Update TLS 1.3

Cross-validation with OpenSSL
Zhi Guan
2026-05-21 14:23:35 +08:00
parent 8e8819f27d
commit 431a22e2e9
7 changed files with 153 additions and 61 deletions


@@ -158,7 +158,7 @@ static const char *options =
" cmssign Generate CMS SignedData\n"
" cmsverify Verify CMS SignedData\n"
#ifdef ENABLE_SECP256R1
" p256keygen Generate P-256 (secp256r1, prime256v1) keypair\n"
" p256keygen Generate P-256 (secp256r1, prime256v1) keypair\n"
#endif
#ifdef ENABLE_LMS
" lmskeygen Generate LMS-SM3 (Leighton-Micali Signature) keypair\n"


@@ -24,6 +24,7 @@ static const char *options =
" -pass pass Password to encrypt the private key\n"
" -out pem Output password-encrypted PKCS #8 private key in PEM format\n"
" -pubout pem Output public key in PEM format\n"
" -export pem Output non-encrypted PKCS#8 private key in PEM format\n"
"\n"
"Examples\n"
"\n"
@@ -38,8 +39,10 @@ int p256keygen_main(int argc, char **argv)
char *pass = NULL;
char *outfile = NULL;
char *puboutfile = NULL;
char *exportfile = NULL;
FILE *outfp = stdout;
FILE *puboutfp = stdout;
FILE *exportfp = NULL;
int curve_oid = OID_secp256r1;
X509_KEY key;
@@ -71,7 +74,14 @@ int p256keygen_main(int argc, char **argv)
if (--argc < 1) goto bad;
puboutfile = *(++argv);
if (!(puboutfp = fopen(puboutfile, "wb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, puboutfile, strerror(errno));
goto end;
}
} else if (!strcmp(*argv, "-export")) {
if (--argc < 1) goto bad;
exportfile = *(++argv);
if (!(exportfp = fopen(exportfile, "wb"))) {
fprintf(stderr, "gmssl %s: open '%s' failure : %s\n", prog, exportfile, strerror(errno));
goto end;
}
} else {
@@ -91,7 +101,6 @@ bad:
goto end;
}
if (x509_key_generate(&key, OID_ec_public_key, &curve_oid, sizeof(curve_oid)) != 1) {
fprintf(stderr, "gmssl %s: inner failure\n", prog);
return -1;
@@ -104,6 +113,13 @@ bad:
fprintf(stderr, "gmssl %s: inner failure\n", prog);
goto end;
}
if (exportfp) {
if (secp256r1_private_key_to_pem(&key.u.secp256r1_key, exportfp) != 1) {
fprintf(stderr, "gmssl %s: inner failure\n", prog);
goto end;
}
}
ret = 0;
end:
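Review bot: The new `-export` branch creates the plaintext PKCS#8 key file with `fopen(exportfile, "wb")`, so its mode is whatever the process umask allows (commonly group/world-readable), while the material inside has none of the password protection the `-out` file gets. On POSIX builds I would create it owner-only, e.g. `int fd = open(exportfile, O_WRONLY|O_CREAT|O_TRUNC, 0600);` followed by `exportfp = fd < 0 ? NULL : fdopen(fd, "wb");`, keeping plain `fopen` only where `open` is unavailable. An already existing file keeps its old mode under `O_TRUNC`, so `O_EXCL` or an `fchmod` may also be wanted. The cleanup after `end:` lies outside the visible hunk, so please confirm `exportfp` is closed there; the context line `return -1` after a failed `x509_key_generate` would skip that cleanup in any case.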


@@ -33,6 +33,8 @@
// 或者P256的私钥应该用AES-128 + SHA-256加密
// 应该首先打印openssl的密钥序列early_secret, pre_master_secret, 以及 handshake_secret 等
static const char *options = "[-port num] -cert file -key file -pass str [-cacert file]";
@@ -109,12 +111,12 @@ static const char *help =
"\n"
"Generate P-256 certificates\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256rootcakey.pem\n"
" gmssl p256keygen -pass 1234 -out p256rootcakey.pem -export p256rootcakey.exp\n"
" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN P256ROOTCA -days 3650 \\\n"
" -key p256rootcakey.pem -pass 1234 -out p256rootcacert.pem \\\n"
" -key_usage keyCertSign -key_usage cRLSign -ca\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256cakey.pem\n"
" gmssl p256keygen -pass 1234 -out p256cakey.pem -export p256cakey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"P256 Sub CA\" \\\n"
" -key p256cakey.pem -pass 1234 -out p256careq.pem\n"
" gmssl reqsign -in p256careq.pem -days 365 -key_usage keyCertSign \\\n"
@@ -122,7 +124,7 @@ static const char *help =
" -ca -path_len_constraint 0 \\\n"
" -out p256cacert.pem\n"
"\n"
" gmssl p256keygen -pass 1234 -out p256signkey.pem\n"
" gmssl p256keygen -pass 1234 -out p256signkey.pem -export p256signkey.exp\n"
" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN 127.0.0.1 \\\n"
" -key p256signkey.pem -pass 1234 -out p256signreq.pem\n"
" gmssl reqsign -in p256signreq.pem -days 365 -key_usage digitalSignature \\\n"
@@ -144,6 +146,11 @@ static const char *help =
" gmssl tls13_client -host 127.0.0.1 -port 4430 -cacert rootcacerts.pem \\\n"
" -cipher_suite TLS_AES_128_GCM_SHA256 -supported_group prime256v1 -sig_alg ecdsa_secp256r1_sha256\n"
"\n"
" add `SSL_CTX_clear_options(ctx, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);` to openssl apps/s_server.c\n"
" /usr/local/bin/openssl s_server -accept 4430 -cert p256signcert.pem -cert_chain p256cacert.pem -key p256signkey.exp \\\n"
" -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256 -named_curve prime256v1 \\\n"
" -trace -keylogfile sslkeys.log\n"
"\n"
"TLS 1.3 SNI\n"
"\n"
" sudo gmssl tls13_server -port 4430 \\\n"
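Review bot: The help examples now pass `-export` for the root CA and sub-CA keys as well (`p256rootcakey.exp`, `p256cakey.exp`), yet the only visible consumer of an unencrypted key is the added `openssl s_server` line, which reads `p256signkey.exp`. I would drop `-export` from the two CA `p256keygen` examples so that users copying the help text do not leave plaintext CA signing keys on disk; the rest of the `help` string is outside these hunks, so another use of those files cannot be ruled out from here. The `-trace -keylogfile sslkeys.log` example writes TLS session secrets to a file, and a hint line such as `"  (debug only: sslkeys.log holds TLS session secrets; delete it after use)\n"` above it would make that explicit. The two comments added in the first hunk read as open TODO items and would be easier to track if marked `// TODO:`.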