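Testing SM2 (signing/verification, encryption/decryption, certificate generation and verification), SM3 (hashing) and SM4 (encryption/decryption) with GmSSL
GmSSL is an open-source cryptographic toolkit and library that implements the Chinese commercial cryptographic algorithms, including SM2, SM3 and SM4, as well as internationally used algorithms such as RSA, AES, DES and SHA. GmSSL aims to provide a cryptographic solution that conforms to Chinese national standards, for scenarios that require the Chinese national algorithms.
Quick start: "Quick Start (gmssl.org)"; project documentation: "Project Documentation (gmssl.org)".
1 Download GmSSL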
git clone https://github.com/guanzhi/GmSSL.git -b v3.1.1
2 Build and install GmSSL
mkdir build
cd build
cmake ..
make
make test
sudo make install
3 Using GmSSL
3.1 SM4 encryption and decryption
Usage of gmssl sm4:
usage: sm4 (-cbc|-ctr|-gcm|-cbc_sm3_hmac|-ctr_sm3_hmac) {-encrypt|-decrypt} -key hex -iv hex [-aad str| -aad_hex hex] [-in file] [-out file]
Options
  Modes
    -cbc                CBC mode with padding, need 16-byte key and 16-byte iv
    -ctr                CTR mode, need 16-byte key and 16-byte iv
    -gcm                GCM mode, need 16-byte key and any iv length
    -cbc_sm3_hmac       CBC mode with padding and HMAC-SM3 (encrypt-then-mac), need 48-byte key and 16-byte iv
    -ctr_sm3_hmac       CTR mode with HMAC-SM3 (entrypt-then-mac), need 48-byte key and 16-byte iv
    -encrypt            Encrypt
    -decrypt            Decrypt
    -key hex            Symmetric key in HEX format
    -iv hex             IV in HEX format
    -aad str            Authenticated-only message
    -aad_hex hex        Authenticated-only data in HEX format
    -in file | stdin    Input data
    -out file | stdout  Output data
Encryption and decryption look like this:
KEY=11223344556677881122334455667788
IV=11223344556677881122334455667788
echo hello | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
echo hello | gmssl sm4 -ctr -encrypt -key $KEY -iv $IV -out sm4.ctr
gmssl sm4 -ctr -decrypt -key $KEY -iv $IV -in sm4.ctr
3.2 SM3 hashing
Usage of sm3:
usage: sm3 [-hex|-bin] [-pubkey pem [-id str]] [-in file] [-out file]
sm3 examples:
echo -n abc | gmssl sm3
gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
echo -n abc | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
Usage of sm3hmac:
usage: sm3hmac -key hex [-in file] [-bin|-hex] [-out file]
sm3hmac example:
echo -n abc | gmssl sm3hmac -key 11223344556677881122334455667788
3.3 SM2 signing/verification and encryption/decryption
3.3.1 SM2 signing/verification
sm2keygen generates an SM2 key pair:
usage: sm2keygen -pass str [-out pem] [-pubout pem]
Example:
gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
sm2sign signs and sm2verify verifies the signature:
usage: sm2sign -key pem -pass str [-id str] [-in file] [-out file]
usage: sm2verify (-pubkey pem | -cert pem) [-id str] [-in file] -sig file
Example:
echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
3.3.2 SM2 encryption/decryption
Usage of sm2encrypt/sm2decrypt:
usage: sm2encrypt (-pubkey pem | -cert pem) [-in file] [-out file]
usage: sm2decrypt -key pem -pass str [-in file] [-out file]
Example:
echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
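3.4 SM2 certificates, and certificate-based signing and verification
3.4.1 Generating the Root CA certificate and the CA certificate with SM2
reqgen: generates a CSR file, used to make a certificate request.
reqsign: generates a certificate from a CSR file.
reqparse: parses a CSR file and displays its content.
certgen: generates a self-signed certificate.
certparse: parses a certificate and displays its details.
certverify: verifies a certificate chain.
Generate the self-signed root certificate:
gmssl sm2keygen -pass 1234 -out rootcakey.pem
gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.cer -key_usage keyCertSign -key_usage cRLSign
gmssl certparse -in rootcacert.cer
The output is as follows: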
Certificate
    tbsCertificate
        version: v3 (2)
        serialNumber: BEB231D09D74E8869C778ECC
        signature
            algorithm: sm2sign-with-sm3
        issuer
            countryName: CN
            stateOrProvinceName: Beijing
            localityName: Haidian
            organizationName: PKU
            organizationalUnitName: CS
            commonName: ROOTCA
        validity
            notBefore: Wed Sep 18 16:59:38 2024
            notAfter: Sat Sep 16 16:59:38 2034
        subject
            countryName: CN
            stateOrProvinceName: Beijing
            localityName: Haidian
            organizationName: PKU
            organizationalUnitName: CS
            commonName: ROOTCA
        subjectPulbicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 04F9EF341D8FAF4CF342FD6C14544C522D9554AECE63E72BC04BC3180603FA815E3186DA769994AFA32CF3DBF5EF463035FC0A18F59C0EFCE13DABC2A7313CC17B
        extensions
            Extension
                extnID: KeyUsage (2.5.29.15)
                critical: true
                KeyUsage: keyCertSign,cRLSign
    signatureAlgorithm
        algorithm: sm2sign-with-sm3
    signatureValue: 3045022100AABA9E22F908CB95C5302C632FF978855A11CF28088C38A5A7750130610913D702202D993F5B1A38130E2F1FF07BF06CE4C08A414E3D402DCCA974258BC8FFB16B6B
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Then use the root certificate to issue a certificate:
gmssl sm2keygen -pass 1234 -out cakey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -key cakey.pem -pass 1234 -out careq.csr
gmssl reqsign -in careq.csr -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.cer -key rootcakey.pem -pass 1234 -out cacert.cer
gmssl certparse -in cacert.cer
The certificate content is as follows:
Certificate
    tbsCertificate
        version: v3 (2)
        serialNumber: BE64F1B90EF4B544E416D218
        signature
            algorithm: sm2sign-with-sm3
        issuer
            countryName: CN
            stateOrProvinceName: Beijing
            localityName: Haidian
            organizationName: PKU
            organizationalUnitName: CS
            commonName: ROOTCA
        validity
            notBefore: Wed Sep 18 17:00:09 2024
            notAfter: Thu Sep 18 17:00:09 2025
        subject
            countryName: CN
            stateOrProvinceName: Beijing
            localityName: Haidian
            organizationName: PKU
            organizationalUnitName: CS
            commonName: Sub CA
        subjectPulbicKeyInfo
            algorithm
                algorithm: ecPublicKey
                namedCurve: sm2p256v1
            subjectPublicKey
                ECPoint: 045E534E74F174240F95B7EA0E782063AF318B1DD5F9AFE727E17D26A46CA596B7531F219F6EBAA13AB4A28EAC3D607F9AB0F3236EE462965A8B29202ACF4FFBA3
        extensions
            Extension
                extnID: KeyUsage (2.5.29.15)
                critical: true
                KeyUsage: keyCertSign
            Extension
                extnID: BasicConstraints (2.5.29.19)
                critical: true
                BasicConstraints
                    pathLenConstraint: 0
    signatureAlgorithm
        algorithm: sm2sign-with-sm3
    signatureValue: 30450220508EAE359C9A807DEFB989FDEEA87D0B0F3D2A68D8D779EAB44C61B2D93C8B49022100A99151DDBEC43779282432F0D7218585161F05345AF607E838BF7E00BB6A0BFC
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
3.4.2 Issuing a signing certificate and an encryption certificate with the CA certificate
gmssl sm2keygen -pass 1234 -out signkey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key signkey.pem -pass 1234 -out signreq.csr
gmssl reqsign -in signreq.csr -days 365 -key_usage digitalSignature -cacert cacert.cer -key cakey.pem -pass 1234 -out signcert.cer
gmssl sm2keygen -pass 1234 -out enckey.pem
gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key enckey.pem -pass 1234 -out encreq.csr
gmssl reqsign -in encreq.csr -days 365 -key_usage keyEncipherment -cacert cacert.cer -key cakey.pem -pass 1234 -out enccert.cer
3.4.3 Concatenating the CA certificate and the signing certificate, and verifying with the Root CA certificate
cat signcert.cer > certs.cer
cat cacert.cer >> certs.cer
gmssl certverify -in certs.cer -cacert rootcacert.cer
The certificate chain verification output is shown below: localhost->Sub CA->ROOTCA.
Certificate
    serialNumber: 2DE0DC5434CC19E76A953183
    subject
        countryName: CN
        stateOrProvinceName: Beijing
        localityName: Haidian
        organizationName: PKU
        organizationalUnitName: CS
        commonName: localhost
Verification success
Signed by Certificate
    serialNumber: BE64F1B90EF4B544E416D218
    Certificate
        countryName: CN
        stateOrProvinceName: Beijing
        localityName: Haidian
        organizationName: PKU
        organizationalUnitName: CS
        commonName: Sub CA
Verification success
Signed by Certificate
    serialNumber: BEB231D09D74E8869C778ECC
    subject
        countryName: CN
        stateOrProvinceName: Beijing
        localityName: Haidian
        organizationName: PKU
        organizationalUnitName: CS
        commonName: ROOTCA
Contact: arnoldlu@qq.com