On Mon, 2021-07-12 at 20:12 +0800, Tianjia Zhang wrote: > > On 7/9/21 8:05 PM, Mimi Zohar wrote: > > On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote: > >> On 7/7/21 10:28 AM, Mimi Zohar wrote: > > > > > >>> I'm also seeing: > >>> - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3 > >>> -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions > >>> copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key > >>> req: Unrecognized flag copy_extensions > >>> > >> > >> This command is for openssl 3.0, and '-copy_extensions copyall' is also > >> a parameter supported on 3.0. At present, the mainstream version of > >> openssl 1.1.1 only partially supports SM2 signatures. For example, the > >> USERID in the SM2 specification cannot be used, and the certificate > >> cannot be operated in the command using the SM2/3 algorithm combination, > >> just like the modification of libimaevm.c in this patch, this cannot be > >> done directly through the openssl command, even if the '-copy_extensions > >> copyall' parameter is deleted, this command will be failed on openssl > >> 1.1.1. The final solution may be openssl 3.0. > >> > >> On openssl 1.1.1, there is no problem to operate the signature of the > >> SM2/3 algorithm combination through the API. If it is possible, the > >> sign_verify test of sm2/3 is not required. What is your opinion? > > > > Instead of dropping the test altogether, add an openssl version > > dependency. > > Great. will do in next version patch. Please consider adding a new CI distro matrix rule that includes the needed openssl version. Another option would be to define a new script in the tests directory to install openssl from the git repo. Please limit using that script to a single distro matrix rule. thanks, Mimi
