Legacy SM2 key generation does not work

[mattcaswell]

In 1.1.1, to generate an SM2 key (in an EVP_PKEY), you would first create an EC
key (in an EVP_PKEY), and then call EVP_PKEY_set_alias_type() to convert it to
an SM2 key.

In 3.0 you are supposed to generate an SM2 key directly.

However, the CHANGES.md file seems to indicate that the old way should still
work - however it doesn't. Generating an EC key ends up with a provider side
EC key. Calling EVP_PKEY_set_alias_type() on a provided key will only work if
the "alias" type is the same as the actual type. Otherwise it fails. Therefore
legacy code will fail.

CHANGES says these things about it:

• Validation of SM2 keys has been separated from the validation of regular EC
  keys, allowing to improve the SM2 validation process to reject loaded private
  keys that are not conforming to the SM2 ISO standard.
  In particular, a private scalar k outside the range 1 <= k < n-1 is now
  correctly rejected.

• Deprecated EVP_PKEY_set_alias_type(). This function was previously
  needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
  type is internally recognised so the workaround is no longer needed.

  Functionality is still retained as it is, but will only work with
  EVP_PKEYs with a legacy internal key.

• Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
  automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
  This means that applications don't have to look at the curve NID and
  EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) to get SM2 computations.
  However, they still can, that EVP_PKEY_set_alias_type() call acts as
  a no-op when the EVP_PKEY is already of the given type.

  Parameter and key generation is also reworked to make it possible
  to generate EVP_PKEY_SM2 parameters and keys without having to go
  through EVP_PKEY_EC generation and then change the EVP_PKEY type.
  However, code that does the latter will still work as before.

[levitte]

Ah, right... At the time, creating an SM2 key always ended up as a legacy key, because we hadn't figured out all the ins and outs to make it provided. There was some ugly hackery in a few places that actually downgraded a provided EC key to a legacy SM2 key if it had an SM2 curve.

That has changed since, but CHANGES wasn't amended.
I'm not really sure any longer what effect this has on old code that did SM2. Did you perhaps find that things no longer works as before, considering that you're looking at 1.1.1 apps against 3.0 libs?

Do note that this has been subject for intense debate, and a choice was made not to transport certain legacy mechanisms (for SM2, it was also an ugly hack) over to provider support.

[mattcaswell]

I'm not really sure any longer what effect this has on old code that did SM2. Did you perhaps find that things no longer works as before, considering that you're looking at 1.1.1 apps against 3.0 libs?

Yes - exactly that.

Do note that this has been subject for intense debate, and a choice was made not to transport certain legacy mechanisms (for SM2, it was also an ugly hack) over to provider support.

Yes. I think an OTC discussion on what we want the behaviour to be is probably warranted.

[t-j-h]

Needs OTC decision on whether or not types should be mutable (both for this and DH/DHX) and if so we may make a breaking change here and remove this API. To be discussed.

[mattcaswell]

OTC voted on the following:
EVP_PKEY types are immutable once set. Types cannot be changed once set. To move from one type to another compatible type will require export/import.

The vote has passed.