It is no longer possible to load an SM2 key based on a non-SM2 curve

[mattcaswell]

In 1.1.1 SM2 would work with any curve. You just had to remember to call EVP_PKEY_set_alias_type() with your key to make sure that it is handled as SM2 and not standard EC.

However if you have a key saved in a PEM file based that is intended to be used with SM2 but is based on some non-SM2 curve then it no longer seems to be possible to load it.

For example to load an SM2 key saved in SubjectPublicKeyInfo format then you might have used PEM_read_bio_PUBKEY to load it. The result would have been an EC key that you convert to SM2 using EVP_PKEY_set_alias_type(). However since the loaded key is now a provider side key the call to EVP_PKEY_set_alias_type() fails.

I thought it would be possible to load it another way using a DECODER directly, e.g.

    dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", "SubjectPublicKeyInfo",
                                         "SM2", 
                                         OSSL_KEYMGMT_SELECT_PUBLIC_KEY
                                         | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS,
                                         NULL, NULL);

Here I am telling the decoder directly to expect an SM2 key. However this still fails. Internally it loads the key as an EC key and then fails because it was expecting SM2.

This is related to but slightly different to the issue described in #14379.

[t8m]

I remember we discussed this a few months ago and said we do not want to suppor SM2 keys with arbitrary curves. @romen ?

[mattcaswell]

I remember we discussed this a few months ago and said we do not want to suppor SM2 keys with arbitrary curves

This could be a valid answer to this problem - but if so, it is a breaking change, we should document that change in behaviour in CHANGES.md and there should be a formal OTC vote IMO.

[romen]

When SM2 was being migrated to providers I think we ended up with saying:

• for backward compatibility our decoder, finding an EC key file with the SM2 OID for the curve field will yield an SM2 keymgmt object. Finding other curve OIDs (or explicit params) an EC keymgmt object is returned
• programmatically we want to retain the ability of using the SM2 DH and SM2DSA crypto systems on any curve (for tinkerers and scientists, and expecting that soon there might be a standard update adding a ~512 bit curve as an option)

So in light of our recent meeting, I would say that we don't have a requirement to support decoding of SM2 keys over arbitrary curves (as by the standard they are indistinguishable from regular EC key encodings), but we want to retain the option of using the SM2 keymgmt to generate an object over any curve.

Does this make sense?

[mattcaswell]

I would say that we don't have a requirement to support decoding of SM2 keys over arbitrary curves

The implication is that you can't save and restore an SM2 key over an arbitrary curve. They are "ephemeral". Is that really the requirement?

[levitte]

If I've understood the SM2 spec correctly, an SM2 key has an SM2 curve by definition. There's absolutely nothing else that identifies them as such, they are otherwise like any EC key, including using the same OID (id-ecPublicKey) in AlgorithmIdentifiers.

[mattcaswell]

If I've understood the SM2 spec correctly, an SM2 key has an SM2 curve by definition. There's absolutely nothing else that identifies them as such, they are otherwise like any EC key, including using the same OID (id-ecPublicKey) in AlgorithmIdentifiers.

Nonetheless in 1.1.1 we allowed any curve to be used, so not doing so is a breaking change.

[t8m]

And we are back at the topic of allowing in-provider key type conversions between compatible types.

[levitte]

... or simply accept this breaking change. When discussing this with @romen, he expressed serious doubts that this was actully used anywhere, except perhaps by himself...

Like @mattcaswell said, we'd better have this confirmed (or not) with OTC

[romen]

If I've understood the SM2 spec correctly, an SM2 key has an SM2 curve by definition. There's absolutely nothing else that identifies them as such, they are otherwise like any EC key, including using the same OID (id-ecPublicKey) in AlgorithmIdentifiers.

Nonetheless in 1.1.1 we allowed any curve to be used, so not doing so is a breaking change.

@mattcaswell in 1.1.1 SM2 keys on arbitrary keys were similarly "ephemeral": on saving them to a file and reloading them you would get back an EC key, with the requirement to explicitly convert it to SM2 programmatically.

The breaking change would be that it's the way to programmatically "cast" the EC key in a SM2 key: before it was set_alias now it's an explicit export by the EC keymgmt paired with an explicit import by the SM2 keymgmt.

As long as we retain the option of programmatically create SM2 keys over arbitrary curves, the breaking change does not equate to a functionality loss.
(and as @levitte remarked, I don't believe there is any software in production using SM2 keys over arbitrary curves: it's mostly a thing done for experimentation, so I believe the breaking change in getting rid of set_alias, to be replaced with some other mean of "casting" the key, won't really be catastrophic for anyone)

[mattcaswell]

The breaking change would be that it's the way to programmatically "cast" the EC key in a SM2 key: before it was set_alias now it's an explicit export by the EC keymgmt paired with an explicit import by the SM2 keymgmt.

As far as I know there is no way for an application to programmatically do that???

the breaking change does not equate to a functionality loss.

Unless we make some other change there is funcationality loss.