SM2 CSR public key OID error #22184
-
I checked some websites, including openssl/test/certs/sm2-csr.pem and Java BouncyCastle; the OID is 1.2.840.10045.2.1 in all of them.
-
@InfoHunter Do you have any ideas here?
-
@InfoHunter Can you help me deal with it?
-
I get a similar thing just by doing the following
-
This is an encoding bug, and this discussion should be converted to an issue.

UPDATE: this might turn out not to be a bug; see further discussions below.
-
Hmmm. This encoding seems to have first been introduced by commit f2db052 - which makes no mention of the change of behaviour. So maybe this wasn't quite so deliberate after all. The question is whether we should change it now. It's been like this since 3.0.
-
As a reference re standards, I'm finding this: https://github.com/metanorma/gmt-0010-2012/blob/master/gmt-0010-2012-en.adoc#appendix-a-sm2-private-key-format
The only GM/T 0006-2012 that I can find is this: https://github.com/guanzhi/GM-Standards/blob/master/GMT%E5%AF%86%E7%A0%81%E8%A1%8C%E6%A0%87/GMT%200006-2012%20%E5%AF%86%E7%A0%81%E5%BA%94%E7%94%A8%E6%A0%87%E8%AF%86%E8%A7%84%E8%8C%83.pdf
So it's quite possible that my claim that this is a bug is incorrect.
-
I think we would need someone that is able to read Section 5.2.3.7 of GMT 0015-2012 基于SM2
-
@qwe857359351a are you able to translate these docs?
-
@InfoHunter could perhaps also help
-
The certificate of the ROOTCA (rootca), which is operated by the China Office of Security Commercial Code Administration (OSCCA), also uses 1.2.840.10045.2.1. We can download it from here
-
Okay, this is something that confuses people a lot due to the 'practice implementation' and 'the right thing' issue. IIRC, the SM2 OID change from 1.1.1 to 3.0 was because the team had an agreement that SM2 should have an independent OID (1 2 156 10197 1 301) rather than using the ECC one (need more time to find the history). I consider this the right thing in the high-level logic. In the specific implementation, before OpenSSL 3.0, every implementation, including OpenSSL 1.1.1, treats SM2 as ECC (1.2.840.10045.2.1), so the conflict is here.
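To check which of the two encodings discussed in this thread a given request carries, the following added example (not code from the discussion or from OpenSSL) walks a DER-encoded PKCS#10 request to its SubjectPublicKeyInfo and returns the algorithm and parameter OIDs. The function names and the skeleton sample requests are constructed for illustration, and the curve parameter placed in both samples is an assumption.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # generic EC key OID quoted in the thread
SM2_OID = "1.2.156.10197.1.301"         # SM2 OID quoted in the thread

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [], 0
    for byte in content:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def csr_key_oids(csr_der):
    """Return (algorithm OID, parameter OID or None) for a DER PKCS#10 request."""
    info = read_tlv(read_tlv(csr_der)[1])[1]       # CertificationRequestInfo
    pos = read_tlv(info, read_tlv(info)[2])[2]     # skip version, then subject
    alg_id = read_tlv(read_tlv(info, pos)[1])[1]   # SPKI -> AlgorithmIdentifier
    tag, alg, pos = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("algorithm is not an OBJECT IDENTIFIER")
    ptag, pval, _ = read_tlv(alg_id, pos) if pos < len(alg_id) else (None, b"", 0)
    return decode_oid(alg), decode_oid(pval) if ptag == 0x06 else None

def tlv(tag, *parts):  # DER builder used only for the constructed samples below
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def sample_csr(alg_oid_hex):
    sm2 = bytes.fromhex("06082a811ccf5501822d")  # assumed curve parameter
    alg_id = tlv(0x30, bytes.fromhex(alg_oid_hex), sm2)
    spki = tlv(0x30, alg_id, tlv(0x03, b"\x00\x04" + bytes(64)))  # zeroed point
    info = tlv(0x30, b"\x02\x01\x00", tlv(0x30), spki, tlv(0xA0))  # empty subject
    return tlv(0x30, info, tlv(0x30), tlv(0x03, bytes(65)))  # placeholder signature

EC_FORM = sample_csr("06072a8648ce3d0201")     # algorithm = id-ecPublicKey
SM2_FORM = sample_csr("06082a811ccf5501822d")  # algorithm = SM2 OID
```

A PEM request has to be base64-decoded to DER before it is passed to `csr_key_oids`.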
-
OpenSSL version: 3.1.2
CSR used in our projects:
CSR created by OpenSSL, not available:
This is the code:
What should I do to use the same OID?