linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
To: herbert@gondor.apana.org.au, David Howells <dhowells@redhat.com>,
	"David S. Miller" <davem@davemloft.net>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	keyrings@vger.kernel.org
Subject: [PATCH 4/6] crypto: x509 pkcs7 - allow FIPS 202 SHA-3 signatures
Date: Sun, 22 Oct 2023 19:22:06 +0100	[thread overview]
Message-ID: <20231022182208.188714-5-dimitri.ledkov@canonical.com> (raw)
In-Reply-To: <20231022182208.188714-1-dimitri.ledkov@canonical.com>

Add FIPS 202 SHA-3 hash signature support in x509 certificates, pkcs7
signatures, and authenticode signatures. Supports hashes of size 256
and up, as 224 is too weak for any practical purposes.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 crypto/asymmetric_keys/mscode_parser.c    |  9 +++++++++
 crypto/asymmetric_keys/pkcs7_parser.c     | 12 ++++++++++++
 crypto/asymmetric_keys/public_key.c       |  5 ++++-
 crypto/asymmetric_keys/x509_cert_parser.c | 24 +++++++++++++++++++++++
 4 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
index 855cbc46a9..05402ef896 100644
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -84,6 +84,15 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
 	case OID_sha512:
 		ctx->digest_algo = "sha512";
 		break;
+	case OID_sha3_256:
+		ctx->digest_algo = "sha3-256";
+		break;
+	case OID_sha3_384:
+		ctx->digest_algo = "sha3-384";
+		break;
+	case OID_sha3_512:
+		ctx->digest_algo = "sha3-512";
+		break;
 
 	case OID__NR:
 		sprint_oid(value, vlen, buffer, sizeof(buffer));
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index ab647cb4d7..5b08c50722 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -248,6 +248,15 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
 	case OID_gost2012Digest512:
 		ctx->sinfo->sig->hash_algo = "streebog512";
 		break;
+	case OID_sha3_256:
+		ctx->sinfo->sig->hash_algo = "sha3-256";
+		break;
+	case OID_sha3_384:
+		ctx->sinfo->sig->hash_algo = "sha3-384";
+		break;
+	case OID_sha3_512:
+		ctx->sinfo->sig->hash_algo = "sha3-512";
+		break;
 	default:
 		printk("Unsupported digest algo: %u\n", ctx->last_oid);
 		return -ENOPKG;
@@ -273,6 +282,9 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
 	case OID_id_ecdsa_with_sha256:
 	case OID_id_ecdsa_with_sha384:
 	case OID_id_ecdsa_with_sha512:
+	case OID_id_ecdsa_with_sha3_256:
+	case OID_id_ecdsa_with_sha3_384:
+	case OID_id_ecdsa_with_sha3_512:
 		ctx->sinfo->sig->pkey_algo = "ecdsa";
 		ctx->sinfo->sig->encoding = "x962";
 		break;
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 5bf0452c17..8eeab38a3d 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -119,7 +119,10 @@ software_key_determine_akcipher(const struct public_key *pkey,
 		if (strcmp(hash_algo, "sha224") != 0 &&
 		    strcmp(hash_algo, "sha256") != 0 &&
 		    strcmp(hash_algo, "sha384") != 0 &&
-		    strcmp(hash_algo, "sha512") != 0)
+		    strcmp(hash_algo, "sha512") != 0 &&
+		    strcmp(hash_algo, "sha3-256") != 0 &&
+		    strcmp(hash_algo, "sha3-384") != 0 &&
+		    strcmp(hash_algo, "sha3-512") != 0)
 			return -EINVAL;
 	} else if (strcmp(pkey->pkey_algo, "sm2") == 0) {
 		if (strcmp(encoding, "raw") != 0)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 68ef1ffbbe..487204d394 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -214,6 +214,18 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
 		ctx->cert->sig->hash_algo = "sha224";
 		goto rsa_pkcs1;
 
+	case OID_id_rsassa_pkcs1_v1_5_with_sha3_256:
+		ctx->cert->sig->hash_algo = "sha3-256";
+		goto rsa_pkcs1;
+
+	case OID_id_rsassa_pkcs1_v1_5_with_sha3_384:
+		ctx->cert->sig->hash_algo = "sha3-384";
+		goto rsa_pkcs1;
+
+	case OID_id_rsassa_pkcs1_v1_5_with_sha3_512:
+		ctx->cert->sig->hash_algo = "sha3-512";
+		goto rsa_pkcs1;
+
 	case OID_id_ecdsa_with_sha224:
 		ctx->cert->sig->hash_algo = "sha224";
 		goto ecdsa;
@@ -230,6 +242,18 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
 		ctx->cert->sig->hash_algo = "sha512";
 		goto ecdsa;
 
+	case OID_id_ecdsa_with_sha3_256:
+		ctx->cert->sig->hash_algo = "sha3-256";
+		goto ecdsa;
+
+	case OID_id_ecdsa_with_sha3_384:
+		ctx->cert->sig->hash_algo = "sha3-384";
+		goto ecdsa;
+
+	case OID_id_ecdsa_with_sha3_512:
+		ctx->cert->sig->hash_algo = "sha3-512";
+		goto ecdsa;
+
 	case OID_gost2012Signature256:
 		ctx->cert->sig->hash_algo = "streebog256";
 		goto ecrdsa;
-- 
2.34.1


  parent reply	other threads:[~2023-10-22 18:23 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-22 18:22 [PATCH 0/6] crypto: pkcs7 x509 add FIPS 202 SHA-3 support Dimitri John Ledkov
2023-10-22 18:22 ` [PATCH 1/6] x509: Add OIDs for FIPS 202 SHA-3 hash and signatures Dimitri John Ledkov
2023-10-22 18:22 ` [PATCH 2/6] crypto: FIPS 202 SHA-3 register in hash info for IMA Dimitri John Ledkov
2023-10-22 18:22 ` [PATCH 3/6] crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support Dimitri John Ledkov
2023-10-22 18:22 ` Dimitri John Ledkov [this message]
2023-10-22 18:22 ` [PATCH 5/6] crypto: enable automatic module signing with FIPS 202 SHA-3 Dimitri John Ledkov
2023-10-22 18:22 ` [PATCH 6/6] Documentation/module-signing.txt: bring up to date Dimitri John Ledkov
2023-10-27 10:57 ` [PATCH 0/6] crypto: pkcs7 x509 add FIPS 202 SHA-3 support Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231022182208.188714-5-dimitri.ledkov@canonical.com \
    --to=dimitri.ledkov@canonical.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).