diff --git a/Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch b/Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
new file mode 100644
index 0000000000000000000000000000000000000000..73de05090108b80e7b503d453d7ddf25981f664b
--- /dev/null
+++ b/Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
@@ -0,0 +1,79 @@
+From 95ae0cd988b4a556c1719f84af3fe3a116352fd7 Mon Sep 17 00:00:00 2001
+From: gaoyusong
+Date: Fri, 30 Sep 2022 12:10:15 +0800
+Subject: [PATCH] PKCS7 sign and verify support SM2 algorithm
+
+---
+ crypto/pkcs7/pk7_doit.c | 28 +++++++++++++++++++++-------
+ crypto/sm2/sm2_pmeth.c | 1 +
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index f63fbc5..2e86cce 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -946,6 +946,9 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+ STACK_OF(X509_ATTRIBUTE) *sk;
+ BIO *btmp;
+ EVP_PKEY *pkey;
++#ifndef OPENSSL_NO_SM2
++ EVP_PKEY_CTX *pctx = NULL;
++#endif
+
+ mdc_tmp = EVP_MD_CTX_new();
+ if (mdc_tmp == NULL) {
+@@ -1013,7 +1016,19 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+ goto err;
+ }
+
+- if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
++ pkey = X509_get0_pubkey(x509);
++ if (!pkey) {
++ ret = -1;
++ goto err;
++ }
++
++ ret =
++#ifndef OPENSSL_NO_SM2
++ EVP_PKEY_is_sm2(pkey) ?
++ EVP_DigestVerifyInit(mdc_tmp, &pctx, EVP_get_digestbynid(md_type), NULL, pkey) :
++#endif
++ EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL);
++ if (!ret)
+ goto err;
+
+ alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
+@@ -1030,13 +1045,12 @@ int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
+ }
+
+ os = si->enc_digest;
+- pkey = X509_get0_pubkey(x509);
+- if (!pkey) {
+- ret = -1;
+- goto err;
+- }
+
+- i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
++ i =
++#ifndef OPENSSL_NO_SM2
++ EVP_PKEY_is_sm2(pkey) ?
EVP_DigestVerifyFinal(mdc_tmp, os->data, os->length) :
++#endif
++ EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
+ if (i <= 0) {
+ PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
+ ret = -1;
+diff --git a/crypto/sm2/sm2_pmeth.c b/crypto/sm2/sm2_pmeth.c
+index 1998812..53cdbe9 100644
+--- a/crypto/sm2/sm2_pmeth.c
++++ b/crypto/sm2/sm2_pmeth.c
+@@ -221,6 +221,7 @@ static int pkey_sm2_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+ return 1;
+
+ case EVP_PKEY_CTRL_DIGESTINIT:
++ case EVP_PKEY_CTRL_PKCS7_SIGN:
+ /* nothing to be inited, this is to suppress the error... */
+ return 1;
+
+--
+2.33.0
+
diff --git a/openssl.spec b/openssl.spec
index 55742c5484f1d93c2977fa553248bb0cbf8572d9..81c72ee3ad928890246805178d1b4da1bbd03a44 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1m
-Release: 9
+Release: 11
 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/
@@ -35,7 +35,7 @@ Patch22: Backport-Fix-a-double-free-issue-when-signing-SM2-cert.patch Patch23: Backport-Fix-a-document-description-in-apps-req.patch Patch26: Feature-Support-TLCP-protocol.patch Patch27: Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
-
+Patch28: Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -238,6 +238,9 @@ make test || : %ldconfig_scriptlets libs %changelog
+* Fri Oct 21 2022 luhuaxin - 1:1.1.1m-11
+- add support for SM2 PKCS7
+
 * Mon Oct 17 2022 luhuaxin - 1:1.1.1m-10 - add sm2 cert and TLCP feature from master
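Review bot: In the PKCS7_signatureVerify hunks of the new patch file, the `pkey = X509_get0_pubkey(x509)` lookup and its NULL check move up next to the verify-init call, while the declaration `EVP_PKEY *pkey;` shown in the first hunk stays uninitialised. The enclosing block is outside the hunks, but in upstream 1.1.1 that init call sits inside the `if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))` branch; if that holds here, a SignerInfo without authenticated attributes reaches `EVP_PKEY_is_sm2(pkey)` and `EVP_VerifyFinal(..., pkey)` with an indeterminate pointer, on input the verifying side does not control. The lookup and its check should be placed before that branch so both paths see a valid key, with the declaration changed to `EVP_PKEY *pkey = NULL;`. On that same path an SM2 key would also reach `EVP_DigestVerifyFinal` on a context that never went through `EVP_DigestVerifyInit`, so it probably needs an explicit fail-closed branch (`ret = -1; goto err;`) rather than the ternary.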