Re: [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-07-09 12:05:50
On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote:
> On 7/7/21 10:28 AM, Mimi Zohar wrote:
> > I'm also seeing:
> >
> > - openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3 -sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key
> > req: Unrecognized flag copy_extensions
>
> This command is for openssl 3.0, and '-copy_extensions copyall' is also
> a parameter supported on 3.0. At present, the mainstream version of
> openssl 1.1.1 only partially supports SM2 signatures. For example, the
> USERID in the SM2 specification cannot be used, and the certificate
> cannot be operated in the command using the SM2/3 algorithm
> combination. Just like the modification of libimaevm.c in this patch,
> this cannot be done directly through the openssl command; even if the
> '-copy_extensions copyall' parameter is deleted, this command will
> fail on openssl 1.1.1. The final solution may be openssl 3.0.
>
> On openssl 1.1.1, there is no problem operating the signature of the
> SM2/3 algorithm combination through the API. If it is possible, the
> sign_verify test of sm2/3 is not required. What is your opinion?

Instead of dropping the test altogether, add an openssl version dependency.

thanks,

Mimi
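
One way such a version dependency could look in a shell test harness, as an added example that is not part of this thread or of ima-evm-utils. The function names `openssl_is_3_or_later` and `sm2_test_action` are hypothetical, and the version strings used to exercise them are constructed samples of `openssl version` output.

```shell
#!/bin/sh
# Added example: decide whether the SM2/SM3 sign_verify case should run,
# based on the first line printed by `openssl version`.
# Function names are hypothetical, not taken from ima-evm-utils.

# Return 0 only if the version line reports OpenSSL with major version >= 3.
# LibreSSL also prints a 3.x number but is a different code base, so any
# line that does not start with "OpenSSL " is rejected.
openssl_is_3_or_later() {
    ver_line=$1
    case $ver_line in
        "OpenSSL "*) ;;
        *) return 1 ;;
    esac
    ver=${ver_line#OpenSSL }   # drop the product name
    ver=${ver%% *}             # keep the version field, e.g. 1.1.1k
    major=${ver%%.*}           # text before the first dot
    case $major in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unsupported
    esac
    [ "$major" -ge 3 ]
}

# Print "run" or "skip" for the SM2 key generation and sign_verify case.
sm2_test_action() {
    if openssl_is_3_or_later "$1"; then
        echo run
    else
        echo skip
    fi
}

# Stand-alone use: report the decision for the installed binary, if any.
if command -v openssl >/dev/null 2>&1; then
    echo "sm2 sign_verify: $(sm2_test_action "$(openssl version 2>/dev/null)")"
fi
```

A harness would report the "skip" case as a skipped test rather than a failure, so that builds against openssl 1.1.1 stay green while the SM2 case still runs on 3.0.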