Describe the bug
CyberChef’s “Parse X.509 certificate” operation fails when parsing certificates using SM2 public keys. The parser stops with the error “unsupported curve name”, even though the certificate is valid and correctly parsed by OpenSSL.
The certificate uses:
Signature Algorithm: SM2-with-SM3
Public Key Algorithm: id-ecPublicKey
EC Curve: SM2 (GM/T 0003 / GB/T 32918)
OpenSSL is able to fully decode the certificate and correctly identifies the SM2 curve, but CyberChef fails during EC curve name resolution.
To Reproduce
Steps to reproduce the behaviour or a link to the recipe / input used to cause the bug:
- Open CyberChef
- Use “Parse X.509 certificate”
- Paste a PEM encoded SM2 certificate
- Observe error: “unsupported curve name”
-----BEGIN CERTIFICATE-----
MIICXzCCAgWgAwIBAgIIRdOoIoXXdMAwCgYIKoEcz1UBg3UwNjELMAkGA1UEBhMC
Q04xEzARBgNVBAoTClNoYW5nTWlCZWkxEjAQBgNVBAMTCVNoYW5nTWlDQTAeFw0y
NTA2MDkwMjUwNDlaFw00NTEwMTAxMjAxMDFaMFUxEzARBgNVBAoTClNoYW5nTWlC
ZWkxFzAVBgNVBAsTDlNoYW5nTWlCZWkyMDI1MRgwFgYDVQQDEw9zaGFuZ21pYmVp
YWRtaW4xCzAJBgNVBAYTAkNOMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7+t5
4QoxLPHIhxkdATembEfiRb//K8HBn9L4rJqVMb8dGN2Q9Q8ARuUSuV7q3oZPxJ4w
sks9VEvU/Ahk90Cy6aOB3TCB2jAOBgNVHQ8BAf8EBAMCA4gwHQYDVR0lBBYwFAYI
KwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdDgQIBAYBAgMEBQYwDwYDVR0jBAgwBoAE
AQIDBDAuBgNVHREEJzAlgQtnaXRAZ2l0LmNvbYcEfwAAAYcQIAFIYAAAIAEAAAAA
AAAAaDBXBgNVHR8EUDBOMCWgI6Ahhh9odHRwOi8vY3JsMS5leGFtcGxlLmNvbS9j
YTEuY3JsMCWgI6Ahhh9odHRwOi8vY3JsMi5leGFtcGxlLmNvbS9jYTEuY3JsMAoG
CCqBHM9VAYN1A0gAMEUCIAd+mmPuM/Cy+/D1Cs8bWGV1e9mvrcM6RZ9NHxWGHPlt
AiEAjv414wEmlZd3PU7AkYaO5Dz6GbVoXxwj0ROR9OH+Dvw=
-----END CERTIFICATE-----
Expected behaviour
The parser should either:
correctly recognize SM2 curve (e.g. “sm2p256v1”), or
fall back to displaying the raw OID instead of failing
openssl x509 -in pubkey.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5031550074930820288 (0x45d3a82285d774c0)
Signature Algorithm: SM2-with-SM3
Issuer: C=CN, O=ShangMiBei, CN=ShangMiCA
Validity
Not Before: Jun 9 02:50:49 2025 GMT
Not After : Oct 10 12:01:01 2045 GMT
Subject: O=ShangMiBei, OU=ShangMiBei2025, CN=shangmibeiadmin, C=CN
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ef:eb:79:e1:0a:31:2c:f1:c8:87:19:1d:01:37:
a6:6c:47:e2:45:bf:ff:2b:c1:c1:9f:d2:f8:ac:9a:
95:31:bf:1d:18:dd:90:f5:0f:00:46:e5:12:b9:5e:
ea:de:86:4f:c4:9e:30:b2:4b:3d:54:4b:d4:fc:08:
64:f7:40:b2:e9
ASN1 OID: SM2
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
01:02:03:04:05:06
X509v3 Authority Key Identifier:
01:02:03:04
X509v3 Subject Alternative Name:
email:git@git.com, IP Address:127.0.0.1, IP Address:2001:4860:0:2001:0:0:0:68
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl1.example.com/ca1.crl
Full Name:
URI:http://crl2.example.com/ca1.crl
Signature Algorithm: SM2-with-SM3
Signature Value:
30:45:02:20:07:7e:9a:63:ee:33:f0:b2:fb:f0:f5:0a:cf:1b:
58:65:75:7b:d9:af:ad:c3:3a:45:9f:4d:1f:15:86:1c:f9:6d:
02:21:00:8e:fe:35:e3:01:26:95:97:77:3d:4e:c0:91:86:8e:
e4:3c:fa:19:b5:68:5f:1c:23:d1:13:91:f4:e1:fe:0e:fc
Desktop (if relevant, please complete the following information):
- OS: [MacOS 15.7.4]
- Browser: [chrome 149.0.7827.201 (Official Build) (arm64)]
- CyberChef version: [v11.2.0]
Additional context
SM2 is widely used in Chinese PKI systems (GM/T 0003 / GB/T 32918). OpenSSL supports it, so the issue is likely missing OID → curve name mapping in CyberChef’s ASN.1/X.509 parsing layer.
Describe the bug
CyberChef’s “Parse X.509 certificate” operation fails when parsing certificates using SM2 public keys. The parser stops with the error “unsupported curve name”, even though the certificate is valid and correctly parsed by OpenSSL.
The certificate uses:
Signature Algorithm: SM2-with-SM3
Public Key Algorithm: id-ecPublicKey
EC Curve: SM2 (GM/T 0003 / GB/T 32918)
OpenSSL is able to fully decode the certificate and correctly identifies the SM2 curve, but CyberChef fails during EC curve name resolution.
To Reproduce
Steps to reproduce the behaviour or a link to the recipe / input used to cause the bug:
Expected behaviour
The parser should either:
correctly recognize SM2 curve (e.g. “sm2p256v1”), or
fall back to displaying the raw OID instead of failing
openssl x509 -in pubkey.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 5031550074930820288 (0x45d3a82285d774c0) Signature Algorithm: SM2-with-SM3 Issuer: C=CN, O=ShangMiBei, CN=ShangMiCA Validity Not Before: Jun 9 02:50:49 2025 GMT Not After : Oct 10 12:01:01 2045 GMT Subject: O=ShangMiBei, OU=ShangMiBei2025, CN=shangmibeiadmin, C=CN Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:ef:eb:79:e1:0a:31:2c:f1:c8:87:19:1d:01:37: a6:6c:47:e2:45:bf:ff:2b:c1:c1:9f:d2:f8:ac:9a: 95:31:bf:1d:18:dd:90:f5:0f:00:46:e5:12:b9:5e: ea:de:86:4f:c4:9e:30:b2:4b:3d:54:4b:d4:fc:08: 64:f7:40:b2:e9 ASN1 OID: SM2 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Agreement X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: 01:02:03:04:05:06 X509v3 Authority Key Identifier: 01:02:03:04 X509v3 Subject Alternative Name: email:git@git.com, IP Address:127.0.0.1, IP Address:2001:4860:0:2001:0:0:0:68 X509v3 CRL Distribution Points: Full Name: URI:http://crl1.example.com/ca1.crl Full Name: URI:http://crl2.example.com/ca1.crl Signature Algorithm: SM2-with-SM3 Signature Value: 30:45:02:20:07:7e:9a:63:ee:33:f0:b2:fb:f0:f5:0a:cf:1b: 58:65:75:7b:d9:af:ad:c3:3a:45:9f:4d:1f:15:86:1c:f9:6d: 02:21:00:8e:fe:35:e3:01:26:95:97:77:3d:4e:c0:91:86:8e: e4:3c:fa:19:b5:68:5f:1c:23:d1:13:91:f4:e1:fe:0e:fcDesktop (if relevant, please complete the following information):
Additional context
SM2 is widely used in Chinese PKI systems (GM/T 0003 / GB/T 32918). OpenSSL supports it, so the issue is likely missing OID → curve name mapping in CyberChef’s ASN.1/X.509 parsing layer.