From: Tianjia Zhang
To: Mimi Zohar, Vitaly Chikunov, Jia Zhang
Subject: Re: [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify
Date: Mon, 12 Jul 2021 20:45:52 +0800

On 7/12/21 8:35 PM, Mimi Zohar wrote:
> On Mon, 2021-07-12 at 20:12 +0800, Tianjia Zhang wrote:
>> On 7/9/21 8:05 PM, Mimi Zohar wrote:
>>> On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote:
>>>> On 7/7/21 10:28 AM, Mimi Zohar wrote:
>>>>> I'm also seeing:
>>>>> - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3
>>>>> -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions
>>>>> copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key
>>>>> req: Unrecognized flag copy_extensions
>>>> This command is for openssl 3.0, and '-copy_extensions copyall' is also
>>>> a parameter supported on 3.0. At present, the mainstream version of
>>>> openssl 1.1.1 only partially supports SM2 signatures. For example, the
>>>> USERID in the SM2 specification cannot be used, and the certificate
>>>> cannot be operated in the command using the SM2/3 algorithm combination,
>>>> just like the modification of libimaevm.c in this patch, this cannot be
>>>> done directly through the openssl command, even if the '-copy_extensions
>>>> copyall' parameter is deleted, this command will fail on openssl
>>>> 1.1.1. The final solution may be openssl 3.0.
>>>> On openssl 1.1.1, there is no problem to operate the signature of the
>>>> SM2/3 algorithm combination through the API. If it is possible, the
>>>> sign_verify test of sm2/3 is not required. What is your opinion?
>>> Instead of dropping the test altogether, add an openssl version
>>> dependency.
>> Great. Will do in the next version of the patch.
> Please consider adding a new CI distro matrix rule that includes the
> needed openssl version.  Another option would be to define a new script
> in the tests directory to install openssl from the git repo.  Please
> limit using that script to a single distro matrix rule.

Got it, thanks for your suggestion. It seems that the second method is 
more suitable.
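
The openssl version dependency suggested in the thread, as an added example that is not part of the original message or of the ima-evm-utils code. The function names and the sample version lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate the SM2/SM3 sign_verify test on the OpenSSL version.
# Function names are hypothetical, not taken from ima-evm-utils.

# Print the major version for an "openssl version" line, or nothing when
# the line is not from OpenSSL proper (e.g. LibreSSL, whose own 3.x
# numbering says nothing about OpenSSL 3.0 features).
openssl_major() {
  case "$1" in
    "OpenSSL "[0-9]*)
      ver=${1#OpenSSL }     # drop the product name
      ver=${ver%% *}        # drop the build date and anything after it
      printf '%s\n' "${ver%%.*}"
      ;;
  esac
}

# Succeed only when the line reports OpenSSL 3.0 or newer, the release the
# thread says the "openssl req ... -sm3 -sigopt distid:..." command is for.
sm2_cli_supported() {
  major=$(openssl_major "$1")
  [ -n "$major" ] && [ "$major" -ge 3 ]
}

# Decide what the test should do: prints "run" or "skip".
sm2_test_action() {
  if sm2_cli_supported "$1"; then echo run; else echo skip; fi
}

# Constructed sample version lines, so the example runs offline.
for line in "OpenSSL 1.1.1k  25 Mar 2021" \
            "OpenSSL 3.0.0 7 sep 2021" \
            "LibreSSL 3.3.3"; do
  printf '%-30s -> %s\n' "$line" "$(sm2_test_action "$line")"
done

# In a test script the input would be "$(openssl version)"; automake's
# test harness reports exit status 77 as a skipped test.
```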

