openssl3.1.1国密支持的验证笔记

已于 2023-08-01 14:31:43 修改
阅读量2.4k 收藏 6
点赞数 2
文章标签: 笔记 服务器 linux
于 2023-07-28 09:45:12 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/yjkhtddx/article/details/131959187
版权

openssl3.1.1国密支持的验证笔记

openssl的版本差异日志

在这里插入图片描述
openssl虽然有3个大分支,我们就以3.1大分支查看关于国密的差异日志。

Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

Changes between 1.1.1b and 1.1.1c [28 May 2019]

在这里插入图片描述

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

在这里插入图片描述

Changes between 1.1.1 and 3.0.0 [7 sep 2021]

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

Changes between 3.0.7 and 3.0.8 [7 Feb 2023]

在这里插入图片描述

差异日志分析

openssl在1.1.1版本已经添加了国密算法的支持,
openssl在3.0.0版本已经支持了国标签名和验签的支持
最有一次相关修改在3.0.8版本。

所以测试环境需要3.0.8以及更高版本。本人习惯使用最新版本,目前的最新版本为3.1.1版本,开始测试一波。

openssl编译(openssl-3.1.1)

编译流程

直接上终端日志

第一次想当然了,没有看官方说明,搞砸了,
错误示范:

: 1690424002:0;tar -zxvf openssl-3.1.1.tar.gz
: 1690424010:0;cd openssl-3.1.1
: 1690424039:0;./Configure
: 1690424067:0;make -j4
: 1690424109:0;chmod a+x util/shlib_wrap.sh
: 1690424114:0;chmod a+x util/wrap.pl
: 1690424116:0;make -j4
: 1690424156:0;make -j1
: 1690435099:0;cd ..
: 1690435105:0;rm -r openssl-3.1.1

正确示范:

: 1690435110:0;tar -zxvf openssl-3.1.1.tar.gz
: 1690435115:0;cd openssl-3.1.1
: 1690435138:0;./config --prefix=/opt/openssl-3.1.1
: 1690435176:0;make
: 1690436282:0;make install
: 1690438167:0;cd /opt/openssl-3.1.1/bin

由于没有安装到系统路径上,配一下动态库搜索路径,才能执行

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:37:47]
$ find .. -name "*.so"
../lib64/engines-3/loader_attic.so
../lib64/engines-3/capi.so
../lib64/engines-3/padlock.so
../lib64/engines-3/afalg.so
../lib64/libssl.so
../lib64/ossl-modules/legacy.so
../lib64/libcrypto.so

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:38:04] 
$ export LD_LIBRARY_PATH=/opt/openssl-3.1.1/lib64:$LD_LIBRARY_PATH

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:38:14]
$ ./openssl version
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)

国密支持测试

非对称算法支持(结论:支持SM2)
# root @ ubuntu in ~/SMx_test [7:39:52] 
$ /opt/openssl-3.1.1/bin/openssl list -public-key-algorithms
Legacy:
 Name: OpenSSL RSA method
	Type: Builtin Algorithm
	OID: rsaEncryption
	PEM string: RSA
 Name: rsa
	Alias for: rsaEncryption
 Name: OpenSSL PKCS#3 DH method
	Type: Builtin Algorithm
	OID: dhKeyAgreement
	PEM string: DH
 Name: dsaWithSHA
	Alias for: dsaEncryption
 Name: dsaEncryption-old
	Alias for: dsaEncryption
 Name: dsaWithSHA1-old
	Alias for: dsaEncryption
 Name: dsaWithSHA1
	Alias for: dsaEncryption
 Name: OpenSSL DSA method
	Type: Builtin Algorithm
	OID: dsaEncryption
	PEM string: DSA
 Name: OpenSSL EC algorithm
	Type: Builtin Algorithm
	OID: id-ecPublicKey
	PEM string: EC
 Name: OpenSSL RSA-PSS method
	Type: Builtin Algorithm
	OID: rsassaPss
	PEM string: RSA-PSS
 Name: OpenSSL X9.42 DH method
	Type: Builtin Algorithm
	OID: X9.42 DH
	PEM string: X9.42 DH
 Name: OpenSSL X25519 algorithm
	Type: Builtin Algorithm
	OID: X25519
	PEM string: X25519
 Name: OpenSSL X448 algorithm
	Type: Builtin Algorithm
	OID: X448
	PEM string: X448
 Name: OpenSSL ED25519 algorithm
	Type: Builtin Algorithm
	OID: ED25519
	PEM string: ED25519
 Name: OpenSSL ED448 algorithm
	Type: Builtin Algorithm
	OID: ED448
	PEM string: ED448
 Name: sm2
	Alias for: id-ecPublicKey
Provided:
 Key Managers:
  Name: OpenSSL RSA implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  Name: OpenSSL PKCS#3 DH implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
  Name: OpenSSL DSA implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  Name: OpenSSL EC implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10045.2.1, EC, id-ecPublicKey } @ default
  Name: OpenSSL RSA-PSS implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.1.10, RSA-PSS, RSASSA-PSS, rsassaPss } @ default
  Name: OpenSSL X9.42 DH implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10046.2.1, dhpublicnumber, DHX, X9.42 DH } @ default
  Name: OpenSSL X25519 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.110, X25519 } @ default
  Name: OpenSSL X448 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.111, X448 } @ default
  Name: OpenSSL ED25519 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.112, ED25519 } @ default
  Name: OpenSSL ED448 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.113, ED448 } @ default
  Name: OpenSSL SM2 implementation
    Type: Provider Algorithm
    IDs: { 1.2.156.10197.1.301, SM2 } @ default
  Name: OpenSSL TLS1_PRF via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: TLS1-PRF @ default
  Name: OpenSSL HKDF via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: HKDF @ default
  Name: OpenSSL SCRYPT via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: { 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
  Name: OpenSSL HMAC via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: HMAC @ default
  Name: OpenSSL SIPHASH via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: SIPHASH @ default
  Name: OpenSSL POLY1305 via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: POLY1305 @ default
  Name: OpenSSL CMAC via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: CMAC @ default

# root @ ubuntu in ~/SMx_test [7:46:34] 
$ /opt/openssl-3.1.1/bin/openssl list -public-key-methods
Legacy:
 rsaEncryption
	Type: External Algorithm
 dhKeyAgreement
	Type: Builtin Algorithm
 dsaEncryption
	Type: External Algorithm
 id-ecPublicKey
	Type: Builtin Algorithm
 rsassaPss
	Type: External Algorithm
 X9.42 DH
	Type: Builtin Algorithm
 X25519
	Type: Builtin Algorithm
 X448
	Type: Builtin Algorithm
 ED25519
	Type: Builtin Algorithm
 ED448
	Type: Builtin Algorithm
Provided:
 Encryption:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
 Key Exchange:
  { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
  { 1.3.101.110, X25519 } @ default
  { 1.3.101.111, X448 } @ default
  ECDH @ default
  TLS1-PRF @ default
  HKDF @ default
  { 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
 Signatures:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  { 1.3.101.112, ED25519 } @ default
  { 1.3.101.113, ED448 } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
  ECDSA @ default
  HMAC @ default
  SIPHASH @ default
  POLY1305 @ default
  CMAC @ default
 Key encapsulation:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
摘要算法,哈希算法,杂凑算法(结论:支持SM3)
# root @ ubuntu in ~/SMx_test [7:52:15] 
$ /opt/openssl-3.1.1/bin/openssl list -digest-algorithms
Legacy:
  RSA-MD4 => MD4
  RSA-MD5 => MD5
  RSA-MDC2 => MDC2
  RSA-RIPEMD160 => RIPEMD160
  RSA-SHA1 => SHA1
  RSA-SHA1-2 => RSA-SHA1
  RSA-SHA224 => SHA224
  RSA-SHA256 => SHA256
  RSA-SHA3-224 => SHA3-224
  RSA-SHA3-256 => SHA3-256
  RSA-SHA3-384 => SHA3-384
  RSA-SHA3-512 => SHA3-512
  RSA-SHA384 => SHA384
  RSA-SHA512 => SHA512
  RSA-SHA512/224 => SHA512-224
  RSA-SHA512/256 => SHA512-256
  RSA-SM3 => SM3
  BLAKE2b512
  BLAKE2s256
  id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
  id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
  id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
  id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
  MD4
  md4WithRSAEncryption => MD4
  MD5
  MD5-SHA1
  md5WithRSAEncryption => MD5
  MDC2
  mdc2WithRSA => MDC2
  ripemd => RIPEMD160
  RIPEMD160
  ripemd160WithRSA => RIPEMD160
  rmd160 => RIPEMD160
  SHA1
  sha1WithRSAEncryption => SHA1
  SHA224
  sha224WithRSAEncryption => SHA224
  SHA256
  sha256WithRSAEncryption => SHA256
  SHA3-224
  SHA3-256
  SHA3-384
  SHA3-512
  SHA384
  sha384WithRSAEncryption => SHA384
  SHA512
  SHA512-224
  sha512-224WithRSAEncryption => SHA512-224
  SHA512-256
  sha512-256WithRSAEncryption => SHA512-256
  sha512WithRSAEncryption => SHA512
  SHAKE128
  SHAKE256
  SM3
  sm3WithRSAEncryption => SM3
  ssl3-md5 => MD5
  ssl3-sha1 => SHA1
  whirlpool
Provided:
  { 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
  { 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
  { 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
  { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
  { 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
  { 1.3.36.3.2.1, RIPEMD, RIPEMD-160, RIPEMD160, RMD160 } @ default
  { 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
  { 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
  { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
  { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
  { 1.2.156.10197.1.401, SM3 } @ default
  { 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 1.3.6.1.4.1.1722.12.2.2.8, BLAKE2S-256, BLAKE2s256 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.3.6.1.4.1.1722.12.2.1.16, BLAKE2B-512, BLAKE2b512 } @ default
  MD5-SHA1 @ default
  { 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
  { KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
  { KECCAK-KMAC-256, KECCAK-KMAC256 } @ default
  NULL @ default
对称算法支持(结论:支持SM4)
# root @ ubuntu in ~/SMx_test [7:55:07] C:130
$ /opt/openssl-3.1.1/bin/openssl list -cipher-algorithms
Legacy:
  AES-128-CBC
  AES-128-CBC-HMAC-SHA1
  AES-128-CBC-HMAC-SHA256
  id-aes128-CCM
  AES-128-CFB
  AES-128-CFB1
  AES-128-CFB8
  AES-128-CTR
  AES-128-ECB
  id-aes128-GCM
  AES-128-OCB
  AES-128-OFB
  AES-128-XTS
  AES-192-CBC
  id-aes192-CCM
  AES-192-CFB
  AES-192-CFB1
  AES-192-CFB8
  AES-192-CTR
  AES-192-ECB
  id-aes192-GCM
  AES-192-OCB
  AES-192-OFB
  AES-256-CBC
  AES-256-CBC-HMAC-SHA1
  AES-256-CBC-HMAC-SHA256
  id-aes256-CCM
  AES-256-CFB
  AES-256-CFB1
  AES-256-CFB8
  AES-256-CTR
  AES-256-ECB
  id-aes256-GCM
  AES-256-OCB
  AES-256-OFB
  AES-256-XTS
  aes128 => AES-128-CBC
  aes128-wrap => id-aes128-wrap
  aes192 => AES-192-CBC
  aes192-wrap => id-aes192-wrap
  aes256 => AES-256-CBC
  aes256-wrap => id-aes256-wrap
  ARIA-128-CBC
  ARIA-128-CCM
  ARIA-128-CFB
  ARIA-128-CFB1
  ARIA-128-CFB8
  ARIA-128-CTR
  ARIA-128-ECB
  ARIA-128-GCM
  ARIA-128-OFB
  ARIA-192-CBC
  ARIA-192-CCM
  ARIA-192-CFB
  ARIA-192-CFB1
  ARIA-192-CFB8
  ARIA-192-CTR
  ARIA-192-ECB
  ARIA-192-GCM
  ARIA-192-OFB
  ARIA-256-CBC
  ARIA-256-CCM
  ARIA-256-CFB
  ARIA-256-CFB1
  ARIA-256-CFB8
  ARIA-256-CTR
  ARIA-256-ECB
  ARIA-256-GCM
  ARIA-256-OFB
  aria128 => ARIA-128-CBC
  aria192 => ARIA-192-CBC
  aria256 => ARIA-256-CBC
  bf => BF-CBC
  BF-CBC
  BF-CFB
  BF-ECB
  BF-OFB
  blowfish => BF-CBC
  CAMELLIA-128-CBC
  CAMELLIA-128-CFB
  CAMELLIA-128-CFB1
  CAMELLIA-128-CFB8
  CAMELLIA-128-CTR
  CAMELLIA-128-ECB
  CAMELLIA-128-OFB
  CAMELLIA-192-CBC
  CAMELLIA-192-CFB
  CAMELLIA-192-CFB1
  CAMELLIA-192-CFB8
  CAMELLIA-192-CTR
  CAMELLIA-192-ECB
  CAMELLIA-192-OFB
  CAMELLIA-256-CBC
  CAMELLIA-256-CFB
  CAMELLIA-256-CFB1
  CAMELLIA-256-CFB8
  CAMELLIA-256-CTR
  CAMELLIA-256-ECB
  CAMELLIA-256-OFB
  camellia128 => CAMELLIA-128-CBC
  camellia192 => CAMELLIA-192-CBC
  camellia256 => CAMELLIA-256-CBC
  cast => CAST5-CBC
  cast-cbc => CAST5-CBC
  CAST5-CBC
  CAST5-CFB
  CAST5-ECB
  CAST5-OFB
  ChaCha20
  ChaCha20-Poly1305
  des => DES-CBC
  DES-CBC
  DES-CFB
  DES-CFB1
  DES-CFB8
  DES-ECB
  DES-EDE
  DES-EDE-CBC
  DES-EDE-CFB
  des-ede-ecb => DES-EDE
  DES-EDE-OFB
  DES-EDE3
  DES-EDE3-CBC
  DES-EDE3-CFB
  DES-EDE3-CFB1
  DES-EDE3-CFB8
  des-ede3-ecb => DES-EDE3
  DES-EDE3-OFB
  DES-OFB
  des3 => DES-EDE3-CBC
  des3-wrap => id-smime-alg-CMS3DESwrap
  desx => DESX-CBC
  DESX-CBC
  id-aes128-CCM
  id-aes128-GCM
  id-aes128-wrap
  id-aes128-wrap-pad
  id-aes192-CCM
  id-aes192-GCM
  id-aes192-wrap
  id-aes192-wrap-pad
  id-aes256-CCM
  id-aes256-GCM
  id-aes256-wrap
  id-aes256-wrap-pad
  id-smime-alg-CMS3DESwrap
  idea => IDEA-CBC
  IDEA-CBC
  IDEA-CFB
  IDEA-ECB
  IDEA-OFB
  rc2 => RC2-CBC
  rc2-128 => RC2-CBC
  rc2-40 => RC2-40-CBC
  RC2-40-CBC
  rc2-64 => RC2-64-CBC
  RC2-64-CBC
  RC2-CBC
  RC2-CFB
  RC2-ECB
  RC2-OFB
  RC4
  RC4-40
  RC4-HMAC-MD5
  seed => SEED-CBC
  SEED-CBC
  SEED-CFB
  SEED-ECB
  SEED-OFB
  sm4 => SM4-CBC
  SM4-CBC
  SM4-CFB
  SM4-CTR
  SM4-ECB
  SM4-OFB
Provided:
  { 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } @ default
  { 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } @ default
  { 2.16.840.1.101.3.4.1.4, AES-128-CFB } @ default
  { 1.2.410.200046.1.1.38, ARIA-192-CCM } @ default
  { 1.2.410.200046.1.1.1, ARIA-128-ECB } @ default
  { 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } @ default
  { 2.16.840.1.101.3.4.1.24, AES-192-CFB } @ default
  { 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } @ default
  { 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } @ default
  { 1.2.410.200046.1.1.35, ARIA-192-GCM } @ default
  { 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } @ default
  { 1.2.410.200046.1.1.36, ARIA-256-GCM } @ default
  { 1.3.111.2.1619.0.1.2, AES-256-XTS } @ default
  { 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } @ default
  { 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } @ default
  { 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } @ default
  { 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } @ default
  { 2.16.840.1.101.3.4.1.41, AES-256-ECB } @ default
  { 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } @ default
  { 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } @ default
  { 2.16.840.1.101.3.4.1.6, aes-128-gcm, id-aes128-GCM } @ default
  { 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } @ default
  { 2.16.840.1.101.3.4.1.44, AES-256-CFB } @ default
  { 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } @ default
  { 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } @ default
  { 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } @ default
  { 1.2.410.200046.1.1.39, ARIA-256-CCM } @ default
  { 1.2.410.200046.1.1.14, ARIA-256-OFB } @ default
  { 2.16.840.1.101.3.4.1.46, aes-256-gcm, id-aes256-GCM } @ default
  { 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.23, AES-192-OFB } @ default
  { 1.2.156.10197.1.104.1, SM4-ECB } @ default
  { 2.16.840.1.101.3.4.1.7, aes-128-ccm, id-aes128-CCM } @ default
  { 2.16.840.1.101.3.4.1.47, aes-256-ccm, id-aes256-CCM } @ default
  { 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } @ default
  { 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } @ default
  { 1.2.410.200046.1.1.15, ARIA-256-CTR } @ default
  { 1.2.410.200046.1.1.3, ARIA-128-CFB } @ default
  { 1.2.410.200046.1.1.34, ARIA-128-GCM } @ default
  { 1.2.410.200046.1.1.6, ARIA-192-ECB } @ default
  { 2.16.840.1.101.3.4.1.26, aes-192-gcm, id-aes192-GCM } @ default
  { 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } @ default
  { 1.2.156.10197.1.104.2, SM4, SM4-CBC } @ default
  { 1.2.410.200046.1.1.37, ARIA-128-CCM } @ default
  { 2.16.840.1.101.3.4.1.27, aes-192-ccm, id-aes192-CCM } @ default
  { 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } @ default
  { 1.2.410.200046.1.1.11, ARIA-256-ECB } @ default
  { 1.3.111.2.1619.0.1.1, AES-128-XTS } @ default
  { 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } @ default
  { 2.16.840.1.101.3.4.1.3, AES-128-OFB } @ default
  { 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } @ default
  { 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } @ default
  { 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } @ default
  { 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } @ default
  { 1.2.410.200046.1.1.10, ARIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } @ default
  { 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } @ default
  { 1.2.410.200046.1.1.9, ARIA-192-OFB } @ default
  { 1.2.410.200046.1.1.13, ARIA-256-CFB } @ default
  { 2.16.840.1.101.3.4.1.1, AES-128-ECB } @ default
  { 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } @ default
  { 1.2.410.200046.1.1.8, ARIA-192-CFB } @ default
  { 1.2.156.10197.1.104.7, SM4-CTR } @ default
  { 2.16.840.1.101.3.4.1.43, AES-256-OFB } @ default
  { 1.2.410.200046.1.1.4, ARIA-128-OFB } @ default
  { 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } @ default
  { 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } @ default
  { 1.2.410.200046.1.1.5, ARIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.21, AES-192-ECB } @ default
  NULL @ default
  AES-128-CBC-CTS @ default
  AES-192-CBC-CTS @ default
  AES-256-CBC-CTS @ default
  AES-256-CFB1 @ default
  AES-192-CFB1 @ default
  AES-128-CFB1 @ default
  AES-256-CFB8 @ default
  AES-192-CFB8 @ default
  AES-128-CFB8 @ default
  AES-256-CTR @ default
  AES-192-CTR @ default
  AES-128-CTR @ default
  AES-256-OCB @ default
  AES-192-OCB @ default
  AES-128-OCB @ default
  AES-128-SIV @ default
  AES-192-SIV @ default
  AES-256-SIV @ default
  { AES-256-WRAP-INV, AES256-WRAP-INV } @ default
  { AES-192-WRAP-INV, AES192-WRAP-INV } @ default
  { AES-128-WRAP-INV, AES128-WRAP-INV } @ default
  { AES-256-WRAP-PAD-INV, AES256-WRAP-PAD-INV } @ default
  { AES-192-WRAP-PAD-INV, AES192-WRAP-PAD-INV } @ default
  { AES-128-WRAP-PAD-INV, AES128-WRAP-PAD-INV } @ default
  AES-128-CBC-HMAC-SHA1 @ default
  AES-256-CBC-HMAC-SHA1 @ default
  AES-128-CBC-HMAC-SHA256 @ default
  AES-256-CBC-HMAC-SHA256 @ default
  ARIA-256-CFB1 @ default
  ARIA-192-CFB1 @ default
  ARIA-128-CFB1 @ default
  ARIA-256-CFB8 @ default
  ARIA-192-CFB8 @ default
  ARIA-128-CFB8 @ default
  CAMELLIA-128-CBC-CTS @ default
  CAMELLIA-192-CBC-CTS @ default
  CAMELLIA-256-CBC-CTS @ default
  CAMELLIA-256-CFB1 @ default
  CAMELLIA-192-CFB1 @ default
  CAMELLIA-128-CFB1 @ default
  CAMELLIA-256-CFB8 @ default
  CAMELLIA-192-CFB8 @ default
  CAMELLIA-128-CFB8 @ default
  { DES-EDE3, DES-EDE3-ECB } @ default
  DES-EDE3-OFB @ default
  DES-EDE3-CFB @ default
  DES-EDE3-CFB8 @ default
  DES-EDE3-CFB1 @ default
  DES-EDE-CBC @ default
  DES-EDE-OFB @ default
  DES-EDE-CFB @ default
  { 1.2.156.10197.1.104.8, SM4-GCM } @ default
  { 1.2.156.10197.1.104.9, SM4-CCM } @ default
  ChaCha20 @ default
  ChaCha20-Poly1305 @ default

国密测试

生成CA根证书国密SM2私钥

# root @ ubuntu in ~/SMx_test [7:55:45] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -list_curves 
  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect113r1 : SECG curve over a 113 bit binary field
  sect113r2 : SECG curve over a 113 bit binary field
  sect131r1 : SECG/WTLS curve over a 131 bit binary field
  sect131r2 : SECG curve over a 131 bit binary field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  sect163r1 : SECG curve over a 163 bit binary field
  sect163r2 : NIST/SECG curve over a 163 bit binary field
  sect193r1 : SECG curve over a 193 bit binary field
  sect193r2 : SECG curve over a 193 bit binary field
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect239k1 : SECG curve over a 239 bit binary field
  sect283k1 : NIST/SECG curve over a 283 bit binary field
  sect283r1 : NIST/SECG curve over a 283 bit binary field
  sect409k1 : NIST/SECG curve over a 409 bit binary field
  sect409r1 : NIST/SECG curve over a 409 bit binary field
  sect571k1 : NIST/SECG curve over a 571 bit binary field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  c2pnb163v1: X9.62 curve over a 163 bit binary field
  c2pnb163v2: X9.62 curve over a 163 bit binary field
  c2pnb163v3: X9.62 curve over a 163 bit binary field
  c2pnb176v1: X9.62 curve over a 176 bit binary field
  c2tnb191v1: X9.62 curve over a 191 bit binary field
  c2tnb191v2: X9.62 curve over a 191 bit binary field
  c2tnb191v3: X9.62 curve over a 191 bit binary field
  c2pnb208w1: X9.62 curve over a 208 bit binary field
  c2tnb239v1: X9.62 curve over a 239 bit binary field
  c2tnb239v2: X9.62 curve over a 239 bit binary field
  c2tnb239v3: X9.62 curve over a 239 bit binary field
  c2pnb272w1: X9.62 curve over a 272 bit binary field
  c2pnb304w1: X9.62 curve over a 304 bit binary field
  c2tnb359v1: X9.62 curve over a 359 bit binary field
  c2pnb368w1: X9.62 curve over a 368 bit binary field
  c2tnb431r1: X9.62 curve over a 431 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
  Oakley-EC2N-3: 
	IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
	Not suitable for ECDSA.
	Questionable extension field!
  Oakley-EC2N-4: 
	IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
	Not suitable for ECDSA.
	Questionable extension field!
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
  SM2       : SM2 curve over a 256 bit prime field
  
# root @ ubuntu in ~/SMx_test [9:06:38] C:130
$ /opt/openssl-3.1.1/bin/openssl ecparam -genkey -name SM2 -out root.key

# root @ ubuntu in ~/SMx_test [9:08:12] 
$ cat root.key
-----BEGIN SM2 PARAMETERS-----
BggqgRzPVQGCLQ==
-----END SM2 PARAMETERS-----
-----BEGIN PRIVATE KEY-----
MIGIAgEAMBQGCCqBHM9VAYItBggqgRzPVQGCLQRtMGsCAQEEIMseXRorRdHJe5ab
2J4iSjWmBGQOlHIIJR38mqk9h1VroUQDQgAERa17YaXohsIanVDRoJJRhkPTpIZf
U+DcVcUDaUHjPXKZcbTnNjf2boiD4oORZ1CV5VMbnWYSew37SPn1Anbiqg==
-----END PRIVATE KEY-----

# root @ ubuntu in ~/SMx_test [9:08:17] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -text -noout -in root.key
Could not read params of EC parameters from root.key
C091F8D0AC7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto/encode_decode/decoder_lib.c:102:No supported data to decode. Input type: PEM
C091F8D0AC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:

# root @ ubuntu in ~/SMx_test [9:08:26] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -text -noout -in root.key
read EC key
Private-Key: (256 bit)
priv:
    cb:1e:5d:1a:2b:45:d1:c9:7b:96:9b:d8:9e:22:4a:
    35:a6:04:64:0e:94:72:08:25:1d:fc:9a:a9:3d:87:
    55:6b
pub:
    04:45:ad:7b:61:a5:e8:86:c2:1a:9d:50:d1:a0:92:
    51:86:43:d3:a4:86:5f:53:e0:dc:55:c5:03:69:41:
    e3:3d:72:99:71:b4:e7:36:37:f6:6e:88:83:e2:83:
    91:67:50:95:e5:53:1b:9d:66:12:7b:0d:fb:48:f9:
    f5:02:76:e2:aa
ASN1 OID: SM2

看着好像是没有问题。

生成CA根证书国密SM2公钥

# root @ ubuntu in ~/SMx_test [9:26:12] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -in root.key -text -noout
read EC key
Private-Key: (256 bit)
priv:
    29:9a:da:8d:84:60:6e:cf:ee:9b:ed:16:33:7d:43:
    f1:a8:b1:cb:2c:1c:81:87:5e:56:93:4f:9c:3a:56:
    8b:01
pub:
    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
    13:50:d1:c2:b1
ASN1 OID: SM2

# root @ ubuntu in ~/SMx_test [9:19:55] 
$ /opt/openssl-3.1.1/bin/openssl ec -pubout -in root.key -out root_pub.key    
read EC key
writing EC key

# root @ ubuntu in ~/SMx_test [9:20:03] 
$ ls
root.key  root_pub.key

# root @ ubuntu in ~/SMx_test [9:20:09] 
$ cat root_pub.key 
-----BEGIN PUBLIC KEY-----
MFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABByScYzVvUJ1NFlT3pcRB5xLv9YT
l+GZs+xxV4Qk5DxdJvgG+MLp297M4ugQJ+uNc/wGicgUtaPVoLHOE1DRwrE=
-----END PUBLIC KEY-----

# root @ ubuntu in ~/SMx_test [9:23:51] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -pubin -in root_pub.key -text -noout
read EC key
Public-Key: (256 bit)
pub:
    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
    13:50:d1:c2:b1
ASN1 OID: SM2

生成CA根证书

# root @ ubuntu in ~/SMx_test [9:33:34] 
$ /opt/openssl-3.1.1/bin/openssl req -new -x509 -key root.key -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HN
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JL
Organizational Unit Name (eg, section) []:HW
Common Name (e.g. server FQDN or YOUR name) []:liuyuelong.com  
Email Address []:yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [9:35:16] 
$ ls
root.crt  root.key  root_pub.key

# root @ ubuntu in ~/SMx_test [9:35:19] 
$ cat root.crt 
-----BEGIN CERTIFICATE-----
MIICTjCCAfSgAwIBAgIUDHdnZH56/dBiHojqqNzfhoDDIUwwCgYIKoEcz1UBg3Uw
fDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhOMQswCQYDVQQHDAJaWjELMAkGA1UE
CgwCSkwxCzAJBgNVBAsMAkhXMRcwFQYDVQQDDA5saXV5dWVsb25nLmNvbTEgMB4G
CSqGSIb3DQEJARYReWpraHRkZHhAc2luYS5jb20wHhcNMjMwNzI3MDkzNTE2WhcN
MjMwODI2MDkzNTE2WjB8MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNV
BAcMAlpaMQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFzAVBgNVBAMMDmxpdXl1
ZWxvbmcuY29tMSAwHgYJKoZIhvcNAQkBFhF5amtodGRkeEBzaW5hLmNvbTBaMBQG
CCqBHM9VAYItBggqgRzPVQGCLQNCAAQcknGM1b1CdTRZU96XEQecS7/WE5fhmbPs
cVeEJOQ8XSb4BvjC6dvezOLoECfrjXP8BonIFLWj1aCxzhNQ0cKxo1MwUTAdBgNV
HQ4EFgQUuT7GISEAApZf7WL7sjR2DDZM62IwHwYDVR0jBBgwFoAUuT7GISEAApZf
7WL7sjR2DDZM62IwDwYDVR0TAQH/BAUwAwEB/zAKBggqgRzPVQGDdQNIADBFAiEA
3ggGkI7OL8pR21OPYt/ogyXTQz8pdjs5BwHwf1+NVnMCIHyXJO05Fe0BGAxG4bhC
N5fiGR1dwR6StS/LnriuW0aT
-----END CERTIFICATE-----

# root @ ubuntu in ~/SMx_test [9:35:49] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in root.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:77:67:64:7e:7a:fd:d0:62:1e:88:ea:a8:dc:df:86:80:c3:21:4c
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 27 09:35:16 2023 GMT
            Not After : Aug 26 09:35:16 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
                    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
                    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
                    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
                    13:50:d1:c2:b1
                ASN1 OID: SM2
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B9:3E:C6:21:21:00:02:96:5F:ED:62:FB:B2:34:76:0C:36:4C:EB:62
            X509v3 Authority Key Identifier: 
                B9:3E:C6:21:21:00:02:96:5F:ED:62:FB:B2:34:76:0C:36:4C:EB:62
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:45:02:21:00:de:08:06:90:8e:ce:2f:ca:51:db:53:8f:62:
        df:e8:83:25:d3:43:3f:29:76:3b:39:07:01:f0:7f:5f:8d:56:
        73:02:20:7c:97:24:ed:39:15:ed:01:18:0c:46:e1:b8:42:37:
        97:e2:19:1d:5d:c1:1e:92:b5:2f:cb:9e:b8:ae:5b:46:93

SM2算法的私钥,openssl自动选择SM2-with-SM3签名算法,牛B。

给使用CA根证书给CA根证书验签

正常使用应该没有这种使用场景,但是验一下也无妨嘛。

# root @ ubuntu in ~/SMx_test [9:36:45] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt root.crt 
root.crt: OK

肯定是没有问题的嘛,自己给自己验签怎么会有问题呢!

生成服务器密钥对

# root @ ubuntu in ~/SMx_test [1:08:49] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -genkey -name SM2 -out server.key

# root @ ubuntu in ~/SMx_test [1:09:21] 
$ cat server.key 
-----BEGIN SM2 PARAMETERS-----
BggqgRzPVQGCLQ==
-----END SM2 PARAMETERS-----
-----BEGIN PRIVATE KEY-----
MIGIAgEAMBQGCCqBHM9VAYItBggqgRzPVQGCLQRtMGsCAQEEIHjB95D+zU84Ybgg
0iAwogycqDM1yjQeK1iPX0xwwZXioUQDQgAEj6Fi8BEulmmcHish9fsI6gZEgjSA
ORDpOEaZ2LrmsBhzm059n2z0UDWvEGHPPC55miwSpfQUhA8WuE4avYk6Ag==
-----END PRIVATE KEY-----

# root @ ubuntu in ~/SMx_test [1:09:25] 
$ /opt/openssl-3.1.1/bin/openssl ec -text -noout -in server.key
read EC key
Private-Key: (256 bit)
priv:
    78:c1:f7:90:fe:cd:4f:38:61:b8:20:d2:20:30:a2:
    0c:9c:a8:33:35:ca:34:1e:2b:58:8f:5f:4c:70:c1:
    95:e2
pub:
    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
    1a:bd:89:3a:02
ASN1 OID: SM2

# root @ ubuntu in ~/SMx_test [1:10:06] C:127
$ /opt/openssl-3.1.1/bin/openssl ec -pubout -in server.key -out server_pub.key
read EC key
writing EC key

# root @ ubuntu in ~/SMx_test [1:10:23] 
$ cat server_pub.key 
-----BEGIN PUBLIC KEY-----
MFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABI+hYvARLpZpnB4rIfX7COoGRII0
gDkQ6ThGmdi65rAYc5tOfZ9s9FA1rxBhzzwueZosEqX0FIQPFrhOGr2JOgI=
-----END PUBLIC KEY-----

# root @ ubuntu in ~/SMx_test [1:10:36] 
$ /opt/openssl-3.1.1/bin/openssl ec -pubin -in server_pub.key -text -noout
read EC key
Public-Key: (256 bit)
pub:
    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
    1a:bd:89:3a:02
ASN1 OID: SM2

生成服务器证书请求文件

# root @ ubuntu in ~/SMx_test [1:11:30] C:130
$ /opt/openssl-3.1.1/bin/openssl req -new -key server.key -out server.csr        
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HN
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JL
Organizational Unit Name (eg, section) []:HW
Common Name (e.g. server FQDN or YOUR name) []:*.liuyunuo.cn     
Email Address []:yjkhtddx@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# root @ ubuntu in ~/SMx_test [1:18:27] 
$ cat server.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB3gIBADB7MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNVBAcM
AlpaMQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFjAUBgNVBAMMDSoubGl1eXVu
dW8uY24xIDAeBgkqhkiG9w0BCQEWEXlqa2h0ZGR4QHNpbmEuY29tMFowFAYIKoEc
z1UBgi0GCCqBHM9VAYItA0IABI+hYvARLpZpnB4rIfX7COoGRII0gDkQ6ThGmdi6
5rAYc5tOfZ9s9FA1rxBhzzwueZosEqX0FIQPFrhOGr2JOgKgADAKBggqgRzPVQGD
dQNIADBFAiBMd/NcRzTelVCtjhQL8mU7qb0BY2T3VH+jn2DYdBsnTgIhAKBX0qFb
IAudJ9D2O2uTf66i9CRncxWpD22/1m2ORz/s
-----END CERTIFICATE REQUEST-----

# root @ ubuntu in ~/SMx_test [1:18:38] 
$ /opt/openssl-3.1.1/bin/openssl req -text -noout -in server.csr         
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
                    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
                    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
                    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
                    1a:bd:89:3a:02
                ASN1 OID: SM2
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:45:02:20:4c:77:f3:5c:47:34:de:95:50:ad:8e:14:0b:f2:
        65:3b:a9:bd:01:63:64:f7:54:7f:a3:9f:60:d8:74:1b:27:4e:
        02:21:00:a0:57:d2:a1:5b:20:0b:9d:27:d0:f6:3b:6b:93:7f:
        ae:a2:f4:24:67:73:15:a9:0f:6d:bf:d6:6d:8e:47:3f:ec

CA私钥通过服务器证书请求为服务器生成证书(错误)

# root @ ubuntu in ~/SMx_test [1:38:58] C:1
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in server.csr -signkey root.key -out server.crt
Certificate request self-signature ok
subject=C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [1:39:12] 
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIIB8zCCAZgCFHhSrlWiLFM3tN9+SSeErM9SRrAaMAoGCCqBHM9VAYN1MHsxCzAJ
BgNVBAYTAkNOMQswCQYDVQQIDAJITjELMAkGA1UEBwwCWloxCzAJBgNVBAoMAkpM
MQswCQYDVQQLDAJIVzEWMBQGA1UEAwwNKi5saXV5dW51by5jbjEgMB4GCSqGSIb3
DQEJARYReWpraHRkZHhAc2luYS5jb20wHhcNMjMwNzI4MDEzOTEyWhcNMjMwODI3
MDEzOTEyWjB7MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNVBAcMAlpa
MQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFjAUBgNVBAMMDSoubGl1eXVudW8u
Y24xIDAeBgkqhkiG9w0BCQEWEXlqa2h0ZGR4QHNpbmEuY29tMFowFAYIKoEcz1UB
gi0GCCqBHM9VAYItA0IABByScYzVvUJ1NFlT3pcRB5xLv9YTl+GZs+xxV4Qk5Dxd
JvgG+MLp297M4ugQJ+uNc/wGicgUtaPVoLHOE1DRwrEwCgYIKoEcz1UBg3UDSQAw
RgIhAPLtgPAFtxEFXxzCJFxRYBa5m9kKlD+RCf/2N56Q+Of3AiEAktIMixCUkOUY
olV8UX/WWiypi+BTIIKCsjLaprYWBlE=
-----END CERTIFICATE-----

# root @ ubuntu in ~/SMx_test [1:39:21] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in server.crt -text -noout                          
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            78:52:ae:55:a2:2c:53:37:b4:df:7e:49:27:84:ac:cf:52:46:b0:1a
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 28 01:39:12 2023 GMT
            Not After : Aug 27 01:39:12 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
                    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
                    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
                    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
                    13:50:d1:c2:b1
                ASN1 OID: SM2
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:46:02:21:00:f2:ed:80:f0:05:b7:11:05:5f:1c:c2:24:5c:
        51:60:16:b9:9b:d9:0a:94:3f:91:09:ff:f6:37:9e:90:f8:e7:
        f7:02:21:00:92:d2:0c:8b:10:94:90:e5:18:a2:55:7c:51:7f:
        d6:5a:2c:a9:8b:e0:53:20:82:82:b2:32:da:a6:b6:16:06:51

使用CA证书对服务器证书进行验签(错误)

# root @ ubuntu in ~/SMx_test [1:40:15] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt server.crt 
C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
error 18 at 0 depth lookup: self-signed certificate
error server.crt: verification failed

生成服务器证书并验签

# root @ ubuntu in ~/SMx_test [3:10:56] 
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server1.crt    
Certificate request self-signature ok
subject=C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [3:11:57] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in server1.crt -text -noout                                      
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            2f:c5:e1:c5:52:f4:5a:29:b9:c1:fc:06:c1:51:1e:51:36:71:56:85
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 28 03:11:57 2023 GMT
            Not After : Aug 27 03:11:57 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
                    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
                    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
                    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
                    1a:bd:89:3a:02
                ASN1 OID: SM2
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:44:02:20:17:4a:fc:9d:75:b5:e7:ef:2a:53:11:11:ee:d4:
        96:db:c6:03:1f:b3:df:f6:3a:be:44:b1:5c:7c:8f:c2:3e:96:
        02:20:1b:87:40:96:95:61:54:12:c1:10:df:98:50:c8:cf:d5:
        15:fc:66:0b:16:57:5d:02:37:61:36:27:3b:fb:de:e4

# root @ ubuntu in ~/SMx_test [3:12:08] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt server1.crt                                                   
server1.crt: OK

GA/T0015相关测试

给第三方生成的证书请求文件生成证书

# root @ ubuntu in ~/SMx_test [5:57:16] 
$ /opt/openssl-3.1.1/bin/openssl req -text -noout -in gbs_req_cert_a77d169.pem 
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = LiveGBS, CN = 34020000002000000001, serialNumber = a77d1691d30cdc6eec2e9fb0acd4a4f4
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:01:28:3c:50:26:d1:73:0d:e4:db:f8:14:62:bb:
                    1a:74:39:fc:b4:c5:9a:9b:82:6e:11:1a:4c:59:7d:
                    fb:97:31:8d:8c:7d:9b:cb:a9:35:36:f1:41:53:cf:
                    31:41:a7:91:bf:ef:a9:c9:5d:7d:63:38:62:46:70:
                    a6:2e:9d:76:12
                ASN1 OID: SM2
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    email:yjkhtddx@sina.com
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:46:02:21:00:8f:f1:4c:5e:56:8a:8b:b8:d5:b2:9d:0b:05:
        a4:72:ec:91:67:01:d0:84:b0:30:6a:ba:c1:10:f0:b2:ba:12:
        8d:02:21:00:bd:01:a7:fe:03:35:ba:ad:2f:35:8d:f8:fe:b1:
        1e:1e:7e:f7:5b:4e:f3:aa:22:d3:0a:2e:79:05:f2:17:e3:59

# root @ ubuntu in ~/SMx_test [6:14:35] C:1
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in gbs_req_cert_a77d169.pem -CA root.crt -CAkey root.key -CAcreateserial -out livsGBS.crt
Certificate request self-signature did not match the contents
C001EC05457F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:

# root @ ubuntu in ~/SMx_test [6:15:07] C:1
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in gbs_req_cert_a77d169.pem -CA root.crt -CAkey root.key -out livsGBS.crt
Certificate request self-signature did not match the contents
C0A13EE8427F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:217:

提示证书请求文件的公钥对签名进行验签没有过,扯淡了,已和第三方玩,就不行了。咋搞?

手工解析工具验签测试 (错误)

原始数据

3082017d

    30820122020100308190310b300906035504061302434e310b300906035504081302484e310b3009060355040713025a5a310b3009060355040a13024a4c3110300e060355040b13074c697665474253311d301b060355040313143334303230303030303032303030303030303031312930270603550405132061373764313639316433306364633665656332653966623061636434613466343059301306072a8648ce3d020106082a811ccf5501822d0342000401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612a02f302d06092a864886f70d01090e3120301e301c0603551d11041530138111796a6b68746464784073696e612e636f6d[签名内容]

    300a06082a811ccf55018375

    03490030460221008ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d022100bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e35968[签名]

手工解析数据 (错误)

3082017d[SEQUENCE]
    30820122[SEQUENCE]
        020100[INTERGER:Version:1(0x00)]
        308190[SEQUENCE:Subject]
            310b[SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550406
                1302[PrintableString(2)]
                    434e[CN:中国]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550408[ID:stateOrProvinceName]
                    1302[PrintableString(2)]
                        484e[HN:河南]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550407[ID:localityName]
                    1302[PrintableString(2)]
                        5a5a[ZZ:郑州]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        55040a[ID:organizationName]
                    1302[PrintableString(2)]
                        4a4c[JL:巨龙]
            3110[SET]
                300e[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        55040b[ID:organizationalUnitName]
                    1307[PrintableString(7)]
                        4c697665474253[liveGBS]
            311d[SET]
                301b[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550403[ID:commonName]
                    1314[PrintableString(20)]
                        3334303230303030303032303030303030303031[34020000002000000001]
            3129[SET]
                3027[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550405[ID:serialNumber]
                    13201314[PrintableString(32)]
                        6137376431363931643330636463366565633265396662306163643461346634[a77d1691d30cdc6eec2e9fb0acd4a4f4]
        3059[SEQUENCE]
            3013[SEQUENCE]
                0607[OBJECT IDENTIFIER(7)]
                    2a8648ce3d0201[ID:ecPublicKey]
                0608[OBJECT IDENTIFIER(8)]
                    2a811ccf5501822d[ID:Unknow]
            0342[BIT STRING(66)]
                00[BIT STRING 忽略字节]
                0401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612[公钥:65byte]
        a02f[Context]
            302d[SEQUENCE]
                0609[OBJECT IDENTIFIER(9)]
                    2a864886f70d01090e
                3120[SET]
                    301e[SEQUENCE]
                        301c[SEQUENCE]
                            0603[OBJECT IDENTIFIER(9)]
                                551d11[ID:subjectAltName]
                            0415[OCTET STRING]
                                3013[SEQUENCE]
                                    8111[UnknowType]
                                        796a6b68746464784073696e612e636f6d[yjkhtddx@sina.com]
    300a[SEQUENCE]
        0608[OBJECT IDENTIFIER(7)]
            2a811ccf55018375[ID:Unknow]
    034900[BIT STRING]
        3046[SEQUENCE]
            0221[UnknowType]
                00[BIT STRING 忽略字节]
                8ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d[signature R]
            0221[UnknowType]
                00[BIT STRING 忽略字节]
                bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e359[signature S]
68[UNknow]

验签测试 (错误)

[public Key X]
0401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97
[public Key Y]
318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d76
[UserID]
31323334353637383132333435363738
[MessageData]
30820122020100308190310b300906035504061302434e310b300906035504081302484e310b3009060355040713025a5a310b3009060355040a13024a4c3110300e060355040b13074c697665474253311d301b060355040313143334303230303030303032303030303030303031312930270603550405132061373764313639316433306364633665656332653966623061636434613466343059301306072a8648ce3d020106082a811ccf5501822d0342000401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612a02f302d06092a864886f70d01090e3120301e301c0603551d11041530138111796a6b68746464784073696e612e636f6d
[signature R]
8ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d
[signature S]
bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e359

也不太会,大概解析一下证书结构。

在这里插入图片描述
还是不行,应该是哪里有问题。

手工解析工具验签测试(正确)

摇人帮忙,得到一下信息,原来公钥用错了。

在 SM2 公钥信息中,如果你提到的是前缀为 “00 04” 的公钥格式,它表示 SM2 公钥的非压缩格式。
具体地说,SM2 的非压缩公钥格式由以下部分组成:
“00”:表示这是非压缩格式,而不是压缩格式(压缩格式通常是以 “02” 或 “03” 开头)。
“04”:表示后续的数据是 x 和 y 坐标的完整表示。
后续的数据:固定长度为 64 字节,其中前 32 字节表示 x 坐标,后 32 字节表示 y 坐标,共同构成了 SM2 椭圆曲线上的公钥点。
因此,“00 04” 前缀指示了 SM2 公钥是以非压缩格式表示的,并且随后的 64 字节是完整的 x 和 y 坐标值,用于描述椭圆曲线上的公钥点。

原始数据

3082017d

    30820122020100308190310b300906035504061302434e310b300906035504081302484e310b3009060355040713025a5a310b3009060355040a13024a4c3110300e060355040b13074c697665474253311d301b060355040313143334303230303030303032303030303030303031312930270603550405132061373764313639316433306364633665656332653966623061636434613466343059301306072a8648ce3d020106082a811ccf5501822d0342000401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612a02f302d06092a864886f70d01090e3120301e301c0603551d11041530138111796a6b68746464784073696e612e636f6d[签名内容]

    300a06082a811ccf55018375

    03490030460221008ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d022100bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e35968[签名]

手工解析数据

3082017d[SEQUENCE]
    30820122[SEQUENCE]
        020100[INTERGER:Version:1(0x00)]
        308190[SEQUENCE:Subject]
            310b[SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550406
                1302[PrintableString(2)]
                    434e[CN:中国]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550408[ID:stateOrProvinceName]
                    1302[PrintableString(2)]
                        484e[HN:河南]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550407[ID:localityName]
                    1302[PrintableString(2)]
                        5a5a[ZZ:郑州]
            310b [SET]
                3009[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        55040a[ID:organizationName]
                    1302[PrintableString(2)]
                        4a4c[JL:巨龙]
            3110[SET]
                300e[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        55040b[ID:organizationalUnitName]
                    1307[PrintableString(7)]
                        4c697665474253[liveGBS]
            311d[SET]
                301b[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550403[ID:commonName]
                    1314[PrintableString(20)]
                        3334303230303030303032303030303030303031[34020000002000000001]
            3129[SET]
                3027[SEQUENCE]
                    0603[OBJECT IDENTIFIER(3)]
                        550405[ID:serialNumber]
                    13201314[PrintableString(32)]
                        6137376431363931643330636463366565633265396662306163643461346634[a77d1691d30cdc6eec2e9fb0acd4a4f4]
        3059[SEQUENCE]
            3013[SEQUENCE]
                0607[OBJECT IDENTIFIER(7)]
                    2a8648ce3d0201[ID:ecPublicKey]
                0608[OBJECT IDENTIFIER(8)]
                    2a811ccf5501822d[ID:Unknow]
            0342[BIT STRING(66)]
                0004[前缀,非压缩]
                01283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb9731[public Key Y:32byte]
                8d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612[public Key Y:32byte]
        a02f[Context]
            302d[SEQUENCE]
                0609[OBJECT IDENTIFIER(9)]
                    2a864886f70d01090e
                3120[SET]
                    301e[SEQUENCE]
                        301c[SEQUENCE]
                            0603[OBJECT IDENTIFIER(9)]
                                551d11[ID:subjectAltName]
                            0415[OCTET STRING]
                                3013[SEQUENCE]
                                    8111[UnknowType]
                                        796a6b68746464784073696e612e636f6d[yjkhtddx@sina.com]
    300a[SEQUENCE]
        0608[OBJECT IDENTIFIER(7)]
            2a811ccf55018375[ID:Unknow]
    034900[BIT STRING]
        3046[SEQUENCE]
            0221[UnknowType]
                00[BIT STRING 忽略字节]
                8ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d[signature R]
            0221[UnknowType]
                00[BIT STRING 忽略字节]
                bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e359[signature S]
68[UNknow]

验签测试

[public Key X]
01283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb9731
[public Key Y]
8d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612
[UserID]
31323334353637383132333435363738
[MessageData]
30820122020100308190310b300906035504061302434e310b300906035504081302484e310b3009060355040713025a5a310b3009060355040a13024a4c3110300e060355040b13074c697665474253311d301b060355040313143334303230303030303032303030303030303031312930270603550405132061373764313639316433306364633665656332653966623061636434613466343059301306072a8648ce3d020106082a811ccf5501822d0342000401283c5026d1730de4dbf81462bb1a7439fcb4c59a9b826e111a4c597dfb97318d8c7d9bcba93536f14153cf3141a791bfefa9c95d7d6338624670a62e9d7612a02f302d06092a864886f70d01090e3120301e301c0603551d11041530138111796a6b68746464784073696e612e636f6d
[signature R]
8ff14c5e568a8bb8d5b29d0b05a472ec916701d084b0306abac110f0b2ba128d
[signature S]
bd01a7fe0335baad2f358df8feb11e1e7ef75b4ef3aa22d30a2e7905f217e359

在这里插入图片描述
呵呵,那现在的问题就改为为什么openssl认为签名不对的问题。

暂时放弃好了

试试GMSSL好了

跃龙客
关注
  • 2
    点赞
  • 6
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
openSSL1.0.1o源码含国密算法
05-15
openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL openSSL源码,含国密算法SM2、SM3、SM4、RSA、AES、DES、SSL、TLS、SSL
OpenSSL 3.1.1 ECC 加密、解密、签名、验签(国密 sm2、sm3)
Linuxsisohard的博客
06-05 6632
openssl 3 默认废弃了 旧版本 (opessl 1.x) 的部分api 导致部分旧ecc 代码无法使用(可以通过配置编译选项打开)新接口是真的方便,基本上你都不需要懂啥密码学知识,对我们这种密码白痴来说太好了。,这里展示如何使用新接口用ECC 进行加密解密。
国密算法--Openssl 实现国密算法(加密和解密)
weixin_33955681的博客
11-09 1574
上一次讲了产生密钥,这次我们讲一下加密解密的实现。 先说一下加密解密的流程,一下这些内容都是从国密局发布的国密标准文档里面摘录出来的。大家可以去国密局的网站上自己下载。 下列符号适用于本部分。 A,B:使用公钥密码系统的两个用户。 a,b: Fq中的元素,它们定义Fq上的一条椭圆曲线E。 dB:用户B的私钥。 E(Fq): Fq上椭圆曲线E 的所有有理点(包括无穷远点O)组成的集合。 Fq :包...
OpenSSL 升级支持国密
salahi的专栏
04-24 4134
OpenSSL 升级支持国密
OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法
阿群的笔记(同步备份自简书)
04-08 6969
OpenSSL项目最近6个月添加了许多新特性, 包括对中国SM2/SM3/SM4算法支持: SM2椭圆曲线: https://github.com/openssl/openssl/pull/4793 SM3哈希摘要: https://github.com/openssl/openssl/pull/4616 SM4对称加密: https://gith...
openssl 命令行国密sm2的加密解密签名验签操作
baron-周贺贺-代码改变世界ctw
07-31 1693
原始文件为in,签名为in.sign,使用sha256做摘要后使用SM2算法验签,输出验签结果。签名文件为in,使用sha256做摘要后使用SM2算法签名,输出文件为in.sign。
SM国密算法(二)-- OpenSSL库中分离算法
旭日的博客
05-30 1567
OpenSSL 是用于传输层安全性 (TLS) 和安全套接字层 (SSL) 协议的一个强大、商业级和功能齐全的工具包。它也是一个通用的密码学库,包含有RSA、SM4、DES、AES等诸多加密算法
openssl sm4 加解密
sheng199463的博客
05-07 5739
1.SM4算法介绍 SM4 算法是一种分组密码算法。其分组长度为 16字节,密钥长度也为 16字节。 加密算法与密钥扩展算法均采用 32 轮非线性迭代结构,以字(32 位)为单位进 行加密运算,每一次迭代运算均为一轮变换函数 F。SM4 算法加/解密算法的结构 相同,只是使用轮密钥相反,其中解密轮密钥是加密轮密钥的逆序。 2.代码例子 ...
Openssl+sm4开发实例(含源码)
N阶二进制的博客
10-29 4613
SM4(国密算法)是由中国国家密码管理局(State Cryptography Administration,SCA)提出的分组密码算法,是一种对称加密算法。它是中国国家商用密码算法,也是 ISO/IEC 标准(ISO/IEC 18033-3:2010)中的一部分。SM4 算法被广泛用于中国国内的商用加密应用中。
OpenSSL3.0.1中SM4算法分析
qq_22655313的博客
08-28 2183
SM4分组密码算法是我国自主设计的分组对称密码算法,用于实现数据的加密/解密运算,以保证数据和信息的机密性。SM4属于常见的国密算法,因此在进行OpenSSL3.0.1版本的移植过程中对该算法进行学习和研究。...
openssl 加解密以及国密算法
qianbo042311的博客
08-10 4065
国密即国家密码局认定的国产密码算法。主要有SM1,SM2,SM3,SM4。密钥长度和分组长度均为128位。1、SM1 为对称加密。其加密强度与AES相当。该算法不公开,调用该算法时,需要通过加密芯片的接口进行调用。2、SM2为非对称加密,基于ECC。该算法已公开。由于该算法基于ECC,故其签名速度与秘钥生成速度都快于RSA。ECC 256位(SM2采用的就是ECC 256位的一种)安全强度比RSA 2048位高,但运算速度快于RSA。3、SM3 消息摘要。可以用MD5作为对比理解。该算法已公开。...
支持国密OpenSSL 2.0
07-04
支持国密OpenSSL 版本2.0, 直接使用无需编译。 支持VC以及C++ Builder调用
国密openssl安装包
11-03
国密openssl安装包
使用openssl 1.1.1版本,调试国密SM4算法
11-26
OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法,最近的项目涉及到国密,前期已经完成了SM2算法,近期测试了SM4。代码附上。vs2017亲测通过。支持ECB、CBC 。采用自己打补丁的方式。
delphi openssl国密SM234.rar
04-19
由于项目需要用到国密,国密的资料能直接使用的比较少,delphi的更少.为了统一标准,下载了openssl最新代码,经过大约一周的时间,经历了修改,编译,终于搞定,其中辛酸更不用说了.现在把成果奉献出来,大家可以节省点时间.
openssl-3.1.1.zip
05-31
Openssl-3.1.1, a binary pre-built version of Windows platform, can be used for the dependence of webassembly packaging of rust on openssl. You can also get it from the following address. ...
使用openssl 1.1.1版本,调试国密SM2签名、验签、加密解密、SM3
11-20
OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法,最近的项目涉及到国密,又局限于资源有限,只能只能上了。
Vitis HLS 学习笔记--优化指令-ARRAY_PARTITION
hi94的博客
04-22 1309
ARRAY_PARTITION 指令中非常重要,它用于优化数组的存储和访问。该指令可以将一个大数组分割成多个小数组,以提高并行处理能力和减少访问延迟。
Spring Cloud学习笔记(Feigh):简介,实战简单样例
最新发布
sinat_38393872的博客
04-22 368
是用来帮助发送远程服务的,它让开发者觉得调用远程服务就像是调用本地方法一样,体验非常丝滑。但是最终Netflix决定停止Feign的维护,转而将其变成一个开源项目,由Spring社区维护,并更名为Open Feign。Open Feign和功能上内容基本相同,因为前者是继承后者的缘故,OpenFeign有着更多更完善的功能。所以现在大家都用Open Feign。
php openssl支持国密算法
09-07
是的,PHP OpenSSL支持国密算法OpenSSL是一个开源的软件库,提供了各种加密和安全功能,可以在PHP中使用。国密算法是中国自主开发的一系列密码算法,用于保护网络通信等领域的数据安全。 PHP OpenSSL扩展提供了对国密算法支持,包括SM2、SM3和SM4等。SM2是一种椭圆曲线公钥密码算法,用于数字签名和密钥交换。SM3是一种杂凑函数算法,用于消息摘要和椭圆曲线参数的生成。SM4是一种分组密码算法,用于数据加密和解密。 使用PHP OpenSSL扩展,可以通过调用相应的函数来实现国密算法的功能。例如,可以使用openssl_pkey_new函数生成SM2公私钥对,使用openssl_private_encrypt和openssl_public_decrypt函数进行SM2非对称加密和解密,使用openssl_digest函数计算SM3摘要值,使用openssl_encrypt和openssl_decrypt函数进行SM4对称加密和解密等。 PHP OpenSSL支持国密算法,使得开发人员能够在PHP应用程序中使用这些算法来保护数据的安全性。无论是数字签名、加密通信还是数据摘要,国密算法都提供了一种可靠的解决方案,并且在PHP中实现这些功能变得更加简单和高效。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值