about SM2(ECC) cert verify #6579
Comments
Which pre-release of 1.1.1? We will need to see the failing certificate chain. There is not enough information here to reproduce/diagnose your error.
this is the verify function:
try using
$ openssl x509 -in cert.pem -text
$ openssl x509 -in root.pem -text
Yes, I can parse certs with the function.
But I want to verify the cert chain with C code.
In essence this is a question for SM2 contributors. I tried to pose a related question about algorithm identification, but the reply was a vague reference to SM2 being permitted only with the SM2 curve. To be more specific, in the above output you can note "Public Key Algorithm: id-ecPublicKey", with "ASN1 OID: SM2". So we have the SM2 curve appointed for an operation. Then the signature algorithm has to be chosen. The identifier can be observed as "Signature Algorithm: 1.2.156.10197.1.501". But OpenSSL does not know anything about 501. It ought to be "SM2 signature [presumably] with SM3 digest", but computer programs don't make assumptions, they need to be explicitly told... In other words [unsurprisingly] SM2 support needs more work...
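The failure mode described in this comment, as an added example that is not part of the thread and not OpenSSL's code: the DER content bytes of 1.2.156.10197.1.501 are decoded to dotted form and looked up in a registry, and a miss yields -1 ("could not be checked", the value the reporter saw) rather than 0 for a bad signature. `oid_to_dotted`, `sig_alg_status` and the `KNOWN` table are hypothetical names; the other two OIDs in the table are sha256WithRSAEncryption and ecdsa-with-SHA256.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: DER content bytes of the OID quoted in the thread. */
static const unsigned char SM2_SM3_OID[] = {0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x75};
/* Hypothetical registry; the first two entries model a build without 501. */
static const char *const KNOWN[] =
    { "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2", "1.2.156.10197.1.501" };

/* Decode OID content bytes to dotted form; 0 on success, -1 if malformed. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t cap)
{
    size_t pos = 0;
    unsigned long arc = 0;
    int first = 1, n;
    for (size_t i = 0; i < len; i++) {
        if (arc == 0 && der[i] == 0x80) return -1;  /* non-minimal encoding */
        if (arc > (~0UL >> 7)) return -1;           /* arc would overflow */
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80) {                        /* continuation byte */
            if (i + 1 == len) return -1;            /* truncated arc */
            continue;
        }
        if (first) {            /* first subidentifier packs 40*X + Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + pos, cap - pos, "%lu.%lu", x, arc - 40 * x);
        } else {
            n = snprintf(out + pos, cap - pos, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= cap - pos) return -1;  /* buffer too small */
        pos += (size_t)n;
        arc = 0; first = 0;
    }
    return first ? -1 : 0;      /* empty input is not a valid OID */
}

/* 1 = algorithm known, check can proceed; -1 = cannot be checked at all. */
int sig_alg_status(const unsigned char *der, size_t len, size_t n_known)
{
    char dotted[128];
    if (oid_to_dotted(der, len, dotted, sizeof dotted) != 0) return -1;
    for (size_t i = 0; i < n_known; i++)
        if (strcmp(dotted, KNOWN[i]) == 0) return 1;
    return -1;
}

int main(void)
{
    printf("without 501: %d, with 501: %d\n",
           sig_alg_status(SM2_SM3_OID, sizeof SM2_SM3_OID, 2),
           sig_alg_status(SM2_SM3_OID, sizeof SM2_SM3_OID, 3));
}
```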
Thanks a lot
Ping @randombit @ronaldtse. Thoughts?
So, obviously the OIDs identifying SM2 signatures with various hashes need to be added. But I think additionally for cert verification, some check will need to be added to certificate verification, to detect use of an SM2 OID and then call
Sorry for the late reply. Indeed, we will need to extend the OIDs and allow certificate verification. SM2 support was never a single PR thing and requires a comprehensive effort, which we will help with. In particular, we need to deal with GM/T 0015 (SM2 Certificate generation and validation) which we haven't had time to translate/spec yet...
This is supposedly closed on master. Closing. If not, please reopen or open a new issue.
How to verify an SM2(ECC) certificate?
This is my code:
X509 *issuer;
X509 *subject;
EVP_PKEY *signing_key = X509_get_pubkey(issuer);
int result = X509_verify(x509, signing_key);
But it returns -1.
The certificate chain is OK.
I tried the code with RSA. It's OK.
But it is an error with SM2.
I have no idea.
The version is 1.1.1.