From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	Vitaly Chikunov <vt@altlinux.org>,
	linux-integrity@vger.kernel.org,
	Jia Zhang <zhang.jia@linux.alibaba.com>
Subject: Re: [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify
Date: Mon, 12 Jul 2021 20:45:52 +0800
Message-ID: <3b5aea51-c82c-70f3-d41e-d615bc14823a@linux.alibaba.com>
In-Reply-To: <d1b072c36b4d3770d6b7385836fbed2ec23be349.camel@linux.ibm.com>



On 7/12/21 8:35 PM, Mimi Zohar wrote:
> On Mon, 2021-07-12 at 20:12 +0800, Tianjia Zhang wrote:
>>
>> On 7/9/21 8:05 PM, Mimi Zohar wrote:
>>> On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote:
>>>> On 7/7/21 10:28 AM, Mimi Zohar wrote:
>>>
>>>
>>>>> I'm also seeing:
>>>>> - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3
>>>>> -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions
>>>>> copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key
>>>>> req: Unrecognized flag copy_extensions
>>>>>
>>>>
>>>> This command is for openssl 3.0, and '-copy_extensions copyall' is also
>>>> a parameter supported on 3.0. At present, the mainstream version of
>>>> openssl 1.1.1 only partially supports SM2 signatures. For example, the
>>>> USERID in the SM2 specification cannot be used, and the certificate
>>>> cannot be operated in the command using the SM2/3 algorithm combination,
>>>> just like the modification of libimaevm.c in this patch, this cannot be
>>>> done directly through the openssl command, even if the '-copy_extensions
>>>> copyall' parameter is deleted, this command will fail on openssl
>>>> 1.1.1. The final solution may be openssl 3.0.
>>>>
>>>> On openssl 1.1.1, there is no problem to operate the signature of the
>>>> SM2/3 algorithm combination through the API. If it is possible, the
>>>> sign_verify test of sm2/3 is not required. What is your opinion?
>>>
>>> Instead of dropping the test altogether, add an openssl version
>>> dependency.
>>
>> Great. Will do in the next version of the patch.
> 
> Please consider adding a new CI distro matrix rule that includes the
> needed openssl version.  Another option would be to define a new script
> in the tests directory to install openssl from the git repo.  Please
> limit using that script to a single distro matrix rule.
> 

Got it, thanks for your suggestion. It seems that the second method is 
more suitable.

Thanks,
Tianjia
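
The OpenSSL version dependency discussed in this thread could be expressed in a test script roughly as follows. This is an added example, not code from the patch or from ima-evm-utils; the function names are hypothetical, the version strings in the comments are constructed samples, and exit code 77 is assumed as the skip status (the Automake convention).

```shell
#!/bin/sh
# Added example: gate an SM2/SM3 sign_verify test on the OpenSSL version.
# Function names are hypothetical, not taken from ima-evm-utils.

# Print "MAJOR.MINOR.PATCH" parsed from the first line of `openssl version`
# output, e.g. "OpenSSL 1.1.1k  25 Mar 2021" (constructed sample) -> 1.1.1.
# Returns 1 and prints nothing when the line is not from OpenSSL
# (for example a LibreSSL build).
openssl_version_triplet() {
  printf '%s\n' "$1" |
    sed -n '1s/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2.\3/p' |
    grep .
}

# Return 0 when the version line describes OpenSSL >= MAJOR.MINOR.
# $1 = version line, $2 = required major, $3 = required minor
openssl_at_least() {
  line=$1 want_major=$2 want_minor=$3
  ver=$(openssl_version_triplet "$line") || return 1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  [ "$major" -gt "$want_major" ] && return 0
  [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# Print "run" when the SM2 certificate generation command quoted in the
# thread can be expected to work (OpenSSL 3.0 or later), otherwise "skip".
sm2_test_decision() {
  if openssl_at_least "$1" 3 0; then
    echo run
  else
    echo skip
  fi
}

# Assumed usage at the top of the SM2 test case:
#   [ "$(sm2_test_decision "$(openssl version)")" = run ] || exit 77
```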
