Fixes #11241 problems of using openssl x509 -req self sign certificate#11242
Fixes #11241 problems of using openssl x509 -req self sign certificate#11242Neo-ZK wants to merge 4 commits intoopenssl:masterfrom
Conversation
openssl-machine
added
the
hold: cla required
apps/x509.c
Outdated
| } | ||
|
|
||
| #ifndef OPENSSL_NO_SM2 | ||
| if (EVP_PKEY_id(Upkey) == EVP_PKEY_SM2) { |
There was a problem hiding this comment.
This seems not necessary anymore in 3.0.0. I recall @levitte resolved this to automatically set the SM2 tag when loading a key.
|
|
||
| Convert a SM2 certificate request into a self signed SM2 certificate: | ||
|
|
||
| openssl x509 -req -in careq.pem -extfile openssl.cnf -signkey key.pem \ |
There was a problem hiding this comment.
You need to add the newly added 'sm2-id' and 'sm2-hex-id' in 'SYNOPSIS' and leave descriptions of these options in 'Signing Options' I think.
Neo-ZK
force-pushed
the
dev_fixup_x509_req_sm2
branch
from
bb3e706 to
55791ad
Compare
test/recipes/80-test_x509sm2_sign.t
Outdated
| "-noout", "-sm3", | ||
| "-sm2-id", "1234567812345678", | ||
| "-sigopt", "sm2_id:1234567812345678"]))); | ||
|
No newline at end of file |
There was a problem hiding this comment.
There is no newline at the end of this file
There was a problem hiding this comment.
fixed, and add a new test case about hex_id
There was a problem hiding this comment.
Besides, it seems you need to add a test case that verifies the newly generated certificate to see if it's issued correctly
|
The Travis "red cross" seems relevant. Also please can you supply a CLA: |
|
@zk3326312 You need to |
|
I think the options newly added to |
levitte
left a comment
levitte
left a comment
There was a problem hiding this comment.
The special -sm2-id and -sm2-hex-id options should be dropped. Stick with -sigopt.
| */ | ||
| return do_X509_sign(x, pkey, digest, sigopts); | ||
| } | ||
| #endif |
There was a problem hiding this comment.
Instead if this special case, it should be enough to replace X509_sign(x, pkey, digest) with do_X509_sign(x, pkey, digest, sigopts) below
| "Specify an ID string to verify an SM2 certificate request"}, | ||
| {"sm2-hex-id", OPT_SM2HEXID, 's', | ||
| "Specify a hex ID string to verify an SM2 certificate request"}, | ||
| #endif |
There was a problem hiding this comment.
There is -sigopt already, no need to make the SM2 id special
There was a problem hiding this comment.
Actually using sm-id would make code easier reading, if only use sigopt, then have to resolve sm2-id from string "sm2id:...", it seems that openssl does't use this way
There was a problem hiding this comment.
The SM2 EVP_PKEY_METHOD recognises sm2_id. You are using it in the test recipe, so you know this.
| "-signkey", srctop_file("test", "certs", "sm2-root.key"), | ||
| "-noout", "-sm3", | ||
| "-sm2-id", "1234567812345678", | ||
| "-sigopt", "sm2_id:1234567812345678"]))); |
There was a problem hiding this comment.
The reason is:
only using -sm2-id would not transfer sm2-id when calling sign(x, Upkey, fkey, days, clrext, digest, extconf, extsect, preserve_dates, sigopts), that would cause sign fail
There was a problem hiding this comment.
sm2 ID given twice? Why?
That is because the -sm2-id is used for verifying the CSR and the sm2_id (notice the slight difference between stick and underscore...) in the sigopt is used for signing the CSR into a real certificate.
Because the CSR is generated by the user and the final certificate is signed by the issuer, so the ID in the CSR (which also contains an SM2 signature) could be different compared to the final signing one.
So I think this explains the following question as well:
The special -sm2-id and -sm2-hex-id options should be dropped
Another choice is to add something like vfyopt to the x509 command...
There was a problem hiding this comment.
Another choice is to add something like vfyopt to the x509 command...
That would probably be a good thing
There was a problem hiding this comment.
So the conclusion is that we should implement a vfyopt in this pr? :-)
There was a problem hiding this comment.
What about other openssl commands? Are there options like vfyopt?
There was a problem hiding this comment.
There seems to be no similar option
| "-signkey", srctop_file("test", "certs", "sm2-root.key"), | ||
| "-noout", "-sm3", | ||
| "-sm2-hex-id", "31:32:33:34:35:36:37:38:31:32:33:34:35:36:37:38", | ||
| "-sigopt", "sm2_hex_id:31:32:33:34:35:36:37:38:31:32:33:34:35:36:37:38"]))); |
|
Furthermore, I think the initial commit's title is too long and there is not message body in it - but we can resolve this when the PR gets merged by anyone who is doing the squash job. |
|
Close/reopen to kick CLA bot. |
openssl-machine
removed
the
hold: cla required
Neo-ZK
force-pushed
the
dev_fixup_x509_req_sm2
branch
2 times, most recently
from
6582ffd to
5e700d8
Compare
Neo-ZK
force-pushed
the
dev_fixup_x509_req_sm2
branch
from
5e700d8 to
c830177
Compare
|
FYI, I'm having a closer look at this. I'm still convinced that the use of |
| X509_REQ_set0_sm2_id(req, v); | ||
| } | ||
| #endif | ||
| i = X509_REQ_verify(req, pkey); |
There was a problem hiding this comment.
So it seems that what's really missing is a do_X509_REQ_verify that takes a sigopts stack...
There was a problem hiding this comment.
Yes, it seems that problem is how to set an sm2-id to a X509_REQ with sig-opt
There was a problem hiding this comment.
But that loses the ability of setting different IDs for CSR and final signing separately.
There was a problem hiding this comment.
@william-zk, it seems to go deeper, there's no X509_REQ_verify_ctx() either, so support seems to be lacking quite deeply. I'm preparing a PR that adds such support.
There was a problem hiding this comment.
@InfoHunter, sorry, you lost me there... are you essentially asking for vfyopts? That would certainly be possible...
There was a problem hiding this comment.
@levitte , so what you meant was adding 'vfyopts' and then use its content in something like do_X509_REQ_verify ?
|
I see where this PR is coming from... we have the same kind of SM2 hackery all over the place already. I have some ideas on how to make it... a little less hacky. PR coming up! |
Any update on this? |
So far, an issue where I've written down my analysis of the actual problem, #11293. I'll follow up with a PR shortly. |
|
@william-zk, thank you for this PR. I can understand if it felt like a waste, but considering how it helped highlight problematic code, I see it as highly valuable, even if we didn't use it directly. |
oh, that's all right:-), I'd very happy to see that there is a more effective way to solve the problem. Later I'd help to find if there is any problem in openssl x509 ca...,if problem exist, I would make a issue and help to fix it |
5 participants
the problem is illustrated in issue #11241