# GmSSL: a cryptographic toolkit for the Chinese national algorithms SM2/SM3/SM4/SM9 and SSL

GmSSL is an open-source library of Chinese commercial cryptography developed at Peking University. It provides full coverage of the national (SM) algorithms, standards and secure communication protocols, supports mainstream operating systems and processors including mobile platforms, supports typical domestic cryptographic hardware such as cryptographic keys (tokens) and cryptographic cards, and offers a feature-rich command-line tool together with programming interfaces for several compiled languages.

## Main features

* Ultra-lightweight: GmSSL 3 greatly reduces memory requirements and binary size and does not depend on dynamic memory, so it can be used in low-power embedded environments without an operating system (MCU, SoC and so on). Developers can also embed the national algorithms and the SSL protocols into existing projects more easily.
* More compliant: GmSSL 3 can be configured to contain only the national algorithms and the national protocol (TLCP). Cryptographic applications that depend on GmSSL can more easily meet the requirements of cryptographic product type testing and avoid the security and compliance problems caused by mixing in non-national or insecure algorithms.
* More secure: TLS 1.3 is a large improvement over earlier TLS versions in both security and connection latency. GmSSL 3 supports TLS 1.3 and the national cipher suites of RFC 8998. GmSSL 3 supports encrypted protection of keys by default and improves the resistance of the algorithms to side-channel attacks.
* Cross-platform: GmSSL 3 is easier to port. The build system no longer depends on Perl, the default CMake build works with default toolchains such as Visual Studio and the Android NDK, and developers can also write a Makefile by hand to build and trim the library in special environments.

## Build and install

> The GmSSL-3.1.1 release includes binary packages that contain the header files, the shared library and the `gmssl` command-line tool. The Linux X64 self-extracting installer is used here.

Download

```
wget https://github.com/guanzhi/GmSSL/archive/refs/tags/v3.1.1.zip
unzip v3.1.1.zip
```

Configure the build

```
cd GmSSL-3.1.1/
mkdir build
cd build/
sudo cmake ..
```

Output of cmake

```
sudo cmake ..
-- The C compiler identification is GNU 7.5.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Looking for getentropy
-- Looking for getentropy - found
-- have getentropy
-- Configuring done
-- Generating done
-- Build files have been written to: /home/www/build/GmSSL-3.1.1/build
```

Compile

```
make
```

![](https://img.kancloud.cn/a8/0f/a80fefc0b60d1d78203e6dca1e6c71f3_687x506.png)

Install

```
sudo make install
```

Error when running gmssl

```
sudo /usr/local/bin/gmssl
/usr/local/bin/gmssl: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory
```

The dynamic loader does not search `/usr/local/lib` yet. Edit `/etc/ld.so.conf` and add one line:

```
/usr/local/lib
```

Then rebuild the loader cache:

```
sudo ldconfig
```

Run `gmssl version` on the command line:

```
sudo /usr/local/bin/gmssl version
GmSSL 3.1.1
```

When you see `GmSSL 3.1.1`, gmssl has been installed successfully.

Give the current user execute permission

```
sudo chown www:www /usr/local/bin/
```

Note that this command changes the owner of the whole `/usr/local/bin/` directory, so the `www` account can then add or replace any program in it, including programs that root runs from that path.

## Basic commands

```
gmssl --help
gmssl: illegal option '--help'
usage: gmssl command [options]
command -help

Commands:
  help            Print this help message
  version         Print version
  rand            Generate random bytes
  sm2keygen       Generate SM2 keypair
  sm2sign         Generate SM2 signature
  sm2verify       Verify SM2 signature
  sm2encrypt      Encrypt with SM2 public key
  sm2decrypt      Decrypt with SM2 private key
  sm3             Generate SM3 hash
  sm3hmac         Generate SM3 HMAC tag
  sm4             Encrypt or decrypt with SM4
  zuc             Encrypt or decrypt with ZUC
  sm9setup        Generate SM9 master secret
  sm9keygen       Generate SM9 private key
  sm9sign         Generate SM9 signature
  sm9verify       Verify SM9 signature
  sm9encrypt      SM9 public key encryption
  sm9decrypt      SM9 decryption
  pbkdf2          Generate key from password
  reqgen          Generate certificate signing request (CSR)
  reqsign         Generate certificate from CSR
  reqparse        Parse and print a CSR
  crlget          Download the CRL of given certificate
  crlgen          Sign a CRL with CA certificate and private key
  crlverify       Verify a CRL with issuer's certificate
  crlparse        Parse and print CRL
  certgen         Generate a self-signed certificate
  certparse       Parse and print certificates
  certverify      Verify certificate chain
  certrevoke      Revoke certificate and output RevokedCertificate record
  cmsparse        Parse CMS (cryptographic message syntax) file
  cmsencrypt      Generate CMS EnvelopedData
  cmsdecrypt      Decrypt CMS EnvelopedData
  cmssign         Generate CMS SignedData
  cmsverify       Verify CMS SignedData
  sdfutil         SDF crypto device utility
  skfutil         SKF crypto device utility
  tlcp_client     TLCP client
  tlcp_server     TLCP server
  tls12_client    TLS 1.2 client
  tls12_server    TLS 1.2 server
  tls13_client    TLS 1.3 client
  tls13_server    TLS 1.3 server
```

### SM4 encryption and decryption

```sh
$ KEY=11223344556677881122334455667788
$ IV=11223344556677881122334455667788
```

These are fixed sample values for the demonstration; the `rand` command listed above generates random bytes.

Encrypt

```sh
echo Hello Tinywan | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
# The encrypted content is raw binary and does not display as readable text
more sm4.cbc
```

Decrypt

```sh
gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
Hello Tinywan
```

### SM3 digest

```
echo -n “開源技術小棧” | gmssl sm3
3b944faa488763d08967e7999aa565f8035277f9b017adc8fe209e81de698465
```

Generate a public and private key

```
gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
```

Private key

```sh
cat sm2.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBBjBhBgkqhkiG9w0BBQ0wVDA0BgkqhkiG9w0BBQwwJwQQD7UeQ0Nd0c8HjwJC
BwrZDAIDAQAAAgEQMAsGCSqBHM9VAYMRAjAcBggqgRzPVQFoAgQQJXNNiqfAxKIx
y4Ze0KxunASBoHsXGe2jtW6N1DkBROWr/QAY9r6zRlZ4JTphVjdy5MzRJo1Wa6pc
+AxPKqouSi5kfayp0nKvJijIZY2e67J3hF327g+xGHj9+keSfTZS1sJfN2c/i1CM
Zcg2IKes5/T3Zk6DRZKcGIwuuUo3cVYcw+oT3lE5onnSBYT0DXdrRpfGzM8yB3Qb
yfEcSLm+f22Xzx05AzyiMKWQHSk7n+aH50o=
-----END ENCRYPTED PRIVATE KEY-----
```

Public key

```
cat sm2pub.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7DOZdFLay3eY7/H8J1CECQ5s2Z8o
4flOpF1HdPjUh4mPGigJzuOp/PzrrEMTuu9cISHqMmHn6XQDP6B6cy56Rg==
-----END PUBLIC KEY-----
```

Digest with the public key. The command below is `gmssl sm3` with the `-pubkey` and `-id` options, so its output is an SM3 digest computed over the message together with the SM2 public key and signer ID, not ciphertext; SM2 public-key encryption is `sm2encrypt`, shown further down.

```
echo -n "Tinywan 開源技術小棧" | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
7b2f0eb9ce8bf75a799bccff590f38178fbe8d14ff56a2ab001ce382b05cfcf0
```

### SM2 signing and verification

```
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
$ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
```

### SM2 encryption and decryption

```
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
```

### Generate the SM2 root CA (rootcakey.pem) and CA (cakey.pem) keys and certificates

```
$ gmssl sm2keygen -pass 1234 -out rootcakey.pem
$ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
$ gmssl certparse -in rootcacert.pem
$ gmssl sm2keygen -pass 1234 -out cakey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
$ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
```

### Issue a signing certificate and an encryption certificate with the CA certificate

```
$ gmssl sm2keygen -pass 1234 -out signkey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
$ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
$ gmssl sm2keygen -pass 1234 -out enckey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
$ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
```

### Combine the signing certificate and the CA certificate into the server certificate file certs.pem and verify it

```
$ cat signcert.pem > certs.pem
$ cat cacert.pem >> certs.pem
$ gmssl certverify -in certs.pem -cacert rootcacert.pem
```

### View the contents of a certificate

```
$ gmssl certparse -in cacert.pem
```

Official documentation: [http://gmssl.org/docs/quickstart.html](http://gmssl.org/docs/quickstart.html)
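
As an added example (not part of the original article or of the GmSSL project), the Python below walks the DER structure of the `sm2pub.pem` and `sm2.pem` files printed in the key generation step, showing that the public key is an EC key on the SM2 curve and which password-based scheme `-pass` used to wrap the private key. The function names and the OID name table are this example's own.

```python
import base64
# Names for the OIDs found in these two files (X9.62, PKCS #5, SM algorithm OIDs).
OID_NAMES = {
    "1.2.840.10045.2.1": "id-ecPublicKey", "1.2.156.10197.1.301": "SM2 curve",
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.156.10197.1.401.2": "HMAC-SM3", "1.2.156.10197.1.104.2": "SM4-CBC",
}
# Key files as printed on this page (sample keys, password 1234).
SM2_PUB = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7DOZdFLay3eY7/H8J1CECQ5s2Z8o
4flOpF1HdPjUh4mPGigJzuOp/PzrrEMTuu9cISHqMmHn6XQDP6B6cy56Rg=="""
SM2_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBBjBhBgkqhkiG9w0BBQ0wVDA0BgkqhkiG9w0BBQwwJwQQD7UeQ0Nd0c8HjwJC
BwrZDAIDAQAAAgEQMAsGCSqBHM9VAYMRAjAcBggqgRzPVQFoAgQQJXNNiqfAxKIx
y4Ze0KxunASBoHsXGe2jtW6N1DkBROWr/QAY9r6zRlZ4JTphVjdy5MzRJo1Wa6pc
+AxPKqouSi5kfayp0nKvJijIZY2e67J3hF327g+xGHj9+keSfTZS1sJfN2c/i1CM
Zcg2IKes5/T3Zk6DRZKcGIwuuUo3cVYcw+oT3lE5onnSBYT0DXdrRpfGzM8yB3Qb
yfEcSLm+f22Xzx05AzyiMKWQHSk7n+aH50o=
-----END ENCRYPTED PRIVATE KEY-----"""

def decode_oid(raw):  # DER OID content bytes -> name, or dotted string if unknown
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(val)
            val = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def walk(der, out):  # collect OIDs and INTEGERs, recursing into constructed types
    i = 0
    while i < len(der):
        tag, n = der[i], der[i + 1]
        i += 2
        if n & 0x80:              # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        val, i = der[i:i + n], i + n
        if tag & 0x20:
            walk(val, out)
        elif tag == 0x06:
            out["oids"].append(decode_oid(val))
        elif tag == 0x02:
            out["ints"].append(int.from_bytes(val, "big"))
    return out

def inspect_pem(pem):
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return walk(base64.b64decode(body), {"oids": [], "ints": []})
```

For the private key, the two integers returned are the PBKDF2 iteration count and the derived key length in bytes, so the key-wrapping parameters can be audited without knowing the password.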