新手入坑GMSSL(一)Windows下编译GMSSL并生成CA证书
首先申明,我不是密码学的专业人员,没有这方面知识基础,这个以及接下来的博客都是我根据网上能找到的资料、博客,一点点摸索总结出来的,问了很多前辈和博主,但是可能都没有看到都没有回复我 = = 。但项目必须得做身不由己,无奈只能自己试一试了。
如果有哪里不对的地方,请各位一定指出,也让我学习一下,感谢!
博客参考的资料地址会将参考的内容会在文中给出,我总结的步骤有不清楚的地方可以参考原文。
相信看到这篇博客的同学对于openssl的认识应该都比我要深,我就不班门弄斧了。可能国密这个领域对于其他技术来说还是太小众了,可以参考的教程太少,而且个人实现的国密算法基本上都没有经过严格测试,问题的解决也不是很迅速。本文的目的是记录我在国密https尝试过程中遇到的坑以及解决方法,或许对刚入坑的新手有所帮助,不会像我一样毫无头绪。
废话少说我们就开始吧
一、编译GMSSL
首先是编译GMSSL,我没有尝试TASSL,首先是因为知道的太晚了,其次是目前只有Windows的环境,暂时没法返校用Linux服务器,简单搜了一下没找到TASSL在win下的编译教程,遂放弃 = =
这里网上的教程比较多,我就不添油加醋了,参考了GMSSL编译-Windows篇和GMSSL在Window下的编译这两篇博客:
- GMSSL源码下载:https://github.com/guanzhi/GmSSL/archive/master.zip
- ActivePerl下载:https://activeperl.en.softonic.com
- NASM下载地址:https://www.nasm.us
- 需要将ActivePerl,NASM安装目录添加至Windows系统环境变量Path中
- 打开VS Tools中“VS 本机工具命令提示符”提示符,切换至GmSSL目录
- 这里需要注意的是你已经安装了VS,可以通过cl命令查看VS的版本是x86还是x64的:
- 不同的VS版本使用的工具不相同,我装了2013和2015的VS,名字是“VS2015 x86 Native Tools Command Prompt”:
- 这里需要注意的是你已经安装了VS,可以通过cl命令查看VS的版本是x86还是x64的:
- 执行perl Configure VC-WIN32
- 执行nmake
7.1 编译系统没有找到nmake。实际上nmake是Visual Studio自带的工具,不需要单独安装。编译系统无法找到nmake的原因是没有在Visual Studio的命令行环境下执行编译指定。
(Microsoft Visual Studio\VC\bin 添加至Windows系统环境变量Path中)
7.2 可能出现某些头文件找不到,需要将CMD命令切到Microsoft Visual Studio 12.0\VC\bin目录下执行下vcvars32.bat脚本文件。 - nmake install,这一步记得要管理员权限
- 编译完成。
这里最好是一次成功,失败的话请删除整个文件夹,重新解压干净的版本编译。
如果编译成功的话,第二次编译大概率会是失败的,因为系统里会保留第一次编译的结果,可能会有各种问题。
我遇到的问题:
把第六步的命令改成:
perl Configure VC-WIN32 no-asm添加no-asm目的是不生成二进制文件。这里参考的是OpenSSL源码在Win下编译报错-LNK2005/fatal error LNK1169这篇博客
虽然这个方法对我没啥效果,也不知道为啥,有明白的前辈或者大佬看到了麻烦告诉我一下。
我解决的方法可能也不是很合理:我改用了和第一次编译成功GMSSL相同的代码版本重新试了一下就ok了。
二、生成CA证书
使用GMSSL生成CA证书的过程和生成普通证书的方法类似
云水木石这个大神的博客大家可以好好学习
创建自签名的SM2证书:搭建国密SSL开发测试环境
1. 生成SM2私钥:
gmssl ecparam -genkey -name sm2p256v1 -text -out user.key
2. 创建证书请求:
gmssl req -new -key user.key -out user.req
3. 创建一个 certext.ext 文本文件,内容如下:
subjectAltName=DNS:www.example.com
4. 生成证书:
gmssl x509 -req -days 365 -in user.req -signkey user.key -out user_cert.pem -extfile certext.ext
查看证书的内容:
gmssl x509 -text -in user_cert.pem -noout
1. 启动服务器端
gmssl s_server -key user.key -cert user_cert.pem -accept 44330 -www
2. 启动客户端
gmssl s_client -connect localhost:44330创建CA证书,并生成服务端证书:搭建个人国密CA(Certification Authority)
文中模拟了三级CA管理:
Root CA -> Server CA -> Server
Root CA为一级CA,拥有根CA证书,Server CA为二级CA,其CA证书由Root CA签发,Server为最终的用户,其证书由Server CA签发。1.制作根CA证书:
创建一个 certext.ext 文本文件,内容为:
[ v3_ca ]
basicConstraints = CA:true
[ usr_cert ]
subjectAltName = DNS:localhostgmssl ecparam -genkey -name sm2p256v1 -text -out rootkey.pem
gmssl req -new -key rootkey.pem -out rootreq.pem
gmssl x509 -req -days 365 -in rootreq.pem -signkey rootkey.pem -extfile certext.ext -extensions v3_ca -out rootcert.pem2.签发 Server CA 证书:
gmssl ecparam -genkey -name sm2p256v1 -text -out serverCAkey.pem
gmssl req -new -key serverCAkey.pem -out serverCAreq.pem
gmssl x509 -req -days 365 -in serverCAreq.pem -extfile certext.ext -extensions v3_ca -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out serverCAcert.pem3.签发 Server 证书:
gmssl ecparam -genkey -name sm2p256v1 -text -out serverkey.pem
gmssl req -new -key serverkey.pem -out serverreq.pem
gmssl x509 -req -days 365 -in serverreq.pem -extfile certext.ext -extensions usr_cert -CA serverCAcert.pem -CAkey serverCAkey.pem -CAcreateserial -out servercert.pem这两篇博客写的非常详细,反正我看了之后有种拨云见月的感觉。
三、运行结果:
s_client客户端:
gmssl s_client -connect localhost:4433 -key .\user.key -cert .\user_cert.pem
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
CONNECTED(00000224)
depth=0 C = CN, ST = Hunan, L = Changsha, O = csu, OU = csu, CN = csu.com, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = Hunan, L = Changsha, O = csu, OU = csu, CN = csu.com, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:/C=CN/ST=Hunan/L=Changsha/O=csu/OU=csu/CN=csu.com/[email protected]
i:/C=CN/ST=Hunan/L=Changsha/O=csu/OU=csu/CN=csu.com/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICCTCCAa+gAwIBAgIJAPQlTnQHYjZDMAoGCCqBHM9VAYN1MHoxCzAJBgNVBAYT
AkNOMQ4wDAYDVQQIDAVIdW5hbjERMA8GA1UEBwwIQ2hhbmdzaGExDDAKBgNVBAoM
A2NzdTEMMAoGA1UECwwDY3N1MRAwDgYDVQQDDAdjc3UuY29tMRowGAYJKoZIhvcN
AQkBFgtjcHU1QHFxLmNvbTAeFw0yMDA2MTgxNjA0MjRaFw0yMTA2MTgxNjA0MjRa
MHoxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVIdW5hbjERMA8GA1UEBwwIQ2hhbmdz
aGExDDAKBgNVBAoMA2NzdTEMMAoGA1UECwwDY3N1MRAwDgYDVQQDDAdjc3UuY29t
MRowGAYJKoZIhvcNAQkBFgtjcHU1QHFxLmNvbTBZMBMGByqGSM49AgEGCCqBHM9V
AYItA0IABCl+QPszZf0T9n5AX8/QgFxkhSM67gOzz4K4HARpCVq4u0XA/q8NXkCA
hq5JWRy0XjpRkdgEqHbL0+cjDaVYezyjHjAcMBoGA1UdEQQTMBGCD3d3dy5leGFt
cGxlLmNvbTAKBggqgRzPVQGDdQNIADBFAiEAwmfCTnokgFChwvCtdJ/ro8p3QMJY
NRBEkmsn68vCsWACIHyT/BruUcNZK+cD2DiVb5+NIYGewUippqkAUVn52VHS
-----END CERTIFICATE-----
subject=/C=CN/ST=Hunan/L=Changsha/O=csu/OU=csu/CN=csu.com/[email protected]
issuer=/C=CN/ST=Hunan/L=Changsha/O=csu/OU=csu/CN=csu.com/[email protected]
---
No client certificate CA names sent
Peer signing digest: SM3
Server Temp Key: ECDH, SM2, 256 bits
---
SSL handshake has read 998 bytes and written 322 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-SM2-WITH-SMS4-GCM-SM3
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-SM2-WITH-SMS4-GCM-SM3
Session-ID: F02DF9EEFE47099D3BCD29200771C975BA2A6B87E98BFEFA48F282BF5665C6C5
Session-ID-ctx:
Master-Key: CC6CFE9A11AE606BC91B19740E2A1B123F1FAE01E7D30CF37768BA613B73445FD6A8A4B5910B595BD1EF46B403D19DC6
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b7 80 81 0e 35 68 e9 fc-b6 6a 90 2a ca b6 96 97 ....5h...j.*....
0010 - 32 9e 1d c8 44 16 73 e8-67 67 d7 6c a4 b7 a9 1b 2...D.s.gg.l....
0020 - 43 76 b4 d9 b0 e0 19 72-b3 45 23 6f b7 ee f1 f5 Cv.....r.E#o....
0030 - 06 0d 87 6f 20 2b 40 fb-7a 1d 35 12 97 17 c2 42 ...o [email protected]
0040 - f5 0a 0d 97 52 d4 0d bb-e9 e0 02 4c 44 71 9c bc ....R......LDq..
0050 - fc 06 f5 7c 1f 3b bb e6-9b 1b 76 38 02 46 f6 7e ...|.;....v8.F.~
0060 - c2 b7 ed c2 da d5 f1 a4-17 a4 0c 8a 37 5d dd 26 ............7].&
0070 - c5 04 21 97 19 69 23 76-df 11 2d 1b 53 35 28 14 ..!..i#v..-.S5(.
0080 - f9 e1 fa e0 79 13 b1 5a-50 8a 24 86 5d 2b f5 b9 ....y..ZP.$.]+..
0090 - 58 46 e6 9f f8 48 9a e3-f8 3c 76 e4 9f 92 d9 f9 XF...H...s_server服务端:
gmssl s_server -key .\user.key -cert .\user_cert.pem -accept 4433 -www -debug
Using default temp DH parameters
[GMTLS_DEBUG] set sm2 signing certificate
[GMTLS_DEBUG] set sm2 signing private key
ACCEPT
read from 0x31ca4b8 [0x31de50b] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 bf .....
read from 0x31ca4b8 [0x31de510] (191 bytes => 191 (0xBF))
0000 - 01 00 00 bb 03 03 12 7c-a1 b2 ee 60 5e 64 d0 7e .......|...`^d.~
0010 - 2b 58 ac 42 d8 fb c4 24-ca 78 d3 5c 8e bc 06 2e +X.B...$.x.\....
0020 - 0c 11 f6 52 d1 88 00 00-48 c0 2c c0 30 00 9f cc ...R....H.,.0...
0030 - a9 cc a8 cc aa c0 2b c0-2f 00 9e e1 07 c0 24 c0 ......+./.....$.
0040 - 28 00 6b c0 23 c0 27 00-67 e1 02 c0 0a c0 14 00 (.k.#.'.g.......
0050 - 39 c0 09 c0 13 00 33 00-9d 00 9c 00 3d 00 3c 00 9.....3.....=.<.
0060 - 35 e0 17 e0 15 e0 13 e0-11 00 2f e0 1a e0 19 00 5........./.....
0070 - ff 01 00 00 4a 00 0b 00-04 03 00 01 02 00 0a 00 ....J...........
0080 - 0c 00 0a 00 1e 00 1d 00-17 00 19 00 18 00 23 00 ..............#.
0090 - 00 00 0d 00 22 00 20 06-01 06 02 06 03 05 01 05 ....". .........
00a0 - 02 05 03 04 01 04 02 04-03 03 01 03 02 03 03 02 ................
00b0 - 01 02 02 02 03 07 07 00-16 00 00 00 17 .............
00bf -
write to 0x31ca4b8 [0x31ecc78] (771 bytes => 771 (0x303))
0000 - 16 03 03 00 41 02 00 00-3d 03 03 92 34 d3 c8 66 ....A...=...4..f
0010 - b7 df c2 2b 7f ec 08 44-20 f9 ae 42 b2 c1 d2 b5 ...+...D ..B....
0020 - 2f 27 5a 27 fe 11 56 24-4c 85 0e 00 e1 07 00 00 /'Z'..V$L.......
0030 - 15 ff 01 00 01 00 00 0b-00 04 03 00 01 02 00 23 ...............#
0040 - 00 00 00 17 00 00 16 03-03 02 17 0b 00 02 13 00 ................
0050 - 02 10 00 02 0d 30 82 02-09 30 82 01 af a0 03 02 .....0...0......
0060 - 01 02 02 09 00 f4 25 4e-74 07 62 36 43 30 0a 06 ......%Nt.b6C0..
0070 - 08 2a 81 1c cf 55 01 83-75 30 7a 31 0b 30 09 06 .*...U..u0z1.0..
0080 - 03 55 04 06 13 02 43 4e-31 0e 30 0c 06 03 55 04 .U....CN1.0...U.
0090 - 08 0c 05 48 75 6e 61 6e-31 11 30 0f 06 03 55 04 ...Hunan1.0...U.
00a0 - 07 0c 08 43 68 61 6e 67-73 68 61 31 0c 30 0a 06 ...Changsha1.0..
00b0 - 03 55 04 0a 0c 03 63 73-75 31 0c 30 0a 06 03 55 .U....csu1.0...U
00c0 - 04 0b 0c 03 63 73 75 31-10 30 0e 06 03 55 04 03 ....csu1.0...U..
00d0 - 0c 07 63 73 75 2e 63 6f-6d 31 1a 30 18 06 09 2a ..csu.com1.0...*
00e0 - 86 48 86 f7 0d 01 09 01-16 0b 63 70 75 35 40 71 .H........cpu5@q
00f0 - 71 2e 63 6f 6d 30 1e 17-0d 32 30 30 36 31 38 31 q.com0...2006181
0100 - 36 30 34 32 34 5a 17 0d-32 31 30 36 31 38 31 36 60424Z..21061816
0110 - 30 34 32 34 5a 30 7a 31-0b 30 09 06 03 55 04 06 0424Z0z1.0...U..
0120 - 13 02 43 4e 31 0e 30 0c-06 03 55 04 08 0c 05 48 ..CN1.0...U....H
0130 - 75 6e 61 6e 31 11 30 0f-06 03 55 04 07 0c 08 43 unan1.0...U....C
0140 - 68 61 6e 67 73 68 61 31-0c 30 0a 06 03 55 04 0a hangsha1.0...U..
0150 - 0c 03 63 73 75 31 0c 30-0a 06 03 55 04 0b 0c 03 ..csu1.0...U....
0160 - 63 73 75 31 10 30 0e 06-03 55 04 03 0c 07 63 73 csu1.0...U....cs
0170 - 75 2e 63 6f 6d 31 1a 30-18 06 09 2a 86 48 86 f7 u.com1.0...*.H..
0180 - 0d 01 09 01 16 0b 63 70-75 35 40 71 71 2e 63 6f [email protected]
0190 - 6d 30 59 30 13 06 07 2a-86 48 ce 3d 02 01 06 08 m0Y0...*.H.=....
01a0 - 2a 81 1c cf 55 01 82 2d-03 42 00 04 29 7e 40 fb *...U..-.B..)~@.
01b0 - 33 65 fd 13 f6 7e 40 5f-cf d0 80 5c 64 85 23 3a 3e...~@_...\d.#:
01c0 - ee 03 b3 cf 82 b8 1c 04-69 09 5a b8 bb 45 c0 fe ........i.Z..E..
01d0 - af 0d 5e 40 80 86 ae 49-59 1c b4 5e 3a 51 91 d8 ..^@...IY..^:Q..
01e0 - 04 a8 76 cb d3 e7 23 0d-a5 58 7b 3c a3 1e 30 1c ..v...#..X{<..0.
01f0 - 30 1a 06 03 55 1d 11 04-13 30 11 82 0f 77 77 77 0...U....0...www
0200 - 2e 65 78 61 6d 70 6c 65-2e 63 6f 6d 30 0a 06 08 .example.com0...
0210 - 2a 81 1c cf 55 01 83 75-03 48 00 30 45 02 21 00 *...U..u.H.0E.!.
0220 - c2 67 c2 4e 7a 24 80 50-a1 c2 f0 ad 74 9f eb a3 .g.Nz$.P....t...
0230 - ca 77 40 c2 58 35 10 44-92 6b 27 eb cb c2 b1 60 [email protected]'....`
0240 - 02 20 7c 93 fc 1a ee 51-c3 59 2b e7 03 d8 38 95 . |....Q.Y+...8.
0250 - 6f 9f 8d 21 81 9e c1 48-a9 a6 a9 00 51 59 f9 d9 o..!...H....QY..
0260 - 51 d2 16 03 03 00 93 0c-00 00 8f 03 00 1e 41 04 Q.............A.
0270 - 27 28 2b b6 13 29 2b 70-b2 e1 b2 70 26 d7 19 53 '(+..)+p...p&..S
0280 - 3f 4d c1 92 15 29 50 3a-99 71 17 77 0a c6 b0 67 ?M...)P:.q.w...g
0290 - db 0a ee 9e c8 16 34 09-26 23 db 04 de 4c aa c2 ......4.&#...L..
02a0 - 5a 2c 53 13 b0 56 94 97-e7 57 7d 3a 0a 21 db d9 Z,S..V...W}:.!..
02b0 - 07 07 00 46 30 44 02 20-4f 1a 87 5b f8 a1 13 44 ...F0D. O..[...D
02c0 - 67 ba 68 a6 76 94 2c c0-80 af 10 68 f4 5a 0f d3 g.h.v.,....h.Z..
02d0 - d0 d4 58 4a 59 be 70 e5-02 20 00 a5 be 7f e4 dd ..XJY.p.. ......
02e0 - 48 ce 9f 60 ec ad dc eb-52 f7 48 de 7e 6d e3 0f H..`....R.H.~m..
02f0 - 6c 17 8d 93 a3 17 1d 14-c3 41 16 03 03 00 04 0e l........A......
0303 -
read from 0x31ca4b8 [0x31de50b] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 46 ....F
read from 0x31ca4b8 [0x31de510] (70 bytes => 70 (0x46))
0000 - 10 00 00 42 41 04 4b 4c-fa 16 48 2e 51 89 50 cd ...BA.KL..H.Q.P.
0010 - c9 4d fc fb 21 1f de 0a-95 73 58 4a 41 d9 c8 2a .M..!....sXJA..*
0020 - c9 44 f2 cc 2a 63 1c 4f-fb 84 93 82 cc f3 93 fd .D..*c.O........
0030 - fb 6d 8b fe 8f d2 84 b5-93 d8 60 96 0c b1 55 cb .m........`...U.
0040 - 6f ed b7 c2 27 69 o...'i
read from 0x31ca4b8 [0x31de50b] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x31ca4b8 [0x31de510] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x31ca4b8 [0x31de50b] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x31ca4b8 [0x31de510] (40 bytes => 40 (0x28))
0000 - 1e b4 53 3d 6c c6 1e e8-36 14 a9 c9 11 fa d3 9c ..S=l...6.......
0010 - 0a ee f4 78 81 ad 8c ea-a7 04 00 c8 48 a2 57 e0 ...x........H.W.
0020 - 51 be 6f 65 0f 9d 5b 63- Q.oe..[c
write to 0x31ca4b8 [0x31ecc78] (226 bytes => 226 (0xE2))
0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 12 ............ ...
0010 - 64 54 d6 c8 5c c2 e7 bf-79 ea 88 83 9b d2 b2 9c dT..\...y.......
0020 - 19 e9 91 aa ad 4e 09 86-66 39 4d 42 79 2d 9b bb .....N..f9MBy-..
0030 - cb 4c 32 e8 74 35 14 44-7b 10 41 c0 ce e9 2a 8b .L2.t5.D{.A...*.
0040 - 26 9c a3 2a a8 38 26 c0-d1 06 32 fb da d4 d1 ef &..*.8&...2.....
0050 - 26 75 4e 9e 89 9d d7 5f-0d a3 d6 35 f2 97 6a b0 &uN...._...5..j.
0060 - 4d d6 83 97 16 46 91 ff-2c 2b 7d 42 a8 c3 84 26 M....F..,+}B...&
0070 - 40 00 bf 48 72 f9 f1 bc-03 df 77 d9 e7 7d 6f 3a @..Hr.....w..}o:
0080 - 98 a6 2e cf 05 a8 6d 72-9f 86 fb 9c 0b 97 52 23 ......mr......R#
0090 - ea 13 9d 50 bc f4 4f c1-6b 93 ac 77 bc ee 38 93 ...P..O.k..w..8.
00a0 - 19 44 0f 6c 36 ff 73 2e-78 3e ed f1 de 4a fa 14 .D.l6.s.x>...J..
00b0 - 03 03 00 01 01 16 03 03-00 28 7e cb bd cb 95 cd .........(~.....
00c0 - 6b 04 d3 f4 02 12 e1 52-91 71 fa 4e c2 93 43 7d k......R.q.N..C}
00d0 - 00 13 cc b5 0d bf d8 61-44 a5 51 01 54 da 46 c8 .......aD.Q.T.F.
00e0 - e4 15 ..
四、存在问题:
无法与国密浏览器通讯,这个问题暂留到下篇博客再详细讨论。