From: "Gao, Liming" <liming.gao@intel.com>
To: "Long, Qin" <qin.long@intel.com>,
"Zhu, Yonghong" <yonghong.zhu@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
"Liao, Jui-pengX" <jui-pengx.liao@intel.com>
Subject: Re: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options
Date: Tue, 27 Mar 2018 08:49:03 +0000 [thread overview]
Message-ID: <4A89E2EF3DFEDB4C8BFDE51014F606A14E1EE5E7@SHSMSX104.ccr.corp.intel.com> (raw)
In-Reply-To: <BF2CCE9263284D428840004653A28B6E540882BC@SHSMSX103.ccr.corp.intel.com>
Qin:
Thanks for your suggestion. It also work. I agree this style is better.
Thanks
Liming
>-----Original Message-----
>From: Long, Qin
>Sent: Tuesday, March 27, 2018 4:33 PM
>To: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming
><liming.gao@intel.com>; edk2-devel@lists.01.org
>Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui-
>pengx.liao@intel.com>
>Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl
>standard options
>
>This ("sha1 -sha256") looks a little odd.
>Could we try "openssl dgst -sha256 ...."?
>
>
>Best Regards & Thanks,
>LONG, Qin
>
>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhu,
>Yonghong
>Sent: Tuesday, March 27, 2018 3:56 PM
>To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org
>Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui-
>pengx.liao@intel.com>
>Subject: Re: [edk2] [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use
>openssl standard options
>
>Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
>
>Best Regards,
>Zhu Yonghong
>
>
>-----Original Message-----
>From: Gao, Liming
>Sent: Tuesday, March 27, 2018 1:48 PM
>To: edk2-devel@lists.01.org
>Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D
><michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com>
>Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl
>standard options
>
>sha256 is not the standard option. It should be replaced by sha -sha256.
>Otherwise, it doesn't work in MAC OS.
>
>In V2, update the option to sha1 -sha256.
>In late openssl version >= 1.1, there is no sha option, but has sha1,sha256.
>In previous openssl version < 1.1, there is no sha256, but has sha,sha1.
>To work with all openssl version, use sha1 -sha256 for it.
>
>Contributed-under: TianoCore Contribution Agreement 1.1
>Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com>
>Signed-off-by: Liming Gao <liming.gao@intel.com>
>Cc: Michael Kinney <michael.d.kinney@intel.com>
>Cc: Yonghong Zhu <yonghong.zhu@intel.com>
>---
> BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git
>a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>index 1ae6ebb..4188f8e 100644
>--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>@@ -176,7 +176,7 @@ if __name__ == '__main__':
> #
> # Sign the input file using the specified private key and capture signature
>from STDOUT
> #
>- Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand,
>args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE,
>stderr=subprocess.PIPE, shell=True)
>+ Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' %
>(OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE,
>stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
> Signature = Process.communicate(input=FullInputFileBuffer)[0]
> if Process.returncode <> 0:
> sys.exit(Process.returncode)
>@@ -225,7 +225,7 @@ if __name__ == '__main__':
> #
> # Verify signature
> #
>- Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' %
>(OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName),
>stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
>shell=True)
>+ Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" -
>signature %s' % (OpenSslCommand, args.PrivateKeyFileName,
>args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE,
>stderr=subprocess.PIPE, shell=True)
> Process.communicate(input=FullInputFileBuffer)
> if Process.returncode <> 0:
> print 'ERROR: Verification failed'
>--
>2.8.0.windows.1
>
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel
next prev parent reply other threads:[~2018-03-27 8:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-27 5:48 [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options Liming Gao
2018-03-27 7:56 ` Zhu, Yonghong
2018-03-27 8:33 ` Long, Qin
2018-03-27 8:49 ` Gao, Liming [this message]
2018-03-27 9:16 ` Liao, Jui-pengX
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A89E2EF3DFEDB4C8BFDE51014F606A14E1EE5E7@SHSMSX104.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox