From 202d652e028f2636252a19022e1c932070ee56b0 Mon Sep 17 00:00:00 2001
From: s_c_c <shichuchao@huawei.com>
Date: Wed, 29 Jun 2022 18:00:11 +0800
Subject: [PATCH] X509 command support SM2 signing with default sm2id

---
 ...rtificate-signing-with-default-sm2id.patch | 87 +++++++++++++++++++
 openssl.spec                                  |  6 +-
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch

diff --git a/Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch b/Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
new file mode 100644
index 0000000..99610bc
--- /dev/null
+++ b/Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
@@ -0,0 +1,87 @@
+From d3e1106ea296a2ec94d27dd34692c34ad543ad04 Mon Sep 17 00:00:00 2001
+From: s_c_c <shichuchao@huawei.com>
+Date: Wed, 29 Jun 2022 17:54:50 +0800
+Subject: [PATCH] X509 command supports SM2 certificate signing with default
+ sm2id
+
+---
+ apps/x509.c                |  4 ++++
+ include/openssl/sm2.h      |  9 +++++++++
+ test/recipes/25-test_req.t | 13 ++++++++++---
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/apps/x509.c b/apps/x509.c
+index 1043eba..2669894 100644
+--- a/apps/x509.c
++++ b/apps/x509.c
+@@ -1078,6 +1078,10 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
+         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
+             goto err;
+     }
++#ifndef OPENSSL_NO_SM2
++    if (EVP_PKEY_is_sm2(pkey) && !EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2))
++        goto err;
++#endif
+     if (!X509_sign(x, pkey, digest))
+         goto err;
+     return 1;
+diff --git a/include/openssl/sm2.h b/include/openssl/sm2.h
+index 505ebfc..cc517bc 100644
+--- a/include/openssl/sm2.h
++++ b/include/openssl/sm2.h
+@@ -1,3 +1,12 @@
++/*
++ * Copyright 2022 Huawei Technologies Co., Ltd. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
+ #ifndef HEADER_SM2_H
+ # define HEADER_SM2_H
+ 
+diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
+index d53e577..2b0c08c 100644
+--- a/test/recipes/25-test_req.t
++++ b/test/recipes/25-test_req.t
+@@ -182,10 +182,10 @@ subtest "generating certificate requests" => sub {
+ };
+ 
+ subtest "generating SM2 certificate requests" => sub {
+-    plan tests => 4;
++    plan tests => 5;
+ 
+     SKIP: {
+-        skip "SM2 is not supported by this OpenSSL build", 4
++        skip "SM2 is not supported by this OpenSSL build", 5
+         if disabled("sm2");
+         ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+@@ -198,6 +198,13 @@ subtest "generating SM2 certificate requests" => sub {
+                     "-sm2-id", "1234567812345678", "-sm3"])),
+            "Verifying signature on SM2 certificate request");
+ 
++        # Use default sm2 id
++        ok(run(app(["openssl", "x509", "-req", "-extfile", srctop_file("test", "CAss.cnf"),
++                    "-extensions", "v3_ca", "-sm3", "-days", "365",
++                    "-in", "testreq.pem", "-signkey", srctop_file("test", "certs", "sm2.key"),
++                    "-out", "testsign.pem"])),
++           "Signing SM2 certificate request");
++
+         ok(run(app(["openssl", "req", "-config", srctop_file("test", "test.cnf"),
+                     "-new", "-key", srctop_file("test", "certs", "sm2.key"),
+                     "-sigopt", "sm2_hex_id:DEADBEEF",
+@@ -218,7 +225,7 @@ run_conversion('req conversions',
+ run_conversion('req conversions -- testreq2',
+                srctop_file("test", "testreq2.pem"));
+ 
+-unlink "testkey.pem", "testreq.pem", "testreq_withattrs_pem.pem", "testreq_withattrs_der.pem";
++unlink "testkey.pem", "testreq.pem", "testreq_withattrs_pem.pem", "testreq_withattrs_der.pem", "testsign.pem";
+ 
+ sub run_conversion {
+     my $title = shift;
+-- 
+2.20.1 (Apple Git-117)
+
diff --git a/openssl.spec b/openssl.spec
index c94a691..eabf07f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
 Name:        openssl
 Epoch:       1
 Version:     1.1.1m
-Release:     3
+Release:     4
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@@ -29,6 +29,7 @@ Patch18:     Backport-Fix-a-document-description-in-apps-req.patch
 Patch19:     Backport-Update-expired-SCT-certificates.patch
 Patch20:     Backport-ct_test.c-Update-the-epoch-time.patch
 Patch21:     Feature-Support-TLCP-protocol.patch
+Patch22:     Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
 
 BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@@ -225,6 +226,9 @@ make test || :
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Jun 29 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-4
+- x509 command support SM2 signing with default sm2id
+
 * Thu Jun 9 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-3
 - support sm2 certificate sign and verify
 - fix ct test errors