diff --git a/Feature-pesign-support-SM2-signature-algorithm.patch b/Feature-pesign-support-SM2-signature-algorithm.patch
new file mode 100644
index 0000000000000000000000000000000000000000..adb6dc23cf4db6657467905f97d4b74a5e2c86a2
--- /dev/null
+++ b/Feature-pesign-support-SM2-signature-algorithm.patch
@@ -0,0 +1,112 @@
+From 6c47b45347c946221a8acc3ea3a6a9cfcd734756 Mon Sep 17 00:00:00 2001
+From: godcansee
+Date: Sun, 2 Oct 2022 04:33:40 +0800
+Subject: pesign support SM2 signature algorithm.
+
+Co-authored-by:Huaxin Lu
+---
+ src/signer_info.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/src/signer_info.c b/src/signer_info.c
+index afa00e2..4aabf5d 100644
+--- a/src/signer_info.c
++++ b/src/signer_info.c
+@@ -157,6 +157,65 @@ err:
+ return -1;
+ }
+ 
++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
++static int sm2_sign(SECItem *sig, cms_context *cms, SECKEYPrivateKey *privkey,
++ SECItem *content, SECOidData *oid)
++{
++ int ret = -1;
++ SECKEYPublicKey *pubkey = NULL;
++ unsigned char *buf = NULL;
++ SECStatus status;
++ SECItem sig_raw = { 0 };
++
++ pubkey = CERT_ExtractPublicKey(cms->cert);
++ if (!pubkey) {
++ cms->log(cms, LOG_ERR, "could not get public key");
++ return -1;
++ }
++
++ if (pubkey->keyType != ecKey) {
++ cms->log(cms, LOG_ERR, "invalid key type for sm2");
++ goto out;
++ }
++
++ buf = malloc(content->len + SM3_LENGTH);
++ if (!buf) {
++ cms->log(cms, LOG_ERR, "fail to alloc item");
++ goto out;
++ }
++
++ status = SEC_CreateSM2Digest(buf, &pubkey->u.ec.publicValue);
++ if (status != SECSuccess) {
++ cms->log(cms, LOG_ERR, "fail to compute sm2 z digest");
++ goto out;
++ }
++
++ memcpy(buf + SM3_LENGTH, content->data, content->len);
++ status = SEC_SignData(&sig_raw, buf, content->len + SM3_LENGTH,
++ privkey, oid->offset);
++ if (status != SECSuccess) {
++ cms->log(cms, LOG_ERR, "fail to sign data with sm2");
++ goto out;
++ }
++
++ status = DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64);
++ if (status != SECSuccess) {
++ cms->log(cms, LOG_ERR, "fail to encode sm2 sig");
++ goto out;
++ }
++
++ ret = 0;
++out:
++ SECKEY_DestroyPublicKey(pubkey);
++ if (buf)
++ free(buf);
++ if (sig_raw.data)
++ PORT_Free(sig_raw.data);
++
++ return ret;
++}
++#endif
++
+ static int
+ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ {
+@@ -169,7 +228,8 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ return -1;
+ }
+ 
+- SECOidData *oid = SECOID_FindOIDByTag(digest_get_signature_oid(cms));
++ SECOidTag oidt = digest_get_signature_oid(cms);
++ SECOidData *oid = SECOID_FindOIDByTag(oidt);
+ if (!oid)
+ goto err;
+ 
+@@ -186,8 +246,18 @@ sign_blob(cms_context *cms, SECItem *sigitem, SECItem *sign_content)
+ memset (&tmp, '\0', sizeof (tmp));
+ 
+ SECStatus status;
++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
++ if (oidt == SEC_OID_SM2_WITH_SM3) {
++ status = sm2_sign(&tmp, cms, privkey, sign_content, oid) ?
++ SECFailure : SECSuccess;
++ } else {
++ status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
++ privkey, oid->offset);
++ }
++#else
+ status = SEC_SignData(&tmp, sign_content->data, sign_content->len,
+ privkey, oid->offset);
++#endif
+ SECKEY_DestroyPrivateKey(privkey);
+ privkey = NULL;
+ 
+-- 
+2.33.0
+
diff --git a/Feature-pesign-support-SM3-digest-algorithm.patch b/Feature-pesign-support-SM3-digest-algorithm.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4579218c9fcfbec358e8f0351236defce77558f8
--- /dev/null
+++ b/Feature-pesign-support-SM3-digest-algorithm.patch
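Review bot: `DSAU_EncodeDerSigWithLen(sig, &sig_raw, 64)` in sm2_sign hard-codes the raw r||s length and nothing says why the output of SEC_SignData needs a second encoding step here, so the function silently depends on this NSS build handing back the bare 64-byte SM2 signature rather than the DER form NSS produces for other EC keys (as far as I recall SGN_End already DER-encodes DSA/EC signatures); a comment above the call, `/* NSS returns raw r||s (2 * 32 bytes for the 256-bit SM2 curve); wrap it in the DER SEQUENCE CMS expects */`, plus an explicit `if (sig_raw.len != 64)` that logs the actual length, would make a mismatch fail with a precise message instead of the generic "fail to encode sm2 sig". The function also has no header comment; it should state that SM2 signs SM3(Z || M) where Z is the identity digest SEC_CreateSM2Digest derives from the public key, which is why the content is copied behind the first SM3_LENGTH bytes instead of being passed to SEC_SignData directly. Two small cleanups in the same function: `if (buf) free(buf);` can be `free(buf);`, and the `if (!pubkey) return -1;` path can `goto out` like every other error path, since SECKEY_DestroyPublicKey accepts NULL. In sign_blob the `#else` branch repeats the SEC_SignData call verbatim; keeping the non-SM2 call once, outside the conditional block, would stop the two copies drifting apart.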
@@ -0,0 +1,46 @@
+From 2e14b6a91835095720db3ce62949c725e1e44cf1 Mon Sep 17 00:00:00 2001
+From: jinlun
+Date: Mon, 11 Sep 2023 19:24:37 +0800
+Subject: [PATCH] pesign support SM3 digest algorithm.
+
+---
+ src/cms_common.c | 9 +++++++++
+ src/cms_common.h | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 228d0ab..7b5abc5 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -56,6 +56,15 @@ const struct digest_param digest_params[] = {
+ .size = 20
+ },
+ #endif
++#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)
++ {.name = "sm3",
++ .digest_tag = SEC_OID_SM3,
++ .signature_tag = SEC_OID_SM2_WITH_SM3,
++ .digest_encryption_tag = SEC_OID_SM2_WITH_SM3,
++ .efi_guid = NULL,
++ .size = 32
++ },
++#endif
+ };
+ const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ 
+diff --git a/src/cms_common.h b/src/cms_common.h
+index 35a128a..73c596f 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -76,7 +76,7 @@ struct digest_param {
+ int size;
+ };
+ 
+-extern const struct digest_param digest_params[2];
++extern const struct digest_param digest_params[3];
+ extern const unsigned int n_digest_params;
+ 
+ typedef struct pk12_file {
+-- 
+2.27.0
+
diff --git a/pesign.spec b/pesign.spec
index 2fea4948e85308d858c2b3d3223afad0565277d2..1bf462e590553c47bee0d2cee5b9851f5c18f798 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -2,7 +2,7 @@ Name: pesign
 Summary: Signing utility for UEFI binaries
 Version: 116
-Release: 1
+Release: 2
 License: GPLv2
 URL: https://github.com/rhboot/pesign
 Source0: https://github.com/rhboot/pesign/archive/refs/tags/116.tar.gz
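Review bot: `extern const struct digest_param digest_params[3];` in cms_common.h is only correct when the new `#if defined(CKM_SM2_WITH_SM3) || defined(CKM_NSS_SM2_WITH_SM3)` entry in cms_common.c actually compiles in; against an NSS that does not define either macro the initializer has two entries, the definition completes the type as `[2]`, and the compiler rejects it as conflicting with the `[3]` declaration, so the package then only builds with the SM2-enabled NSS. Since `n_digest_params` already carries the count at runtime, the bound should simply be dropped, `extern const struct digest_param digest_params[];`, which also removes the need to touch the header for every conditional entry. The sm3 entry sets `.efi_guid = NULL`; the other entries are outside the hunk, but if they point at a GUID and any caller dereferences `efi_guid` for the selected digest, selecting sm3 needs a NULL check at that caller, which is worth confirming before this is merged. A one-line comment on the entry, `/* no EFI_CERT_* GUID is defined for SM3; callers must tolerate NULL */` (or naming the GUID if one exists), would record whichever is the case.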
@@ -18,6 +18,9 @@ BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
 Patch0001: Bugfix-cms_common-fix-cert-match-check.patch
 Patch0002: 0001-cms_common-Fixed-Segmentation-fault.patch
+
+Patch9000: Feature-pesign-support-SM3-digest-algorithm.patch
+Patch9001: Feature-pesign-support-SM2-signature-algorithm.patch
 Patch9002: Fix-build-error-of-gcc-version-too-low.patch
 %description
@@ -92,6 +95,9 @@ exit 0
 %{_mandir}/man*/*
 %changelog
+* Mon Sep 11 2023 jinlun - 116-2
+- fix the algorithm flag for sm2,sm3
+
+* Thu May 04 2023 chenchen - 116-1
+- Update to 116