OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法

zoukankan html css js c++ java

OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法
https://blog.csdn.net/bruce135lee/article/details/81811403

OpenSSL项目最近6个月添加了许多新特性, 包括对中国SM2/SM3/SM4算法的支持:
- SM2椭圆曲线: https://github.com/openssl/openssl/pull/4793
- SM3哈希摘要: https://github.com/openssl/openssl/pull/4616
- SM4对称加密: https://github.com/openssl/openssl/pull/4552
参考: 中国国家密码管理局制定的商业密码算法标准
- 《GM/T 0006-2012 密码应用标识规范》定义国密算法OID标识
- 《GB/T 32907-2016 SM4分组密码算法》(原GM/T 0002-2012)
- 《GB/T 329??-2016 SM2椭圆曲线公钥密码算法》(原GM/T 0003-2012)
- 《GB/T 32905-2016 SM3密码杂凑算法》(原GM/T 0004-2012)
下载源码, 编译, 以及验证步骤

 下载源码
- https://www.openssl.org/source/openssl-1.1.1-pre4.tar.gz
- https://www.openssl.org/source/openssl-1.1.1-pre5.tar.gz
解压缩
1. tar xzvf openssl-1.1.1-pre4.tar.gz
2. tar xzvf openssl-1.1.1-pre5.tar.gz
编译步骤
1. cd openssl-1.1.1-pre5
2. ./config
3. make
本地安装(可选步骤)
```
sudo make install
```
配置LD_LIBRARY_PATH并检查openssl可执行程序版本号
1. $ export LD_LIBRARY_PATH=`pwd`
3. $ ./apps/openssl version
4. OpenSSL 1.1.1-pre5 (beta) 17 Apr 2018
检查 SM3 哈希校验和
1. $ echo -n "abc" | ./apps/openssl dgst -SM3
2. (stdin)= 66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0
检查椭圆曲线是否包含SM2
1. $ ./apps/openssl ecparam -list_curves | grep SM2
2. SM2 : SM2 curve over a 256 bit prime field
检查对称算法
1. ./apps/openssl enc -ciphers
2. -sm4
3. -sm4-cbc
4. -sm4-cfb
5. -sm4-ctr
6. -sm4-ecb
7. -sm4-ofb
查找SM4对称加密API接口文档

???

SM4-自测试数据
1. 测试SM4-ECB电子密码本模式, 选取AES-128-ECB作为参考
  https://github.com/liuqun/openssl-sm4-demo/
1. /** 文件名: https://github.com/liuqun/openssl-sm4-demo/blob/cmake/src/main.c */
2. #include <stddef.h>
3. #include <stdio.h>
4. #include <stdlib.h>
5. #include <string.h>
6. #include "openssl/err.h"
7. #include "openssl/evp.h"
9. /* Before OpenSSL 1.1.1-pre1, we did not have EVP_sm4_ecb() */
10. #if defined(OPENSSL_VERSION_NUMBER)
11. && OPENSSL_VERSION_NUMBER < 0x10101001L
12. static const EVP_CIPHER *(*EVP_sm4_ecb)()=EVP_aes_128_ecb;
13. #endif
15. typedef struct {
16. const unsigned char *in_data;
17. size_t in_data_len;
18. int in_data_is_already_padded;
19. const unsigned char *in_ivec;
20. const unsigned char *in_key;
21. size_t in_key_len;
22. } test_case_t;
25. void test_encrypt_with_cipher(const test_case_t *in, const EVP_CIPHER *cipher)
26. {
27. unsigned char *out_buf = NULL;
28. int out_len;
29. int out_padding_len;
30. EVP_CIPHER_CTX *ctx;
32. ctx = EVP_CIPHER_CTX_new();
33. EVP_EncryptInit_ex(ctx, cipher, NULL, in->in_key, in->in_ivec);
35. if (in->in_data_is_already_padded)
36. {
37. /* Check whether the input data is already padded.
38. And its length must be an integral multiple of the cipher's block size. */
39. const size_t bs = EVP_CIPHER_block_size(cipher);
40. if (in->in_data_len % bs != 0)
41. {
42. printf("ERROR-1: data length=%d which is not added yet; block size=%d ", (int) in->in_data_len, (int) bs);
43. /* Warning: Remember to do some clean-ups */
44. EVP_CIPHER_CTX_free(ctx);
45. return;
46. }
47. /* Disable the implicit PKCS#7 padding defined in EVP_CIPHER */
48. EVP_CIPHER_CTX_set_padding(ctx, 0);
49. }
51. out_buf = (unsigned char *) malloc(((in->in_data_len>>4)+1) << 4);
52. out_len = 0;
53. EVP_EncryptUpdate(ctx, out_buf, &out_len, in->in_data, in->in_data_len);
54. if (1)
55. {
56. printf("Debug: out_len=%d ", out_len);
57. }
59. out_padding_len = 0;
60. EVP_EncryptFinal_ex(ctx, out_buf+out_len, &out_padding_len);
61. if (1)
62. {
63. printf("Debug: out_padding_len=%d ", out_padding_len);
64. }
66. EVP_CIPHER_CTX_free(ctx);
67. if (1)
68. {
69. int i;
70. int len;
71. len = out_len + out_padding_len;
72. for (i=0; i<len; i++)
73. {
74. printf("%02x ", out_buf[i]);
75. }
76. printf(" ");
77. }
79. if (out_buf)
80. {
81. free(out_buf);
82. out_buf = NULL;
83. }
84. }
86. void main()
87. {
88. int have_sm4 = (OPENSSL_VERSION_NUMBER >= 0x10101001L);
89. int have_aes = 1;
90. const unsigned char data[]=
91. {
92. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
93. 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
94. };
95. unsigned char ivec[EVP_MAX_IV_LENGTH]; ///< IV 向量
96. const unsigned char key1[16] = ///< key_data, 密钥内容, 至少16字节
97. {
98. 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
99. 0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10,
100. };
101. test_case_t tc;
103. tc.in_data = data;
104. tc.in_data_len = sizeof(data);
105. tc.in_data_is_already_padded = (tc.in_data_len % 16)==0; // Hard coded 16 as the cipher's block size
106. tc.in_key = key1;
107. tc.in_key_len = sizeof(key1);
108. memset(ivec, 0x00, EVP_MAX_IV_LENGTH);
109. tc.in_ivec = ivec;
111. #if defined(OPENSSL_NO_SM4)
112. have_sm4 = 0;
113. #endif
114. if (have_sm4)
115. {
116. printf("[1] ");
117. printf("Debug: EVP_sm4_ecb() test ");
118. test_encrypt_with_cipher(&tc, EVP_sm4_ecb());
119. }
120. #if defined(OPENSSL_NO_AES)
121. have_aes = 0;
122. #endif
123. if (have_aes)
124. {
125. printf("[2] ");
126. printf("Debug: EVP_aes_128_ecb() test ");
127. test_encrypt_with_cipher(&tc, EVP_aes_128_ecb());
128. }
129. }
1. 假定当前是把main.c放在 openssl-1.1.1-pre5/文件夹内
2. gcc -Iinclude -c main.c
3. gcc main.o libcrypto.so -o a.out
5. export LD_LIBRARY_PATH=`pwd`
6. ldd a.out
8. ./a.out
9.1. GM/T OIDs
9.1.1. SCA OID Prefix
All SM4 GM/T OIDs belong under the "1.2.156.10197" OID prefix,
registered by the Chinese Cryptography Standardization Technology
Committee ("CCSTC"), a committee under the SCA. Its components are
described below in ASN.1 notation.
查看全文

相关阅读:
关于Hibernate(JPA)关联关系加载的默认值
 （转）存储过程语法及实例
 网页qq
git的代理配置
 The problem with POSIX semaphores 使用信号做进程互斥必看
 git merge conflict的处理
 转载：telnet协议详细描述
 Mac OS X terminal滚动慢的问题
 进程间通讯信号量函数 semget() semop() semctl()
.hpp文件和.h文件的区别

原文地址：https://www.cnblogs.com/dhcn/p/12509299.html

OpenSSL 1.1.1 新特性: 全面支持国密SM2/SM3/SM4加密算法

下载源码, 编译, 以及验证步骤

下载源码

编译步骤

本地安装(可选步骤)

配置LD_LIBRARY_PATH并检查openssl可执行程序版本号

检查 SM3 哈希校验和

检查椭圆曲线是否包含SM2

检查对称算法

查找SM4对称加密API接口文档

SM4-自测试数据