mirror of
https://abf.rosa.ru/djam/kernel-6.6.git
synced 2025-02-25 20:02:47 +00:00
Disable GOST signing for now due to impossibility to make a correct signature until libressl or openssl-gost-engine support GOST CMS
parent
c98134ffc6
commit
6b48b8dafb
1 changed files with 16 additions and 5 deletions
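--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel 25
 
 # Release number. Increase this before a rebuild.
-%define rpmrel 3
+%define rpmrel 5
 %define fullrpmrel %{rpmrel}
 
 %define rpmtag %{disttag}
@@ -53,6 +53,7 @@
 %endif
 # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
 %bcond_without uml
+%bcond_with gost_keys
 
 # Kernel flavour
 %if %{enhanced_security}
@@ -988,9 +989,11 @@ EOF
 cat "%{certs_key_config_rnd}"
 
 libressl req -new -nodes -utf8 -batch \
+%if %{with gost_keys}
 -newkey gost2001 \
 -pkeyopt dgst:streebog512 -pkeyopt paramset:A \
 -streebog512 \
+%endif
 -days 109500 \
 -x509 -config "%{certs_key_config_rnd}" \
 -outform PEM \
@@ -998,12 +1001,14 @@ libressl req -new -nodes -utf8 -batch \
 -keyout "%{certs_signing_key_priv_rnd}"
 
 # Verify
+%if %{with gost_keys}
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 | grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 | grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
 libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
 | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
+%endif
 
 # Strip public part from the generated PEM
 sed -n \
@@ -1019,11 +1024,11 @@ sed -i %{src_dir}/scripts/Makefile \
 %endif
 -e "s,-lcrypto,${libressl_cflags},g"
 
-%if %{with additional_keys}
-# Add additional public keys to the list of trusted keys for kernel modules
+%if %{with additional_keys} && !%{with gost_keys}
+# Add additional public RSA keys to the list of trusted keys for kernel modules
 # Build kernel --without additional_keys if you do not want to trust them
-##cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
-## >> "%{certs_public_keys}"
+cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
+>> "%{certs_public_keys}"
 %endif #endif additional_keys
 cat %{certs_public_keys}
 %endif #endif enhanced_security
@@ -1205,12 +1210,18 @@ _libressl_sign(){
 return 0
 fi
 f="$1"
+%if %{with gost_keys}
+# This is an incorrect signature, GOST support is needed in CMS (?!)
 libressl dgst -streebog512 \
 -sign "%{certs_signing_key_priv_rnd}" "$f" \
 > "${f}.sig"
 %{src_dir}/scripts/sign-file -s "${f}.sig" streebog512 \
 "%{certs_signing_key_priv_rnd}" "$f"
 rm "${f}.sig"
+%else
+%{src_dir}/scripts/sign-file sha512 \
+"%{certs_signing_key_priv_rnd}" "%{certs_signing_key_priv_rnd}" "$f"
+%endif
 unset f
 }
 export -f _libressl_sign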
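Review bot: With `gost_keys` off by default, the `# Verify` step in the hunk at -998 is skipped entirely, so a default build never checks which key and signature algorithm `libressl req` actually produced. Those parameters now come only from `%{certs_key_config_rnd}`, whose contents are not visible here. An `%else` branch asserting the expected algorithm would stop an unexpected or weak key type from silently becoming the module-signing key, for example `libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout | grep -E 'Public Key Algorithm:.*rsaEncryption'`, with the pattern adjusted to whatever the config is meant to yield. Separately, the `%if %{with gost_keys}` branch of `_libressl_sign` still emits a signature that its own comment calls incorrect, so failing the build early for `--with gost_keys` would be safer than producing modules that presumably cannot be verified. `_libressl_sign` begins before the last hunk, so its early-return condition is not shown.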