Enable RSA-SM3 in the default provider

It turns out that we didn't allow the combination RSA + SM3 anywhere.

This is perfectly reasonable in the FIPS module, but less so in the default
provider.  This change enables it in the default provider, and adds a simple
evp_test stanza for the RSA-SM3 signature scheme.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)
Richard Levitte 2024-08-19 08:38:56 +02:00
parent 8736de5e77
commit 523187df47
4 changed files with 26 additions and 0 deletions


@ -34,6 +34,9 @@
# ifndef OPENSSL_NO_RMD160
# include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */
# endif
# ifndef OPENSSL_NO_SM3
# include "internal/sm3.h" /* uses SM3_DIGEST_LENGTH */
# endif
#endif
#include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */
#include "crypto/rsa.h"
@ -123,6 +126,16 @@ static const unsigned char digestinfo_ripemd160_der[] = {
ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH
};
# endif
# ifndef OPENSSL_NO_SM3
/* SM3 (1 2 156 10197 1 401) */
static const unsigned char digestinfo_sm3_der[] = {
ASN1_SEQUENCE, 0x0f + SM3_DIGEST_LENGTH,
ASN1_SEQUENCE, 0x0c,
ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78,
ASN1_NULL, 0x00,
ASN1_OCTET_STRING, SM3_DIGEST_LENGTH
};
# endif
#endif /* FIPS_MODULE */
/* SHA-1 (1 3 14 3 2 26) */
@ -169,6 +182,9 @@ const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len)
# ifndef OPENSSL_NO_RMD160
MD_CASE(ripemd160)
# endif
# ifndef OPENSSL_NO_SM3
MD_CASE(sm3)
# endif
#endif /* FIPS_MODULE */
MD_CASE(sha1)
MD_CASE(sha224)
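Review bot: The new `digestinfo_sm3_der` prefix is not internally consistent, so RSA-SM3 signatures built from it may be rejected by verifiers that parse the DigestInfo strictly. The outer SEQUENCE length is `0x0f + SM3_DIGEST_LENGTH`, but its contents are a 2-byte inner header, 0x0c inner bytes and a 2-byte OCTET STRING header, which comes to 0x10 plus the digest. The final OID arc `0x83, 0x78` decodes to 504, while the comment names arc 401 (`0x83, 0x11`); 504 looks like the RSA-with-SM3 signature OID rather than the digest OID a DigestInfo should carry, though that should be confirmed against the object table. I would change these lines to `ASN1_SEQUENCE, 0x10 + SM3_DIGEST_LENGTH,` and `ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x11,`. The RSA-SM3 `Output` in the evp_test stanza would then need regenerating, ideally cross-checked with an independent implementation, because a vector produced from this same table cannot detect the mismatch.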


@ -33,6 +33,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
{ NID_md4, OSSL_DIGEST_NAME_MD4 },
{ NID_mdc2, OSSL_DIGEST_NAME_MDC2 },
{ NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
{ NID_sm3, OSSL_DIGEST_NAME_SM3 },
};
mdnid = ossl_digest_get_approved_nid(md);


@ -5200,6 +5200,10 @@ static int is_pkey_disabled(const char *name)
#ifdef OPENSSL_NO_RMD160
if (HAS_CASE_SUFFIX(name, "-RIPEMD160"))
return 1;
#endif
#ifdef OPENSSL_NO_SM3
if (HAS_CASE_SUFFIX(name, "-SM3"))
return 1;
#endif
return 0;
}


@ -182,3 +182,8 @@ Availablein = default
Sign-Message = RSA-RIPEMD160:RSA-2048
Input = "Hello World"
Output = 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
Availablein = default
Sign-Message = RSA-SM3:RSA-2048
Input = "Hello World"
Output = 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