Update demos, asn.1 bug fix

2026-05-06 16:36:16 +08:00 · 2022-07-25 16:48:45 +08:00
parent 08dd20b70f
commit f49d465b42
15 changed files with 229 additions and 100 deletions
--- a/demos/cademo.sh
+++ b/demos/cademo.sh
@@ -10,13 +10,13 @@ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650
 gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
 gmssl certparse -in cacert.pem

+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
 gmssl sm2keygen -pass 1234 -out enckey.pem
 gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
 gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
 gmssl certparse -in enccert.pem

-cat enccert.pem > certs.pem
-cat cacert.pem >> certs.pem
-
-#sudo gmssl tlcp_server -cert cert.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 # -cacert cacert.pem
-
--- a/demos/certdemo.sh
+++ b/demos/certdemo.sh
@@ -1,14 +1,34 @@
-#!/bin/bash -x
-
-# generate sm2 keypair and encrypt with password
-gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
-
-# generate a self-signed certificate
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key sm2.pem -pass 1234 \
-	-key_usage "digitalSignature" -key_usage "keyCertSign" -key_usage cRLSign \
-	-out cert.pem
-
-gmssl certparse -in cert.pem
+#!/bin/bash


+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+gmssl sm2keygen -pass 1234 -out enckey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
+gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
+gmssl certparse -in enccert.pem
+
+
+cat signcert.pem > certs.pem
+cat cacert.pem >> certs.pem
+gmssl certverify -in certs.pem -cacert rootcacert.pem
+
+
+cat signcert.pem > dbl_certs.pem
+cat enccert.pem >> dbl_certs.pem
+cat cacert.pem >> dbl_certs.pem
+gmssl certverify -double_certs -in dbl_certs.pem -cacert rootcacert.pem
+

--- a/demos/cmsdemo.sh
+++ b/demos/cmsdemo.sh
@@ -2,7 +2,7 @@


 gmssl sm2keygen -pass 1234 -out key.pem -pubout keypub.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key key.pem -pass 1234 -out cert.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -key_usage dataEncipherment -days 365 -key key.pem -pass 1234 -out cert.pem

 echo "<html>The plaintext message.</html>" > plain.txt

--- a/demos/sm2/CMakeLists.txt
+++ b/demos/sm2/CMakeLists.txt
@@ -0,0 +1,8 @@
+cmake_minimum_required(VERSION 3.0)
+project(sm2demo)
+
+include_directories(/usr/local/include)
+link_directories(/usr/local/lib)
+
+add_executable(sm2keyparse sm2keyparse.c)
+target_link_libraries(sm2keyparse gmssl)
--- a/demos/sm2/sm2keyparse.c
+++ b/demos/sm2/sm2keyparse.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the GmSSL Project.
+ *    (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ *    products derived from this software without prior written
+ *    permission. For written permission, please contact
+ *    guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ *    nor may "GmSSL" appear in their names without prior written
+ *    permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the GmSSL Project
+ *    (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <gmssl/sm2.h>
+
+
+int main(int argc, char **argv)
+{
+	uint8_t buf[4096];
+	ssize_t len;
+	uint8_t dgst[32];
+	int i;
+
+
+	for (i = 0; i < sizeof(dgst); i++) {
+		printf("%02x", dgst[i]);
+	}
+	printf("\n");
+	return 0;
+}
+
+
+
+
+
+
+
+
+
+
+
+
--- a/demos/tlcp_client.sh
+++ b/demos/tlcp_client.sh
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-
-# 当服务器发送CertificateRequest而Client又没有用证书、密钥时，会SegFault
-
-
-#../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-../build/bin/tlcp_client -host 127.0.0.1 -cacert cacert.pem # -cert cert.pem -key key.pem -pass 123456
-
-
--- a/demos/tlcp_server.sh
+++ b/demos/tlcp_server.sh
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-
-gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 1234 -out cacert.pem -key_usage keyCertSign -key_usage cRLSign
-gmssl certparse -in cacert.pem
-
-gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
-gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
-gmssl certparse -in signcert.pem
-
-gmssl sm2keygen -pass 1234 -out enckey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
-gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
-gmssl certparse -in enccert.pem
-
-cat signcert.pem > cert.pem
-cat enccert.pem >> cert.pem
-
-sudo gmssl tlcp_server -cert cert.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 # -cacert cacert.pem
-
--- a/demos/tlcpdemo.sh
+++ b/demos/tlcpdemo.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+gmssl sm2keygen -pass 1234 -out enckey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
+gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
+gmssl certparse -in enccert.pem
+
+cat signcert.pem > double_certs.pem
+cat enccert.pem >> double_certs.pem
+cat cacert.pem >> double_certs.pem
+
+sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 -cacert cacert.pem  1>/dev/null  2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
--- a/demos/tls12.sh
+++ b/demos/tls12.sh
@@ -1,15 +0,0 @@
-#!/bin/bash -x
-
-
-# server-authentication only
-../build/bin/tls12_server -cert cert.pem -key key.pem -pass 123456  1>/dev/null  2>/dev/null &
-sleep 3
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem
-
-
-# mutual authentication, i.e. client certificate requested
-../build/bin/tls12_server -cert cert.pem -key key.pem -pass 123456 -cacert cacert.pem 1>/dev/null  2>/dev/null &
-sleep 3
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-
-
--- a/demos/tls12_client.sh
+++ b/demos/tls12_client.sh
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-
-# 当服务器发送CertificateRequest而Client又没有用证书、密钥时，会SegFault
-
-
-#../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem # -cert cert.pem -key key.pem -pass 123456
-
-
--- a/demos/tls12_server.sh
+++ b/demos/tls12_server.sh
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-
-# 现在的错误是服务器想要让客户端发送证书，但是客户端没有发证书
-# 如果要求客户端发送证书，那么服务器必须准备相应的CA证书
-# 客户端的证书和CA证书有什么区别吗？可能没有区别，但是还应该生成一个
-# 客户端的名字是什么呢？
-#
-# 服务器的证书需要设定服务器名字，也就是127.0.0.1或者localhost
-# 这个名字和SNI是有关系的
-
-# 客户端的名字可以任意定了，而且客户端的CA可以有所不同吧
-
-
-../build/bin/tls12_server  -cert cert.pem -key key.pem -pass 123456 #-cacert cacert.pem
-
--- a/demos/tls12demo.sh
+++ b/demos/tls12demo.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+cat signcert.pem > certs.pem
+cat cacert.pem >> certs.pem
+
+sudo gmssl tls12_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -cacert cacert.pem  1>/dev/null  2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tls12_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
--- a/demos/tls13demo.sh
+++ b/demos/tls13demo.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+cat signcert.pem > certs.pem
+cat cacert.pem >> certs.pem
+
+sudo gmssl tls13_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -cacert cacert.pem  1>/dev/null  2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tls13_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
--- a/src/asn1.c
+++ b/src/asn1.c
@@ -454,13 +454,13 @@ int asn1_integer_to_der_ex(int tag, const uint8_t *a, size_t alen, uint8_t **out
 		return -1;
 	}

+	if (!a) {
+		return 0;
+	}
 	if (alen <= 0 || alen > INT_MAX) {
 		error_print();
 		return -1;
 	}
-	if (!a) {
-		return 0;
-	}

 	if (out && *out)
 		*(*out)++ = tag;
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -295,15 +295,13 @@ int tls12_do_connect(TLS_CONNECT *conn)
 	int signature_algors[] = { TLS_sig_sm2sig_sm3 };
 	size_t signature_algors_cnt = 1;

+
+	p = client_exts;
 	client_exts_len = 0;
-	/*
-	tls_exts_add_ec_point_formats(client_exts, &client_exts_len, sizeof(client_exts), ec_point_formats, ec_point_formats_cnt);
-	tls_exts_add_supported_groups(client_exts, &client_exts_len, sizeof(client_exts), supported_groups, supported_groups_cnt);
-	tls_exts_add_signature_algors(client_exts, &client_exts_len, sizeof(client_exts), signature_algors, signature_algors_cnt);
-	*/
-
-

+	tls_ec_point_formats_ext_to_bytes(ec_point_formats, ec_point_formats_cnt, &p, &client_exts_len);
+	tls_supported_groups_ext_to_bytes(supported_groups, supported_groups_cnt, &p, &client_exts_len);
+	tls_signature_algorithms_ext_to_bytes(signature_algors, signature_algors_cnt, &p, &client_exts_len);

 	if (tls_record_set_handshake_client_hello(record, &recordlen,
 		conn->protocol, client_random, NULL, 0,