Fix the bug in issuing sm2 certificate.

Cargo.toml

@@ -43,7 +43,7 @@ log = "0.4"
 env_logger = "0.10"
 hex = "0.4"
 humantime = "2.1"
-delay_timer = "0.11"
+delay_timer = "0.11.6"
 as-any = "0.3.1"
 pem = "3.0"
 chrono = "0.4"
@@ -60,8 +60,8 @@ base64 = "0.22"
 ipnetwork = "0.20"
 
 # optional dependencies
-openssl = { version = "0.10", optional = true }
-openssl-sys = { version = "0.9", optional = true }
+openssl = { version = "0.10.64", optional = true }
+openssl-sys = { version = "0.9.102", optional = true }
 
 # uncomment the following lines to use Tongsuo as underlying crypto adaptor
 #[patch.crates-io]

src/modules/pki/path_issue.rs

@@ -150,6 +150,7 @@ impl PkiBackendInner {
             subject,
             dns_sans: common_names,
             ip_sans,
+            key_type: role_entry.key_type.clone(),
             key_bits: role_entry.key_bits,
             ..cert::Certificate::default()
         };

src/modules/pki/path_keys.rs

@@ -308,9 +308,7 @@ impl PkiBackendInner {
             key_bundle.bits = (key_bundle.key.len() as u32) * 8;
             match key_bundle.bits {
                 128 | 192 | 256 => {},
-                _ => {
-                    return Err(RvError::ErrPkiKeyBitsInvalid);
-                }
+                _ => return Err(RvError::ErrPkiKeyBitsInvalid),
             };
             let iv_value = req.get_data_or_default("iv")?;
             let is_iv_required = matches!(key_type, "aes-gcm" | "aes-cbc" | "sm4-gcm" | "sm4-ccm");

src/modules/pki/path_roles.rs

@@ -359,6 +359,16 @@ impl PkiBackendInner {
                     return Err(RvError::ErrPkiKeyBitsInvalid);
                 }
             }
+            #[cfg(feature = "crypto_adaptor_tongsuo")]
+            "sm2" => {
+                if key_bits == 0 {
+                    key_bits = 256;
+                }
+
+                if key_bits != 256 {
+                    return Err(RvError::ErrPkiKeyBitsInvalid);
+                }
+            },
             _ => {
                 return Err(RvError::ErrPkiKeyTypeInvalid);
             }

src/modules/pki/util.rs

@@ -40,9 +40,17 @@ pub fn get_role_params(req: &mut Request) -> Result<RoleEntry, RvError> {
                 return Err(RvError::ErrPkiKeyBitsInvalid);
             }
         }
-        _ => {
-            return Err(RvError::ErrPkiKeyTypeInvalid);
+        #[cfg(feature = "crypto_adaptor_tongsuo")]
+        "sm2" => {
+            if key_bits == 0 {
+                key_bits = 256;
+            }
+
+            if key_bits != 256 {
+                return Err(RvError::ErrPkiKeyBitsInvalid);
+            }
         }
+        _ => return Err(RvError::ErrPkiKeyTypeInvalid),
     }
 
     let signature_bits = req.get_data_or_default("signature_bits")?.as_u64().ok_or(RvError::ErrRequestFieldInvalid)?;
@@ -145,6 +153,7 @@ pub fn generate_certificate(role_entry: &RoleEntry, req: &mut Request) -> Result
         subject,
         dns_sans: common_names,
         ip_sans,
+        key_type: role_entry.key_type.clone(),
         key_bits: role_entry.key_bits,
         ..Default::default()
     };

src/utils/cert.rs

@@ -283,10 +283,16 @@ impl Certificate {
             AuthorityKeyIdentifier::new().keyid(true).issuer(false).build(&builder.x509v3_context(ca_cert, None))?;
         builder.append_extension(authority_key_id)?;
 
+        let digest = match self.key_type.as_str() {
+            "rsa" | "ec" => MessageDigest::sha256(),
+            #[cfg(feature = "crypto_adaptor_tongsuo")]
+            "sm2" => MessageDigest::sm3(),
+            _ => return Err(RvError::ErrPkiKeyTypeInvalid),
+        };
         if ca_key.is_some() {
-            builder.sign(ca_key.as_ref().unwrap(), MessageDigest::sha256())?;
+            builder.sign(ca_key.as_ref().unwrap(), digest)?;
         } else {
-            builder.sign(private_key, MessageDigest::sha256())?;
+            builder.sign(private_key, digest)?;
         }
 
         Ok(builder.build())
@@ -300,31 +306,36 @@ impl Certificate {
         let key_bits = self.key_bits;
         let priv_key = match self.key_type.as_str() {
             "rsa" => {
-                if key_bits != 2048 && key_bits != 3072 && key_bits != 4096 {
-                    return Err(RvError::ErrPkiKeyBitsInvalid);
+                match key_bits {
+                    2048 | 3072 | 4096 => {
+                        let rsa_key = Rsa::generate(key_bits)?;
+                        PKey::from_rsa(rsa_key)?
+                    },
+                    _ => return Err(RvError::ErrPkiKeyBitsInvalid),
                 }
-                let rsa_key = Rsa::generate(key_bits)?;
-                let pkey = PKey::from_rsa(rsa_key)?;
-                pkey
             }
             "ec" => {
                 let curve_name = match key_bits {
                     224 => Nid::SECP224R1,
                     256 => Nid::SECP256K1,
                     384 => Nid::SECP384R1,
                     521 => Nid::SECP521R1,
-                    _ => {
-                        return Err(RvError::ErrPkiKeyBitsInvalid);
-                    }
+                    _ => return Err(RvError::ErrPkiKeyBitsInvalid),
                 };
                 let ec_group = EcGroup::from_curve_name(curve_name)?;
                 let ec_key = EcKey::generate(ec_group.as_ref())?;
-                let pkey = PKey::from_ec_key(ec_key)?;
-                pkey
+                PKey::from_ec_key(ec_key)?
             }
-            _ => {
-                return Err(RvError::ErrPkiKeyTypeInvalid);
+            #[cfg(feature = "crypto_adaptor_tongsuo")]
+            "sm2" => {
+                if key_bits != 256 {
+                    return Err(RvError::ErrPkiKeyBitsInvalid);
+                }
+                let ec_group = EcGroup::from_curve_name(Nid::SM2)?;
+                let ec_key = EcKey::generate(&ec_group)?;
+                PKey::from_ec_key(ec_key)?
             }
+            _ => return Err(RvError::ErrPkiKeyTypeInvalid),
         };
 
         let cert = self.to_x509(ca_cert, ca_key, &priv_key)?;

src/utils/key.rs

@@ -136,9 +136,7 @@ impl KeyBundle {
                 rand_bytes(&mut key)?;
                 key
             },
-            _ => {
-                return Err(RvError::ErrPkiKeyTypeInvalid);
-            }
+            _ => return Err(RvError::ErrPkiKeyTypeInvalid),
         };
 
         self.key = priv_key;