Add support for parsing FIPS 202 SHA-3 signature hashes. Separately,
it is not clear why explicit hashes are re-encoded here, instead of
trying to generically show any digest openssl supports.
Signed-off-by: Dimitri John Ledkov <[email protected]>
---
libkmod/libkmod-signature.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
index b749a818f9..a39059cd7c 100644
--- a/libkmod/libkmod-signature.c
+++ b/libkmod/libkmod-signature.c
@@ -57,6 +57,9 @@ enum pkey_hash_algo {
PKEY_HASH_SHA512,
PKEY_HASH_SHA224,
PKEY_HASH_SM3,
+ PKEY_HASH_SHA3_256,
+ PKEY_HASH_SHA3_384,
+ PKEY_HASH_SHA3_512,
PKEY_HASH__LAST
};
@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
[PKEY_HASH_SHA512] = "sha512",
[PKEY_HASH_SHA224] = "sha224",
[PKEY_HASH_SM3] = "sm3",
+ [PKEY_HASH_SHA3_256] = "sha3-256",
+ [PKEY_HASH_SHA3_384] = "sha3-384",
+ [PKEY_HASH_SHA3_512] = "sha3-512",
};
enum pkey_id_type {
@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o)
case NID_sm3:
return PKEY_HASH_SM3;
# endif
+ case NID_sha3_256:
+ return PKEY_HASH_SHA3_256;
+ case NID_sha3_384:
+ return PKEY_HASH_SHA3_384;
+ case NID_sha3_512:
+ return PKEY_HASH_SHA3_512;
default:
return -1;
}
--
2.34.1
On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote:
>Add support for parsing FIPS 202 SHA-3 signature hashes. Separately,
>it is not clear why explicit hashes are re-encoded here, instead of
>trying to generically show any digest openssl supports.
>
>Signed-off-by: Dimitri John Ledkov <[email protected]>
>---
> libkmod/libkmod-signature.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
>index b749a818f9..a39059cd7c 100644
>--- a/libkmod/libkmod-signature.c
>+++ b/libkmod/libkmod-signature.c
>@@ -57,6 +57,9 @@ enum pkey_hash_algo {
> PKEY_HASH_SHA512,
> PKEY_HASH_SHA224,
> PKEY_HASH_SM3,
>+ PKEY_HASH_SHA3_256,
>+ PKEY_HASH_SHA3_384,
>+ PKEY_HASH_SHA3_512,
> PKEY_HASH__LAST
> };
>
>@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> [PKEY_HASH_SHA512] = "sha512",
> [PKEY_HASH_SHA224] = "sha224",
> [PKEY_HASH_SM3] = "sm3",
>+ [PKEY_HASH_SHA3_256] = "sha3-256",
>+ [PKEY_HASH_SHA3_384] = "sha3-384",
>+ [PKEY_HASH_SHA3_512] = "sha3-512",
> };
>
> enum pkey_id_type {
>@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o)
> case NID_sm3:
> return PKEY_HASH_SM3;
> # endif
>+ case NID_sha3_256:
>+ return PKEY_HASH_SHA3_256;
>+ case NID_sha3_384:
>+ return PKEY_HASH_SHA3_384;
>+ case NID_sha3_512:
>+ return PKEY_HASH_SHA3_512;
with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this
hunk is not needed anymore. Do you want to send a new version of this
patch?
thanks
Lucas De Marchi
> default:
> return -1;
> }
>--
>2.34.1
>
>
On Wed, 6 Dec 2023 at 15:26, Lucas De Marchi <[email protected]> wrote:
>
> On Sun, Oct 22, 2023 at 07:09:28PM +0100, Dimitri John Ledkov wrote:
> >Add support for parsing FIPS 202 SHA-3 signature hashes. Separately,
> >it is not clear why explicit hashes are re-encoded here, instead of
> >trying to generically show any digest openssl supports.
> >
> >Signed-off-by: Dimitri John Ledkov <[email protected]>
NACK
> >---
> > libkmod/libkmod-signature.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> >diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c
> >index b749a818f9..a39059cd7c 100644
> >--- a/libkmod/libkmod-signature.c
> >+++ b/libkmod/libkmod-signature.c
> >@@ -57,6 +57,9 @@ enum pkey_hash_algo {
> > PKEY_HASH_SHA512,
> > PKEY_HASH_SHA224,
> > PKEY_HASH_SM3,
> >+ PKEY_HASH_SHA3_256,
> >+ PKEY_HASH_SHA3_384,
> >+ PKEY_HASH_SHA3_512,
> > PKEY_HASH__LAST
> > };
> >
> >@@ -70,6 +73,9 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> > [PKEY_HASH_SHA512] = "sha512",
> > [PKEY_HASH_SHA224] = "sha224",
> > [PKEY_HASH_SM3] = "sm3",
> >+ [PKEY_HASH_SHA3_256] = "sha3-256",
> >+ [PKEY_HASH_SHA3_384] = "sha3-384",
> >+ [PKEY_HASH_SHA3_512] = "sha3-512",
> > };
> >
> > enum pkey_id_type {
> >@@ -167,6 +173,12 @@ static int obj_to_hash_algo(const ASN1_OBJECT *o)
> > case NID_sm3:
> > return PKEY_HASH_SM3;
> > # endif
> >+ case NID_sha3_256:
> >+ return PKEY_HASH_SHA3_256;
> >+ case NID_sha3_384:
> >+ return PKEY_HASH_SHA3_384;
> >+ case NID_sha3_512:
> >+ return PKEY_HASH_SHA3_512;
>
>
> with your other patch, libkmod: remove pkcs7 obj_to_hash_algo(), this
> hunk is not needed anymore. Do you want to send a new version of this
> patch?
This patch is no longer required, given that
https://lore.kernel.org/all/[email protected]/
is applied. Upgrade kmod to the one that has at least that patch
applied, and then pkcs7 signatures are parsed correctly with
everything that a runtime OpenSSL supports. Thus if you want to see
SHA3 signatures, ensure your runtime libssl has SHA3 support.
>
> thanks
> Lucas De Marchi
>
> > default:
> > return -1;
> > }
> >--
> >2.34.1
> >
> >
--
Dimitri
Sent from Ubuntu Pro
https://ubuntu.com/pro