On 7/7/21 10:28 AM, Mimi Zohar wrote:
On Fri, 2021-07-02 at 11:18 +0800, Tianjia Zhang wrote:
Hi,
Any comment?
Except for a few older distros, Travis complains:
openssl dgst -sm3 sm3-hash.txt
+ evmctl -v ima_hash --hashalgo sm3 --xattr-user sm3-hash.txt
hash(sm3):
04111ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
Did not find expected hash for sm3:
user.ima=0x011ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035
eb5082aa2b
Actual output below:
# file: sm3-hash.txt
user.ima=0x04111ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed0
35eb5082aa2b
Thanks for pointing it out, This is caused by incorrect use of
hdr-prefix and will be fixed in the next version.
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 46130cf..a75dc2e 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -112,6 +112,28 @@ for m in \
fi
done
+# SM2
+for curve in sm2; do
+ if [ "$1" = clean ] || [ "$1" = force ]; then
+ rm -f test-$curve.cer test-$curve.key test-$curve.pub
+ fi
+ if [ "$1" = clean ]; then
+ continue
+ fi
+ if [ ! -e test-$curve.key ]; then
+ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
+ -sm3 -sigopt "distid:1234567812345678" \
+ -config test-ca.conf \
+ -copy_extensions copyall \
+ -newkey $curve \
+ -out test-$curve.cer -outform DER \
+ -keyout test-$curve.key
+ if [ -s test-$curve.key ]; then
+ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+ fi
+ fi
+done
I'm also seeing:
- openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3
-sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions
copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key
req: Unrecognized flag copy_extensions
This command is for openssl 3.0, and '-copy_extensions copyall' is also
a parameter supported on 3.0. At present, the mainstream version of
openssl 1.1.1 only partially supports SM2 signatures. For example, the
USERID in the SM2 specification cannot be used, and the certificate
cannot be operated in the command using the SM2/3 algorithm combination,
just like the modification of libimaevm.c in this patch, this cannot be
done directly through the openssl command, even if the '-copy_extensions
copyall' parameter is deleted, this command will be failed on openssl
1.1.1. The final solution may be openssl 3.0.
On openssl 1.1.1, there is no problem to operate the signature of the
SM2/3 algorithm combination through the API. If it is possible, the
sign_verify test of sm2/3 is not required. What is your opinion?
thanks,
Mimi
Cheers,
Tianjia
