
GmSSL: an open-source Chinese commercial cryptography library supporting SM2/SM3/SM4/SM9/SSL

Author: Not bald programmer

Overview

GmSSL is an open-source cryptographic toolkit. It supports the Chinese national commercial cryptography ("national cryptography") algorithms SM2, SM3, SM4, SM9, ZUC and others, SM2 national cryptography digital certificates, and the SSL/TLS secure communication protocol based on SM2 certificates. It also supports national cryptography hardware devices and provides programming interfaces and command-line tools that comply with the national cryptography specifications. It can be used to build PKI/CA, secure communication, data encryption and other security applications that meet national cryptography standards.

The GmSSL project is a fork of the OpenSSL project and maintains interface compatibility with OpenSSL. GmSSL can therefore replace the OpenSSL component in an application and give the application security capabilities based on national cryptography automatically. The GmSSL project is open source and can be used in closed-source commercial applications under a BSD-like open source license.

The GmSSL project is developed and maintained by the cryptography research group of associate researcher Guan Zhi at Peking University, and the project's source code is hosted on GitHub. Since its release in 2014, GmSSL has been deployed in a number of projects and products. It won the second prize (the highest award of the year) in the 2015 "Yiming Cup" China Linux Software Competition and was listed as a recommended cryptography project by Open Source China. The core goal of the GmSSL project is to promote domestic cyberspace security through open-source cryptography technology.

Key features:

  • Ultra-lightweight: GmSSL 3 greatly reduces memory requirements and binary code size and does not rely on dynamic memory, so it can be used in low-power embedded environments (MCU, SoC, etc.) without an operating system. Developers can also embed the national cryptography algorithms and the SSL protocol into existing projects more easily.
  • More compliant: GmSSL 3 can be configured to include only the SM2 algorithm and the TLCP protocol. This makes it easier for cryptographic applications that rely on GmSSL to pass cryptographic product model testing, and avoids the security and compliance problems caused by mixing in non-SM2 algorithms and insecure algorithms.
  • More secure: TLS 1.3 is a huge improvement over earlier TLS versions in security and communication latency, and GmSSL 3 supports the TLS 1.3 protocol and the national cryptography cipher suites of RFC 8998. GmSSL 3 supports encrypted key protection by default, which improves the cryptographic algorithms' resistance to side-channel attacks.
  • Cross-platform: GmSSL 3 is easier to port across platforms. The build system no longer relies on Perl, the default CMake build system works with common toolchains such as Visual Studio and the Android NDK, and developers can also write Makefiles by hand to compile and trim the library for special environments.
  • Supports bindings for Java, Go, PHP and other languages, as well as REST service interfaces.

National Cryptography Algorithm

"National cryptography algorithm" is short for national commercial cryptography algorithm. Since 2012, the State Cryptography Administration has successively published SM2, SM3, SM4 and other cryptographic algorithm standards and their application specifications as Cryptography Industry Standards of the People's Republic of China. "SM" stands for "commercial cryptography", that is, cryptographic technology for commercial use that does not involve state secrets.

SM2 is a public key cryptography standard based on elliptic curve cryptography. It covers digital signature, key exchange and public key encryption, and is used to replace international algorithms such as RSA/Diffie-Hellman/ECDSA/ECDH. SM3 is a cryptographic hash algorithm used to replace MD5/SHA-1/SHA-256 and other international algorithms. SM4 is a block cipher used to replace international algorithms such as DES/AES. SM9 is an identity-based cryptographic algorithm that can replace the PKI/CA system based on digital certificates. Deploying the national cryptography algorithms can reduce the security risks caused by weak cryptographic algorithms and incorrect implementations, as well as the overhead of deploying PKI/CA.

Compilation and installation

Download

wget https://github.com/guanzhi/GmSSL/archive/refs/tags/v3.1.1.zip
unzip v3.1.1.zip            

Configure the build

cd GmSSL-3.1.1/
mkdir build
cd build/
cmake ..

cmake output

cmake ..
-- The C compiler identification is GNU 7.5.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Looking for getentropy
-- Looking for getentropy - found
-- have getentropy
-- Configuring done
-- Generating done
-- Build files have been written to: /home/www/build/GmSSL-3.1.1/build           

Compile

make           

Installation

sudo make install           

Error when executing gmssl

sudo /usr/local/bin/gmssl
/usr/local/bin/gmssl: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory           

In this case, you need to edit the /etc/ld.so.conf file and add a line:

/usr/local/lib           

Then run the following command as root:

sudo ldconfig

Run gmssl version on the command line:

sudo /usr/local/bin/gmssl version
GmSSL 3.1.1           

When you see GmSSL 3.1.1, it means that gmssl is successfully installed.

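Grant the current user execute permission

Set the mode on the gmssl binary itself. Changing the owner of the whole /usr/local/bin/ directory would let that account replace any program on the system PATH.

sudo chmod 755 /usr/local/bin/gmssl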

Basic commands

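Running gmssl --help prints the list of available commands. The --help option itself is not recognized; the supported form is the help command shown in the list: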

gmssl --help
gmssl: illegal option '--help'
usage: gmssl command [options]
command -help

Commands:
  help            Print this help message
  version         Print version
  rand            Generate random bytes
  sm2keygen       Generate SM2 keypair
  sm2sign         Generate SM2 signature
  sm2verify       Verify SM2 signature
  sm2encrypt      Encrypt with SM2 public key
  sm2decrypt      Decrypt with SM2 private key
  sm3             Generate SM3 hash
  sm3hmac         Generate SM3 HMAC tag
  sm4             Encrypt or decrypt with SM4
  zuc             Encrypt or decrypt with ZUC
  sm9setup        Generate SM9 master secret
  sm9keygen       Generate SM9 private key
  sm9sign         Generate SM9 signature
  sm9verify       Verify SM9 signature
  sm9encrypt      SM9 public key encryption
  sm9decrypt      SM9 decryption
  pbkdf2          Generate key from password
  reqgen          Generate certificate signing request (CSR)
  reqsign         Generate certificate from CSR
  reqparse        Parse and print a CSR
  crlget          Download the CRL of given certificate
  crlgen          Sign a CRL with CA certificate and private key
  crlverify       Verify a CRL with issuer's certificate
  crlparse        Parse and print CRL
  certgen         Generate a self-signed certificate
  certparse       Parse and print certificates
  certverify      Verify certificate chain
  certrevoke      Revoke certificate and output RevokedCertificate record
  cmsparse        Parse CMS (cryptographic message syntax) file
  cmsencrypt      Generate CMS EnvelopedData
  cmsdecrypt      Decrypt CMS EnvelopedData
  cmssign         Generate CMS SignedData
  cmsverify       Verify CMS SignedData
  sdfutil         SDF crypto device utility
  skfutil         SKF crypto device utility
  tlcp_client     TLCP client
  tlcp_server     TLCP server
  tls12_client    TLS 1.2 client
  tls12_server    TLS 1.2 server
  tls13_client    TLS 1.3 client
  tls13_server    TLS 1.3 server           

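SM4 encryption and decryption

The key and IV below are fixed demonstration values. CBC mode needs an unpredictable IV that is never reused with the same key, and a real key should come from a random source such as gmssl rand.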

$ KEY=11223344556677881122334455667788
$ IV=11223344556677881122334455667788           

Encrypt

echo Hello Tony | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc

# Encrypted content
more sm4.cbc 
$×ʩ#           

Decrypt

gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
Hello Tony           

SM3 digest:

echo -n "开源技术" | gmssl sm3
3b944faa488763d08967e7999aa565f8035277f9b017adc8fe209e81de698465           

Generate public and private keys

gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem           

Private key

cat sm2.pem 
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----           

Public key

cat sm2pub.pem 
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7DOZdFLay3eY7/H8J1CECQ5s2Z8o
4flOpF1HdPjUh4mPGigJzuOp/PzrrEMTuu9cISHqMmHn6XQDP6B6cy56Rg==
-----END PUBLIC KEY-----

SM3 digest bound to an SM2 public key and signer ID (the hash computed when signing with SM2)

echo -n "Tony 开源技术" | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
7b2f0eb9ce8bf75a799bccff590f38178fbe8d14ff56a2ab001ce382b05cfcf0           

SM2 signature and verification

$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem

$ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
$ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678

SM2 encryption and decryption

$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem

$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der           

Generate the SM2 root CA key and certificate (rootcakey.pem, rootcacert.pem) and the subordinate CA key and certificate (cakey.pem, cacert.pem)

$ gmssl sm2keygen -pass 1234 -out rootcakey.pem
$ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
$ gmssl certparse -in rootcacert.pem

$ gmssl sm2keygen -pass 1234 -out cakey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
$ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem           

Use the CA certificate to issue a signing certificate and an encryption certificate

$ gmssl sm2keygen -pass 1234 -out signkey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
$ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem

$ gmssl sm2keygen -pass 1234 -out enckey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
$ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem           

Merge the signing certificate and the CA certificate into the server certificate file certs.pem and verify it against the root CA certificate

$ cat signcert.pem > certs.pem
$ cat cacert.pem >> certs.pem
$ gmssl certverify -in certs.pem -cacert rootcacert.pem           

View the contents of the certificate

$ gmssl certparse -in cacert.pem           

Official Documentation: http://gmssl.org/docs/quickstart.html
