crypto: asymmetric_keys - allow FIPS 202 SHA-3 signatures

Add FIPS 202 SHA-3 hash signature support in x509 certificates, pkcs7
signatures, and authenticode signatures. Supports hashes of size 256
and up, as 224 is too weak for any practical purposes.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/asymmetric_keys/mscode_parser.c b/crypto/asymmetric_keys/mscode_parser.c
index 855cbc46a9c3689866846ba16f13b57bc16ad4fc..05402ef8964ed41332f121919660376dc7e43e6a 100644 (file)
--- a/crypto/asymmetric_keys/mscode_parser.c
+++ b/crypto/asymmetric_keys/mscode_parser.c
@@ -84,6 +84,15 @@ int mscode_note_digest_algo(void *context, size_t hdrlen,
        case OID_sha512:
                ctx->digest_algo = "sha512";
                break;
+       case OID_sha3_256:
+               ctx->digest_algo = "sha3-256";
+               break;
+       case OID_sha3_384:
+               ctx->digest_algo = "sha3-384";
+               break;
+       case OID_sha3_512:
+               ctx->digest_algo = "sha3-512";
+               break;
 
        case OID__NR:
                sprint_oid(value, vlen, buffer, sizeof(buffer));

diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index ab647cb4d76689c078f3e663b5b0542c8b2d99f4..5b08c50722d0f512f9605b5d3375b90cff119778 100644 (file)
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -248,6 +248,15 @@ int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
        case OID_gost2012Digest512:
                ctx->sinfo->sig->hash_algo = "streebog512";
                break;
+       case OID_sha3_256:
+               ctx->sinfo->sig->hash_algo = "sha3-256";
+               break;
+       case OID_sha3_384:
+               ctx->sinfo->sig->hash_algo = "sha3-384";
+               break;
+       case OID_sha3_512:
+               ctx->sinfo->sig->hash_algo = "sha3-512";
+               break;
        default:
                printk("Unsupported digest algo: %u\n", ctx->last_oid);
                return -ENOPKG;
@@ -273,6 +282,9 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
        case OID_id_ecdsa_with_sha256:
        case OID_id_ecdsa_with_sha384:
        case OID_id_ecdsa_with_sha512:
+       case OID_id_ecdsa_with_sha3_256:
+       case OID_id_ecdsa_with_sha3_384:
+       case OID_id_ecdsa_with_sha3_512:
                ctx->sinfo->sig->pkey_algo = "ecdsa";
                ctx->sinfo->sig->encoding = "x962";
                break;

diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 5bf0452c17af214a25c9b3b7429b34997b9cedf9..8eeab38a3d8ae2d76cd2c7077a743ed5beaaec2f 100644 (file)
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -119,7 +119,10 @@ software_key_determine_akcipher(const struct public_key *pkey,
                if (strcmp(hash_algo, "sha224") != 0 &&
                    strcmp(hash_algo, "sha256") != 0 &&
                    strcmp(hash_algo, "sha384") != 0 &&
-                   strcmp(hash_algo, "sha512") != 0)
+                   strcmp(hash_algo, "sha512") != 0 &&
+                   strcmp(hash_algo, "sha3-256") != 0 &&
+                   strcmp(hash_algo, "sha3-384") != 0 &&
+                   strcmp(hash_algo, "sha3-512") != 0)
                        return -EINVAL;
        } else if (strcmp(pkey->pkey_algo, "sm2") == 0) {
                if (strcmp(encoding, "raw") != 0)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 68ef1ffbbef6b83236385a06c0fafcca24ea5750..487204d394266e74be91e1b47beb25eecfdc8f54 100644 (file)
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -214,6 +214,18 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
                ctx->cert->sig->hash_algo = "sha224";
                goto rsa_pkcs1;
 
+       case OID_id_rsassa_pkcs1_v1_5_with_sha3_256:
+               ctx->cert->sig->hash_algo = "sha3-256";
+               goto rsa_pkcs1;
+
+       case OID_id_rsassa_pkcs1_v1_5_with_sha3_384:
+               ctx->cert->sig->hash_algo = "sha3-384";
+               goto rsa_pkcs1;
+
+       case OID_id_rsassa_pkcs1_v1_5_with_sha3_512:
+               ctx->cert->sig->hash_algo = "sha3-512";
+               goto rsa_pkcs1;
+
        case OID_id_ecdsa_with_sha224:
                ctx->cert->sig->hash_algo = "sha224";
                goto ecdsa;
@@ -230,6 +242,18 @@ int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
                ctx->cert->sig->hash_algo = "sha512";
                goto ecdsa;
 
+       case OID_id_ecdsa_with_sha3_256:
+               ctx->cert->sig->hash_algo = "sha3-256";
+               goto ecdsa;
+
+       case OID_id_ecdsa_with_sha3_384:
+               ctx->cert->sig->hash_algo = "sha3-384";
+               goto ecdsa;
+
+       case OID_id_ecdsa_with_sha3_512:
+               ctx->cert->sig->hash_algo = "sha3-512";
+               goto ecdsa;
+
        case OID_gost2012Signature256:
                ctx->cert->sig->hash_algo = "streebog256";
                goto ecrdsa;