gmssl连接问题

[942685826]

服务端使用GMTLS_server_method(); 客户端使用 GMTLS_client_method() 在连接握手过程中 出错 8740:error:141C0044:SSL routines:gmtls_construct_ske_sm2:internal error:ssl\staem\statem_gmtls.c:729: 查看源码发现x509 = s->cert->pkeys[SSL_PKEY_SM2_ENC].x509 这个是空的，而我使用的SSL_CTX_use_PrivateKey_file(ctx, SERVER_KEY, SSL_FILETYPE_PEM) 赋值的是s->cert->pkeys[SSL_PKEY_SM2].x509 我的证书使用SSLv23_server_method()和SSLv23_client_method()在握手过程中可以 正常使用ECDHE-SM2-WITH-SMS4-SM3加密套件

[942685826]

使用过程中我只替换const SSL_METHOD method = SSLv23_server_method（）为 const SSL_METHOD method = GMTLS_server_method(); 还有没有什么配置需要修改的吗

[942685826]

经过修改部分源码已经可以使用SM2-WITH-SMS4-SM3加密套件，但是SM2DHE-WITH-SMS4-SM3这个套件有问题，不知道这个SM2DHE和SM2有什么区别

[xiejianjun417]

@942685826 请问，您是怎么修改的呢？

[942685826]

设置双证书（签名和加密证书），签名证书在前加密证书在后。源码里面有个覆盖的给去掉

[xiejianjun417]

@942685826 您说的源码具体是哪个文件呢？谢谢，我这边是参考demo/saccept.c和demo/sconnect.c例子

[ghost]

我遇到了同样的问题。

首先国密是双证书，要先安装签名然后安装加密证书，这一步没问题的话。接下来，我的情况是，生成的证书中的 key_usage 没有填写，见源码 ssl_cert_type_ecc 函数对于 key 的判断，没填默认按照签名证书来算，所以你会看到安装了两个签名证书，而没有加密证书。

如源码中的判断，所以关键是生成证书时，Extensions 字段中 keyUsage 的值，附上我用来测试的生成脚本。

# 脚本参考 https://blog.csdn.net/ustccw/article/details/76691248
PROJECT_NAME="TLS Project"

# Generate the openssl configuration files.
cat > ca_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Dodgy Certificate Authority
EOF

cat > server_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME
 CN                     = localhost
EOF

cat > client_cert.conf << EOF  
[ req ]
distinguished_name     = req_distinguished_name
prompt                 = no

[ req_distinguished_name ]
 O                      = $PROJECT_NAME Device Certificate
 CN                     = localhost
EOF

# ext.conf 中的 keyUsage 是决定证书类型的关键
cat > ext.conf << EOF
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature

[ v3enc_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
EOF

mkdir ca
mkdir server
mkdir client

# private key generation
gmssl ecparam -genkey -name sm2p256v1 -text -out ca.key
gmssl ecparam -genkey -name sm2p256v1 -text -out s_enc.key
gmssl ecparam -genkey -name sm2p256v1 -text -out s_sig.key
gmssl ecparam -genkey -name sm2p256v1 -text -out c_enc.key
gmssl ecparam -genkey -name sm2p256v1 -text -out c_sig.key

# cert requests
gmssl req -out ca.req -key ca.key -new \
            -config ./ca_cert.conf
gmssl req -out s_enc.req -key s_enc.key -new \
            -config ./server_cert.conf 
gmssl req -out s_sig.req -key s_sig.key -new \
            -config ./server_cert.conf 
gmssl req -out c_enc.req -key c_enc.key -new \
            -config ./client_cert.conf 
gmssl req -out c_sig.req -key c_sig.key -new \
            -config ./client_cert.conf 

# generate the actual certs.
gmssl x509 -req -in ca.req -out ca.crt \
            -sm3 -days 5000 -signkey ca.key
gmssl x509 -req -in s_enc.req -out s_enc.crt \
            -sm3 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key -extfile ./ext.conf -extensions v3enc_req
gmssl x509 -req -in s_sig.req -out s_sig.crt \
            -sm3 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key -extfile ./ext.conf -extensions v3_req
gmssl x509 -req -in c_enc.req -out c_enc.crt \
            -sm3 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key  -extfile ./ext.conf -extensions v3enc_req
gmssl x509 -req -in c_sig.req -out c_sig.crt \
            -sm3 -CAcreateserial -days 5000 \
            -CA ca.crt -CAkey ca.key  -extfile ./ext.conf -extensions v3_req

mv ca.crt ca.key ca/
mv s_enc.crt s_sig.crt s_enc.key s_sig.key server/
mv c_enc.crt c_sig.crt c_enc.key c_sig.key client/

rm *.conf
rm *.req
rm *.srl

参考 天安配置 天安生成脚本

[github-actions[bot]]

Marked as stale issue. Will be closed later if no activity for a while.