openssl3.1.1关于国标支持的验证笔记

news2024/11/11 5:49:59

openssl3.1.1关于国标支持的验证笔记

openssl的版本差异日志

在这里插入图片描述
openssl虽然有3个大分支,我们就以3.1大分支查看关于国密的差异日志。

Changes between 1.1.0i and 1.1.1 [11 Sep 2018]

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

Changes between 1.1.1b and 1.1.1c [28 May 2019]

在这里插入图片描述

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

在这里插入图片描述

Changes between 1.1.1 and 3.0.0 [7 sep 2021]

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述

Changes between 3.0.7 and 3.0.8 [7 Feb 2023]

在这里插入图片描述

差异日志分析

openssl在1.1.1版本已经添加了国密算法的支持,
openssl在3.0.0版本已经支持了国标签名和验签的支持
最有一次相关修改在3.0.8版本。

所以测试环境需要3.0.8以及更高版本。本人习惯使用最新版本,目前的最新版本为3.1.1版本,开始测试一波。

openssl编译(openssl-3.1.1)

编译流程

直接上终端日志

第一次想当然了,没有看官方说明,搞砸了,
错误示范:

: 1690424002:0;tar -zxvf openssl-3.1.1.tar.gz
: 1690424010:0;cd openssl-3.1.1
: 1690424039:0;./Configure
: 1690424067:0;make -j4
: 1690424109:0;chmod a+x util/shlib_wrap.sh
: 1690424114:0;chmod a+x util/wrap.pl
: 1690424116:0;make -j4
: 1690424156:0;make -j1
: 1690435099:0;cd ..
: 1690435105:0;rm -r openssl-3.1.1

正确示范:

: 1690435110:0;tar -zxvf openssl-3.1.1.tar.gz
: 1690435115:0;cd openssl-3.1.1
: 1690435138:0;./config --prefix=/opt/openssl-3.1.1
: 1690435176:0;make
: 1690436282:0;make install
: 1690438167:0;cd /opt/openssl-3.1.1/bin

由于没有安装到系统路径上,配一下动态库搜索路径,才能执行

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:37:47]
$ find .. -name "*.so"
../lib64/engines-3/loader_attic.so
../lib64/engines-3/capi.so
../lib64/engines-3/padlock.so
../lib64/engines-3/afalg.so
../lib64/libssl.so
../lib64/ossl-modules/legacy.so
../lib64/libcrypto.so

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:38:04] 
$ export LD_LIBRARY_PATH=/opt/openssl-3.1.1/lib64:$LD_LIBRARY_PATH

# root @ ubuntu in /opt/openssl-3.1.1/bin [6:38:14]
$ ./openssl version
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)

国密支持测试

非对称算法支持(结论:支持SM2)

# root @ ubuntu in ~/SMx_test [7:39:52] 
$ /opt/openssl-3.1.1/bin/openssl list -public-key-algorithms
Legacy:
 Name: OpenSSL RSA method
	Type: Builtin Algorithm
	OID: rsaEncryption
	PEM string: RSA
 Name: rsa
	Alias for: rsaEncryption
 Name: OpenSSL PKCS#3 DH method
	Type: Builtin Algorithm
	OID: dhKeyAgreement
	PEM string: DH
 Name: dsaWithSHA
	Alias for: dsaEncryption
 Name: dsaEncryption-old
	Alias for: dsaEncryption
 Name: dsaWithSHA1-old
	Alias for: dsaEncryption
 Name: dsaWithSHA1
	Alias for: dsaEncryption
 Name: OpenSSL DSA method
	Type: Builtin Algorithm
	OID: dsaEncryption
	PEM string: DSA
 Name: OpenSSL EC algorithm
	Type: Builtin Algorithm
	OID: id-ecPublicKey
	PEM string: EC
 Name: OpenSSL RSA-PSS method
	Type: Builtin Algorithm
	OID: rsassaPss
	PEM string: RSA-PSS
 Name: OpenSSL X9.42 DH method
	Type: Builtin Algorithm
	OID: X9.42 DH
	PEM string: X9.42 DH
 Name: OpenSSL X25519 algorithm
	Type: Builtin Algorithm
	OID: X25519
	PEM string: X25519
 Name: OpenSSL X448 algorithm
	Type: Builtin Algorithm
	OID: X448
	PEM string: X448
 Name: OpenSSL ED25519 algorithm
	Type: Builtin Algorithm
	OID: ED25519
	PEM string: ED25519
 Name: OpenSSL ED448 algorithm
	Type: Builtin Algorithm
	OID: ED448
	PEM string: ED448
 Name: sm2
	Alias for: id-ecPublicKey
Provided:
 Key Managers:
  Name: OpenSSL RSA implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  Name: OpenSSL PKCS#3 DH implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
  Name: OpenSSL DSA implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  Name: OpenSSL EC implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10045.2.1, EC, id-ecPublicKey } @ default
  Name: OpenSSL RSA-PSS implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.113549.1.1.10, RSA-PSS, RSASSA-PSS, rsassaPss } @ default
  Name: OpenSSL X9.42 DH implementation
    Type: Provider Algorithm
    IDs: { 1.2.840.10046.2.1, dhpublicnumber, DHX, X9.42 DH } @ default
  Name: OpenSSL X25519 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.110, X25519 } @ default
  Name: OpenSSL X448 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.111, X448 } @ default
  Name: OpenSSL ED25519 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.112, ED25519 } @ default
  Name: OpenSSL ED448 implementation
    Type: Provider Algorithm
    IDs: { 1.3.101.113, ED448 } @ default
  Name: OpenSSL SM2 implementation
    Type: Provider Algorithm
    IDs: { 1.2.156.10197.1.301, SM2 } @ default
  Name: OpenSSL TLS1_PRF via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: TLS1-PRF @ default
  Name: OpenSSL HKDF via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: HKDF @ default
  Name: OpenSSL SCRYPT via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: { 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
  Name: OpenSSL HMAC via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: HMAC @ default
  Name: OpenSSL SIPHASH via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: SIPHASH @ default
  Name: OpenSSL POLY1305 via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: POLY1305 @ default
  Name: OpenSSL CMAC via EVP_PKEY implementation
    Type: Provider Algorithm
    IDs: CMAC @ default
# root @ ubuntu in ~/SMx_test [7:46:34] 
$ /opt/openssl-3.1.1/bin/openssl list -public-key-methods
Legacy:
 rsaEncryption
	Type: External Algorithm
 dhKeyAgreement
	Type: Builtin Algorithm
 dsaEncryption
	Type: External Algorithm
 id-ecPublicKey
	Type: Builtin Algorithm
 rsassaPss
	Type: External Algorithm
 X9.42 DH
	Type: Builtin Algorithm
 X25519
	Type: Builtin Algorithm
 X448
	Type: Builtin Algorithm
 ED25519
	Type: Builtin Algorithm
 ED448
	Type: Builtin Algorithm
Provided:
 Encryption:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
 Key Exchange:
  { 1.2.840.113549.1.3.1, DH, dhKeyAgreement } @ default
  { 1.3.101.110, X25519 } @ default
  { 1.3.101.111, X448 } @ default
  ECDH @ default
  TLS1-PRF @ default
  HKDF @ default
  { 1.3.6.1.4.1.11591.4.11, id-scrypt, SCRYPT } @ default
 Signatures:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
  { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
  { 1.3.101.112, ED25519 } @ default
  { 1.3.101.113, ED448 } @ default
  { 1.2.156.10197.1.301, SM2 } @ default
  ECDSA @ default
  HMAC @ default
  SIPHASH @ default
  POLY1305 @ default
  CMAC @ default
 Key encapsulation:
  { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default

摘要算法,哈希算法,杂凑算法(结论:支持SM3)

# root @ ubuntu in ~/SMx_test [7:52:15] 
$ /opt/openssl-3.1.1/bin/openssl list -digest-algorithms
Legacy:
  RSA-MD4 => MD4
  RSA-MD5 => MD5
  RSA-MDC2 => MDC2
  RSA-RIPEMD160 => RIPEMD160
  RSA-SHA1 => SHA1
  RSA-SHA1-2 => RSA-SHA1
  RSA-SHA224 => SHA224
  RSA-SHA256 => SHA256
  RSA-SHA3-224 => SHA3-224
  RSA-SHA3-256 => SHA3-256
  RSA-SHA3-384 => SHA3-384
  RSA-SHA3-512 => SHA3-512
  RSA-SHA384 => SHA384
  RSA-SHA512 => SHA512
  RSA-SHA512/224 => SHA512-224
  RSA-SHA512/256 => SHA512-256
  RSA-SM3 => SM3
  BLAKE2b512
  BLAKE2s256
  id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
  id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
  id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
  id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
  MD4
  md4WithRSAEncryption => MD4
  MD5
  MD5-SHA1
  md5WithRSAEncryption => MD5
  MDC2
  mdc2WithRSA => MDC2
  ripemd => RIPEMD160
  RIPEMD160
  ripemd160WithRSA => RIPEMD160
  rmd160 => RIPEMD160
  SHA1
  sha1WithRSAEncryption => SHA1
  SHA224
  sha224WithRSAEncryption => SHA224
  SHA256
  sha256WithRSAEncryption => SHA256
  SHA3-224
  SHA3-256
  SHA3-384
  SHA3-512
  SHA384
  sha384WithRSAEncryption => SHA384
  SHA512
  SHA512-224
  sha512-224WithRSAEncryption => SHA512-224
  SHA512-256
  sha512-256WithRSAEncryption => SHA512-256
  sha512WithRSAEncryption => SHA512
  SHAKE128
  SHAKE256
  SM3
  sm3WithRSAEncryption => SM3
  ssl3-md5 => MD5
  ssl3-sha1 => SHA1
  whirlpool
Provided:
  { 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
  { 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
  { 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
  { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
  { 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
  { 1.3.36.3.2.1, RIPEMD, RIPEMD-160, RIPEMD160, RMD160 } @ default
  { 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
  { 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
  { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
  { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
  { 1.2.156.10197.1.401, SM3 } @ default
  { 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 1.3.6.1.4.1.1722.12.2.2.8, BLAKE2S-256, BLAKE2s256 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.3.6.1.4.1.1722.12.2.1.16, BLAKE2B-512, BLAKE2b512 } @ default
  MD5-SHA1 @ default
  { 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
  { KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
  { KECCAK-KMAC-256, KECCAK-KMAC256 } @ default
  NULL @ default

对称算法支持(结论:支持SM4)

# root @ ubuntu in ~/SMx_test [7:55:07] C:130
$ /opt/openssl-3.1.1/bin/openssl list -cipher-algorithms
Legacy:
  AES-128-CBC
  AES-128-CBC-HMAC-SHA1
  AES-128-CBC-HMAC-SHA256
  id-aes128-CCM
  AES-128-CFB
  AES-128-CFB1
  AES-128-CFB8
  AES-128-CTR
  AES-128-ECB
  id-aes128-GCM
  AES-128-OCB
  AES-128-OFB
  AES-128-XTS
  AES-192-CBC
  id-aes192-CCM
  AES-192-CFB
  AES-192-CFB1
  AES-192-CFB8
  AES-192-CTR
  AES-192-ECB
  id-aes192-GCM
  AES-192-OCB
  AES-192-OFB
  AES-256-CBC
  AES-256-CBC-HMAC-SHA1
  AES-256-CBC-HMAC-SHA256
  id-aes256-CCM
  AES-256-CFB
  AES-256-CFB1
  AES-256-CFB8
  AES-256-CTR
  AES-256-ECB
  id-aes256-GCM
  AES-256-OCB
  AES-256-OFB
  AES-256-XTS
  aes128 => AES-128-CBC
  aes128-wrap => id-aes128-wrap
  aes192 => AES-192-CBC
  aes192-wrap => id-aes192-wrap
  aes256 => AES-256-CBC
  aes256-wrap => id-aes256-wrap
  ARIA-128-CBC
  ARIA-128-CCM
  ARIA-128-CFB
  ARIA-128-CFB1
  ARIA-128-CFB8
  ARIA-128-CTR
  ARIA-128-ECB
  ARIA-128-GCM
  ARIA-128-OFB
  ARIA-192-CBC
  ARIA-192-CCM
  ARIA-192-CFB
  ARIA-192-CFB1
  ARIA-192-CFB8
  ARIA-192-CTR
  ARIA-192-ECB
  ARIA-192-GCM
  ARIA-192-OFB
  ARIA-256-CBC
  ARIA-256-CCM
  ARIA-256-CFB
  ARIA-256-CFB1
  ARIA-256-CFB8
  ARIA-256-CTR
  ARIA-256-ECB
  ARIA-256-GCM
  ARIA-256-OFB
  aria128 => ARIA-128-CBC
  aria192 => ARIA-192-CBC
  aria256 => ARIA-256-CBC
  bf => BF-CBC
  BF-CBC
  BF-CFB
  BF-ECB
  BF-OFB
  blowfish => BF-CBC
  CAMELLIA-128-CBC
  CAMELLIA-128-CFB
  CAMELLIA-128-CFB1
  CAMELLIA-128-CFB8
  CAMELLIA-128-CTR
  CAMELLIA-128-ECB
  CAMELLIA-128-OFB
  CAMELLIA-192-CBC
  CAMELLIA-192-CFB
  CAMELLIA-192-CFB1
  CAMELLIA-192-CFB8
  CAMELLIA-192-CTR
  CAMELLIA-192-ECB
  CAMELLIA-192-OFB
  CAMELLIA-256-CBC
  CAMELLIA-256-CFB
  CAMELLIA-256-CFB1
  CAMELLIA-256-CFB8
  CAMELLIA-256-CTR
  CAMELLIA-256-ECB
  CAMELLIA-256-OFB
  camellia128 => CAMELLIA-128-CBC
  camellia192 => CAMELLIA-192-CBC
  camellia256 => CAMELLIA-256-CBC
  cast => CAST5-CBC
  cast-cbc => CAST5-CBC
  CAST5-CBC
  CAST5-CFB
  CAST5-ECB
  CAST5-OFB
  ChaCha20
  ChaCha20-Poly1305
  des => DES-CBC
  DES-CBC
  DES-CFB
  DES-CFB1
  DES-CFB8
  DES-ECB
  DES-EDE
  DES-EDE-CBC
  DES-EDE-CFB
  des-ede-ecb => DES-EDE
  DES-EDE-OFB
  DES-EDE3
  DES-EDE3-CBC
  DES-EDE3-CFB
  DES-EDE3-CFB1
  DES-EDE3-CFB8
  des-ede3-ecb => DES-EDE3
  DES-EDE3-OFB
  DES-OFB
  des3 => DES-EDE3-CBC
  des3-wrap => id-smime-alg-CMS3DESwrap
  desx => DESX-CBC
  DESX-CBC
  id-aes128-CCM
  id-aes128-GCM
  id-aes128-wrap
  id-aes128-wrap-pad
  id-aes192-CCM
  id-aes192-GCM
  id-aes192-wrap
  id-aes192-wrap-pad
  id-aes256-CCM
  id-aes256-GCM
  id-aes256-wrap
  id-aes256-wrap-pad
  id-smime-alg-CMS3DESwrap
  idea => IDEA-CBC
  IDEA-CBC
  IDEA-CFB
  IDEA-ECB
  IDEA-OFB
  rc2 => RC2-CBC
  rc2-128 => RC2-CBC
  rc2-40 => RC2-40-CBC
  RC2-40-CBC
  rc2-64 => RC2-64-CBC
  RC2-64-CBC
  RC2-CBC
  RC2-CFB
  RC2-ECB
  RC2-OFB
  RC4
  RC4-40
  RC4-HMAC-MD5
  seed => SEED-CBC
  SEED-CBC
  SEED-CFB
  SEED-ECB
  SEED-OFB
  sm4 => SM4-CBC
  SM4-CBC
  SM4-CFB
  SM4-CTR
  SM4-ECB
  SM4-OFB
Provided:
  { 2.16.840.1.101.3.4.1.22, AES-192-CBC, AES192 } @ default
  { 1.2.410.200046.1.1.12, ARIA-256-CBC, ARIA256 } @ default
  { 2.16.840.1.101.3.4.1.4, AES-128-CFB } @ default
  { 1.2.410.200046.1.1.38, ARIA-192-CCM } @ default
  { 1.2.410.200046.1.1.1, ARIA-128-ECB } @ default
  { 2.16.840.1.101.3.4.1.2, AES-128-CBC, AES128 } @ default
  { 2.16.840.1.101.3.4.1.24, AES-192-CFB } @ default
  { 1.2.392.200011.61.1.1.1.2, CAMELLIA-128-CBC, CAMELLIA128 } @ default
  { 1.2.392.200011.61.1.1.1.4, CAMELLIA-256-CBC, CAMELLIA256 } @ default
  { 1.2.410.200046.1.1.35, ARIA-192-GCM } @ default
  { 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } @ default
  { 1.2.410.200046.1.1.36, ARIA-256-GCM } @ default
  { 1.3.111.2.1619.0.1.2, AES-256-XTS } @ default
  { 1.2.840.113549.1.9.16.3.6, DES3-WRAP, id-smime-alg-CMS3DESwrap } @ default
  { 2.16.840.1.101.3.4.1.48, AES-256-WRAP-PAD, AES256-WRAP-PAD, id-aes256-wrap-pad } @ default
  { 1.2.156.10197.1.104.3, SM4-OFB, SM4-OFB128 } @ default
  { 2.16.840.1.101.3.4.1.25, AES-192-WRAP, AES192-WRAP, id-aes192-wrap } @ default
  { 2.16.840.1.101.3.4.1.41, AES-256-ECB } @ default
  { 0.3.4401.5.3.1.9.49, CAMELLIA-256-CTR } @ default
  { 1.2.410.200046.1.1.2, ARIA-128-CBC, ARIA128 } @ default
  { 2.16.840.1.101.3.4.1.6, aes-128-gcm, id-aes128-GCM } @ default
  { 0.3.4401.5.3.1.9.41, CAMELLIA-256-ECB } @ default
  { 2.16.840.1.101.3.4.1.44, AES-256-CFB } @ default
  { 2.16.840.1.101.3.4.1.8, AES-128-WRAP-PAD, AES128-WRAP-PAD, id-aes128-wrap-pad } @ default
  { 1.2.156.10197.1.104.4, SM4-CFB, SM4-CFB128 } @ default
  { 0.3.4401.5.3.1.9.4, CAMELLIA-128-CFB } @ default
  { 1.2.410.200046.1.1.39, ARIA-256-CCM } @ default
  { 1.2.410.200046.1.1.14, ARIA-256-OFB } @ default
  { 2.16.840.1.101.3.4.1.46, aes-256-gcm, id-aes256-GCM } @ default
  { 0.3.4401.5.3.1.9.9, CAMELLIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.23, AES-192-OFB } @ default
  { 1.2.156.10197.1.104.1, SM4-ECB } @ default
  { 2.16.840.1.101.3.4.1.7, aes-128-ccm, id-aes128-CCM } @ default
  { 2.16.840.1.101.3.4.1.47, aes-256-ccm, id-aes256-CCM } @ default
  { 1.2.410.200046.1.1.7, ARIA-192-CBC, ARIA192 } @ default
  { 2.16.840.1.101.3.4.1.45, AES-256-WRAP, AES256-WRAP, id-aes256-wrap } @ default
  { 1.2.410.200046.1.1.15, ARIA-256-CTR } @ default
  { 1.2.410.200046.1.1.3, ARIA-128-CFB } @ default
  { 1.2.410.200046.1.1.34, ARIA-128-GCM } @ default
  { 1.2.410.200046.1.1.6, ARIA-192-ECB } @ default
  { 2.16.840.1.101.3.4.1.26, aes-192-gcm, id-aes192-GCM } @ default
  { 0.3.4401.5.3.1.9.29, CAMELLIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.43, CAMELLIA-256-OFB } @ default
  { 1.2.156.10197.1.104.2, SM4, SM4-CBC } @ default
  { 1.2.410.200046.1.1.37, ARIA-128-CCM } @ default
  { 2.16.840.1.101.3.4.1.27, aes-192-ccm, id-aes192-CCM } @ default
  { 1.3.14.3.2.17, DES-EDE, DES-EDE-ECB } @ default
  { 1.2.410.200046.1.1.11, ARIA-256-ECB } @ default
  { 1.3.111.2.1619.0.1.1, AES-128-XTS } @ default
  { 2.16.840.1.101.3.4.1.5, AES-128-WRAP, AES128-WRAP, id-aes128-wrap } @ default
  { 2.16.840.1.101.3.4.1.3, AES-128-OFB } @ default
  { 0.3.4401.5.3.1.9.3, CAMELLIA-128-OFB } @ default
  { 0.3.4401.5.3.1.9.1, CAMELLIA-128-ECB } @ default
  { 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } @ default
  { 0.3.4401.5.3.1.9.44, CAMELLIA-256-CFB } @ default
  { 1.2.410.200046.1.1.10, ARIA-192-CTR } @ default
  { 0.3.4401.5.3.1.9.23, CAMELLIA-192-OFB } @ default
  { 0.3.4401.5.3.1.9.24, CAMELLIA-192-CFB } @ default
  { 1.2.410.200046.1.1.9, ARIA-192-OFB } @ default
  { 1.2.410.200046.1.1.13, ARIA-256-CFB } @ default
  { 2.16.840.1.101.3.4.1.1, AES-128-ECB } @ default
  { 2.16.840.1.101.3.4.1.28, AES-192-WRAP-PAD, AES192-WRAP-PAD, id-aes192-wrap-pad } @ default
  { 1.2.410.200046.1.1.8, ARIA-192-CFB } @ default
  { 1.2.156.10197.1.104.7, SM4-CTR } @ default
  { 2.16.840.1.101.3.4.1.43, AES-256-OFB } @ default
  { 1.2.410.200046.1.1.4, ARIA-128-OFB } @ default
  { 1.2.392.200011.61.1.1.1.3, CAMELLIA-192-CBC, CAMELLIA192 } @ default
  { 0.3.4401.5.3.1.9.21, CAMELLIA-192-ECB } @ default
  { 1.2.410.200046.1.1.5, ARIA-128-CTR } @ default
  { 2.16.840.1.101.3.4.1.21, AES-192-ECB } @ default
  NULL @ default
  AES-128-CBC-CTS @ default
  AES-192-CBC-CTS @ default
  AES-256-CBC-CTS @ default
  AES-256-CFB1 @ default
  AES-192-CFB1 @ default
  AES-128-CFB1 @ default
  AES-256-CFB8 @ default
  AES-192-CFB8 @ default
  AES-128-CFB8 @ default
  AES-256-CTR @ default
  AES-192-CTR @ default
  AES-128-CTR @ default
  AES-256-OCB @ default
  AES-192-OCB @ default
  AES-128-OCB @ default
  AES-128-SIV @ default
  AES-192-SIV @ default
  AES-256-SIV @ default
  { AES-256-WRAP-INV, AES256-WRAP-INV } @ default
  { AES-192-WRAP-INV, AES192-WRAP-INV } @ default
  { AES-128-WRAP-INV, AES128-WRAP-INV } @ default
  { AES-256-WRAP-PAD-INV, AES256-WRAP-PAD-INV } @ default
  { AES-192-WRAP-PAD-INV, AES192-WRAP-PAD-INV } @ default
  { AES-128-WRAP-PAD-INV, AES128-WRAP-PAD-INV } @ default
  AES-128-CBC-HMAC-SHA1 @ default
  AES-256-CBC-HMAC-SHA1 @ default
  AES-128-CBC-HMAC-SHA256 @ default
  AES-256-CBC-HMAC-SHA256 @ default
  ARIA-256-CFB1 @ default
  ARIA-192-CFB1 @ default
  ARIA-128-CFB1 @ default
  ARIA-256-CFB8 @ default
  ARIA-192-CFB8 @ default
  ARIA-128-CFB8 @ default
  CAMELLIA-128-CBC-CTS @ default
  CAMELLIA-192-CBC-CTS @ default
  CAMELLIA-256-CBC-CTS @ default
  CAMELLIA-256-CFB1 @ default
  CAMELLIA-192-CFB1 @ default
  CAMELLIA-128-CFB1 @ default
  CAMELLIA-256-CFB8 @ default
  CAMELLIA-192-CFB8 @ default
  CAMELLIA-128-CFB8 @ default
  { DES-EDE3, DES-EDE3-ECB } @ default
  DES-EDE3-OFB @ default
  DES-EDE3-CFB @ default
  DES-EDE3-CFB8 @ default
  DES-EDE3-CFB1 @ default
  DES-EDE-CBC @ default
  DES-EDE-OFB @ default
  DES-EDE-CFB @ default
  { 1.2.156.10197.1.104.8, SM4-GCM } @ default
  { 1.2.156.10197.1.104.9, SM4-CCM } @ default
  ChaCha20 @ default
  ChaCha20-Poly1305 @ default

国密测试

生成CA根证书国密SM2私钥

# root @ ubuntu in ~/SMx_test [7:55:45] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -list_curves 
  secp112r1 : SECG/WTLS curve over a 112 bit prime field
  secp112r2 : SECG curve over a 112 bit prime field
  secp128r1 : SECG curve over a 128 bit prime field
  secp128r2 : SECG curve over a 128 bit prime field
  secp160k1 : SECG curve over a 160 bit prime field
  secp160r1 : SECG curve over a 160 bit prime field
  secp160r2 : SECG/WTLS curve over a 160 bit prime field
  secp192k1 : SECG curve over a 192 bit prime field
  secp224k1 : SECG curve over a 224 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  prime192v2: X9.62 curve over a 192 bit prime field
  prime192v3: X9.62 curve over a 192 bit prime field
  prime239v1: X9.62 curve over a 239 bit prime field
  prime239v2: X9.62 curve over a 239 bit prime field
  prime239v3: X9.62 curve over a 239 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect113r1 : SECG curve over a 113 bit binary field
  sect113r2 : SECG curve over a 113 bit binary field
  sect131r1 : SECG/WTLS curve over a 131 bit binary field
  sect131r2 : SECG curve over a 131 bit binary field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  sect163r1 : SECG curve over a 163 bit binary field
  sect163r2 : NIST/SECG curve over a 163 bit binary field
  sect193r1 : SECG curve over a 193 bit binary field
  sect193r2 : SECG curve over a 193 bit binary field
  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field
  sect239k1 : SECG curve over a 239 bit binary field
  sect283k1 : NIST/SECG curve over a 283 bit binary field
  sect283r1 : NIST/SECG curve over a 283 bit binary field
  sect409k1 : NIST/SECG curve over a 409 bit binary field
  sect409r1 : NIST/SECG curve over a 409 bit binary field
  sect571k1 : NIST/SECG curve over a 571 bit binary field
  sect571r1 : NIST/SECG curve over a 571 bit binary field
  c2pnb163v1: X9.62 curve over a 163 bit binary field
  c2pnb163v2: X9.62 curve over a 163 bit binary field
  c2pnb163v3: X9.62 curve over a 163 bit binary field
  c2pnb176v1: X9.62 curve over a 176 bit binary field
  c2tnb191v1: X9.62 curve over a 191 bit binary field
  c2tnb191v2: X9.62 curve over a 191 bit binary field
  c2tnb191v3: X9.62 curve over a 191 bit binary field
  c2pnb208w1: X9.62 curve over a 208 bit binary field
  c2tnb239v1: X9.62 curve over a 239 bit binary field
  c2tnb239v2: X9.62 curve over a 239 bit binary field
  c2tnb239v3: X9.62 curve over a 239 bit binary field
  c2pnb272w1: X9.62 curve over a 272 bit binary field
  c2pnb304w1: X9.62 curve over a 304 bit binary field
  c2tnb359v1: X9.62 curve over a 359 bit binary field
  c2pnb368w1: X9.62 curve over a 368 bit binary field
  c2tnb431r1: X9.62 curve over a 431 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field
  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field
  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field
  wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field
  Oakley-EC2N-3: 
	IPSec/IKE/Oakley curve #3 over a 155 bit binary field.
	Not suitable for ECDSA.
	Questionable extension field!
  Oakley-EC2N-4: 
	IPSec/IKE/Oakley curve #4 over a 185 bit binary field.
	Not suitable for ECDSA.
	Questionable extension field!
  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field
  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field
  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field
  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field
  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field
  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field
  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field
  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field
  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field
  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field
  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field
  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field
  SM2       : SM2 curve over a 256 bit prime field
  
# root @ ubuntu in ~/SMx_test [9:06:38] C:130
$ /opt/openssl-3.1.1/bin/openssl ecparam -genkey -name SM2 -out root.key

# root @ ubuntu in ~/SMx_test [9:08:12] 
$ cat root.key
-----BEGIN SM2 PARAMETERS-----
BggqgRzPVQGCLQ==
-----END SM2 PARAMETERS-----
-----BEGIN PRIVATE KEY-----
MIGIAgEAMBQGCCqBHM9VAYItBggqgRzPVQGCLQRtMGsCAQEEIMseXRorRdHJe5ab
2J4iSjWmBGQOlHIIJR38mqk9h1VroUQDQgAERa17YaXohsIanVDRoJJRhkPTpIZf
U+DcVcUDaUHjPXKZcbTnNjf2boiD4oORZ1CV5VMbnWYSew37SPn1Anbiqg==
-----END PRIVATE KEY-----

# root @ ubuntu in ~/SMx_test [9:08:17] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -text -noout -in root.key
Could not read params of EC parameters from root.key
C091F8D0AC7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto/encode_decode/decoder_lib.c:102:No supported data to decode. Input type: PEM
C091F8D0AC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:151:

# root @ ubuntu in ~/SMx_test [9:08:26] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -text -noout -in root.key
read EC key
Private-Key: (256 bit)
priv:
    cb:1e:5d:1a:2b:45:d1:c9:7b:96:9b:d8:9e:22:4a:
    35:a6:04:64:0e:94:72:08:25:1d:fc:9a:a9:3d:87:
    55:6b
pub:
    04:45:ad:7b:61:a5:e8:86:c2:1a:9d:50:d1:a0:92:
    51:86:43:d3:a4:86:5f:53:e0:dc:55:c5:03:69:41:
    e3:3d:72:99:71:b4:e7:36:37:f6:6e:88:83:e2:83:
    91:67:50:95:e5:53:1b:9d:66:12:7b:0d:fb:48:f9:
    f5:02:76:e2:aa
ASN1 OID: SM2

看着好像是没有问题。

生成CA根证书国密SM2公钥

# root @ ubuntu in ~/SMx_test [9:26:12] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -in root.key -text -noout
read EC key
Private-Key: (256 bit)
priv:
    29:9a:da:8d:84:60:6e:cf:ee:9b:ed:16:33:7d:43:
    f1:a8:b1:cb:2c:1c:81:87:5e:56:93:4f:9c:3a:56:
    8b:01
pub:
    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
    13:50:d1:c2:b1
ASN1 OID: SM2

# root @ ubuntu in ~/SMx_test [9:19:55] 
$ /opt/openssl-3.1.1/bin/openssl ec -pubout -in root.key -out root_pub.key    
read EC key
writing EC key

# root @ ubuntu in ~/SMx_test [9:20:03] 
$ ls
root.key  root_pub.key

# root @ ubuntu in ~/SMx_test [9:20:09] 
$ cat root_pub.key 
-----BEGIN PUBLIC KEY-----
MFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABByScYzVvUJ1NFlT3pcRB5xLv9YT
l+GZs+xxV4Qk5DxdJvgG+MLp297M4ugQJ+uNc/wGicgUtaPVoLHOE1DRwrE=
-----END PUBLIC KEY-----

# root @ ubuntu in ~/SMx_test [9:23:51] C:1
$ /opt/openssl-3.1.1/bin/openssl ec -pubin -in root_pub.key -text -noout
read EC key
Public-Key: (256 bit)
pub:
    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
    13:50:d1:c2:b1
ASN1 OID: SM2

生成CA根证书

# root @ ubuntu in ~/SMx_test [9:33:34] 
$ /opt/openssl-3.1.1/bin/openssl req -new -x509 -key root.key -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HN
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JL
Organizational Unit Name (eg, section) []:HW
Common Name (e.g. server FQDN or YOUR name) []:liuyuelong.com  
Email Address []:yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [9:35:16] 
$ ls
root.crt  root.key  root_pub.key

# root @ ubuntu in ~/SMx_test [9:35:19] 
$ cat root.crt 
-----BEGIN CERTIFICATE-----
MIICTjCCAfSgAwIBAgIUDHdnZH56/dBiHojqqNzfhoDDIUwwCgYIKoEcz1UBg3Uw
fDELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkhOMQswCQYDVQQHDAJaWjELMAkGA1UE
CgwCSkwxCzAJBgNVBAsMAkhXMRcwFQYDVQQDDA5saXV5dWVsb25nLmNvbTEgMB4G
CSqGSIb3DQEJARYReWpraHRkZHhAc2luYS5jb20wHhcNMjMwNzI3MDkzNTE2WhcN
MjMwODI2MDkzNTE2WjB8MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNV
BAcMAlpaMQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFzAVBgNVBAMMDmxpdXl1
ZWxvbmcuY29tMSAwHgYJKoZIhvcNAQkBFhF5amtodGRkeEBzaW5hLmNvbTBaMBQG
CCqBHM9VAYItBggqgRzPVQGCLQNCAAQcknGM1b1CdTRZU96XEQecS7/WE5fhmbPs
cVeEJOQ8XSb4BvjC6dvezOLoECfrjXP8BonIFLWj1aCxzhNQ0cKxo1MwUTAdBgNV
HQ4EFgQUuT7GISEAApZf7WL7sjR2DDZM62IwHwYDVR0jBBgwFoAUuT7GISEAApZf
7WL7sjR2DDZM62IwDwYDVR0TAQH/BAUwAwEB/zAKBggqgRzPVQGDdQNIADBFAiEA
3ggGkI7OL8pR21OPYt/ogyXTQz8pdjs5BwHwf1+NVnMCIHyXJO05Fe0BGAxG4bhC
N5fiGR1dwR6StS/LnriuW0aT
-----END CERTIFICATE-----

# root @ ubuntu in ~/SMx_test [9:35:49] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in root.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:77:67:64:7e:7a:fd:d0:62:1e:88:ea:a8:dc:df:86:80:c3:21:4c
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 27 09:35:16 2023 GMT
            Not After : Aug 26 09:35:16 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
                    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
                    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
                    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
                    13:50:d1:c2:b1
                ASN1 OID: SM2
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                B9:3E:C6:21:21:00:02:96:5F:ED:62:FB:B2:34:76:0C:36:4C:EB:62
            X509v3 Authority Key Identifier: 
                B9:3E:C6:21:21:00:02:96:5F:ED:62:FB:B2:34:76:0C:36:4C:EB:62
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:45:02:21:00:de:08:06:90:8e:ce:2f:ca:51:db:53:8f:62:
        df:e8:83:25:d3:43:3f:29:76:3b:39:07:01:f0:7f:5f:8d:56:
        73:02:20:7c:97:24:ed:39:15:ed:01:18:0c:46:e1:b8:42:37:
        97:e2:19:1d:5d:c1:1e:92:b5:2f:cb:9e:b8:ae:5b:46:93

SM2算法的私钥,openssl自动选择SM2-with-SM3签名算法,牛B。

给使用CA根证书给CA根证书验签

正常使用应该没有这种使用场景,但是验一下也无妨嘛。

# root @ ubuntu in ~/SMx_test [9:36:45] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt root.crt 
root.crt: OK

肯定是没有问题的嘛,自己给自己验签怎么会有问题呢!

生成服务器密钥对

# root @ ubuntu in ~/SMx_test [1:08:49] 
$ /opt/openssl-3.1.1/bin/openssl ecparam -genkey -name SM2 -out server.key

# root @ ubuntu in ~/SMx_test [1:09:21] 
$ cat server.key 
-----BEGIN SM2 PARAMETERS-----
BggqgRzPVQGCLQ==
-----END SM2 PARAMETERS-----
-----BEGIN PRIVATE KEY-----
MIGIAgEAMBQGCCqBHM9VAYItBggqgRzPVQGCLQRtMGsCAQEEIHjB95D+zU84Ybgg
0iAwogycqDM1yjQeK1iPX0xwwZXioUQDQgAEj6Fi8BEulmmcHish9fsI6gZEgjSA
ORDpOEaZ2LrmsBhzm059n2z0UDWvEGHPPC55miwSpfQUhA8WuE4avYk6Ag==
-----END PRIVATE KEY-----

# root @ ubuntu in ~/SMx_test [1:09:25] 
$ /opt/openssl-3.1.1/bin/openssl ec -text -noout -in server.key
read EC key
Private-Key: (256 bit)
priv:
    78:c1:f7:90:fe:cd:4f:38:61:b8:20:d2:20:30:a2:
    0c:9c:a8:33:35:ca:34:1e:2b:58:8f:5f:4c:70:c1:
    95:e2
pub:
    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
    1a:bd:89:3a:02
ASN1 OID: SM2

# root @ ubuntu in ~/SMx_test [1:10:06] C:127
$ /opt/openssl-3.1.1/bin/openssl ec -pubout -in server.key -out server_pub.key
read EC key
writing EC key

# root @ ubuntu in ~/SMx_test [1:10:23] 
$ cat server_pub.key 
-----BEGIN PUBLIC KEY-----
MFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABI+hYvARLpZpnB4rIfX7COoGRII0
gDkQ6ThGmdi65rAYc5tOfZ9s9FA1rxBhzzwueZosEqX0FIQPFrhOGr2JOgI=
-----END PUBLIC KEY-----

# root @ ubuntu in ~/SMx_test [1:10:36] 
$ /opt/openssl-3.1.1/bin/openssl ec -pubin -in server_pub.key -text -noout
read EC key
Public-Key: (256 bit)
pub:
    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
    1a:bd:89:3a:02
ASN1 OID: SM2

生成服务器证书请求文件

# root @ ubuntu in ~/SMx_test [1:11:30] C:130
$ /opt/openssl-3.1.1/bin/openssl req -new -key server.key -out server.csr        
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HN
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JL
Organizational Unit Name (eg, section) []:HW
Common Name (e.g. server FQDN or YOUR name) []:*.liuyunuo.cn     
Email Address []:yjkhtddx@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# root @ ubuntu in ~/SMx_test [1:18:27] 
$ cat server.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIBNzCB3gIBADB7MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNVBAcM
AlpaMQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFjAUBgNVBAMMDSoubGl1eXVu
dW8uY24xIDAeBgkqhkiG9w0BCQEWEXlqa2h0ZGR4QHNpbmEuY29tMFowFAYIKoEc
z1UBgi0GCCqBHM9VAYItA0IABI+hYvARLpZpnB4rIfX7COoGRII0gDkQ6ThGmdi6
5rAYc5tOfZ9s9FA1rxBhzzwueZosEqX0FIQPFrhOGr2JOgKgADAKBggqgRzPVQGD
dQNIADBFAiBMd/NcRzTelVCtjhQL8mU7qb0BY2T3VH+jn2DYdBsnTgIhAKBX0qFb
IAudJ9D2O2uTf66i9CRncxWpD22/1m2ORz/s
-----END CERTIFICATE REQUEST-----

# root @ ubuntu in ~/SMx_test [1:18:38] 
$ /opt/openssl-3.1.1/bin/openssl req -text -noout -in server.csr         
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
                    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
                    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
                    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
                    1a:bd:89:3a:02
                ASN1 OID: SM2
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:45:02:20:4c:77:f3:5c:47:34:de:95:50:ad:8e:14:0b:f2:
        65:3b:a9:bd:01:63:64:f7:54:7f:a3:9f:60:d8:74:1b:27:4e:
        02:21:00:a0:57:d2:a1:5b:20:0b:9d:27:d0:f6:3b:6b:93:7f:
        ae:a2:f4:24:67:73:15:a9:0f:6d:bf:d6:6d:8e:47:3f:ec

CA私钥通过服务器证书请求为服务器生成证书(错误)

# root @ ubuntu in ~/SMx_test [1:38:58] C:1
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in server.csr -signkey root.key -out server.crt
Certificate request self-signature ok
subject=C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [1:39:12] 
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIIB8zCCAZgCFHhSrlWiLFM3tN9+SSeErM9SRrAaMAoGCCqBHM9VAYN1MHsxCzAJ
BgNVBAYTAkNOMQswCQYDVQQIDAJITjELMAkGA1UEBwwCWloxCzAJBgNVBAoMAkpM
MQswCQYDVQQLDAJIVzEWMBQGA1UEAwwNKi5saXV5dW51by5jbjEgMB4GCSqGSIb3
DQEJARYReWpraHRkZHhAc2luYS5jb20wHhcNMjMwNzI4MDEzOTEyWhcNMjMwODI3
MDEzOTEyWjB7MQswCQYDVQQGEwJDTjELMAkGA1UECAwCSE4xCzAJBgNVBAcMAlpa
MQswCQYDVQQKDAJKTDELMAkGA1UECwwCSFcxFjAUBgNVBAMMDSoubGl1eXVudW8u
Y24xIDAeBgkqhkiG9w0BCQEWEXlqa2h0ZGR4QHNpbmEuY29tMFowFAYIKoEcz1UB
gi0GCCqBHM9VAYItA0IABByScYzVvUJ1NFlT3pcRB5xLv9YTl+GZs+xxV4Qk5Dxd
JvgG+MLp297M4ugQJ+uNc/wGicgUtaPVoLHOE1DRwrEwCgYIKoEcz1UBg3UDSQAw
RgIhAPLtgPAFtxEFXxzCJFxRYBa5m9kKlD+RCf/2N56Q+Of3AiEAktIMixCUkOUY
olV8UX/WWiypi+BTIIKCsjLaprYWBlE=
-----END CERTIFICATE-----

# root @ ubuntu in ~/SMx_test [1:39:21] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in server.crt -text -noout                          
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            78:52:ae:55:a2:2c:53:37:b4:df:7e:49:27:84:ac:cf:52:46:b0:1a
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 28 01:39:12 2023 GMT
            Not After : Aug 27 01:39:12 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:1c:92:71:8c:d5:bd:42:75:34:59:53:de:97:11:
                    07:9c:4b:bf:d6:13:97:e1:99:b3:ec:71:57:84:24:
                    e4:3c:5d:26:f8:06:f8:c2:e9:db:de:cc:e2:e8:10:
                    27:eb:8d:73:fc:06:89:c8:14:b5:a3:d5:a0:b1:ce:
                    13:50:d1:c2:b1
                ASN1 OID: SM2
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:46:02:21:00:f2:ed:80:f0:05:b7:11:05:5f:1c:c2:24:5c:
        51:60:16:b9:9b:d9:0a:94:3f:91:09:ff:f6:37:9e:90:f8:e7:
        f7:02:21:00:92:d2:0c:8b:10:94:90:e5:18:a2:55:7c:51:7f:
        d6:5a:2c:a9:8b:e0:53:20:82:82:b2:32:da:a6:b6:16:06:51

使用CA证书对服务器证书进行验签(错误)

# root @ ubuntu in ~/SMx_test [1:40:15] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt server.crt 
C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
error 18 at 0 depth lookup: self-signed certificate
error server.crt: verification failed

生成服务器证书并验签

# root @ ubuntu in ~/SMx_test [3:10:56] 
$ /opt/openssl-3.1.1/bin/openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server1.crt    
Certificate request self-signature ok
subject=C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com

# root @ ubuntu in ~/SMx_test [3:11:57] 
$ /opt/openssl-3.1.1/bin/openssl x509 -in server1.crt -text -noout                                      
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            2f:c5:e1:c5:52:f4:5a:29:b9:c1:fc:06:c1:51:1e:51:36:71:56:85
        Signature Algorithm: SM2-with-SM3
        Issuer: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = liuyuelong.com, emailAddress = yjkhtddx@sina.com
        Validity
            Not Before: Jul 28 03:11:57 2023 GMT
            Not After : Aug 27 03:11:57 2023 GMT
        Subject: C = CN, ST = HN, L = ZZ, O = JL, OU = HW, CN = *.liuyunuo.cn, emailAddress = yjkhtddx@sina.com
        Subject Public Key Info:
            Public Key Algorithm: sm2
                Public-Key: (256 bit)
                pub:
                    04:8f:a1:62:f0:11:2e:96:69:9c:1e:2b:21:f5:fb:
                    08:ea:06:44:82:34:80:39:10:e9:38:46:99:d8:ba:
                    e6:b0:18:73:9b:4e:7d:9f:6c:f4:50:35:af:10:61:
                    cf:3c:2e:79:9a:2c:12:a5:f4:14:84:0f:16:b8:4e:
                    1a:bd:89:3a:02
                ASN1 OID: SM2
    Signature Algorithm: SM2-with-SM3
    Signature Value:
        30:44:02:20:17:4a:fc:9d:75:b5:e7:ef:2a:53:11:11:ee:d4:
        96:db:c6:03:1f:b3:df:f6:3a:be:44:b1:5c:7c:8f:c2:3e:96:
        02:20:1b:87:40:96:95:61:54:12:c1:10:df:98:50:c8:cf:d5:
        15:fc:66:0b:16:57:5d:02:37:61:36:27:3b:fb:de:e4

# root @ ubuntu in ~/SMx_test [3:12:08] 
$ /opt/openssl-3.1.1/bin/openssl verify -CAfile root.crt server1.crt                                                   
server1.crt: OK

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/802444.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

kotlin 编写一个简单的天气预报app(四)

编写界面来显示返回的数据 用户友好性&#xff1a;通过界面设计和用户体验优化&#xff0c;可以使天气信息更易读、易理解和易操作。有效的界面设计可以提高用户满意度并提供更好的交互体验。 增加城市名字的TextView <TextViewandroid:id"id/textViewCityName"…

H3C B5路由器审计分析(环境准备)

H3C B5路由器 固件下载固件解压与文件提取固件仿真方式大端模式小端模式高字节和低字节高地址和低地址物联网系统常见cpu架构固件下载 固件提取的几种方式 路由器供应商官网提供固件更新,可以去官网搜索下载,如H3C B5路由: 官方固件下载地址 B5路由器属于智能终端,所以进入…

基于罪名法务智能知识图谱(含码源):基于280万罪名预测、20W法务问答与法律资讯问答功能

项目设计集合&#xff08;人工智能方向&#xff09;&#xff1a;助力新人快速实战掌握技能、自主完成项目设计升级&#xff0c;提升自身的硬实力&#xff08;不仅限NLP、知识图谱、计算机视觉等领域&#xff09;&#xff1a;汇总有意义的项目设计集合&#xff0c;助力新人快速实…

会议OA项目之会议通知(需要反馈自己的参会情况)

一.主要功能点介绍 ①显示出所有的数据&#xff08;查询所有的待开会议&#xff09; ②模糊查询&#xff08;根据会议标题&#xff09; ③附有一个是否参会的操作&#xff1a;反馈结果&#xff08;参加/不参加&#xff09;当然&#xff0c;没有阅读此消息时&#xff0c;那么就会…

【数据分享】1999—2021年地级市的科技创新相关指标(免费获取\Shp\Excel格式)

1999-2021年地级市的人口相关数据、各类用地面积数据、污染物排放和环境治理相关数据、房地产投资情况和商品房销售面积、社会消费品零售总额和年末金融机构存贷款余额、地方一般公共预算收支状况、工业企业数、固定资产投资和对外经济贸易数据&#xff08;可查看之前的文章获悉…

奇特!AI换脸让康熙本人出演电视剧;LLM超全综述资料;业内深聊游戏行业中AI应用实践;吴恩达联合Hugging Face再出新课 | ShowMeAI日报

&#x1f440;日报&周刊合集 | &#x1f3a1;生产力工具与行业应用大全 | &#x1f9e1; 点赞关注评论拜托啦&#xff01; &#x1f916; B站UP主再出「邪招」&#xff0c;让康熙本人出演电视剧名场面 B站UP主 PAC_松柏 结合康熙画像和电视剧画面&#xff0c;对视频人物角色…

flutter:轮播

前言 介绍几个比较有不错的轮播库 swipe_deck 与轮播沾边&#xff0c;但是更多的是一种卡片式的交互式界面设计。它的主要概念是用户可以通过左右滑动手势浏览不同的卡片&#xff0c;每张卡片上都有不同的信息或功能。 Swipe deck通常用于展示图片、产品信息、新闻文章、社…

从C语言到C++_29(红黑树封装set和map)红黑树迭代器的实现

目录 1. set和map中的红黑树 2. 仿函数比较键值对 3. 红黑树迭代器的实现 3.1 迭代器 3.2 迭代器-- 3.3 map的operator[ ] 4. 完整代码 Set.h Map.h RedBlackTree.h Test.cpp 本章完&#xff0c; 1. set和map中的红黑树 前一篇红黑树的源代码&#xff1a; #pragm…

Python web实战 | 用 Flask 框架快速构建 Web 应用【实战】

概要 Python web 开发已经有了相当长的历史&#xff0c;从最早的 CGI 脚本到现在的全栈 Web 框架&#xff0c;现在已经成为了一种非常流行的方式。 Python 最早被用于 Web 开发是在 1995 年&#xff08;90年代早期&#xff09;&#xff0c;当时使用 CGI 脚本编写动态 Web 页面…

Python爬取IP归属地信息及各个地区天气信息

一、实现样式 二、核心点 1、语言&#xff1a;Python、HTML&#xff0c;CSS 2、python web框架 Flask 3、三方库&#xff1a;requests、xpath 4、爬取网站&#xff1a;https://ip138.com/ 5、文档结构 三、代码 ipquery.py import requests from lxml import etree # 请求…

Lambda-Java8新特性最佳实践

一、基本概念 1.背景 Lambda是Java SE 8中一个重要的新特性。lambda表达式允许你通过表达式来代替功能接口。 lambda表达式就和方法一样,它提供了一个正常的参数列表和一个使用这些参数的主体(body,可以是一个表达式或一个代码块)。 Lambda 表达式&#xff08;Lambda express…

视频孪生赋能智慧交通,视频孪生在9大交通场景的典型应用展示

《数字中国建设整体布局规划》中提出&#xff0c;要推动数字技术和实体经济深度融合&#xff0c;在交通领域加快数字技术创新应用。其中对“数字技术创新应用”的理解&#xff0c;一方面是指推动人工智能、大数据、云计算、数字孪生、物联网等新技术与交通行业深度融合&#xf…

深度学习入门(二):神经网络整体架构

一、前向传播 作用于每一层的输入&#xff0c;通过逐层计算得到输出结果 二、反向传播 作用于网络输出&#xff0c;通过计算梯度由深到浅更新网络参数 三、整体架构 层次结构&#xff1a;逐层变换数据 神经元&#xff1a;数据量、矩阵大小&#xff08;代表输入特征的数量…

1400*B. Toy Blocks

Example input 3 3 3 2 2 4 2 2 3 2 3 0 3 0 output 1 0 3 解析&#xff1a; 对于某个盒子&#xff0c;我们用其余盒子的最大值 mx 乘以其余的盒子数量&#xff08;n-1&#xff09;&#xff0c;再减去其余盒子当前的数量 ( sum-a[ i ] )&#xff0c;即为需要补上的数量 cnt…

某制造企业基于 KubeSphere 的云原生实践

背景介绍 随着业务升级改造与软件产品专案的增多&#xff0c;常规的物理机和虚拟机方式逐渐暴露出一些问题&#xff1a; 大量服务部署在虚拟机上&#xff0c;资源预估和硬件浪费较大&#xff1b;大量服务部署在虚拟机上&#xff0c;部署时间和难度较大&#xff0c;自动化程度…

RocketMQ工作原理

文章目录 三.RocketMQ工作原理1.消息的生产消息的生产过程Queue选择算法 2.消息的存储1.commitlog文件目录与文件消息单元 2.consumequeue目录与文件索引条目 3.对文件的读写消息写入消息拉取性能提升 3.indexFile1.索引条目结构2.文件名的作用3.查询流程 4.消息的消费1.推拉消…

思维导图怎么做?一份完整的思维导图绘制教程来了!

在信息爆炸的时代&#xff0c;如何高效地整理和消化信息是每个人都需要面对的问题。思维导图作为一种能够高效组织和呈现信息的工具&#xff0c;凭借其直观、易理解的特性&#xff0c;备受学生、教师、企业管理者、商业团队等许多人的青睐。那么&#xff0c;如何制作思维导图呢…

Python案例|使用Scikit-learn实现客户聚类模型

聚类是一种经典的无监督学习方法&#xff0c;无监督学习的目标是通过对无标记训练样本的学习&#xff0c;发掘和揭示数据集本身潜在的结构与规律&#xff0c;即不依赖于训练数据集的类标记信息。聚类试图将数据集划分为若干个互不相交的类簇&#xff0c;从而每个簇对应一个潜在…

适合运动时戴的蓝牙耳机有哪些?精选五款表现还不错的耳机

音乐能有效地激发人体潜能&#xff0c;充分释放能量&#xff0c;达到更好的运动效果&#xff0c;因此对于运动爱好者来说&#xff0c;运动耳机至关重要。面对产品种类众多的运动耳机&#xff0c;很多人都会感到迷茫&#xff0c;经常有人问“有什么适合运动的时候佩戴的耳机”&a…

健身用什么耳机好?分享几款适合健身时使用的耳机!

随着全民健身的热潮到来&#xff0c;运动耳机的种类也更加丰富。在众多入耳式耳机、半入耳式耳机、头戴式耳机等传统市场之中&#xff0c;诞生了一种新晋关注度极高的耳机骨传导耳机。这种不依赖空气传递声波&#xff0c;并且无需堵住耳朵的新奇聆听方式&#xff0c;不仅健康而…