• 构建用于签名/加密双证书测试体系的可执行命令

    注意事项

    • 生成证书请求的填写 范例
    • Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = ca, emailAddress = ca@gmssl.com 
    • 前面的步骤存在错误,后面改用脚本进行证书生成,阅读时请跳过前面错误的内容

    错误的内容 -> 开始

    CA

    • 生成私钥
      • openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out ca.key
    • 生成请求
      • openssl req -new -key ca.key -out ca.csr

    • 生成自签名证书
      • openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
    • 查看ca证书
      • openssl x509 -text -in ca.crt 
    1. chy-cpabe@ubuntu:~/double_certificate/ca$ openssl x509 -text -in ca.crt 
    2. Certificate:
    3.     Data:
    4.         Version: 1 (0x0)
    5.         Serial Number:
    6.             13:d6:69:ae:15:ee:3e:c0:73:aa:67:d5:23:08:d5:45:51:77:9e:ef
    7.         Signature Algorithm: ecdsa-with-SHA256
    8.         Issuer: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = ca, emailAddress = ca@gmssl.com
    9.         Validity
    10.             Not Before: Nov 28 05:55:02 2022 GMT
    11.             Not After : Nov 28 05:55:02 2023 GMT
    12.         Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = ca, emailAddress = ca@gmssl.com
    13.         Subject Public Key Info:
    14.             Public Key Algorithm: id-ecPublicKey
    15.                 Public-Key: (256 bit)
    16.                 pub:
    17.                     04:57:b3:c7:cd:72:ac:21:de:90:62:fd:9c:bf:06:
    18.                     42:68:5b:25:6c:ae:a6:e4:fb:1f:4a:95:27:b2:3a:
    19.                     1d:57:fd:e7:d4:4c:2b:c8:38:99:81:08:ec:77:f4:
    20.                     66:78:7f:17:e5:88:70:d7:aa:ac:f8:05:d1:22:da:
    21.                     18:43:7f:cf:12
    22.                 Field Type: prime-field
    23.                 Prime:
    24.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    25.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    26.                     ff:ff:ff
    27.                 A:   
    28.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    29.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    30.                     ff:ff:fc
    31.                 B:   
    32.                     28:e9:fa:9e:9d:9f:5e:34:4d:5a:9e:4b:cf:65:09:
    33.                     a7:f3:97:89:f5:15:ab:8f:92:dd:bc:bd:41:4d:94:
    34.                     0e:93
    35.                 Generator (uncompressed):
    36.                     04:32:c4:ae:2c:1f:19:81:19:5f:99:04:46:6a:39:
    37.                     c9:94:8f:e3:0b:bf:f2:66:0b:e1:71:5a:45:89:33:
    38.                     4c:74:c7:bc:37:36:a2:f4:f6:77:9c:59:bd:ce:e3:
    39.                     6b:69:21:53:d0:a9:87:7c:c6:2a:47:40:02:df:32:
    40.                     e5:21:39:f0:a0
    41.                 Order: 
    42.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    43.                     ff:ff:72:03:df:6b:21:c6:05:2b:53:bb:f4:09:39:
    44.                     d5:41:23
    45.                 Cofactor:  1 (0x1)
    46.     Signature Algorithm: ecdsa-with-SHA256
    47.          30:44:02:20:34:10:62:ec:8b:34:ec:1b:dd:4d:fc:d7:d3:67:
    48.          87:5b:1b:0b:5b:02:13:af:af:db:66:01:13:1a:d7:52:84:f3:
    49.          02:20:35:6a:44:e0:f5:6e:d9:4d:be:2b:88:db:a4:61:d8:f3:
    50.          45:38:40:8e:7f:65:93:7d:12:20:9b:66:0d:ec:61:87
    51. -----BEGIN CERTIFICATE-----
    52. MIICxDCCAmsCFBPWaa4V7j7Ac6pn1SMI1UVRd57vMAoGCCqGSM49BAMCMHcxCzAJ
    53. BgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQww
    54. CgYDVQQKDANNU0kxDDAKBgNVBAsMA21zaTELMAkGA1UEAwwCY2ExGzAZBgkqhkiG
    55. 9w0BCQEWDGNhQGdtc3NsLmNvbTAeFw0yMjExMjgwNTU1MDJaFw0yMzExMjgwNTU1
    56. MDJaMHcxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
    57. ZWlqaW5nMQwwCgYDVQQKDANNU0kxDDAKBgNVBAsMA21zaTELMAkGA1UEAwwCY2Ex
    58. GzAZBgkqhkiG9w0BCQEWDGNhQGdtc3NsLmNvbTCCATMwgewGByqGSM49AgEwgeAC
    59. AQEwLAYHKoZIzj0BAQIhAP7/AAAAAP//
    60. MEQEIP7/AAAAAP/8BCAo6fqenZ9eNE1a
    61. nkvPZQmn85eJ9RWrj5LdvL1BTZQOkwRBBDLEriwfGYEZX5kERmo5yZSP4wu/8mYL
    62. 4XFaRYkzTHTHvDc2ovT2d5xZvc7ja2khU9Cph3zGKkdAAt8y5SE58KACIQD+
    63. cgPfayHGBStTu/QJOdVBIwIBAQNCAARXs8fNcqwh3pBi/Zy/
    64. BkJoWyVsrqbk+x9KlSeyOh1X/efUTCvIOJmBCOx39GZ4fxfliHDXqqz4BdEi2hhD
    65. f88SMAoGCCqGSM49BAMCA0cAMEQCIDQQYuyLNOwb3U3819Nnh1sbC1sCE6+v22YB
    66. ExrXUoTzAiA1akTg9W7ZTb4riNukYdjzRThAjn9lk30SIJtmDexhhw==
    67. -----END CERTIFICATE-----

    前情提要

    •  s -> 服务端
    •  c -> 客户端
    •  s -> 签名
    •  e -> 加密
    • key -> 私钥
    • pem -> 证书(格式的一种,此格式使用较为普遍)

    服务端

    签名

    • 生成私钥
      •  openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out ss.key
    • 生成请求
      • openssl req -new -key ss.key -out ss.csr

    • 使用ca私钥进行签名,生成签名证书
    • openssl x509 -req -days 365 -in ss.csr -signkey ../ca/ca.key -out ss.crt
    1. chy-cpabe@ubuntu:~/double_certificate/first$ openssl x509 -text -in ss.crt 
    2. Certificate:
    3.     Data:
    4.         Version: 1 (0x0)
    5.         Serial Number:
    6.             59:9b:09:1b:a8:fc:b9:e7:a4:13:19:bb:15:bf:ea:40:dd:46:37:a5
    7.         Signature Algorithm: ecdsa-with-SHA256
    8.         Issuer: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = server_sign, emailAddress = server_sign@gmssl.com
    9.         Validity
    10.             Not Before: Nov 28 06:07:41 2022 GMT
    11.             Not After : Nov 28 06:07:41 2023 GMT
    12.         Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = server_sign, emailAddress = server_sign@gmssl.com
    13.         Subject Public Key Info:
    14.             Public Key Algorithm: id-ecPublicKey
    15.                 Public-Key: (256 bit)
    16.                 pub:
    17.                     04:57:b3:c7:cd:72:ac:21:de:90:62:fd:9c:bf:06:
    18.                     42:68:5b:25:6c:ae:a6:e4:fb:1f:4a:95:27:b2:3a:
    19.                     1d:57:fd:e7:d4:4c:2b:c8:38:99:81:08:ec:77:f4:
    20.                     66:78:7f:17:e5:88:70:d7:aa:ac:f8:05:d1:22:da:
    21.                     18:43:7f:cf:12
    22.                 Field Type: prime-field
    23.                 Prime:
    24.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    25.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    26.                     ff:ff:ff
    27.                 A:   
    28.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    29.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    30.                     ff:ff:fc
    31.                 B:   
    32.                     28:e9:fa:9e:9d:9f:5e:34:4d:5a:9e:4b:cf:65:09:
    33.                     a7:f3:97:89:f5:15:ab:8f:92:dd:bc:bd:41:4d:94:
    34.                     0e:93
    35.                 Generator (uncompressed):
    36.                     04:32:c4:ae:2c:1f:19:81:19:5f:99:04:46:6a:39:
    37.                     c9:94:8f:e3:0b:bf:f2:66:0b:e1:71:5a:45:89:33:
    38.                     4c:74:c7:bc:37:36:a2:f4:f6:77:9c:59:bd:ce:e3:
    39.                     6b:69:21:53:d0:a9:87:7c:c6:2a:47:40:02:df:32:
    40.                     e5:21:39:f0:a0
    41.                 Order: 
    42.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    43.                     ff:ff:72:03:df:6b:21:c6:05:2b:53:bb:f4:09:39:
    44.                     d5:41:23
    45.                 Cofactor:  1 (0x1)
    46.     Signature Algorithm: ecdsa-with-SHA256
    47.          30:46:02:21:00:aa:aa:9a:3b:8e:76:5a:00:58:e2:62:96:f0:
    48.          65:e4:31:3c:7f:16:54:99:31:e6:a1:25:53:9c:5c:03:eb:66:
    49.          cd:02:21:00:fe:ce:ba:f0:a6:ec:df:9e:7a:72:87:a1:ca:ae:
    50.          1f:7d:43:2c:a2:a7:e2:7e:0a:46:86:ca:81:e0:7c:17:c5:85
    51. -----BEGIN CERTIFICATE-----
    52. MIIC7DCCApECFFmbCRuo/LnnpBMZuxW/6kDdRjelMAoGCCqGSM49BAMCMIGJMQsw
    53. CQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEM
    54. MAoGA1UECgwDTVNJMQwwCgYDVQQLDANtc2kxFDASBgNVBAMMC3NlcnZlcl9zaWdu
    55. MSQwIgYJKoZIhvcNAQkBFhVzZXJ2ZXJfc2lnbkBnbXNzbC5jb20wHhcNMjIxMTI4
    56. MDYwNzQxWhcNMjMxMTI4MDYwNzQxWjCBiTELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
    57. B0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDDAKBgNVBAoMA01TSTEMMAoGA1UE
    58. CwwDbXNpMRQwEgYDVQQDDAtzZXJ2ZXJfc2lnbjEkMCIGCSqGSIb3DQEJARYVc2Vy
    59. dmVyX3NpZ25AZ21zc2wuY29tMIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjO
    60. PQEBAiEA/v8AAAAA//8wRAQg/v//
    61. //8AAAAA//wEICjp+p6dn140TVqeS89lCafzl4n1
    62. FauPkt28vUFNlA6TBEEEMsSuLB8ZgRlfmQRGajnJlI/jC7/yZgvhcVpFiTNMdMe8
    63. Nzai9PZ3nFm9zuNraSFT0KmHfMYqR0AC3zLlITnwoAIhAP7/
    64. //9yA99rIcYFK1O79Ak51UEjAgEBA0IABFezx81yrCHekGL9nL8GQmhbJWyupuT7
    65. H0qVJ7I6HVf959RMK8g4mYEI7Hf0Znh/F+WIcNeqrPgF0SLaGEN/zxIwCgYIKoZI
    66. zj0EAwIDSQAwRgIhAKqqmjuOdloAWOJilvBl5DE8fxZUmTHmoSVTnFwD62bNAiEA
    67. /s668Kbs3556coehyq4ffUMsoqfifgpGhsqB4HwXxYU=
    68. -----END CERTIFICATE-----

    加密

    • 生成私钥
      • openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out se.key
    • 生成请求
      • openssl req -new -key se.key -out se.csr

    • 使用ca私钥进行签名,生成加密证书
      • openssl x509 -req -days 365 -in se.csr -signkey ../ca/ca.key -out se.crt
    • 查看加密证书
      • openssl x509 -text -in se.crt 
    1. chy-cpabe@ubuntu:~/double_certificate/first$ openssl x509 -text -in se.crt
    2. Certificate:
    3.     Data:
    4.         Version: 1 (0x0)
    5.         Serial Number:
    6.             3c:86:77:a6:a6:08:c9:66:85:5a:01:73:aa:b4:f2:07:91:09:cc:dd
    7.         Signature Algorithm: ecdsa-with-SHA256
    8.         Issuer: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = server_encrypt, emailAddress = server_encrypt@gmssl.com
    9.         Validity
    10.             Not Before: Nov 28 06:23:08 2022 GMT
    11.             Not After : Nov 28 06:23:08 2023 GMT
    12.         Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = server_encrypt, emailAddress = server_encrypt@gmssl.com
    13.         Subject Public Key Info:
    14.             Public Key Algorithm: id-ecPublicKey
    15.                 Public-Key: (256 bit)
    16.                 pub:
    17.                     04:57:b3:c7:cd:72:ac:21:de:90:62:fd:9c:bf:06:
    18.                     42:68:5b:25:6c:ae:a6:e4:fb:1f:4a:95:27:b2:3a:
    19.                     1d:57:fd:e7:d4:4c:2b:c8:38:99:81:08:ec:77:f4:
    20.                     66:78:7f:17:e5:88:70:d7:aa:ac:f8:05:d1:22:da:
    21.                     18:43:7f:cf:12
    22.                 Field Type: prime-field
    23.                 Prime:
    24.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    25.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    26.                     ff:ff:ff
    27.                 A:   
    28.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    29.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    30.                     ff:ff:fc
    31.                 B:   
    32.                     28:e9:fa:9e:9d:9f:5e:34:4d:5a:9e:4b:cf:65:09:
    33.                     a7:f3:97:89:f5:15:ab:8f:92:dd:bc:bd:41:4d:94:
    34.                     0e:93
    35.                 Generator (uncompressed):
    36.                     04:32:c4:ae:2c:1f:19:81:19:5f:99:04:46:6a:39:
    37.                     c9:94:8f:e3:0b:bf:f2:66:0b:e1:71:5a:45:89:33:
    38.                     4c:74:c7:bc:37:36:a2:f4:f6:77:9c:59:bd:ce:e3:
    39.                     6b:69:21:53:d0:a9:87:7c:c6:2a:47:40:02:df:32:
    40.                     e5:21:39:f0:a0
    41.                 Order: 
    42.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    43.                     ff:ff:72:03:df:6b:21:c6:05:2b:53:bb:f4:09:39:
    44.                     d5:41:23
    45.                 Cofactor:  1 (0x1)
    46.     Signature Algorithm: ecdsa-with-SHA256
    47.          30:45:02:21:00:a9:49:7c:5c:27:3f:91:54:f2:89:d4:a5:aa:
    48.          45:f4:56:88:eb:d6:f7:0e:51:af:ab:df:e6:16:62:0e:62:e2:
    49.          d9:02:20:3f:e2:75:c4:84:a3:64:69:c5:d3:1a:22:4b:10:77:
    50.          70:1d:09:c7:70:67:7e:65:cc:71:00:ef:8f:61:5e:36:9e
    51. -----BEGIN CERTIFICATE-----
    52. MIIC9zCCAp0CFDyGd6amCMlmhVoBc6q08geRCczdMAoGCCqGSM49BAMCMIGPMQsw
    53. CQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEM
    54. MAoGA1UECgwDTVNJMQwwCgYDVQQLDANtc2kxFzAVBgNVBAMMDnNlcnZlcl9lbmNy
    55. eXB0MScwJQYJKoZIhvcNAQkBFhhzZXJ2ZXJfZW5jcnlwdEBnbXNzbC5jb20wHhcN
    56. MjIxMTI4MDYyMzA4WhcNMjMxMTI4MDYyMzA4WjCBjzELMAkGA1UEBhMCQ04xEDAO
    57. BgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDDAKBgNVBAoMA01TSTEM
    58. MAoGA1UECwwDbXNpMRcwFQYDVQQDDA5zZXJ2ZXJfZW5jcnlwdDEnMCUGCSqGSIb3
    59. DQEJARYYc2VydmVyX2VuY3J5cHRAZ21zc2wuY29tMIIBMzCB7AYHKoZIzj0CATCB
    60. 4AIBATAsBgcqhkjOPQEBAiEA/v8AAAAA
    61. //8wRAQg/v8AAAAA//wEICjp+p6dn140
    62. TVqeS89lCafzl4n1FauPkt28vUFNlA6TBEEEMsSuLB8ZgRlfmQRGajnJlI/jC7/y
    63. ZgvhcVpFiTNMdMe8Nzai9PZ3nFm9zuNraSFT0KmHfMYqR0AC3zLlITnwoAIhAP//
    64. //7///9yA99rIcYFK1O79Ak51UEjAgEBA0IABFezx81yrCHekGL9
    65. nL8GQmhbJWyupuT7H0qVJ7I6HVf959RMK8g4mYEI7Hf0Znh/F+WIcNeqrPgF0SLa
    66. GEN/zxIwCgYIKoZIzj0EAwIDSAAwRQIhAKlJfFwnP5FU8onUpapF9FaI69b3DlGv
    67. q9/mFmIOYuLZAiA/4nXEhKNkacXTGiJLEHdwHQnHcGd+ZcxxAO+PYV42ng==
    68. -----END CERTIFICATE-----

    客户端

    签名

    • 生成私钥
      • openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out cs.key
    • 生成请求
      • openssl req -new -key cs.key -out cs.csr

    • 使用ca私钥进行签名,生成加密证书
      • openssl x509 -req -days 365 -in cs.csr -signkey ../ca/ca.key -out cs.crt
    • 查看加密证书
      • openssl x509 -text -in cs.crt 
    1. chy-cpabe@ubuntu:~/double_certificate/second$ openssl x509 -text -in cs.crt 
    2. Certificate:
    3.     Data:
    4.         Version: 1 (0x0)
    5.         Serial Number:
    6.             2e:6c:49:b9:b6:6d:42:b6:aa:5e:40:4d:94:da:49:3d:d4:ec:69:4c
    7.         Signature Algorithm: ecdsa-with-SHA256
    8.         Issuer: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = client_sign, emailAddress = client_sign@gmssl.com
    9.         Validity
    10.             Not Before: Nov 28 06:30:09 2022 GMT
    11.             Not After : Nov 28 06:30:09 2023 GMT
    12.         Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = client_sign, emailAddress = client_sign@gmssl.com
    13.         Subject Public Key Info:
    14.             Public Key Algorithm: id-ecPublicKey
    15.                 Public-Key: (256 bit)
    16.                 pub:
    17.                     04:57:b3:c7:cd:72:ac:21:de:90:62:fd:9c:bf:06:
    18.                     42:68:5b:25:6c:ae:a6:e4:fb:1f:4a:95:27:b2:3a:
    19.                     1d:57:fd:e7:d4:4c:2b:c8:38:99:81:08:ec:77:f4:
    20.                     66:78:7f:17:e5:88:70:d7:aa:ac:f8:05:d1:22:da:
    21.                     18:43:7f:cf:12
    22.                 Field Type: prime-field
    23.                 Prime:
    24.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    25.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    26.                     ff:ff:ff
    27.                 A:   
    28.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    29.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    30.                     ff:ff:fc
    31.                 B:   
    32.                     28:e9:fa:9e:9d:9f:5e:34:4d:5a:9e:4b:cf:65:09:
    33.                     a7:f3:97:89:f5:15:ab:8f:92:dd:bc:bd:41:4d:94:
    34.                     0e:93
    35.                 Generator (uncompressed):
    36.                     04:32:c4:ae:2c:1f:19:81:19:5f:99:04:46:6a:39:
    37.                     c9:94:8f:e3:0b:bf:f2:66:0b:e1:71:5a:45:89:33:
    38.                     4c:74:c7:bc:37:36:a2:f4:f6:77:9c:59:bd:ce:e3:
    39.                     6b:69:21:53:d0:a9:87:7c:c6:2a:47:40:02:df:32:
    40.                     e5:21:39:f0:a0
    41.                 Order: 
    42.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    43.                     ff:ff:72:03:df:6b:21:c6:05:2b:53:bb:f4:09:39:
    44.                     d5:41:23
    45.                 Cofactor:  1 (0x1)
    46.     Signature Algorithm: ecdsa-with-SHA256
    47.          30:45:02:21:00:b3:b8:70:98:4c:cc:b5:e5:da:3f:c2:2a:0b:
    48.          77:e4:85:4b:0e:b2:df:7d:a0:43:77:d3:e3:b6:47:e2:3c:6b:
    49.          03:02:20:7e:fb:d0:84:12:08:0e:a8:3a:69:5e:f9:58:ad:d6:
    50.          13:d1:54:f8:16:bd:a2:0f:07:1b:c6:83:d4:8e:49:29:95
    51. -----BEGIN CERTIFICATE-----
    52. MIIC6zCCApECFC5sSbm2bUK2ql5ATZTaST3U7GlMMAoGCCqGSM49BAMCMIGJMQsw
    53. CQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEM
    54. MAoGA1UECgwDTVNJMQwwCgYDVQQLDANtc2kxFDASBgNVBAMMC2NsaWVudF9zaWdu
    55. MSQwIgYJKoZIhvcNAQkBFhVjbGllbnRfc2lnbkBnbXNzbC5jb20wHhcNMjIxMTI4
    56. MDYzMDA5WhcNMjMxMTI4MDYzMDA5WjCBiTELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
    57. B0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDDAKBgNVBAoMA01TSTEMMAoGA1UE
    58. CwwDbXNpMRQwEgYDVQQDDAtjbGllbnRfc2lnbjEkMCIGCSqGSIb3DQEJARYVY2xp
    59. ZW50X3NpZ25AZ21zc2wuY29tMIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjO
    60. PQEBAiEA/v8AAAAA//8wRAQg/v//
    61. //8AAAAA//wEICjp+p6dn140TVqeS89lCafzl4n1
    62. FauPkt28vUFNlA6TBEEEMsSuLB8ZgRlfmQRGajnJlI/jC7/yZgvhcVpFiTNMdMe8
    63. Nzai9PZ3nFm9zuNraSFT0KmHfMYqR0AC3zLlITnwoAIhAP7/
    64. //9yA99rIcYFK1O79Ak51UEjAgEBA0IABFezx81yrCHekGL9nL8GQmhbJWyupuT7
    65. H0qVJ7I6HVf959RMK8g4mYEI7Hf0Znh/F+WIcNeqrPgF0SLaGEN/zxIwCgYIKoZI
    66. zj0EAwIDSAAwRQIhALO4cJhMzLXl2j/CKgt35IVLDrLffaBDd9PjtkfiPGsDAiB+
    67. +9CEEggOqDppXvlYrdYT0VT4Fr2iDwcbxoPUjkkplQ==
    68. -----END CERTIFICATE-----

    加密

    • 生成私钥
      • openssl ecparam -genkey -name SM2 -param_enc explicit -outform pem -out ce.key
    • 生成请求
      • openssl req -new -key ce.key -out ce.csr

    • 使用ca私钥进行签名,生成加密证书
      • openssl x509 -req -days 365 -in ce.csr -signkey ../ca/ca.key -out ce.crt
    • 查看加密证书
      • openssl x509 -text -in ce.crt 
    1. chy-cpabe@ubuntu:~/double_certificate/second$ openssl x509 -text -in ce.crt
    2. Certificate:
    3.     Data:
    4.         Version: 1 (0x0)
    5.         Serial Number:
    6.             ac:9b:ca:be:a9:7a:4b:5e:fe:6f:e3:4c:05:ad:3f:e5:c0:c3:9c
    7.         Signature Algorithm: ecdsa-with-SHA256
    8.         Issuer: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = client_encrypt, emailAddress = client_encrypt@gmssl.com
    9.         Validity
    10.             Not Before: Nov 28 06:33:09 2022 GMT
    11.             Not After : Nov 28 06:33:09 2023 GMT
    12.         Subject: C = CN, ST = Beijing, L = Beijing, O = MSI, OU = msi, CN = client_encrypt, emailAddress = client_encrypt@gmssl.com
    13.         Subject Public Key Info:
    14.             Public Key Algorithm: id-ecPublicKey
    15.                 Public-Key: (256 bit)
    16.                 pub:
    17.                     04:57:b3:c7:cd:72:ac:21:de:90:62:fd:9c:bf:06:
    18.                     42:68:5b:25:6c:ae:a6:e4:fb:1f:4a:95:27:b2:3a:
    19.                     1d:57:fd:e7:d4:4c:2b:c8:38:99:81:08:ec:77:f4:
    20.                     66:78:7f:17:e5:88:70:d7:aa:ac:f8:05:d1:22:da:
    21.                     18:43:7f:cf:12
    22.                 Field Type: prime-field
    23.                 Prime:
    24.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    25.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    26.                     ff:ff:ff
    27.                 A:   
    28.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    29.                     ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:
    30.                     ff:ff:fc
    31.                 B:   
    32.                     28:e9:fa:9e:9d:9f:5e:34:4d:5a:9e:4b:cf:65:09:
    33.                     a7:f3:97:89:f5:15:ab:8f:92:dd:bc:bd:41:4d:94:
    34.                     0e:93
    35.                 Generator (uncompressed):
    36.                     04:32:c4:ae:2c:1f:19:81:19:5f:99:04:46:6a:39:
    37.                     c9:94:8f:e3:0b:bf:f2:66:0b:e1:71:5a:45:89:33:
    38.                     4c:74:c7:bc:37:36:a2:f4:f6:77:9c:59:bd:ce:e3:
    39.                     6b:69:21:53:d0:a9:87:7c:c6:2a:47:40:02:df:32:
    40.                     e5:21:39:f0:a0
    41.                 Order: 
    42.                     00:ff:ff:ff:fe:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    43.                     ff:ff:72:03:df:6b:21:c6:05:2b:53:bb:f4:09:39:
    44.                     d5:41:23
    45.                 Cofactor:  1 (0x1)
    46.     Signature Algorithm: ecdsa-with-SHA256
    47.          30:44:02:20:4a:8e:f4:1c:79:40:95:93:ea:13:30:d5:96:78:
    48.          20:62:59:8c:35:66:55:68:b1:1a:4c:cb:82:74:b9:71:2e:a2:
    49.          02:20:75:b7:57:c3:ba:37:11:c7:57:7a:6a:6f:68:e5:bc:a3:
    50.          c9:2c:2b:69:95:f0:2d:79:4c:d1:e8:aa:57:fd:a0:dd
    51. -----BEGIN CERTIFICATE-----
    52. MIIC9jCCAp0CFACsm8q+qXpLXv5v40wFrT/lwMOcMAoGCCqGSM49BAMCMIGPMQsw
    53. CQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEM
    54. MAoGA1UECgwDTVNJMQwwCgYDVQQLDANtc2kxFzAVBgNVBAMMDmNsaWVudF9lbmNy
    55. eXB0MScwJQYJKoZIhvcNAQkBFhhjbGllbnRfZW5jcnlwdEBnbXNzbC5jb20wHhcN
    56. MjIxMTI4MDYzMzA5WhcNMjMxMTI4MDYzMzA5WjCBjzELMAkGA1UEBhMCQ04xEDAO
    57. BgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxDDAKBgNVBAoMA01TSTEM
    58. MAoGA1UECwwDbXNpMRcwFQYDVQQDDA5jbGllbnRfZW5jcnlwdDEnMCUGCSqGSIb3
    59. DQEJARYYY2xpZW50X2VuY3J5cHRAZ21zc2wuY29tMIIBMzCB7AYHKoZIzj0CATCB
    60. 4AIBATAsBgcqhkjOPQEBAiEA/v8AAAAA
    61. //8wRAQg/v8AAAAA//wEICjp+p6dn140
    62. TVqeS89lCafzl4n1FauPkt28vUFNlA6TBEEEMsSuLB8ZgRlfmQRGajnJlI/jC7/y
    63. ZgvhcVpFiTNMdMe8Nzai9PZ3nFm9zuNraSFT0KmHfMYqR0AC3zLlITnwoAIhAP//
    64. //7///9yA99rIcYFK1O79Ak51UEjAgEBA0IABFezx81yrCHekGL9
    65. nL8GQmhbJWyupuT7H0qVJ7I6HVf959RMK8g4mYEI7Hf0Znh/F+WIcNeqrPgF0SLa
    66. GEN/zxIwCgYIKoZIzj0EAwIDRwAwRAIgSo70HHlAlZPqEzDVlnggYlmMNWZVaLEa
    67. TMuCdLlxLqICIHW3V8O6NxHHV3pqb2jlvKPJLCtplfAteUzR6KpX/aDd
    68. -----END CERTIFICATE-----

    层次结构

    测试未通过,报错信息如下:

    • 140524443496448:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:crypto/x509/x509_cmp.c:288:
    • 140622668791808:error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1502:

    错误分析

    • 需要修改配置文件openssl.cnf,从而开启证书的keyUsage字段,实现签名和加密证书的区分
    • 给用户生成证书的时候,不仅要使用-CA指定证书,还需要使用-CAKey指定CA的私钥
    • 不知道是否合规:将证书和私钥存储在同一个文件中;这条命令不是必须的,双向认证并未使用包含私钥的证书文件,其目的是用于格式转换

    不理解(后期弥补)

    • 不理解:生成请求数据,无论是客户端服务端的签名加密,均使用根证书,多了一条-newkey ec:根证书.pem -new;此外,在成成证书的时候,使用的是CA的key和证书,ca是由根推出来的。延长证书链???
    • 不理解:生成证书的时候使用 -extensions v3_req \ 就能实现签名/加密的区分??
    • 不理解:-CAcreateserial 的含义是啥?

    错误的内容 -> 结束

    正确的开始

    目录层级

    自动化脚本

    SM2certgen.sh

    1.  
    2. # For a list of supported curves, use "apps/openssl ecparam -list_curves".
    3.  
    4. # Path to the openssl distribution
    5. OPENSSL_DIR=.
    6. # Path to the openssl program
    7. OPENSSL_CMD=gmssl
    8. # Option to find configuration file
    9. OPENSSL_CNF="-config ./openssl.cnf"
    10. # Directory where certificates are stored
    11. CERTS_DIR=./sm2Certs
    12. # Directory where private key files are stored
    13. KEYS_DIR=$CERTS_DIR
    14. # Directory where combo files (containing a certificate and corresponding
    15. # private key together) are stored
    16. COMBO_DIR=$CERTS_DIR
    17. # cat command
    18. echo "start"
    19. #Win
    20. #CAT="C:/Progra~1/Git/usr/bin/cat.exe"
    21. # rm command
    22. #RM="C:/Progra~1/Git/usr/bin/rm.exe"
    23. # mkdir command
    24. #MKDIR="C:/Progra~1/Git/usr/bin/mkdir.exe"
    25. #Linux
    26. CAT=cat
    27. # rm command
    28. RM=rm
    29. # mkdir command
    30. MKDIR=mkdir
    31. echo "end"
    32. # The certificate will expire these many days after the issue date.
    33. DAYS=1500
    34. TEST_CA_CURVE=SM2
    35. TEST_CA_FILE=CA
    36. TEST_CA_DN="//skip=yes/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)"
    37.  
    38. TEST_SERVER_CURVE=SM2
    39. TEST_SERVER_FILE=SS
    40. TEST_SERVER_DN="//skip=yes/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)"
    41.  
    42. TEST_SERVER_ENC_FILE=SE
    43. TEST_SERVER_ENC_DN="//skip=yes/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)"
    44.  
    45. TEST_CLIENT_CURVE=SM2
    46. TEST_CLIENT_FILE=CS
    47. TEST_CLIENT_DN="//skip=yes/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=client sign (SM2)"
    48.  
    49. TEST_CLIENT_ENC_FILE=CE
    50. TEST_CLIENT_ENC_DN="//skip=yes/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=client enc (SM2)"
    51.  
    52. # Generating an EC certificate involves the following main steps
    53. # 1. Generating curve parameters (if needed)
    54. # 2. Generating a certificate request
    55. # 3. Signing the certificate request 
    56. # 4. [Optional] One can combine the cert and private key into a single
    57. #    file and also delete the certificate request
    58.  
    59. $MKDIR -p $CERTS_DIR
    60. $MKDIR -p $KEYS_DIR
    61. $MKDIR -p $COMBO_DIR
    62.  
    63. echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
    64. echo "==============================================================="
    65. $OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
    66.  
    67.  
    68. # Generate a new certificate request in $TEST_CA_FILE.req.pem. A 
    69. # new ecdsa (actually ECC) key pair is generated on the parameters in
    70. # $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
    71. # WARNING: By using the -nodes option, we force the private key to be 
    72. # stored in the clear (rather than encrypted with a password).
    73.  
    74. # 在$TEST_CA_FILE.req.pem中生成一个新的证书请求。在$TEST_CA_CURVE中的参数上
    75. # 生成一个新的ecdsa(实际上是ECC)密钥对。私钥保存在“$TEST_CA_FILE.key”文件中。
    76. # 通过使用-nodes选项,我们强制将私钥存储在clear中(而不是用密码加密)。
    77.  
    78. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
    79.     -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
    80.     -newkey ec:$TEST_CA_CURVE.pem -new \
    81.     -out $CERTS_DIR/$TEST_CA_FILE.req.pem
    82.  
    83. # Sign the certificate request in $TEST_CA_FILE.req.pem using the
    84. # private key in $TEST_CA_FILE.key.pem and include the CA extension.
    85. # Make the certificate valid for 1500 days from the time of signing.
    86. # The certificate is written into $TEST_CA_FILE.cert.pem
    87.  
    88. # 在$TEST_CA_FILE.req中签名证书请求。使用$TEST_CA_FILE.key中的私钥生成pem,
    89. # 并包含CA扩展名。证书有效期为自签署之日起1500天。
    90. # 证书被写入$TEST_CA_FILE.cert.pem
    91. $OPENSSL_CMD x509 -req -days $DAYS \
    92.     -in $CERTS_DIR/$TEST_CA_FILE.req.pem \
    93.     -extfile $OPENSSL_DIR/openssl.cnf \
    94.     -extensions v3_ca \
    95.     -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    96.     -out $CERTS_DIR/$TEST_CA_FILE.cert.pem
    97.  
    98. # Display the certificate
    99. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
    100.  
    101. # Place the certificate and key in a common file
    102. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
    103. 	 > $COMBO_DIR/$TEST_CA_FILE.pem
    104. $CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
    105.  
    106. # Remove the cert request file (no longer needed)
    107. $RM $CERTS_DIR/$TEST_CA_FILE.req.pem
    108.  
    109. echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
    110. echo "=========================================================================="
    111. # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 
    112. # new ecdsa (actually ECC) key pair is generated on the parameters in
    113. # $TEST_SERVER_CURVE.pem and the private key is saved in 
    114. # $TEST_SERVER_FILE.key.pem
    115. # WARNING: By using the -nodes option, we force the private key to be 
    116. # stored in the clear (rather than encrypted with a password).
    117.  
    118. #在$TEST_SERVER_FILE.req.pem中生成新的证书请求。在$TEST_SERVER_CURVE中的
    119. #参数上生成一个新的ecdsa(实际上是ECC)密钥对。私钥保存在“$TEST_SERVER_FILE.key”文
    120. #件中。pemWARNING:通过使用-nodes选项,我们强制将私钥存储在clear中
    121. #(而不是使用密码进行加密)。
    122.  
    123. #TEST_SERVER_DN  -> server的签名 SS
    124. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
    125.     -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
    126.     -newkey ec:$TEST_SERVER_CURVE.pem -new \
    127.     -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
    128.  
    129. # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
    130. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
    131. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
    132. # file for this CA, create one. Make the certificate valid for $DAYS days
    133. # from the time of signing. The certificate is written into 
    134. # $TEST_SERVER_FILE.cert.pem
    135. $OPENSSL_CMD x509 -req -days $DAYS \
    136.     -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
    137.     -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
    138.     -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    139. 	-extfile $OPENSSL_DIR/openssl.cnf \
    140. 	-extensions v3_req \
    141.     -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
    142.  
    143. # Display the certificate 
    144. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
    145.  
    146. # Place the certificate and key in a common file
    147. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
    148. 	 > $COMBO_DIR/$TEST_SERVER_FILE.pem
    149. $CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
    150.  
    151. # Remove the cert request file (no longer needed)
    152. $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
    153.  
    154. echo "	GENERATING A TEST SERVER ENCRYPT CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
    155. echo "  ==================================================================================="
    156. # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 
    157. # new ecdsa (actually ECC) key pair is generated on the parameters in
    158. # $TEST_SERVER_CURVE.pem and the private key is saved in 
    159. # $TEST_SERVER_FILE.key.pem
    160. # WARNING: By using the -nodes option, we force the private key to be 
    161. # stored in the clear (rather than encrypted with a password).
    162. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_ENC_DN" \
    163.     -keyout $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem \
    164.     -newkey ec:$TEST_SERVER_CURVE.pem -new \
    165.     -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem
    166.  
    167. # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
    168. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
    169. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
    170. # file for this CA, create one. Make the certificate valid for $DAYS days
    171. # from the time of signing. The certificate is written into 
    172. # $TEST_SERVER_FILE.cert.pem
    173. $OPENSSL_CMD x509 -req -days $DAYS \
    174.     -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem \
    175.     -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
    176.     -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    177. 	-extfile $OPENSSL_DIR/openssl.cnf \
    178. 	-extensions v3enc_req \
    179.     -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -CAcreateserial
    180.  
    181. # Display the certificate 
    182. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -text
    183.  
    184. # Place the certificate and key in a common file
    185. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -issuer -subject \
    186. 	 > $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem
    187. $CAT $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem
    188.  
    189. # Remove the cert request file (no longer needed)
    190. $RM $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem
    191.  
    192.  
    193.  
    194. echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
    195. echo "=========================================================================="
    196. # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 
    197. # new ecdsa (actually ECC) key pair is generated on the parameters in
    198. # $TEST_CLIENT_CURVE.pem and the private key is saved in 
    199. # $TEST_CLIENT_FILE.key.pem
    200. # WARNING: By using the -nodes option, we force the private key to be 
    201. # stored in the clear (rather than encrypted with a password).
    202. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
    203. 	     -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
    204. 	     -newkey ec:$TEST_CLIENT_CURVE.pem -new \
    205. 	     -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
    206.  
    207. # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
    208. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
    209. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
    210. # file for this CA, create one. Make the certificate valid for $DAYS days
    211. # from the time of signing. The certificate is written into 
    212. # $TEST_CLIENT_FILE.cert.pem
    213. $OPENSSL_CMD x509 -req -days $DAYS \
    214.     -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
    215.     -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
    216.     -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    217. 	-extfile $OPENSSL_DIR/openssl.cnf \
    218. 	-extensions v3_req \
    219.     -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
    220.  
    221. # Display the certificate 
    222. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
    223.  
    224. # Place the certificate and key in a common file
    225. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
    226. 	 > $COMBO_DIR/$TEST_CLIENT_FILE.pem
    227. $CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
    228.  
    229. # Remove the cert request file (no longer needed)
    230. $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
    231.  
    232.  
    233. echo "	GENERATING A TEST CLIENT ENCRYPT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
    234. echo "	==================================================================================="
    235. # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 
    236. # new ecdsa (actually ECC) key pair is generated on the parameters in
    237. # $TEST_CLIENT_CURVE.pem and the private key is saved in 
    238. # $TEST_CLIENT_FILE.key.pem
    239. # WARNING: By using the -nodes option, we force the private key to be 
    240. # stored in the clear (rather than encrypted with a password).
    241. $OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_ENC_DN" \
    242. 	     -keyout $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem \
    243. 	     -newkey ec:$TEST_CLIENT_CURVE.pem -new \
    244. 	     -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem
    245.  
    246. # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
    247. # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
    248. # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
    249. # file for this CA, create one. Make the certificate valid for $DAYS days
    250. # from the time of signing. The certificate is written into 
    251. # $TEST_CLIENT_FILE.cert.pem
    252. $OPENSSL_CMD x509 -req -days $DAYS \
    253.     -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem \
    254.     -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
    255.     -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
    256. 	-extfile $OPENSSL_DIR/openssl.cnf \
    257. 	-extensions v3enc_req \
    258.     -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -CAcreateserial
    259.  
    260. # Display the certificate 
    261. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -text
    262.  
    263. # Place the certificate and key in a common file
    264. $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -issuer -subject \
    265. 	 > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem
    266. $CAT $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem
    267.  
    268. # Remove the cert request file (no longer needed)
    269. $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem
    270.

     openssl.cnf

    •  openssl.cnf 和上面的SM2certgen.sh放置在同级目录
    1. #
    2. # OpenSSL example configuration file.
    3. # This is mostly being used for generation of certificate requests.
    4. #
    5.  
    6. # This definition stops the following lines choking if HOME isn't
    7. # defined.
    8. HOME			= .
    9. RANDFILE		= $ENV::HOME/.rnd
    10.  
    11. # Extra OBJECT IDENTIFIER info:
    12. #oid_file		= $ENV::HOME/.oid
    13. oid_section		= new_oids
    14.  
    15. # To use this configuration file with the "-extfile" option of the
    16. # "openssl x509" utility, name here the section containing the
    17. # X.509v3 extensions to use:
    18. # extensions		= 
    19. # (Alternatively, use a configuration file that has only
    20. # X.509v3 extensions in its main [= default] section.)
    21.  
    22. [ new_oids ]
    23.  
    24. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    25. # Add a simple OID like this:
    26. # testoid1=1.2.3.4
    27. # Or use config file substitution like this:
    28. # testoid2=${testoid1}.5.6
    29.  
    30. # Policies used by the TSA examples.
    31. tsa_policy1 = 1.2.3.4.1
    32. tsa_policy2 = 1.2.3.4.5.6
    33. tsa_policy3 = 1.2.3.4.5.7
    34.  
    35. ####################################################################
    36. [ ca ]
    37. default_ca	= CA_default		# The default ca section
    38.  
    39. ####################################################################
    40. [ CA_default ]
    41.  
    42. dir		= ./demoCA		# Where everything is kept
    43. certs		= $dir/certs		# Where the issued certs are kept
    44. crl_dir		= $dir/crl		# Where the issued crl are kept
    45. database	= $dir/index.txt	# database index file.
    46. #unique_subject	= no			# Set to 'no' to allow creation of
    47. 					# several ctificates with same subject.
    48. new_certs_dir	= $dir/newcerts		# default place for new certs.
    49.  
    50. certificate	= $dir/cacert.pem 	# The CA certificate
    51. serial		= $dir/serial 		# The current serial number
    52. crlnumber	= $dir/crlnumber	# the current crl number
    53. 					# must be commented out to leave a V1 CRL
    54. crl		= $dir/crl.pem 		# The current CRL
    55. private_key	= $dir/private/cakey.pem # The private key
    56. RANDFILE	= $dir/private/.rand	# private random number file
    57.  
    58. x509_extensions	= usr_cert		# The extentions to add to the cert
    59.  
    60. # Comment out the following two lines for the "traditional"
    61. # (and highly broken) format.
    62. name_opt 	= ca_default		# Subject Name options
    63. cert_opt 	= ca_default		# Certificate field options
    64.  
    65. # Extension copying option: use with caution.
    66. # copy_extensions = copy
    67.  
    68. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    69. # so this is commented out by default to leave a V1 CRL.
    70. # crlnumber must also be commented out to leave a V1 CRL.
    71. # crl_extensions	= crl_ext
    72.  
    73. default_days	= 365			# how long to certify for
    74. default_crl_days= 30			# how long before next CRL
    75. default_md	= default		# use public key default MD
    76. preserve	= no			# keep passed DN ordering
    77.  
    78. # A few difference way of specifying how similar the request should look
    79. # For type CA, the listed attributes must be the same, and the optional
    80. # and supplied fields are just that :-)
    81. policy		= policy_match
    82.  
    83. # For the CA policy
    84. [ policy_match ]
    85. countryName		= match
    86. stateOrProvinceName	= match
    87. organizationName	= match
    88. organizationalUnitName	= optional
    89. commonName		= supplied
    90. emailAddress		= optional
    91.  
    92. # For the 'anything' policy
    93. # At this point in time, you must list all acceptable 'object'
    94. # types.
    95. [ policy_anything ]
    96. countryName		= optional
    97. stateOrProvinceName	= optional
    98. localityName		= optional
    99. organizationName	= optional
    100. organizationalUnitName	= optional
    101. commonName		= supplied
    102. emailAddress		= optional
    103.  
    104. ####################################################################
    105. [ req ]
    106. default_bits		= 2048
    107. default_md		= sm3
    108. default_keyfile 	= privkey.pem
    109. distinguished_name	= req_distinguished_name
    110. attributes		= req_attributes
    111. x509_extensions	= v3_ca	# The extentions to add to the self signed cert
    112.  
    113. # Passwords for private keys if not present they will be prompted for
    114. # input_password = secret
    115. # output_password = secret
    116.  
    117. # This sets a mask for permitted string types. There are several options. 
    118. # default: PrintableString, T61String, BMPString.
    119. # pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
    120. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    121. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    122. # MASK:XXXX a literal mask value.
    123. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
    124. string_mask = utf8only
    125.  
    126. # req_extensions = v3_req # The extensions to add to a certificate request
    127.  
    128. [ req_distinguished_name ]
    129. countryName			= Country Name (2 letter code)
    130. countryName_default		= XX
    131. countryName_min			= 2
    132. countryName_max			= 2
    133.  
    134. stateOrProvinceName		= State or Province Name (full name)
    135. #stateOrProvinceName_default	= Default Province
    136.  
    137. localityName			= Locality Name (eg, city)
    138. localityName_default	= Default City
    139.  
    140. 0.organizationName		= Organization Name (eg, company)
    141. 0.organizationName_default	= Default Company Ltd
    142.  
    143. # we can do this but it is not needed normally :-)
    144. #1.organizationName		= Second Organization Name (eg, company)
    145. #1.organizationName_default	= World Wide Web Pty Ltd
    146.  
    147. organizationalUnitName		= Organizational Unit Name (eg, section)
    148. #organizationalUnitName_default	=
    149.  
    150. commonName			= Common Name (eg, your name or your server\'s hostname)
    151. commonName_max			= 64
    153. emailAddress			= Email Address
    154. emailAddress_max		= 64
    156. # SET-ex3			= SET extension number 3
    158. [ req_attributes ]
    159. challengePassword		= A challenge password
    160. challengePassword_min		= 4
    161. challengePassword_max		= 20
    163. unstructuredName		= An optional company name
    165. [ usr_cert ]
    167. # These extensions are added when 'ca' signs a request.
    169. # This goes against PKIX guidelines but some CAs do it and some software
    170. # requires this to avoid interpreting an end user certificate as a CA.
    172. basicConstraints=CA:FALSE
    174. # Here are some examples of the usage of nsCertType. If it is omitted
    175. # the certificate can be used for anything *except* object signing.
    177. # This is OK for an SSL server.
    178. # nsCertType			= server
    180. # For an object signing certificate this would be used.
    181. # nsCertType = objsign
    183. # For normal client use this is typical
    184. # nsCertType = client, email
    186. # and for everything including object signing:
    187. # nsCertType = client, email, objsignkeyCertSign
    189. # This is typical in keyUsage for a client certificate.
    190. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly
    192. # This will be displayed in Netscape's comment listbox.
    193. nsComment			= "OpenSSL Generated Certificate"
    194.  
    195. # PKIX recommendations harmless if included in all certificates.
    196. subjectKeyIdentifier=hash
    197. authorityKeyIdentifier=keyid,issuer
    198.  
    199. # This stuff is for subjectAltName and issuerAltname.
    200. # Import the email address.
    201. # subjectAltName=email:copy
    202. # An alternative to produce certificates that aren't
    203. # deprecated according to PKIX.
    204. # subjectAltName=email:move
    205.  
    206. # Copy subject details
    207. # issuerAltName=issuer:copy
    208.  
    209. #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    210. #nsBaseUrl
    211. #nsRevocationUrl
    212. #nsRenewalUrl
    213. #nsCaPolicyUrl
    214. #nsSslServerName
    215.  
    216. # This is required for TSA certificates.
    217. # extendedKeyUsage = critical,timeStamping
    218.  
    219. [ v3_req ]
    220.  
    221. # Extensions to add to a certificate request
    222.  
    223. basicConstraints = CA:FALSE
    224. keyUsage = nonRepudiation, digitalSignature
    225.  
    226.  
    227. [ v3enc_req ]
    228.  
    229. # Extensions to add to a certificate request
    230.  
    231. basicConstraints = CA:FALSE
    232. keyUsage = keyAgreement, keyEncipherment, dataEncipherment
    233.  
    234.  
    235.  
    236.  
    237. [ v3_ca ]
    238.  
    239. # Extensions for a typical CA
    240.  
    241.  
    242. # PKIX recommendation.
    243.  
    244. subjectKeyIdentifier=hash
    245.  
    246. authorityKeyIdentifier=keyid:always,issuer
    247.  
    248. # This is what PKIX recommends but some broken software chokes on critical
    249. # extensions.
    250. #basicConstraints = critical,CA:true
    251. # So we do this instead.
    252. basicConstraints = CA:true
    253.  
    254. # Key usage: this is typical for a CA certificate. However since it will
    255. # prevent it being used as an test self-signed certificate it is best
    256. # left out by default.
    257. keyUsage = cRLSign, keyCertSign
    258.  
    259. # Some might want this also
    260. # nsCertType = sslCA, emailCA
    261.  
    262. # Include email address in subject alt name: another PKIX recommendation
    263. # subjectAltName=email:copy
    264. # Copy issuer details
    265. # issuerAltName=issuer:copy
    266.  
    267. # DER hex encoding of an extension: beware experts only!
    268. # obj=DER:02:03
    269. # Where 'obj' is a standard or added object
    270. # You can even override a supported extension:
    271. # basicConstraints= critical, DER:30:03:01:01:FF
    272.  
    273. [ crl_ext ]
    274.  
    275. # CRL extensions.
    276. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    277.  
    278. # issuerAltName=issuer:copy
    279. authorityKeyIdentifier=keyid:always
    280.  
    281. [ proxy_cert_ext ]
    282. # These extensions should be added when creating a proxy certificate
    283.  
    284. # This goes against PKIX guidelines but some CAs do it and some software
    285. # requires this to avoid interpreting an end user certificate as a CA.
    286.  
    287. basicConstraints=CA:FALSE
    288.  
    289. # Here are some examples of the usage of nsCertType. If it is omitted
    290. # the certificate can be used for anything *except* object signing.
    291.  
    292. # This is OK for an SSL server.
    293. # nsCertType			= server
    294.  
    295. # For an object signing certificate this would be used.
    296. # nsCertType = objsign
    297.  
    298. # For normal client use this is typical
    299. # nsCertType = client, email
    300.  
    301. # and for everything including object signing:
    302. # nsCertType = client, email, objsign
    303.  
    304. # This is typical in keyUsage for a client certificate.
    305. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    306.  
    307. # This will be displayed in Netscape's comment listbox.
    308. nsComment			= "OpenSSL Generated Certificate"
    309.  
    310. # PKIX recommendations harmless if included in all certificates.
    311. subjectKeyIdentifier=hash
    312. authorityKeyIdentifier=keyid,issuer
    313.  
    314. # This stuff is for subjectAltName and issuerAltname.
    315. # Import the email address.
    316. # subjectAltName=email:copy
    317. # An alternative to produce certificates that aren't
    318. # deprecated according to PKIX.
    319. # subjectAltName=email:move
    320.  
    321. # Copy subject details
    322. # issuerAltName=issuer:copy
    323.  
    324. #nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
    325. #nsBaseUrl
    326. #nsRevocationUrl
    327. #nsRenewalUrl
    328. #nsCaPolicyUrl
    329. #nsSslServerName
    330.  
    331. # This really needs to be in place for it to be a proxy certificate.
    332. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
    333.  
    334. ####################################################################
    335. [ tsa ]
    336.  
    337. default_tsa = tsa_config1	# the default TSA section
    338.  
    339. [ tsa_config1 ]
    340.  
    341. # These are used by the TSA reply generation only.
    342. dir		= ./demoCA		# TSA root directory
    343. serial		= $dir/tsaserial	# The current serial number (mandatory)
    344. crypto_device	= builtin		# OpenSSL engine to use for signing
    345. signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
    346. 					# (optional)
    347. certs		= $dir/cacert.pem	# Certificate chain to include in reply
    348. 					# (optional)
    349. signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
    350.  
    351. default_policy	= tsa_policy1		# Policy if request did not specify it
    352. 					# (optional)
    353. other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
    354. digests		= md5, sha1		# Acceptable message digests (mandatory)
    355. accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
    356. clock_precision_digits  = 0	# number of digits after dot. (optional)
    357. ordering		= yes	# Is ordering defined for timestamps?
    358. 				# (optional, default: no)
    359. tsa_name		= yes	# Must the TSA name be included in the reply?
    360. 				# (optional, default: no)
    361. ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
    362. 				# (optional, default: no)

    执行结果

    1. chy-cpabe@ubuntu:~/double_certificate/test_sh$ ls
    2. openssl.cnf  SM2certGen.sh  sm2Certs
    3. chy-cpabe@ubuntu:~/double_certificate/test_sh$ ./SM2certGen.sh 
    4. start
    5. end
    6. Generating self-signed CA certificate (on curve SM2)
    7. ===============================================================
    8. Generating an EC private key
    9. writing new private key to './sm2Certs/CA.key.pem'
    10. -----
    11. req: Skipping unknown attribute "/skip"
    12. Signature ok
    13. subject=C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    14. Getting Private key
    15. Certificate:
    16.     Data:
    17.         Version: 3 (0x2)
    18.         Serial Number:
    19.             84:3a:ff:da:ac:ac:89:34
    20.     Signature Algorithm: sm2sign-with-sm3
    21.         Issuer: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    22.         Validity
    23.             Not Before: Nov 28 09:48:17 2022 GMT
    24.             Not After : Jan  6 09:48:17 2027 GMT
    25.         Subject: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    26.         Subject Public Key Info:
    27.             Public Key Algorithm: id-ecPublicKey
    28.                 Public-Key: (256 bit)
    29.                 pub:
    30.                     04:ce:20:49:82:a9:26:1e:9e:2c:3c:a9:71:c1:fb:
    31.                     cb:45:f8:ac:de:94:9f:26:25:cd:2b:0f:bd:95:59:
    32.                     07:91:04:1e:ac:ae:b6:04:2c:23:24:b0:b6:e2:e8:
    33.                     53:13:e3:cf:fc:64:71:fe:c0:46:75:57:22:e0:01:
    34.                     05:a6:dc:35:d1
    35.                 ASN1 OID: sm2p256v1
    36.                 NIST CURVE: SM2
    37.         X509v3 extensions:
    38.             X509v3 Subject Key Identifier: 
    39.                 46:73:BA:3D:B5:E6:DD:C1:24:48:90:92:19:3F:21:F6:53:18:5E:76
    40.             X509v3 Authority Key Identifier: 
    41.                 keyid:46:73:BA:3D:B5:E6:DD:C1:24:48:90:92:19:3F:21:F6:53:18:5E:76
    42.  
    43.             X509v3 Basic Constraints: 
    44.                 CA:TRUE
    45.             X509v3 Key Usage: 
    46.                 Certificate Sign, CRL Sign
    47.     Signature Algorithm: sm2sign-with-sm3
    48.          30:44:02:20:13:30:fa:87:f3:eb:48:84:f2:19:55:a3:61:8d:
    49.          63:2c:00:95:06:1b:8a:c5:d6:dd:4b:9b:01:f6:bf:21:de:65:
    50.          02:20:6e:47:26:3c:f2:fe:44:7b:63:1a:82:7f:6f:e5:29:4f:
    51.          b0:5d:e3:e5:33:5a:11:35:32:07:f5:08:7d:78:ab:12
    52. -----BEGIN CERTIFICATE-----
    53. MIICWTCCAgCgAwIBAgIJAIQ6/9qsrIk0MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    54. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    55. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    56. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    57. MDYwOTQ4MTdaMIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    58. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    59. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTBZ
    60. MBMGByqGSM49AgEGCCqBHM9VAYItA0IABM4gSYKpJh6eLDypccH7y0X4rN6UnyYl
    61. zSsPvZVZB5EEHqyutgQsIySwtuLoUxPjz/xkcf7ARnVXIuABBabcNdGjXTBbMB0G
    62. A1UdDgQWBBRGc7o9tebdwSRIkJIZPyH2UxhedjAfBgNVHSMEGDAWgBRGc7o9tebd
    63. wSRIkJIZPyH2UxhedjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzP
    64. VQGDdQNHADBEAiATMPqH8+tIhPIZVaNhjWMsAJUGG4rF1t1LmwH2vyHeZQIgbkcm
    65. PPL+RHtjGoJ/b+UpT7Bd4+UzWhE1Mgf1CH14qxI=
    66. -----END CERTIFICATE-----
    67. GENERATING A TEST SERVER CERTIFICATE (on elliptic curve SM2)
    68. ==========================================================================
    69. Generating an EC private key
    70. writing new private key to './sm2Certs/SS.key.pem'
    71. -----
    72. req: Skipping unknown attribute "/skip"
    73. Signature ok
    74. subject=C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    75. Getting CA Private Key
    76. Certificate:
    77.     Data:
    78.         Version: 3 (0x2)
    79.         Serial Number:
    80.             bd:61:fb:da:53:9a:1c:39
    81.     Signature Algorithm: sm2sign-with-sm3
    82.         Issuer: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    83.         Validity
    84.             Not Before: Nov 28 09:48:17 2022 GMT
    85.             Not After : Jan  6 09:48:17 2027 GMT
    86.         Subject: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    87.         Subject Public Key Info:
    88.             Public Key Algorithm: id-ecPublicKey
    89.                 Public-Key: (256 bit)
    90.                 pub:
    91.                     04:81:09:0d:ec:d1:99:8f:0d:28:5f:bd:83:e1:2c:
    92.                     01:af:bb:f5:bc:50:9b:30:ec:f1:c6:39:4c:c0:df:
    93.                     50:6e:fc:6d:8e:47:3a:73:bf:2c:2a:29:da:dc:d1:
    94.                     8d:e1:fc:86:1f:47:9d:30:cf:0b:40:4c:82:99:f6:
    95.                     45:c9:8b:6a:ea
    96.                 ASN1 OID: sm2p256v1
    97.                 NIST CURVE: SM2
    98.         X509v3 extensions:
    99.             X509v3 Basic Constraints: 
    100.                 CA:FALSE
    101.             X509v3 Key Usage: 
    102.                 Digital Signature, Non Repudiation
    103.     Signature Algorithm: sm2sign-with-sm3
    104.          30:45:02:21:00:e7:bc:48:a8:e3:f1:67:48:67:bd:f2:08:e7:
    105.          3d:c6:e5:2a:60:2e:63:ac:08:28:09:65:04:da:ac:d6:a2:81:
    106.          5c:02:20:36:cc:c9:3d:e5:37:64:52:49:de:27:6d:f7:76:47:
    107.          7c:f7:8a:6d:f7:ca:e9:cf:fb:b2:6d:66:ee:42:bc:40:f5
    108. -----BEGIN CERTIFICATE-----
    109. MIICGzCCAcGgAwIBAgIJAL1h+9pTmhw5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    110. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    111. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    112. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    113. MDYwOTQ4MTdaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    114. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    115. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
    116. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAASBCQ3s0ZmPDShfvYPhLAGvu/W8
    117. UJsw7PHGOUzA31Bu/G2ORzpzvywqKdrc0Y3h/IYfR50wzwtATIKZ9kXJi2rqoxow
    118. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA57xI
    119. qOPxZ0hnvfII5z3G5SpgLmOsCCgJZQTarNaigVwCIDbMyT3lN2RSSd4nbfd2R3z3
    120. im33yunP+7JtZu5CvED1
    121. -----END CERTIFICATE-----
    122. 	GENERATING A TEST SERVER ENCRYPT CERTIFICATE (on elliptic curve SM2)
    123.   ===================================================================================
    124. Generating an EC private key
    125. writing new private key to './sm2Certs/SE.key.pem'
    126. -----
    127. req: Skipping unknown attribute "/skip"
    128. Signature ok
    129. subject=C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server enc (SM2)
    130. Getting CA Private Key
    131. Certificate:
    132.     Data:
    133.         Version: 3 (0x2)
    134.         Serial Number:
    135.             bd:61:fb:da:53:9a:1c:3a
    136.     Signature Algorithm: sm2sign-with-sm3
    137.         Issuer: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    138.         Validity
    139.             Not Before: Nov 28 09:48:17 2022 GMT
    140.             Not After : Jan  6 09:48:17 2027 GMT
    141.         Subject: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server enc (SM2)
    142.         Subject Public Key Info:
    143.             Public Key Algorithm: id-ecPublicKey
    144.                 Public-Key: (256 bit)
    145.                 pub:
    146.                     04:bd:4b:58:9f:96:88:a7:4d:5f:b2:09:59:0d:4f:
    147.                     bb:dd:62:72:b0:e8:4c:a8:98:66:a3:1b:23:b9:db:
    148.                     ce:bc:2d:a2:1c:be:d6:dd:2d:13:bd:53:e6:6f:44:
    149.                     3e:4e:b6:e5:af:bc:8b:83:9b:25:66:54:dd:e3:f7:
    150.                     dd:20:51:29:97
    151.                 ASN1 OID: sm2p256v1
    152.                 NIST CURVE: SM2
    153.         X509v3 extensions:
    154.             X509v3 Basic Constraints: 
    155.                 CA:FALSE
    156.             X509v3 Key Usage: 
    157.                 Key Encipherment, Data Encipherment, Key Agreement
    158.     Signature Algorithm: sm2sign-with-sm3
    159.          30:45:02:21:00:9a:59:a4:58:2a:ff:d6:a4:03:b5:68:22:ec:
    160.          52:44:5a:aa:49:9a:18:61:06:5c:4f:ed:dc:2c:2b:b2:62:f4:
    161.          8e:02:20:29:a6:0a:8e:70:00:91:44:18:12:b6:7d:d9:c7:f9:
    162.          66:16:d3:8b:6c:d4:83:99:c7:7d:67:6d:f6:94:51:b1:a8
    163. -----BEGIN CERTIFICATE-----
    164. MIICGjCCAcCgAwIBAgIJAL1h+9pTmhw6MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    165. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    166. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    167. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    168. MDYwOTQ4MTdaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    169. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    170. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQc2VydmVyIGVuYyAoU00y
    171. KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABL1LWJ+WiKdNX7IJWQ1Pu91icrDo
    172. TKiYZqMbI7nbzrwtohy+1t0tE71T5m9EPk625a+8i4ObJWZU3eP33SBRKZejGjAY
    173. MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0gAMEUCIQCaWaRY
    174. Kv/WpAO1aCLsUkRaqkmaGGEGXE/t3CwrsmL0jgIgKaYKjnAAkUQYErZ92cf5ZhbT
    175. i2zUg5nHfWdt9pRRsag=
    176. -----END CERTIFICATE-----
    177. GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve SM2)
    178. ==========================================================================
    179. Generating an EC private key
    180. writing new private key to './sm2Certs/CS.key.pem'
    181. -----
    182. req: Skipping unknown attribute "/skip"
    183. Signature ok
    184. subject=C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
    185. Getting CA Private Key
    186. Certificate:
    187.     Data:
    188.         Version: 3 (0x2)
    189.         Serial Number:
    190.             bd:61:fb:da:53:9a:1c:3b
    191.     Signature Algorithm: sm2sign-with-sm3
    192.         Issuer: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    193.         Validity
    194.             Not Before: Nov 28 09:48:17 2022 GMT
    195.             Not After : Jan  6 09:48:17 2027 GMT
    196.         Subject: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
    197.         Subject Public Key Info:
    198.             Public Key Algorithm: id-ecPublicKey
    199.                 Public-Key: (256 bit)
    200.                 pub:
    201.                     04:d4:b3:30:f2:e8:a7:66:42:de:a4:2f:b9:5c:51:
    202.                     51:a6:35:ab:f3:00:df:fa:6c:7c:be:8a:cd:87:07:
    203.                     09:5f:b3:77:18:e6:94:c6:32:e5:a7:f6:ca:ad:b9:
    204.                     b6:bf:5b:04:18:d5:a2:d6:88:03:e8:a7:10:48:f5:
    205.                     8b:81:81:6f:a2
    206.                 ASN1 OID: sm2p256v1
    207.                 NIST CURVE: SM2
    208.         X509v3 extensions:
    209.             X509v3 Basic Constraints: 
    210.                 CA:FALSE
    211.             X509v3 Key Usage: 
    212.                 Digital Signature, Non Repudiation
    213.     Signature Algorithm: sm2sign-with-sm3
    214.          30:46:02:21:00:9c:51:38:c8:bb:0d:6f:9f:21:39:e1:fe:91:
    215.          9c:e3:ec:5d:23:62:ae:ab:26:3d:be:bc:c5:2e:03:21:33:54:
    216.          0a:02:21:00:d9:67:aa:55:97:ee:8f:bb:7c:fa:31:5a:bf:f5:
    217.          08:1f:f2:bf:0f:2c:c8:88:90:0e:e8:95:65:5e:93:0b:35:13
    218. -----BEGIN CERTIFICATE-----
    219. MIICHDCCAcGgAwIBAgIJAL1h+9pTmhw7MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    220. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    221. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    222. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    223. MDYwOTQ4MTdaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    224. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    225. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRY2xpZW50IHNpZ24gKFNN
    226. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAATUszDy6KdmQt6kL7lcUVGmNavz
    227. AN/6bHy+is2HBwlfs3cY5pTGMuWn9sqtuba/WwQY1aLWiAPopxBI9YuBgW+ioxow
    228. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNJADBGAiEAnFE4
    229. yLsNb58hOeH+kZzj7F0jYq6rJj2+vMUuAyEzVAoCIQDZZ6pVl+6Pu3z6MVq/9Qgf
    230. 8r8PLMiIkA7olWVekws1Ew==
    231. -----END CERTIFICATE-----
    232. 	GENERATING A TEST CLIENT ENCRYPT CERTIFICATE (on elliptic curve SM2)
    233. 	===================================================================================
    234. Generating an EC private key
    235. writing new private key to './sm2Certs/CE.key.pem'
    236. -----
    237. req: Skipping unknown attribute "/skip"
    238. Signature ok
    239. subject=C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client enc (SM2)
    240. Getting CA Private Key
    241. Certificate:
    242.     Data:
    243.         Version: 3 (0x2)
    244.         Serial Number:
    245.             bd:61:fb:da:53:9a:1c:3c
    246.     Signature Algorithm: sm2sign-with-sm3
    247.         Issuer: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    248.         Validity
    249.             Not Before: Nov 28 09:48:17 2022 GMT
    250.             Not After : Jan  6 09:48:17 2027 GMT
    251.         Subject: C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client enc (SM2)
    252.         Subject Public Key Info:
    253.             Public Key Algorithm: id-ecPublicKey
    254.                 Public-Key: (256 bit)
    255.                 pub:
    256.                     04:c2:20:82:71:7b:46:8d:bf:98:df:1b:5f:51:28:
    257.                     40:96:cd:51:83:47:85:47:d0:da:b2:48:24:0e:0e:
    258.                     c7:28:29:9d:e0:14:15:e4:b9:2f:0d:2c:32:bc:54:
    259.                     dc:31:83:3c:5a:37:1a:1e:18:3e:0c:ba:9f:ec:70:
    260.                     9d:13:46:11:e5
    261.                 ASN1 OID: sm2p256v1
    262.                 NIST CURVE: SM2
    263.         X509v3 extensions:
    264.             X509v3 Basic Constraints: 
    265.                 CA:FALSE
    266.             X509v3 Key Usage: 
    267.                 Key Encipherment, Data Encipherment, Key Agreement
    268.     Signature Algorithm: sm2sign-with-sm3
    269.          30:44:02:20:6e:5b:c2:af:f3:65:eb:46:b1:01:76:2c:9c:ce:
    270.          bc:22:55:da:94:af:31:a0:ef:eb:da:fa:1e:70:05:7f:91:b7:
    271.          02:20:7d:3d:42:5e:40:b5:4d:7a:5c:0b:90:9d:40:6a:07:0d:
    272.          45:bc:db:1a:49:50:b2:ed:3c:d6:71:91:a8:11:45:bc
    273. -----BEGIN CERTIFICATE-----
    274. MIICGTCCAcCgAwIBAgIJAL1h+9pTmhw8MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    275. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    276. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    277. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    278. MDYwOTQ4MTdaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    279. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    280. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQY2xpZW50IGVuYyAoU00y
    281. KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMIggnF7Ro2/mN8bX1EoQJbNUYNH
    282. hUfQ2rJIJA4OxygpneAUFeS5Lw0sMrxU3DGDPFo3Gh4YPgy6n+xwnRNGEeWjGjAY
    283. MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0cAMEQCIG5bwq/z
    284. ZetGsQF2LJzOvCJV2pSvMaDv69r6HnAFf5G3AiB9PUJeQLVNelwLkJ1AagcNRbzb
    285. GklQsu081nGRqBFFvA==
    286. -----END CERTIFICATE-----
    287. chy-cpabe@ubuntu:~/double_certificate/test_sh$ ls
    288. openssl.cnf  SM2certGen.sh  sm2Certs  SM2.pem
    289. chy-cpabe@ubuntu:~/double_certificate/test_sh$ cd sm2Certs/
    290. chy-cpabe@ubuntu:~/double_certificate/test_sh/sm2Certs$ ls
    291. CA.cert.pem  CA.pem       CE.key.pem  CS.cert.pem  CS.pem       SE.key.pem  SS.cert.pem  SS.pem
    292. CA.key.pem   CE.cert.pem  CE.pem      CS.key.pem   SE.cert.pem  SE.pem      SS.key.pem
    293. chy-cpabe@ubuntu:~/double_certificate/test_sh/sm2Certs$ ll
    294. 总用量 68
    295. drwxrwxr-x 2 chy-cpabe chy-cpabe 4096 11月 28 01:48 ./
    296. drwxrwxr-x 3 chy-cpabe chy-cpabe 4096 11月 28 01:48 ../
    297. -rw-rw-r-- 1 chy-cpabe chy-cpabe  875 11月 28 01:48 CA.cert.pem
    298. -rw------- 1 chy-cpabe chy-cpabe  241 11月 28 01:48 CA.key.pem
    299. -rw-rw-r-- 1 chy-cpabe chy-cpabe 1335 11月 28 01:48 CA.pem
    300. -rw-rw-r-- 1 chy-cpabe chy-cpabe  790 11月 28 01:48 CE.cert.pem
    301. -rw------- 1 chy-cpabe chy-cpabe  241 11月 28 01:48 CE.key.pem
    302. -rw-rw-r-- 1 chy-cpabe chy-cpabe 1253 11月 28 01:48 CE.pem
    303. -rw-rw-r-- 1 chy-cpabe chy-cpabe  794 11月 28 01:48 CS.cert.pem
    304. -rw------- 1 chy-cpabe chy-cpabe  241 11月 28 01:48 CS.key.pem
    305. -rw-rw-r-- 1 chy-cpabe chy-cpabe 1258 11月 28 01:48 CS.pem
    306. -rw-rw-r-- 1 chy-cpabe chy-cpabe  790 11月 28 01:48 SE.cert.pem
    307. -rw------- 1 chy-cpabe chy-cpabe  241 11月 28 01:48 SE.key.pem
    308. -rw-rw-r-- 1 chy-cpabe chy-cpabe 1253 11月 28 01:48 SE.pem
    309. -rw-rw-r-- 1 chy-cpabe chy-cpabe  790 11月 28 01:48 SS.cert.pem
    310. -rw------- 1 chy-cpabe chy-cpabe  241 11月 28 01:48 SS.key.pem
    311. -rw-rw-r-- 1 chy-cpabe chy-cpabe 1254 11月 28 01:48 SS.pem
    312. chy-cpabe@ubuntu:~/double_certificate/test_sh/sm2Certs$

    双向认证测试

     服务端

    • gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
    1. chy-cpabe@ubuntu:~/double_certificate/test_sh/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
    2. verify depth is 1
    3. Using default temp DH parameters
    4. [GMTLS_DEBUG] set sm2 signing certificate
    5. [GMTLS_DEBUG] set sm2 signing private key
    6. [GMTLS_DEBUG] set sm2 encryption certificate
    7. [GMTLS_DEBUG] set sm2 decryption private key
    8. ACCEPT
    9. SSL_accept:before SSL initialization
    10. SSL_accept:before SSL initialization
    11. SSL_accept:SSLv3/TLS read client hello
    12. SSL_accept:SSLv3/TLS write server hello
    13. SSL_accept:SSLv3/TLS write certificate
    14. SSL_accept:SSLv3/TLS write key exchange
    15. SSL_accept:SSLv3/TLS write certificate request
    16. SSL_accept:SSLv3/TLS write server done
    17. SSL_accept:SSLv3/TLS write server done
    18. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    19. verify return:1
    20. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
    21. verify return:1
    22. SSL_accept:SSLv3/TLS read client certificate
    23. ssl_get_algorithm2=1734000008x
    24. SSL_accept:SSLv3/TLS read client key exchange
    25. SSL_accept:SSLv3/TLS read certificate verify
    26. SSL_accept:SSLv3/TLS read change cipher spec
    27. SSL_accept:SSLv3/TLS read finished
    28. SSL_accept:SSLv3/TLS write change cipher spec
    29. SSL_accept:SSLv3/TLS write finished
    30. -----BEGIN SSL SESSION PARAMETERS-----
    31. MIICmQIBAQICAQEEAuATBCB1GdDftz8QjZAogqTty/vAmqgraUSYwUlUYKBeLn4I
    32. UwQwmpFOFPw9d7/GxkX1oXjNkvu15V9G3/tUwup5mENRZdqxCLUFpF0YpU0GDtfZ
    33. fJddoQYCBGOEhsCiBAICHCCjggIgMIICHDCCAcGgAwIBAgIJAL1h+9pTmhw7MAoG
    34. CCqBHM9VAYN1MIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    35. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    36. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAe
    37. Fw0yMjExMjgwOTQ4MTdaFw0yNzAxMDYwOTQ4MTdaMIGGMQswCQYDVQQGEwJDTjEL
    38. MAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcg
    39. Sk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgG
    40. A1UEAwwRY2xpZW50IHNpZ24gKFNNMikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNC
    41. AATUszDy6KdmQt6kL7lcUVGmNavzAN/6bHy+is2HBwlfs3cY5pTGMuWn9sqtuba/
    42. WwQY1aLWiAPopxBI9YuBgW+ioxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAK
    43. BggqgRzPVQGDdQNJADBGAiEAnFE4yLsNb58hOeH+kZzj7F0jYq6rJj2+vMUuAyEz
    44. VAoCIQDZZ6pVl+6Pu3z6MVq/9Qgf8r8PLMiIkA7olWVekws1E6QGBAQBAAAA
    45. -----END SSL SESSION PARAMETERS-----
    46. Client certificate
    47. -----BEGIN CERTIFICATE-----
    48. MIICHDCCAcGgAwIBAgIJAL1h+9pTmhw7MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    49. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    50. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    51. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    52. MDYwOTQ4MTdaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    53. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    54. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRY2xpZW50IHNpZ24gKFNN
    55. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAATUszDy6KdmQt6kL7lcUVGmNavz
    56. AN/6bHy+is2HBwlfs3cY5pTGMuWn9sqtuba/WwQY1aLWiAPopxBI9YuBgW+ioxow
    57. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNJADBGAiEAnFE4
    58. yLsNb58hOeH+kZzj7F0jYq6rJj2+vMUuAyEzVAoCIQDZZ6pVl+6Pu3z6MVq/9Qgf
    59. 8r8PLMiIkA7olWVekws1Ew==
    60. -----END CERTIFICATE-----
    61. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=client sign (SM2)
    62. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    63. Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
    64. CIPHER is SM2-WITH-SMS4-SM3
    65. Secure Renegotiation IS supported

    客户端

    • gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
    1. chy-cpabe@ubuntu:~/double_certificate/test_sh/sm2Certs$ gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
    2. [GMTLS_DEBUG] set sm2 signing certificate
    3. [GMTLS_DEBUG] set sm2 signing private key
    4. [GMTLS_DEBUG] set sm2 encryption certificate
    5. [GMTLS_DEBUG] set sm2 decryption private key
    6. CONNECTED(00000003)
    7. SSL_connect:before SSL initialization
    8. SSL_connect:SSLv3/TLS write client hello
    9. SSL_connect:SSLv3/TLS write client hello
    10. SSL_connect:SSLv3/TLS read server hello
    11. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    12. verify return:1
    13. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    14. verify return:1
    15. SSL_connect:SSLv3/TLS read server certificate
    16. Z=818CE57807A4D23F1F25A32D1C15EF46980AB3481FED36987D5D5BFCCCFEB367
    17. C=00021E3082021A308201C0A003020102020900BD61FBDA539A1C3A300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3232313132383039343831375A170D3237303130363039343831375A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004BD4B589F9688A74D5FB209590D4FBBDD6272B0E84CA89866A31B23B9DBCEBC2DA21CBED6DD2D13BD53E66F443E4EB6E5AFBC8B839B256654DDE3F7DD20512997A31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF5501837503480030450221009A59A4582AFFD6A403B56822EC52445AAA499A1861065C4FEDDC2C2BB262F48E022029A60A8E700091441812B67DD9C7F96616D38B6CD48399C77D676DF69451B1A8
    18. SSL_connect:SSLv3/TLS read server key exchange
    19. SSL_connect:SSLv3/TLS read server certificate request
    20. SSL_connect:SSLv3/TLS read server done
    21. SSL_connect:SSLv3/TLS write client certificate
    22. SSL_connect:SSLv3/TLS write client key exchange
    23. ssl_get_algorithm2=a512200008x
    24. SSL_connect:SSLv3/TLS write certificate verify
    25. SSL_connect:SSLv3/TLS write change cipher spec
    26. SSL_connect:SSLv3/TLS write finished
    27. SSL_connect:SSLv3/TLS write finished
    28. SSL_connect:SSLv3/TLS read change cipher spec
    29. SSL_connect:SSLv3/TLS read finished
    30. ---
    31. Certificate chain
    32.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    33.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    34.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
    35.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    36.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    37.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    38. ---
    39. Server certificate
    40. -----BEGIN CERTIFICATE-----
    41. MIICGzCCAcGgAwIBAgIJAL1h+9pTmhw5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    42. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    43. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    44. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMjExMjgwOTQ4MTdaFw0yNzAx
    45. MDYwOTQ4MTdaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    46. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    47. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
    48. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAASBCQ3s0ZmPDShfvYPhLAGvu/W8
    49. UJsw7PHGOUzA31Bu/G2ORzpzvywqKdrc0Y3h/IYfR50wzwtATIKZ9kXJi2rqoxow
    50. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEA57xI
    51. qOPxZ0hnvfII5z3G5SpgLmOsCCgJZQTarNaigVwCIDbMyT3lN2RSSd4nbfd2R3z3
    52. im33yunP+7JtZu5CvED1
    53. -----END CERTIFICATE-----
    54. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    55. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    56. ---
    57. Acceptable client certificate CA names
    58. /C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    59. Client Certificate Types: RSA sign, DSA sign
    60. ---
    61. SSL handshake has read 2121 bytes and written 2113 bytes
    62. Verification: OK
    63. ---
    64. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
    65. Server public key is 256 bit
    66. Secure Renegotiation IS NOT supported
    67. Compression: NONE
    68. Expansion: NONE
    69. No ALPN negotiated
    70. SSL-Session:
    71.     Protocol  : GMTLSv1.1
    72.     Cipher    : SM2-WITH-SMS4-SM3
    73.     Session-ID: 7519D0DFB73F108D902882A4EDCBFBC09AA82B694498C1495460A05E2E7E0853
    74.     Session-ID-ctx: 
    75.     Master-Key: 9A914E14FC3D77BFC6C645F5A178CD92FBB5E55F46DFFB54C2EA7998435165DAB108B505A45D18A54D060ED7D97C975D
    76.     PSK identity: None
    77.     PSK identity hint: None
    78.     SRP username: None
    79.     Start Time: 1669629632
    80.     Timeout   : 7200 (sec)
    81.     Verify return code: 0 (ok)
    82.     Extended master secret: no
    83. ---

    参考链接

  • 相关阅读:
    Apollo自动驾驶平台的未来展望:从智能出行到城市管理
    【C++课程学习】:二叉树的基本函数实现
    Java 反射的应用 - 对象转Map
    MySQL数据库基本操作
    IOC容器,SpringBean和SpringBean生命周期
    Python制作经典坦克大战小游戏
    Day39——互斥锁,线程技术
    通俗讲解深度学习轻量网络MobileNet-v1/v2/v3
    【【verilog代码异步FIFO的设计解释+源码+tb】】
    SLM2110 600V 2A 逆变电源专用芯片替代IR2110S 移动储能解决方案
  • 原文地址:https://blog.csdn.net/CHYabc123456hh/article/details/128078426