author | Richard Levitte <levitte@openssl.org> | 2024-08-19 08:38:56 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2024-08-21 08:21:06 +0200 |
commit | 523187df47cf6082004e872c6c47b202fce5d574 (patch) | |
tree | 9629dc63a867bbf029f5b899d99efdaf27cfed2b | |
parent | fix coding style (diff) | |
Enable RSA-SM3 in the default provider
It turns out that we didn't allow the combination RSA + SM3 anywhere.
This is perfectly reasonable in the FIPS module, but less so in the default
provider. This change enables it in the default provider, and adds a simple
evp_test stanza for the RSA-SM3 signature scheme.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23416)
-rw-r--r-- | crypto/rsa/rsa_sign.c | 16 | ||||
-rw-r--r-- | providers/common/securitycheck_default.c | 1 | ||||
-rw-r--r-- | test/evp_test.c | 4 | ||||
-rw-r--r-- | test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt | 5 |
4 files changed, 26 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index b14b134080..884846e814 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -34,6 +34,9 @@
 # ifndef OPENSSL_NO_RMD160
 # include <openssl/ripemd.h> /* uses RIPEMD160_DIGEST_LENGTH */
 # endif
+# ifndef OPENSSL_NO_SM3
+# include "internal/sm3.h" /* uses SM3_DIGEST_LENGTH */
+# endif
 #endif
 #include <openssl/sha.h> /* uses SHA???_DIGEST_LENGTH */
 #include "crypto/rsa.h"
@@ -123,6 +126,16 @@ static const unsigned char digestinfo_ripemd160_der[] = {
 ASN1_OCTET_STRING, RIPEMD160_DIGEST_LENGTH
 };
 # endif
+# ifndef OPENSSL_NO_SM3
+/* SM3 (1 2 156 10197 1 401) */
+static const unsigned char digestinfo_sm3_der[] = {
+ ASN1_SEQUENCE, 0x0f + SM3_DIGEST_LENGTH,
+ ASN1_SEQUENCE, 0x0c,
+ ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x78,
+ ASN1_NULL, 0x00,
+ ASN1_OCTET_STRING, SM3_DIGEST_LENGTH
+};
+# endif
 #endif /* FIPS_MODULE */
 /* SHA-1 (1 3 14 3 2 26) */
@@ -169,6 +182,9 @@ const unsigned char *ossl_rsa_digestinfo_encoding(int md_nid, size_t *len)
 # ifndef OPENSSL_NO_RMD160
 MD_CASE(ripemd160)
 # endif
+# ifndef OPENSSL_NO_SM3
+ MD_CASE(sm3)
+# endif
 #endif /* FIPS_MODULE */
 MD_CASE(sha1)
 MD_CASE(sha224)
diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c
index b9c1bda674..19916a46ca 100644
--- a/providers/common/securitycheck_default.c
+++ b/providers/common/securitycheck_default.c
@@ -33,6 +33,7 @@ int ossl_digest_rsa_sign_get_md_nid(const EVP_MD *md)
 { NID_md4, OSSL_DIGEST_NAME_MD4 },
 { NID_mdc2, OSSL_DIGEST_NAME_MDC2 },
 { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 },
+ { NID_sm3, OSSL_DIGEST_NAME_SM3 },
 };
 mdnid = ossl_digest_get_approved_nid(md);
diff --git a/test/evp_test.c b/test/evp_test.c
index 3e445dcf9b..4789438846 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
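Review bot: The bytes of `digestinfo_sm3_der` disagree with the OID named in its own comment: the last arc `0x83, 0x78` decodes to 3*128 + 120 = 504, while 401 encodes as `0x83, 0x11`, so the DigestInfo carries 1.2.156.10197.1.504 (to my knowledge the SM3-with-RSA signature identifier) rather than the SM3 digest OID. The outer length also looks one short, because the inner SEQUENCE takes 2 + 0x0c bytes and the OCTET STRING header 2 more, which gives 0x10 rather than 0x0f. I would change the two lines to `ASN1_SEQUENCE, 0x10 + SM3_DIGEST_LENGTH,` and `ASN1_OID, 0x08, 1 * 40 + 2, 0x81, 0x1c, 0xcf, 0x55, 1, 0x83, 0x11,`. A malformed prefix yields PKCS#1 v1.5 signatures that a strict verifier elsewhere should reject, and a verifier that accepts them is being lenient about DigestInfo parsing. The RSA-SM3 `Output` added to evppkey_rsa_sigalg.txt is a Sign-Message vector that was presumably generated with this same table, so it would pin the wrong encoding and need regenerating, ideally from an independent implementation.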
@@ -5201,6 +5201,10 @@ static int is_pkey_disabled(const char *name)
 if (HAS_CASE_SUFFIX(name, "-RIPEMD160"))
 return 1;
 #endif
+#ifdef OPENSSL_NO_SM3
+ if (HAS_CASE_SUFFIX(name, "-SM3"))
+ return 1;
+#endif
 return 0;
 }
diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt b/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
index f510f04a1f..cbb3e78714 100644
--- a/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
+++ b/test/recipes/30-test_evp_data/evppkey_rsa_sigalg.txt
@@ -182,3 +182,8 @@ Availablein = default
 Sign-Message = RSA-RIPEMD160:RSA-2048
 Input = "Hello World"
 Output = 6a7fc08e9999fc9d50cda476e973a01a06efeb52eece1c78cb1422950476cbff67408c6f5c0a5749a70d3b505d9b6ad84f6854cb290fab18b28c13233030964ce81e3cf4f34bd606322e44534c335994c9761ae989936fd33be4c53e43cc54f027e4d3eb48563be6242ffcb831d4382e5b3f155c345e6f4367ae40d92cb70376942f45ce9fde97eb282ff3767b7972821381e1c3443b0e595bc968c16119dbdeef9f91d9f15f61feb0a0a25c66c2e72513a853d6cc797e83c8719d82ed951ccce06292f07696c7f97a52a7048bd4c70c5a70dbab0470be3b75af0f28dd39535bb8fee899cb69d3b6970cc59c773c0c15122931b6904d3c5c98011650bb8283d6
+
+Availablein = default
+Sign-Message = RSA-SM3:RSA-2048
+Input = "Hello World"
+Output = 92657e22036214c343d8e95d129c0c47430d5a1ae452371a7847a963f533f96e018aa6658958e6a584cf0d380aa9435175cf2de3dfa60100aca893b76aa6d8f0cc9154ee982cb5ea8f19153fe8a9c801aa2da8bb4451c7ec6fd836e81ecdacf022b68294db068efa47decf3a7c548ea7088a16433029b8733b9573053b7e7122ea10b662726fc97bd149c663617434a9707b672b024f95865d91077edfb79c8ed4c8528032204c46c984a6c82b17794cbf9c4dfe4c1af1d59535f7755540ff36d6a2b55accbf046896c4aae9287a33f38c2a269a02abdac46c17b1b55ee89cc9eb3011a84916596f982c5375dd2110633be6dc43532919466d83bd0f3e406978 |