abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-19 19:33:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Update TLS commands

Browse Source
This commit is contained in:
Zhi Guan
2026-06-12 10:55:29 +08:00
parent dbbee6dbe0
commit 30bc6a2a4c
9 changed files with 58 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
include/gmssl/tls.h
View File

@@ -931,11 +931,9 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth
int tls_ctx_set_certificate_and_key(TLS_CTX *ctx, const char *chainfile,
const char *keyfile, const char *keypass);
int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
const char *signkeyfile, const char *signkeypass,
const char *kenckeyfile, const char *kenckeypass);
const char *keyfile, const char *keypass);
int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
const char *signkeyfile, const char *signkeypass,
const char *kenckeyfile, const char *kenckeypass);
const char *keyfile, const char *keypass);
void tls_ctx_cleanup(TLS_CTX *ctx);
int tls_ctx_add_certificate_chain_and_key(TLS_CTX *ctx, const char *chainfile,

26
src/tls.c
View File

@@ -2742,8 +2742,7 @@ end:
}
int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
const char *signkeyfile, const char *signkeypass,
const char *kenckeyfile, const char *kenckeypass)
const char *keyfile, const char *keypass)
{
int ret = -1;
const int algor = OID_ec_public_key;
@@ -2753,15 +2752,14 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
size_t cert_chains_len;
size_t key_idx;
FILE *certfp = NULL;
FILE *signkeyfp = NULL;
FILE *kenckeyfp = NULL;
FILE *keyfp = NULL;
const uint8_t *cert;
size_t certlen;
X509_KEY public_key;
if (!ctx || !chainfile || !signkeyfile || !signkeypass || !kenckeyfile || !kenckeypass) {
if (!ctx || !chainfile || !keyfile || !keypass) {
error_print();
return -1;
}
@@ -2798,11 +2796,11 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
cert_chains_len += cert_chain_len;
// load sign key
if (!(signkeyfp = fopen(signkeyfile, "r"))) {
if (!(keyfp = fopen(keyfile, "r"))) {
error_print();
goto end;
}
if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, signkeypass, signkeyfp) != 1) {
if (x509_private_key_from_file(&ctx->x509_keys[key_idx], algor, keypass, keyfp) != 1) {
error_print();
goto end;
}
@@ -2818,11 +2816,7 @@ int tlcp_ctx_add_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile
}
// load enc key
if (!(kenckeyfp = fopen(kenckeyfile, "r"))) {
error_print();
goto end;
}
if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, kenckeypass, kenckeyfp) != 1) {
if (x509_private_key_from_file(&ctx->enc_keys[key_idx], algor, keypass, keyfp) != 1) {
error_print();
goto end;
}
@@ -2852,21 +2846,19 @@ end:
x509_key_cleanup(&ctx->enc_keys[key_idx]);
}
if (certfp) fclose(certfp);
if (signkeyfp) fclose(signkeyfp);
if (kenckeyfp) fclose(kenckeyfp);
if (keyfp) fclose(keyfp);
return ret;
}
int tls_ctx_set_tlcp_server_certificate_and_keys(TLS_CTX *ctx, const char *chainfile,
const char *signkeyfile, const char *signkeypass,
const char *kenckeyfile, const char *kenckeypass)
const char *keyfile, const char *keypass)
{
if (!ctx || ctx->cert_chains_len || ctx->x509_keys_cnt) {
error_print();
return -1;
}
if (tlcp_ctx_add_server_certificate_and_keys(ctx, chainfile,
signkeyfile, signkeypass, kenckeyfile, kenckeypass) != 1) {
keyfile, keypass) != 1) {
error_print();
return -1;
}

34
tools/tlcp_client.c
View File

@@ -20,9 +20,9 @@
#define TIMEOUT_SECONDS 1
static const char *usage =
"-host str [-port num] [-cacert file]"
" [-cert file -key file -pass str]"
" [-outcerts file]"
"-host str [-port num] [-cacert pem]"
" [-cert pem -key pem -pass str]"
" [-certout pem]"
" [-get path]"
" [-alpn str]"
" [-trusted_ca_keys]"
@@ -36,14 +36,14 @@ static const char *help =
" -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n"
" -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n"
" -sig_alg str Supported signature algorithms\n"
" -cacert file Trusted CA certificate(s) in PEM format\n"
" -cacert pem Trusted CA certificate(s) in PEM format\n"
" -verify_depth num Certificate verification depth\n"
" -cert file Client certificate(s) in PEM format\n"
" -key file Private key of client certificate\n"
" -cert pem Client certificate(s) in PEM format\n"
" -key pem Private key of client certificate in PEM format\n"
" -pass password Password of encrypted private key\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -get path Send a GET request with given path of URI\n"
" -outcerts file Save server certificates to a PEM file\n"
" -certout pem Save server certificates to a PEM file\n"
" -server_name str Send server_name (SNI) request\n"
" -trusted_ca_keys Send trusted_ca_keys request\n"
" -alpn str Application protocol name, may appear multiple times, higher priority first\n"
@@ -78,7 +78,7 @@ int tlcp_client_main(int argc, char *argv[])
size_t alpn_protocols_cnt = 0;
int client_cert_optional = 0;
char *get = NULL;
char *outcertsfile = NULL;
char *certoutfile = NULL;
int quiet = 0;
struct hostent *hp;
struct sockaddr_in server;
@@ -186,9 +186,9 @@ int tlcp_client_main(int argc, char *argv[])
} else if (!strcmp(*argv, "-get")) {
if (--argc < 1) goto bad;
get = *(++argv);
} else if (!strcmp(*argv, "-outcerts")) {
} else if (!strcmp(*argv, "-certout")) {
if (--argc < 1) goto bad;
outcertsfile = *(++argv);
certoutfile = *(++argv);
} else if (!strcmp(*argv, "-quiet")) {
quiet = 1;
} else {
@@ -322,19 +322,19 @@ bad:
goto end;
}
if (outcertsfile) {
FILE *outcertsfp;
if (!(outcertsfp = fopen(outcertsfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure\n", prog, outcertsfile);
if (certoutfile) {
FILE *certoutfp;
if (!(certoutfp = fopen(certoutfile, "wb"))) {
fprintf(stderr, "%s: open '%s' failure\n", prog, certoutfile);
perror("fopen");
goto end;
}
if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, outcertsfp) != 1) {
if (x509_certs_to_pem(conn.server_certs, conn.server_certs_len, certoutfp) != 1) {
fprintf(stderr, "%s: x509_certs_to_pem error\n", prog);
fclose(outcertsfp);
fclose(certoutfp);
goto end;
}
fclose(outcertsfp);
fclose(certoutfp);
}
if (get) {

8
tools/tlcp_help.h
View File

@@ -13,7 +13,7 @@
" TLS_ECC_SM4_GCM_SM3\n"
" TLS_ECC_SM4_CBC_SM3\n"
"\n"
" gmssl tlcp_client -host www.pbc.gov.cn -get / -outcerts certs.pem\n"
" gmssl tlcp_client -host www.pbc.gov.cn -get / -certout certs.pem\n"
"\n"
" gmssl tlcp_client -host www.pbc.gov.cn -port 443\n"
"\n"
@@ -36,6 +36,10 @@
" cat signcert.pem > double_certs.pem\n"
" cat enccert.pem >> double_certs.pem\n"
" cat cacert.pem >> double_certs.pem\n"
" # double_keys.pem contains two encrypted private key PEM blocks with the same password:\n"
" # the first is the signing private key, the second is the encryption private key.\n"
" cat signkey.pem > double_keys.pem\n"
" cat enckey.pem >> double_keys.pem\n"
"\n"
" gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234\n"
" gmssl tlcp_server -port 443 -cert double_certs.pem -key double_keys.pem -pass 1234\n"
" gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem\n"

46
tools/tlcp_server.c
View File

@@ -18,20 +18,18 @@
#include <gmssl/error.h>
static const char *options = "[-port num] -cert file -key file -pass str -ex_key file -ex_pass str [-alpn str] [-cacert file]";
static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem]";
static const char *help =
"Options\n"
"\n"
" -port num Listening port number, default 443\n"
" -cert file Server's certificate chain in PEM format, may appear multiple times\n"
" -key file Server's signing private key in PEM format, may appear multiple times\n"
" -pass str Password to decrypt signing private key, may appear multiple times\n"
" -ex_key file Server's encryption private key in PEM format, may appear multiple times\n"
" -ex_pass str Password to decrypt encryption private key, may appear multiple times\n"
" -cert pem Server's certificate chain in PEM format, may appear multiple times\n"
" -key pem Server's signing and encryption private keys in PEM format: signing key first, encryption key second, may appear multiple times\n"
" -pass str Password to decrypt both private keys in the same -key PEM, may appear multiple times\n"
" -alpn str Application protocol name, may appear multiple times, higher priority first\n"
" -cacert file CA certificate for client certificate verification\n"
" -cacert pem CA certificate for client certificate verification\n"
"\n"
#include "tlcp_help.h"
"\n";
@@ -47,10 +45,6 @@ int tlcp_server_main(int argc , char **argv)
size_t signkeyfiles_cnt = 0;
char *signpasses[sizeof(certfiles)/sizeof(certfiles[0])];
size_t signpasses_cnt = 0;
char *enckeyfiles[sizeof(certfiles)/sizeof(certfiles[0])];
size_t enckeyfiles_cnt = 0;
char *encpasses[sizeof(certfiles)/sizeof(certfiles[0])];
size_t encpasses_cnt = 0;
char *alpn_protocols[4];
size_t alpn_protocols_cnt = 0;
char *cacertfile = NULL;
@@ -108,20 +102,6 @@ int tlcp_server_main(int argc , char **argv)
}
if (--argc < 1) goto bad;
signpasses[signpasses_cnt++] = *(++argv);
} else if (!strcmp(*argv, "-ex_key")) {
if (enckeyfiles_cnt >= sizeof(enckeyfiles)/sizeof(enckeyfiles[0])) {
fprintf(stderr, "%s: too many -ex_key options\n", prog);
return -1;
}
if (--argc < 1) goto bad;
enckeyfiles[enckeyfiles_cnt++] = *(++argv);
} else if (!strcmp(*argv, "-ex_pass")) {
if (encpasses_cnt >= sizeof(encpasses)/sizeof(encpasses[0])) {
fprintf(stderr, "%s: too many -ex_pass options\n", prog);
return -1;
}
if (--argc < 1) goto bad;
encpasses[encpasses_cnt++] = *(++argv);
} else if (!strcmp(*argv, "-alpn")) {
if (alpn_protocols_cnt >= sizeof(alpn_protocols)/sizeof(alpn_protocols[0])) {
fprintf(stderr, "%s: too many -alpn options\n", prog);
@@ -154,17 +134,8 @@ bad:
fprintf(stderr, "%s: '-pass' option required\n", prog);
return 1;
}
if (!enckeyfiles_cnt) {
fprintf(stderr, "%s: '-ex_key' option required\n", prog);
return 1;
}
if (!encpasses_cnt) {
fprintf(stderr, "%s: '-ex_pass' option required\n", prog);
return 1;
}
if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt
|| signpasses_cnt != enckeyfiles_cnt || enckeyfiles_cnt != encpasses_cnt) {
fprintf(stderr, "%s: -cert/-key/-pass/-ex_key/-ex_pass counts mismatch\n", prog);
if (certfiles_cnt != signkeyfiles_cnt || signkeyfiles_cnt != signpasses_cnt) {
fprintf(stderr, "%s: -cert/-key/-pass counts mismatch\n", prog);
return 1;
}
@@ -185,8 +156,7 @@ bad:
}
for (i = 0; i < certfiles_cnt; i++) {
if (tlcp_ctx_add_server_certificate_and_keys(&ctx,
certfiles[i], signkeyfiles[i], signpasses[i],
enckeyfiles[i], encpasses[i]) != 1) {
certfiles[i], signkeyfiles[i], signpasses[i]) != 1) {
error_print();
return -1;
}

8
tools/tls12_client.c
View File

@@ -23,7 +23,7 @@ static const char *http_get =
"Hostname: aaa\r\n"
"\r\n\r\n";
static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str] [-trusted_ca_keys]";
static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys]";
static const char *help =
"Options\n"
@@ -33,10 +33,10 @@ static const char *help =
" -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n"
" -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n"
" -sig_alg str Supported signature algorithms\n"
" -cacert file Root CA certificate\n"
" -cacert pem Root CA certificate in PEM format\n"
" -verify_depth num Certificate verification depth\n"
" -cert file Client's certificate chain in PEM format\n"
" -key file Client's encrypted private key in PEM format\n"
" -cert pem Client's certificate chain in PEM format\n"
" -key pem Client's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -server_name str Send server_name (SNI) request\n"

8
tools/tls12_server.c
View File

@@ -18,7 +18,7 @@
#include <gmssl/error.h>
static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
static const char *help =
"Options\n"
@@ -27,11 +27,11 @@ static const char *help =
" -cipher_suite str Supported cipher suites, may appear multiple times, higher priority first\n"
" -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n"
" -sig_alg str Supported signature algorithms\n"
" -cert file Server's certificate chain in PEM format\n"
" -key file Server's encrypted private key in PEM format\n"
" -cert pem Server's certificate chain in PEM format\n"
" -key pem Server's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n"
" -cert_request Client certificate request\n"
" -cacert file CA certificate for client certificate verification\n"
" -cacert pem CA certificate for client certificate verification\n"
" -verify_depth num Certificate verification depth\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -renegotiation_info Send renegotiation_info response when client supports RFC 5746\n"

8
tools/tls13_client.c
View File

@@ -28,7 +28,7 @@ static const char *http_get =
"Hostname: aaa\r\n"
"\r\n\r\n";
static const char *options = "-host str [-port num] [-cacert file] [-cert file -key file -pass str]";
static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str]";
static const char *help =
"Options\n"
@@ -39,10 +39,10 @@ static const char *help =
" -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n"
" -sig_alg str Supported signature algorithms\n"
" -max_key_exchanges num Number of key exchanges in key_share extension\n"
" -cacert file Root CA certificate\n"
" -cacert pem Root CA certificate in PEM format\n"
" -verify_depth num Certificate verification depth\n"
" -cert file Client's certificate chain in PEM format\n"
" -key file Client's encrypted private key in PEM format\n"
" -cert pem Client's certificate chain in PEM format\n"
" -key pem Client's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n"
" -server_name str Send server_name (SNI) request\n"
" -signature_algorithms_cert Send signature_algorithms_cert extension\n"

8
tools/tls13_server.c
View File

@@ -20,7 +20,7 @@
static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
static const char *help =
"Options\n"
@@ -29,12 +29,12 @@ static const char *help =
" -cipher_suite str Client's cipher suites, may appear multiple times, higher priority first\n"
" -supported_group str Supported elliptic curves, may appear multiple times, higher priority first\n"
" -sig_alg str Supported signature algorithms\n"
" -cert file Server's certificate chain in PEM format\n"
" -key file Server's encrypted private key in PEM format\n"
" -cert pem Server's certificate chain in PEM format\n"
" -key pem Server's encrypted private key in PEM format\n"
" -pass str Password to decrypt private key\n"
" -cert_request Client certificate request\n"
" -client_cert_optional Allow client send empty Certificate\n"
" -cacert file CA certificate for client certificate verification\n"
" -cacert pem CA certificate for client certificate verification\n"
" -verify_depth num Certificate verification depth\n"
" -psk_ke Support PSK-only key exchange\n"
" -psk_dhe_ke Support PSK with (EC)DHE key exchange\n"