Re: [PATCH] Move SM2 digest calculation to signature verification

On Tue, May 14, 2024 at 07:07:18AM +0800, Huaxin Lu wrote:
> In the commit e5221fa6a355 ("KEYS: asymmetric: Move sm2 code into
> x509_public_key"), the SM2 digest hashing was moved to the process of
> certificate loading. It causes SM2 certificate chain validation
> failure. For example, when importing an SM2 IMA certificate (x509_ima.der)
> verified by the trusted keyring, the import fails due to the wrong Z value
> calculation, because the Z value should be calculated from the public key
> of the signing certificate, not from the public key of the certificate
> itself (reference: datatracker.ietf.org/doc/html/draft-shen-sm2-ecdsa-02).
> 
> This commit partially reverts the previous commit. It restores SM2 digest value
> calculation in the signature verification process, and uses the right
> information to calculate the Z value and SM2 digest.
> 
> Fixes: e5221fa6a355 ("KEYS: asymmetric: Move sm2 code into x509_public_key")
> Signed-off-by: Huaxin Lu <luhuaxin1@xxxxxxxxxx>
> ---
>  crypto/asymmetric_keys/public_key.c      | 57 ++++++++++++++++++++++++
>  crypto/asymmetric_keys/x509_public_key.c | 20 +++------
>  include/crypto/public_key.h              |  2 +
>  3 files changed, 64 insertions(+), 15 deletions(-)

Sorry about this.

> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index 6a4f00be2..54738af7d 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -32,6 +32,9 @@ int x509_get_sig_params(struct x509_certificate *cert)
>  
>  	pr_devel("==>%s()\n", __func__);
>  
> +	sig->data = cert->tbs;
> +	sig->data_size = cert->tbs_size;
> +
>  	sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL);
>  	if (!sig->s)
>  		return -ENOMEM;
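Review bot: `sig->data = cert->tbs` stores a bare pointer into the certificate's TBS buffer, while the signature blob two lines below is copied with kmemdup(); the public_key_signature now aliases x509_certificate memory, so it must not outlive the cert. Either add a comment at these lines stating that lifetime rule, or kmemdup() the TBS bytes the same way sig->s is handled so the struct stays self-contained and its existing free path does not have to special-case data.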
> @@ -64,21 +67,8 @@ int x509_get_sig_params(struct x509_certificate *cert)
>  
>  	desc->tfm = tfm;
>  
> -	if (strcmp(cert->pub->pkey_algo, "sm2") == 0) {
> -		ret = strcmp(sig->hash_algo, "sm3") != 0 ? -EINVAL :
> -		      crypto_shash_init(desc) ?:
> -		      sm2_compute_z_digest(desc, cert->pub->key,
> -					   cert->pub->keylen, sig->digest) ?:
> -		      crypto_shash_init(desc) ?:
> -		      crypto_shash_update(desc, sig->digest,
> -					  sig->digest_size) ?:
> -		      crypto_shash_finup(desc, cert->tbs, cert->tbs_size,
> -					 sig->digest);
> -	} else {
> -		ret = crypto_shash_digest(desc, cert->tbs, cert->tbs_size,
> -					  sig->digest);
> -	}
> -
> +	ret = crypto_shash_digest(desc, cert->tbs, cert->tbs_size,
> +				  sig->digest);
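Review bot: Removing this branch also removes the `strcmp(sig->hash_algo, "sm3") != 0 ? -EINVAL` check, so x509_get_sig_params() will now compute a digest with whatever hash the certificate names even for an "sm2" key; unless the public_key.c side of this patch (listed in the diffstat but not quoted here) re-enforces sm3 for sm2 before verification, a cert with a mismatched hash algorithm reaches the verifier with a digest the SM2 path cannot use. Note too that sig->digest for an sm2 cert is now plain SM3(tbs) rather than the SM2 digest, so any consumer that reads sig->digest before signature verification sees a different value than the old code produced.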

This (and the original code) breaks the blacklisting calculations
since those were dependent on the calculated hash.

There's also the issue of PKCS7 digests which probably should also
be modified for SM2.

I think we should probably just remove SM2 unless someone can
rearchitect this properly to support these digests.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt