Open xbguo opened 2 years ago
RFC 和国密标准要求对从 ClientHello 到 CertificateVerify(不包含)之间的所有握手报文做签名;但从现在的代码看,签名的输入是一块固定大小的摘要数据(`md_size` 字节,客户端取自 `data`,服务器端取自 `s->s3->tmp.cert_verify_md`),而不是这些报文本身:
客户端侧:
```c
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pkey->pkey.ec)) == NID_sm2) {
    size_t _j_j = EVP_PKEY_size(pkey);
    tass_md = EVP_sm3();
    if (EVP_DigestSignInit(&mctx, NULL, tass_md, NULL, pkey) <= 0
        || EVP_DigestSignUpdate(&mctx, &(data[MD5_DIGEST_LENGTH]), tass_md->md_size) <= 0
        || EVP_DigestSignFinal(&mctx, &(p[2]), (size_t *)&_j_j) <= 0) {
        SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB);
        goto err;
    }
```
服务器侧:
```c
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pkey->pkey.ec)) == NID_sm2) {
    int offset;
    md = EVP_sm3();
    EVP_MD_CTX_init(&mctx);
    if (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_SM3)
        offset = 0;
    else
        offset = MD5_DIGEST_LENGTH;
    if (EVP_DigestVerifyInit(&mctx, NULL, md, NULL, pkey) <= 0
        || EVP_DigestVerifyUpdate(&mctx, &s->s3->tmp.cert_verify_md[offset], md->md_size) <= 0
        || EVP_DigestVerifyFinal(&mctx, p, (size_t)i) <= 0) {
        /* bad signature */
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_BAD_ECDSA_SIGNATURE);
        goto f_err;
    }
```