‘sign’ is not supported for“sm3'?

[liyangzbx]

    def sign(
        self,
        private_key: CertificateIssuerPrivateKeyTypes,
        algorithm: typing.Optional[_AllowedHashTypes],
        backend: typing.Any = None,
    ) -> CertificateRevocationList:
        if self._issuer_name is None:
            raise ValueError("A CRL must have an issuer name")

        if self._last_update is None:
            raise ValueError("A CRL must have a last update time")

        if self._next_update is None:
            raise ValueError("A CRL must have a next update time")

        return rust_x509.create_x509_crl(self, private_key, algorithm)

class SM3(HashAlgorithm):
    name = "sm3"
    digest_size = 32
    block_size = 64

[reaperhulk]

We don’t currently support SM3 in x509. Are there SM3 OIDs for rsa and ecdsa or is it just sm2-with-sm3?

[github-actions]

This issue has been waiting for a reporter response for 3 days. It will be auto-closed if no activity occurs in the next 5 days.

[github-actions]

This issue has not received a reporter response and has been auto-closed. If the issue is still relevant please leave a comment and we can reopen it.

[raydoom]

I think it is just sm2-with-sm3

[reaperhulk]

Thanks @raydoom. For others who might have seen this issue -- supporting this in cryptography requires us to add support for SM2, then add support in the X509 signer for this OID. We've had a contributor attempt to add SM2 in the past but unfortunately they were unable to finish the work. At the moment we (the primary maintainers) aren't planning to implement that ourselves, but if someone wants to contribute it roughly looks like:

• Ensure rust-openssl has the appropriate bindings
• Add support for a new key type in this project via a PR that looks similar to the work in Migrate EC support to Rust #9024 from a rust perspective but also implements the SM2Sign construction rather than ECDSA.
• Follow up that PR with extending it to allow signatures in X.509