verify sm2 certification failed through 'openssl verify' #24167

Open
b1gcat opened this issue Apr 17, 2024 · 5 comments
Labels: resolved: not a bug (The issue is not considered a bug); triaged: bug (The issue/pr is/fixes a bug)


b1gcat commented Apr 17, 2024

the issue says as follows:

```
openssl verify -no_check_time -CAfile ./chain.pem u2.pem

C=CN, O=BJCA, OU=BJCA, CN=Beijing SM2 CA
error 7 at 1 depth lookup: certificate signature failure
error u2.pem: verification failed
00B14644F87F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:216:
```

certs.zip

nhorman (Contributor) commented Apr 17, 2024

Does your openssl build have sm2 and sm3 enabled? When enabling both algorithms on the master branch, I was able to run the above command without issue.

b1gcat (Author) commented Apr 18, 2024

I have no idea, maybe I will try master later.

> Does your openssl build have sm2 and sm3 enabled? When enabling both algorithms on the master branch, I was able to run the above command without issue.

```
b1gcat@b1gcat  openssl-3.3.0  perl configdata.pm --dump

Command line (with current working directory = .):

perl ./Configure --prefix=/usr/local --openssldir=/usr/local/openssl

Perl information:

perl
5.34.1 for darwin-thread-multi-2level

Enabled features:

apps
argon2
aria
asm
async
atexit
autoalginit
autoerrinit
autoload-config
bf
blake2
bulk
cached-fetch
camellia
capieng
cast
chacha
cmac
cmp
cms
comp
ct
default-thread-pool
deprecated
des
dgram
dh
docs
dsa
dso
dtls
dynamic-engine
ec
ec2m
ecdh
ecdsa
ecx
engine
err
filenames
gost
http
idea
legacy
loadereng
makedepend
md4
mdc2
module
multiblock
nextprotoneg
ocb
ocsp
padlockeng
pic
pinshared
poly1305
posix-io
psk
quic
unstable-qlog
rc2
rc4
rdrand
rfc3779
rmd160
scrypt
secure-memory
seed
shared
siphash
siv
sm2
sm2-precomp
sm3
sm4
sock
srp
srtp
sse2
ssl
ssl-trace
static-engine
stdio
tests
thread-pool
threads
tls
ts
ui-console
whirlpool
tls1
tls1-method
tls1_1
tls1_1-method
tls1_2
tls1_2-method
tls1_3
dtls1
dtls1-method
dtls1_2
dtls1_2-method
```

nhorman (Contributor) commented Apr 18, 2024

I suspect it's not. I believe sm2/3 is disabled by default.

If you configure with:

    ./Configure enable-sm2 enable-sm3

Then the output of configdump shows

Enabled features:

    afalgeng
    apps
    argon2
    aria
    asm
    async
    atexit
    autoalginit
    autoerrinit
    autoload-config
    bf
    blake2
    bulk
    cached-fetch
    camellia
    capieng
    cast
    chacha
    cmac
    cmp
    cms
    comp
    ct
    default-thread-pool
    deprecated
    des
    dgram
    dh
    docs
    dsa
    dso
    dtls
    dynamic-engine
    ec
    ec2m
    ecdh
    ecdsa
    ecx
    engine
    err
    filenames
    gost
    http
    idea
    legacy
    loadereng
    makedepend
    md4
    mdc2
    module
    multiblock
    nextprotoneg
    ocb
    ocsp
    padlockeng
    pic
    pinshared
    poly1305
    posix-io
    psk
    quic
    unstable-qlog
    rc2
    rc4
    rdrand
    rfc3779
    rmd160
    scrypt
    secure-memory
    seed
    shared
    siphash
    siv
    sm2  <=======HERE
    sm2-precomp
    sm3 <=====HERE
    sm4
...

And everything works

@nhorman nhorman added triaged: bug The issue/pr is/fixes a bug resolved: not a bug The issue is not considered a bug labels Apr 18, 2024
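
The build-configuration question raised above can be checked mechanically. This is an added example, not code from the thread or from OpenSSL: the function names are hypothetical, the sample dumps are constructed, and the `Disabled features:` header and its line layout are assumed from typical `perl configdata.pm --dump` output.

```shell
#!/bin/sh
# feature_state NAME: reads `perl configdata.pm --dump` output on stdin and
# prints "enabled", "disabled" or "absent" for the feature NAME.
feature_state() {
    awk -v want="$1" '
        /^Enabled features:/  { section = "enabled";  next }
        /^Disabled features:/ { section = "disabled"; next }   # assumed header name
        /:[ \t]*$/            { section = "";         next }   # any other section header
        section != "" && $1 == want { state = section }        # exact match, so sm2 is not sm2-precomp
        END { print (state == "" ? "absent" : state) }
    '
}

# sm_build_ok: reads a dump on stdin, succeeds only if sm2 and sm3 are both enabled.
sm_build_ok() {
    dump=$(cat)
    rc=0
    for f in sm2 sm3; do
        s=$(printf '%s\n' "$dump" | feature_state "$f")
        echo "$f: $s"
        [ "$s" = enabled ] || rc=1
    done
    return "$rc"
}

# Constructed, abbreviated sample dumps (not taken from the issue).
sample_enabled() { cat <<'EOF'
Command line (with current working directory = .):
    perl ./Configure enable-sm2 enable-sm3
Enabled features:
    siv
    sm2
    sm2-precomp
    sm3
Disabled features:
    md2             [default]   OPENSSL_NO_MD2
EOF
}
sample_disabled() { cat <<'EOF'
Enabled features:
    siv
    sm2-precomp
Disabled features:
    sm2             [option]    OPENSSL_NO_SM2
    sm3             [option]    OPENSSL_NO_SM3
EOF
}

sample_disabled | sm_build_ok || echo "rebuild with: ./Configure enable-sm2 enable-sm3"
```

Against a real source tree, pipe the dump in directly: `perl configdata.pm --dump | sm_build_ok`.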
b1gcat (Author) commented Apr 28, 2024

very very weird ......:

```
brew edit openssl@3  ==> config enable-sm2/3
brew install --build-from-source --formula /Users/b1gcat/Desktop/openssl@3.rb
nm /usr/local/Cellar/openssl@3/3.3.0/lib/libcrypto.3.dylib|grep sm2
```

b1gcat (Author) commented May 6, 2024

Well, I cloned master and started as follows:

```
git clone https://github.com/openssl/openssl
ls
cd openssl
ls
./Configure enable-sm2 enable-sm3
make
cd ..
export LD_LIBRARY_PATH=openssl
./openssl/apps/openssl verify -no_check_time -CAfile ./chain.pem u2.pem
./openssl/apps/openssl verify  -CAfile ./chain.pem u2.pem
```

bong :(

```
└─# ./openssl/apps/openssl verify -untrusted ./chain.pem  -CAfile ./chain.pem u2.pem
C=CN, O=BJCA, OU=BJCA, CN=Beijing SM2 CA
error 7 at 1 depth lookup: certificate signature failure
error u2.pem: verification failed
801BCB21577F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:216:
```
