├── tls_demo ├── libssl.a ├── libcrypto.a ├── ca.pem ├── README.md ├── svrenc.pem ├── svr.pem ├── client_two.c ├── client_engine.c └── server_two.c ├── openssl3.0 └── openssl3.0.tar.gz ├── others └── README.md ├── cert_sh ├── README.md ├── RSAcertgen.sh ├── CA.cnf ├── eccsignsite.cnf ├── eccencsite.cnf ├── eccsignuser.cnf ├── eccencuser.cnf ├── openssl.cnf ├── SM2certgen.sh └── SM2for3_0.sh ├── README.md └── sm2_exch.c /tls_demo/libssl.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhenyuwei/Guomi/HEAD/tls_demo/libssl.a -------------------------------------------------------------------------------- /tls_demo/libcrypto.a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhenyuwei/Guomi/HEAD/tls_demo/libcrypto.a -------------------------------------------------------------------------------- /openssl3.0/openssl3.0.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zhenyuwei/Guomi/HEAD/openssl3.0/openssl3.0.tar.gz -------------------------------------------------------------------------------- /others/README.md: -------------------------------------------------------------------------------- 1 | # 如何列出Linux下可执行文件依赖某个特定库(.so)的关系 2 | 3 | 最近需要统计Linux下软件(可执行文件)对某个特定库的依赖数,没有找到想要的工具,于是从网上找到一个[Python遍历文件](https://thispointer.com/python-how-to-get-list-of-files-in-directory-and-sub-directories/)的程序,对每个文件添加如下判断: 4 | 5 | * 是否为可执行文件(shell [ -x file ]) 6 | * 是否是软链接(shell [ -L file ]) 7 | * 是否依赖特定库(仅考虑动态链接)(shell [ ldd file | grep -iE "filter" ]) 8 | -------------------------------------------------------------------------------- /cert_sh/README.md: -------------------------------------------------------------------------------- 1 | # 脚本说明 2 | 3 | RSA/SM2证书生成工具,使用`OpenSSL/GmSSL`可以正常生成证书。 4 | 5 | ## RSA证书 6 | 7 | `RSAcertgen.sh` 生成RSA证书,证书配置参数使用当前目录的`openssl.cnf`文件,调整配置请自行修改。 8 | 9 | TEST_CA_DN、TEST_SERVER_DN、TEST_SERVER_ENC_DN等字段对应证书的使用者(issuer)信息,根据需求修改。 10 | 11 | 修改参数包括default_md、keyUsage以及alt_names配置项。 12 | 13 | 配置项说明: 14 | - default_md:默认使用的哈希算法,推荐使用sha256 15 | - keyUsage:扩展字段中的密钥用法,RSA证书推荐使用nonRepudiation, digitalSignature, keyEncipherment这三种 16 | - alt_names:扩展字段的使用者可选名称 17 | 18 | 19 | ## SM2证书 20 | 21 | **《GM/T 0024-2014 SSL VPN技术规范》** 中定义了双证书模式,包括加密证书和签名这里。这里使用不同的cnf配置文件来调整证书的keyUsage字段,决定哪种为加密证书和签名证书。 22 | 23 | 国密证书使用的签名算法为sm3,在每个req文件后指定了签名算法,也可以在cnf中指定。不推荐生成sha系列的国密证书,此证书目前不适用 **《GM/T 0024-2014 SSL VPN技术规范》** 。 24 | -------------------------------------------------------------------------------- /tls_demo/ca.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICBDCCAaqgAwIBAgIJAPuNNgWsUsI9MAoGCCqBHM9VAYN1MHgxDjAMBgNVBAMM 3 | BWVjY2NhMQswCQYDVQQGEwJDTjELMAkGA1UECAwCU0gxCzAJBgNVBAcMAlNIMRIw 4 | EAYDVQQKDAlLb2FsIFNvZnQxDDAKBgNVBAsMA1NTTDEdMBsGCSqGSIb3DQEJARYO 5 | ZWNjY2FAa29hbC5jb20wHhcNMTcwMTA4MjIyMDE1WhcNMjcwMTA2MjIyMDE1WjB4 6 | MQ4wDAYDVQQDDAVlY2NjYTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNIMQswCQYD 7 | VQQHDAJTSDESMBAGA1UECgwJS29hbCBTb2Z0MQwwCgYDVQQLDANTU0wxHTAbBgkq 8 | hkiG9w0BCQEWDmVjY2NhQGtvYWwuY29tMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0D 9 | QgAE7Xayxv9pyv/AeUiSvVC6odH0rupRbSGdygq7yJrgoNrVi2GJfBQSWVrp+sjJ 10 | h0odn84e//BxRvZcWCMxqEZE0qMdMBswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMC 11 | AuQwCgYIKoEcz1UBg3UDSAAwRQIgAVIn9NfHzfdq/oLvSaZZYIX+/Rv0ePD8S2zh 12 | lnDxFkoCIQDZ9GBYpPH1GJYdSrLdCgZc88IuCg+XaNIW30QwSdwwxg== 13 | -----END CERTIFICATE----- 14 | -------------------------------------------------------------------------------- /tls_demo/README.md: -------------------------------------------------------------------------------- 1 | # 简单描述 2 | 3 | ------ 4 | 5 | 程序为测试工具,用于检测是否可以正常使用国密单向和双向功能,这里仅用于调试。 6 | 7 | ## 操作说明 8 | 9 | 静态库在`Ubuntu 14.04.5 LTS`环境下`gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)`编译得到,可以拷贝GmSSL的头文件到指定目录即可编译。 10 | 11 | 程序编译方式: gcc -g -o client_two client_two.c ./libssl.a ./libcrypto.a -L./ (include文件放置在/usr/local/include目录下,因此这里不需要在添加-I参数) 12 | 13 | 测试的server_two.c和client_two.c使用的证书为同一份证书,如果修改证书内容,需要调整证书的使用方式: 14 | 15 | - 客户端的ca为签发的server的证书,为了完成服务器证书链的校验 16 | - 服务器使用的ca为签发client的证书,为了完成客户端证书链的校验 17 | 18 | 因此为了方便这里使用了一套证书操作。 19 | 20 | 程序使用OpenSSL测试国密双证书功能,包含客户端和服务端使用的OpenSSL接口,其中_engine为调用OpenSSL的engine机制实现硬件扩展,国密SKF接口硬件测试demo,目前基于GmSSL的国密SFK硬件测试功能已经完成,测试正常,使用只需要将当前的SKF.so文件配置到安装OpenSSL的lib库下engines-1.1目录。 21 | 22 | ## 功能完善 23 | 24 | 待添加SKF.so的实现方式,后续调整完成后上传。 25 | 26 | ### 功能列表 27 | 28 | - [x] 双向认证 29 | - [ ] 阻塞模式 30 | - [x] ENGINE方式 31 | - [x] 国密双证书 32 | - [ ] 多平台支持 33 | 34 | ### [Windows/Mac/Linux 全平台客户端] 35 | 36 | > 代码在多平台共用,整理完成后上传。 37 | -------------------------------------------------------------------------------- /tls_demo/svrenc.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICDDCCAbKgAwIBAgIJAJeHv6sBofdbMAoGCCqBHM9VAYN1MHgxDjAMBgNVBAMM 3 | BWVjY2NhMQswCQYDVQQGEwJDTjELMAkGA1UECAwCU0gxCzAJBgNVBAcMAlNIMRIw 4 | EAYDVQQKDAlLb2FsIFNvZnQxDDAKBgNVBAsMA1NTTDEdMBsGCSqGSIb3DQEJARYO 5 | ZWNjY2FAa29hbC5jb20wHhcNMTcwMTA4MjIyNDU4WhcNMjcwMTA2MjIyNDU4WjCB 6 | gjETMBEGA1UEAwwKZWNjZW5jc2l0ZTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNI 7 | MQswCQYDVQQHDAJTSDESMBAGA1UECgwJS29hbCBTb2Z0MQwwCgYDVQQLDANTU0wx 8 | IjAgBgkqhkiG9w0BCQEWE2VjY2VuY3NpdGVAa29hbC5jb20wWTATBgcqhkjOPQIB 9 | BggqgRzPVQGCLQNCAATdil2meAmPFIAmxbKIdhffwduSaU0S8FHHV+oejHnN+JbG 10 | oRq+jAdFBuObkvvXCnAdHk5aTEHHa1/YFcd7bHrYoxowGDAJBgNVHRMEAjAAMAsG 11 | A1UdDwQEAwIEcDAKBggqgRzPVQGDdQNIADBFAiAXG+dPcucaaLuIz+tmyh2AUjVW 12 | nEA428LEQRHV8Zz1iwIhAMWX4CQ79eI+DhZ3/eLl7mrOF3I/mosBsIWWXGS2bMaJ 13 | -----END CERTIFICATE----- 14 | -----BEGIN EC PRIVATE KEY----- 15 | MHcCAQEEIC08TqHoULuqfTMSj8vdii7yV47mcIt5FEvPf9TSTWEzoAoGCCqBHM9V 16 | AYItoUQDQgAE3YpdpngJjxSAJsWyiHYX38HbkmlNEvBRx1fqHox5zfiWxqEavowH 17 | RQbjm5L71wpwHR5OWkxBx2tf2BXHe2x62A== 18 | -----END EC PRIVATE KEY----- 19 | -------------------------------------------------------------------------------- /tls_demo/svr.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICDjCCAbSgAwIBAgIJAJeHv6sBofdaMAoGCCqBHM9VAYN1MHgxDjAMBgNVBAMM 3 | BWVjY2NhMQswCQYDVQQGEwJDTjELMAkGA1UECAwCU0gxCzAJBgNVBAcMAlNIMRIw 4 | EAYDVQQKDAlLb2FsIFNvZnQxDDAKBgNVBAsMA1NTTDEdMBsGCSqGSIb3DQEJARYO 5 | ZWNjY2FAa29hbC5jb20wHhcNMTcwMTA4MjIyNDA1WhcNMjcwMTA2MjIyNDA1WjCB 6 | hDEUMBIGA1UEAwwLZWNjc2lnbnVzZXIxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJT 7 | SDELMAkGA1UEBwwCU0gxEjAQBgNVBAoMCUtvYWwgU29mdDEMMAoGA1UECwwDU1NM 8 | MSMwIQYJKoZIhvcNAQkBFhRlY2NzaWdudXNlckBrb2FsLmNvbTBZMBMGByqGSM49 9 | AgEGCCqBHM9VAYItA0IABABwRzSc9xk5ak1ieE0kIuHjrOo7R9td/ST1N2+729+r 10 | 8MWfh7QBlTL4BLr/l7Sy3xyNzEQyoVDgrU3SgmfkT3GjGjAYMAkGA1UdEwQCMAAw 11 | CwYDVR0PBAQDAgbAMAoGCCqBHM9VAYN1A0gAMEUCIQCDnf3NgZ+l51gkNYlJpKvN 12 | +RMJ7aTrj7xJrdG/mPm0ogIgM13gbbg/6q7ApPFLWpJvYYKCgdilcbMrrNaHmDUC 13 | u8w= 14 | -----END CERTIFICATE----- 15 | -----BEGIN EC PRIVATE KEY----- 16 | MHcCAQEEIBGZ0390DYrT8JqVqID3R4mx81/78K9mwlv+8VYRfjKUoAoGCCqBHM9V 17 | AYItoUQDQgAEAHBHNJz3GTlqTWJ4TSQi4eOs6jtH2139JPU3b7vb36vwxZ+HtAGV 18 | MvgEuv+XtLLfHI3MRDKhUOCtTdKCZ+RPcQ== 19 | -----END EC PRIVATE KEY----- 20 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 国密 2 | 3 | 国密VPN/国密浏览器/国密网关 4 | 5 | ## 国密算法 6 | 7 | - 软算法-`OpenSSL/BoringSSL` 8 | - 硬件支持-国密USB KEY(海泰方圆、飞天诚信、渔翁科技),使用`OpenSSL`的`engine`源码方式(包括Windows和Linux平台) 9 | 10 | 软算法: 11 | 12 | - 算法添加方式,从零添加完整的(`SM2/3/4`)算法实现 13 | - 源码测试`demo` 14 | - 说明文档 15 | 16 | 国标`USB KEY`: 17 | 18 | - 使用 `OpenSSL` 提供的 `engine` 实现对国密 `USB KEY` 支持 19 | - `engine` 便于添加和移除新硬件(测过海泰方圆、飞天诚信和渔翁科技的国密 `USB KEY`) 20 | - `BoringSSL` 的 `engine` 实现 21 | 22 | ## 国标VPN 23 | 24 | **《GM/T 0024-2014 SSL VPN技术规范》** 在`OpenSSL/BoringSSL` 的实现,实现的VPN能够与国家商用密码检测中心的测试机通信,并详细说明哪些部分与标准文档中有差异,便于了解实现流程。 25 | 26 | 基于OpenSSL开源的国密VPN工程有[GmSSL](https://github.com/guanzhi/GmSSL)和[TaSSL](https://github.com/jntass/TASSL) [TaSSL-1.1.1b](https://github.com/jntass/TASSL-1.1.1b),有兴趣的可以参考其实现方式。最新的`OpenSSL-3.x.x`算法添加方式与以往的版本存在差异。 27 | 28 | [GmSSL](https://gmssl.cn/gmssl/index.jsp)实现了nginx/apache/tomcat版本的国密,[myssl](https://myssl.com/)提供了国密测试功能,类似[ssllabs](https://www.ssllabs.com/ssltest/). 29 | 30 | * 国密证书 - 支持使用`SM2certgen.sh`脚本生成证书,自定义配置参数 31 | * 国标双证书`demo` 32 | * `OpenSSL`的阻塞通信方式 33 | 34 | ## 国密浏览器 35 | 36 | Chromium源码集成国标VPN协议,实现国密通信。实现方式可以通过白名单放行或者自适应TLS和国密VPN协议,对两种实现方式做简单描述: 37 | 38 | - 白名单放行-通过配置国密 `URL` 地址来适配国密VPN协议,只有在配置在白名单的网址才能使用过VPN通道 39 | - 自适应协议-根据请求的网址,内核内部自动处理,响应相关的TLS或国密VPN协议 40 | 41 | 之前在公司见过另一种实现方式,但不推荐使用此方式,具体方法是在原有的HTTP流程注入TLS协议,可以使用OpenSSL或者其它第三方实现国密VPN套件,打断原有的HTTP流程,在通信建立后数据传输前添加国密TLS流程,达到实现HTTPS的方式。 42 | 43 | 对于上述两种方案,第一种已经实现并在Windows端测试正常,并与国内的国密浏览器做相应测试[中国银行](https://ebssec.boc.cn/boc15/login.html),性能突出。 44 | 目前还有[ovssl](https://sm2test.ovssl.cn/)此服务器可以测试国密VPN,但需要使用具备国密VPN通信的浏览器,否则为TLS协议 45 | 46 | ## GmSSL完善 47 | 48 | 添加sm2dhe的SM2_compute_share_key的实现方式,具体内容参考《GM/T 0009-2012 SM2 密码算法使用规范》的9.6内容。 49 | 50 | ## OpenSSL3.0国密套件 51 | 52 | openssl3.0文件夹内包含了最新的openssl代码支持国密0024-2014的E013密码套件的静态库,头文件,可执行文件openssl和测试用例。 53 | 54 | - 国密测试:openssl s_client -smtls -msg -debug -connect ebssec.boc.cn:443 55 | - TLS测试:openssl s_client -tls1_2 -msg -debug -connect www.baidu.com:443 56 | -------------------------------------------------------------------------------- /sm2_exch.c: -------------------------------------------------------------------------------- 1 | /* pms, &pmslen, ---out info 2 | EC_KEY_get0_public_key(peer_ephem), ---peer temp key Rb 3 | ephem, ---local temp key 4 | EC_KEY_get0_public_key(peer_pk), ---local peer cert key Ra 5 | sk, ---local cert key 6 | initiator = 0 7 | */ 8 | int SM2_compute_share_key(unsigned char *out, size_t *outlen, 9 | const EC_KEY *peer_ephem, EC_KEY *ephem, 10 | const EC_KEY *peer_pk, EC_KEY *sk, int initiator) 11 | { 12 | int ret = 0; 13 | SM2_KAP_CTX ctx; 14 | const BIGNUM *prikey; 15 | BIGNUM *h = NULL, *x = NULL; 16 | unsigned char ephem_point[128] = {0}; 17 | size_t ephem_point_len = sizeof(ephem_point); 18 | 19 | memset(&ctx, 0, sizeof(ctx)); 20 | 21 | /* last param is 0 (do_checksum) donot check S in key agreement, S no send to check others */ 22 | if (!SM2_KAP_CTX_init(&ctx, sk, SM2_DEFAULT_ID, 16, peer_pk, SM2_DEFAULT_ID, 16, initiator, 0)) { 23 | ECerr(EC_F_SM2_KAP_CTX_INIT, ERR_R_INIT_FAIL); 24 | goto end; 25 | } 26 | 27 | /* get private key */ 28 | if (!(prikey = EC_KEY_get0_private_key(ctx.ec_key))) { 29 | ECerr(EC_F_SM2_KAP_PREPARE, EC_R_SM2_KAP_NOT_INITED); 30 | return 0; 31 | } 32 | 33 | h = BN_new(); 34 | x = BN_new(); 35 | 36 | if (!h || !x) { 37 | ECerr(EC_F_SM2_KAP_PREPARE, 0); 38 | goto end; 39 | } 40 | 41 | if (EC_METHOD_get_field_type(EC_GROUP_method_of(ctx.group)) == NID_X9_62_prime_field) { 42 | if (!EC_POINT_get_affine_coordinates_GFp(ctx.group, EC_KEY_get0_public_key(ephem), x, NULL, ctx.bn_ctx)) { 43 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_EC_LIB); 44 | goto end; 45 | } 46 | } else { 47 | if (!EC_POINT_get_affine_coordinates_GF2m(ctx.group, EC_KEY_get0_public_key(ephem), x, NULL, ctx.bn_ctx)) { 48 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_EC_LIB); 49 | goto end; 50 | } 51 | } 52 | 53 | /* 54 | * w = ceil(keybits / 2) - 1 55 | * x = 2^w + (x and (2^w - 1)) = 2^w + (x mod 2^w) 56 | * t = (d + x * r) mod n 57 | * t = (h * t) mod n 58 | */ 59 | if (!ctx.t) { 60 | ECerr(EC_F_SM2_KAP_PREPARE, EC_R_SM2_KAP_NOT_INITED); 61 | goto end; 62 | } 63 | 64 | /* step A4 | step B3 */ 65 | if (!BN_nnmod(x, x, ctx.two_pow_w, ctx.bn_ctx)) {/* ctx->two_pow_w = 2^w x mod 2^w */ 66 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_BN_LIB); 67 | goto end; 68 | } 69 | if (!BN_add(x, x, ctx.two_pow_w)) {/* x = 2^w + (x and (2^w - 1)) = 2^w + (x mod 2^w) */ 70 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_BN_LIB); 71 | goto end; 72 | } 73 | 74 | /* step A5 | step B4 */ 75 | if (!BN_mod_mul(ctx.t, x, EC_KEY_get0_private_key(ephem), ctx.order, ctx.bn_ctx)) {/* t = ( x * r) mod n */ 76 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_BN_LIB); 77 | goto end; 78 | } 79 | if (!BN_mod_add(ctx.t, ctx.t, prikey, ctx.order, ctx.bn_ctx)) {/* t = (d + x * r) mod n */ 80 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_BN_LIB); 81 | goto end; 82 | } 83 | 84 | if (!EC_GROUP_get_cofactor(ctx.group, h, ctx.bn_ctx)) {/* h */ 85 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_EC_LIB); 86 | goto end; 87 | } 88 | 89 | if (!BN_mul(ctx.t, ctx.t, h, ctx.bn_ctx)) { /* t = (h * t) mod n */ 90 | ECerr(EC_F_SM2_KAP_PREPARE, ERR_R_BN_LIB); 91 | goto end; 92 | } 93 | 94 | /* encode R = (x, y) for output and local buffer */ 95 | /* FIXME: ret is size_t and ret is the output length */ 96 | ret = EC_POINT_point2oct(ctx.group, EC_KEY_get0_public_key(peer_ephem), ctx.point_form, 97 | ephem_point, ephem_point_len, ctx.bn_ctx); 98 | 99 | memcpy(ctx.pt_buf, ephem_point, ret); 100 | ephem_point_len = ret; 101 | 102 | ret = 0; 103 | 104 | 105 | if (!SM2_KAP_compute_key(&ctx, ephem_point, ephem_point_len, out, *outlen, NULL, 0)) { 106 | ECerr(EC_F_SM2_KAP_COMPUTE_KEY, ERR_R_KDF2_LIB); 107 | goto end; 108 | } 109 | 110 | ret = 1; 111 | 112 | end: 113 | 114 | SM2_KAP_CTX_cleanup(&ctx); 115 | if (h) BN_free(h); 116 | if (x) BN_free(x); 117 | 118 | return ret; 119 | } -------------------------------------------------------------------------------- /tls_demo/client_two.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | #define MAXBUF 1024 14 | 15 | #define CA_FILE "ca.pem" 16 | #define CLIENT_KEY "svr.pem" 17 | #define CLIENT_CERT "svr.pem" 18 | #define CLIENT_ENC_KEY "svrenc.pem" 19 | #define CLIENT_ENC_CERT "svrenc.pem" 20 | 21 | void ShowCerts(SSL * ssl) 22 | { 23 | X509 *cert; 24 | char *line; 25 | cert = SSL_get_peer_certificate(ssl); 26 | if (cert != NULL) { 27 | printf("数字证书信息:\n"); 28 | line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); 29 | printf("证书: %s\n", line); 30 | free(line); 31 | line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); 32 | printf("颁发者: %s\n", line); 33 | free(line); 34 | X509_free(cert); 35 | } else { 36 | printf("无证书信息!\n"); 37 | } 38 | } 39 | 40 | int main(int argc, char **argv) 41 | { 42 | int sockfd, len; 43 | struct sockaddr_in dest; 44 | char buffer[MAXBUF + 1]; 45 | SSL_CTX *ctx; 46 | SSL *ssl; 47 | const SSL_METHOD *method; 48 | 49 | if (argc != 3) { 50 | printf("参数格式错误!正确用法如下:\n\t\t%s IP地址 端口\n\t比如:\t%s 127.0.0.1 80\n此程序用来从某个" 51 | "IP 地址的服务器某个端口接收最多 MAXBUF 个字节的消息", argv[0], argv[0]); 52 | exit(0); 53 | } 54 | 55 | /* Init SSL info */ 56 | SSL_library_init(); 57 | SSL_load_error_strings(); 58 | OpenSSL_add_all_algorithms(); 59 | method = GMTLS_client_method(); /* set gmssl protocal */ 60 | ctx = SSL_CTX_new(method); 61 | 62 | if (!ctx) { 63 | printf("create ctx is failed.\n"); 64 | } 65 | 66 | const char * cipher_list = "SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3"; 67 | if (SSL_CTX_set_cipher_list(ctx, cipher_list) == 0) { /* set cipher suit in clienthello */ 68 | SSL_CTX_free(ctx); 69 | printf("Failed to set cipher list: %s", cipher_list); 70 | } 71 | 72 | /*设置会话的握手方式*/ 73 | //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); 74 | 75 | /*加载CA FILE*/ 76 | if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) { 77 | SSL_CTX_free(ctx); 78 | printf("Failed to load CA file %s", CA_FILE); 79 | } 80 | if (SSL_CTX_set_default_verify_paths(ctx) != 1) { 81 | SSL_CTX_free(ctx); 82 | printf("Call to SSL_CTX_set_default_verify_paths failed"); 83 | } 84 | /*加载客户端签名证书*/ 85 | if (SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM) != 1) { 86 | SSL_CTX_free(ctx); 87 | printf("Failed to load client certificate from %s", CLIENT_KEY); 88 | } 89 | /*加载客户端签名私钥*/ 90 | if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY, SSL_FILETYPE_PEM) != 1) { 91 | SSL_CTX_free(ctx); 92 | printf("Failed to load client private key from %s", CLIENT_KEY); 93 | } 94 | /*验证私钥*/ 95 | if (SSL_CTX_check_private_key(ctx) != 1) { 96 | SSL_CTX_free(ctx); 97 | printf("SSL_CTX_check_private_key failed"); 98 | } 99 | 100 | /*加载客户端加密证书*/ 101 | if (SSL_CTX_use_certificate_file(ctx, CLIENT_ENC_CERT, SSL_FILETYPE_PEM) != 1) { 102 | SSL_CTX_free(ctx); 103 | printf("Failed to load client certificate from %s", CLIENT_KEY); 104 | } 105 | /*加载客户端加密私钥*/ 106 | if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_ENC_KEY, SSL_FILETYPE_PEM) != 1) { 107 | SSL_CTX_free(ctx); 108 | printf("Failed to load client private key from %s", CLIENT_KEY); 109 | } 110 | /*验证私钥*/ 111 | if (SSL_CTX_check_private_key(ctx) != 1) { 112 | SSL_CTX_free(ctx); 113 | printf("SSL_CTX_check_private_key failed"); 114 | } 115 | 116 | /*处理握手多次*/ 117 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 118 | 119 | if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { 120 | perror("Socket"); 121 | exit(errno); 122 | } 123 | 124 | bzero(&dest, sizeof(dest)); 125 | dest.sin_family = AF_INET; 126 | dest.sin_port = htons(atoi(argv[2])); 127 | if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0) { 128 | perror(argv[0]); 129 | exit(errno); 130 | } 131 | 132 | if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) { 133 | perror("Connect "); 134 | exit(errno); 135 | } 136 | 137 | /*创建SSL*/ 138 | ssl = SSL_new(ctx); 139 | if (ssl == NULL) { 140 | printf("SSL_new error.\n"); 141 | } 142 | /*将fd添加到ssl层*/ 143 | SSL_set_fd(ssl, sockfd); 144 | if (SSL_connect(ssl) == -1) { 145 | printf("SSL_connect fail.\n"); 146 | ERR_print_errors_fp(stderr); 147 | } else { 148 | printf("Connected with %s encryption\n", SSL_get_cipher(ssl)); 149 | //ShowCerts(ssl); 150 | } 151 | 152 | bzero(buffer, MAXBUF + 1); 153 | strcpy(buffer, "from client->server"); 154 | 155 | len = SSL_write(ssl, buffer, strlen(buffer)); 156 | if (len < 0) { 157 | printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buffer, errno, strerror(errno)); 158 | } else { 159 | printf("消息'%s'发送成功,共发送了%d个字节!\n", buffer, len); 160 | } 161 | 162 | bzero(buffer, MAXBUF + 1); 163 | len = SSL_read(ssl, buffer, MAXBUF); 164 | if (len > 0) { 165 | printf("接收消息成功:'%s',共%d个字节的数据\n", buffer, len); 166 | } else { 167 | printf("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); 168 | goto finish; 169 | } 170 | 171 | finish: 172 | SSL_shutdown(ssl); 173 | SSL_free(ssl); 174 | close(sockfd); 175 | SSL_CTX_free(ctx); 176 | return 0; 177 | } 178 | -------------------------------------------------------------------------------- /tls_demo/client_engine.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | #define MAXBUF 1024 16 | 17 | #define CA_FILE "ca.pem" 18 | #define CLIENT_KEY "svr.pem" 19 | #define CLIENT_CERT "svr.pem" 20 | #define CLIENT_ENC_KEY "svrenc.pem" 21 | #define CLIENT_ENC_CERT "svrenc.pem" 22 | 23 | #define USE_ENGINE 1 24 | 25 | void ShowCerts(SSL * ssl) 26 | { 27 | X509 *cert; 28 | char *line; 29 | cert = SSL_get_peer_certificate(ssl); 30 | if (cert != NULL) { 31 | printf("数字证书信息:\n"); 32 | line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); 33 | printf("证书: %s\n", line); 34 | free(line); 35 | line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); 36 | printf("颁发者: %s\n", line); 37 | free(line); 38 | X509_free(cert); 39 | } else { 40 | printf("无证书信息!\n"); 41 | } 42 | } 43 | 44 | int main(int argc, char **argv) 45 | { 46 | int sockfd, len; 47 | struct sockaddr_in dest; 48 | char buffer[MAXBUF + 1]; 49 | SSL_CTX *ctx; 50 | SSL *ssl; 51 | const SSL_METHOD *method; 52 | 53 | #if USE_ENGINE 54 | ENGINE *sm_skf = NULL; 55 | ENGINE_load_dynamic(); 56 | sm_skf = ENGINE_by_id("SKF"); 57 | if (!sm_skf) { 58 | fprintf(stderr, "SM ENGINE is null.\n"); 59 | exit(1); 60 | } 61 | ENGINE_register_complete(sm_skf); 62 | ENGINE_init(sm_skf); 63 | #endif 64 | 65 | if (argc != 3) { 66 | printf("参数格式错误!正确用法如下:\n\t\t%s IP地址 端口\n\t比如:\t%s 127.0.0.1 80\n此程序用来从某个" 67 | "IP 地址的服务器某个端口接收最多 MAXBUF 个字节的消息", argv[0], argv[0]); 68 | exit(0); 69 | } 70 | 71 | /* Init SSL info */ 72 | SSL_library_init(); 73 | SSL_load_error_strings(); 74 | OpenSSL_add_all_algorithms(); 75 | method = GMTLS_client_method(); /* set gmssl protocal */ 76 | ctx = SSL_CTX_new(method); 77 | 78 | if (!ctx) { 79 | printf("create ctx is failed.\n"); 80 | } 81 | 82 | const char * cipher_list = "SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3"; 83 | if (SSL_CTX_set_cipher_list(ctx, cipher_list) == 0) { 84 | SSL_CTX_free(ctx); 85 | printf("Failed to set cipher list: %s", cipher_list); 86 | } 87 | 88 | /*设置会话的握手方式*/ 89 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); 90 | 91 | /*加载CA FILE*/ 92 | if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) { 93 | SSL_CTX_free(ctx); 94 | printf("Failed to load CA file %s", CA_FILE); 95 | } 96 | if (SSL_CTX_set_default_verify_paths(ctx) != 1) { 97 | SSL_CTX_free(ctx); 98 | printf("Call to SSL_CTX_set_default_verify_paths failed"); 99 | } 100 | /*加载客户端签名证书*/ 101 | if (SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM) != 1) { 102 | SSL_CTX_free(ctx); 103 | printf("Failed to load client certificate from %s", CLIENT_KEY); 104 | } 105 | #if !USE_ENGINE 106 | /*加载客户端签名私钥*/ 107 | if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY, SSL_FILETYPE_PEM) != 1) { 108 | SSL_CTX_free(ctx); 109 | printf("Failed to load client private key from %s", CLIENT_KEY); 110 | } 111 | /*验证私钥*/ 112 | if (SSL_CTX_check_private_key(ctx) != 1) { 113 | SSL_CTX_free(ctx); 114 | printf("SSL_CTX_check_private_key failed"); 115 | } 116 | #endif 117 | 118 | /*加载客户端加密证书*/ 119 | if (SSL_CTX_use_certificate_file(ctx, CLIENT_ENC_CERT, SSL_FILETYPE_PEM) != 1) { 120 | SSL_CTX_free(ctx); 121 | printf("Failed to load client certificate from %s", CLIENT_KEY); 122 | } 123 | /*加载客户端加密私钥*/ 124 | if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_ENC_KEY, SSL_FILETYPE_PEM) != 1) { 125 | SSL_CTX_free(ctx); 126 | printf("Failed to load client private key from %s", CLIENT_KEY); 127 | } 128 | /*验证私钥*/ 129 | if (SSL_CTX_check_private_key(ctx) != 1) { 130 | SSL_CTX_free(ctx); 131 | printf("SSL_CTX_check_private_key failed"); 132 | } 133 | 134 | /*处理握手多次*/ 135 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 136 | 137 | if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { 138 | perror("Socket"); 139 | exit(errno); 140 | } 141 | 142 | bzero(&dest, sizeof(dest)); 143 | dest.sin_family = AF_INET; 144 | dest.sin_port = htons(atoi(argv[2])); 145 | if (inet_aton(argv[1], (struct in_addr *) &dest.sin_addr.s_addr) == 0) { 146 | perror(argv[0]); 147 | exit(errno); 148 | } 149 | 150 | if (connect(sockfd, (struct sockaddr *) &dest, sizeof(dest)) != 0) { 151 | perror("Connect "); 152 | exit(errno); 153 | } 154 | 155 | /*创建SSL*/ 156 | ssl = SSL_new(ctx); 157 | if (ssl == NULL) { 158 | printf("SSL_new error.\n"); 159 | } 160 | /*将fd添加到ssl层*/ 161 | SSL_set_fd(ssl, sockfd); 162 | if (SSL_connect(ssl) == -1) { 163 | printf("SSL_connect fail.\n"); 164 | ERR_print_errors_fp(stderr); 165 | } else { 166 | printf("Connected with %s encryption\n", SSL_get_cipher(ssl)); 167 | ShowCerts(ssl); 168 | } 169 | 170 | bzero(buffer, MAXBUF + 1); 171 | strcpy(buffer, "from client->server"); 172 | 173 | len = SSL_write(ssl, buffer, strlen(buffer)); 174 | if (len < 0) { 175 | printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buffer, errno, strerror(errno)); 176 | } else { 177 | printf("消息'%s'发送成功,共发送了%d个字节!\n", buffer, len); 178 | } 179 | 180 | bzero(buffer, MAXBUF + 1); 181 | len = SSL_read(ssl, buffer, MAXBUF); 182 | if (len > 0) { 183 | printf("接收消息成功:'%s',共%d个字节的数据\n", buffer, len); 184 | } else { 185 | printf("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); 186 | goto finish; 187 | } 188 | 189 | 190 | finish: 191 | 192 | #if USE_ENGINE 193 | ENGINE_finish(sm_skf); 194 | ENGINE_free(sm_skf); 195 | #endif 196 | SSL_shutdown(ssl); 197 | SSL_free(ssl); 198 | close(sockfd); 199 | SSL_CTX_free(ctx); 200 | return 0; 201 | } 202 | -------------------------------------------------------------------------------- /tls_demo/server_two.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define MAXBUF 1024 15 | 16 | #define CA_FILE "ca.pem" 17 | #define SERVER_KEY "svr.pem" 18 | #define SERVER_CERT "svr.pem" 19 | #define SERVER_ENC_KEY "svrenc.pem" 20 | #define SERVER_ENC_CERT "svrenc.pem" 21 | 22 | 23 | void ShowCerts(SSL * ssl) 24 | { 25 | X509 *cert; 26 | char *line; 27 | cert = SSL_get_peer_certificate(ssl); 28 | if (cert != NULL) { 29 | printf("数字证书信息:\n"); 30 | line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0); 31 | printf("证书: %s\n", line); 32 | //free(line); 33 | line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0); 34 | printf("颁发者: %s\n", line); 35 | //free(line); 36 | X509_free(cert); 37 | } else { 38 | printf("无证书信息!\n"); 39 | } 40 | } 41 | 42 | int main(int argc, char **argv) 43 | { 44 | int sockfd, new_fd; 45 | int reuse = 0; 46 | socklen_t len; 47 | struct sockaddr_in my_addr, their_addr; 48 | unsigned int myport, lisnum; 49 | char buf[MAXBUF + 1]; 50 | SSL_CTX *ctx; 51 | const SSL_METHOD *method; 52 | 53 | if (argv[1]) { 54 | myport = atoi(argv[1]); 55 | } else { 56 | myport = 7838; 57 | } 58 | printf("listen port:[%d]\n",myport); 59 | 60 | if (argv[2]) { 61 | lisnum = atoi(argv[2]); 62 | } else { 63 | lisnum = 2; 64 | } 65 | 66 | SSL_library_init(); 67 | OpenSSL_add_all_algorithms(); 68 | SSL_load_error_strings(); 69 | 70 | method = GMTLS_server_method(); 71 | ctx = SSL_CTX_new(method); 72 | if (ctx == NULL) { 73 | ERR_print_errors_fp(stdout); 74 | exit(1); 75 | } 76 | 77 | #if 0 78 | // const char *cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"; 79 | const char * cipher_list = "ECDHE-SM2-WITH-SMS4-SHA256:ECDHE-SM2-WITH-SMS4-SM3:SM9-WITH-SMS4-SM3:SM9DHE-WITH-SMS4-SM3:SM2-WITH-SMS4-SM3:SM2DHE-WITH-SMS4-SM3:AES128-SHA:RSA-WITH-SMS4-SHA1:RSA-WITH-SMS4-SM3"; 80 | if (SSL_CTX_set_cipher_list(ctx, cipher_list) == 0) { 81 | SSL_CTX_free(ctx); 82 | printf("Failed to set cipher list %s", cipher_list); 83 | } 84 | #endif 85 | 86 | SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0); 87 | /*加载CA FILE*/ 88 | if (SSL_CTX_load_verify_locations(ctx, CA_FILE, 0) != 1) { 89 | SSL_CTX_free(ctx); 90 | printf("Failed to load CA file %s", CA_FILE); 91 | } 92 | /*加载服务端签名证书*/ 93 | if (SSL_CTX_use_certificate_file(ctx, SERVER_CERT, SSL_FILETYPE_PEM) <= 0) { 94 | ERR_print_errors_fp(stdout); 95 | exit(1); 96 | } 97 | /*加载服务端签名私钥*/ 98 | if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) <= 0) { 99 | printf("use private key fail.\n"); 100 | ERR_print_errors_fp(stdout); 101 | exit(1); 102 | } 103 | /*验证私钥*/ 104 | if (!SSL_CTX_check_private_key(ctx)) { 105 | ERR_print_errors_fp(stdout); 106 | exit(1); 107 | } 108 | 109 | /*加载服务端加密证书*/ 110 | if (SSL_CTX_use_certificate_file(ctx, SERVER_ENC_CERT, SSL_FILETYPE_PEM) <= 0) { 111 | ERR_print_errors_fp(stdout); 112 | exit(1); 113 | } 114 | /*加载服务端加密私钥*/ 115 | if (SSL_CTX_use_PrivateKey_file(ctx, SERVER_ENC_KEY, SSL_FILETYPE_PEM) <= 0) { 116 | printf("use private key fail.\n"); 117 | ERR_print_errors_fp(stdout); 118 | exit(1); 119 | } 120 | /*验证私钥*/ 121 | if (!SSL_CTX_check_private_key(ctx)) { 122 | ERR_print_errors_fp(stdout); 123 | exit(1); 124 | } 125 | 126 | //处理握手多次 127 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 128 | 129 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) { 130 | perror("socket"); 131 | exit(1); 132 | } else { 133 | printf("socket created\n"); 134 | } 135 | 136 | if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(reuse)) < 0){ 137 | printf("setsockopet error\n"); 138 | return -1; 139 | } 140 | 141 | bzero(&my_addr, sizeof(my_addr)); 142 | my_addr.sin_family = PF_INET; 143 | my_addr.sin_port = htons(myport); 144 | my_addr.sin_addr.s_addr = INADDR_ANY; 145 | 146 | if (bind(sockfd, (struct sockaddr *) &my_addr, sizeof(struct sockaddr)) == -1) { 147 | perror("bind"); 148 | exit(1); 149 | } 150 | printf("Server bind success.\n"); 151 | 152 | if (listen(sockfd, lisnum) == -1) { 153 | perror("listen"); 154 | exit(1); 155 | } 156 | printf("Server begin to listen\n"); 157 | 158 | while (1) { 159 | SSL *ssl; 160 | SSL_SESSION *session1 = NULL; 161 | len = sizeof(struct sockaddr); 162 | 163 | if ((new_fd = accept(sockfd, (struct sockaddr *) &their_addr, &len)) == -1) { 164 | perror("accept"); 165 | exit(errno); 166 | } 167 | 168 | printf("Server: receive a connection from %s, port %d, socket %d\n", inet_ntoa(their_addr.sin_addr), ntohs(their_addr.sin_port), new_fd); 169 | 170 | ssl = SSL_new(ctx); 171 | if (ssl == NULL) { 172 | printf("SSL_new error.\n"); 173 | } 174 | 175 | SSL_set_fd(ssl, new_fd); 176 | 177 | if (SSL_accept(ssl) == -1) { 178 | perror("accept"); 179 | ERR_print_errors_fp(stderr); 180 | close(new_fd); 181 | break; 182 | } 183 | printf("Server with %s encryption\n", SSL_get_cipher(ssl)); 184 | ShowCerts(ssl); 185 | 186 | 187 | bzero(buf, MAXBUF + 1); 188 | len = SSL_read(ssl, buf, MAXBUF); 189 | if (len > 0) { 190 | printf("接收消息成功:'%s',共%d个字节的数据\n", buf, len); 191 | } else { 192 | printf("消息接收失败!错误代码是%d,错误信息是'%s'\n", errno, strerror(errno)); 193 | } 194 | 195 | 196 | bzero(buf, MAXBUF + 1); 197 | strcpy(buf, "server->client"); 198 | len = SSL_write(ssl, buf, strlen(buf)); 199 | if (len <= 0) { 200 | printf("消息'%s'发送失败!错误代码是%d,错误信息是'%s'\n", buf, errno, strerror(errno)); 201 | goto finish; 202 | } else { 203 | printf("消息'%s'发送成功,共发送了%d个字节!\n", buf, len); 204 | } 205 | session1 = SSL_get_session(ssl); 206 | 207 | finish: 208 | SSL_shutdown(ssl); 209 | SSL_free(ssl); 210 | close(new_fd); 211 | } 212 | 213 | close(sockfd); 214 | SSL_CTX_free(ctx); 215 | return 0; 216 | } 217 | -------------------------------------------------------------------------------- /cert_sh/RSAcertgen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For a list of supported curves, use "apps/openssl ecparam -list_curves". 4 | 5 | # Path to the openssl distribution 6 | OPENSSL_DIR=. 7 | # Path to the openssl program 8 | OPENSSL_CMD=openssl 9 | # Option to find configuration file 10 | OPENSSL_CNF="-config ./openssl.cnf" 11 | # Directory where certificates are stored 12 | CERTS_DIR=./rsaCerts 13 | # Directory where private key files are stored 14 | KEYS_DIR=$CERTS_DIR 15 | # Directory where combo files (containing a certificate and corresponding 16 | # private key together) are stored 17 | COMBO_DIR=$CERTS_DIR 18 | # cat command 19 | CAT=/bin/cat 20 | # rm command 21 | RM=/bin/rm 22 | # mkdir command 23 | MKDIR=/bin/mkdir 24 | # The certificate will expire these many days after the issue date. 25 | DAYS=180 26 | TEST_CA_KEYSIZE=2048 27 | TEST_CA_KEYFILE=CAKEY 28 | TEST_CA_FILE=RSACA 29 | TEST_CA_DN="/C=CN/ST=BJ/L=Beijing/O=RSATest Technology/OU=RSA/CN=Test CA (RSA-sha256)" 30 | 31 | TEST_SERVER_KEYSIZE=2048 32 | TEST_SERVER_KEYFILE=SSKEY 33 | TEST_SERVER_FILE=SSign 34 | TEST_SERVER_DN="/C=CN/ST=BJ/L=Beijing/O=RSATest Technology/OU=RSA/CN=192.168.2.30" 35 | 36 | TEST_SERVER_ENC_FILE=SEnc 37 | TEST_SERVER_ENC_KEYFILE=SEKEY 38 | TEST_SERVER_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=RSATest Technology/OU=RSA/CN=192.168.2.30" 39 | 40 | TEST_CLIENT_KEYSIZE=2048 41 | TEST_SERVER_KEYFILE=CSKEY 42 | TEST_CLIENT_FILE=CSsign 43 | TEST_CLIENT_DN="/C=CN/ST=BJ/L=Beijing/O=RSATest Technology/OU=RSA/CN=192.168.2.30" 44 | 45 | TEST_CLIENT_ENC_FILE=CEnc 46 | TEST_CLIENT_ENC_KEYFILE=CEKEY 47 | TEST_CLIENT_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=RSATest Technology/OU=RSA/CN=192.168.2.30" 48 | 49 | # Generating an RSA certificate involves the following main steps 50 | # 1. Generating keysize 51 | # 2. Generating a certificate request 52 | # 3. Signing the certificate request 53 | # 4. [Optional] One can combine the cert and private key into a single 54 | # file and also delete the certificate request 55 | 56 | $MKDIR -p $CERTS_DIR 57 | $MKDIR -p $KEYS_DIR 58 | $MKDIR -p $COMBO_DIR 59 | 60 | # Generate init data 61 | touch index.txt serial 62 | chmod 666 index.txt serial 63 | echo 01 > serial 64 | 65 | echo "Generating self-signed CA certificate (on keysize $TEST_CA_KEYSIZE)" 66 | echo "===============================================================" 67 | $OPENSSL_CMD genrsa -out $KEYS_DIR/$TEST_CA_KEYFILE.key.pem $TEST_SERVER_KEYSIZE 68 | 69 | # Generate a self certificate 70 | openssl req -new -x509 -days $DAYS $OPENSSL_CNF -subj "$TEST_CA_DN" \ 71 | -key $KEYS_DIR/$TEST_CA_KEYFILE.key.pem -out $CERTS_DIR/$TEST_CA_FILE.cert.pem 72 | 73 | 74 | # Display the certificate 75 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text 76 | 77 | # Place the certificate and key in a common file 78 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ 79 | > $COMBO_DIR/$TEST_CA_FILE.pem 80 | $CAT $KEYS_DIR/$TEST_CA_KEYFILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem 81 | 82 | 83 | echo "GENERATING A TEST SERVER CERTIFICATE" 84 | echo "==========================================================================" 85 | $OPENSSL_CMD genrsa -out $KEYS_DIR/$TEST_SERVER_KEYFILE.key.pem $TEST_SERVER_KEYSIZE 86 | 87 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. 88 | $OPENSSL_CMD req -new -key $KEYS_DIR/$TEST_SERVER_KEYFILE.key.pem \ 89 | -subj "$TEST_SERVER_DN" -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem $OPENSSL_CNF 90 | 91 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem 92 | $OPENSSL_CMD x509 -req -days $DAYS \ 93 | -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ 94 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 95 | -CAkey $KEYS_DIR/$TEST_CA_KEYFILE.key.pem \ 96 | -extfile $OPENSSL_DIR/openssl.cnf \ 97 | -extensions v3_req \ 98 | -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial 99 | 100 | # Display the certificate 101 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text 102 | 103 | # Place the certificate and key in a common file 104 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ 105 | > $COMBO_DIR/$TEST_SERVER_FILE.pem 106 | $CAT $KEYS_DIR/$TEST_SERVER_KEYFILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem 107 | 108 | # Remove the cert request file (no longer needed) 109 | $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem 110 | 111 | 112 | echo " GENERATING A TEST SERVER ENCRYPT CERTIFICATE" 113 | echo " ===================================================================================" 114 | $OPENSSL_CMD genrsa -out $KEYS_DIR/$TEST_SERVER_ENC_KEYFILE.key.pem $TEST_SERVER_KEYSIZE 115 | 116 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. 117 | $OPENSSL_CMD req -new -key $KEYS_DIR/$TEST_SERVER_ENC_KEYFILE.key.pem \ 118 | -subj "$TEST_SERVER_DN" -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem $OPENSSL_CNF 119 | 120 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem 121 | $OPENSSL_CMD x509 -req -days $DAYS \ 122 | -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem \ 123 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 124 | -CAkey $KEYS_DIR/$TEST_CA_KEYFILE.key.pem \ 125 | -extfile $OPENSSL_DIR/openssl.cnf \ 126 | -extensions v3enc_req \ 127 | -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -CAcreateserial 128 | 129 | # Display the certificate 130 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -text 131 | 132 | # Place the certificate and key in a common file 133 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -issuer -subject \ 134 | > $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 135 | $CAT $KEYS_DIR/$TEST_SERVER_ENC_KEYFILE.key.pem >> $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 136 | 137 | # Remove the cert request file (no longer needed) 138 | $RM $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem 139 | 140 | 141 | echo "GENERATING A TEST CLIENT CERTIFICATE " 142 | echo "==========================================================================" 143 | $OPENSSL_CMD genrsa -out $KEYS_DIR/$TEST_CLIENT_KEYFILE.key.pem $TEST_CLIENT_KEYSIZE 144 | 145 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. 146 | $OPENSSL_CMD req -new -key $KEYS_DIR/$TEST_CLIENT_KEYFILE.key.pem \ 147 | -subj "$TEST_SERVER_DN" -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem $OPENSSL_CNF 148 | 149 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem 150 | $OPENSSL_CMD x509 -req -days $DAYS \ 151 | -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ 152 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 153 | -CAkey $KEYS_DIR/$TEST_CA_KEYFILE.key.pem \ 154 | -extfile $OPENSSL_DIR/openssl.cnf \ 155 | -extensions v3_req \ 156 | -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial 157 | 158 | # Display the certificate 159 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text 160 | 161 | # Place the certificate and key in a common file 162 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ 163 | > $COMBO_DIR/$TEST_CLIENT_FILE.pem 164 | $CAT $KEYS_DIR/$TEST_CLIENT_KEYFILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem 165 | 166 | # Remove the cert request file (no longer needed) 167 | $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem 168 | 169 | 170 | echo " GENERATING A TEST CLIENT ENCRYPT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 171 | echo " ===================================================================================" 172 | $OPENSSL_CMD genrsa -out $KEYS_DIR/$TEST_CLIENT_ENC_KEYFILE.key.pem $TEST_CLIENT_KEYSIZE 173 | 174 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. 175 | $OPENSSL_CMD req -new -key $KEYS_DIR/$TEST_CLIENT_ENC_KEYFILE.key.pem \ 176 | -subj "$TEST_SERVER_DN" -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem $OPENSSL_CNF 177 | 178 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem 179 | $OPENSSL_CMD x509 -req -days $DAYS \ 180 | -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem \ 181 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 182 | -CAkey $KEYS_DIR/$TEST_CA_KEYFILE.key.pem \ 183 | -extfile $OPENSSL_DIR/openssl.cnf \ 184 | -extensions v3enc_req \ 185 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -CAcreateserial 186 | 187 | # Display the certificate 188 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -text 189 | 190 | # Place the certificate and key in a common file 191 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -issuer -subject \ 192 | > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 193 | $CAT $KEYS_DIR/$TEST_CLIENT_ENC_KEYFILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 194 | 195 | # Remove the cert request file (no longer needed) 196 | $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem 197 | 198 | 199 | -------------------------------------------------------------------------------- /cert_sh/CA.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = sm3 # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | distinguished_name = req_distinguished_name 107 | prompt = no 108 | req_extensions = v3_req 109 | 110 | [ req_distinguished_name ] 111 | CN = TEST CA 112 | C = CN 113 | ST = BJ 114 | L = BJ 115 | O = BeiJing SM2 116 | OU = SM2 117 | emailAddress = test@sm2.com 118 | 119 | [ v3_req ] 120 | # Extensions to add to a certificate request 121 | basicConstraints = CA:TRUE 122 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign 123 | 124 | [ req_attributes ] 125 | challengePassword = A challenge password 126 | challengePassword_min = 4 127 | challengePassword_max = 20 128 | 129 | unstructuredName = An optional company name 130 | 131 | [ usr_cert ] 132 | 133 | # These extensions are added when 'ca' signs a request. 134 | 135 | # This goes against PKIX guidelines but some CAs do it and some software 136 | # requires this to avoid interpreting an end user certificate as a CA. 137 | 138 | basicConstraints=CA:FALSE 139 | 140 | # Here are some examples of the usage of nsCertType. If it is omitted 141 | # the certificate can be used for anything *except* object signing. 142 | 143 | # This is OK for an SSL server. 144 | # nsCertType = server 145 | 146 | # For an object signing certificate this would be used. 147 | # nsCertType = objsign 148 | 149 | # For normal client use this is typical 150 | # nsCertType = client, email 151 | 152 | # and for everything including object signing: 153 | # nsCertType = client, email, objsignkeyCertSign 154 | 155 | # This is typical in keyUsage for a client certificate. 156 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 157 | 158 | # This will be displayed in Netscape's comment listbox. 159 | nsComment = "OpenSSL Generated Certificate" 160 | 161 | # PKIX recommendations harmless if included in all certificates. 162 | subjectKeyIdentifier=hash 163 | authorityKeyIdentifier=keyid,issuer 164 | 165 | # This stuff is for subjectAltName and issuerAltname. 166 | # Import the email address. 167 | # subjectAltName=email:copy 168 | # An alternative to produce certificates that aren't 169 | # deprecated according to PKIX. 170 | # subjectAltName=email:move 171 | 172 | # Copy subject details 173 | # issuerAltName=issuer:copy 174 | 175 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 176 | #nsBaseUrl 177 | #nsRevocationUrl 178 | #nsRenewalUrl 179 | #nsCaPolicyUrl 180 | #nsSslServerName 181 | 182 | # This is required for TSA certificates. 183 | # extendedKeyUsage = critical,timeStamping 184 | 185 | [ v3_req ] 186 | 187 | # Extensions to add to a certificate request 188 | 189 | basicConstraints = CA:FALSE 190 | keyUsage = nonRepudiation, digitalSignature 191 | 192 | 193 | [ v3enc_req ] 194 | 195 | # Extensions to add to a certificate request 196 | 197 | basicConstraints = CA:FALSE 198 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 199 | 200 | 201 | 202 | 203 | [ v3_ca ] 204 | 205 | # Extensions for a typical CA 206 | 207 | 208 | # PKIX recommendation. 209 | 210 | subjectKeyIdentifier=hash 211 | 212 | authorityKeyIdentifier=keyid:always,issuer 213 | 214 | # This is what PKIX recommends but some broken software chokes on critical 215 | # extensions. 216 | #basicConstraints = critical,CA:true 217 | # So we do this instead. 218 | basicConstraints = CA:true 219 | 220 | # Key usage: this is typical for a CA certificate. However since it will 221 | # prevent it being used as an test self-signed certificate it is best 222 | # left out by default. 223 | keyUsage = cRLSign, keyCertSign 224 | 225 | # Some might want this also 226 | # nsCertType = sslCA, emailCA 227 | 228 | # Include email address in subject alt name: another PKIX recommendation 229 | # subjectAltName=email:copy 230 | # Copy issuer details 231 | # issuerAltName=issuer:copy 232 | 233 | # DER hex encoding of an extension: beware experts only! 234 | # obj=DER:02:03 235 | # Where 'obj' is a standard or added object 236 | # You can even override a supported extension: 237 | # basicConstraints= critical, DER:30:03:01:01:FF 238 | 239 | [ crl_ext ] 240 | 241 | # CRL extensions. 242 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 243 | 244 | # issuerAltName=issuer:copy 245 | authorityKeyIdentifier=keyid:always 246 | 247 | [ proxy_cert_ext ] 248 | # These extensions should be added when creating a proxy certificate 249 | 250 | # This goes against PKIX guidelines but some CAs do it and some software 251 | # requires this to avoid interpreting an end user certificate as a CA. 252 | 253 | basicConstraints=CA:FALSE 254 | 255 | # Here are some examples of the usage of nsCertType. If it is omitted 256 | # the certificate can be used for anything *except* object signing. 257 | 258 | # This is OK for an SSL server. 259 | # nsCertType = server 260 | 261 | # For an object signing certificate this would be used. 262 | # nsCertType = objsign 263 | 264 | # For normal client use this is typical 265 | # nsCertType = client, email 266 | 267 | # and for everything including object signing: 268 | # nsCertType = client, email, objsign 269 | 270 | # This is typical in keyUsage for a client certificate. 271 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 272 | 273 | # This will be displayed in Netscape's comment listbox. 274 | nsComment = "OpenSSL Generated Certificate" 275 | 276 | # PKIX recommendations harmless if included in all certificates. 277 | subjectKeyIdentifier=hash 278 | authorityKeyIdentifier=keyid,issuer 279 | 280 | # This stuff is for subjectAltName and issuerAltname. 281 | # Import the email address. 282 | # subjectAltName=email:copy 283 | # An alternative to produce certificates that aren't 284 | # deprecated according to PKIX. 285 | # subjectAltName=email:move 286 | 287 | # Copy subject details 288 | # issuerAltName=issuer:copy 289 | 290 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 291 | #nsBaseUrl 292 | #nsRevocationUrl 293 | #nsRenewalUrl 294 | #nsCaPolicyUrl 295 | #nsSslServerName 296 | 297 | # This really needs to be in place for it to be a proxy certificate. 298 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 299 | 300 | #################################################################### 301 | [ tsa ] 302 | 303 | default_tsa = tsa_config1 # the default TSA section 304 | 305 | [ tsa_config1 ] 306 | 307 | # These are used by the TSA reply generation only. 308 | dir = ./demoCA # TSA root directory 309 | serial = $dir/tsaserial # The current serial number (mandatory) 310 | crypto_device = builtin # OpenSSL engine to use for signing 311 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 312 | # (optional) 313 | certs = $dir/cacert.pem # Certificate chain to include in reply 314 | # (optional) 315 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 316 | 317 | default_policy = tsa_policy1 # Policy if request did not specify it 318 | # (optional) 319 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 320 | digests = sm3 # Acceptable message digests (mandatory) 321 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 322 | clock_precision_digits = 0 # number of digits after dot. (optional) 323 | ordering = yes # Is ordering defined for timestamps? 324 | # (optional, default: no) 325 | tsa_name = yes # Must the TSA name be included in the reply? 326 | # (optional, default: no) 327 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 328 | # (optional, default: no) 329 | 330 | -------------------------------------------------------------------------------- /cert_sh/eccsignsite.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = sm3 # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | distinguished_name = req_distinguished_name 107 | prompt = no 108 | req_extensions = v3_req 109 | 110 | [ req_distinguished_name ] 111 | CN = 192.168.2.30 112 | C = CN 113 | ST = BJ 114 | L = BJ 115 | O = BeiJing SM2 116 | OU = SM2 117 | emailAddress = test@sm2.com 118 | 119 | [ v3_req ] 120 | # Extensions to add to a certificate request 121 | basicConstraints = CA:FALSE 122 | keyUsage = nonRepudiation, digitalSignature 123 | subjectAltName = @alt_names 124 | 125 | [ alt_names ] 126 | IP.1 = 192.168.2.30 127 | IP.2 = 192.168.2.31 128 | 129 | DNS.1 = *.hello1.com 130 | DNS.2 = *.hello2.com 131 | DNS.3 = *.hello3.com 132 | DNS.4 = *.test.com 133 | 134 | [ req_attributes ] 135 | challengePassword = A challenge password 136 | challengePassword_min = 4 137 | challengePassword_max = 20 138 | 139 | unstructuredName = An optional company name 140 | 141 | [ usr_cert ] 142 | 143 | # These extensions are added when 'ca' signs a request. 144 | 145 | # This goes against PKIX guidelines but some CAs do it and some software 146 | # requires this to avoid interpreting an end user certificate as a CA. 147 | 148 | basicConstraints=CA:FALSE 149 | 150 | # Here are some examples of the usage of nsCertType. If it is omitted 151 | # the certificate can be used for anything *except* object signing. 152 | 153 | # This is OK for an SSL server. 154 | # nsCertType = server 155 | 156 | # For an object signing certificate this would be used. 157 | # nsCertType = objsign 158 | 159 | # For normal client use this is typical 160 | # nsCertType = client, email 161 | 162 | # and for everything including object signing: 163 | # nsCertType = client, email, objsignkeyCertSign 164 | 165 | # This is typical in keyUsage for a client certificate. 166 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 167 | 168 | # This will be displayed in Netscape's comment listbox. 169 | nsComment = "OpenSSL Generated Certificate" 170 | 171 | # PKIX recommendations harmless if included in all certificates. 172 | subjectKeyIdentifier=hash 173 | authorityKeyIdentifier=keyid,issuer 174 | 175 | # This stuff is for subjectAltName and issuerAltname. 176 | # Import the email address. 177 | # subjectAltName=email:copy 178 | # An alternative to produce certificates that aren't 179 | # deprecated according to PKIX. 180 | # subjectAltName=email:move 181 | 182 | # Copy subject details 183 | # issuerAltName=issuer:copy 184 | 185 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 186 | #nsBaseUrl 187 | #nsRevocationUrl 188 | #nsRenewalUrl 189 | #nsCaPolicyUrl 190 | #nsSslServerName 191 | 192 | # This is required for TSA certificates. 193 | # extendedKeyUsage = critical,timeStamping 194 | 195 | [ v3_req ] 196 | 197 | # Extensions to add to a certificate request 198 | 199 | basicConstraints = CA:FALSE 200 | keyUsage = nonRepudiation, digitalSignature 201 | 202 | 203 | [ v3enc_req ] 204 | 205 | # Extensions to add to a certificate request 206 | 207 | basicConstraints = CA:FALSE 208 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 209 | 210 | 211 | 212 | 213 | [ v3_ca ] 214 | 215 | # Extensions for a typical CA 216 | 217 | 218 | # PKIX recommendation. 219 | 220 | subjectKeyIdentifier=hash 221 | 222 | authorityKeyIdentifier=keyid:always,issuer 223 | 224 | # This is what PKIX recommends but some broken software chokes on critical 225 | # extensions. 226 | #basicConstraints = critical,CA:true 227 | # So we do this instead. 228 | basicConstraints = CA:true 229 | 230 | # Key usage: this is typical for a CA certificate. However since it will 231 | # prevent it being used as an test self-signed certificate it is best 232 | # left out by default. 233 | keyUsage = cRLSign, keyCertSign 234 | 235 | # Some might want this also 236 | # nsCertType = sslCA, emailCA 237 | 238 | # Include email address in subject alt name: another PKIX recommendation 239 | # subjectAltName=email:copy 240 | # Copy issuer details 241 | # issuerAltName=issuer:copy 242 | 243 | # DER hex encoding of an extension: beware experts only! 244 | # obj=DER:02:03 245 | # Where 'obj' is a standard or added object 246 | # You can even override a supported extension: 247 | # basicConstraints= critical, DER:30:03:01:01:FF 248 | 249 | [ crl_ext ] 250 | 251 | # CRL extensions. 252 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 253 | 254 | # issuerAltName=issuer:copy 255 | authorityKeyIdentifier=keyid:always 256 | 257 | [ proxy_cert_ext ] 258 | # These extensions should be added when creating a proxy certificate 259 | 260 | # This goes against PKIX guidelines but some CAs do it and some software 261 | # requires this to avoid interpreting an end user certificate as a CA. 262 | 263 | basicConstraints=CA:FALSE 264 | 265 | # Here are some examples of the usage of nsCertType. If it is omitted 266 | # the certificate can be used for anything *except* object signing. 267 | 268 | # This is OK for an SSL server. 269 | # nsCertType = server 270 | 271 | # For an object signing certificate this would be used. 272 | # nsCertType = objsign 273 | 274 | # For normal client use this is typical 275 | # nsCertType = client, email 276 | 277 | # and for everything including object signing: 278 | # nsCertType = client, email, objsign 279 | 280 | # This is typical in keyUsage for a client certificate. 281 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 282 | 283 | # This will be displayed in Netscape's comment listbox. 284 | nsComment = "OpenSSL Generated Certificate" 285 | 286 | # PKIX recommendations harmless if included in all certificates. 287 | subjectKeyIdentifier=hash 288 | authorityKeyIdentifier=keyid,issuer 289 | 290 | # This stuff is for subjectAltName and issuerAltname. 291 | # Import the email address. 292 | # subjectAltName=email:copy 293 | # An alternative to produce certificates that aren't 294 | # deprecated according to PKIX. 295 | # subjectAltName=email:move 296 | 297 | # Copy subject details 298 | # issuerAltName=issuer:copy 299 | 300 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 301 | #nsBaseUrl 302 | #nsRevocationUrl 303 | #nsRenewalUrl 304 | #nsCaPolicyUrl 305 | #nsSslServerName 306 | 307 | # This really needs to be in place for it to be a proxy certificate. 308 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 309 | 310 | #################################################################### 311 | [ tsa ] 312 | 313 | default_tsa = tsa_config1 # the default TSA section 314 | 315 | [ tsa_config1 ] 316 | 317 | # These are used by the TSA reply generation only. 318 | dir = ./demoCA # TSA root directory 319 | serial = $dir/tsaserial # The current serial number (mandatory) 320 | crypto_device = builtin # OpenSSL engine to use for signing 321 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 322 | # (optional) 323 | certs = $dir/cacert.pem # Certificate chain to include in reply 324 | # (optional) 325 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 326 | 327 | default_policy = tsa_policy1 # Policy if request did not specify it 328 | # (optional) 329 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 330 | digests = sm3 # Acceptable message digests (mandatory) 331 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 332 | clock_precision_digits = 0 # number of digits after dot. (optional) 333 | ordering = yes # Is ordering defined for timestamps? 334 | # (optional, default: no) 335 | tsa_name = yes # Must the TSA name be included in the reply? 336 | # (optional, default: no) 337 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 338 | # (optional, default: no) 339 | 340 | -------------------------------------------------------------------------------- /cert_sh/eccencsite.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = sm3 # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | distinguished_name = req_distinguished_name 107 | prompt = no 108 | req_extensions = v3_req 109 | 110 | [ req_distinguished_name ] 111 | CN = 192.168.2.30 112 | C = CN 113 | ST = BJ 114 | L = BJ 115 | O = BeiJing SM2 116 | OU = SM2 117 | emailAddress = test@sm2.com 118 | 119 | [ v3_req ] 120 | # Extensions to add to a certificate request 121 | basicConstraints = CA:FALSE 122 | keyUsage = nonRepudiation, keyEncipherment, dataEncipherment 123 | subjectAltName = @alt_names 124 | 125 | [ alt_names ] 126 | IP.1 = 192.168.2.30 127 | IP.2 = 192.168.2.31 128 | 129 | DNS.1 = *.hello1.com 130 | DNS.2 = *.hello2.com 131 | DNS.3 = *.hello3.com 132 | DNS.4 = *.test.com 133 | 134 | [ req_attributes ] 135 | challengePassword = A challenge password 136 | challengePassword_min = 4 137 | challengePassword_max = 20 138 | 139 | unstructuredName = An optional company name 140 | 141 | [ usr_cert ] 142 | 143 | # These extensions are added when 'ca' signs a request. 144 | 145 | # This goes against PKIX guidelines but some CAs do it and some software 146 | # requires this to avoid interpreting an end user certificate as a CA. 147 | 148 | basicConstraints=CA:FALSE 149 | 150 | # Here are some examples of the usage of nsCertType. If it is omitted 151 | # the certificate can be used for anything *except* object signing. 152 | 153 | # This is OK for an SSL server. 154 | # nsCertType = server 155 | 156 | # For an object signing certificate this would be used. 157 | # nsCertType = objsign 158 | 159 | # For normal client use this is typical 160 | # nsCertType = client, email 161 | 162 | # and for everything including object signing: 163 | # nsCertType = client, email, objsignkeyCertSign 164 | 165 | # This is typical in keyUsage for a client certificate. 166 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 167 | 168 | # This will be displayed in Netscape's comment listbox. 169 | nsComment = "OpenSSL Generated Certificate" 170 | 171 | # PKIX recommendations harmless if included in all certificates. 172 | subjectKeyIdentifier=hash 173 | authorityKeyIdentifier=keyid,issuer 174 | 175 | # This stuff is for subjectAltName and issuerAltname. 176 | # Import the email address. 177 | # subjectAltName=email:copy 178 | # An alternative to produce certificates that aren't 179 | # deprecated according to PKIX. 180 | # subjectAltName=email:move 181 | 182 | # Copy subject details 183 | # issuerAltName=issuer:copy 184 | 185 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 186 | #nsBaseUrl 187 | #nsRevocationUrl 188 | #nsRenewalUrl 189 | #nsCaPolicyUrl 190 | #nsSslServerName 191 | 192 | # This is required for TSA certificates. 193 | # extendedKeyUsage = critical,timeStamping 194 | 195 | [ v3_req ] 196 | 197 | # Extensions to add to a certificate request 198 | 199 | basicConstraints = CA:FALSE 200 | keyUsage = nonRepudiation, digitalSignature 201 | 202 | 203 | [ v3enc_req ] 204 | 205 | # Extensions to add to a certificate request 206 | 207 | basicConstraints = CA:FALSE 208 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 209 | 210 | 211 | 212 | 213 | [ v3_ca ] 214 | 215 | # Extensions for a typical CA 216 | 217 | 218 | # PKIX recommendation. 219 | 220 | subjectKeyIdentifier=hash 221 | 222 | authorityKeyIdentifier=keyid:always,issuer 223 | 224 | # This is what PKIX recommends but some broken software chokes on critical 225 | # extensions. 226 | #basicConstraints = critical,CA:true 227 | # So we do this instead. 228 | basicConstraints = CA:true 229 | 230 | # Key usage: this is typical for a CA certificate. However since it will 231 | # prevent it being used as an test self-signed certificate it is best 232 | # left out by default. 233 | keyUsage = cRLSign, keyCertSign 234 | 235 | # Some might want this also 236 | # nsCertType = sslCA, emailCA 237 | 238 | # Include email address in subject alt name: another PKIX recommendation 239 | # subjectAltName=email:copy 240 | # Copy issuer details 241 | # issuerAltName=issuer:copy 242 | 243 | # DER hex encoding of an extension: beware experts only! 244 | # obj=DER:02:03 245 | # Where 'obj' is a standard or added object 246 | # You can even override a supported extension: 247 | # basicConstraints= critical, DER:30:03:01:01:FF 248 | 249 | [ crl_ext ] 250 | 251 | # CRL extensions. 252 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 253 | 254 | # issuerAltName=issuer:copy 255 | authorityKeyIdentifier=keyid:always 256 | 257 | [ proxy_cert_ext ] 258 | # These extensions should be added when creating a proxy certificate 259 | 260 | # This goes against PKIX guidelines but some CAs do it and some software 261 | # requires this to avoid interpreting an end user certificate as a CA. 262 | 263 | basicConstraints=CA:FALSE 264 | 265 | # Here are some examples of the usage of nsCertType. If it is omitted 266 | # the certificate can be used for anything *except* object signing. 267 | 268 | # This is OK for an SSL server. 269 | # nsCertType = server 270 | 271 | # For an object signing certificate this would be used. 272 | # nsCertType = objsign 273 | 274 | # For normal client use this is typical 275 | # nsCertType = client, email 276 | 277 | # and for everything including object signing: 278 | # nsCertType = client, email, objsign 279 | 280 | # This is typical in keyUsage for a client certificate. 281 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 282 | 283 | # This will be displayed in Netscape's comment listbox. 284 | nsComment = "OpenSSL Generated Certificate" 285 | 286 | # PKIX recommendations harmless if included in all certificates. 287 | subjectKeyIdentifier=hash 288 | authorityKeyIdentifier=keyid,issuer 289 | 290 | # This stuff is for subjectAltName and issuerAltname. 291 | # Import the email address. 292 | # subjectAltName=email:copy 293 | # An alternative to produce certificates that aren't 294 | # deprecated according to PKIX. 295 | # subjectAltName=email:move 296 | 297 | # Copy subject details 298 | # issuerAltName=issuer:copy 299 | 300 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 301 | #nsBaseUrl 302 | #nsRevocationUrl 303 | #nsRenewalUrl 304 | #nsCaPolicyUrl 305 | #nsSslServerName 306 | 307 | # This really needs to be in place for it to be a proxy certificate. 308 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 309 | 310 | #################################################################### 311 | [ tsa ] 312 | 313 | default_tsa = tsa_config1 # the default TSA section 314 | 315 | [ tsa_config1 ] 316 | 317 | # These are used by the TSA reply generation only. 318 | dir = ./demoCA # TSA root directory 319 | serial = $dir/tsaserial # The current serial number (mandatory) 320 | crypto_device = builtin # OpenSSL engine to use for signing 321 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 322 | # (optional) 323 | certs = $dir/cacert.pem # Certificate chain to include in reply 324 | # (optional) 325 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 326 | 327 | default_policy = tsa_policy1 # Policy if request did not specify it 328 | # (optional) 329 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 330 | digests = sm3 # Acceptable message digests (mandatory) 331 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 332 | clock_precision_digits = 0 # number of digits after dot. (optional) 333 | ordering = yes # Is ordering defined for timestamps? 334 | # (optional, default: no) 335 | tsa_name = yes # Must the TSA name be included in the reply? 336 | # (optional, default: no) 337 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 338 | # (optional, default: no) 339 | 340 | -------------------------------------------------------------------------------- /cert_sh/eccsignuser.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = sm3 # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | distinguished_name = req_distinguished_name 107 | prompt = no 108 | req_extensions = v3_req 109 | 110 | [ req_distinguished_name ] 111 | CN = 192.168.2.30 112 | C = CN 113 | ST = BJ 114 | L = BJ 115 | O = BeiJing SM2 116 | OU = SM2 117 | emailAddress = test@sm2.com 118 | 119 | [ v3_req ] 120 | # Extensions to add to a certificate request 121 | basicConstraints = CA:FALSE 122 | keyUsage = nonRepudiation, digitalSignature 123 | subjectAltName = @alt_names 124 | 125 | [ alt_names ] 126 | IP.1 = 192.168.2.30 127 | IP.2 = 192.168.2.31 128 | 129 | DNS.1 = *.hello1.com 130 | DNS.2 = *.hello2.com 131 | DNS.3 = *.hello3.com 132 | DNS.4 = *.test.com 133 | 134 | 135 | [ req_attributes ] 136 | challengePassword = A challenge password 137 | challengePassword_min = 4 138 | challengePassword_max = 20 139 | 140 | unstructuredName = An optional company name 141 | 142 | [ usr_cert ] 143 | 144 | # These extensions are added when 'ca' signs a request. 145 | 146 | # This goes against PKIX guidelines but some CAs do it and some software 147 | # requires this to avoid interpreting an end user certificate as a CA. 148 | 149 | basicConstraints=CA:FALSE 150 | 151 | # Here are some examples of the usage of nsCertType. If it is omitted 152 | # the certificate can be used for anything *except* object signing. 153 | 154 | # This is OK for an SSL server. 155 | # nsCertType = server 156 | 157 | # For an object signing certificate this would be used. 158 | # nsCertType = objsign 159 | 160 | # For normal client use this is typical 161 | # nsCertType = client, email 162 | 163 | # and for everything including object signing: 164 | # nsCertType = client, email, objsignkeyCertSign 165 | 166 | # This is typical in keyUsage for a client certificate. 167 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 168 | 169 | # This will be displayed in Netscape's comment listbox. 170 | nsComment = "OpenSSL Generated Certificate" 171 | 172 | # PKIX recommendations harmless if included in all certificates. 173 | subjectKeyIdentifier=hash 174 | authorityKeyIdentifier=keyid,issuer 175 | 176 | # This stuff is for subjectAltName and issuerAltname. 177 | # Import the email address. 178 | # subjectAltName=email:copy 179 | # An alternative to produce certificates that aren't 180 | # deprecated according to PKIX. 181 | # subjectAltName=email:move 182 | 183 | # Copy subject details 184 | # issuerAltName=issuer:copy 185 | 186 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 187 | #nsBaseUrl 188 | #nsRevocationUrl 189 | #nsRenewalUrl 190 | #nsCaPolicyUrl 191 | #nsSslServerName 192 | 193 | # This is required for TSA certificates. 194 | # extendedKeyUsage = critical,timeStamping 195 | 196 | [ v3_req ] 197 | 198 | # Extensions to add to a certificate request 199 | 200 | basicConstraints = CA:FALSE 201 | keyUsage = nonRepudiation, digitalSignature 202 | 203 | 204 | [ v3enc_req ] 205 | 206 | # Extensions to add to a certificate request 207 | 208 | basicConstraints = CA:FALSE 209 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 210 | 211 | 212 | 213 | 214 | [ v3_ca ] 215 | 216 | # Extensions for a typical CA 217 | 218 | 219 | # PKIX recommendation. 220 | 221 | subjectKeyIdentifier=hash 222 | 223 | authorityKeyIdentifier=keyid:always,issuer 224 | 225 | # This is what PKIX recommends but some broken software chokes on critical 226 | # extensions. 227 | #basicConstraints = critical,CA:true 228 | # So we do this instead. 229 | basicConstraints = CA:true 230 | 231 | # Key usage: this is typical for a CA certificate. However since it will 232 | # prevent it being used as an test self-signed certificate it is best 233 | # left out by default. 234 | keyUsage = cRLSign, keyCertSign 235 | 236 | # Some might want this also 237 | # nsCertType = sslCA, emailCA 238 | 239 | # Include email address in subject alt name: another PKIX recommendation 240 | # subjectAltName=email:copy 241 | # Copy issuer details 242 | # issuerAltName=issuer:copy 243 | 244 | # DER hex encoding of an extension: beware experts only! 245 | # obj=DER:02:03 246 | # Where 'obj' is a standard or added object 247 | # You can even override a supported extension: 248 | # basicConstraints= critical, DER:30:03:01:01:FF 249 | 250 | [ crl_ext ] 251 | 252 | # CRL extensions. 253 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 254 | 255 | # issuerAltName=issuer:copy 256 | authorityKeyIdentifier=keyid:always 257 | 258 | [ proxy_cert_ext ] 259 | # These extensions should be added when creating a proxy certificate 260 | 261 | # This goes against PKIX guidelines but some CAs do it and some software 262 | # requires this to avoid interpreting an end user certificate as a CA. 263 | 264 | basicConstraints=CA:FALSE 265 | 266 | # Here are some examples of the usage of nsCertType. If it is omitted 267 | # the certificate can be used for anything *except* object signing. 268 | 269 | # This is OK for an SSL server. 270 | # nsCertType = server 271 | 272 | # For an object signing certificate this would be used. 273 | # nsCertType = objsign 274 | 275 | # For normal client use this is typical 276 | # nsCertType = client, email 277 | 278 | # and for everything including object signing: 279 | # nsCertType = client, email, objsign 280 | 281 | # This is typical in keyUsage for a client certificate. 282 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 283 | 284 | # This will be displayed in Netscape's comment listbox. 285 | nsComment = "OpenSSL Generated Certificate" 286 | 287 | # PKIX recommendations harmless if included in all certificates. 288 | subjectKeyIdentifier=hash 289 | authorityKeyIdentifier=keyid,issuer 290 | 291 | # This stuff is for subjectAltName and issuerAltname. 292 | # Import the email address. 293 | # subjectAltName=email:copy 294 | # An alternative to produce certificates that aren't 295 | # deprecated according to PKIX. 296 | # subjectAltName=email:move 297 | 298 | # Copy subject details 299 | # issuerAltName=issuer:copy 300 | 301 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 302 | #nsBaseUrl 303 | #nsRevocationUrl 304 | #nsRenewalUrl 305 | #nsCaPolicyUrl 306 | #nsSslServerName 307 | 308 | # This really needs to be in place for it to be a proxy certificate. 309 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 310 | 311 | #################################################################### 312 | [ tsa ] 313 | 314 | default_tsa = tsa_config1 # the default TSA section 315 | 316 | [ tsa_config1 ] 317 | 318 | # These are used by the TSA reply generation only. 319 | dir = ./demoCA # TSA root directory 320 | serial = $dir/tsaserial # The current serial number (mandatory) 321 | crypto_device = builtin # OpenSSL engine to use for signing 322 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 323 | # (optional) 324 | certs = $dir/cacert.pem # Certificate chain to include in reply 325 | # (optional) 326 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 327 | 328 | default_policy = tsa_policy1 # Policy if request did not specify it 329 | # (optional) 330 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 331 | digests = sm3 # Acceptable message digests (mandatory) 332 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 333 | clock_precision_digits = 0 # number of digits after dot. (optional) 334 | ordering = yes # Is ordering defined for timestamps? 335 | # (optional, default: no) 336 | tsa_name = yes # Must the TSA name be included in the reply? 337 | # (optional, default: no) 338 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 339 | # (optional, default: no) 340 | 341 | 342 | -------------------------------------------------------------------------------- /cert_sh/eccencuser.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = sm3 # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | distinguished_name = req_distinguished_name 107 | prompt = no 108 | req_extensions = v3_req 109 | 110 | [ req_distinguished_name ] 111 | CN = 192.168.2.30 112 | C = CN 113 | ST = BJ 114 | L = BJ 115 | O = BeiJing SM2 116 | OU = SM2 117 | emailAddress = test@sm2.com 118 | 119 | [ v3_req ] 120 | # Extensions to add to a certificate request 121 | basicConstraints = CA:FALSE 122 | keyUsage = nonRepudiation, keyEncipherment, dataEncipherment 123 | subjectAltName = @alt_names 124 | 125 | [ alt_names ] 126 | IP.1 = 192.168.2.30 127 | IP.2 = 192.168.2.31 128 | 129 | DNS.1 = *.hello1.com 130 | DNS.2 = *.hello2.com 131 | DNS.3 = *.hello3.com 132 | DNS.4 = *.test.com 133 | 134 | 135 | [ req_attributes ] 136 | challengePassword = A challenge password 137 | challengePassword_min = 4 138 | challengePassword_max = 20 139 | 140 | unstructuredName = An optional company name 141 | 142 | [ usr_cert ] 143 | 144 | # These extensions are added when 'ca' signs a request. 145 | 146 | # This goes against PKIX guidelines but some CAs do it and some software 147 | # requires this to avoid interpreting an end user certificate as a CA. 148 | 149 | basicConstraints=CA:FALSE 150 | 151 | # Here are some examples of the usage of nsCertType. If it is omitted 152 | # the certificate can be used for anything *except* object signing. 153 | 154 | # This is OK for an SSL server. 155 | # nsCertType = server 156 | 157 | # For an object signing certificate this would be used. 158 | # nsCertType = objsign 159 | 160 | # For normal client use this is typical 161 | # nsCertType = client, email 162 | 163 | # and for everything including object signing: 164 | # nsCertType = client, email, objsignkeyCertSign 165 | 166 | # This is typical in keyUsage for a client certificate. 167 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 168 | 169 | # This will be displayed in Netscape's comment listbox. 170 | nsComment = "OpenSSL Generated Certificate" 171 | 172 | # PKIX recommendations harmless if included in all certificates. 173 | subjectKeyIdentifier=hash 174 | authorityKeyIdentifier=keyid,issuer 175 | 176 | # This stuff is for subjectAltName and issuerAltname. 177 | # Import the email address. 178 | # subjectAltName=email:copy 179 | # An alternative to produce certificates that aren't 180 | # deprecated according to PKIX. 181 | # subjectAltName=email:move 182 | 183 | # Copy subject details 184 | # issuerAltName=issuer:copy 185 | 186 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 187 | #nsBaseUrl 188 | #nsRevocationUrl 189 | #nsRenewalUrl 190 | #nsCaPolicyUrl 191 | #nsSslServerName 192 | 193 | # This is required for TSA certificates. 194 | # extendedKeyUsage = critical,timeStamping 195 | 196 | [ v3_req ] 197 | 198 | # Extensions to add to a certificate request 199 | 200 | basicConstraints = CA:FALSE 201 | keyUsage = nonRepudiation, digitalSignature 202 | 203 | 204 | [ v3enc_req ] 205 | 206 | # Extensions to add to a certificate request 207 | 208 | basicConstraints = CA:FALSE 209 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 210 | 211 | 212 | 213 | 214 | [ v3_ca ] 215 | 216 | # Extensions for a typical CA 217 | 218 | 219 | # PKIX recommendation. 220 | 221 | subjectKeyIdentifier=hash 222 | 223 | authorityKeyIdentifier=keyid:always,issuer 224 | 225 | # This is what PKIX recommends but some broken software chokes on critical 226 | # extensions. 227 | #basicConstraints = critical,CA:true 228 | # So we do this instead. 229 | basicConstraints = CA:true 230 | 231 | # Key usage: this is typical for a CA certificate. However since it will 232 | # prevent it being used as an test self-signed certificate it is best 233 | # left out by default. 234 | keyUsage = cRLSign, keyCertSign 235 | 236 | # Some might want this also 237 | # nsCertType = sslCA, emailCA 238 | 239 | # Include email address in subject alt name: another PKIX recommendation 240 | # subjectAltName=email:copy 241 | # Copy issuer details 242 | # issuerAltName=issuer:copy 243 | 244 | # DER hex encoding of an extension: beware experts only! 245 | # obj=DER:02:03 246 | # Where 'obj' is a standard or added object 247 | # You can even override a supported extension: 248 | # basicConstraints= critical, DER:30:03:01:01:FF 249 | 250 | [ crl_ext ] 251 | 252 | # CRL extensions. 253 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 254 | 255 | # issuerAltName=issuer:copy 256 | authorityKeyIdentifier=keyid:always 257 | 258 | [ proxy_cert_ext ] 259 | # These extensions should be added when creating a proxy certificate 260 | 261 | # This goes against PKIX guidelines but some CAs do it and some software 262 | # requires this to avoid interpreting an end user certificate as a CA. 263 | 264 | basicConstraints=CA:FALSE 265 | 266 | # Here are some examples of the usage of nsCertType. If it is omitted 267 | # the certificate can be used for anything *except* object signing. 268 | 269 | # This is OK for an SSL server. 270 | # nsCertType = server 271 | 272 | # For an object signing certificate this would be used. 273 | # nsCertType = objsign 274 | 275 | # For normal client use this is typical 276 | # nsCertType = client, email 277 | 278 | # and for everything including object signing: 279 | # nsCertType = client, email, objsign 280 | 281 | # This is typical in keyUsage for a client certificate. 282 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 283 | 284 | # This will be displayed in Netscape's comment listbox. 285 | nsComment = "OpenSSL Generated Certificate" 286 | 287 | # PKIX recommendations harmless if included in all certificates. 288 | subjectKeyIdentifier=hash 289 | authorityKeyIdentifier=keyid,issuer 290 | 291 | # This stuff is for subjectAltName and issuerAltname. 292 | # Import the email address. 293 | # subjectAltName=email:copy 294 | # An alternative to produce certificates that aren't 295 | # deprecated according to PKIX. 296 | # subjectAltName=email:move 297 | 298 | # Copy subject details 299 | # issuerAltName=issuer:copy 300 | 301 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 302 | #nsBaseUrl 303 | #nsRevocationUrl 304 | #nsRenewalUrl 305 | #nsCaPolicyUrl 306 | #nsSslServerName 307 | 308 | # This really needs to be in place for it to be a proxy certificate. 309 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 310 | 311 | #################################################################### 312 | [ tsa ] 313 | 314 | default_tsa = tsa_config1 # the default TSA section 315 | 316 | [ tsa_config1 ] 317 | 318 | # These are used by the TSA reply generation only. 319 | dir = ./demoCA # TSA root directory 320 | serial = $dir/tsaserial # The current serial number (mandatory) 321 | crypto_device = builtin # OpenSSL engine to use for signing 322 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 323 | # (optional) 324 | certs = $dir/cacert.pem # Certificate chain to include in reply 325 | # (optional) 326 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 327 | 328 | default_policy = tsa_policy1 # Policy if request did not specify it 329 | # (optional) 330 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 331 | digests = sm3 # Acceptable message digests (mandatory) 332 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 333 | clock_precision_digits = 0 # number of digits after dot. (optional) 334 | ordering = yes # Is ordering defined for timestamps? 335 | # (optional, default: no) 336 | tsa_name = yes # Must the TSA name be included in the reply? 337 | # (optional, default: no) 338 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 339 | # (optional, default: no) 340 | 341 | -------------------------------------------------------------------------------- /cert_sh/openssl.cnf: -------------------------------------------------------------------------------- 1 | # 2 | # OpenSSL example configuration file. 3 | # This is mostly being used for generation of certificate requests. 4 | # 5 | 6 | # This definition stops the following lines choking if HOME isn't 7 | # defined. 8 | HOME = . 9 | RANDFILE = $ENV::HOME/.rnd 10 | 11 | # Extra OBJECT IDENTIFIER info: 12 | #oid_file = $ENV::HOME/.oid 13 | oid_section = new_oids 14 | 15 | # To use this configuration file with the "-extfile" option of the 16 | # "openssl x509" utility, name here the section containing the 17 | # X.509v3 extensions to use: 18 | # extensions = 19 | # (Alternatively, use a configuration file that has only 20 | # X.509v3 extensions in its main [= default] section.) 21 | 22 | [ new_oids ] 23 | 24 | # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. 25 | # Add a simple OID like this: 26 | # testoid1=1.2.3.4 27 | # Or use config file substitution like this: 28 | # testoid2=${testoid1}.5.6 29 | 30 | # Policies used by the TSA examples. 31 | tsa_policy1 = 1.2.3.4.1 32 | tsa_policy2 = 1.2.3.4.5.6 33 | tsa_policy3 = 1.2.3.4.5.7 34 | 35 | #################################################################### 36 | [ ca ] 37 | default_ca = CA_default # The default ca section 38 | 39 | #################################################################### 40 | [ CA_default ] 41 | 42 | dir = ./demoCA # Where everything is kept 43 | certs = $dir/certs # Where the issued certs are kept 44 | crl_dir = $dir/crl # Where the issued crl are kept 45 | database = $dir/index.txt # database index file. 46 | #unique_subject = no # Set to 'no' to allow creation of 47 | # several ctificates with same subject. 48 | new_certs_dir = $dir/newcerts # default place for new certs. 49 | 50 | certificate = $dir/cacert.pem # The CA certificate 51 | serial = $dir/serial # The current serial number 52 | crlnumber = $dir/crlnumber # the current crl number 53 | # must be commented out to leave a V1 CRL 54 | crl = $dir/crl.pem # The current CRL 55 | private_key = $dir/private/cakey.pem # The private key 56 | RANDFILE = $dir/private/.rand # private random number file 57 | 58 | x509_extensions = usr_cert # The extentions to add to the cert 59 | 60 | # Comment out the following two lines for the "traditional" 61 | # (and highly broken) format. 62 | name_opt = ca_default # Subject Name options 63 | cert_opt = ca_default # Certificate field options 64 | 65 | # Extension copying option: use with caution. 66 | # copy_extensions = copy 67 | 68 | # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs 69 | # so this is commented out by default to leave a V1 CRL. 70 | # crlnumber must also be commented out to leave a V1 CRL. 71 | # crl_extensions = crl_ext 72 | 73 | default_days = 365 # how long to certify for 74 | default_crl_days= 30 # how long before next CRL 75 | default_md = default # use public key default MD 76 | preserve = no # keep passed DN ordering 77 | 78 | # A few difference way of specifying how similar the request should look 79 | # For type CA, the listed attributes must be the same, and the optional 80 | # and supplied fields are just that :-) 81 | policy = policy_match 82 | 83 | # For the CA policy 84 | [ policy_match ] 85 | countryName = match 86 | stateOrProvinceName = match 87 | organizationName = match 88 | organizationalUnitName = optional 89 | commonName = supplied 90 | emailAddress = optional 91 | 92 | # For the 'anything' policy 93 | # At this point in time, you must list all acceptable 'object' 94 | # types. 95 | [ policy_anything ] 96 | countryName = optional 97 | stateOrProvinceName = optional 98 | localityName = optional 99 | organizationName = optional 100 | organizationalUnitName = optional 101 | commonName = supplied 102 | emailAddress = optional 103 | 104 | #################################################################### 105 | [ req ] 106 | default_bits = 2048 107 | default_keyfile = privkey.pem 108 | distinguished_name = req_distinguished_name 109 | attributes = req_attributes 110 | x509_extensions = v3_ca # The extentions to add to the self signed cert 111 | 112 | # Passwords for private keys if not present they will be prompted for 113 | # input_password = secret 114 | # output_password = secret 115 | 116 | # This sets a mask for permitted string types. There are several options. 117 | # default: PrintableString, T61String, BMPString. 118 | # pkix : PrintableString, BMPString (PKIX recommendation before 2004) 119 | # utf8only: only UTF8Strings (PKIX recommendation after 2004). 120 | # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). 121 | # MASK:XXXX a literal mask value. 122 | # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. 123 | string_mask = utf8only 124 | 125 | # req_extensions = v3_req # The extensions to add to a certificate request 126 | 127 | [ req_distinguished_name ] 128 | countryName = Country Name (2 letter code) 129 | countryName_default = XX 130 | countryName_min = 2 131 | countryName_max = 2 132 | 133 | stateOrProvinceName = State or Province Name (full name) 134 | #stateOrProvinceName_default = Default Province 135 | 136 | localityName = Locality Name (eg, city) 137 | localityName_default = Default City 138 | 139 | 0.organizationName = Organization Name (eg, company) 140 | 0.organizationName_default = Default Company Ltd 141 | 142 | # we can do this but it is not needed normally :-) 143 | #1.organizationName = Second Organization Name (eg, company) 144 | #1.organizationName_default = World Wide Web Pty Ltd 145 | 146 | organizationalUnitName = Organizational Unit Name (eg, section) 147 | #organizationalUnitName_default = 148 | 149 | commonName = Common Name (eg, your name or your server\'s hostname) 150 | commonName_max = 64 151 | 152 | emailAddress = Email Address 153 | emailAddress_max = 64 154 | 155 | # SET-ex3 = SET extension number 3 156 | 157 | [ req_attributes ] 158 | challengePassword = A challenge password 159 | challengePassword_min = 4 160 | challengePassword_max = 20 161 | 162 | unstructuredName = An optional company name 163 | 164 | [ usr_cert ] 165 | 166 | # These extensions are added when 'ca' signs a request. 167 | 168 | # This goes against PKIX guidelines but some CAs do it and some software 169 | # requires this to avoid interpreting an end user certificate as a CA. 170 | 171 | basicConstraints=CA:FALSE 172 | 173 | # Here are some examples of the usage of nsCertType. If it is omitted 174 | # the certificate can be used for anything *except* object signing. 175 | 176 | # This is OK for an SSL server. 177 | # nsCertType = server 178 | 179 | # For an object signing certificate this would be used. 180 | # nsCertType = objsign 181 | 182 | # For normal client use this is typical 183 | # nsCertType = client, email 184 | 185 | # and for everything including object signing: 186 | # nsCertType = client, email, objsignkeyCertSign 187 | 188 | # This is typical in keyUsage for a client certificate. 189 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment dataEncipherment keyAgreement keyCertSign encipherOnly cRLSign decipherOnly 190 | 191 | # This will be displayed in Netscape's comment listbox. 192 | nsComment = "OpenSSL Generated Certificate" 193 | 194 | # PKIX recommendations harmless if included in all certificates. 195 | subjectKeyIdentifier=hash 196 | authorityKeyIdentifier=keyid,issuer 197 | 198 | # This stuff is for subjectAltName and issuerAltname. 199 | # Import the email address. 200 | # subjectAltName=email:copy 201 | # An alternative to produce certificates that aren't 202 | # deprecated according to PKIX. 203 | # subjectAltName=email:move 204 | 205 | # Copy subject details 206 | # issuerAltName=issuer:copy 207 | 208 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 209 | #nsBaseUrl 210 | #nsRevocationUrl 211 | #nsRenewalUrl 212 | #nsCaPolicyUrl 213 | #nsSslServerName 214 | 215 | # This is required for TSA certificates. 216 | # extendedKeyUsage = critical,timeStamping 217 | 218 | [ v3_req ] 219 | 220 | # Extensions to add to a certificate request 221 | 222 | basicConstraints = CA:FALSE 223 | keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign 224 | subjectAltName = @alt_names 225 | 226 | 227 | [ alt_names ] 228 | IP.1 = 192.168.2.30 229 | IP.2 = 192.168.2.31 230 | 231 | DNS.1 = *.hello1.com 232 | DNS.2 = *.hello2.com 233 | DNS.3 = *.hello3.com 234 | DNS.4 = *.test.com 235 | 236 | 237 | [ v3enc_req ] 238 | 239 | # Extensions to add to a certificate request 240 | 241 | basicConstraints = CA:FALSE 242 | keyUsage = keyAgreement, keyEncipherment, dataEncipherment 243 | 244 | 245 | 246 | 247 | [ v3_ca ] 248 | 249 | # Extensions for a typical CA 250 | 251 | 252 | # PKIX recommendation. 253 | 254 | subjectKeyIdentifier=hash 255 | 256 | authorityKeyIdentifier=keyid:always,issuer 257 | 258 | # This is what PKIX recommends but some broken software chokes on critical 259 | # extensions. 260 | #basicConstraints = critical,CA:true 261 | # So we do this instead. 262 | basicConstraints = CA:true 263 | 264 | # Key usage: this is typical for a CA certificate. However since it will 265 | # prevent it being used as an test self-signed certificate it is best 266 | # left out by default. 267 | keyUsage = cRLSign, keyCertSign 268 | 269 | # Some might want this also 270 | # nsCertType = sslCA, emailCA 271 | 272 | # Include email address in subject alt name: another PKIX recommendation 273 | # subjectAltName=email:copy 274 | # Copy issuer details 275 | # issuerAltName=issuer:copy 276 | 277 | # DER hex encoding of an extension: beware experts only! 278 | # obj=DER:02:03 279 | # Where 'obj' is a standard or added object 280 | # You can even override a supported extension: 281 | # basicConstraints= critical, DER:30:03:01:01:FF 282 | 283 | [ crl_ext ] 284 | 285 | # CRL extensions. 286 | # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 287 | 288 | # issuerAltName=issuer:copy 289 | authorityKeyIdentifier=keyid:always 290 | 291 | [ proxy_cert_ext ] 292 | # These extensions should be added when creating a proxy certificate 293 | 294 | # This goes against PKIX guidelines but some CAs do it and some software 295 | # requires this to avoid interpreting an end user certificate as a CA. 296 | 297 | basicConstraints=CA:FALSE 298 | 299 | # Here are some examples of the usage of nsCertType. If it is omitted 300 | # the certificate can be used for anything *except* object signing. 301 | 302 | # This is OK for an SSL server. 303 | # nsCertType = server 304 | 305 | # For an object signing certificate this would be used. 306 | # nsCertType = objsign 307 | 308 | # For normal client use this is typical 309 | # nsCertType = client, email 310 | 311 | # and for everything including object signing: 312 | # nsCertType = client, email, objsign 313 | 314 | # This is typical in keyUsage for a client certificate. 315 | # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 316 | 317 | # This will be displayed in Netscape's comment listbox. 318 | nsComment = "OpenSSL Generated Certificate" 319 | 320 | # PKIX recommendations harmless if included in all certificates. 321 | subjectKeyIdentifier=hash 322 | authorityKeyIdentifier=keyid,issuer 323 | 324 | # This stuff is for subjectAltName and issuerAltname. 325 | # Import the email address. 326 | # subjectAltName=email:copy 327 | # An alternative to produce certificates that aren't 328 | # deprecated according to PKIX. 329 | # subjectAltName=email:move 330 | 331 | # Copy subject details 332 | # issuerAltName=issuer:copy 333 | 334 | #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 335 | #nsBaseUrl 336 | #nsRevocationUrl 337 | #nsRenewalUrl 338 | #nsCaPolicyUrl 339 | #nsSslServerName 340 | 341 | # This really needs to be in place for it to be a proxy certificate. 342 | proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo 343 | 344 | #################################################################### 345 | [ tsa ] 346 | 347 | default_tsa = tsa_config1 # the default TSA section 348 | 349 | [ tsa_config1 ] 350 | 351 | # These are used by the TSA reply generation only. 352 | dir = ./demoCA # TSA root directory 353 | serial = $dir/tsaserial # The current serial number (mandatory) 354 | crypto_device = builtin # OpenSSL engine to use for signing 355 | signer_cert = $dir/tsacert.pem # The TSA signing certificate 356 | # (optional) 357 | certs = $dir/cacert.pem # Certificate chain to include in reply 358 | # (optional) 359 | signer_key = $dir/private/tsakey.pem # The TSA private key (optional) 360 | 361 | default_policy = tsa_policy1 # Policy if request did not specify it 362 | # (optional) 363 | other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) 364 | digests = md5, sha1 # Acceptable message digests (mandatory) 365 | accuracy = secs:1, millisecs:500, microsecs:100 # (optional) 366 | clock_precision_digits = 0 # number of digits after dot. (optional) 367 | ordering = yes # Is ordering defined for timestamps? 368 | # (optional, default: no) 369 | tsa_name = yes # Must the TSA name be included in the reply? 370 | # (optional, default: no) 371 | ess_cert_id_chain = no # Must the ESS cert id chain be included? 372 | # (optional, default: no) 373 | -------------------------------------------------------------------------------- /cert_sh/SM2certgen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For a list of supported curves, use "apps/openssl ecparam -list_curves". 4 | 5 | # Path to the openssl distribution 6 | OPENSSL_DIR=. 7 | # Path to the openssl program 8 | #OPENSSL_CMD=openssl 9 | OPENSSL_CMD=gmssl 10 | # Option to find configuration file 11 | OPENSSL_CNF="-config ./openssl.cnf" 12 | # Directory where certificates are stored 13 | CERTS_DIR=./demoCA 14 | # Directory where key are stored 15 | CAKEY_DIR=./demoCA/private 16 | # Directory where private key files are stored 17 | KEYS_DIR=$CERTS_DIR 18 | # Directory where combo files (containing a certificate and corresponding 19 | # private key together) are stored 20 | COMBO_DIR=$CERTS_DIR 21 | # cat command 22 | CAT=/bin/cat 23 | # rm command 24 | RM=/bin/rm 25 | # mkdir command 26 | MKDIR=/bin/mkdir 27 | # MV command 28 | MVDIR=/bin/mv 29 | # CP command 30 | CPDIR=/bin/cp 31 | # touch command 32 | TOUCHDIR=/bin/touch 33 | 34 | # The certificate will expire these many days after the issue date. 35 | DAYS=700 36 | TEST_CA=SM2 37 | TEST_CA_CURVE=sm2p256v1 38 | TEST_CA_FILE=CA 39 | TEST_CA_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=Test CA (SM2)" 40 | 41 | TEST_SERVER_CURVE=SM2 42 | TEST_SERVER_FILE=SS 43 | TEST_SERVER_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 44 | 45 | TEST_SERVER_ENC_FILE=SE 46 | TEST_SERVER_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 47 | 48 | TEST_CLIENT_CURVE=SM2 49 | TEST_CLIENT_FILE=CS 50 | TEST_CLIENT_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 51 | 52 | TEST_CLIENT_ENC_FILE=CE 53 | TEST_CLIENT_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 54 | 55 | # Generating an EC certificate involves the following main steps 56 | # 1. Generating curve parameters (if needed) 57 | # 2. Generating a certificate request 58 | # 3. Signing the certificate request 59 | # 4. [Optional] One can combine the cert and private key into a single 60 | # file and also delete the certificate request 61 | 62 | $MKDIR -p $CERTS_DIR 63 | $MKDIR -p $KEYS_DIR 64 | $MKDIR -p $COMBO_DIR 65 | $MKDIR -p $CAKEY_DIR 66 | 67 | # create file index.txt and serial 68 | $TOUCHDIR $CERTS_DIR/index.txt 69 | $TOUCHDIR $CERTS_DIR/serial 70 | $TOUCHDIR $CERTS_DIR/index.txt.attr 71 | $TOUCHDIR $CERTS_DIR/crlnumber 72 | echo "01" > $CERTS_DIR/serial 73 | 74 | echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" 75 | echo "===============================================================" 76 | $OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA.pem 77 | 78 | # Generate a new certificate request in $TEST_CA_FILE.req.pem. A 79 | # new ecdsa (actually ECC) key pair is generated on the parameters in 80 | # $TEST_CA.pem and the private key is saved in $TEST_CA_FILE.key.pem 81 | # WARNING: By using the -nodes option, we force the private key to be 82 | # stored in the clear (rather than encrypted with a password). 83 | $OPENSSL_CMD req -config ./CA.cnf -nodes -subj "$TEST_CA_DN" \ 84 | -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ 85 | -newkey ec:$TEST_CA.pem -new \ 86 | -out $CERTS_DIR/$TEST_CA_FILE.req.pem -sm3 87 | 88 | # Sign the certificate request in $TEST_CA_FILE.req.pem using the 89 | # private key in $TEST_CA_FILE.key.pem and include the CA extension. 90 | # Make the certificate valid for 1500 days from the time of signing. 91 | # The certificate is written into $TEST_CA_FILE.cert.pem 92 | $OPENSSL_CMD x509 -req -days $DAYS \ 93 | -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ 94 | -extfile $OPENSSL_DIR/openssl.cnf \ 95 | -extensions v3_ca \ 96 | -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 97 | -out $CERTS_DIR/$TEST_CA_FILE.cert.pem -sm3 98 | 99 | # Display the certificate 100 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text 101 | 102 | # Place the certificate and key in a common file 103 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ 104 | > $COMBO_DIR/$TEST_CA_FILE.pem 105 | $CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem 106 | 107 | # move key to private file and rename cakey.pem 108 | $CPDIR $KEYS_DIR/$TEST_CA_FILE.key.pem $CAKEY_DIR/cakey.pem 109 | $CPDIR $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/cacert.pem 110 | 111 | # Remove the cert request file (no longer needed) 112 | $RM $CERTS_DIR/$TEST_CA_FILE.req.pem 113 | 114 | echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" 115 | echo "==========================================================================" 116 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 117 | # new ecdsa (actually ECC) key pair is generated on the parameters in 118 | # $TEST_SERVER_CURVE.pem and the private key is saved in 119 | # $TEST_SERVER_FILE.key.pem 120 | # WARNING: By using the -nodes option, we force the private key to be 121 | # stored in the clear (rather than encrypted with a password). 122 | $OPENSSL_CMD req -config eccsignuser.cnf -nodes -subj "$TEST_SERVER_DN" \ 123 | -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ 124 | -newkey ec:$TEST_SERVER_CURVE.pem -new \ 125 | -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem -sm3 126 | 127 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the 128 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 129 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 130 | # file for this CA, create one. Make the certificate valid for $DAYS days 131 | # from the time of signing. The certificate is written into 132 | # $TEST_SERVER_FILE.cert.pem 133 | $OPENSSL_CMD x509 -req -days $DAYS \ 134 | -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ 135 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 136 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 137 | -extfile $OPENSSL_DIR/openssl.cnf \ 138 | -extensions v3_req \ 139 | -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial -sm3 140 | 141 | # Display the certificate 142 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text 143 | 144 | # Place the certificate and key in a common file 145 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ 146 | > $COMBO_DIR/$TEST_SERVER_FILE.pem 147 | $CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem 148 | 149 | # Verify cert 150 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_SERVER_FILE.pem 151 | 152 | # Remove the cert request file (no longer needed) 153 | $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem 154 | 155 | echo " GENERATING A TEST SERVER ENCRYPT CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" 156 | echo " ===================================================================================" 157 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 158 | # new ecdsa (actually ECC) key pair is generated on the parameters in 159 | # $TEST_SERVER_CURVE.pem and the private key is saved in 160 | # $TEST_SERVER_FILE.key.pem 161 | # WARNING: By using the -nodes option, we force the private key to be 162 | # stored in the clear (rather than encrypted with a password). 163 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_SERVER_ENC_DN" \ 164 | -keyout $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem \ 165 | -newkey ec:$TEST_SERVER_CURVE.pem -new \ 166 | -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem -sm3 167 | 168 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the 169 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 170 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 171 | # file for this CA, create one. Make the certificate valid for $DAYS days 172 | # from the time of signing. The certificate is written into 173 | # $TEST_SERVER_FILE.cert.pem 174 | $OPENSSL_CMD x509 -req -days $DAYS \ 175 | -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem \ 176 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 177 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 178 | -extfile $OPENSSL_DIR/openssl.cnf \ 179 | -extensions v3enc_req \ 180 | -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -CAcreateserial -sm3 181 | 182 | # Display the certificate 183 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -text 184 | 185 | # Place the certificate and key in a common file 186 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -issuer -subject \ 187 | > $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 188 | $CAT $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 189 | 190 | # Verify cert 191 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 192 | 193 | # Remove the cert request file (no longer needed) 194 | $RM $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem 195 | 196 | 197 | 198 | echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 199 | echo "==========================================================================" 200 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 201 | # new ecdsa (actually ECC) key pair is generated on the parameters in 202 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 203 | # $TEST_CLIENT_FILE.key.pem 204 | # WARNING: By using the -nodes option, we force the private key to be 205 | # stored in the clear (rather than encrypted with a password). 206 | $OPENSSL_CMD req -config eccsignuser.cnf -nodes -subj "$TEST_CLIENT_DN" \ 207 | -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ 208 | -newkey ec:$TEST_CLIENT_CURVE.pem -new \ 209 | -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem -sm3 210 | 211 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 212 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 213 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 214 | # file for this CA, create one. Make the certificate valid for $DAYS days 215 | # from the time of signing. The certificate is written into 216 | # $TEST_CLIENT_FILE.cert.pem 217 | $OPENSSL_CMD x509 -req -days $DAYS \ 218 | -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ 219 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 220 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 221 | -extfile $OPENSSL_DIR/openssl.cnf \ 222 | -extensions v3_req \ 223 | -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial -sm3 224 | 225 | # Display the certificate 226 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text 227 | 228 | # Place the certificate and key in a common file 229 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ 230 | > $COMBO_DIR/$TEST_CLIENT_FILE.pem 231 | $CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem 232 | 233 | # Verify cert 234 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_FILE.pem 235 | 236 | # Remove the cert request file (no longer needed) 237 | $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem 238 | 239 | 240 | echo " GENERATING A TEST CLIENT ENCRYPT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 241 | echo " ===================================================================================" 242 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 243 | # new ecdsa (actually ECC) key pair is generated on the parameters in 244 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 245 | # $TEST_CLIENT_FILE.key.pem 246 | # WARNING: By using the -nodes option, we force the private key to be 247 | # stored in the clear (rather than encrypted with a password). 248 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_CLIENT_ENC_DN" \ 249 | -keyout $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem \ 250 | -newkey ec:$TEST_CLIENT_CURVE.pem -new \ 251 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem -sm3 252 | 253 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 254 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 255 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 256 | # file for this CA, create one. Make the certificate valid for $DAYS days 257 | # from the time of signing. The certificate is written into 258 | # $TEST_CLIENT_FILE.cert.pem 259 | $OPENSSL_CMD x509 -req -days $DAYS \ 260 | -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem \ 261 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 262 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 263 | -extfile $OPENSSL_DIR/openssl.cnf \ 264 | -extensions v3enc_req \ 265 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -CAcreateserial -sm3 266 | 267 | # Display the certificate 268 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -text 269 | 270 | # Place the certificate and key in a common file 271 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -issuer -subject \ 272 | > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 273 | $CAT $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 274 | 275 | # Verify cert 276 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 277 | 278 | # Remove the cert request file (no longer needed) 279 | $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem 280 | 281 | echo " GENERATING A TEST CERTIFICATE FOR REVOKE (on elliptic curve $TEST_CLIENT_CURVE)" 282 | echo " ===================================================================================" 283 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 284 | # new ecdsa (actually ECC) key pair is generated on the parameters in 285 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 286 | # $TEST_CLIENT_FILE.key.pem 287 | # WARNING: By using the -nodes option, we force the private key to be 288 | # stored in the clear (rather than encrypted with a password). 289 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_CLIENT_ENC_DN" \ 290 | -keyout $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem1 \ 291 | -newkey ec:$TEST_CLIENT_CURVE.pem -new \ 292 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 -sm3 293 | 294 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 295 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 296 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 297 | # file for this CA, create one. Make the certificate valid for $DAYS days 298 | # from the time of signing. The certificate is written into 299 | # $TEST_CLIENT_FILE.cert.pem 300 | $OPENSSL_CMD x509 -req -days $DAYS \ 301 | -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 \ 302 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 303 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 304 | -extfile $OPENSSL_DIR/openssl.cnf \ 305 | -extensions v3enc_req \ 306 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -CAcreateserial -sm3 307 | 308 | # Display the certificate 309 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -text 310 | 311 | # Place the certificate and key in a common file 312 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -issuer -subject \ 313 | > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 314 | $CAT $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem1 >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 315 | 316 | # Verify cert 317 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 318 | 319 | # Remove the cert request file (no longer needed) 320 | $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 321 | 322 | # Revoke cert 323 | $OPENSSL_CMD ca -config $OPENSSL_DIR/openssl.cnf -revoke $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 324 | 325 | # i want to export crl file 326 | $OPENSSL_CMD ca -config openssl.cnf -gencrl -out ca.crl.pem 327 | 328 | # Verfiy Cert chain 329 | echo "Verify $TEST_SERVER_FILE use $TEST_CA_FILE.cert.pem" 330 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_SERVER_FILE.pem 331 | echo "Verify $TEST_SERVER_ENC_FILE use $TEST_CA_FILE.cert.pem" 332 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_SERVER_ENC_FILE.pem 333 | echo "Verify $TEST_CLIENT_FILE use $TEST_CA_FILE.cert.pem" 334 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_CLIENT_FILE.pem 335 | echo "Verify $TEST_CLIENT_ENC_FILE use $TEST_CA_FILE.cert.pem" 336 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_CLIENT_ENC_FILE.pem 337 | -------------------------------------------------------------------------------- /cert_sh/SM2for3_0.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # For a list of supported curves, use "apps/openssl ecparam -list_curves". 4 | 5 | # Path to the openssl distribution 6 | OPENSSL_DIR=. 7 | # Path to the openssl program 8 | #OPENSSL_CMD=openssl 9 | OPENSSL_CMD=openssl 10 | # Option to find configuration file 11 | OPENSSL_CNF="-config ./openssl.cnf" 12 | # Directory where certificates are stored 13 | CERTS_DIR=./demoCA 14 | # Directory where key are stored 15 | CAKEY_DIR=./demoCA/private 16 | # Directory where private key files are stored 17 | KEYS_DIR=$CERTS_DIR 18 | # Directory where combo files (containing a certificate and corresponding 19 | # private key together) are stored 20 | COMBO_DIR=$CERTS_DIR 21 | # cat command 22 | CAT=/bin/cat 23 | # rm command 24 | RM=/bin/rm 25 | # mkdir command 26 | MKDIR=/bin/mkdir 27 | # MV command 28 | MVDIR=/bin/mv 29 | # CP command 30 | CPDIR=/bin/cp 31 | # touch command 32 | TOUCHDIR=/bin/touch 33 | 34 | # The certificate will expire these many days after the issue date. 35 | DAYS=700 36 | TEST_CA=SM2 37 | TEST_CA_CURVE=SM2 38 | TEST_CA_FILE=CA 39 | TEST_CA_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=Test CA (SM2)" 40 | 41 | TEST_SERVER_CURVE=SM2 42 | TEST_SERVER_FILE=SS 43 | TEST_SERVER_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 44 | 45 | TEST_SERVER_ENC_FILE=SE 46 | TEST_SERVER_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 47 | 48 | TEST_CLIENT_CURVE=SM2 49 | TEST_CLIENT_FILE=CS 50 | TEST_CLIENT_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 51 | 52 | TEST_CLIENT_ENC_FILE=CE 53 | TEST_CLIENT_ENC_DN="/C=CN/ST=BJ/L=Beijing/O=Beijing SM2Test/OU=SM2Test/CN=192.168.2.30" 54 | 55 | # Generating an EC certificate involves the following main steps 56 | # 1. Generating curve parameters (if needed) 57 | # 2. Generating a certificate request 58 | # 3. Signing the certificate request 59 | # 4. [Optional] One can combine the cert and private key into a single 60 | # file and also delete the certificate request 61 | 62 | $MKDIR -p $CERTS_DIR 63 | $MKDIR -p $KEYS_DIR 64 | $MKDIR -p $COMBO_DIR 65 | $MKDIR -p $CAKEY_DIR 66 | 67 | # create file index.txt and serial 68 | $TOUCHDIR $CERTS_DIR/index.txt 69 | $TOUCHDIR $CERTS_DIR/serial 70 | $TOUCHDIR $CERTS_DIR/index.txt.attr 71 | $TOUCHDIR $CERTS_DIR/crlnumber 72 | echo "01" > $CERTS_DIR/serial 73 | 74 | echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)" 75 | echo "===============================================================" 76 | $OPENSSL_CMD genpkey -algorithm $TEST_CA_CURVE -out $TEST_CA.pem 77 | 78 | # Generate a new certificate request in $TEST_CA_FILE.req.pem. A 79 | # new ecdsa (actually ECC) key pair is generated on the parameters in 80 | # $TEST_CA.pem and the private key is saved in $TEST_CA_FILE.key.pem 81 | # WARNING: By using the -nodes option, we force the private key to be 82 | # stored in the clear (rather than encrypted with a password). 83 | $OPENSSL_CMD req -config ./CA.cnf -nodes -subj "$TEST_CA_DN" \ 84 | -keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \ 85 | -new -key $TEST_CA.pem -new \ 86 | -out $CERTS_DIR/$TEST_CA_FILE.req.pem -sm3 87 | 88 | # Sign the certificate request in $TEST_CA_FILE.req.pem using the 89 | # private key in $TEST_CA_FILE.key.pem and include the CA extension. 90 | # Make the certificate valid for 1500 days from the time of signing. 91 | # The certificate is written into $TEST_CA_FILE.cert.pem 92 | $OPENSSL_CMD x509 -req -days $DAYS \ 93 | -in $CERTS_DIR/$TEST_CA_FILE.req.pem \ 94 | -extfile $OPENSSL_DIR/openssl.cnf \ 95 | -extensions v3_ca \ 96 | -signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 97 | -out $CERTS_DIR/$TEST_CA_FILE.cert.pem -sm3 98 | 99 | # Display the certificate 100 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text 101 | 102 | # Place the certificate and key in a common file 103 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \ 104 | > $COMBO_DIR/$TEST_CA_FILE.pem 105 | $CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem 106 | 107 | # move key to private file and rename cakey.pem 108 | $CPDIR $KEYS_DIR/$TEST_CA_FILE.key.pem $CAKEY_DIR/cakey.pem 109 | $CPDIR $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/cacert.pem 110 | 111 | # Remove the cert request file (no longer needed) 112 | $RM $CERTS_DIR/$TEST_CA_FILE.req.pem 113 | 114 | echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" 115 | echo "==========================================================================" 116 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 117 | # new ecdsa (actually ECC) key pair is generated on the parameters in 118 | # $TEST_SERVER_CURVE.pem and the private key is saved in 119 | # $TEST_SERVER_FILE.key.pem 120 | # WARNING: By using the -nodes option, we force the private key to be 121 | # stored in the clear (rather than encrypted with a password). 122 | $OPENSSL_CMD req -config eccsignuser.cnf -nodes -subj "$TEST_SERVER_DN" \ 123 | -keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \ 124 | -new -key $TEST_SERVER_CURVE.pem -new \ 125 | -out $CERTS_DIR/$TEST_SERVER_FILE.req.pem -sm3 126 | 127 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the 128 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 129 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 130 | # file for this CA, create one. Make the certificate valid for $DAYS days 131 | # from the time of signing. The certificate is written into 132 | # $TEST_SERVER_FILE.cert.pem 133 | $OPENSSL_CMD x509 -req -days $DAYS \ 134 | -in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \ 135 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 136 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 137 | -extfile $OPENSSL_DIR/openssl.cnf \ 138 | -extensions v3_req \ 139 | -out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial -sm3 140 | 141 | # Display the certificate 142 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text 143 | 144 | # Place the certificate and key in a common file 145 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \ 146 | > $COMBO_DIR/$TEST_SERVER_FILE.pem 147 | $CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem 148 | 149 | # Verify cert 150 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_SERVER_FILE.pem 151 | 152 | # Remove the cert request file (no longer needed) 153 | $RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem 154 | 155 | echo " GENERATING A TEST SERVER ENCRYPT CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)" 156 | echo " ===================================================================================" 157 | # Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A 158 | # new ecdsa (actually ECC) key pair is generated on the parameters in 159 | # $TEST_SERVER_CURVE.pem and the private key is saved in 160 | # $TEST_SERVER_FILE.key.pem 161 | # WARNING: By using the -nodes option, we force the private key to be 162 | # stored in the clear (rather than encrypted with a password). 163 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_SERVER_ENC_DN" \ 164 | -keyout $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem \ 165 | -new -key $TEST_SERVER_CURVE.pem -new \ 166 | -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem -sm3 167 | 168 | # Sign the certificate request in $TEST_SERVER_FILE.req.pem using the 169 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 170 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 171 | # file for this CA, create one. Make the certificate valid for $DAYS days 172 | # from the time of signing. The certificate is written into 173 | # $TEST_SERVER_FILE.cert.pem 174 | $OPENSSL_CMD x509 -req -days $DAYS \ 175 | -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem \ 176 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 177 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 178 | -extfile $OPENSSL_DIR/openssl.cnf \ 179 | -extensions v3enc_req \ 180 | -out $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -CAcreateserial -sm3 181 | 182 | # Display the certificate 183 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -text 184 | 185 | # Place the certificate and key in a common file 186 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_ENC_FILE.cert.pem -issuer -subject \ 187 | > $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 188 | $CAT $KEYS_DIR/$TEST_SERVER_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 189 | 190 | # Verify cert 191 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_SERVER_ENC_FILE.pem 192 | 193 | # Remove the cert request file (no longer needed) 194 | $RM $CERTS_DIR/$TEST_SERVER_ENC_FILE.req.pem 195 | 196 | 197 | 198 | echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 199 | echo "==========================================================================" 200 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 201 | # new ecdsa (actually ECC) key pair is generated on the parameters in 202 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 203 | # $TEST_CLIENT_FILE.key.pem 204 | # WARNING: By using the -nodes option, we force the private key to be 205 | # stored in the clear (rather than encrypted with a password). 206 | $OPENSSL_CMD req -config eccsignuser.cnf -nodes -subj "$TEST_CLIENT_DN" \ 207 | -keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \ 208 | -new -key $TEST_CLIENT_CURVE.pem -new \ 209 | -out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem -sm3 210 | 211 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 212 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 213 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 214 | # file for this CA, create one. Make the certificate valid for $DAYS days 215 | # from the time of signing. The certificate is written into 216 | # $TEST_CLIENT_FILE.cert.pem 217 | $OPENSSL_CMD x509 -req -days $DAYS \ 218 | -in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \ 219 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 220 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 221 | -extfile $OPENSSL_DIR/openssl.cnf \ 222 | -extensions v3_req \ 223 | -out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial -sm3 224 | 225 | # Display the certificate 226 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text 227 | 228 | # Place the certificate and key in a common file 229 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \ 230 | > $COMBO_DIR/$TEST_CLIENT_FILE.pem 231 | $CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem 232 | 233 | # Verify cert 234 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_FILE.pem 235 | 236 | # Remove the cert request file (no longer needed) 237 | $RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem 238 | 239 | 240 | echo " GENERATING A TEST CLIENT ENCRYPT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)" 241 | echo " ===================================================================================" 242 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 243 | # new ecdsa (actually ECC) key pair is generated on the parameters in 244 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 245 | # $TEST_CLIENT_FILE.key.pem 246 | # WARNING: By using the -nodes option, we force the private key to be 247 | # stored in the clear (rather than encrypted with a password). 248 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_CLIENT_ENC_DN" \ 249 | -keyout $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem \ 250 | -new -key $TEST_CLIENT_CURVE.pem -new \ 251 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem -sm3 252 | 253 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 254 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 255 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 256 | # file for this CA, create one. Make the certificate valid for $DAYS days 257 | # from the time of signing. The certificate is written into 258 | # $TEST_CLIENT_FILE.cert.pem 259 | $OPENSSL_CMD x509 -req -days $DAYS \ 260 | -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem \ 261 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 262 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 263 | -extfile $OPENSSL_DIR/openssl.cnf \ 264 | -extensions v3enc_req \ 265 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -CAcreateserial -sm3 266 | 267 | # Display the certificate 268 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -text 269 | 270 | # Place the certificate and key in a common file 271 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem -issuer -subject \ 272 | > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 273 | $CAT $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 274 | 275 | # Verify cert 276 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem 277 | 278 | # Remove the cert request file (no longer needed) 279 | $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem 280 | 281 | echo " GENERATING A TEST CERTIFICATE FOR REVOKE (on elliptic curve $TEST_CLIENT_CURVE)" 282 | echo " ===================================================================================" 283 | # Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A 284 | # new ecdsa (actually ECC) key pair is generated on the parameters in 285 | # $TEST_CLIENT_CURVE.pem and the private key is saved in 286 | # $TEST_CLIENT_FILE.key.pem 287 | # WARNING: By using the -nodes option, we force the private key to be 288 | # stored in the clear (rather than encrypted with a password). 289 | $OPENSSL_CMD req -config eccencuser.cnf -nodes -subj "$TEST_CLIENT_ENC_DN" \ 290 | -keyout $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem1 \ 291 | -new -key $TEST_CLIENT_CURVE.pem -new \ 292 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 -sm3 293 | 294 | # Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the 295 | # CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in 296 | # $TEST_CA_FILE.key.pem. Since we do not have an existing serial number 297 | # file for this CA, create one. Make the certificate valid for $DAYS days 298 | # from the time of signing. The certificate is written into 299 | # $TEST_CLIENT_FILE.cert.pem 300 | $OPENSSL_CMD x509 -req -days $DAYS \ 301 | -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 \ 302 | -CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \ 303 | -CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \ 304 | -extfile $OPENSSL_DIR/openssl.cnf \ 305 | -extensions v3enc_req \ 306 | -out $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -CAcreateserial -sm3 307 | 308 | # Display the certificate 309 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -text 310 | 311 | # Place the certificate and key in a common file 312 | $OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_ENC_FILE.cert.pem1 -issuer -subject \ 313 | > $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 314 | $CAT $KEYS_DIR/$TEST_CLIENT_ENC_FILE.key.pem1 >> $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 315 | 316 | # Verify cert 317 | $OPENSSL_CMD verify -CAfile $COMBO_DIR/$TEST_CA_FILE.pem $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 318 | 319 | # Remove the cert request file (no longer needed) 320 | $RM $CERTS_DIR/$TEST_CLIENT_ENC_FILE.req.pem1 321 | 322 | # Revoke cert 323 | $OPENSSL_CMD ca -config $OPENSSL_DIR/openssl.cnf -revoke $COMBO_DIR/$TEST_CLIENT_ENC_FILE.pem1 324 | 325 | # i want to export crl file 326 | $OPENSSL_CMD ca -config openssl.cnf -gencrl -out ca.crl.pem 327 | 328 | # Verfiy Cert chain 329 | echo "Verify $TEST_SERVER_FILE use $TEST_CA_FILE.cert.pem" 330 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_SERVER_FILE.pem 331 | echo "Verify $TEST_SERVER_ENC_FILE use $TEST_CA_FILE.cert.pem" 332 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_SERVER_ENC_FILE.pem 333 | echo "Verify $TEST_CLIENT_FILE use $TEST_CA_FILE.cert.pem" 334 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_CLIENT_FILE.pem 335 | echo "Verify $TEST_CLIENT_ENC_FILE use $TEST_CA_FILE.cert.pem" 336 | $OPENSSL_CMD verify -CAfile $CERTS_DIR/$TEST_CA_FILE.cert.pem $CERTS_DIR/$TEST_CLIENT_ENC_FILE.pem 337 | 338 | --------------------------------------------------------------------------------