Overview
GmSSL is an open-source cryptographic toolbox that supports SM2/SM3/SM4/SM9/ZUC and other national commercial cryptography algorithms, SM2 digital certificates, and the SSL/TLS secure communication protocols based on SM2 certificates. It supports national-cryptography hardware devices, provides programming interfaces and command-line tools that comply with the national cryptography specifications, and can be used to build PKI/CA, secure communication, data encryption and other security applications that meet national cryptography standards.
The GmSSL project is a fork of the OpenSSL project and maintains interface compatibility with OpenSSL. GmSSL can therefore replace the OpenSSL component in an application and give that application national-cryptography security capabilities automatically. The GmSSL project is open source under a BSD-like license and can be used in closed-source commercial applications.
The GmSSL project is developed and maintained by the cryptography research group of associate researcher Guan Zhi of Peking University, and the source code of the project is hosted on GitHub. Since its release in 2014, GmSSL has been deployed in a number of projects and products. It won the second prize (the highest award of the year) in the 2015 "Yiming Cup" China Linux Software Competition and is a recommended cryptography project on Open Source China. The core goal of the GmSSL project is to promote the construction of domestic cyberspace security through open-source cryptography technology.
Key features:
- Ultra-lightweight: GmSSL 3 greatly reduces memory requirements and binary code size and does not rely on dynamic memory, so it can be used in low-power embedded environments (MCU, SoC, etc.) without an operating system. Developers can also embed the national cryptography algorithms and the SSL protocol into existing projects more easily.
- More compliant: GmSSL 3 can be configured to include only the SM2 algorithm and the TLCP protocol, making it easier for cryptographic applications that rely on GmSSL to pass cryptographic product testing and to avoid the security and compliance problems caused by mixing in non-SM2 and insecure algorithms.
- More secure: TLS 1.3 is a major improvement over earlier TLS versions in both security and communication latency. GmSSL 3 supports TLS 1.3 and the SM cipher suites of RFC 8998. GmSSL 3 also supports key encryption protection by default, which improves the resistance of the cryptographic algorithms to side-channel attacks.
- Cross-platform: GmSSL 3 is easier to port across platforms. The build system no longer relies on Perl, the default CMake build system works with common toolchains such as Visual Studio and the Android NDK, and developers can also write Makefiles by hand to compile and trim the library for special environments.
- Language bindings for Java, Go, PHP and other languages, plus REST service interfaces.
National cryptography algorithms
"National cryptography algorithm" is short for "national commercial cryptography algorithm". Since 2012, the State Cryptography Administration has successively published SM2/SM3/SM4 and other cryptographic algorithm standards and their application specifications as Cryptography Industry Standards of the People's Republic of China. "SM" stands for "commercial cryptography", that is, cryptographic technology for commercial use that does not involve state secrets.
SM2 is a public-key cryptography standard based on elliptic curve cryptography. It covers digital signature, key exchange and public-key encryption, and is used to replace international algorithms such as RSA/Diffie-Hellman/ECDSA/ECDH. SM3 is a cryptographic hash algorithm, used to replace MD5/SHA-1/SHA-256 and other international algorithms. SM4 is a block cipher, used to replace international algorithms such as DES/AES. SM9 is an identity-based cryptographic algorithm, which can replace the PKI/CA system based on digital certificates. Deploying the national cryptography algorithms can reduce the security risks caused by weak cryptography and incorrect implementations, as well as the overhead of deploying PKI/CA.
Compilation and installation
Download
wget https://github.com/guanzhi/GmSSL/archive/refs/tags/v3.1.1.zip
unzip v3.1.1.zip
Configure the build
cd GmSSL-3.1.1/
mkdir build
cd build/
sudo cmake ..
Output of cmake:
-- The C compiler identification is GNU 7.5.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Looking for getentropy
-- Looking for getentropy - found
-- have getentropy
-- Configuring done
-- Generating done
-- Build files have been written to: /home/www/build/GmSSL-3.1.1/build
Compile
make
Install
sudo make install
Error when executing gmssl
sudo /usr/local/bin/gmssl
/usr/local/bin/gmssl: error while loading shared libraries: libgmssl.so.3: cannot open shared object file: No such file or directory
In this case, you need to edit the /etc/ld.so.conf file and add a line:
/usr/local/lib
Then execute the command:
ldconfig
Enter gmssl version on the command line
sudo /usr/local/bin/gmssl version
GmSSL 3.1.1
When you see GmSSL 3.1.1, it means that gmssl is successfully installed.
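Grant the current user (www) execute permission
sudo chown www:www /usr/local/bin/
Note that this command changes the owner of the whole /usr/local/bin directory to the www account, not just the gmssl binary, so that account can afterwards add or replace any program in that directory.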
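A post-install check for the steps above, as an added example that is not part of the original page: it registers the library directory idempotently and then runs an SM3 known-answer test, which also catches the libgmssl.so.3 loader error. The function names ensure_ld_path and sm3_kat are hypothetical; the expected digest is the widely published SM3 test vector for the ASCII string abc.

```bash
# Added example (not from the original page): post-install checks for GmSSL.
# Function names are hypothetical helpers, not part of GmSSL.

# ensure_ld_path DIR CONF: append DIR to the loader config file CONF only
# if it is not already listed, so repeating the install adds no duplicates.
ensure_ld_path() {
    dir=$1
    conf=$2
    if [ -f "$conf" ] && grep -qxF -- "$dir" "$conf"; then
        return 0
    fi
    printf '%s\n' "$dir" >> "$conf"
}

# Published SM3 test vector: the digest of the three ASCII bytes "abc".
SM3_ABC=66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0

# sm3_kat: succeed only if the gmssl on PATH starts (its shared library
# loads) and hashes "abc" to the expected value.
sm3_kat() {
    got=$(printf 'abc' | gmssl sm3 2>/dev/null) || return 1
    [ "$got" = "$SM3_ABC" ]
}

# Typical use as root after "make install" (paths as used on this page):
#   ensure_ld_path /usr/local/lib /etc/ld.so.conf && ldconfig
if command -v gmssl >/dev/null 2>&1; then
    if sm3_kat; then
        echo "gmssl SM3 known-answer test passed"
    else
        echo "gmssl SM3 known-answer test FAILED"
    fi
fi
```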
Basic commands
Running gmssl --help lists the available commands (--help itself is reported as an illegal option, but the usage text is still printed):
gmssl --help
gmssl: illegal option '--help'
usage: gmssl command [options]
command -help
Commands:
help Print this help message
version Print version
rand Generate random bytes
sm2keygen Generate SM2 keypair
sm2sign Generate SM2 signature
sm2verify Verify SM2 signature
sm2encrypt Encrypt with SM2 public key
sm2decrypt Decrypt with SM2 private key
sm3 Generate SM3 hash
sm3hmac Generate SM3 HMAC tag
sm4 Encrypt or decrypt with SM4
zuc Encrypt or decrypt with ZUC
sm9setup Generate SM9 master secret
sm9keygen Generate SM9 private key
sm9sign Generate SM9 signature
sm9verify Verify SM9 signature
sm9encrypt SM9 public key encryption
sm9decrypt SM9 decryption
pbkdf2 Generate key from password
reqgen Generate certificate signing request (CSR)
reqsign Generate certificate from CSR
reqparse Parse and print a CSR
crlget Download the CRL of given certificate
crlgen Sign a CRL with CA certificate and private key
crlverify Verify a CRL with issuer's certificate
crlparse Parse and print CRL
certgen Generate a self-signed certificate
certparse Parse and print certificates
certverify Verify certificate chain
certrevoke Revoke certificate and output RevokedCertificate record
cmsparse Parse CMS (cryptographic message syntax) file
cmsencrypt Generate CMS EnvelopedData
cmsdecrypt Decrypt CMS EnvelopedData
cmssign Generate CMS SignedData
cmsverify Verify CMS SignedData
sdfutil SDF crypto device utility
skfutil SKF crypto device utility
tlcp_client TLCP client
tlcp_server TLCP server
tls12_client TLS 1.2 client
tls12_server TLS 1.2 server
tls13_client TLS 1.3 client
tls13_server TLS 1.3 server
SM4 encryption and decryption
$ KEY=11223344556677881122334455667788
$ IV=11223344556677881122334455667788
Encrypt
echo Hello Tony | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
Encrypted content (binary, so it displays as unreadable characters):
more sm4.cbc
$×ʩ#
Decrypt
gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
Hello Tony
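The KEY and IV above are a fixed sample value used for both. The following added example (not part of the original page) generates a fresh random 128-bit key and IV for each message and confirms the SM4-CBC round trip with the same gmssl sm4 options; the function names rand_hex, is_hex128 and sm4_roundtrip are hypothetical.

```bash
# Added example: SM4-CBC with a fresh random key and IV for every message.
# Note: a key passed with -key can be visible in the local process list.

# rand_hex N: N bytes from the kernel CSPRNG, printed as lowercase hex.
rand_hex() {
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# is_hex128 S: true only if S is exactly 32 hex digits (128 bits).
is_hex128() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# sm4_roundtrip MSG: encrypt the non-empty MSG under a new key/IV, decrypt
# it again and succeed only if the original plaintext comes back.
sm4_roundtrip() {
    key=$(rand_hex 16)
    iv=$(rand_hex 16)
    is_hex128 "$key" && is_hex128 "$iv" || return 2
    tmp=$(mktemp) || return 2
    if printf '%s' "$1" |
        gmssl sm4 -cbc -encrypt -key "$key" -iv "$iv" -out "$tmp"; then
        out=$(gmssl sm4 -cbc -decrypt -key "$key" -iv "$iv" -in "$tmp") || out=
    else
        out=
    fi
    rm -f "$tmp"
    [ -n "$out" ] && [ "$out" = "$1" ]
}

# Run the check only where gmssl is installed.
if command -v gmssl >/dev/null 2>&1; then
    if sm4_roundtrip "Hello Tony"; then
        echo "SM4-CBC round trip OK"
    else
        echo "SM4-CBC round trip FAILED"
    fi
fi
```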
SM3 digest:
echo -n "开源技术" | gmssl sm3
3b944faa488763d08967e7999aa565f8035277f9b017adc8fe209e81de698465
Generate public and private keys
gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
Private key (PEM, encrypted with the -pass password)
cat sm2.pem
Public key
cat sm2pub.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE7DOZdFLay3eY7/H8J1CECQ5s2Z8o
4flOpF1HdPjUh4mPGigJzuOp/PzrrEMTuu9cISHqMmHn6XQDP6B6cy56Rg==
-----END PUBLIC KEY-----
SM3 digest with an SM2 public key and signer ID (the hash that SM2 signing uses)
echo -n "Tony 开源技术" | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
7b2f0eb9ce8bf75a799bccff590f38178fbe8d14ff56a2ab001ce382b05cfcf0
SM2 signature and verification
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
$ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
SM2 encryption and decryption
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
Generate the SM2 root CA key and certificate (rootcakey.pem, rootcacert.pem) and the subordinate CA key and certificate (cakey.pem, cacert.pem)
$ gmssl sm2keygen -pass 1234 -out rootcakey.pem
$ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
$ gmssl certparse -in rootcacert.pem
$ gmssl sm2keygen -pass 1234 -out cakey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
$ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
Use the CA certificate to issue a signing certificate and an encryption certificate
$ gmssl sm2keygen -pass 1234 -out signkey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
$ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
$ gmssl sm2keygen -pass 1234 -out enckey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
$ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
Merge the signing certificate and the CA certificate into the server certificate chain certs.pem and verify it
$ cat signcert.pem > certs.pem
$ cat cacert.pem >> certs.pem
$ gmssl certverify -in certs.pem -cacert rootcacert.pem
View the contents of the certificate
$ gmssl certparse -in cacert.pem
Official Documentation: http://gmssl.org/docs/quickstart.html