Conversation
|
(some famously heard me say "I have a branch" during a vid-call this morning... this is what I was talking about, with some cleanup) |
|
Rebased and hopefully last fight with picky compilers |
apps/lib/app_x509.c
Outdated
There was a problem hiding this comment.
I'm not sure I like this diagnostic output. The function seems to be generic but the output is for a particular case.
Unfortunately it seems the red cross is relevant |
|
CI kicking close/re-open |
|
@InfoHunter, it seems that Travis didn't pick up on my last update |
|
Ahh, so it is. |
|
Travis still out of sync, so I did some squashing and pushed that. Maybe that'll kick it hard enough... |
|
Hmm, it remains... |
|
Besides, considering the SM2 implementation changed recently , I think the man7/SM2.pod needs to get an update as well. Would you prefer to do that in this PR or I open a new PR fixing that, @levitte ? |
|
I'm refactoring As for |
|
... some days, it's hard to stand over zealous compilers. |
|
CIs are happy, the Travis failure is the usual timeout. |
levitte
added
approval: done
|
24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually. |
levitte
added
approval: ready to merge
|
@InfoHunter, thanks for the review! Merge coming up |
A huge problem with calling digest_custom() already in the initialization of DigestSign, DigestVerify etc, is that it force all callers to know that certain controls must be performed before Init and the rest after. This has lead to quite interesting hacks in our own openssl app, where the SM2 ID had to get special treatment instead of just being another sign option or verification option among others. This change moves the call of digest_custom() to the Update and Final functions, to be done exactly once, subject to a flag that's set in the Init function. Seeing to the process of data, through these operations, this makes no difference at all. Seeing to making it possible to perform all controls after the Init call, this makes a huge difference. Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
- X509_set0_sm2_id() -> X509_set0_distinguishing_id() - X509_get0_sm2_id() -> X509_get0_distinguishing_id() - X509_REQ_set0_sm2_id -> X509_REQ_set0_distinguishing_id() - X509_REQ_get0_sm2_id -> X509_REQ_get0_distinguishing_id() The reason for this rename is that the SM2 ID isn't really a unique SM2 data item, but rather a re-use of the Distinguished that is defined in ISO/IEC 15946-3 as well as in FIPS 196, with no special attribution toward any algorithm in particular. Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
Because we start using Distinguished ID, we also define the key name "distid", possibly prefixed with "hex", but keep "sm2_id" and "sm2_hex_id" for compatibility with GmSSL. Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
This should really be part of libcrypto, but since this looks like added legacy support, it's preferable to keep it in apps for now. This allows to build functions that add user given verification options to X509 and X509_REQ structures. Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
SM2 IDs are now passed entirely as '-pkeyopt', '-sigopt' or '-vfyopt' values, just like any other valid option. Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
Fixes openssl#11293 Reviewed-by: Paul Yang <[email protected]> (Merged from openssl#11302)
I had a re-thought on this. It seems current design doesn't allow passing the dist-ID into a provider, so the user can only set the dist-ID in advance and then the calculation of the dist-ID is computed in the |
|
Hmmm. The above comment was intended to post in PR #1124, and I posted to the wrong PR but nevertheless we can still discuss here... |
|
You mean #11248. I would prefer we have the discussion there, as that's an open PR |
4 participants
The idea is to stop special-casing the SM2 ID. In the center core, it means that
digest_custom()is called slightly later, which allows all controls to be performed after EVP_DigestSignInit(), instead of having to call the SM2 ID setting control before and the rest after.This allows us to remove the special
-sm2-idand-sm2-hex-idflags in a number of apps.For more information, see the commit comments.
Fixes #11293