Disable GOST signing for now due to impossibility to make a correct signature untill libressl or openssl-gost-engine support GOST CMS

2025-02-25 11:52:46 +00:00 · 2020-03-15 20:26:01 +03:00 · 2020-03-15 20:26:01 +03:00 · 6b48b8dafb
commit 6b48b8dafb
parent c98134ffc6
1 changed files with 16 additions and 5 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -11,7 +11,7 @@
 %define sublevel	25

 # Release number. Increase this before a rebuild.
-%define rpmrel		3
+%define rpmrel		5
 %define fullrpmrel	%{rpmrel}

 %define rpmtag		%{disttag}
@ -53,6 +53,7 @@
 %endif
 # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
 %bcond_without uml
+%bcond_with gost_keys

 # Kernel flavour
 %if %{enhanced_security}
@ -988,9 +989,11 @@ EOF
 cat "%{certs_key_config_rnd}"

 libressl req -new -nodes -utf8 -batch \
+%if %{with gost_keys}
 	-newkey gost2001 \
 	-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
 	-streebog512 \
+%endif
 	-days 109500 \
 	-x509 -config "%{certs_key_config_rnd}" \
 	-outform PEM \
@ -998,12 +1001,14 @@ libressl req -new -nodes -utf8 -batch \
 	-keyout "%{certs_signing_key_priv_rnd}"

 # Verify
+%if %{with gost_keys}
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 	| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 	| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 	| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
+%endif

 # Strip public part from the generated PEM
 sed -n \
@ -1019,11 +1024,11 @@ sed -i %{src_dir}/scripts/Makefile \
 %endif
 	-e "s,-lcrypto,${libressl_cflags},g"

-%if %{with additional_keys}
-# Add additional public keys to the list of trusted keys for kernel modules
+%if %{with additional_keys} && !%{with gost_keys}
+# Add additional public RSA keys to the list of trusted keys for kernel modules
 # Build kernel --without additional_keys if you do not want to trust them
-##cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
-##	>> "%{certs_public_keys}"
+cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
+	>> "%{certs_public_keys}"
 %endif #endif additional_keys
 cat %{certs_public_keys}
 %endif #endif enhanced_security
@ -1205,12 +1210,18 @@ _libressl_sign(){
 	  return 0
 	fi
 	f="$1"
+%if %{with gost_keys}
+	# This is an incorrect signature, GOST support is needed in CMS (?!)
 	libressl dgst -streebog512 \
 		-sign "%{certs_signing_key_priv_rnd}" "$f" \
 		> "${f}.sig"
 	%{src_dir}/scripts/sign-file -s "${f}.sig" streebog512 \
 		"%{certs_signing_key_priv_rnd}" "$f"
 	rm "${f}.sig"
+%else
+	%{src_dir}/scripts/sign-file sha512 \
+		"%{certs_signing_key_priv_rnd}" "%{certs_signing_key_priv_rnd}" "$f"
+%endif
 	unset f
 }
 export -f _libressl_sign