Hi Tianjia, Mimi, > On 7/12/21 8:35 PM, Mimi Zohar wrote: > > On Mon, 2021-07-12 at 20:12 +0800, Tianjia Zhang wrote: > > > On 7/9/21 8:05 PM, Mimi Zohar wrote: > > > > On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote: > > > > > On 7/7/21 10:28 AM, Mimi Zohar wrote: > > > > > > I'm also seeing: > > > > > > - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3 > > > > > > -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions > > > > > > copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key > > > > > > req: Unrecognized flag copy_extensions > > > > > This command is for openssl 3.0, and '-copy_extensions copyall' is also > > > > > a parameter supported on 3.0. At present, the mainstream version of > > > > > openssl 1.1.1 only partially supports SM2 signatures. For example, the > > > > > USERID in the SM2 specification cannot be used, and the certificate > > > > > cannot be operated in the command using the SM2/3 algorithm combination, > > > > > just like the modification of libimaevm.c in this patch, this cannot be > > > > > done directly through the openssl command, even if the '-copy_extensions > > > > > copyall' parameter is deleted, this command will be failed on openssl > > > > > 1.1.1. The final solution may be openssl 3.0. > > > > > On openssl 1.1.1, there is no problem to operate the signature of the > > > > > SM2/3 algorithm combination through the API. If it is possible, the > > > > > sign_verify test of sm2/3 is not required. What is your opinion? > > > > Instead of dropping the test altogether, add an openssl version > > > > dependency. > > > Great. will do in next version patch. > > Please consider adding a new CI distro matrix rule that includes the > > needed openssl version. Another option would be to define a new script > > in the tests directory to install openssl from the git repo. Please > > limit using that script to a single distro matrix rule. > Got it, thanks for your suggestion. It seems that the second method is more > suitable. Although it appears there is no distro which would have openssl 3.0 [1], Debian actually have 3.0.0~~beta1-1 in experimental [2]. openSUSE has slightly older version openssl-3.0.0-alpha16 [3]. I suppose we update soon to beta1 as well. Using distro packages would be probably faster to run in CI than install from git. Kind regards, Petr [1] https://pkgs.org/download/openssl [2] https://tracker.debian.org/pkg/openssl [3] https://build.opensuse.org/package/show/security:tls/openssl-3 > Thanks, > Tianjia
