GmSSL - GmSSL的编译、安装和命令行基本指令

2024-05-25 20:12:22 浏览数 (1)

Pre

Java - 一文读懂SM1、SM2、SM3、SM4等国密算法

Java - OpenSSL与国密OpenSSL

Java - 数字签名与数字证书

下载源代码(zip)

下载源代码(zip): https://github.com/guanzhi/GmSSL/archive/master.zip

解压缩至当前工作目录

代码语言:javascript复制
$ unzip GmSSL-master.zip

编译与安装

Linux平台

代码语言:javascript复制
$ mkdir build
$ cd build
$ cmake ..
$ make
$ make test
$ sudo make install

安装之后可以执行gmssl命令行工具检查是否成功

代码语言:javascript复制
$ gmssl version
GmSSL 3.1.0 Dev

SM4加密解密

代码语言:javascript复制
$ KEY=11223344556677881122334455667788
$ IV=11223344556677881122334455667788

$ echo hello | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
$ gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc

$ echo hello | gmssl sm4 -ctr -encrypt -key $KEY -iv $IV -out sm4.ctr
$ gmssl sm4 -ctr -decrypt -key $KEY -iv $IV -in sm4.ctr

SM3摘要

代码语言:javascript复制
$ echo -n abc | gmssl sm3
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo -n abc | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
$ echo -n abc | gmssl sm3hmac -key 11223344556677881122334455667788

SM2签名及验签

代码语言:javascript复制
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem

$ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
$ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678

$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der

SM2加密及解密

代码语言:javascript复制
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem

$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der

生成SM2根证书rootcakey.pem及CA证书cakey.pem

代码语言:javascript复制
$ gmssl sm2keygen -pass 1234 -out rootcakey.pem
$ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
$ gmssl certparse -in rootcacert.pem

$ gmssl sm2keygen -pass 1234 -out cakey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
$ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem

使用CA证书签发签名证书和加密证书

代码语言:javascript复制
$ gmssl sm2keygen -pass 1234 -out signkey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
$ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem

$ gmssl sm2keygen -pass 1234 -out enckey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
$ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem

将签名证书和ca证书合并为服务端证书certs.pem,并验证

代码语言:javascript复制
$ cat signcert.pem > certs.pem
$ cat cacert.pem >> certs.pem
$ gmssl certverify -in certs.pem -cacert rootcacert.pem

查看证书内容:

代码语言:javascript复制
$ gmssl certparse -in cacert.pem

http://gmssl.org/docs/quickstart.html

0 人点赞