From f49d465b4213efee5bcde0eca01c9b210deb83b2 Mon Sep 17 00:00:00 2001
From: Zhi Guan
Date: Mon, 25 Jul 2022 16:48:45 +0800
Subject: [PATCH] Update demos, asn.1 bug fix
---
demos/cademo.sh | 10 ++---
demos/certdemo.sh | 42 +++++++++++++++------
demos/cmsdemo.sh | 2 +-
demos/sm2/CMakeLists.txt | 8 ++++
demos/sm2/sm2keyparse.c | 80 ++++++++++++++++++++++++++++++++++++++++
demos/tlcp_client.sh | 10 -----
demos/tlcp_server.sh | 22 -----------
demos/tlcpdemo.sh | 36 ++++++++++++++++++
demos/tls12.sh | 15 --------
demos/tls12_client.sh | 10 -----
demos/tls12_server.sh | 16 --------
demos/tls12demo.sh | 30 +++++++++++++++
demos/tls13demo.sh | 30 +++++++++++++++
src/asn1.c | 6 +--
src/tls12.c | 12 +++---
15 files changed, 229 insertions(+), 100 deletions(-)
create mode 100644 demos/sm2/CMakeLists.txt
create mode 100644 demos/sm2/sm2keyparse.c
delete mode 100755 demos/tlcp_client.sh
delete mode 100755 demos/tlcp_server.sh
create mode 100755 demos/tlcpdemo.sh
delete mode 100755 demos/tls12.sh
delete mode 100755 demos/tls12_client.sh
delete mode 100755 demos/tls12_server.sh
create mode 100755 demos/tls12demo.sh
create mode 100755 demos/tls13demo.sh
diff --git a/demos/cademo.sh b/demos/cademo.sh
index f3dae83d..6ccd5db3 100755
--- a/demos/cademo.sh
+++ b/demos/cademo.sh
@@ -10,13 +10,13 @@ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem gmssl certparse -in cacert.pem +gmssl sm2keygen -pass 1234 -out signkey.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem +gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem +gmssl certparse -in signcert.pem + gmssl sm2keygen -pass 1234 -out enckey.pem gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem gmssl certparse -in enccert.pem -cat enccert.pem > certs.pem -cat cacert.pem >> certs.pem - -#sudo gmssl tlcp_server -cert cert.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 # -cacert cacert.pem - diff --git a/demos/certdemo.sh b/demos/certdemo.sh index 4ea3f849..2c8337b3 100755 --- a/demos/certdemo.sh +++ b/demos/certdemo.sh 
@@ -1,14 +1,34 @@ -#!/bin/bash -x - -# generate sm2 keypair and encrypt with password -gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem - -# generate a self-signed certificate -gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key sm2.pem -pass 1234 \ - -key_usage "digitalSignature" -key_usage "keyCertSign" -key_usage cRLSign \ - -out cert.pem - -gmssl certparse -in cert.pem +#!/bin/bash +gmssl sm2keygen -pass 1234 -out rootcakey.pem +gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign +gmssl certparse -in rootcacert.pem + +gmssl sm2keygen -pass 1234 -out cakey.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem +gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem +gmssl certparse -in cacert.pem + +gmssl sm2keygen -pass 1234 -out signkey.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem +gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem +gmssl certparse -in signcert.pem + +gmssl sm2keygen -pass 1234 -out enckey.pem +gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem +gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem +gmssl certparse -in enccert.pem + + +cat signcert.pem > certs.pem +cat cacert.pem >> certs.pem +gmssl certverify -in certs.pem -cacert rootcacert.pem + + +cat signcert.pem > dbl_certs.pem +cat enccert.pem >> dbl_certs.pem +cat cacert.pem >> dbl_certs.pem +gmssl certverify -double_certs -in dbl_certs.pem -cacert 
rootcacert.pem + diff --git a/demos/cmsdemo.sh b/demos/cmsdemo.sh index e4ec19e8..e37c9340 100755 --- a/demos/cmsdemo.sh +++ b/demos/cmsdemo.sh @@ -2,7 +2,7 @@ gmssl sm2keygen -pass 1234 -out key.pem -pubout keypub.pem -gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -days 365 -key key.pem -pass 1234 -out cert.pem +gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Alice -key_usage dataEncipherment -days 365 -key key.pem -pass 1234 -out cert.pem echo "The plaintext message." > plain.txt diff --git a/demos/sm2/CMakeLists.txt b/demos/sm2/CMakeLists.txt new file mode 100644 index 00000000..a294502d --- /dev/null +++ b/demos/sm2/CMakeLists.txt @@ -0,0 +1,8 @@ +cmake_minimum_required(VERSION 3.0) +project(sm2demo) + +include_directories(/usr/local/include) +link_directories(/usr/local/lib) + +add_executable(sm2keyparse sm2keyparse.c) +target_link_libraries(sm2keyparse gmssl) diff --git a/demos/sm2/sm2keyparse.c b/demos/sm2/sm2keyparse.c new file mode 100644 index 00000000..1c345221 --- /dev/null +++ b/demos/sm2/sm2keyparse.c 
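Review bot: The rewritten demos/certdemo.sh drops `-x` from the shebang and has no error handling, so a failed `certgen` or `reqsign` step does not stop the script, and the two closing `gmssl certverify` calls can then run against `signcert.pem` or `cacert.pem` files left by an earlier run and still report success. Adding `set -e` directly under `#!/bin/bash` makes the first failing step abort the demo. The new tlcpdemo.sh, tls12demo.sh and tls13demo.sh repeat the same key and certificate steps under `#!/bin/bash -x`, which traces but does not stop on errors, so the same line belongs there. A top-of-file comment such as `# demo only: -pass 1234 and the generated *key.pem files are throwaway` would keep readers from reusing the commands unchanged.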
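Review bot: demos/sm2/CMakeLists.txt hard-codes `/usr/local/include` and `/usr/local/lib` through the directory-wide `include_directories()` and `link_directories()`, so the demo links whichever `gmssl` library happens to sit on that path and fails to build for any other install prefix. Resolving the library explicitly, for example `find_library(GMSSL_LIB gmssl)` followed by `target_link_libraries(sm2keyparse ${GMSSL_LIB})`, and scoping the headers with `target_include_directories(sm2keyparse PRIVATE ...)`, keeps the choice visible and overridable.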
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2014 - 2021 The GmSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the GmSSL Project.
+ * (http://gmssl.org/)"
+ *
+ * 4. The name "GmSSL Project" must not be used to endorse or promote
+ * products derived from this software without prior written
+ * permission. For written permission, please contact
+ * guanzhi1980@gmail.com.
+ *
+ * 5. Products derived from this software may not be called "GmSSL"
+ * nor may "GmSSL" appear in their names without prior written
+ * permission of the GmSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the GmSSL Project
+ * (http://gmssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE GmSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE GmSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include
+#include
+#include
+#include
+
+
+int main(int argc, char **argv)
+{
+ uint8_t buf[4096];
+ ssize_t len;
+ uint8_t dgst[32];
+ int i;
+
+
+ for (i = 0; i < sizeof(dgst); i++) {
+ printf("%02x", dgst[i]);
+ }
+ printf("\n");
+ return 0;
+}
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/demos/tlcp_client.sh b/demos/tlcp_client.sh
deleted file mode 100755
index 31088861..00000000
--- a/demos/tlcp_client.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-
-# 当服务器发送CertificateRequest而Client又没有用证书、密钥时,会SegFault
-
-
-#../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-../build/bin/tlcp_client -host 127.0.0.1 -cacert cacert.pem # -cert cert.pem -key key.pem -pass 123456
-
-
diff --git a/demos/tlcp_server.sh b/demos/tlcp_server.sh
deleted file mode 100755
index 171a792d..00000000
--- a/demos/tlcp_server.sh
+++ /dev/null
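Review bot: `main` in the new demos/sm2/sm2keyparse.c prints all 32 bytes of `dgst` without ever writing to it, so the program reads uninitialized stack memory and outputs whatever was left there; nothing in the file parses an SM2 key despite its name. Until the parsing code is added, initialise the buffer with `uint8_t dgst[32] = {0};` and declare the index as `size_t i;` so that `i < sizeof(dgst)` is not a signed/unsigned comparison. `buf`, `len`, `argc` and `argv` are unused and the file ends in a dozen blank lines; a one-line comment above `main` stating what the demo is meant to show would help. The header names after the four `#include` directives are not visible on this page, so whether `ssize_t` and `uint8_t` are declared cannot be checked here.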
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-
-gmssl sm2keygen -pass 1234 -out cakey.pem
-gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN CA -days 365 -key cakey.pem -pass 1234 -out cacert.pem -key_usage keyCertSign -key_usage cRLSign
-gmssl certparse -in cacert.pem
-
-gmssl sm2keygen -pass 1234 -out signkey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
-gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
-gmssl certparse -in signcert.pem
-
-gmssl sm2keygen -pass 1234 -out enckey.pem
-gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
-gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
-gmssl certparse -in enccert.pem
-
-cat signcert.pem > cert.pem
-cat enccert.pem >> cert.pem
-
-sudo gmssl tlcp_server -cert cert.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 # -cacert cacert.pem
-
diff --git a/demos/tlcpdemo.sh b/demos/tlcpdemo.sh
new file mode 100755
index 00000000..7e53ca86
--- /dev/null
+++ b/demos/tlcpdemo.sh
@@ -0,0 +1,36 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+gmssl sm2keygen -pass 1234 -out enckey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
+gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
+gmssl certparse -in enccert.pem
+
+cat signcert.pem > double_certs.pem
+cat enccert.pem >> double_certs.pem
+cat cacert.pem >> double_certs.pem
+
+sudo gmssl tlcp_server -port 443 -cert double_certs.pem -key signkey.pem -pass 1234 -ex_key enckey.pem -ex_pass 1234 -cacert cacert.pem 1>/dev/null 2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tlcp_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
diff --git a/demos/tls12.sh b/demos/tls12.sh
deleted file mode 100755
index 4cf1e78a..00000000
--- a/demos/tls12.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash -x
-
-
-# server-authentication only
-../build/bin/tls12_server -cert cert.pem -key key.pem -pass 123456 1>/dev/null 2>/dev/null &
-sleep 3
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem
-
-
-# mutual authentication, i.e. client certificate requested
-../build/bin/tls12_server -cert cert.pem -key key.pem -pass 123456 -cacert cacert.pem 1>/dev/null 2>/dev/null &
-sleep 3
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-
-
diff --git a/demos/tls12_client.sh b/demos/tls12_client.sh
deleted file mode 100755
index ab013397..00000000
--- a/demos/tls12_client.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-
-# 当服务器发送CertificateRequest而Client又没有用证书、密钥时,会SegFault
-
-
-#../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem -cert cert.pem -key key.pem -pass 123456
-../build/bin/tls12_client -host 127.0.0.1 -cacert cacert.pem # -cert cert.pem -key key.pem -pass 123456
-
-
diff --git a/demos/tls12_server.sh b/demos/tls12_server.sh
deleted file mode 100755
index 78fc2cb2..00000000
--- a/demos/tls12_server.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-
-# 现在的错误是服务器想要让客户端发送证书,但是客户端没有发证书
-# 如果要求客户端发送证书,那么服务器必须准备相应的CA证书
-# 客户端的证书和CA证书有什么区别吗?可能没有区别,但是还应该生成一个
-# 客户端的名字是什么呢?
-#
-# 服务器的证书需要设定服务器名字,也就是127.0.0.1或者localhost
-# 这个名字和SNI是有关系的
-
-# 客户端的名字可以任意定了,而且客户端的CA可以有所不同吧
-
-
-../build/bin/tls12_server -cert cert.pem -key key.pem -pass 123456 #-cacert cacert.pem
-
diff --git a/demos/tls12demo.sh b/demos/tls12demo.sh
new file mode 100755
index 00000000..676fb4a4
--- /dev/null
+++ b/demos/tls12demo.sh
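Review bot: The `sudo gmssl tlcp_server -port 443 ... 1>/dev/null 2>/dev/null &` line in demos/tlcpdemo.sh starts a root-owned listener in the background and the script never stops it, so after the demo a server loaded with `signkey.pem` and `enckey.pem` keeps accepting connections on port 443 and a second run cannot bind the port. Record the process and stop it on exit, for example `server_pid=$!` right after the launch and `trap 'sudo kill "$server_pid"' EXIT` before it, and send the server's stderr to a log file rather than `/dev/null` so a failed handshake can be diagnosed. `sleep 3` is only a guess at start-up time, which a short comment should say. tls12demo.sh and tls13demo.sh launch `tls12_server` and `tls13_server` the same way and need the same change.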
@@ -0,0 +1,30 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+cat signcert.pem > certs.pem
+cat cacert.pem >> certs.pem
+
+sudo gmssl tls12_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -cacert cacert.pem 1>/dev/null 2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tls12_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
diff --git a/demos/tls13demo.sh b/demos/tls13demo.sh
new file mode 100755
index 00000000..d36c9582
--- /dev/null
+++ b/demos/tls13demo.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -x
+
+
+gmssl sm2keygen -pass 1234 -out rootcakey.pem
+gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
+gmssl certparse -in rootcacert.pem
+
+gmssl sm2keygen -pass 1234 -out cakey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
+gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
+gmssl certparse -in cacert.pem
+
+gmssl sm2keygen -pass 1234 -out signkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
+gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
+gmssl certparse -in signcert.pem
+
+cat signcert.pem > certs.pem
+cat cacert.pem >> certs.pem
+
+sudo gmssl tls13_server -port 443 -cert certs.pem -key signkey.pem -pass 1234 -cacert cacert.pem 1>/dev/null 2>/dev/null &
+sleep 3
+
+gmssl sm2keygen -pass 1234 -out clientkey.pem
+gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN Client -days 365 -key clientkey.pem -pass 1234 -out clientreq.pem
+gmssl reqsign -in clientreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out clientcert.pem
+gmssl certparse -in clientcert.pem
+
+gmssl tls13_client -host 127.0.0.1 -cacert rootcacert.pem -cert clientcert.pem -key clientkey.pem -pass 1234
+
diff --git a/src/asn1.c b/src/asn1.c
index ead4c6a6..d0a5d99f 100644
--- a/src/asn1.c
+++ b/src/asn1.c
@@ -454,13 +454,13 @@ int asn1_integer_to_der_ex(int tag, const uint8_t *a, size_t alen, uint8_t **out return -1; } + if (!a) { + return 0; + } if (alen <= 0 || alen > INT_MAX) { error_print(); return -1; } - if (!a) { - return 0; - } if (out && *out) *(*out)++ = tag; diff --git a/src/tls12.c b/src/tls12.c index 2f768180..18cb8653 100644 --- a/src/tls12.c +++ b/src/tls12.c @@ -295,15 +295,13 @@ int tls12_do_connect(TLS_CONNECT *conn) int signature_algors[] = { TLS_sig_sm2sig_sm3 }; size_t signature_algors_cnt = 1; + + p = client_exts; client_exts_len = 0; - /* - tls_exts_add_ec_point_formats(client_exts, &client_exts_len, sizeof(client_exts), ec_point_formats, ec_point_formats_cnt); - tls_exts_add_supported_groups(client_exts, &client_exts_len, sizeof(client_exts), supported_groups, supported_groups_cnt); - tls_exts_add_signature_algors(client_exts, &client_exts_len, sizeof(client_exts), signature_algors, signature_algors_cnt); - */ - - + tls_ec_point_formats_ext_to_bytes(ec_point_formats, ec_point_formats_cnt, &p, &client_exts_len); + tls_supported_groups_ext_to_bytes(supported_groups, supported_groups_cnt, &p, &client_exts_len); + tls_signature_algorithms_ext_to_bytes(signature_algors, signature_algors_cnt, &p, &client_exts_len); if (tls_record_set_handshake_client_hello(record, &recordlen, conn->protocol, client_random, NULL, 0,
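Review bot: With `if (!a) { return 0; }` moved ahead of the length check in asn1_integer_to_der_ex, a NULL `a` paired with a non-zero `alen` is now reported as absent (0) instead of as a caller error, which can hide a bug where the length was set but the pointer was lost. Keeping the optional case explicit, `if (!a) { if (alen) { error_print(); return -1; } return 0; }`, still accepts NULL with length 0 while rejecting the inconsistent pair. A comment such as `/* a == NULL: optional INTEGER absent, nothing is written, return 0 */` would document the contract, and since `alen` is a `size_t` the test `alen <= 0` can only mean `alen == 0`. The function begins and ends outside this hunk, so how callers treat the 0 return is not visible here.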
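Review bot: The three new `tls_*_ext_to_bytes(..., &p, &client_exts_len)` calls in tls12_do_connect discard their return values and, unlike the removed commented-out `tls_exts_add_*` calls, take no `sizeof(client_exts)` argument, so nothing at this call site bounds what is written through `p` or stops the ClientHello from being built after a failed encode. Check each call, for example `if (tls_ec_point_formats_ext_to_bytes(ec_point_formats, ec_point_formats_cnt, &p, &client_exts_len) != 1) { error_print(); return -1; }`, assuming these helpers follow a 1-on-success convention and that this function fails with `return -1`, neither of which is visible in the hunk. The declaration of `client_exts` is also outside the hunk, so a comment next to `p = client_exts;` stating the worst-case encoded size of the three fixed lists against the buffer size would make the bound reviewable. The two empty added lines before `p = client_exts;` can be dropped.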