Documentation: SM2 keys can use only the SM2 curve

Fixes #14411 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15875)
2024-11-21 01:15:20 +08:00 · 2021-06-23 09:40:56 +02:00 · 2021-06-23 09:40:56 +02:00 · 77072e2749
commit 77072e2749
parent 79df244ba0
2 changed files with 6 additions and 1 deletions
--- a/doc/man7/EVP_PKEY-SM2.pod
+++ b/doc/man7/EVP_PKEY-SM2.pod
@ -55,6 +55,9 @@ or EVP_DigestVerifyInit() in such a scenario.
 SM2 can be tested with the L<openssl-speed(1)> application since version 3.0.
 Currently, the only valid algorithm name is B<sm2>.

+Since version 3.0, SM2 keys can be generated and loaded only when the domain
+parameters specify the SM2 elliptic curve.
+
 =head1 EXAMPLES

 This example demonstrates the calling sequence for using an B<EVP_PKEY> to verify
--- a/doc/man7/migration_guide.pod
+++ b/doc/man7/migration_guide.pod
@ -360,7 +360,9 @@ call C<EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)> to get SM2 computations.

 Parameter and key generation is also reworked to make it possible
 to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
-SM2 keys directly and must not create an EVP_PKEY_EC key first.
+SM2 keys directly and must not create an EVP_PKEY_EC key first. It is no longer
+possible to import an SM2 key with domain parameters other than the SM2 elliptic
+curve ones.

 Validation of SM2 keys has been separated from the validation of regular EC
 keys, allowing to improve the SM2 validation process to reject loaded private