + + SECStatus status; ++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3) ++ if (oidt == SEC_OID_SM2_WITH_SM3) { ++ status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ? ++ SECFailure : SECSuccess; ++ } else { ++ status = SEC_SignData(&tmp, sign_content->data, sign_content->len, ++ privkey, oid->offset); ++ } ++#else + status = SEC_SignData(&tmp, sign_content->data, sign_content->len, + privkey, oid->offset); ++#endif + SECKEY_DestroyPrivateKey(privkey); + privkey = NULL; + +-- +2.33.0 + diff --git a/Feature-pesign-support-SM3-digest-algorithm.patch b/Feature-pesign-support-SM3-digest-algorithm.patch new file mode 100644 index 0000000000000000000000000000000000000000..dbfb020e8c19dbecdb099c0f319eac6be6ecf38c --- /dev/null +++ b/Feature-pesign-support-SM3-digest-algorithm.patch @@ -0,0 +1,32 @@ +From fa5e86eca363b8d2bcf23feedcc86fdd076be7d4 Mon Sep 17 00:00:00 2001 +From: godcansee +Date: Sun, 2 Oct 2022 04:23:35 +0800 +Subject: [PATCH 1/2] pesign support SM3 digest algorithm. + +--- + src/cms_common.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/cms_common.c b/src/cms_common.c +index d13b2cb..7b6dc0e 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -68,6 +68,15 @@ static struct digest_param digest_params[] = { + .size = 20 + }, + #endif ++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3) ++ {.name = "sm3", ++ .digest_tag = SEC_OID_SM3, ++ .signature_tag = SEC_OID_SM2_WITH_SM3, ++ .digest_encryption_tag = SEC_OID_SM2_WITH_SM3, ++ .efi_guid = NULL, ++ .size = 32 ++ }, ++#endif + }; + static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]); + +-- +2.33.0 + diff --git a/pesign.spec b/pesign.spec index 78164925dfd11b2bc9b0c2989bc950da88b3dd28..64b262d9da1e3cfd8c7975a6db9d3f98ec233a31 100644 --- a/pesign.spec +++ b/pesign.spec @@ -2,7 +2,7 @@ Name: pesign Summary: Signing utility for UEFI binaries Version: 0.113 -Release: 5 +Release: 7 License: GPLv2 URL: https://github.com/vathpela/pesign Source0: https://github.com/rhboot/pesign/archive/113.tar.gz @@ -19,6 +19,10 @@ BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc Patch0001: Fix-the-build-with-nss-3.44.patch Patch0002: remove-superfluous-type-settings.patch +# Feature: support SM2 and SM3 +Patch9000: Feature-pesign-support-SM3-digest-algorithm.patch +Patch9001: Feature-pesign-support-SM2-signature-algorithm.patch + %description pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications. @@ -94,7 +98,13 @@ exit 0 %{_mandir}/man*/* %changelog -* Sat Jul 31 2021 Shenmei Tu - 0.113-5 +* Mon Oct 31 2022 luhuaxin - 0.113-7 +- fix the algorithm flag for sm2,sm3 + +* Mon Oct 10 2022 godcansee - 0.113-6 +- add feature to support for sm2,sm3 + +* Sat July 31 2021 Shenmei Tu - 0.113-5 - remove-superfluous-type-settings.patch * Mon May 31 2021 huanghaitao - 0.113-4