Using GmSSL (Chinese national cryptographic algorithms) and troubleshooting

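  • Installing the GmSSL toolkit
  • Using GmSSL
    • SM4 encryption
    • SM4 decryption
    • SM3 digest
    • SM2 key generation / signing
    • Generating an SM2 private key and certificate request
  • Problem log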

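Installing the GmSSL toolkit

Installation of the GmSSL toolkit is covered in another post of mine, so I won't repeat it here.
GmSSL tool installation, usage and troubleshooting

Using GmSSL

SM4 encryption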

[root@centos7-1 test-gmssl]# touch sm4test    # create a test file

[root@centos7-1 test-gmssl]# vim sm4test
this is a sm4 test
~                                                                
~                                                                
~                                                                
~ 
[root@centos7-1 test-gmssl]# gmssl sms4 -e -in sm4test -out sm4test.sms4   # sm4test is the input file, sm4test.sms4 is the output file
enter sms4-cbc encryption password:
Verifying - enter sms4-cbc encryption password:

[root@centos7-1 test-gmssl]# ls
sm4test  sm4test.sms4    # the encrypted file has now been generated

[root@centos7-1 test-gmssl]# vim sm4test.sms4    # the encrypted file
Salted__ëÇ<91>ùiìØ\^Ti|<93>akÓn»^X^Bd½Á<9c>^Mo^W<84>^_ð<8a>^RÇÌ<96><8e>*}ÃTZ
~                                                                
~     

SM4 decryption

[root@centos7-1 test-gmssl]# gmssl sms4 -d -in sm4test.sms4 
enter sms4-cbc decryption password:
this is a sm4 test    # after entering the password, the original content is decrypted and restored
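
The encrypted file above starts with `Salted__`, the header written by OpenSSL-style `enc` commands in password mode: an 8-byte magic, an 8-byte salt, then the CBC ciphertext. The following is an added example, not part of the original post, that parses this layout and reports what the file reveals without the password; the sample bytes and the function name `inspect_enc_file` are constructed for illustration.

```python
MAGIC = b"Salted__"   # header written in password mode
SALT_LEN = 8          # salt bytes that follow the magic
BLOCK = 16            # SM4 block size in bytes


def inspect_enc_file(data: bytes) -> dict:
    """Split a password-encrypted sms4-cbc file into salt and ciphertext."""
    if len(data) < len(MAGIC) + SALT_LEN + BLOCK:
        raise ValueError("too short for header, salt and one cipher block")
    if not data.startswith(MAGIC):
        raise ValueError("missing 'Salted__' header")
    salt = data[len(MAGIC):len(MAGIC) + SALT_LEN]
    ciphertext = data[len(MAGIC) + SALT_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    # Everything after the salt is ciphertext: the layout has no MAC or
    # tag field, so a modified file still parses as well-formed.
    # Padding adds 1..16 bytes, which bounds the plaintext length.
    return {
        "salt": salt,
        "ciphertext": ciphertext,
        "blocks": len(ciphertext) // BLOCK,
        "min_plain": len(ciphertext) - BLOCK,
        "max_plain": len(ciphertext) - 1,
    }


# Constructed sample with the same layout as sm4test.sms4: the 19-byte
# plaintext ("this is a sm4 test" plus newline) pads to two blocks.
SAMPLE = MAGIC + bytes(range(8)) + bytes(32)

if __name__ == "__main__":
    info = inspect_enc_file(SAMPLE)
    print("salt:", info["salt"].hex())
    print("blocks:", info["blocks"])
    print("plaintext length:", info["min_plain"], "to", info["max_plain"], "bytes")
```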

SM3 digest

[root@centos7-1 test-gmssl]# touch sm3test

[root@centos7-1 test-gmssl]# vim sm3test
This is a sm3 test, the output will show the digest of the file.
~                                                                
~                                                                
~                                                                

[root@centos7-1 test-gmssl]# gmssl sm3 sm3test 
SM3(sm3test)= b57e6b6f56f7e079e50d5f69a9eff92c67e8f1e49a64c148d6adb14c67ae35ce

SM2 key generation / signing

[root@centos7-1 test-gmssl]# gmssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:sm2p256v1 \
> -out signkey.pem

[root@centos7-1 test-gmssl]# ls
signkey.pem    # the key has been generated

[root@centos7-1 test-gmssl]# vim signkey.pem   # view the key
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQgK2m9aIxuGHBBXQVE
2GwVUwnxskptoMNwJH1LHlr2wXqhRANCAATreqslHmR631HGqj0OXs+ZFJhgqKLx
pKgFCgYld7Tzqsf1rGysXcKwIxfJYANxUdMm6QLFFhT7oExpE1Rzf9nv
-----END PRIVATE KEY-----
~  

[root@centos7-1 test-gmssl]# touch sm2test
[root@centos7-1 test-gmssl]# vim sm2test 
hello
~                                                                
~                                                                
~     

[root@centos7-1 test-gmssl]# gmssl pkeyutl -sign -pkeyopt ec_scheme:sm2 -inkey signkey.pem \
> -in sm2test -out sm2test.sig  # generate the signature file

[root@centos7-1 test-gmssl]# ls
signkey.pem  sm2test  sm2test.sig  

The public key can be exported from signkey.pem and distributed to the party that verifies the signature.

[root@centos7-1 test-gmssl]# gmssl pkeyutl -verify -pkeyopt ec_scheme:sm2 -pubin -inkey vrfykey.pem -in sm2test -sigfile sm2test.sig
Signature Verified Successfully  # signature verified with the public key

Generating an SM2 private key and certificate request

[root@centos7-1 test-gmssl]# gmssl ecparam -genkey -name sm2p256v1 -text -out user.key  # generate the private key

[root@centos7-1 test-gmssl]# gmssl req -new -key user.key -out user.req

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:     
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:

[root@centos7-1 test-gmssl]# ls
user.key      user.req  # the private key and the request have been generated

View the contents of the certificate request

[root@centos7-1 test-gmssl]# gmssl req -in user.req -noout -text -subject
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = Beijing, L = Beijing, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:97:ea:5c:d3:9d:0c:7e:d9:61:f8:3a:f5:9b:53:
                    f1:32:0f:8f:f3:0a:be:83:8f:a0:ef:6c:0d:c4:27:
                    03:35:3d:f0:11:fd:a2:89:16:28:0e:22:2e:67:24:
                    ee:47:55:08:10:85:dc:80:dc:24:ff:cf:48:b4:44:
                    ef:49:d2:ba:1d
                ASN1 OID: sm2p256v1
                NIST CURVE: SM2
        Attributes:
            challengePassword        :123456
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6d:a9:a8:45:b3:e1:c8:3f:fc:93:c6:9d:26:ee:
         d2:6c:cf:bd:53:74:30:c9:39:38:de:bf:40:8e:90:19:90:dc:
         02:20:50:ae:b8:76:01:b6:df:af:68:df:5f:ba:d1:ac:0b:6a:
         55:fa:56:be:d6:0b:f1:b9:72:c8:59:5f:a2:db:79:4a
subject=C = CN, ST = Beijing, L = Beijing, O = Internet Widgits Pty Ltd
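
The request printed above has an SM2 key (`ASN1 OID: sm2p256v1`) but is signed with `ecdsa-with-SHA256`. It also carries the challenge password in readable form and has no Common Name. The following is an added example, not part of the original post, that checks `gmssl req -text` output for these conditions before a request is submitted; the function name `audit_csr_text` is hypothetical and the sample is trimmed from the output shown above.

```python
import re

# Constructed sample: trimmed from the `gmssl req -text` output shown above
SAMPLE = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = Beijing, L = Beijing, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: sm2p256v1
        Attributes:
            challengePassword        :123456
    Signature Algorithm: ecdsa-with-SHA256
"""


def audit_csr_text(text: str) -> list:
    """Return findings for the text form of a certificate request."""
    findings = []
    curve = re.search(r"ASN1 OID:\s*(\S+)", text)
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    # "Subject:" with the colon does not match "Subject Public Key Info:"
    subject = re.search(r"^[ \t]*Subject:[ \t]*(.*)$", text, re.M)
    dn = subject.group(1) if subject else ""

    # SM2 curve key, but the request itself is signed with ECDSA
    if (curve and sig and curve.group(1) == "sm2p256v1"
            and sig.group(1).lower().startswith("ecdsa-with-")):
        findings.append("SM2 key, but request signed with " + sig.group(1))
    # The attribute is stored in the request as plain text
    if re.search(r"challengePassword\s*:\s*\S", text):
        findings.append("challengePassword is readable in the request")
    # CN as an attribute name sits at the start or after a comma
    if not re.search(r"(^|,\s*)CN\s*=", dn):
        findings.append("subject has no Common Name")
    # Default organization from the interactive prompt was accepted
    if "Internet Widgits Pty Ltd" in dn:
        findings.append("default organization name left in subject")
    return findings


if __name__ == "__main__":
    for finding in audit_csr_text(SAMPLE):
        print("-", finding)
```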

Problem log

1. libssl.so.1.1 error when invoking the encryption algorithms

Problem description:

gmssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

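Solution:

  • This problem occurs because the OpenSSL libraries are not in the correct location.
  • Adding symbolic links at the correct location fixes it: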
[root@centos7-1 test-gmssl]# ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@centos7-1 test-gmssl]# ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

Reference: openssl: error while loading shared libraries: libssl.so.1.1

I have not run into any other problems so far; if new ones come up I will keep this post updated.