Update X509

Zhi Guan
2023-02-08 21:51:05 +08:00
parent 14b23cec47
commit da9ef786eb
8 changed files with 226 additions and 66 deletions


@@ -93,6 +93,11 @@ cat $signcert > $chain
cat $cacert >> $chain
gmssl certverify -in $chain -cacert $rootcacert
chain_with_root=chain_with_root.pem
cp $chain $chain_with_root
cat $rootcacert >> $chain_with_root
gmssl certverify -in $chain_with_root -cacert $rootcacert
double_certs=double_certs.pem
cat $signcert > $double_certs
cat $enccert >> $double_certs
@@ -104,9 +109,9 @@ cat $cacert >> $double_chain
gmssl certverify -in $double_chain -cacert $rootcacert -double_certs
gmssl certparse -in $double_chain
#gmssl certverify -in $double_chain -cacert $rootcacert -double_certs -check_crl
#gmssl crlget -cert $signcert -out $crl
#gmssl crlparse -in $crl
gmssl certverify -in $double_chain -cacert $rootcacert -double_certs -check_crl
gmssl crlget -cert $signcert -out $crl
gmssl crlparse -in $crl
rm -fr $signcert
@@ -115,7 +120,7 @@ rm -fr $crl
rm -fr $cacert
rm -fr $rootcacert
rm -fr $chain
rm -fr $chain_with_root
rm -fr $double_certs
rm -fr $double_chain
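Review bot: The CRL steps in the second hunk (`gmssl certverify ... -check_crl`, `gmssl crlget -cert $signcert -out $crl`, `gmssl crlparse -in $crl`) appear to go from commented-out to active, which would make the script depend on retrieving a CRL for `$signcert`; the page does not mark which copy is the new side, so treat this as conditional. If they are active, a comment such as `# presumably needs network access to retrieve the CRL for $signcert` would explain why the test can fail offline, and it is worth confirming the script stops when `crlget` fails rather than parsing a stale or empty `$crl`. The new `chain_with_root` case in the first hunk would also benefit from a comment stating what it asserts, e.g. `# a chain that already includes the root must still verify`. The script starts and ends outside these hunks.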


@@ -2,21 +2,21 @@
gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca
gmssl certparse -in rootcacert.pem
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.pem
gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem -ca
gmssl certparse -in cacert.pem
gmssl sm2keygen -pass 1234 -out signkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.pem
gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
gmssl certparse -in signcert.pem
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.pem
gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
gmssl certparse -in enccert.pem
@@ -25,15 +25,25 @@ cat enccert.pem >> double_certs.pem
cat cacert.pem >> double_certs.pem
sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 -cacert cacert.pem 1>/dev/null 2>/dev/null &
#sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 1>/dev/null 2>/dev/null &
sleep 3
gmssl sm2keygen -pass 1234 -out clientkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -key clientkey.pem -pass 1234 -out clientreq.pem
gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
gmssl certparse -in clientcert.pem
# build and install BabaSSL 8.3.1
# build and install BabaSSL 8.3.2
# Download
# ./config enable-ntls; make; sudo make install
# current /demos/scripts
# /build/bin
openssl version
openssl s_client -enable_ntls -ntls -connect localhost:443 -no_ticket -CAfile rootcacert.pem
../../build/bin/demo_sm2_key_export clientkey.pem 1234 > clientpkey.pem
#openssl s_client -enable_ntls -ntls -connect localhost:443 -no_ticket -CAfile rootcacert.pem -sign_cert clientcert.pem -sign_key clientpkey.pem -pass pass:1234
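Review bot: The added line `../../build/bin/demo_sm2_key_export clientkey.pem 1234 > clientpkey.pem` leaves a decrypted private key in `clientpkey.pem` with whatever permissions the current umask allows, and no cleanup for it is visible in this hunk. Creating it under a restrictive umask, `(umask 077; ../../build/bin/demo_sm2_key_export clientkey.pem 1234 > clientpkey.pem)`, and removing it at the end with `rm -f clientpkey.pem` keeps the plaintext key from outliving the test. The commented `s_client` line still passes `-pass pass:1234` for a key that is no longer encrypted, which is worth a comment or removal. The script continues outside the hunk, so cleanup may exist further down.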


@@ -34,5 +34,5 @@ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -key clientke
gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
gmssl certparse -in clientcert.pem
gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
#gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234


@@ -0,0 +1,64 @@
/*
* Copyright 2014-2022 The GmSSL Project. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the License); you may
* not use this file except in compliance with the License.
*
* http://www.apache.org/licenses/LICENSE-2.0
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
int main(int argc, char **argv)
{
int ret = -1;
char *prog = argv[0];
char *keyfile;
char *pass;
FILE *keyfp = NULL;
SM2_KEY sm2_key;
if (argc < 3) {
fprintf(stderr, "usage: %s <key.pem> <pass>\n", prog);
return -1;
}
keyfile = argv[1];
pass = argv[2];
if (!(keyfp = fopen(keyfile, "rb"))) {
fprintf(stderr, "%s: open file '%s' failure\n", prog, keyfile);
return -1;
}
if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
fprintf(stderr, "%s: load key failure\n", prog);
goto end;
}
if (sm2_private_key_info_to_pem(&sm2_key, stdout) != 1) {
fprintf(stderr, "%s: export failure\n", prog);
goto end;
}
ret = 0;
end:
gmssl_secure_clear(&sm2_key, sizeof(sm2_key));
if (keyfp) fclose(keyfp);
return ret;
}
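Review bot: Nothing in this new file says that it writes the private key to stdout without encryption, or that the passphrase in `argv[2]` is visible to other local users through the process list while the program runs. A short comment above `main` would cover it, e.g. `/* Demo only: decrypts <key.pem> with <pass> and prints the unencrypted private key to stdout. */`, and the usage string could say the same. `main` also returns `-1` on failure, which the shell reports as 255; `return 1` is the more conventional exit status.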


@@ -11,20 +11,39 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <gmssl/mem.h>
#include <gmssl/sm2.h>
int main(int argc, char **argv)
{
uint8_t buf[4096];
uint8_t dgst[32];
int i;
char *prog = argv[0];
char *keyfile;
char *pass;
FILE *keyfp = NULL;
SM2_KEY sm2_key;
for (i = 0; i < sizeof(dgst); i++) {
printf("%02x", dgst[i]);
if (argc < 3) {
fprintf(stderr, "usage: %s <key.pem> <pass>\n", prog);
return -1;
}
printf("\n");
keyfile = argv[1];
pass = argv[2];
if (!(keyfp = fopen(keyfile, "rb"))) {
fprintf(stderr, "%s: open file '%s' failure\n", prog, keyfile);
return -1;
}
if (sm2_private_key_info_decrypt_from_pem(&sm2_key, pass, keyfp) != 1) {
fprintf(stderr, "%s: load key failure\n", prog);
fclose(keyfp);
return -1;
}
sm2_key_print(stdout, 0, 0, "SM2_KEY", &sm2_key);
gmssl_secure_clear(&sm2_key, sizeof(sm2_key));
fclose(keyfp);
return 0;
}
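Review bot: The load-failure branch closes the file and returns without calling `gmssl_secure_clear(&sm2_key, sizeof(sm2_key))`, so anything `sm2_private_key_info_decrypt_from_pem` wrote into `sm2_key` before failing stays on the stack; whether it leaves partial key material on failure is not visible here. The export demo added in this same commit routes both outcomes through one `end:` label, and the same shape here (`int ret = -1;`, `goto end;` on failure, `end:` placed before the clear and `fclose`) would keep the two demos consistent. `sm2_key_print(stdout, ...)` presumably prints the private key as well as the public key, so a one-line comment that the output is sensitive would help.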