GmSSL 支持国密SM2/SM3/SM4/SM9/SSL 密码工具箱 · Spring Boot 技术栈

GmSSL 国密SM2/SM3/SM4/SM9/SSL密码工具箱 GmSSL是由北京大学自主开发的国产商用密码开源库，实现了对国密算法、标准和安全通信协议的全面功能覆盖，支持包括移动端在内的主流操作系统和处理器，支持密码钥匙、密码卡等典型国产密码硬件，提供功能丰富的命令行工具及多种编译语言编程接口。 ## 主要特性 * 超轻量：GmSSL 3 大幅度降低了内存需求和二进制代码体积，不依赖动态内存，可以用于无操作系统的低功耗嵌入式环境(MCU、SOC等)，开发者也可以更容易地将国密算法和SSL协议嵌入到现有的项目中。 * 更合规：GmSSL 3 可以配置为仅包含国密算法和国密协议(TLCP协议)，依赖GmSSL 的密码应用更容易满足密码产品型号检测的要求，避免由于混杂非国密算法、不安全算法等导致的安全问题和合规问题。 * 更安全：TLS 1.3在安全性和通信延迟上相对之前的TLS协议有巨大的提升，GmSSL 3 支持TLS 1.3协议和RFC 8998的国密套件。GmSSL 3 默认支持密钥的加密保护，提升了密码算法的抗侧信道攻击能力。 * 跨平台：GmSSL 3 更容易跨平台，构建系统不再依赖Perl，默认的CMake构建系统可以容易地和Visual Studio、Android NDK等默认编译工具配合使用，开发者也可以手工编写Makefile在特殊环境中编译、剪裁。 ## 编译与安装 > GmSSL-3.1.1 发布版本包含二进制包，其中包括头文件、动态库和`gmssl`命令行工具。这里使用Linux X64 自解压安装包。下载 ``` wget https://github.com/guanzhi/GmSSL/archive/refs/tags/v3.1.1.zip unzip v3.1.1.zip ``` 编译与安装 ``` cd GmSSL-3.1.1/ mkdir build cd build/ sudo cmake .. ``` cmake 执行结果 ``` sudo cmake .. -- The C compiler identification is GNU 7.5.0 -- Check for working C compiler: /usr/bin/cc -- Check for working C compiler: /usr/bin/cc -- works -- Detecting C compiler ABI info -- Detecting C compiler ABI info - done -- Detecting C compile features -- Detecting C compile features - done -- Looking for getentropy -- Looking for getentropy - found -- have getentropy -- Configuring done -- Generating done -- Build files have been written to: /home/www/build/GmSSL-3.1.1/build ``` 编译 ``` make ``` ![](https://img.kancloud.cn/a8/0f/a80fefc0b60d1d78203e6dca1e6c71f3_687x506.png) 安装 ``` sudo make install ``` 执行gmssl时的错误 ``` sudo /usr/local/bin/gmssl /usr/local/bin/gmssl: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory ``` 这时候要编辑`/etc/ld.so.conf`文件，添加一行： ``` /usr/local/lib ``` 然后执行命令： ``` ldconfig ``` 在命令行中输入 `gmssl version` ``` sudo /usr/local/bin/gmssl version GmSSL 3.1.1 ``` 当你看到`GmSSL 3.1.1`的时候，说明gmssl安装成功了。赋予当前用户执行权限 ``` sudo chown www:www /usr/local/bin/ ``` ## 基础命令 ``` gmssl --help gmssl: illegal option '--help' usage: gmssl command [options] command -help Commands: help Print this help message version Print version rand Generate random bytes sm2keygen Generate SM2 keypair sm2sign Generate SM2 signature sm2verify Verify SM2 signature sm2encrypt Encrypt with SM2 public key sm2decrypt Decrypt with SM2 private key sm3 Generate SM3 hash sm3hmac Generate SM3 HMAC tag sm4 Encrypt or decrypt with SM4 zuc Encrypt or decrypt with ZUC sm9setup Generate SM9 master secret sm9keygen Generate SM9 private key sm9sign Generate SM9 signature sm9verify Verify SM9 signature sm9encrypt SM9 public key encryption sm9decrypt SM9 decryption pbkdf2 Generate key from password reqgen Generate certificate signing request (CSR) reqsign Generate certificate from CSR reqparse Parse and print a CSR crlget Download the CRL of given certificate crlgen Sign a CRL with CA certificate and private key crlverify Verify a CRL with issuer's certificate crlparse Parse and print CRL certgen Generate a self-signed certificate certparse Parse and print certificates certverify Verify certificate chain certrevoke Revoke certificate and output RevokedCertificate record cmsparse Parse CMS (cryptographic message syntax) file cmsencrypt Generate CMS EnvelopedData cmsdecrypt Decrypt CMS EnvelopedData cmssign Generate CMS SignedData cmsverify Verify CMS SignedData sdfutil SDF crypto device utility skfutil SKF crypto device utility tlcp_client TLCP client tlcp_server TLCP server tls12_client TLS 1.2 client tls12_server TLS 1.2 server tls13_client TLS 1.3 client tls13_server TLS 1.3 server ``` ### SM4加密解密 ```sh $ KEY=11223344556677881122334455667788 $ IV=11223344556677881122334455667788 ``` 加密 ```sh echo Hello Tinywan | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc // 加密内容 more sm4.cbc $×񓮨ʩ#򴮙 ``` 解密 ```sh gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc Hello Tinywan ``` ### SM3摘要 ``` echo -n “开源技术小栈” | gmssl sm3 3b944faa488763d08967e7999aa565f8035277f9b017adc8fe209e81de698465 ``` 生成公钥和私钥 ``` gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem ``` 私钥 ```sh cat sm2.pem -----BEGIN ENCRYPTED PRIVATE KEY----- MIIBBjBhBgkqhkiG9w0BBQ0wVDA0BgkqhkiG9w0BBQwwJwQQD7UeQ0Nd0c8HjwJC BwrZDAIDAQAAAgEQMAsGCSqBHM9VAYMRAjAcBggqgRzPVQFoAgQQJXNNiqfAxKIx y4Ze0KxunASBoHsXGe2jtW6N1DkBROWr/QAY9r6zRlZ4JTphVjdy5MzRJo1Wa6pc +AxPKqouSi5kfayp0nKvJijIZY2e67J3hF327g+xGHj9+keSfTZS1sJfN2c/i1CM Zcg2IKes5/T3Zk6DRZKcGIwuuUo3cVYcw+oT3lE5onnSBYT0DXdrRpfGzM8yB3Qb yfEcSLm+f22Xzx05AzyiMKWQHSk7n+aH50o= -----END ENCRYPTED PRIVATE KEY----- ``` 公钥 ``` cat sm2pub.pem -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7DOZdFLay3eY7/H8J1CECQ5s2Z8o 4flOpF1HdPjUh4mPGigJzuOp/PzrrEMTuu9cISHqMmHn6XQDP6B6cy56Rg== ``` 公钥加密 ``` echo -n "Tinywan 开源技术小栈" | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678 7b2f0eb9ce8bf75a799bccff590f38178fbe8d14ff56a2ab001ce382b05cfcf0 ``` ### SM2签名及验签 ``` $ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem $ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678 $ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678 $ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der $ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der ``` ### SM2加密及解密 ``` $ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem $ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der $ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der ``` ### 生成SM2根证书rootcakey.pem及CA证书cakey.pem ``` $ gmssl sm2keygen -pass 1234 -out rootcakey.pem $ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign $ gmssl certparse -in rootcacert.pem $ gmssl sm2keygen -pass 1234 -out cakey.pem $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem $ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem ``` ### 使用CA证书签发签名证书和加密证书 ``` $ gmssl sm2keygen -pass 1234 -out signkey.pem $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem $ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem $ gmssl sm2keygen -pass 1234 -out enckey.pem $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem $ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem ``` ### 将签名证书和ca证书合并为服务端证书certs.pem，并验证 ``` $ cat signcert.pem > certs.pem $ cat cacert.pem >> certs.pem $ gmssl certverify -in certs.pem -cacert rootcacert.pem ``` ### 查看证书内容 ``` $ gmssl certparse -in cacert.pem ``` 官方文档：[http://gmssl.org/docs/quickstart.html](https://cloud.tencent.com/developer/tools/blog-entry?target=http%3A%2F%2Fgmssl.org%2Fdocs%2Fquickstart.html&source=article&objectId=2421530)