On Mon, Sep 14, 2020 at 9:34 AM Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx> wrote: > > Hi Gilad, > > On 9/13/20 3:12 PM, Gilad Ben-Yossef wrote: > > Hi, > > > > > > On Thu, Sep 3, 2020 at 4:13 PM Tianjia Zhang > > <tianjia.zhang@xxxxxxxxxxxxxxxxx> wrote: > >> > >> The digital certificate format based on SM2 crypto algorithm as > >> specified in GM/T 0015-2012. It was published by State Encryption > >> Management Bureau, China. > >> > >> The method of generating Other User Information is defined as > >> ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA), it also > >> specified in https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02. > >> > >> The x509 certificate supports sm2-with-sm3 type certificate > >> verification. Because certificate verification requires ZA > >> in addition to tbs data, ZA also depends on elliptic curve > >> parameters and public key data, so you need to access tbs in sig > >> and calculate ZA. Finally calculate the digest of the > >> signature and complete the verification work. The calculation > >> process of ZA is declared in specifications GM/T 0009-2012 > >> and GM/T 0003.2-2012. > >> > >> Signed-off-by: Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx> > >> Tested-by: Xufeng Zhang <yunbo.xufeng@xxxxxxxxxxxxxxxxx> > >> --- > >> crypto/asymmetric_keys/Makefile | 1 + > >> crypto/asymmetric_keys/public_key.c | 6 +++ > >> crypto/asymmetric_keys/public_key_sm2.c | 61 ++++++++++++++++++++++++ > >> crypto/asymmetric_keys/x509_public_key.c | 3 ++ > >> include/crypto/public_key.h | 15 ++++++ > >> 5 files changed, 86 insertions(+) > >> create mode 100644 crypto/asymmetric_keys/public_key_sm2.c > >> > >> diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile > >> index 28b91adba2ae..1a99ea5acb6b 100644 > >> --- a/crypto/asymmetric_keys/Makefile > >> +++ b/crypto/asymmetric_keys/Makefile > >> @@ -11,6 +11,7 @@ asymmetric_keys-y := \ > >> signature.o > >> > >> obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o > >> +obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_sm2.o > >> obj-$(CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE) += asym_tpm.o > >> > >> # > >> diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c > >> index d8410ffd7f12..1d0492098bbd 100644 > >> --- a/crypto/asymmetric_keys/public_key.c > >> +++ b/crypto/asymmetric_keys/public_key.c > >> @@ -299,6 +299,12 @@ int public_key_verify_signature(const struct public_key *pkey, > >> if (ret) > >> goto error_free_key; > >> > >> + if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) { > >> + ret = cert_sig_digest_update(sig, tfm); > >> + if (ret) > >> + goto error_free_key; > >> + } > >> + > >> sg_init_table(src_sg, 2); > >> sg_set_buf(&src_sg[0], sig->s, sig->s_size); > >> sg_set_buf(&src_sg[1], sig->digest, sig->digest_size); > >> diff --git a/crypto/asymmetric_keys/public_key_sm2.c b/crypto/asymmetric_keys/public_key_sm2.c > >> new file mode 100644 > >> index 000000000000..7325cf21dbb4 > >> --- /dev/null > >> +++ b/crypto/asymmetric_keys/public_key_sm2.c > >> @@ -0,0 +1,61 @@ > >> +/* SPDX-License-Identifier: GPL-2.0-or-later */ > >> +/* > >> + * asymmetric public-key algorithm for SM2-with-SM3 certificate > >> + * as specified by OSCCA GM/T 0003.1-2012 -- 0003.5-2012 SM2 and > >> + * described at https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02 > >> + * > >> + * Copyright (c) 2020, Alibaba Group. > >> + * Authors: Tianjia Zhang <tianjia.zhang@xxxxxxxxxxxxxxxxx> > >> + */ > >> + > >> +#include <crypto/sm3_base.h> > >> +#include <crypto/sm2.h> > >> +#include <crypto/public_key.h> > >> + > >> +#if IS_REACHABLE(CONFIG_CRYPTO_SM2) > >> + > >> +int cert_sig_digest_update(const struct public_key_signature *sig, > >> + struct crypto_akcipher *tfm_pkey) > >> +{ > >> + struct crypto_shash *tfm; > >> + struct shash_desc *desc; > >> + size_t desc_size; > >> + unsigned char dgst[SM3_DIGEST_SIZE]; > >> + int ret; > >> + > >> + BUG_ON(!sig->data); > >> + > >> + ret = sm2_compute_z_digest(tfm_pkey, SM2_DEFAULT_USERID, > >> + SM2_DEFAULT_USERID_LEN, dgst); > >> + if (ret) > >> + return ret; > >> + > >> + tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); > >> + if (IS_ERR(tfm)) > >> + return PTR_ERR(tfm); > >> + > >> + desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); > >> + desc = kzalloc(desc_size, GFP_KERNEL); > >> + if (!desc) > >> + goto error_free_tfm; > >> + > >> + desc->tfm = tfm; > >> + > >> + ret = crypto_shash_init(desc); > >> + if (ret < 0) > >> + goto error_free_desc; > >> + > >> + ret = crypto_shash_update(desc, dgst, SM3_DIGEST_SIZE); > >> + if (ret < 0) > >> + goto error_free_desc; > >> + > >> + ret = crypto_shash_finup(desc, sig->data, sig->data_size, sig->digest); > > > > It looks like you are doing a separate init, update, finup every time > > - I would consider using crypto_shash_digest() in one go. > > > > In fact, considering the fact that you are allocating a tfm just for > > this use and then releasing it, I would consider switching to > > crypto_shash_tfm_digest() and dropping the kzalloc all together. > > > > This should simplify the code a bit. > > > > Other than that I don't have anything smart to say :-) > > > > Gilad > > > > The hash calculation here includes two parts of data, 'dgst' and > 'sig->data'. The last call is 'finup()' not 'final()'. I understand that > it should not be possible to use 'crypto_shash_tfm_digest()' This kind > of function is simplified. > > If a new scope is added, the assignment of desc can be optimized, as > follows: > ``` > do { > SHASH_DESC_ON_STACK(desc, tfm); > desc->tfm = tfm; > > /* ... */ > } while (0); > ``` > However, the kernel code may not accept this style. What is your opinion? No, you are right. I've indeed missed that it's a finup() and not a final(). If the size of data was big enough it might have been worth going to the async. hash interface and creating a scatter list for this but I suspect it is not justified with the data sizes we are dealing with there. So: Reviewed-by: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx> Thanks, Gilad -- Gilad Ben-Yossef Chief Coffee Drinker values of β will give rise to dom!
