Update TLS commands

2026-06-19 19:33:38 +08:00 · 2026-06-12 10:55:29 +08:00
parent dbbee6dbe0
commit 30bc6a2a4c
9 changed files with 58 additions and 94 deletions
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -931,11 +931,9 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth
 int tls_ctx_set_certificate_and_key(TLS_CTX *ctx, const char *chainfile,
 	const char *keyfile, const char *keypass);
 int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
-	const char *signkeyfile, const char *signkeypass,
+	const char *keyfile, const char *keypass);
 	const char *kenckeyfile, const char *kenckeypass);
 int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
-	const char *signkeyfile, const char *signkeypass,
+	const char *keyfile, const char *keypass);
 	const char *kenckeyfile, const char *kenckeypass);
 void tls_ctx_cleanup(TLS_CTX *ctx);
 int tls_ctx_add_certificate_chain_and_key(TLS_CTX *ctx, const char *chainfile,
--- a/src/tls.c
+++ b/src/tls.c
@@ -2742,8 +2742,7 @@ end:
 }
 int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
-	const char *signkeyfile, const char *signkeypass,
+	const char *keyfile, const char *keypass)
 	const char *kenckeyfile, const char *kenckeypass)
 {
 	int ret = -1;
 	const int algor = OID_ec_public_key;
@@ -2753,15 +2752,14 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
 	size_t cert_chains_len;
 	size_t key_idx;
 	FILE *certfp = NULL;
-	FILE *signkeyfp = NULL;
+	FILE *keyfp = NULL;
 	FILE *kenckeyfp = NULL;
 	const uint8_t *cert;
 	size_t certlen;
 	X509_KEY public_key;
-	if (!ctx || !chainfile || !signkeyfile || !signkeypass || !kenckeyfile || !kenckeypass) {
+	if (!ctx || !chainfile || !keyfile || !keypass) {
 		error_print();
 		return -1;
 	}
@@ -2798,11 +2796,11 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
 	cert_chains_len += cert_chain_len;
 	// load sign key
-	if (!(signkeyfp = fopen(signkeyfile, "r"))) {
+	if (!(keyfp = fopen(keyfile, "r"))) {
 		error_print();
 		goto end;
 	}
-	if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, signkeypass, signkeyfp) != 1) {
+	if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, keypass, keyfp) != 1) {
 		error_print();
 		goto end;
 	}
@@ -2818,11 +2816,7 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
 	}
 	// load enc key
-	if (!(kenckeyfp = fopen(kenckeyfile, "r"))) {
+	if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, keypass, keyfp) != 1) {
 		error_print();
 		goto end;
 	}
 	if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, kenckeypass, kenckeyfp) != 1) {
 		error_print();
 		goto end;
 	}
@@ -2852,21 +2846,19 @@ end:
 		x509_key_cleanup(&ctx->enc_keys[key_idx]);
 	}
 	if (certfp) fclose(certfp);
-	if (signkeyfp) fclose(signkeyfp);
+	if (keyfp) fclose(keyfp);
 	if (kenckeyfp) fclose(kenckeyfp);
 	return ret;
 }
 int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
-	const char *signkeyfile, const char *signkeypass,
+	const char *keyfile, const char *keypass)
 	const char *kenckeyfile, const char *kenckeypass)
 {
 	if (!ctx || ctx->cert_chains_len || ctx->x509_keys_cnt) {
 		error_print();
 		return -1;
 	}
 	if (tlcp_ctx_add_server_certificate_and_keys(ctx, chainfile,
-		signkeyfile, signkeypass, kenckeyfile, kenckeypass) != 1) {
+		keyfile, keypass) != 1) {
 		error_print();
 		return -1;
 	}
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -20,9 +20,9 @@
 #define TIMEOUT_SECONDS 1
 static const char *usage =
-	"-host str [-port num] [-cacert file]"
+	"-host str [-port num] [-cacert pem]"
-	" [-cert file -key file -pass str]"
+	" [-cert pem -key pem -pass str]"
-	" [-outcerts file]"
+	" [-certout pem]"
 	" [-get path]"
 	" [-alpn str]"
 	" [-trusted_ca_keys]"
@@ -36,14 +36,14 @@ static const char *help =
 "    -cipher_suite str      Supported cipher suites, may appear multiple times, higher priority first\n"
 "    -supported_group str   Supported elliptic curves, may appear multiple times, higher priority first\n"
 "    -sig_alg str           Supported signature algorithms\n"
-"    -cacert file           Trusted CA certificate(s) in PEM format\n"
+"    -cacert pem            Trusted CA certificate(s) in PEM format\n"
 "    -verify_depth num      Certificate verification depth\n"
-"    -cert file             Client certificate(s) in PEM format\n"
+"    -cert pem              Client certificate(s) in PEM format\n"
-"    -key file              Private key of client certificate\n"
+"    -key pem               Private key of client certificate in PEM format\n"
 "    -pass password         Password of encrypted private key\n"
 "    -client_cert_optional  Allow client send empty Certificate\n"
 "    -get path              Send a GET request with given path of URI\n"
-"    -outcerts file         Save server certificates to a PEM file\n"
+"    -certout pem           Save server certificates to a PEM file\n"
 "    -server_name str       Send server_name (SNI) request\n"
 "    -trusted_ca_keys       Send trusted_ca_keys request\n"
 "    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
@@ -78,7 +78,7 @@ int tlcp_client_main(int argc, char *argv[])
 	size_t alpn_protocols_cnt = 0;
 	int client_cert_optional = 0;
 	char *get = NULL;
-	char *outcertsfile = NULL;
+	char *certoutfile = NULL;
 	int quiet = 0;
 	struct hostent *hp;
 	struct sockaddr_in server;
@@ -186,9 +186,9 @@ int tlcp_client_main(int argc, char *argv[])
 		} else if (!strcmp(*argv, "-get")) {
 			if (--argc < 1) goto bad;
 			get = *(++argv);
-		} else if (!strcmp(*argv, "-outcerts")) {
+		} else if (!strcmp(*argv, "-certout")) {
 			if (--argc < 1) goto bad;
-			outcertsfile = *(++argv);
+			certoutfile = *(++argv);
 		} else if (!strcmp(*argv, "-quiet")) {
 			quiet = 1;
 		} else {
@@ -322,19 +322,19 @@ bad:
 		goto end;
 	}
-	if (outcertsfile) {
+	if (certoutfile) {
-		FILE *outcertsfp;
+		FILE *certoutfp;
-		if (!(outcertsfp = fopen(outcertsfile, "wb"))) {
+		if (!(certoutfp = fopen(certoutfile, "wb"))) {
-			fprintf(stderr, "%s: open '%s' failure\n", prog, outcertsfile);
+			fprintf(stderr, "%s: open '%s' failure\n", prog, certoutfile);
 			perror("fopen");
 			goto end;
 		}
-		if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, outcertsfp) != 1) {
+		if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, certoutfp) != 1) {
 			fprintf(stderr, "%s: x509_certs_to_pem error\n", prog);
-			fclose(outcertsfp);
+			fclose(certoutfp);
 			goto end;
 		}
-		fclose(outcertsfp);
+		fclose(certoutfp);
 	}
 	if (get) {
--- a/tools/tlcp_help.h
+++ b/tools/tlcp_help.h
@@ -13,7 +13,7 @@
 "      TLS_ECC_SM4_GCM_SM3\n"
 "      TLS_ECC_SM4_CBC_SM3\n"
 "\n"
-"  gmssl tlcp_client -host www.pbc.gov.cn -get / -outcerts certs.pem\n"
+"  gmssl tlcp_client -host www.pbc.gov.cn -get / -certout certs.pem\n"
 "\n"
 "  gmssl tlcp_client -host www.pbc.gov.cn -port 443\n"
 "\n"
@@ -36,6 +36,10 @@
 "    cat signcert.pem > double_certs.pem\n"
 "    cat enccert.pem >> double_certs.pem\n"
 "    cat cacert.pem >> double_certs.pem\n"
 "    # double_keys.pem contains two encrypted private key PEM blocks with the same password:\n"
 "    # the first is the signing private key, the second is the encryption private key.\n"
 "    cat signkey.pem > double_keys.pem\n"
 "    cat enckey.pem >> double_keys.pem\n"
 "\n"
-"    gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n"
+"    gmssl tlcp_server -port 443 -cert double_certs.pem -key double_keys.pem -pass 1234\n"
 "    gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n"
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -18,20 +18,18 @@
 #include <gmssl/error.h>
-static const char *options = "[-port num] -cert file -key file -pass str -ex_key file -ex_pass str [-alpn str] [-cacert file]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem]";
 static const char *help =
 "Options\n"
 "\n"
 "    -port num              Listening port number, default 443\n"
-"    -cert file             Server's certificate chain in PEM format, may appear multiple times\n"
+"    -cert pem              Server's certificate chain in PEM format, may appear multiple times\n"
-"    -key file              Server's signing private key in PEM format, may appear multiple times\n"
+"    -key pem               Server's signing and encryption private keys in PEM format: signing key first, encryption key second, may appear multiple times\n"
-"    -pass str              Password to decrypt signing private key, may appear multiple times\n"
+"    -pass str              Password to decrypt both private keys in the same -key PEM, may appear multiple times\n"
 "    -ex_key file           Server's encryption private key in PEM format, may appear multiple times\n"
 "    -ex_pass str           Password to decrypt encryption private key, may appear multiple times\n"
 "    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
-"    -cacert file           CA certificate for client certificate verification\n"
+"    -cacert pem            CA certificate for client certificate verification\n"
 "\n"
 #include "tlcp_help.h"
 "\n";
@@ -47,10 +45,6 @@ int tlcp_server_main(int argc , char **argv)
 	size_t signkeyfiles_cnt = 0;
 	char *signpasses[sizeof(certfiles)/sizeof(certfiles[0])];
 	size_t signpasses_cnt = 0;
 	char *enckeyfiles[sizeof(certfiles)/sizeof(certfiles[0])];
 	size_t enckeyfiles_cnt = 0;
 	char *encpasses[sizeof(certfiles)/sizeof(certfiles[0])];
 	size_t encpasses_cnt = 0;
 	char *alpn_protocols[4];
 	size_t alpn_protocols_cnt = 0;
 	char *cacertfile = NULL;
@@ -108,20 +102,6 @@ int tlcp_server_main(int argc , char **argv)
 			}
 			if (--argc < 1) goto bad;
 			signpasses[signpasses_cnt++] = *(++argv);
 		} else if (!strcmp(*argv, "-ex_key")) {
 			if (enckeyfiles_cnt >= sizeof(enckeyfiles)/sizeof(enckeyfiles[0])) {
 				fprintf(stderr, "%s: too many -ex_key options\n", prog);
 				return -1;
 			}
 			if (--argc < 1) goto bad;
 			enckeyfiles[enckeyfiles_cnt++] = *(++argv);
 		} else if (!strcmp(*argv, "-ex_pass")) {
 			if (encpasses_cnt >= sizeof(encpasses)/sizeof(encpasses[0])) {
 				fprintf(stderr, "%s: too many -ex_pass options\n", prog);
 				return -1;
 			}
 			if (--argc < 1) goto bad;
 			encpasses[encpasses_cnt++] = *(++argv);
 		} else if (!strcmp(*argv, "-alpn")) {
 			if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
 				fprintf(stderr, "%s: too many -alpn options\n", prog);
@@ -154,17 +134,8 @@ bad:
 		fprintf(stderr, "%s: '-pass' option required\n", prog);
 		return 1;
 	}
-	if (!enckeyfiles_cnt) {
+	if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt) {
-		fprintf(stderr, "%s: '-ex_key' option required\n", prog);
+		fprintf(stderr, "%s: -cert/-key/-pass counts mismatch\n", prog);
 		return 1;
 	}
 	if (!encpasses_cnt) {
 		fprintf(stderr, "%s: '-ex_pass' option required\n", prog);
 		return 1;
 	}
 	if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt
 		|| signpasses_cnt != enckeyfiles_cnt || enckeyfiles_cnt != encpasses_cnt) {
 		fprintf(stderr, "%s: -cert/-key/-pass/-ex_key/-ex_pass counts mismatch\n", prog);
 		return 1;
 	}
@@ -185,8 +156,7 @@ bad:
 	}
 	for (i = 0; i < certfiles_cnt; i++) {
 		if (tlcp_ctx_add_server_certificate_and_keys(&ctx,
-			certfiles[i], signkeyfiles[i], signpasses[i],
+			certfiles[i], signkeyfiles[i], signpasses[i]) != 1) {
 			enckeyfiles[i], encpasses[i]) != 1) {
 			error_print();
 			return -1;
 		}
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -23,7 +23,7 @@ static const char *http_get =
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str] [-trusted_ca_keys]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys]";
 static const char *help =
 "Options\n"
@@ -33,10 +33,10 @@ static const char *help =
 "    -cipher_suite str      Supported cipher suites, may appear multiple times, higher priority first\n"
 "    -supported_group str   Supported elliptic curves, may appear multiple times, higher priority first\n"
 "    -sig_alg str           Supported signature algorithms\n"
-"    -cacert file           Root CA certificate\n"
+"    -cacert pem            Root CA certificate in PEM format\n"
 "    -verify_depth num      Certificate verification depth\n"
-"    -cert file             Client's certificate chain in PEM format\n"
+"    -cert pem              Client's certificate chain in PEM format\n"
-"    -key file              Client's encrypted private key in PEM format\n"
+"    -key pem               Client's encrypted private key in PEM format\n"
 "    -pass str              Password to decrypt private key\n"
 "    -client_cert_optional  Allow client send empty Certificate\n"
 "    -server_name str       Send server_name (SNI) request\n"
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -18,7 +18,7 @@
 #include <gmssl/error.h>
-static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
 static const char *help =
 "Options\n"
@@ -27,11 +27,11 @@ static const char *help =
 "    -cipher_suite str      Supported cipher suites, may appear multiple times, higher priority first\n"
 "    -supported_group str   Supported elliptic curves, may appear multiple times, higher priority first\n"
 "    -sig_alg str           Supported signature algorithms\n"
-"    -cert file             Server's certificate chain in PEM format\n"
+"    -cert pem              Server's certificate chain in PEM format\n"
-"    -key file              Server's encrypted private key in PEM format\n"
+"    -key pem               Server's encrypted private key in PEM format\n"
 "    -pass str              Password to decrypt private key\n"
 "    -cert_request          Client certificate request\n"
-"    -cacert file           CA certificate for client certificate verification\n"
+"    -cacert pem            CA certificate for client certificate verification\n"
 "    -verify_depth num      Certificate verification depth\n"
 "    -client_cert_optional  Allow client send empty Certificate\n"
 "    -renegotiation_info    Send renegotiation_info response when client supports RFC 5746\n"
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -28,7 +28,7 @@ static const char *http_get =
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str]";
 static const char *help =
 "Options\n"
@@ -39,10 +39,10 @@ static const char *help =
 "    -supported_group str      Supported elliptic curves, may appear multiple times, higher priority first\n"
 "    -sig_alg str              Supported signature algorithms\n"
 "    -max_key_exchanges num    Number of key exchanges in key_share extension\n"
-"    -cacert file              Root CA certificate\n"
+"    -cacert pem               Root CA certificate in PEM format\n"
 "    -verify_depth num         Certificate verification depth\n"
-"    -cert file                Client's certificate chain in PEM format\n"
+"    -cert pem                 Client's certificate chain in PEM format\n"
-"    -key file                 Client's encrypted private key in PEM format\n"
+"    -key pem                  Client's encrypted private key in PEM format\n"
 "    -pass str                 Password to decrypt private key\n"
 "    -server_name str          Send server_name (SNI) request\n"
 "    -signature_algorithms_cert Send signature_algorithms_cert extension\n"
--- a/tools/tls13_server.c
+++ b/tools/tls13_server.c
@@ -20,7 +20,7 @@
-static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
 static const char *help =
 "Options\n"
@@ -29,12 +29,12 @@ static const char *help =
 "    -cipher_suite str         Client's cipher suites, may appear multiple times, higher priority first\n"
 "    -supported_group str      Supported elliptic curves, may appear multiple times, higher priority first\n"
 "    -sig_alg str              Supported signature algorithms\n"
-"    -cert file                Server's certificate chain in PEM format\n"
+"    -cert pem                 Server's certificate chain in PEM format\n"
-"    -key file                 Server's encrypted private key in PEM format\n"
+"    -key pem                  Server's encrypted private key in PEM format\n"
 "    -pass str                 Password to decrypt private key\n"
 "    -cert_request             Client certificate request\n"
 "    -client_cert_optional     Allow client send empty Certificate\n"
-"    -cacert file              CA certificate for client certificate verification\n"
+"    -cacert pem               CA certificate for client certificate verification\n"
 "    -verify_depth num         Certificate verification depth\n"
 "    -psk_ke                   Support PSK-only key exchange\n"
 "    -psk_dhe_ke               Support PSK with (EC)DHE key exchange\n"