Re: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options - Liao, Jui-pengX

From: "Liao, Jui-pengX" <jui-pengx.liao@intel.com>
To: "Gao, Liming" <liming.gao@intel.com>,
	"Long, Qin" <qin.long@intel.com>,
	"Zhu, Yonghong" <yonghong.zhu@intel.com>,
	"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Kinney, Michael D" <michael.d.kinney@intel.com>,
	"Liao, Jui-pengX" <jui-pengx.liao@intel.com>
Subject: Re: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options
Date: Tue, 27 Mar 2018 09:16:12 +0000	[thread overview]
Message-ID: <8388C294C3367C4BAAE68AB495490AF333D295AE@PGSMSX102.gar.corp.intel.com> (raw)
In-Reply-To: <4A89E2EF3DFEDB4C8BFDE51014F606A14E1EE5E7@SHSMSX104.ccr.corp.intel.com>

Hi all,
The "openssl dgst -sha256" is working as well.

[configuration]
Xcode 9
Openssl 0.9.8zh 14 Jan 2016

Best regards
George Liao
-----Original Message-----
From: Gao, Liming 
Sent: Tuesday, March 27, 2018 4:49 PM
To: Long, Qin <qin.long@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com>; edk2-devel@lists.01.org
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui-pengx.liao@intel.com>
Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options

Qin:
  Thanks for your suggestion. It also work. I agree this style is better. 

Thanks
Liming
>-----Original Message-----
>From: Long, Qin
>Sent: Tuesday, March 27, 2018 4:33 PM
>To: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming 
><liming.gao@intel.com>; edk2-devel@lists.01.org
>Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX 
><jui- pengx.liao@intel.com>
>Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use 
>openssl standard options
>
>This ("sha1 -sha256") looks a little odd.
>Could we try "openssl dgst -sha256 ...."?
>
>
>Best Regards & Thanks,
>LONG, Qin
>
>-----Original Message-----
>From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of 
>Zhu, Yonghong
>Sent: Tuesday, March 27, 2018 3:56 PM
>To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org
>Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX 
><jui- pengx.liao@intel.com>
>Subject: Re: [edk2] [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to 
>use openssl standard options
>
>Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com>
>
>Best Regards,
>Zhu Yonghong
>
>
>-----Original Message-----
>From: Gao, Liming
>Sent: Tuesday, March 27, 2018 1:48 PM
>To: edk2-devel@lists.01.org
>Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D 
><michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com>
>Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl 
>standard options
>
>sha256 is not the standard option. It should be replaced by sha -sha256.
>Otherwise, it doesn't work in MAC OS.
>
>In V2, update the option to sha1 -sha256.
>In late openssl version >= 1.1, there is no sha option, but has sha1,sha256.
>In previous openssl version < 1.1, there is no sha256, but has sha,sha1.
>To work with all openssl version, use sha1 -sha256 for it.
>
>Contributed-under: TianoCore Contribution Agreement 1.1
>Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com>
>Signed-off-by: Liming Gao <liming.gao@intel.com>
>Cc: Michael Kinney <michael.d.kinney@intel.com>
>Cc: Yonghong Zhu <yonghong.zhu@intel.com>
>---
> BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 
>++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git
>a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>index 1ae6ebb..4188f8e 100644
>--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
>@@ -176,7 +176,7 @@ if __name__ == '__main__':
>     #
>     # Sign the input file using the specified private key and capture 
>signature from STDOUT
>     #
>-    Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand,
>args.PrivateKeyFileName), stdin=subprocess.PIPE, 
>stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
>+    Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' %
>(OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, 
>stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
>     Signature = Process.communicate(input=FullInputFileBuffer)[0]
>     if Process.returncode <> 0:
>       sys.exit(Process.returncode)
>@@ -225,7 +225,7 @@ if __name__ == '__main__':
>     #
>     # Verify signature
>     #
>-    Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' %
>(OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), 
>stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
>shell=True)
>+    Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" -
>signature %s' % (OpenSslCommand, args.PrivateKeyFileName, 
>args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, 
>stderr=subprocess.PIPE, shell=True)
>     Process.communicate(input=FullInputFileBuffer)
>     if Process.returncode <> 0:
>       print 'ERROR: Verification failed'
>--
>2.8.0.windows.1
>
>_______________________________________________
>edk2-devel mailing list
>edk2-devel@lists.01.org
>https://lists.01.org/mailman/listinfo/edk2-devel