On 3/5/21 2:37 AM, Tianjia Zhang wrote:

Hi,

On 3/4/21 7:46 AM, Stefan Berger wrote:

quoted

Tianjia,

    can you say whether SM2 support works for you before and after 
applying this patch? I cannot verify it with an sm2 key I have 
created using a sequence of commands like this:

 > modprobe sm2_generic
 > id=$(keyctl newring test @u)
 > keyctl padd asymmetric "" $id < sm2.der
add_key: Key was rejected by service
 > keyctl padd asymmetric "" $id < eckeys/cert-prime192v1-0.der
88506426

The sm2 key is reject but the pime192v1 key works just fine. SM2 
support neither worked for me before nor after this patch here. The 
difference is that before it returned 'add_key: Package not installed'.

This is my sm2 cert:

 > base64 < sm2.der
MIIBbzCCARWgAwIBAgIUfqwndeAy7reymWLwvCHOgYPU2YUwCgYIKoZIzj0EAwIwDTELMAkGA1UE 

AwwCbWUwHhcNMjEwMTI0MTgwNjQ3WhcNMjIwMTI0MTgwNjQ3WjANMQswCQYDVQQDDAJtZTBZMBMG 

ByqGSM49AgEGCCqBHM9VAYItA0IABEtiMaczdk46MEugmOsY/u+puf5qoi7JdLd/w3VpdixvDd26 

vrxLKL7lCTVn5w3a07G7QB1dgdMDpzIRgWrVXC6jUzBRMB0GA1UdDgQWBBSxOVnE7ihvTb6Nczb4 

/mow+HIc9TAfBgNVHSMEGDAWgBSxOVnE7ihvTb6Nczb4/mow+HIc9TAPBgNVHRMBAf8EBTADAQH/ 

MAoGCCqGSM49BAMCA0gAMEUCIE1kiji2ABUy663NANe0iCPjCeeqg02Yk4b3K+Ci/Qh4AiEA/cFB 

eJEVklyveRMvuTP7BN7FG4U8iRdtedjiX+YrNio=

Regards,
    Stefan

Yes, it works fine here. Your test method may be wrong. First of all, 
the certificate looks wrong, I don’t know if it is not sent 
completely. Secondly, the SM2 algorithm must be compiled with builtin. 
There will be a problem when it is compiled into a module. This is a 
restriction for SM2 signature with Za. you may refer to this discussion:

https://lkml.org/lkml/2021/1/12/1736

In addition, give you a self-signed root certificate for my test:

-----BEGIN CERTIFICATE-----
MIICLjCCAdWgAwIBAgIUEoozP6LzMYWh4gCpcWlzsUyfgsIwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBt
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzELMAkGA1UEAwwCY2ExGzAZBgkqhkiG9w0BCQEW
DGNhQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMTGRiHezKm5
MiKHlyfa5Bv5jLxge/WRRG0nLNsZx1yf0XQTQBR/tFFjPGePEr7+Fa1CPgYpXExx
i44coYMmQT6jUzBRMB0GA1UdDgQWBBSjd9GWIe98Ll9J0dquxgCktp9DrTAfBgNV
HSMEGDAWgBSjd9GWIe98Ll9J0dquxgCktp9DrTAPBgNVHRMBAf8EBTADAQH/MAoG
CCqBHM9VAYN1A0cAMEQCIAvLWIfGFq85u/vVMLc5H1D/DnrNS0VhSkQA4daRO4tc
AiABbeWENcQZDZLWTuqG9P2KDPOoNqV/QV/+0XjMAVblhg==
-----END CERTIFICATE-----

If you can, please add:

Tested-by: Tianjia Zhang <redacted>

good luck!

It works with your certificate! When I create the sm2 with OpenSSL on 
Ubuntu, which seems to have sm2 support, or so one may think, I get this 
type of signature:


I cannot create it with sm3, if that's how this is supposed to be signed:

 > # openssl req -x509 -sm3 -newkey ec -pkeyopt ec_paramgen_curve:sm2 
-keyout sm2key.pem -days 365 -subj '/CN=test' -nodes -outform der -out 
sm2.der
parameter error "ec_paramgen_curve:sm2"
140735899258064:error:100AE081:elliptic curve 
routines:EC_GROUP_new_by_curve_name:unknown group:crypto/ec/ec_curve.c:418:
140735899258064:error:100C508D:elliptic curve 
routines:pkey_ec_ctrl:invalid curve:crypto/ec/ec_pmeth.c:231:


Using sha256 instead, which is the mistake:

 > openssl req -x509 -sha256 -newkey ec -pkeyopt ec_paramgen_curve:sm2 
-keyout sm2key.pem -days 365 -subj '/CN=test' -nodes -outform der -out 
sm2-2nd.der

 > openssl x509 -inform der -in sm2-2nd.der -noout -text

[...]

     Signature Algorithm: ecdsa-with-SHA256
          30:45:02:20:05:72:15:b0:e8:f5:5a:27:d2:fb:f9:de:de:35:
          05:b2:76:8a:6f:84:c1:54:db:c2:38:8c:d2:64:8b:67:23:01:
          02:21:00:97:77:9e:42:fa:41:3d:d4:81:5e:5b:ad:9e:56:ad:
          46:fc:5e:94:92:a6:07:2d:af:62:d2:2d:39:7b:71:f1:4a


Yours has this type of signature:

     Signature Algorithm: 1.2.156.10197.1.501
          30:44:02:20:0b:cb:58:87:c6:16:af:39:bb:fb:d5:30:b7:39:
          1f:50:ff:0e:7a:cd:4b:45:61:4a:44:00:e1:d6:91:3b:8b:5c:
          02:20:01:6d:e5:84:35:c4:19:0d:92:d6:4e:ea:86:f4:fd:8a:
          0c:f3:a8:36:a5:7f:41:5f:fe:d1:78:cc:01:56:e5:86

Thanks anyway!


    Stefan