Verification notes on GmSSL-3.0.0 support for the Chinese national (SM) cryptographic algorithms

Download the source directly from GitHub and compile it.

The tags on GitHub cover only two versions, 3.0.0 and 3.1.1.

GmSSL-3.1.1

Compiling it directly on Ubuntu 18.04 failed with errors, so I gave up on it.

GmSSL-3.0.0

Compiles directly with cmake, no problems.

Test 1: generating a CA certificate and issuing a certificate

Step 1: generate the CA key

# root @ ubuntu in /opt/GmSSL-3.0.0/bin [5:54:26] 
$ ../bin/gmssl version
GmSSL 3.0.0

# root @ ubuntu in /opt/GmSSL-3.0.0/test [5:55:46] C:130
$ ../bin/gmssl sm2keygen -pass 1234 -out rootcakey.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEEVtfgydCmbg0DqHI5l9E19PFyBy0
4FEsQ45YbmsYCLRRj2KiFHG2K9XSA1zlFJ3ayfVR4p3L1xFtv7LcgCTqXg==
-----END PUBLIC KEY-----

Step 2: generate the CA certificate

# root @ ubuntu in /opt/GmSSL-3.0.0/test [5:56:14] 
$ ../bin/gmssl certgen -C CN -ST HeNan -L ZhengZhou -O JL -OU HW -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign

# root @ ubuntu in /opt/GmSSL-3.0.0/test [5:57:28] 
$ ../bin/gmssl certparse -in rootcacert.pem
Certificate
    tbsCertificate
        version: v3 (2)
        serialNumber: 39916719DA11E3ED72623D9B
        siganture: sm2sign-with-sm3
        issuer
            countryName: CN
            stateOrProvinceName: HeNan
            localityName: ZhengZhou
            organizationName: JL
            organizationalUnitName: HW
            commonName: ROOTCA
        validity
            notBefore: Tue Aug  1 05:57:24 2023
            notAfter: Fri Jul 29 05:57:24 2033
        subject
            countryName: CN
            stateOrProvinceName: HeNan
            localityName: ZhengZhou
            organizationName: JL
            organizationalUnitName: HW
            commonName: ROOTCA
        subjectPulbicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 04115B5F83274299B8340EA1C8E65F44D7D3C5C81CB4E0512C438E586E6B1808B4518F62A21471B62BD5D2035CE5149DDAC9F551E29DCBD7116DBFB2DC8024EA5E
        extensions
            Extension
                extnID: KeyUsage (2.5.29.15)
                critical: true
                KeyUsage: keyCertSign,cRLSign
            Extension
                extnID: BasicConstraints (2.5.29.19)
                critical: true
                BasicConstraints
                    cA: true
            Extension
                extnID: AuthorityKeyIdentifier (2.5.29.35)
                AuthorityKeyIdentifier
                    keyIdentifier: 3A7F99EF48DCB5D9FAB383BE1D2D769B23E40BB8310B7D82CD1A1172A27C0052
    signatureAlgorithm: sm2sign-with-sm3
    signatureValue: 3045022009695034ED4A2D277DF32B094E3B70E23766DAAB3D20E0CD509F6CD85B3D4FA4022100A906ACB14B40ACC6FB9214680A839FD2E157AF0D00858856FE7285B53FA8B014

Step 3: issue a certificate for a certificate request file

# root @ ubuntu in /opt/GmSSL-3.0.0/test [7:43:43] C:1
$ ../bin/gmssl reqparse -in gbs_req_cert_a77d169.pem 
CertificationRequest
    certificationRequestInfo
        version: v1 (0)
        subject
            countryName: CN
            stateOrProvinceName: HN
            localityName: ZZ
            organizationName: JL
            organizationalUnitName: LiveGBS
            commonName: 34020000002000000001
            serialNumber: a77d1691d30cdc6eec2e9fb0acd4a4f4
        subjectPublicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 0401283C5026D1730DE4DBF81462BB1A7439FCB4C59A9B826E111A4C597DFB97318D8C7D9BCBA93536F14153CF3141A791BFEFA9C95D7D6338624670A62E9D7612
        attributes
            Attribute
                type: (unknown) (1.2.840.113549.1.9.14)
                values: 301E301C0603551D11041530138111796A6B68746464784073696E612E636F6D
    signatureAlgorithm
        algorithm: sm2sign-with-sm3
    signature: : 30460221008FF14C5E568A8BB8D5B29D0B05A472EC916701D084B0306ABAC110F0B2BA128D022100BD01A7FE0335BAAD2F358DF8FEB11E1E7EF75B4EF3AA22D30A2E7905F217E359

# root @ ubuntu in /opt/GmSSL-3.0.0/test [5:58:45] 
$ ../bin/gmssl reqsign -in gbs_req_cert_a77d169.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out gbs_cert.pem    

# root @ ubuntu in /opt/GmSSL-3.0.0/test [6:00:14] C:127
$ ../bin.gmssl certparse -in gbs_cert.pem
zsh: no such file or directory: ../bin.gmssl

# root @ ubuntu in /opt/GmSSL-3.0.0/test [6:00:24] C:127
$ ../bin/gmssl certparse -in gbs_cert.pem
Certificate
    tbsCertificate
        version: v3 (2)
        serialNumber: D8646727FE6BB7048619C1D5
        siganture: sm2sign-with-sm3
        issuer
            countryName: CN
            stateOrProvinceName: HeNan
            localityName: ZhengZhou
            organizationName: JL
            organizationalUnitName: HW
            commonName: ROOTCA
        validity
            notBefore: Tue Aug  1 05:59:57 2023
            notAfter: Wed Jul 31 05:59:57 2024
        subject
            countryName: CN
            stateOrProvinceName: HN
            localityName: ZZ
            organizationName: JL
            organizationalUnitName: LiveGBS
            commonName: 34020000002000000001
            serialNumber: a77d1691d30cdc6eec2e9fb0acd4a4f4
        subjectPulbicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 0401283C5026D1730DE4DBF81462BB1A7439FCB4C59A9B826E111A4C597DFB97318D8C7D9BCBA93536F14153CF3141A791BFEFA9C95D7D6338624670A62E9D7612
        extensions
            Extension
                extnID: KeyUsage (2.5.29.15)
                critical: true
                KeyUsage: keyCertSign
            Extension
                extnID: BasicConstraints (2.5.29.19)
                critical: true
                BasicConstraints
                    cA: true
                    pathLenConstraint: 0
            Extension
                extnID: AuthorityKeyIdentifier (2.5.29.35)
                AuthorityKeyIdentifier
                    keyIdentifier: 3A7F99EF48DCB5D9FAB383BE1D2D769B23E40BB8310B7D82CD1A1172A27C0052
    signatureAlgorithm: sm2sign-with-sm3
    signatureValue: 30440220764BDE97CE2569800D352303587EB888A26C16B61FA6764EA38E1700ADA43577022057F4C7DF30738B4FE0045DB2EEFFD19813109A3BCF8FF654E37D900BE4F5AB2A

Generating the CA root certificate and issuing a certificate went exceptionally smoothly.
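
The certificate issued in step 3 was signed with -key_usage keyCertSign -path_len_constraint 0, so certparse reports cA: true and KeyUsage: keyCertSign for it, which means its key can itself issue certificates. The script below is an added example (not part of the original notes and not GmSSL project code) that checks certparse text for these CA powers before a certificate is handed to an end entity such as the device in test 2; the function names cert_fields and audit_leaf and the digitalSignature sample are assumptions of this example.

```shell
#!/bin/sh

# cert_fields: certparse text on stdin -> "key=value" lines.
cert_fields() {
    awk '
        NF == 1 && $1 == "issuer"  { sect = "issuer" }
        NF == 1 && $1 == "subject" { sect = "subject" }
        sect == "subject" && $1 == "commonName:" { print "subject_cn=" $2 }
        $1 == "cA:"       { print "ca=" $2 }
        $1 == "KeyUsage:" { print "key_usage=" $2 }
    '
}

# audit_leaf: prints one finding per line; returns 1 if the certificate
# carries CA powers, 0 if it fits an end-entity (device) profile.
audit_leaf() {
    fields=$(cert_fields)
    rc=0
    if printf '%s\n' "$fields" | grep -qx 'ca=true'; then
        echo "FINDING: BasicConstraints cA=true"; rc=1
    fi
    if printf '%s\n' "$fields" | grep -Eq '^key_usage=.*(keyCertSign|cRLSign)'; then
        echo "FINDING: KeyUsage permits certificate or CRL signing"; rc=1
    fi
    return $rc
}

# Excerpt of the gbs_cert.pem parse shown on this page.
sample_gbs() {
cat <<'EOF'
        subject
            commonName: 34020000002000000001
                KeyUsage: keyCertSign
                BasicConstraints
                    cA: true
                    pathLenConstraint: 0
EOF
}

# Constructed sample (assumption): a device certificate without CA powers.
sample_leaf() {
cat <<'EOF'
        subject
            commonName: 410102001120070000001
                KeyUsage: digitalSignature
EOF
}

sample_gbs | audit_leaf || true   # demo run on the page's excerpt
```

Against a real file the check is run as ../bin/gmssl certparse -in gbs_cert.pem | audit_leaf, and a non-zero exit status means the certificate should not be deployed as a device certificate.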

Test 2: verifying a device certificate request and its issuance

Step 1: generate the device key

# root @ ubuntu in /opt/GmSSL-3.0.0/test [6:32:30] 
$ ../bin/gmssl sm2keygen -pass 1234 -out devicekey.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEsHPsIaOwTtOKhX/ynbCbcgO7dYZk
1q1MyJPtkONdcJG+xrYhBdwj/pmWxZPqBWUNcbr7BRYBhCWOOm/89gK+UQ==
-----END PUBLIC KEY-----

Step 2: generate the certificate request file

# root @ ubuntu in /opt/GmSSL-3.0.0/test [7:36:13] C:1
$ ../bin/gmssl reqgen -C CN -ST HeNan -L ZhengZhou -O JL -OU HW -CN 410102001120070000001 -days 365 -key devicekey.pem -pass 1234 -out devicereq.pem

# root @ ubuntu in /opt/GmSSL-3.0.0/test [7:37:44] 
$ ../bin/gmssl reqparse -in devicereq.pem
CertificationRequest
    certificationRequestInfo
        version: v1 (0)
        subject
            countryName: CN
            stateOrProvinceName: HeNan
            localityName: ZhengZhou
            organizationName: JL
            organizationalUnitName: HW
            commonName: 410102001120070000001
        subjectPublicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 04B073EC21A3B04ED38A857FF29DB09B7203BB758664D6AD4CC893ED90E35D7091BEC6B62105DC23FE9996C593EA05650D71BAFB05160184258E3A6FFCF602BE51
    signatureAlgorithm
        algorithm: sm2sign-with-sm3
        parameters: NULL
    signature: : 3044022004800C1D57E11F65CA240ADE9904238A0AA084AEF6A7108A3F94F7CB60F0BFBC0220339A744AA4D78AE3B362BF79F8F5851105AB1B1A8CB9509297A32D82CA94F6FC

Step 3: sign the request file

