Message ID | 20200903131242.128665-7-tianjia.zhang@linux.alibaba.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | Herbert Xu |
Headers | show |
Series | crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm | expand |
On Thu, Sep 03, 2020 at 09:12:40PM +0800, Tianjia Zhang wrote: > The digital certificate format based on SM2 crypto algorithm as > specified in GM/T 0015-2012. It was published by State Encryption > Management Bureau, China. > > This patch adds the OID object identifier defined by OSCCA. The > x509 certificate supports sm2-with-sm3 type certificate parsing. > It uses the standard elliptic curve public key, and the sm2 > algorithm signs the hash generated by sm3. > > Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> > Tested-by: Xufeng Zhang <yunbo.xufeng@linux.alibaba.com> > --- > crypto/asymmetric_keys/x509_cert_parser.c | 14 +++++++++++++- > include/linux/oid_registry.h | 6 ++++++ > 2 files changed, 19 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index 26ec20ef4899..6a8aee22bfd4 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -234,6 +234,10 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, > case OID_gost2012Signature512: > ctx->cert->sig->hash_algo = "streebog512"; > goto ecrdsa; > + > + case OID_sm2_with_sm3: > + ctx->cert->sig->hash_algo = "sm3"; > + goto sm2; > } > > rsa_pkcs1: > @@ -246,6 +250,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, > ctx->cert->sig->encoding = "raw"; > ctx->algo_oid = ctx->last_oid; > return 0; > +sm2: > + ctx->cert->sig->pkey_algo = "sm2"; > + ctx->cert->sig->encoding = "raw"; > + ctx->algo_oid = ctx->last_oid; > + return 0; > } > > /* > @@ -266,7 +275,8 @@ int x509_note_signature(void *context, size_t hdrlen, > } > > if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || > - strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0) { > + strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || > + strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) { > /* Discard the BIT STRING metadata */ > if (vlen < 1 || *(const u8 *)value != 0) > return -EBADMSG; > @@ -456,6 +466,8 @@ int x509_extract_key_data(void *context, size_t hdrlen, > else if (ctx->last_oid == OID_gost2012PKey256 || > ctx->last_oid == OID_gost2012PKey512) > ctx->cert->pub->pkey_algo = "ecrdsa"; > + else if (ctx->last_oid == OID_id_ecPublicKey) > + ctx->cert->pub->pkey_algo = "sm2"; > else > return -ENOPKG; > > diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h > index 657d6bf2c064..48fe3133ff39 100644 > --- a/include/linux/oid_registry.h > +++ b/include/linux/oid_registry.h > @@ -107,6 +107,12 @@ enum OID { > OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */ > OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */ > > + /* OSCCA */ > + OID_sm2, /* 1.2.156.10197.1.301 */ > + OID_sm3, /* 1.2.156.10197.1.401 */ > + OID_sm2_with_sm3, /* 1.2.156.10197.1.501 */ > + OID_sm3WithRSAEncryption, /* 1.2.156.10197.1.504 */ OID_sm3WithRSAEncryption identifier is unused and this mode looks not implemented. But, this is probably ok for possible future extension. Reviewed-by: Vitaly Chikunov <vt@altlinux.org> Thanks, > + > OID__NR > }; >
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 26ec20ef4899..6a8aee22bfd4 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -234,6 +234,10 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, case OID_gost2012Signature512: ctx->cert->sig->hash_algo = "streebog512"; goto ecrdsa; + + case OID_sm2_with_sm3: + ctx->cert->sig->hash_algo = "sm3"; + goto sm2; } rsa_pkcs1: @@ -246,6 +250,11 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, ctx->cert->sig->encoding = "raw"; ctx->algo_oid = ctx->last_oid; return 0; +sm2: + ctx->cert->sig->pkey_algo = "sm2"; + ctx->cert->sig->encoding = "raw"; + ctx->algo_oid = ctx->last_oid; + return 0; } /* @@ -266,7 +275,8 @@ int x509_note_signature(void *context, size_t hdrlen, } if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || - strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0) { + strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || + strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0) { /* Discard the BIT STRING metadata */ if (vlen < 1 || *(const u8 *)value != 0) return -EBADMSG; @@ -456,6 +466,8 @@ int x509_extract_key_data(void *context, size_t hdrlen, else if (ctx->last_oid == OID_gost2012PKey256 || ctx->last_oid == OID_gost2012PKey512) ctx->cert->pub->pkey_algo = "ecrdsa"; + else if (ctx->last_oid == OID_id_ecPublicKey) + ctx->cert->pub->pkey_algo = "sm2"; else return -ENOPKG; diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index 657d6bf2c064..48fe3133ff39 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -107,6 +107,12 @@ enum OID { OID_gostTC26Sign512B, /* 1.2.643.7.1.2.1.2.2 */ OID_gostTC26Sign512C, /* 1.2.643.7.1.2.1.2.3 */ + /* OSCCA */ + OID_sm2, /* 1.2.156.10197.1.301 */ + OID_sm3, /* 1.2.156.10197.1.401 */ + OID_sm2_with_sm3, /* 1.2.156.10197.1.501 */ + OID_sm3WithRSAEncryption, /* 1.2.156.10197.1.504 */ + OID__NR };