Add ECDHE cipher suites to TLCP

2026-06-27 15:43:42 +08:00 · 2026-06-24 08:12:01 +08:00
parent 24f4224fcb
commit dadd2a3e0d
16 changed files with 1083 additions and 105 deletions
--- a/cmake/tlcp_commands.cmake
+++ b/cmake/tlcp_commands.cmake
@@ -5,6 +5,8 @@ gmssl_require_file(sm2_tlcp_server_certs.pem)
 gmssl_require_file(sm2_tlcp_server_keys.pem)
 gmssl_require_file(sm2_tls_client_certs.pem)
 gmssl_require_file(sm2_tls_client_key.pem)
+gmssl_require_file(sm2_tlcp_client_certs.pem)
+gmssl_require_file(sm2_tlcp_client_keys.pem)

 if(NOT DEFINED TEST_CASE)
 	set(TEST_CASE tlcp_sm4_gcm_sni)
@@ -25,6 +27,18 @@ elseif(TEST_CASE STREQUAL tlcp_sm4_gcm_client_cert)
 	set(TEST_PORT 4436)
 	set(TEST_CIPHER_SUITE TLS_ECC_SM4_GCM_SM3)
 	set(TEST_CLIENT_CERT ON)
+elseif(TEST_CASE STREQUAL tlcp_ecdhe_sm4_cbc_client_cert)
+	set(TEST_NAME tlcp_ecdhe_sm4_cbc_client_cert)
+	set(TEST_PORT 4437)
+	set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_CBC_SM3)
+	set(TEST_CLIENT_CERT ON)
+	set(TEST_CLIENT_DOUBLE_CERT ON)
+elseif(TEST_CASE STREQUAL tlcp_ecdhe_sm4_gcm_client_cert)
+	set(TEST_NAME tlcp_ecdhe_sm4_gcm_client_cert)
+	set(TEST_PORT 4438)
+	set(TEST_CIPHER_SUITE TLS_ECDHE_SM4_GCM_SM3)
+	set(TEST_CLIENT_CERT ON)
+	set(TEST_CLIENT_DOUBLE_CERT ON)
 else()
 	message(FATAL_ERROR "unknown TLCP test case: ${TEST_CASE}")
 endif()
@@ -50,10 +64,17 @@ if(TEST_CLIENT_CERT)
 	list(APPEND TEST_SERVER_ARGS
 		-cacert sm2_root_ca_cert.pem
 		-cert_request)
-	list(APPEND TEST_CLIENT_ARGS
-		-cert sm2_tls_client_certs.pem
-		-key sm2_tls_client_key.pem
-		-pass P@ssw0rd)
+	if(TEST_CLIENT_DOUBLE_CERT)
+		list(APPEND TEST_CLIENT_ARGS
+			-cert sm2_tlcp_client_certs.pem
+			-key sm2_tlcp_client_keys.pem
+			-pass P@ssw0rd)
+	else()
+		list(APPEND TEST_CLIENT_ARGS
+			-cert sm2_tls_client_certs.pem
+			-key sm2_tls_client_key.pem
+			-pass P@ssw0rd)
+	endif()
 endif()

 gmssl_run_tls_command_test(
--- a/cmake/tool_cert.cmake
+++ b/cmake/tool_cert.cmake
@@ -187,6 +187,20 @@ gmssl_generate_end_entity(SM2 sm2_tls_client "GmSSL SM2 TLS Client"
 gmssl_write_bundle(sm2_tls_client_certs.pem
 	sm2_tls_client_cert.pem sm2_tls_client_ca_cert.pem)

+# SM2 TLCP client chain reuses the SM2 TLS client CA and adds an encryption certificate.
+gmssl_generate_end_entity(SM2 sm2_tlcp_client_sign "GmSSL SM2 TLCP Client"
+	sm2_tls_client_ca_cert.pem sm2_tls_client_ca_key.pem
+	digitalSignature clientAuth "" OFF)
+gmssl_generate_end_entity(SM2 sm2_tlcp_client_enc "GmSSL SM2 TLCP Client"
+	sm2_tls_client_ca_cert.pem sm2_tls_client_ca_key.pem
+	keyEncipherment clientAuth "" OFF)
+gmssl_write_bundle(sm2_tlcp_client_certs.pem
+	sm2_tlcp_client_sign_cert.pem
+	sm2_tlcp_client_enc_cert.pem
+	sm2_tls_client_ca_cert.pem)
+gmssl_write_bundle(sm2_tlcp_client_keys.pem
+	sm2_tlcp_client_sign_key.pem sm2_tlcp_client_enc_key.pem)
+
 # P256 TLS client chain: root -> client CA -> client certificate
 gmssl_generate_ca(P256 p256_tls_client_ca "GmSSL P256 TLS Client CA"
 	p256_root_ca_cert.pem p256_root_ca_key.pem 0)