From: Tomas Mraz Date: Wed, 23 Jun 2021 07:40:56 +0000 (+0200) Subject: Documentation: SM2 keys can use only the SM2 curve X-Git-Tag: openssl-3.0.0-beta2~221 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77072e274925d26da3a17378e4794dc11f43ace4;p=thirdparty%2Fopenssl.git Documentation: SM2 keys can use only the SM2 curve Fixes #14411 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15875) --- diff --git a/doc/man7/EVP_PKEY-SM2.pod b/doc/man7/EVP_PKEY-SM2.pod index 4f0e240f3f3..8bdc506cec2 100644 --- a/doc/man7/EVP_PKEY-SM2.pod +++ b/doc/man7/EVP_PKEY-SM2.pod @@ -55,6 +55,9 @@ or EVP_DigestVerifyInit() in such a scenario. SM2 can be tested with the L application since version 3.0. Currently, the only valid algorithm name is B. +Since version 3.0, SM2 keys can be generated and loaded only when the domain +parameters specify the SM2 elliptic curve. + =head1 EXAMPLES This example demonstrates the calling sequence for using an B to verify diff --git a/doc/man7/migration_guide.pod b/doc/man7/migration_guide.pod index 6d281472c97..9a9d940af4b 100644 --- a/doc/man7/migration_guide.pod +++ b/doc/man7/migration_guide.pod @@ -360,7 +360,9 @@ call C to get SM2 computations. Parameter and key generation is also reworked to make it possible to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate -SM2 keys directly and must not create an EVP_PKEY_EC key first. +SM2 keys directly and must not create an EVP_PKEY_EC key first. It is no longer +possible to import an SM2 key with domain parameters other than the SM2 elliptic +curve ones. Validation of SM2 keys has been separated from the validation of regular EC keys, allowing to improve the SM2 validation process to reject loaded private
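Review bot: In the doc/man7/EVP_PKEY-SM2.pod hunk, the added sentence "SM2 keys can be generated and loaded only when the domain parameters specify the SM2 elliptic curve" does not say what a caller sees when other domain parameters are supplied. State the failure mode, that is, whether key generation and loading return an error, so that applications know to check for it. It would also help to name the curve the way it must be spelled in the parameters, since "the SM2 elliptic curve" alone leaves the reader to look up the identifier.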
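Review bot: In the doc/man7/migration_guide.pod hunk, the new text covers only import ("It is no longer possible to import an SM2 key with domain parameters other than the SM2 elliptic curve ones"), while the EVP_PKEY-SM2.pod hunk in the same patch says keys can be "generated and loaded" only with the SM2 curve. A reader migrating code that generates keys cannot tell from the guide whether generation is restricted too. Align the two, for example: "SM2 keys can no longer be generated or imported with domain parameters other than those of the SM2 elliptic curve." That wording also avoids the awkward "curve ones".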