2024-03-21
原文作者:小小工匠 原文地址: https://artisan.blog.csdn.net/article/details/135992973

202403212040428991.png

Pre

Java - 一文读懂SM1、SM2、SM3、SM4等国密算法

Java - OpenSSL与国密OpenSSL

Java - 数字签名与数字证书


下载源代码(zip)

下载源代码(zip): https://github.com/guanzhi/GmSSL/archive/master.zip

解压缩至当前工作目录

    $ unzip GmSSL-master.zip

编译与安装

Linux平台

    $ mkdir build
    $ cd build
    $ cmake ..
    $ make
    $ make test
    $ sudo make install

安装之后可以执行gmssl命令行工具检查是否成功

    $ gmssl version
    GmSSL 3.1.0 Dev

SM4加密解密

    $ KEY=11223344556677881122334455667788
    $ IV=11223344556677881122334455667788
    
    $ echo hello | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
    $ gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
    
    $ echo hello | gmssl sm4 -ctr -encrypt -key $KEY -iv $IV -out sm4.ctr
    $ gmssl sm4 -ctr -decrypt -key $KEY -iv $IV -in sm4.ctr

SM3摘要

    $ echo -n abc | gmssl sm3
    $ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
    $ echo -n abc | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
    $ echo -n abc | gmssl sm3hmac -key 11223344556677881122334455667788

SM2签名及验签

    $ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
    
    $ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
    $ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
    
    $ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
    $ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der

SM2加密及解密

    $ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
    
    $ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
    $ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der

生成SM2根证书rootcakey.pem及CA证书cakey.pem

    $ gmssl sm2keygen -pass 1234 -out rootcakey.pem
    $ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
    $ gmssl certparse -in rootcacert.pem
    
    $ gmssl sm2keygen -pass 1234 -out cakey.pem
    $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
    $ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem

使用CA证书签发签名证书和加密证书

    $ gmssl sm2keygen -pass 1234 -out signkey.pem
    $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
    $ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
    
    $ gmssl sm2keygen -pass 1234 -out enckey.pem
    $ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
    $ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem

将签名证书和ca证书合并为服务端证书certs.pem,并验证

    $ cat signcert.pem > certs.pem
    $ cat cacert.pem >> certs.pem
    $ gmssl certverify -in certs.pem -cacert rootcacert.pem

查看证书内容:

    $ gmssl certparse -in cacert.pem

http://gmssl.org/docs/quickstart.html

202403212040432922.png

阅读全文