On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote: > On 7/7/21 10:28 AM, Mimi Zohar wrote: > > I'm also seeing: > > - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3 > > -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions > > copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key > > req: Unrecognized flag copy_extensions > > > > This command is for openssl 3.0, and '-copy_extensions copyall' is also > a parameter supported on 3.0. At present, the mainstream version of > openssl 1.1.1 only partially supports SM2 signatures. For example, the > USERID in the SM2 specification cannot be used, and the certificate > cannot be operated in the command using the SM2/3 algorithm combination, > just like the modification of libimaevm.c in this patch, this cannot be > done directly through the openssl command, even if the '-copy_extensions > copyall' parameter is deleted, this command will be failed on openssl > 1.1.1. The final solution may be openssl 3.0. > > On openssl 1.1.1, there is no problem to operate the signature of the > SM2/3 algorithm combination through the API. If it is possible, the > sign_verify test of sm2/3 is not required. What is your opinion? Instead of dropping the test altogether, add an openssl version dependency. thanks, Mimi
