国密curl的用法指南

1.curl是什么

  cURL（客户端URL）是一个开放源代码的命令行工具，用来请求 Web和其他各种类型的服务器。curl有着大量的参数，常用来测试/调试服务器的开发和排查等，堪称一个网络“神器”。

2.国密curl是什么

curl自身不支持国密SSL协议（TLCP）。程序员说：要有国密版curl，于是就有了国密版curl，哈哈，程序员就是软件世界的上帝啊。国密版curl，简称gmcurl，由国密SSL实验室（www.gmssl.cn）移植，并提供免费下载和使用。

3.国密curl使用（单向国密SSL）

3.1 简单执行

[root@206test ~]# ./gmcurl

GM Version:1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,  use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

curl: try'curl --help'or'curl --manual'formore information

3.2 简单访问

[root@206test ~]# ./gmcurl --gmssl -k https://ebssec.boc.cn

GM Version:1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,  use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

注释：

1）--gmssl表示启用国密SSL

2）-k表示不验证服务端证书

3.3 验证证书

[root@206test ~]# ./gmcurl --gmssl --cacert boc.ca.pem https://ebssec.boc.cn

GM Version:1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,  use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

注释：

1）--cacert表示加载本地可信证书链

2）boc.ca.pem下载地址为https://www.gmssl.cn/gmssl/down/boc.ca.pem

3.4 简单调试

[root@206test ~]# ./gmcurl --gmssl -k --verbose https://ebssec.boc.cn

GM Version: 1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,  use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

*  Trying 123.124.191.183:443...

* Connected to ebssec.boc.cn (123.124.191.183) port 443 (#0)

* ALPN, offering http/1.1

* (101) (OUT), , Unknown (1):

* (101) (IN), , Unknown (2):

* (101) (IN), , Unknown (11):

* (101) (IN), , Unknown (12):

* (101) (IN), , Unknown (14):

* (101) (OUT), , Unknown (16):

* (101) (OUT), , Change cipher spec (1):

* (101) (OUT), , Unknown (20):

* (101) (IN), , Unknown (20):

* SSL connection using GMSSLv1.1 / ECC-SM4-CBC-SM3

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: C=CN; ST=\U5317\U4EAC; L=\U5317\U4EAC; O=\U4E2D\U56FD\U94F6\U884C\U80A1\U4EFD\U6709\U9650\U516C\U53F8; OU=Local RA; OU=SSL; CN=ebssec.boc.cn

*  start date: Jun 11 09:05:20 2021 GMT

*  expire date: Jun 19 08:16:56 2026 GMT

*  issuer: C=CN; O=CFCA SM2 OCA1

*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

> GET / HTTP/1.1

> Host: ebssec.boc.cn

> User-Agent: curl/7.82.0

> Accept: \*/*

>

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK

< Date: Sun, 17 Jul 2022 04:06:39 GMT

< Last-Modified: Sat, 27 Jun 2015 16:48:38 GMT

< Accept-Ranges: bytes

< Content-Length: 156

< Cache-Control: max-age=300

< Expires: Sun, 17 Jul 2022 04:11:39 GMT

< Vary: Accept-Encoding,User-Agent

< Content-Type: text/html

<

* Connection #0 to host ebssec.boc.cn left intact

注释：

1） 可以看到协议GMSSLv1.1和算法ECC-SM4-CBC-SM3

2） 可以看到服务器证书信息

3） 可以看到HTTPS请求头和应答头

4） -–verbose可以简写为-v，

即./gmcurl --gmssl -k -v https://ebssec.boc.cn

3.5 深度调试（包含SSL过程）

[root@206test ~]# ./gmcurl --gmssl -k --trace - https://ebssec.boc.cn

GM Version:1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,  use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

==Info:  Trying123.124.191.183:443...

==Info: Connected to ebssec.boc.cn (123.124.191.183) port443(#0)

==Info: ALPN, offering http/1.1

=> Send SSL data,5bytes (0x5)

0000:1601010080.....

==Info: (101) (OUT), , Unknown (1):

=> Send SSL data,128bytes (0x80)

0000:0100007c0101048c218f c5 fc d8 1e 9b15...|....!.......

0010:54111b 7bcc4f de bf5646f73085b63246T..{.O..VF.0..2F

0020:28b5037a801700000e e053e051e013e0 (..z......S.Q...

0030:11e003e00100ff010000450000001200..........E.....

0040:1000000d6562737365632e626f632e63....ebssec.boc.c

0050: 6e000b000403000102000a000c000a00n...............

0060: 1d0017001e0019001833740000001000.........3t.....

0070: 0b000908687474702f312e3100160000....http/1.1....

<=Recv SSL data,5bytes (0x5)

0000:1601010039....9

==Info: (101) (IN), , Unknown (2):

<=Recv SSL data,57bytes (0x39)

0000:02000035010162d3 8c347c a3 f0 aa e3 da ...5..b..4|.....

0010:6185fd 8e057798f0 9e 3e f0823d5770cf a....w...>..=Wp.

0020: e174dc19544400e01300000d ff010001.t..TD..........

0030:00000b000403000102.........

<=Recv SSL data,5bytes (0x5)

0000:16010105b2                  .....

==Info: (101) (IN), , Unknown (11):

<=Recv SSL data,1458bytes (0x5b2)

0000: 0b0005ae0005ab0002d3308202cf3082..........0...0.

0010:0272a00302010202051336393370300c .r........693p0.

0020:06082a811c cf5501837505003025310b ..\*...U..u..0%1.

0030:300906035504061302434e31163014060...U....CN1.0..

0040:0355040a 0c 0d4346434120534d32204f .U....CFCA SM2 O

0050:434131301e170d323130363131303930CA10...210611090

0060:3532305a170d32363036313930383136520Z..2606190816

0070:35365a308191310b300906035504061356Z0..1.0...U...

0080:02434e310f300d06035504080c06e5 8c .CN1.0...U......

0090:97e4 ba ac310f300d06035504070c06e5 ....1.0...U.....

00a0: 8c97e4 ba ac31273025060355040a 0c 1e .....1'0%..U....

00b0: e4 b8 ad e5 9b bd e993b6 e8 a1 8c e882a1 e4 ................

00c0: bb bd e6 9c89e99990e585ac e5 8f b83111..............1.

00d0:300f060355040b 0c084c 6f63616c20520...U....Local R

00e0:41310c300a060355040b 0c0353534c31A1.0...U....SSL1

00f0:16301406035504030c 0d656273736563.0...U....ebssec

0100: 2e626f632e636e3059301306072a8648.boc.cn0Y0...\*.H

0110: ce 3d020106082a811c cf5501822d0342.=....\*...U..-.B

0120:0004fb 0d527a1940cf424a 7b c2 e7 b4 db [email protected]{....

0130: bd d7 f23930ae 3c e4 a56663c0 cb104a16...90.<..fc...J.

0140: 3f98d501ff c6 5b 9b 1d d5 5f e5 7a87ac ed ?.....[..._.z...

0150:63083462ed a37920a197405d78f7673c c.4b..y ..@]x.g<

0160: d373a382011e3082011a301f0603551d .s....0...0...U.

0170:230418301680145c9358205a24735610#..0...\.X Z$sV.

0180: 1b645010ec e9 a7 ca074111300c060355.dP......A.0...U

0190: 1d130101ff0402300030480603551d20.......0.0H..U.

01a0:0441303f303d060860811c86ef 2a0101.A0?0=..`....\*..

01b0:3031302f06082b060105050702011623010/..+........#

01c0:687474703a 2f 2f7777772e636663612e http://www.cfca.

01d0:636f 6d 2e636e 2f75732f75732d31342e com.cn/us/us-14.

01e0:68746d30370603551d 1f0430302e302c htm07..U...00.0,

01f0: a0 2a a0288626687474703a 2f 2f63726c .\*.(.&http://crl

0200: 2e636663612e636f 6d 2e636e 2f534d32.cfca.com.cn/SM2

0210: 2f63726c353631382e63726c30180603/crl5618.crl0...

0220:551d110411300f820d6562737365632e U....0...ebssec.

0230:626f632e636e300e0603551d 0f0101ff boc.cn0...U.....

0240:0404030206c0301d0603551d 0e041604......0...U.....

0250:149e a8168f ce ac a80384714e4696aa d3 ..........qNF...

0260:8917ed 3d 4a301d0603551d2504163014...=J0...U.%..0.

0270:06082b0601050507030206082b060105..+.........+...

0280:05070301300c06082a811c cf55018375....0...\*...U..u

0290:05000349003046022100af852b db bf98...I.0F.!...+...

02a0: 7a11197561c0 8b83e7 f3 f5495e41b6 8f z..ua......I^A..

02b0: 7c1630523503d9 d00755022100c442e2 |.0R5....U.!..B.

02c0: 4f52fe6482d1 4a54bc 2a a1 fc3402d948OR.d..JT.\*..4..H

02d0: bc 4d c7 1d e4 6d888184ac72750d0002d2 .M...m....ru....

02e0:308202ce30820272a0030201020205130...0..r........

02f0:36393371300c06082a811c cf55018375693q0...\*...U..u

0300:05003025310b30090603550406130243..0%1.0...U....C

0310: 4e31163014060355040a 0c 0d43464341N1.0...U....CFCA

0320:20534d32204f434131301e170d323130SM2 OCA10...210

0330:3631313039303532305a170d32363036611090520Z..2606

0340:31393038313635365a308191310b300919081656Z0..1.0.

0350:06035504061302434e310f300d060355..U....CN1.0...U

0360:04080c06e5 8c97e4 ba ac310f300d0603..........1.0...

0370:5504070c06e5 8c97e4 ba ac3127302506U..........1'0%.

0380:0355040a 0c 1e e4 b8 ad e5 9b bd e993b6 e8 .U..............

0390: a1 8c e882a1 e4 bb bd e6 9c89e99990e585................

03a0: ac e5 8f b83111300f060355040b 0c084c ....1.0...U....L

03b0: 6f63616c205241310c300a060355040b ocal RA1.0...U..

03c0: 0c0353534c3116301406035504030c 0d ..SSL1.0...U....

03d0:6562737365632e626f632e636e305930ebssec.boc.cn0Y0

03e0:1306072a8648ce 3d020106082a811c cf ...\*.H.=....\*...

03f0:5501822d03420004c9 f5abe8 5b5748b5 U..-.B......[WH.

0400: aa7280cb b4 1e67765f003f a0 a875f817.r....gv_.?..u..

0410:932a221b 1a ac e0 e5 5a c6 af 7f f7 5c a6 b0 .\*".....Z...\..

0420: b4176e fbcdce38698041ff 7b 9c cb83c5 ..n...8i.A.{....

0430: a976911d 0a 7c 3c 4c a382011e3082011a .v...|***

0440:301f0603551d230418301680145c93580...U.#..0...\.X

0450:205a247356101b645010ec e9 a7 ca0741Z$sV..dP......A

0460:11300c0603551d130101ff0402300030.0...U.......0.0

0470:480603551d200441303f303d06086081H..U. .A0?0=..`.

0480: 1c86ef 2a01013031302f06082b060105...\*..010/..+...

0490:050702011623687474703a 2f 2f777777.....#http://www

04a0: 2e636663612e636f 6d 2e636e 2f75732f .cfca.com.cn/us/

04b0:75732d31342e68746d30370603551d 1f us-14.htm07..U..

04c0:0430302e302c a0 2a a028862668747470.00.0,.\*.(.&http

04d0: 3a 2f 2f63726c 2e636663612e636f 6d 2e ://crl.cfca.com.

04e0:636e 2f534d322f63726c353631382e63cn/SM2/crl5618.c

04f0:726c30180603551d110411300f820d65rl0...U....0...e

0500:62737365632e626f632e636e300e0603bssec.boc.cn0...

0510:551d 0f0101ff040403020338301d0603U..........80...

0520:551d 0e041604145f da d491efccbc db a4 U......_........

0530:56c19635fb84dc51a6 3f f6301d060355V..5...Q.?.0...U

0540: 1d250416301406082b06010505070302.%..0...+.......

0550:06082b06010505070301300c06082a81..+.......0...\*.

0560: 1c cf5501837505000348003045022100..U..u...H.0E.!.

0570: c23858b579972088de ad fa 1e a5 c4 bc12.8X.y. .........

0580:82b021dc96a597e67203678f c3 ac 5c 8f ..!.....r.g...\.

0590:02203720ef a3 be b5769c0985cc967f25.7....v.....%

05a0:420276937f455f e032d62352be 4b ba68B.v.E_.2.#R.K.h

05b0:52bf                      R.

<=Recv SSL data,5bytes (0x5)

0000:160101004d                  ....M

==Info: (101) (IN), , Unknown (12):

<=Recv SSL data,77bytes (0x4d)

0000: 0c00004900473045022007bb 5c f790d0 ...I.G0E. ..\...

0010: c091fd80690f c778277b b4 fd555b591b ....i..x'{..U[Y.

0020:35e814b7 b1723c 0b0493022100fd 4c d75....r<....!..L.

0030: 5c16875f 6b63f3 7e a973758bcc567e fa \.._kc.~.su..V~.

0040: bc78bf 7a 2d cb300d 3b7806916f      .x.z-.0.;x..o

<=Recv SSL data,5bytes (0x5)

0000:1601010004.....

==Info: (101) (IN), , Unknown (14):

<=Recv SSL data,4bytes (0x4)

0000: 0e000000....

=> Send SSL data,5bytes (0x5)

0000:16010100a3                  .....

==Info: (101) (OUT), , Unknown (16):

=> Send SSL data,163bytes (0xa3)

0000:1000009f009d308199022100ad db a9 b8 ......0...!.....

0010: af 6f be 9e d4788a d5 f683e8459042db ad .o...x.....E.B..

0020: cb 9f a0292c e566888d278b2702203d b4 ...),.f..'.'.=.

0030: dc f94084c402609695a6 da f376f9 d106..@...`.....v...

0040: b018f5 da c6302f dd da69d597177f0420.....0/..i....*

0050: bf 2c652497507b a662df27db348f65bf .,e$.P{.b.'.4.e.

0060:903f b9 e2 2d f0 e4 b81798c9 cf 8f 4e78db .?..-........Nx.

0070:043048d808d9 1e86311682e8 f8 bd e523.0H.....1......#

0080: 0e ae9506774f20ca751a435705d2 2b d6 ....wO .u.CW..+.

0090:81fc a588b4 6e726b228d873d 0acdde b1 .....nrk"..=....

00a0: 6f8400o..

=> Send SSL data,5bytes (0x5)

0000:1401010001.....

==Info: (101) (OUT), , Change cipher spec (1):

=> Send SSL data,1bytes (0x1)

0000:01.

=> Send SSL data,5bytes (0x5)

0000:1601010050....P

==Info: (101) (OUT), , Unknown (20):

=> Send SSL data,16bytes (0x10)

0000:1400000c c1 5f 9d fc528d 3a99128b 4e fa ....._..R.:...N.

<=Recv SSL data,5bytes (0x5)

0000:1401010001.....

<=Recv SSL data,5bytes (0x5)

0000:1601010050....P

==Info: (101) (IN), , Unknown (20):

<=Recv SSL data,16bytes (0x10)

0000:1400000c407b25ad a346d9 8a a2 d027a0 ....@{%..F....'.

==Info: SSL connection using GMSSLv1.1 / ECC-SM4-CBC-SM3

==Info: ALPN, server did not agree to a protocol

==Info: Server certificate:

==Info:  subject:C=CN;ST=\U5317\U4EAC;L=\U5317\U4EAC;O=\U4E2D\U56FD\U94F6\U884C\U80A1\U4EFD\U6709\U9650\U516C\U53F8;OU=Local RA;OU=SSL;CN=ebssec.boc.cn

==Info:startdate: Jun1109:05:202021GMT

==Info:  expire date: Jun1908:16:562026GMT

==Info:  issuer:C=CN;O=CFCA SM2 OCA1

==Info:  SSL certificate verify result: unable togetlocal issuer certificate (20), continuing anyway.

=> Send SSL data,5bytes (0x5)

0000:1701010080.....

=> Send header,77bytes (0x4d)

0000:474554202f20485454502f312e310d 0a GET / HTTP/1.1..

0010:486f73743a206562737365632e626f63Host: ebssec.boc

0020: 2e636e 0d 0a557365722d4167656e743a .cn..User-Agent:

0030:206375726c 2f372e38322e300d 0a4163curl/7.82.0..Ac

0040:636570743a202a 2f 2a 0d 0a 0d 0a      cept: \*/\*....

<=Recv SSL data,5bytes (0x5)

0000:17010101e0                  .....

==Info: Mark bundle as not supporting multiuse

<=Recv header,17bytes (0x11)

0000:485454502f312e3120323030204f 4b 0d HTTP/1.1200OK.

0010: 0a                        .

<=Recv header,37bytes (0x25)

0000:446174653a2053756e 2c203137204a75Date: Sun,17Ju

0010: 6c20323032322030343a31323a333620l202204:12:36

0020:474d540d 0a                  GMT..

<=Recv header,46bytes (0x2e)

0000: 4c6173742d 4d 6f6469666965643a2053Last-Modified: S

0010:61742c203237204a756e203230313520at,27Jun2015

0020:31363a34383a333820474d540d 0a16:48:38 GMT..

<=Recv header,22bytes (0x16)

0000:4163636570742d52616e6765733a2062Accept-Ranges: b

0010:797465730d 0a                ytes..

<=Recv header,21bytes (0x15)

0000:436f 6e74656e742d 4c656e6774683a20Content-Length:

0010:3135360d 0a156..

<=Recv header,28bytes (0x1c)

0000:43616368652d436f 6e74726f 6c 3a206d Cache-Control: m

0010:61782d6167653d3330300d 0aax-age=300..

<=Recv header,40bytes (0x28)

0000:457870697265733a2053756e 2c203137Expires: Sun,17

0010:204a756c20323032322030343a31373a  Jul202204:17:

0020:333620474d540d 0a36GMT..

<=Recv header,34bytes (0x22)

0000:566172793a204163636570742d456e63Vary: Accept-Enc

0010: 6f64696e672c557365722d4167656e74oding,User-Agent

0020: 0d 0a                      ..

<=Recv header,25bytes (0x19)

0000:436f 6e74656e742d547970653a207465Content-Type: te

0010:78742f68746d 6c 0d 0a            xt/html..

<=Recv header,2bytes (0x2)

0000: 0d 0a                      ..

<=Recv data,156bytes (0x9c)

0000: 3c21444f43545950452068746d 6c 3e 3c <

0010:68746d 6c 3e 3c686561643e 3c 6d657461html>

0020:20687474702d65717569763d22726566http-equiv="ref

0030:726573682220636f 6e74656e743d2230resh" content="0

0040: 3b75726c 3d 2f626f6331352f 6c 6f6769;url=/boc15/logi

0050: 6e 2e68746d 6c223e 3c 6d657461206e61n.html">

0060: 6d653d2272656e64657265722220636fme="renderer"co

0070: 6e74656e743d2269652d7374616e6422ntent="ie-stand"

0080: 3e 3c 2f686561643e 3c626f64793e 3c 2f >

0090:626f64793e 3c 2f68746d 6c 3e             body>

==Info: Connection#0 to host ebssec.boc.cn left intact

注释：

1）可以看到国密SSL国产的完整数据

2）可以把日志输出到文件

即./gmcurl --gmssl -k --trace ssl.log https://ebssec.boc.cn

4.国密curl使用（双向国密SSL）

4.1 生成用户国密双证书

4.2 使用用户国密双证书访问

[root@206test ~]# ./gmcurl --gmssl -k --cert ./sm2.user1.sig.crt.pem --key ./sm2.user1.sig.key.pem --cert2 ./sm2.user1.enc.crt.pem --key2 ./sm2.user1.enc.key.pem https://demo.gmssl.cn:1443

GM Version:1.0.0 Ported by www.gmssl.cn

Options:

--gmssl, use TLCP protocol

--cert,  use sm2 sig pem cert

--key,   use sm2 sig pem key

--cert2, use sm2 enc pem cert

--key2,  use sm2 enc pem key

.style1

{

    font-family: Consolas,monospace;

    font-size: 14px;

    white-space: nowrap;

}

   

   

   

       

                   

                        成功访问了受HTTPS保护的页面。

                   

                        SSL信息：GMSSLv1.1,ECC-SM4-GCM-SM3

                   

                        证书信息

                   

                          [0]        Version: 3
        SerialNumber: 1658039001384
            IssuerDN: C=CN,O=GMSSL,OU=PKI/SM2,CN=MiddleCA for Test
          Start Date: Sun Jul 17 00:00:00 CST 2022
          Final Date: Mon Jul 17 00:00:00 CST 2023
            SubjectDN: C=CN,CN=user1
          Public Key: EC Public Key
            X: 97c5e022cd46ff344da14c59c97d1d71d67b4daf2c5b1c6687adde3fd3e3d051
            Y: 97015282f9dc49ea209aebc5b0c1b4f81b8018b391d5195438bdab9251fe1341
  Signature Algorithm: 1.2.156.10197.1.501
            Signature:
3045022100f7937695e82f349cc00fe94cc07988
                      0ecd5ff1b36bcf25b144f1a150889bd89b022075
                      f9cae85fdcd0ad30e6b4cd2cbd95686ee1310f89
                      56605827f6501148800988
      Extensions:
                      critical(false) 2.5.29.35 value = Sequence
    Tagged [0] IMPLICIT
        DER Octet String[16]
                      critical(false) 2.5.29.14 value = DER Octet String[16]
                      critical(false) BasicConstraints: isCa(false)
                      critical(true) KeyUsage: 0xc0

                   

                        证书PEM

                   

                        -----BEGIN CERTIFICATE-----
MIIBuTCCAV2gAwIBAgIGAYIK02EoMAwGCCqBHM9VAYN1BQAwSzELMAkGA1UEBhMC
Q04xDjAMBgNVBAoTBUdNU1NMMRAwDgYDVQQLEwdQS0kvU00yMRowGAYDVQQDExFN
aWRkbGVDQSBmb3IgVGVzdDAiGA8yMDIyMDcxNjE2MDAwMFoYDzIwMjMwNzE2MTYw
MDAwWjAdMQswCQYDVQQGEwJDTjEOMAwGA1UEAxMFdXNlcjEwWTATBgcqhkjOPQIB
BggqgRzPVQGCLQNCAASXxeAizUb/NE2hTFnJfR1x1ntNryxbHGaHrd4/0+PQUZcB
UoL53EnqIJrrxbDBtPgbgBizkdUZVDi9q5JR/hNBo1UwUzAbBgNVHSMEFDASgBD5
f1W0J5QzYqZWym/MXRr/MBkGA1UdDgQSBBBTZ9eBZ4tYvhe+Sj2oeI4xMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgDAMAwGCCqBHM9VAYN1BQADSAAwRQIhAPeTdpXo
LzScwA/pTMB5iA7NX/Gza88lsUTxoVCIm9ibAiB1+croX9zQrTDmtM0svZVobuEx-----END CERTIFICATE-----

注释：

1）https://demo.gmssl.cn:1443同时也支持单向国密SSL，不带客户端证书也可以访问，但页面不显示客户端证书信息

5.国密curl下载

1） XP/Win7/Win10

https://www.gmssl.cn/gmssl/down/gmcurl.exe

2） CentOS7/8

https://www.gmssl.cn/gmssl/down/gmcurl

3） MacOS x86_64

https://www.gmssl.cn/gmssl/down/gmcurl_macos_x64