Asymmetric digsig supports SM2-with-SM3 algorithm combination,
so that IMA can also verify SM2's signature data.
Signed-off-by: Tianjia Zhang <[email protected]>
Tested-by: Xufeng Zhang <[email protected]>
---
security/integrity/digsig_asymmetric.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index cfa4127d0518..b86a4a8f61ab 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -99,14 +99,22 @@ int asymmetric_verify(struct key *keyring, const char *sig,
memset(&pks, 0, sizeof(pks));
pks.hash_algo = hash_algo_name[hdr->hash_algo];
- if (hdr->hash_algo == HASH_ALGO_STREEBOG_256 ||
- hdr->hash_algo == HASH_ALGO_STREEBOG_512) {
+ switch (hdr->hash_algo) {
+ case HASH_ALGO_STREEBOG_256:
+ case HASH_ALGO_STREEBOG_512:
/* EC-RDSA and Streebog should go together. */
pks.pkey_algo = "ecrdsa";
pks.encoding = "raw";
- } else {
+ break;
+ case HASH_ALGO_SM3_256:
+ /* SM2 and SM3 should go together. */
+ pks.pkey_algo = "sm2";
+ pks.encoding = "raw";
+ break;
+ default:
pks.pkey_algo = "rsa";
pks.encoding = "pkcs1";
+ break;
}
pks.digest = (u8 *)data;
pks.digest_size = datalen;
--
2.19.1.3.ge56e4f7
On Thu, Sep 03, 2020 at 09:12:42PM +0800, Tianjia Zhang wrote:
> Asymmetric digsig supports SM2-with-SM3 algorithm combination,
> so that IMA can also verify SM2's signature data.
>
> Signed-off-by: Tianjia Zhang <[email protected]>
> Tested-by: Xufeng Zhang <[email protected]>
> Reviewed-by: Mimi Zohar <[email protected]> (coding, not crypto
It looks not breaking ecrdsa/streebog handling and accords to rfc draft:
https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
5.1.4.2. Hash Functions
The sm2 digital signature algorithm requires the hash functions
approved by Chinese Commercial Cryptography Administration Office,
such as sm3.
Reviewed-by: Vitaly Chikunov <[email protected]>
Thanks,
> ---
> security/integrity/digsig_asymmetric.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index cfa4127d0518..b86a4a8f61ab 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -99,14 +99,22 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> memset(&pks, 0, sizeof(pks));
>
> pks.hash_algo = hash_algo_name[hdr->hash_algo];
> - if (hdr->hash_algo == HASH_ALGO_STREEBOG_256 ||
> - hdr->hash_algo == HASH_ALGO_STREEBOG_512) {
> + switch (hdr->hash_algo) {
> + case HASH_ALGO_STREEBOG_256:
> + case HASH_ALGO_STREEBOG_512:
> /* EC-RDSA and Streebog should go together. */
> pks.pkey_algo = "ecrdsa";
> pks.encoding = "raw";
> - } else {
> + break;
> + case HASH_ALGO_SM3_256:
> + /* SM2 and SM3 should go together. */
> + pks.pkey_algo = "sm2";
> + pks.encoding = "raw";
> + break;
> + default:
> pks.pkey_algo = "rsa";
> pks.encoding = "pkcs1";
> + break;
> }
> pks.digest = (u8 *)data;
> pks.digest_size = datalen;