diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h index dffdb28d..df99c285 100644 --- a/include/gmssl/tls.h +++ b/include/gmssl/tls.h @@ -931,11 +931,9 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth int tls_ctx_set_certificate_and_key(TLS_CTX *ctx, const char *chainfile, const char *keyfile, const char *keypass); int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile, - const char *signkeyfile, const char *signkeypass, - const char *kenckeyfile, const char *kenckeypass); + const char *keyfile, const char *keypass); int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile, - const char *signkeyfile, const char *signkeypass, - const char *kenckeyfile, const char *kenckeypass); + const char *keyfile, const char *keypass); void tls_ctx_cleanup(TLS_CTX *ctx); int tls_ctx_add_certificate_chain_and_key(TLS_CTX *ctx, const char *chainfile, diff --git a/src/tls.c b/src/tls.c index cd0953c1..472d2645 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2742,8 +2742,7 @@ end: } int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile, - const char *signkeyfile, const char *signkeypass, - const char *kenckeyfile, const char *kenckeypass) + const char *keyfile, const char *keypass) { int ret = -1; const int algor = OID_ec_public_key; @@ -2753,15 +2752,14 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile size_t cert_chains_len; size_t key_idx; FILE *certfp = NULL; - FILE *signkeyfp = NULL; - FILE *kenckeyfp = NULL; + FILE *keyfp = NULL; const uint8_t *cert; size_t certlen; X509_KEY public_key; - if (!ctx || !chainfile || !signkeyfile || !signkeypass || !kenckeyfile || !kenckeypass) { + if (!ctx || !chainfile || !keyfile || !keypass) { error_print(); return -1; } @@ -2798,11 +2796,11 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile cert_chains_len += cert_chain_len; // load sign key - if (!(signkeyfp = fopen(signkeyfile, "r"))) { + if (!(keyfp = fopen(keyfile, "r"))) { error_print(); goto end; } - if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, signkeypass, signkeyfp) != 1) { + if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, keypass, keyfp) != 1) { error_print(); goto end; } @@ -2818,11 +2816,7 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile } // load enc key - if (!(kenckeyfp = fopen(kenckeyfile, "r"))) { - error_print(); - goto end; - } - if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, kenckeypass, kenckeyfp) != 1) { + if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, keypass, keyfp) != 1) { error_print(); goto end; } @@ -2852,21 +2846,19 @@ end: x509_key_cleanup(&ctx->enc_keys[key_idx]); } if (certfp) fclose(certfp); - if (signkeyfp) fclose(signkeyfp); - if (kenckeyfp) fclose(kenckeyfp); + if (keyfp) fclose(keyfp); return ret; } int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile, - const char *signkeyfile, const char *signkeypass, - const char *kenckeyfile, const char *kenckeypass) + const char *keyfile, const char *keypass) { if (!ctx || ctx->cert_chains_len || ctx->x509_keys_cnt) { error_print(); return -1; } if (tlcp_ctx_add_server_certificate_and_keys(ctx, chainfile, - signkeyfile, signkeypass, kenckeyfile, kenckeypass) != 1) { + keyfile, keypass) != 1) { error_print(); return -1; } diff --git a/tools/tlcp_client.c b/tools/tlcp_client.c index 0791594b..9684f2a1 100644 --- a/tools/tlcp_client.c +++ b/tools/tlcp_client.c @@ -20,9 +20,9 @@ #define TIMEOUT_SECONDS 1 static const char *usage = - "-host str [-port num] [-cacert file]" - " [-cert file -key file -pass str]" - " [-outcerts file]" + "-host str [-port num] [-cacert pem]" + " [-cert pem -key pem -pass str]" + " [-certout pem]" " [-get path]" " [-alpn str]" " [-trusted_ca_keys]" @@ -36,14 +36,14 @@ static const char *help = " -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n" " -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n" " -sig_alg str Supported signature algorithms\n" -" -cacert file Trusted CA certificate(s) in PEM format\n" +" -cacert pem Trusted CA certificate(s) in PEM format\n" " -verify_depth num Certificate verification depth\n" -" -cert file Client certificate(s) in PEM format\n" -" -key file Private key of client certificate\n" +" -cert pem Client certificate(s) in PEM format\n" +" -key pem Private key of client certificate in PEM format\n" " -pass password Password of encrypted private key\n" " -client_cert_optional Allow client send empty Certificate\n" " -get path Send a GET request with given path of URI\n" -" -outcerts file Save server certificates to a PEM file\n" +" -certout pem Save server certificates to a PEM file\n" " -server_name str Send server_name (SNI) request\n" " -trusted_ca_keys Send trusted_ca_keys request\n" " -alpn str Application protocol name, may appear multiple times, higher priority first\n" @@ -78,7 +78,7 @@ int tlcp_client_main(int argc, char *argv[]) size_t alpn_protocols_cnt = 0; int client_cert_optional = 0; char *get = NULL; - char *outcertsfile = NULL; + char *certoutfile = NULL; int quiet = 0; struct hostent *hp; struct sockaddr_in server; @@ -186,9 +186,9 @@ int tlcp_client_main(int argc, char *argv[]) } else if (!strcmp(*argv, "-get")) { if (--argc < 1) goto bad; get = *(++argv); - } else if (!strcmp(*argv, "-outcerts")) { + } else if (!strcmp(*argv, "-certout")) { if (--argc < 1) goto bad; - outcertsfile = *(++argv); + certoutfile = *(++argv); } else if (!strcmp(*argv, "-quiet")) { quiet = 1; } else { @@ -322,19 +322,19 @@ bad: goto end; } - if (outcertsfile) { - FILE *outcertsfp; - if (!(outcertsfp = fopen(outcertsfile, "wb"))) { - fprintf(stderr, "%s: open '%s' failure\n", prog, outcertsfile); + if (certoutfile) { + FILE *certoutfp; + if (!(certoutfp = fopen(certoutfile, "wb"))) { + fprintf(stderr, "%s: open '%s' failure\n", prog, certoutfile); perror("fopen"); goto end; } - if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, outcertsfp) != 1) { + if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, certoutfp) != 1) { fprintf(stderr, "%s: x509_certs_to_pem error\n", prog); - fclose(outcertsfp); + fclose(certoutfp); goto end; } - fclose(outcertsfp); + fclose(certoutfp); } if (get) { diff --git a/tools/tlcp_help.h b/tools/tlcp_help.h index 71b6d435..3ea4ad6a 100644 --- a/tools/tlcp_help.h +++ b/tools/tlcp_help.h @@ -13,7 +13,7 @@ " TLS_ECC_SM4_GCM_SM3\n" " TLS_ECC_SM4_CBC_SM3\n" "\n" -" gmssl tlcp_client -host www.pbc.gov.cn -get / -outcerts certs.pem\n" +" gmssl tlcp_client -host www.pbc.gov.cn -get / -certout certs.pem\n" "\n" " gmssl tlcp_client -host www.pbc.gov.cn -port 443\n" "\n" @@ -36,6 +36,10 @@ " cat signcert.pem > double_certs.pem\n" " cat enccert.pem >> double_certs.pem\n" " cat cacert.pem >> double_certs.pem\n" +" # double_keys.pem contains two encrypted private key PEM blocks with the same password:\n" +" # the first is the signing private key, the second is the encryption private key.\n" +" cat signkey.pem > double_keys.pem\n" +" cat enckey.pem >> double_keys.pem\n" "\n" -" gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n" +" gmssl tlcp_server -port 443 -cert double_certs.pem -key double_keys.pem -pass 1234\n" " gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n" diff --git a/tools/tlcp_server.c b/tools/tlcp_server.c index 215de9c0..fda0c29a 100644 --- a/tools/tlcp_server.c +++ b/tools/tlcp_server.c @@ -18,20 +18,18 @@ #include -static const char *options = "[-port num] -cert file -key file -pass str -ex_key file -ex_pass str [-alpn str] [-cacert file]"; +static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem]"; static const char *help = "Options\n" "\n" " -port num Listening port number, default 443\n" -" -cert file Server's certificate chain in PEM format, may appear multiple times\n" -" -key file Server's signing private key in PEM format, may appear multiple times\n" -" -pass str Password to decrypt signing private key, may appear multiple times\n" -" -ex_key file Server's encryption private key in PEM format, may appear multiple times\n" -" -ex_pass str Password to decrypt encryption private key, may appear multiple times\n" +" -cert pem Server's certificate chain in PEM format, may appear multiple times\n" +" -key pem Server's signing and encryption private keys in PEM format: signing key first, encryption key second, may appear multiple times\n" +" -pass str Password to decrypt both private keys in the same -key PEM, may appear multiple times\n" " -alpn str Application protocol name, may appear multiple times, higher priority first\n" -" -cacert file CA certificate for client certificate verification\n" +" -cacert pem CA certificate for client certificate verification\n" "\n" #include "tlcp_help.h" "\n"; @@ -47,10 +45,6 @@ int tlcp_server_main(int argc , char **argv) size_t signkeyfiles_cnt = 0; char *signpasses[sizeof(certfiles)/sizeof(certfiles[0])]; size_t signpasses_cnt = 0; - char *enckeyfiles[sizeof(certfiles)/sizeof(certfiles[0])]; - size_t enckeyfiles_cnt = 0; - char *encpasses[sizeof(certfiles)/sizeof(certfiles[0])]; - size_t encpasses_cnt = 0; char *alpn_protocols[4]; size_t alpn_protocols_cnt = 0; char *cacertfile = NULL; @@ -108,20 +102,6 @@ int tlcp_server_main(int argc , char **argv) } if (--argc < 1) goto bad; signpasses[signpasses_cnt++] = *(++argv); - } else if (!strcmp(*argv, "-ex_key")) { - if (enckeyfiles_cnt >= sizeof(enckeyfiles)/sizeof(enckeyfiles[0])) { - fprintf(stderr, "%s: too many -ex_key options\n", prog); - return -1; - } - if (--argc < 1) goto bad; - enckeyfiles[enckeyfiles_cnt++] = *(++argv); - } else if (!strcmp(*argv, "-ex_pass")) { - if (encpasses_cnt >= sizeof(encpasses)/sizeof(encpasses[0])) { - fprintf(stderr, "%s: too many -ex_pass options\n", prog); - return -1; - } - if (--argc < 1) goto bad; - encpasses[encpasses_cnt++] = *(++argv); } else if (!strcmp(*argv, "-alpn")) { if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) { fprintf(stderr, "%s: too many -alpn options\n", prog); @@ -154,17 +134,8 @@ bad: fprintf(stderr, "%s: '-pass' option required\n", prog); return 1; } - if (!enckeyfiles_cnt) { - fprintf(stderr, "%s: '-ex_key' option required\n", prog); - return 1; - } - if (!encpasses_cnt) { - fprintf(stderr, "%s: '-ex_pass' option required\n", prog); - return 1; - } - if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt - || signpasses_cnt != enckeyfiles_cnt || enckeyfiles_cnt != encpasses_cnt) { - fprintf(stderr, "%s: -cert/-key/-pass/-ex_key/-ex_pass counts mismatch\n", prog); + if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt) { + fprintf(stderr, "%s: -cert/-key/-pass counts mismatch\n", prog); return 1; } @@ -185,8 +156,7 @@ bad: } for (i = 0; i < certfiles_cnt; i++) { if (tlcp_ctx_add_server_certificate_and_keys(&ctx, - certfiles[i], signkeyfiles[i], signpasses[i], - enckeyfiles[i], encpasses[i]) != 1) { + certfiles[i], signkeyfiles[i], signpasses[i]) != 1) { error_print(); return -1; } diff --git a/tools/tls12_client.c b/tools/tls12_client.c index bba29650..45c73f9e 100644 --- a/tools/tls12_client.c +++ b/tools/tls12_client.c @@ -23,7 +23,7 @@ static const char *http_get = "Hostname: aaa\r\n" "\r\n\r\n"; -static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str] [-trusted_ca_keys]"; +static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys]"; static const char *help = "Options\n" @@ -33,10 +33,10 @@ static const char *help = " -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n" " -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n" " -sig_alg str Supported signature algorithms\n" -" -cacert file Root CA certificate\n" +" -cacert pem Root CA certificate in PEM format\n" " -verify_depth num Certificate verification depth\n" -" -cert file Client's certificate chain in PEM format\n" -" -key file Client's encrypted private key in PEM format\n" +" -cert pem Client's certificate chain in PEM format\n" +" -key pem Client's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -client_cert_optional Allow client send empty Certificate\n" " -server_name str Send server_name (SNI) request\n" diff --git a/tools/tls12_server.c b/tools/tls12_server.c index 3d80b0c4..9f6e70be 100644 --- a/tools/tls12_server.c +++ b/tools/tls12_server.c @@ -18,7 +18,7 @@ #include -static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]"; +static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]"; static const char *help = "Options\n" @@ -27,11 +27,11 @@ static const char *help = " -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n" " -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n" " -sig_alg str Supported signature algorithms\n" -" -cert file Server's certificate chain in PEM format\n" -" -key file Server's encrypted private key in PEM format\n" +" -cert pem Server's certificate chain in PEM format\n" +" -key pem Server's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -cert_request Client certificate request\n" -" -cacert file CA certificate for client certificate verification\n" +" -cacert pem CA certificate for client certificate verification\n" " -verify_depth num Certificate verification depth\n" " -client_cert_optional Allow client send empty Certificate\n" " -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n" diff --git a/tools/tls13_client.c b/tools/tls13_client.c index 02261b26..b74c20ed 100644 --- a/tools/tls13_client.c +++ b/tools/tls13_client.c @@ -28,7 +28,7 @@ static const char *http_get = "Hostname: aaa\r\n" "\r\n\r\n"; -static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str]"; +static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str]"; static const char *help = "Options\n" @@ -39,10 +39,10 @@ static const char *help = " -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n" " -sig_alg str Supported signature algorithms\n" " -max_key_exchanges num Number of key exchanges in key_share extension\n" -" -cacert file Root CA certificate\n" +" -cacert pem Root CA certificate in PEM format\n" " -verify_depth num Certificate verification depth\n" -" -cert file Client's certificate chain in PEM format\n" -" -key file Client's encrypted private key in PEM format\n" +" -cert pem Client's certificate chain in PEM format\n" +" -key pem Client's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -server_name str Send server_name (SNI) request\n" " -signature_algorithms_cert Send signature_algorithms_cert extension\n" diff --git a/tools/tls13_server.c b/tools/tls13_server.c index 89b1f936..599efee6 100644 --- a/tools/tls13_server.c +++ b/tools/tls13_server.c @@ -20,7 +20,7 @@ -static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]"; +static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]"; static const char *help = "Options\n" @@ -29,12 +29,12 @@ static const char *help = " -cipher_suite str Client's cipher suites, may appear multiple times, higher priority first\n" " -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n" " -sig_alg str Supported signature algorithms\n" -" -cert file Server's certificate chain in PEM format\n" -" -key file Server's encrypted private key in PEM format\n" +" -cert pem Server's certificate chain in PEM format\n" +" -key pem Server's encrypted private key in PEM format\n" " -pass str Password to decrypt private key\n" " -cert_request Client certificate request\n" " -client_cert_optional Allow client send empty Certificate\n" -" -cacert file CA certificate for client certificate verification\n" +" -cacert pem CA certificate for client certificate verification\n" " -verify_depth num Certificate verification depth\n" " -psk_ke Support PSK-only key exchange\n" " -psk_dhe_ke Support PSK with (EC)DHE key exchange\n"