• 国密gmtls协议-双证书体系的服务端和客户端通信代码

    内容介绍

    • 国密的双证书体系,将证书按照使用目的的不同划分为加密证书和签名证书两种,也就是两对公私钥,二者本质一致,均为SM2密钥对,区别仅体现在用法
    • 国密CA体系中,加密密钥对由CA产生,签名密钥对由用户自己产生,那么加密密钥涉及到的 私钥是如何通过安全的方式由CA传递到用户侧呢?使用数字信封的机理
    • 从道理上来说两个密钥具有不同的属性,逻辑上应该分开处理。其实最主要的原因是国家要保证必要的时候有能力对某些通讯进行监控,如果采用单证书,除了自己谁也无法解密(理论上如此),不利于国家安全。因此某些国家法律规定使用双证书。如果拥有加密证书的私钥,可以进行实时监控。使用过wireshark抓HTTPS包的朋友应该知道,如果配置了RSA密钥,可以解密出HTTPS通信中的加密信息。

    加密证书和私钥的生成过程

    • 用户产生签名密钥对,生成签名证书的请求,发送签名证书给CA
    • CA验证用户的签名密钥对,产生加密证书
    • CA生成对称密钥,使用用户的签名公钥加密对称密钥,生成对称秘钥的密文
    • CA使用对称密钥对称加密 加密证书所对应的私钥,输出加密私钥的密文
    • CA将加密证书、对称密钥密文和加密私钥的密文 返还给 用户
    • 用户使用签名私钥解密对称密钥的密文得到对称密钥
    • 用户使用对称密钥解密加密私钥,得到加密私钥的明文

    国标文档

    注意事项

    • 双证书与标准TLS报文格式一样,但至少要包含两个证书,签名证书在前,加密证书在后。如果牵扯到证书链,问题就复杂了,而且协议这里也没有规定清楚。是签名证书 + 证书链 + 加密证书,还是签名证书 + 加密证书 + 证书链?在实现中发现TASSL采用的是前者,而沃通测试网站采用后者。在编码时请注意,最好是两者都兼容。

    参考链接

    最关键的参考链接

    命令行 模式

    -dcert filename-dkey keyname

    specify an additional certificate and private key, these behave in the same manner as the -cert and -key options except there is no default if they are not specified (no additional certificate and key is used). As noted above some cipher suites require a certificate containing a key of a certain type. Some cipher suites need a certificate carrying an RSA key and some a DSS (DSA) key. By using RSA and DSS certificates and keys a server can support clients which only support RSA or DSS cipher suites by using an appropriate certificate.

    -dcert文件名,-dkey密钥名
    指定一个额外的证书和私钥,它们的行为方式与-cert和-key选项相同,除非没有指定它们,否则没有默认值(不使用额外的证书和密钥)。如上所述,一些密码套件需要包含特定类型密钥的证书。一些密码套件需要携带RSA密钥和一些DSS (DSA)密钥的证书。通过使用RSA和DSS证书和密钥,服务器可以通过使用适当的证书来支持仅支持RSA或DSS密码套件的客户端。

    双证书双向认证 

    服务端

    • 在设置双证书时,需要先设置签名证书,然后再设置加密证书,具体可参考源码。
    • 服务端执行命令 需要在指定的文件下执行
    • 必须要有 verify,verify是开启gmtls双向证书认证的关键,也就是对等证书验证,客户端也会验证服务端的证书
    • gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
    1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state -verify 1
    2. verify depth is 1
    3. Using default temp DH parameters
    4. [GMTLS_DEBUG] set sm2 signing certificate
    5. [GMTLS_DEBUG] set sm2 signing private key
    6. [GMTLS_DEBUG] set sm2 encryption certificate
    7. [GMTLS_DEBUG] set sm2 decryption private key
    8. ACCEPT
    9. SSL_accept:before SSL initialization
    10. SSL_accept:before SSL initialization
    11. SSL_accept:SSLv3/TLS read client hello
    12. SSL_accept:SSLv3/TLS write server hello
    13. SSL_accept:SSLv3/TLS write certificate
    14. SSL_accept:SSLv3/TLS write key exchange
    15. SSL_accept:SSLv3/TLS write certificate request
    16. SSL_accept:SSLv3/TLS write server done
    17. SSL_accept:SSLv3/TLS write server done
    18. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    19. verify return:1
    20. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = client sign (SM2)
    21. verify return:1
    22. SSL_accept:SSLv3/TLS read client certificate
    23. ssl_get_algorithm2=f227000008x
    24. SSL_accept:SSLv3/TLS read client key exchange
    25. SSL_accept:SSLv3/TLS read certificate verify
    26. SSL_accept:SSLv3/TLS read change cipher spec
    27. SSL_accept:SSLv3/TLS read finished
    28. SSL_accept:SSLv3/TLS write change cipher spec
    29. SSL_accept:SSLv3/TLS write finished
    30. -----BEGIN SSL SESSION PARAMETERS-----
    31. MIICmAIBAQICAQEEAuATBCAWcAdtfPyMiEJmINUd/e/AmYdNqNTalV1AAbACRSQE
    32. CgQwtuURXPYQpQ7gQIZ3fWRd9QpsP0Zi57oDT1D/X1xVBL3wy9yrr/BOpRw2afsu
    33. 4DH3oQYCBGMw/gSiBAICHCCjggIfMIICGzCCAcGgAwIBAgIJAIVjx+dwZIdmMAoG
    34. CCqBHM9VAYN1MIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    35. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    36. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAe
    37. Fw0yMDA2MjAxMDE4MjZaFw0yNDA3MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjEL
    38. MAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcg
    39. Sk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgG
    40. A1UEAwwRY2xpZW50IHNpZ24gKFNNMikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNC
    41. AARV/eII1n2NVqYjwt9r9A5Eh6Z0iG+WUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCr
    42. ZEhU6yuntNtaW+pexPblqXAroxowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAK
    43. BggqgRzPVQGDdQNIADBFAiEAiX+PoCNW/n9SDbv6/o+NyCCV/7kBgunc7w5b7xGm
    44. 4RICIBMDlLjPZE2ACYhu1Wjqph23PfMPMgae4+Gtd7wzFz2UpAYEBAEAAAA=
    45. -----END SSL SESSION PARAMETERS-----
    46. Client certificate
    47. -----BEGIN CERTIFICATE-----
    48. MIICGzCCAcGgAwIBAgIJAIVjx+dwZIdmMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    49. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    50. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    51. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
    52. MjkxMDE4MjZaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    53. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    54. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRY2xpZW50IHNpZ24gKFNN
    55. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAARV/eII1n2NVqYjwt9r9A5Eh6Z0
    56. iG+WUpsw4sGxhfKL0vr0OKcur6DZqjqLDSCrZEhU6yuntNtaW+pexPblqXAroxow
    57. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNIADBFAiEAiX+P
    58. oCNW/n9SDbv6/o+NyCCV/7kBgunc7w5b7xGm4RICIBMDlLjPZE2ACYhu1Wjqph23
    59. PfMPMgae4+Gtd7wzFz2U
    60. -----END CERTIFICATE-----
    61. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=client sign (SM2)
    62. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    63. Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
    64. CIPHER is SM2-WITH-SMS4-SM3
    65. Secure Renegotiation IS supported

    客户端 

    • 客户端执行代码和执行结果  
    • gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state -showcerts
    1. chy-cpabe@ubuntu:~/GMSSL_certificate/sm2Certs$ gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state -showcerts
    2. [GMTLS_DEBUG] set sm2 signing certificate
    3. [GMTLS_DEBUG] set sm2 signing private key
    4. [GMTLS_DEBUG] set sm2 encryption certificate
    5. [GMTLS_DEBUG] set sm2 decryption private key
    6. CONNECTED(00000003)
    7. SSL_connect:before SSL initialization
    8. SSL_connect:SSLv3/TLS write client hello
    9. SSL_connect:SSLv3/TLS write client hello
    10. SSL_connect:SSLv3/TLS read server hello
    11. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    12. verify return:1
    13. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    14. verify return:1
    15. SSL_connect:SSLv3/TLS read server certificate
    16. Z=BCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
    17. C=00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
    18. SSL_connect:SSLv3/TLS read server key exchange
    19. SSL_connect:SSLv3/TLS read server certificate request
    20. SSL_connect:SSLv3/TLS read server done
    21. SSL_connect:SSLv3/TLS write client certificate
    22. SSL_connect:SSLv3/TLS write client key exchange
    23. ssl_get_algorithm2=3268600008x
    24. SSL_connect:SSLv3/TLS write certificate verify
    25. SSL_connect:SSLv3/TLS write change cipher spec
    26. SSL_connect:SSLv3/TLS write finished
    27. SSL_connect:SSLv3/TLS write finished
    28. SSL_connect:SSLv3/TLS read change cipher spec
    29. SSL_connect:SSLv3/TLS read finished
    30. ---
    31. Certificate chain
    32.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    33.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    34. -----BEGIN CERTIFICATE-----
    35. MIICGjCCAcGgAwIBAgIJAIVjx+dwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    36. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    37. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    38. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
    39. MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    40. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    41. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
    42. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
    43. CL/AJrCsHa+6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
    44. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
    45. uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
    46. 3H+xKEb8r8JsEEStwaU=
    47. -----END CERTIFICATE-----
    48.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
    49.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    50. -----BEGIN CERTIFICATE-----
    51. MIICGjCCAcCgAwIBAgIJAIVjx+dwZIdlMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    52. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    53. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    54. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjZaFw0yNDA3
    55. MjkxMDE4MjZaMIGFMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    56. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    57. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEZMBcGA1UEAwwQc2VydmVyIGVuYyAoU00y
    58. KTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABLmZhTMC8CzFIsxMyihwGehrkB/C
    59. TjzPmmG5O7F3sows6OI8XFIt9zwj96w2/2iMsuaFo/pHcBA/fJnvwy0GwR+jGjAY
    60. MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgM4MAoGCCqBHM9VAYN1A0gAMEUCIQDsQ2j0
    61. AIcL7UQYF69NNZvcYant/d7lSrDBhQhLRQxGuQIgbgw6CLxYRZAEbchWA81OilH5
    62. fZZpsayj4qNie+YdSaI=
    63. -----END CERTIFICATE-----
    64.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    65.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    66. -----BEGIN CERTIFICATE-----
    67. MIICWjCCAgCgAwIBAgIJAP5W2mLaOWq5MAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    68. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    69. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    70. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
    71. MjkxMDE4MjVaMIGCMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    72. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    73. FTATBgNVBAsMDFNPUkIgb2YgVEFTUzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTBZ
    74. MBMGByqGSM49AgEGCCqBHM9VAYItA0IABArjN7ag+H8D12eqXJpMeTOR9m3sB2RC
    75. ojH7fZPB77SDfHZb9g1lcqUhrug0nw2F8wBMsLfjvsK3wQn/ryi3YvSjXTBbMB0G
    76. A1UdDgQWBBRCcBGiEpd09qSpUlkiGkZ+q+CFbDAfBgNVHSMEGDAWgBRCcBGiEpd0
    77. 9qSpUlkiGkZ+q+CFbDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjAKBggqgRzP
    78. VQGDdQNIADBFAiBjdylWVsUoTRcHu9DoMHv4lgtYJMf2xHAGLoJUjmbizAIhAOFD
    79. i3EmFVUgGVdgbnztFZcBLxtBzIAh/Q4Q3dm3/MFu
    80. -----END CERTIFICATE-----
    81. ---
    82. Server certificate
    83. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    84. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    85. ---
    86. Acceptable client certificate CA names
    87. /C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    88. Client Certificate Types: RSA sign, DSA sign
    89. ---
    90. SSL handshake has read 2121 bytes and written 2115 bytes
    91. Verification: OK
    92. ---
    93. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
    94. Server public key is 256 bit
    95. Secure Renegotiation IS NOT supported
    96. Compression: NONE
    97. Expansion: NONE
    98. No ALPN negotiated
    99. SSL-Session:
    100.     Protocol  : GMTLSv1.1
    101.     Cipher    : SM2-WITH-SMS4-SM3
    102.     Session-ID: 1670076D7CFC8C88426620D51DFDEFC099874DA8D4DA955D4001B0024524040A
    103.     Session-ID-ctx: 
    104.     Master-Key: B6E5115CF610A50EE04086777D645DF50A6C3F4662E7BA034F50FF5F5C5504BDF0CBDCABAFF04EA51C3669FB2EE031F7
    105.     PSK identity: None
    106.     PSK identity hint: None
    107.     SRP username: None
    108.     Start Time: 1664155140
    109.     Timeout   : 7200 (sec)
    110.     Verify return code: 0 (ok)
    111.     Extended master secret: no
    112. ---

    双证书单向认证 

    • 同时指定签名和加密证书 且 采用双证书单向认证
    • 服务端执行代码
    • gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state
    • 只需要将verify删除,就由双向认证变成了单项认证
    • -state参数表示打印跟多信息,方便调试
    1.  
    2. s_server: Cannot open input file gmcrt/2_sign.crt, No such file or directory
    3. s_server: Use -help for summary.
    4. chy-cpabe@ubuntu:~/test_double_ssl/GMSSL双证书demo/sm2Certs$ ls
    5. CA.cert.pem  CA.key.pem  CA.pem  CE.cert.pem  CE.key.pem  CE.pem  CS.cert.pem  CS.key.pem  CS.pem  SE.cert.pem  SE.key.pem  SE.pem  SS.cert.pem  SS.key.pem  SS.pem
    6. chy-cpabe@ubuntu:~/test_double_ssl/GMSSL双证书demo/sm2Certs$ gmssl s_server -gmtls -accept 44330 -key SS.key.pem -cert SS.cert.pem  -dkey SE.key.pem -dcert SE.cert.pem -CAfile CA.cert.pem -state
    7. Using default temp DH parameters
    8. [GMTLS_DEBUG] set sm2 signing certificate
    9. [GMTLS_DEBUG] set sm2 signing private key
    10. [GMTLS_DEBUG] set sm2 encryption certificate
    11. [GMTLS_DEBUG] set sm2 decryption private key
    12. ACCEPT
    13. SSL_accept:before SSL initialization
    14. SSL_accept:before SSL initialization
    15. ssl_get_algorithm2=2b81000008x
    16. SSL_accept:SSLv3/TLS read client hello
    17. SSL_accept:SSLv3/TLS write server hello
    18. SSL_accept:SSLv3/TLS write certificate
    19. SSL_accept:SSLv3/TLS write key exchange
    20. SSL_accept:SSLv3/TLS write server done
    21. SSL_accept:SSLv3/TLS write server done
    22. SSL_accept:SSLv3/TLS read client key exchange
    23. SSL_accept:SSLv3/TLS read change cipher spec
    24. SSL_accept:SSLv3/TLS read finished
    25. SSL_accept:SSLv3/TLS write change cipher spec
    26. SSL_accept:SSLv3/TLS write finished
    27. -----BEGIN SSL SESSION PARAMETERS-----
    28. MHUCAQECAgEBBALgEwQg4tsFtm05e9thEdmOsDjCdEY797x1PAcVaGWd8chdLuoE
    29. MDqjvlXZek3vSlC1q+aYT7NA40D6C7sbR0gNowPIhMfVan396kWxthLUmXIgz3t1
    30. 5qEGAgRjAfsxogQCAhwgpAYEBAEAAAA=
    31. -----END SSL SESSION PARAMETERS-----
    32. Shared ciphers:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3
    33. CIPHER is SM2-WITH-SMS4-SM3
    34. Secure Renegotiation IS supported
    • 客户端执行代码
    • gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
    • 可以看出,现在使用的协议已经变成gmtlsv1.1
    • SSL-Session:
    •     Protocol  : GMTLSv1.1
    1.  
    2. [GMTLS_DEBUG] set sm2 signing certificate
    3. [GMTLS_DEBUG] set sm2 signing private key
    4. [GMTLS_DEBUG] set sm2 encryption certificate
    5. [GMTLS_DEBUG] set sm2 decryption private key
    6. CONNECTED(00000003)
    7. SSL_connect:before SSL initialization
    8. SSL_connect:SSLv3/TLS write client hello
    9. SSL_connect:SSLv3/TLS write client hello
    10. SSL_connect:SSLv3/TLS read server hello
    11. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    12. verify return:1
    13. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    14. verify return:1
    15. SSL_connect:SSLv3/TLS read server certificate
    16. Z=BCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
    17. C=00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
    18. SSL_connect:SSLv3/TLS read server key exchange
    19. SSL_connect:SSLv3/TLS read server done
    20. SSL_connect:SSLv3/TLS write client key exchange
    21. SSL_connect:SSLv3/TLS write change cipher spec
    22. ssl_get_algorithm2=2790100008x
    23. SSL_connect:SSLv3/TLS write finished
    24. SSL_connect:SSLv3/TLS write finished
    25. SSL_connect:SSLv3/TLS read change cipher spec
    26. SSL_connect:SSLv3/TLS read finished
    27. ---
    28. Certificate chain
    29.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    30.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    31.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
    32.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    33.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    34.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    35. ---
    36. Server certificate
    37. -----BEGIN CERTIFICATE-----
    38. MIICGjCCAcGgAwIBAgIJAIVjx+dwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    39. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    40. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    41. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
    42. MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    43. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    44. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
    45. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
    46. CL/AJrCsHa+6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
    47. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
    48. uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
    49. 3H+xKEb8r8JsEEStwaU=
    50. -----END CERTIFICATE-----
    51. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    52. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    53. ---
    54. No client certificate CA names sent
    55. ---
    56. SSL handshake has read 1973 bytes and written 320 bytes
    57. Verification: OK
    58. ---
    59. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
    60. Server public key is 256 bit
    61. Secure Renegotiation IS NOT supported
    62. Compression: NONE
    63. Expansion: NONE
    64. No ALPN negotiated
    65. SSL-Session:
    66.     Protocol  : GMTLSv1.1
    67.     Cipher    : SM2-WITH-SMS4-SM3
    68.     Session-ID: E24D8195A9D25F9A6B877C63A85979492FA5199E58FA512A95915E33BA7A418B
    69.     Session-ID-ctx: 
    70.     Master-Key: 2ED26139965074A55F65D011A370DF7A4672A0FC7BBB4A0ED991DCD55A6231E92B5A09225BFE9F1ABD0546F1F75885A2
    71.     PSK identity: None
    72.     PSK identity hint: None
    73.     SRP username: None
    74.     Start Time: 1661073328
    75.     Timeout   : 7200 (sec)
    76.     Verify return code: 0 (ok)
    77.     Extended master secret: no
    78. ---
    79.
    • 客户端命令
    • gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
    1. gmssl s_client -gmtls -connect localhost:44330 -key CS.key.pem -cert CS.cert.pem -dkey CE.key.pem -dcert CE.cert.pem -CAfile CA.cert.pem -state
    2. [GMTLS_DEBUG] set sm2 signing certificate
    3. [GMTLS_DEBUG] set sm2 signing private key
    4. [GMTLS_DEBUG] set sm2 encryption certificate
    5. [GMTLS_DEBUG] set sm2 decryption private key
    6. CONNECTED(00000003)
    7. SSL_connect:before SSL initialization
    8. SSL_connect:SSLv3/TLS write client hello
    9. SSL_connect:SSLv3/TLS write client hello
    10. SSL_connect:SSLv3/TLS read server hello
    11. depth=1 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = SORB of TASS, CN = Test CA (SM2)
    12. verify return:1
    13. depth=0 C = CN, ST = BJ, L = HaiDian, O = Beijing JNTA Technology LTD., OU = BSRC of TASS, CN = server sign (SM2)
    14. verify return:1
    15. SSL_connect:SSLv3/TLS read server certificate
    16. Z=BCDCCB61AADD790C076DAC60ED09DDD5285A906A4025DD748DA2FB5816464C58
    17. C=00021E3082021A308201C0A0030201020209008563C7E770648765300A06082A811CCF55018375308182310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C534F5242206F6620544153533116301406035504030C0D546573742043412028534D3229301E170D3230303632303130313832365A170D3234303732393130313832365A308185310B300906035504061302434E310B300906035504080C02424A3110300E06035504070C074861694469616E31253023060355040A0C1C4265696A696E67204A4E544120546563686E6F6C6F6779204C54442E31153013060355040B0C0C42535243206F6620544153533119301706035504030C1073657276657220656E632028534D32293059301306072A8648CE3D020106082A811CCF5501822D03420004B999853302F02CC522CC4CCA287019E86B901FC24E3CCF9A61B93BB177B28C2CE8E23C5C522DF73C23F7AC36FF688CB2E685A3FA4770103F7C99EFC32D06C11FA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750348003045022100EC4368F400870BED441817AF4D359BDC61A9EDFDDEE54AB0C185084B450C46B902206E0C3A08BC584590046DC85603CD4E8A51F97D9669B1ACA3E2A3627BE61D49A2
    18. SSL_connect:SSLv3/TLS read server key exchange
    19. SSL_connect:SSLv3/TLS read server certificate request
    20. SSL_connect:SSLv3/TLS read server done
    21. SSL_connect:SSLv3/TLS write client certificate
    22. SSL_connect:SSLv3/TLS write client key exchange
    23. ssl_get_algorithm2=3c3f900008x
    24. SSL_connect:SSLv3/TLS write certificate verify
    25. SSL_connect:SSLv3/TLS write change cipher spec
    26. SSL_connect:SSLv3/TLS write finished
    27. SSL3 alert read:fatal:decrypt error
    28. SSL_connect:error in SSLv3/TLS write finished
    29. 140016949239808:error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error:ssl/record/rec_layer_s3.c:1385:SSL alert number 51
    30. ---
    31. Certificate chain
    32.  0 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    33.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    34.  1 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server enc (SM2)
    35.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    36.  2 s:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    37.    i:/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    38. ---
    39. Server certificate
    40. -----BEGIN CERTIFICATE-----
    41. MIICGjCCAcGgAwIBAgIJAIVjx+dwZIdkMAoGCCqBHM9VAYN1MIGCMQswCQYDVQQG
    42. EwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcMB0hhaURpYW4xJTAjBgNVBAoMHEJl
    43. aWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4xFTATBgNVBAsMDFNPUkIgb2YgVEFT
    44. UzEWMBQGA1UEAwwNVGVzdCBDQSAoU00yKTAeFw0yMDA2MjAxMDE4MjVaFw0yNDA3
    45. MjkxMDE4MjVaMIGGMQswCQYDVQQGEwJDTjELMAkGA1UECAwCQkoxEDAOBgNVBAcM
    46. B0hhaURpYW4xJTAjBgNVBAoMHEJlaWppbmcgSk5UQSBUZWNobm9sb2d5IExURC4x
    47. FTATBgNVBAsMDEJTUkMgb2YgVEFTUzEaMBgGA1UEAwwRc2VydmVyIHNpZ24gKFNN
    48. MikwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAS0lHzt7CkOzCtyf6VwCqoT2PYD
    49. CL/AJrCsHa+6lE8wDZ7DShI2bvfmrpavndEW67CHQOlO0q6/aoEB0PoAgpopoxow
    50. GDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIGwDAKBggqgRzPVQGDdQNHADBEAiB06JWp
    51. uxFbGBfvG9juhe2Umu/auI1H2XeMdvDjbOtfuQIgMXT8jewkzq9TR3OPzRTkZCRH
    52. 3H+xKEb8r8JsEEStwaU=
    53. -----END CERTIFICATE-----
    54. subject=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=BSRC of TASS/CN=server sign (SM2)
    55. issuer=/C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    56. ---
    57. Acceptable client certificate CA names
    58. /C=CN/ST=BJ/L=HaiDian/O=Beijing JNTA Technology LTD./OU=SORB of TASS/CN=Test CA (SM2)
    59. Client Certificate Types: RSA sign, DSA sign
    60. ---
    61. SSL handshake has read 2037 bytes and written 2116 bytes
    62. Verification: OK
    63. ---
    64. New, GMTLSv1.1, Cipher is SM2-WITH-SMS4-SM3
    65. Server public key is 256 bit
    66. Secure Renegotiation IS NOT supported
    67. Compression: NONE
    68. Expansion: NONE
    69. No ALPN negotiated
    70. SSL-Session:
    71.     Protocol  : GMTLSv1.1
    72.     Cipher    : SM2-WITH-SMS4-SM3
    73.     Session-ID: 12664AE82CE989580C27B14AFF7487B19FF1C159C94291A0B76AA5F80D28317F
    74.     Session-ID-ctx: 
    75.     Master-Key: AD4D5164B7F54B9FA1F74A7A569C6B6E75CFD96967AB7519658C33E9C6FB8851EBCF1B10E175E736E9C7127E5FA8D32D
    76.     PSK identity: None
    77.     PSK identity hint: None
    78.     SRP username: None
    79.     Start Time: 1661074697
    80.     Timeout   : 7200 (sec)
    81.     Verify return code: 0 (ok)
    82.     Extended master secret: no
    83. ---

    双证书双向认证-代码实现

     参考链接

     注意事项

    • 基于TASSL开源项目中的Tassl_demo/mk_tls_cert 下的 SM2certgen.sh 脚本,共生成 15 个 PEM 文件,即根证书、服务端和客户端的签名和加密证书
    • 上述参考链接里面的下面这句话是错误的,服务端都不验证客户端身份了,还叫双向认证嘛??
    • 修改后代码如下
    1.     // 是否要求校验对方证书 此处不验证客户端身份所以为: SSL_VERIFY_NONE
    2.     SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

     服务端代码

    1. #include 
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6. #include 
    7. #include 
    8. #include 
    9. #include 
    10. #include 
    11.  
    12. #define MAXBUF 1500
    13.  
    14. //#define CA_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CA.cert.pem"
    15. //#define SIGN_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/SS.cert.pem"
    16. //#define SIGN_KEY_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/SS.key.pem"
    17. //#define ENCODE_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/SE.cert.pem"
    18. //#define ENCODE_KEY_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/SE.key.pem"
    19.  
    20. #define CA_CERT_FILE "/home/chy-cpabe/tmp/second/rootcert.pem"
    21. #define SIGN_CERT_FILE "/home/chy-cpabe/tmp/second/sign.pem"
    22. #define SIGN_KEY_FILE "/home/chy-cpabe/tmp/second/sign.key"
    23. #define ENCODE_CERT_FILE "/home/chy-cpabe/tmp/second/encrypt.pem"
    24. #define ENCODE_KEY_FILE "/home/chy-cpabe/tmp/second/encrypt.key"
    25.  
    26. void ShowCerts(SSL * ssl)
    27. {
    28.     X509 *cert;
    29.     char *line;
    30.  
    31.     cert = SSL_get_peer_certificate(ssl);
    32.     // SSL_get_verify_result()是重点,SSL_CTX_set_verify()只是配置启不启用并没有执行认证,调用该函数才会真证进行证书认证
    33.     // 如果验证不通过,那么程序抛出异常中止连接
    34.     if(SSL_get_verify_result(ssl) == X509_V_OK){
    35.         printf("证书验证通过\n");
    36.     }
    37.     if (cert != nullptr) {
    38.         printf("数字证书信息:\n");
    39.         line = X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0);
    40.         printf("证书: %s\n", line);
    41.         free(line);
    42.         line = X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);
    43.         printf("颁发者: %s\n", line);
    44.         free(line);
    45.         X509_free(cert);
    46.     } else
    47.         printf("无证书信息!\n");
    48. }
    49.  
    50. int main(int argc, char **argv) {
    51.     int listen_fd = -1; /* TCP监听套接字 */
    52.     int accept_fd = -1; /* 已连接TCP套接字 */
    53.     struct sockaddr_in server_addr, client_addr;
    54.     bzero(&server_addr, sizeof(server_addr));
    55.  
    56.     SSL_CTX *ctx = nullptr; /* SSL会话环境 */
    57.  
    58.     SSL *ssl = nullptr; /* SSL安全套接字 */
    59.     socklen_t len;
    60.     char buf[MAXBUF]={0};  /* 服务器接收数据buffer */
    61.  
    62.  
    63.     if( 3!=argc )
    64.     {
    65.         printf("argcment wrong:ip port\n");
    66.     }
    67.  
    68.     SSL_library_init(); /* SSL 库初始化 */
    69.     SSLeay_add_ssl_algorithms();
    70.     OpenSSL_add_all_algorithms();  /* 载入所有 SSL 算法 */
    71.     SSL_load_error_strings(); /* 载入所有 SSL 错误消息 */
    72. //    ERR_load_BIO_strings();
    73.  
    74.  
    75.     //TCP服务器:创建、绑定、监听
    76.     if ((listen_fd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
    77.         perror("socket create wrong\n");
    78.         exit(1);
    79.     } else
    80.         printf("socket created\n");
    81.  
    82.     server_addr.sin_family = PF_INET;
    83.     server_addr.sin_port = htons(atoi(argv[2]));
    84.     server_addr.sin_addr.s_addr = inet_addr(argv[1]);;
    85.  
    86.     if (bind(listen_fd, (struct sockaddr *) &server_addr, sizeof(struct sockaddr))
    87.         == -1) {
    88.         perror("bind wrong\n");
    89.         exit(1);
    90.     } else
    91.         printf("binded success\n");
    92.     int lisnum = 2;
    93.  
    94.     do{
    95.         //使用SSL_CTX_new()创建会话环境,建立连接时要使用协议由TLS_server_method()来定。如果这一步出错,需要查看错误栈来查看原因
    96.         if(nullptr == (ctx = SSL_CTX_new( GMTLS_server_method())))		//using sm3, TLSv1_2_method
    97.         {
    98.             ERR_print_errors_fp(stderr);
    99.             break;
    100.         }
    101. //        SSL_CTX_set_security_level(ctx,0);
    102.  
    103.  
    104.         // 双向验证
    105.         // SSL_VERIFY_PEER---要求对证书进行认证,没有证书也会放行
    106.         // SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书,但验证发现单独使用没有证书也会放行
    107.         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
    108.  
    109.         // 设置信任根证书
    110.         if(SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, nullptr) != 1)
    111.         {
    112.             printf("SSL_CTX_load_verify_locations error\n");
    113.             ERR_print_errors_fp(stderr);
    114.             break;
    115.         }
    116.  
    117.         // 签名证书和对应私钥
    118.         if( 0>=SSL_CTX_use_certificate_file(ctx, SIGN_CERT_FILE, SSL_FILETYPE_PEM/*SSL_FILETYPE_ASN1*/) ) /* 为SSL会话加载用户证书 */
    119.         {
    120.             printf("SSL_CTX_use_certificate_file error!\n");
    121.             ERR_print_errors_fp(stderr);
    122.             break;
    123.         }
    124.         if( 0>=SSL_CTX_use_PrivateKey_file(ctx, SIGN_KEY_FILE, SSL_FILETYPE_PEM/*SSL_FILETYPE_ASN1*/) ) /* 为SSL会话加载用户私钥 */
    125.         {
    126.             printf("SSL_CTX_use_PrivateKey_file error!\n");
    127.             ERR_print_errors_fp(stderr);
    128.             break;
    129.         }
    130.         // 加密证书和对应私钥
    131.         if(SSL_CTX_use_certificate_file(ctx, ENCODE_CERT_FILE, SSL_FILETYPE_PEM) <= 0)
    132.         {
    133.             printf("SSL_CTX_use_certificate_file error!\n");
    134.             ERR_print_errors_fp(stderr);
    135.             return -1;
    136.         }
    137.         if(SSL_CTX_use_PrivateKey_file(ctx, ENCODE_KEY_FILE, SSL_FILETYPE_PEM) <= 0)
    138.         {
    139.             printf("SSL_CTX_use_PrivateKey_file error!\n");
    140.             ERR_print_errors_fp(stderr);
    141.             return -1;
    142.         }
    143.  
    144.         /* 检查用户私钥是否正确 */
    145.         if(!SSL_CTX_check_private_key(ctx))                                 										 /* 验证私钥和证书是否相符 */
    146.         {
    147.             printf("SSL_CTX_check_private_key error!\n");
    148.             ERR_print_errors_fp(stderr);
    149.             break;
    150.         }
    151.  
    152.         if (listen(listen_fd, lisnum) == -1) {
    153.             perror("listen wrong\n");
    154.             exit(1);
    155.         } else
    156.             printf("begin listen\n");
    157.  
    158.         len = sizeof(struct sockaddr);
    159.         /* 等待客户端连上来 */
    160.         if ((accept_fd = accept(listen_fd, (struct sockaddr *) &client_addr, &len))
    161.             == -1) {
    162.             perror("accept wrong\n");
    163.             exit(errno);
    164.         } else{
    165.             printf("server: got connection from %s, port %d, socket %d\n",
    166.                    inet_ntoa(client_addr.sin_addr), ntohs(client_addr.sin_port),
    167.                    accept_fd);
    168.         }
    169.  
    170.         ssl = SSL_new(ctx); /* 基于 ctx 产生一个新的 SSL */
    171.         SSL_set_fd(ssl, accept_fd); /* 将连接用户的 socket 加入到 SSL */
    172.         /* 建立 SSL 连接 */
    173.         if (SSL_accept(ssl) == -1) {
    174.             perror("accept wrong\n");
    175.             SSL_shutdown(ssl);
    176.             SSL_free(ssl);
    177.             ssl= nullptr;
    178.             close(accept_fd);
    179.             accept_fd=-1;
    180.             break;
    181.         }
    182.         ShowCerts(ssl);
    183.  
    184.         /* 开始处理每个新连接上的数据收发 */
    185.         bzero(buf, MAXBUF + 1);
    186.         strcpy(buf, "server->client");
    187.         /* 发消息给客户端 */
    188.         len = SSL_write(ssl, buf, strlen(buf));
    189.  
    190.         if (len <= 0) {
    191.             printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buf, errno,
    192.                    strerror(errno));
    193.             goto finish;
    194.         } else
    195.             printf("消息'%s'发送成功,共发送了%d个字节!\n", buf, len);
    196.  
    197.         bzero(buf, MAXBUF + 1);
    198.         /* 接收客户端的消息 */
    199.         len = SSL_read(ssl, buf, MAXBUF);
    200.         if (len > 0)
    201.             printf("接收消息成功:'%s',共%d个字节的数据\n", buf, len);
    202.         else
    203.             printf("消息接收失败!错误代码是%d,错误信息是'%s'\n",
    204.                    errno, strerror(errno));
    205.         /* 处理每个新连接上的数据收发结束 */
    206.         finish:
    207.         /* 关闭 SSL 连接 */
    208.         SSL_shutdown(ssl);
    209.         /* 释放 SSL */
    210.         SSL_free(ssl);
    211.         ssl = nullptr;
    212.         /* 关闭 socket */
    213.         close(accept_fd);
    214.         accept_fd = -1;
    215.     }while(1);
    216.  
    217.     /* 关闭监听的 socket */
    218.     close(listen_fd);
    219.     listen_fd = -1;
    220.     /* 释放 CTX */
    221.     SSL_CTX_free(ctx);
    222.     ctx = nullptr;
    223.     return 0;
    224. }
    225.

    客户端代码

    1. #include 
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6. #include 
    7. #include 
    8. #include 
    9. #include 
    10. #include 
    11.  
    12. #define MAXBUF 1024
    13. //#define CA_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CA.cert.pem"
    14. //#define CS_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CS.cert.pem"
    15. //#define CS_KEY_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CS.key.pem"
    16. //#define CE_CERT_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CE.cert.pem"
    17. //#define CE_KEY_FILE "/home/chy-cpabe/GMSSL_certificate/sm2Certs/CE.key.pem"
    18.  
    19. #define CA_CERT_FILE "/home/chy-cpabe/tmp/first/rootcert.pem"
    20. #define CS_CERT_FILE "/home/chy-cpabe/tmp/first/sign.pem"
    21. #define CS_KEY_FILE "/home/chy-cpabe/tmp/first/sign.key"
    22. #define CE_CERT_FILE "/home/chy-cpabe/tmp/first/encrypt.pem"
    23. #define CE_KEY_FILE "/home/chy-cpabe/tmp/first/encrypt.key"
    24. void ShowCerts(SSL * ssl)
    25. {
    26.     X509 *cert;
    27.     char *line;
    28.  
    29.     cert = SSL_get_peer_certificate(ssl);
    30.     // SSL_get_verify_result()是重点,SSL_CTX_set_verify()只是配置启不启用并没有执行认证,调用该函数才会真证进行证书认证
    31.     // 如果验证不通过,那么程序抛出异常中止连接
    32.     if(SSL_get_verify_result(ssl) == X509_V_OK){
    33.         printf("证书验证通过\n");
    34.     }
    35.     if (cert != nullptr) {
    36.         printf("数字证书信息:\n");
    37.         line = X509_NAME_oneline(X509_get_subject_name(cert), nullptr, 0);
    38.         printf("证书: %s\n", line);
    39.         free(line);
    40.         line = X509_NAME_oneline(X509_get_issuer_name(cert), nullptr, 0);
    41.         printf("颁发者: %s\n", line);
    42.         free(line);
    43.         X509_free(cert);
    44.     } else
    45.         printf("无证书信息!\n");
    46. }
    47.  
    48. static void PrintData(char *p, char *buf,int len,char *filename)
    49. {
    50.     char *name=p;
    51.     printf("%s[%d]:\n",p,len);
    52.     for (p=buf; p && p++-buf
    53.         printf("%02x%c",(unsigned char)p[-1],(!((p-buf)%16) || p-buf==len)?'\n':' ');
    54. //	if (filename) FileWrite(name,buf,len,filename);
    55. }
    56.  
    57. int main(int argc, char **argv)
    58. {
    59.     int sock_fd = -1;            /* TCP套接字    */
    60.     int len = 0;                 /* SSL会话环境 */
    61.     SSL *ssl = nullptr;          /* SSL安全套接字 */
    62.     struct sockaddr_in ser_addr; /* 服务器地址 */
    63.     bzero(&ser_addr, sizeof(ser_addr));
    64.     SSL_CTX *ctx = nullptr;
    65.     char buffer[MAXBUF + 1];
    66.  
    67.     if( argc != 3 )
    68.     {
    69.         printf("argcment wrong:ip port content\n");
    70.         exit(0);
    71.     }
    72.  
    73.     /* SSL 库初始化,参看 ssl-server.c 代码 */
    74.     SSL_library_init();
    75.     SSLeay_add_ssl_algorithms();
    76.     OpenSSL_add_all_algorithms();
    77.     SSL_load_error_strings();
    78. //    ERR_load_BIO_strings();
    79.  
    80.     do{
    81.         /* 申请SSL会话环境 */
    82.         if( nullptr==(ctx=SSL_CTX_new(GMTLS_client_method())) )    //使用SSL_CTX_new()创建会话环境,建立连接时要使用协议由TLS_client_method()来定,服务器由对应的TLS_server_method()来定。如果这一步出错,需要查看错误栈来查看原因
    83.         {
    84.             printf("SSL_CTX_new error!\n");
    85.             ERR_print_errors_fp(stderr);
    86.             break;
    87.         }
    88.         // 双向验证
    89.         // SSL_VERIFY_PEER---要求对证书进行认证,没有证书也会放行
    90.         // SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书,但验证发现单独使用没有证书也会放行
    91.         SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
    92. //        if(SSL_CTX_set_cipher_list(ctx, "ECC-SM2-WITH-SM4-SM3") <= 0){
    93. //            printf("SSL_CTX_set_cipher_list error!\n");
    94. //            ERR_print_errors_fp(stderr);
    95. //            exit(1);
    96. //        }
    97.         // 设置信任根证书
    98.         if(SSL_CTX_load_verify_locations(ctx, CA_CERT_FILE, nullptr) != 1)
    99.         {
    100.             printf("SSL_CTX_load_verify_locations error!\n");
    101.             ERR_print_errors_fp(stderr);
    102.             exit(1);
    103.         }
    104.  
    105.         // 签名证书和对应私钥
    106.         if (SSL_CTX_use_certificate_file(ctx, CS_CERT_FILE, SSL_FILETYPE_PEM) <= 0)
    107.         {
    108.             printf("SSL_CTX_use_certificate_file error!\n");
    109.             ERR_print_errors_fp(stderr);
    110.             exit(1);
    111.         }
    112.         if (SSL_CTX_use_PrivateKey_file(ctx, CS_KEY_FILE, SSL_FILETYPE_PEM) <= 0)
    113.         {
    114.             printf("SSL_CTX_use_PrivateKey_file error!\n");
    115.             ERR_print_errors_fp(stderr);
    116.             exit(1);
    117.         }
    118.         // 加密证书和对应私钥
    119.         if(SSL_CTX_use_certificate_file(ctx, CE_CERT_FILE, SSL_FILETYPE_PEM) <= 0)
    120.         {
    121.             printf("SSL_CTX_use_certificate_file error!\n");
    122.             ERR_print_errors_fp(stderr);
    123.             return -1;
    124.         }
    125.  
    126.         if(SSL_CTX_use_PrivateKey_file(ctx, CE_KEY_FILE, SSL_FILETYPE_PEM) <= 0)
    127.         {
    128.             printf("SSL_CTX_use_PrivateKey_file error!\n");
    129.             ERR_print_errors_fp(stderr);
    130.             return -1;
    131.         }
    132.         //判定私钥是否正确
    133.         if (!SSL_CTX_check_private_key(ctx)) {
    134.             printf("SSL_CTX_check_private_key error!\n");
    135.             ERR_print_errors_fp(stderr);
    136.             exit(1);
    137.         }
    138. //        SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
    139.         /* 创建一个 socket 用于 tcp 通信 */
    140.         if(-1==(sock_fd=socket(AF_INET, SOCK_STREAM, 0)) )
    141.         {
    142.             printf("creat socket wrong\n");
    143.             break;
    144.         }
    145.         printf("socket created\n");
    146.         /* 初始化服务器端(对方)的地址和端口信息 */
    147.         ser_addr.sin_family = AF_INET;
    148.         ser_addr.sin_port = htons(atoi(argv[2]));
    149.         ser_addr.sin_addr.s_addr = inet_addr(argv[1]);
    150.  
    151.         printf("address created\n");
    152.         //建立连接
    153.         if( -1==(connect(sock_fd, (struct sockaddr *)&ser_addr, sizeof(ser_addr))) )
    154.         {
    155.             printf("connect wrong\n");
    156.             break;
    157.         }
    158.         printf("server connected\n");
    159.  
    160.         /* 基于 ctx 产生一个新的 SSL */
    161.         ssl = SSL_new(ctx);
    162.         SSL_set_fd(ssl, sock_fd);
    163.         /* 建立 SSL 连接 */
    164.         if (SSL_connect(ssl) == -1)
    165.             ERR_print_errors_fp(stderr);
    166.         else {
    167.             printf("The relevant information is as follows:\n");
    168.             printf("-->ssl version %s\n",SSL_get_version(ssl));
    169.             printf("-->ssleay version %s\n",SSLeay_version(0));
    170.             printf("-->Connected with %s encryption\n", SSL_get_cipher(ssl));
    171.             ShowCerts(ssl);
    172.         }
    173.  
    174.         //导出key和salt
    175.         unsigned char buf[16];
    176.         int err = -1;
    177.         err = SSL_export_keying_material(ssl, buf, 16, nullptr,0, nullptr, 0, 1);
    178.         if(err != 1){
    179.             printf("SSL_export_keying_material error,err=%d\n",err);
    180.         }else{
    181.             PrintData("SSL_export_keying_material", (char*)buf, 16, nullptr);
    182.         }
    183.  
    184.  
    185.         /* 接收对方发过来的消息,最多接收 MAXBUF 个字节 */
    186.         bzero(buffer, MAXBUF + 1);
    187.         /* 接收服务器来的消息 */
    188.         len = SSL_read(ssl, buffer, MAXBUF);
    189.         if (len > 0)
    190.             printf("接收消息成功:'%s',共%d个字节的数据\n",
    191.                    buffer, len);
    192.         else {
    193.             printf
    194.                     ("消息接收失败!错误代码是%d,错误信息是'%s'\n",
    195.                      errno, strerror(errno));
    196.             goto finish;
    197.         }
    198.         bzero(buffer, MAXBUF + 1);
    199.         strcpy(buffer, "from client->server");
    200.         /* 发消息给服务器 */
    201.         len = SSL_write(ssl, buffer, strlen(buffer));
    202.         if (len < 0)
    203.             printf
    204.                     ("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n",
    205.                      buffer, errno, strerror(errno));
    206.         else
    207.             printf("消息'%s'发送成功,共发送了%d个字节!\n",
    208.                    buffer, len);
    209.  
    210.         /* 处理每个新连接上的数据收发结束 */
    211.         finish:
    212.         /* 关闭 SSL 连接 */
    213.         SSL_shutdown(ssl);
    214.         /* 释放 SSL */
    215.         SSL_free(ssl);
    216.         ssl = nullptr;
    217.     }while(0);
    218.  
    219.     /* 关闭socket */
    220.     close(sock_fd);
    221.     sock_fd = -1;
    222.     /* 释放 CTX */
    223.     SSL_CTX_free(ctx);
    224.     ctx = nullptr;
    225.     return 0;
    226. }

    注意事项

  • 相关阅读:
    【方案分享】抖音运营攻略:平台规则、爆款涨粉、运营技巧、内容变现.pdf(附下载链接)...
    SQL Server查询优化
    Java基础(第一期):IDEA的下载和安装(步骤图) && 项目结构的介绍 && 项目、模块、类的创建。第一个代码的实现
    干货|数据资产评估的基本方法和选择方法
    我把微信群聊机器人项目开源
    交换机的工作原理以及搭建局域网划分VLAN
    敏捷开发的实施要素和实现敏捷的实际改进
    AJAX【AJAX实现省市联动 、AJAX跨域问题、AJAX实现搜索联想 自动补全、 附录:HTTP状态信息】
    Windows端通过Vscode或PowerShell连接linux服务器,打开图形界面的程序
    微信公众号运营的那些实用技巧,你了解多少?
  • 原文地址:https://blog.csdn.net/CHYabc123456hh/article/details/126352458