Fix SM2 certificate verification

Set the default ec_scheme to secg_scheme, add sm3 ZID to X.509
verification.

crypto/asn1/a_verify.c

@@ -21,9 +21,13 @@
 #include <openssl/objects.h>
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
+#ifndef OPENSSL_NO_SM2
+#include <openssl/sm2.h>
+#endif
 #include "internal/asn1_int.h"
 #include "internal/evp_int.h"
 
+
 #ifndef NO_ASN1_OLD
 
 int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
@@ -131,6 +135,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
         ret = -1;
     } else {
         const EVP_MD *type;
+        EVP_PKEY_CTX *pctx;
         type = EVP_get_digestbynid(mdnid);
         if (type == NULL) {
             ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
@@ -144,12 +149,21 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
             goto err;
         }
 
-        if (!EVP_DigestVerifyInit(ctx, NULL, type, NULL, pkey)) {
+        if (!EVP_DigestVerifyInit(ctx, &pctx, type, NULL, pkey)) {
             ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB);
             ret = 0;
             goto err;
         }
 
+#ifndef OPENSSL_NO_SM2
+        if (OBJ_obj2nid(a->algorithm) == NID_sm2sign_with_sm3) {
+            if (!EVP_PKEY_CTX_set_ec_scheme(pctx, NID_sm_scheme)) {
+                ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EC_LIB);
+                ret = 0;
+                goto err;
+            }
+        }
+#endif
     }
 
     inl = ASN1_item_i2d(asn, &buf_in, it);

crypto/ec/ec_pmeth.c

@@ -60,10 +60,10 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx)
     dctx->cofactor_mode = -1;
     dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE;
 #ifndef OPENSSL_NO_SM2
-    dctx->ec_scheme = NID_sm_scheme;
+    dctx->ec_scheme = NID_secg_scheme;
     dctx->signer_id = NULL;
     dctx->signer_zid = NULL;
-    dctx->ec_encrypt_param = NID_sm3;
+    dctx->ec_encrypt_param = NID_undef;
 #endif
     ctx->data = dctx;
     return 1;