mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 19:10:50 +02:00
Merge pull request #9795 from LinuxJedi/static-fixes2
Static analysis fixes
This commit is contained in:
@@ -0,0 +1,63 @@
|
||||
name: wolfSM Tests
|
||||
|
||||
# START OF COMMON SECTION
|
||||
on:
|
||||
push:
|
||||
branches: [ 'master', 'main', 'release/**' ]
|
||||
pull_request:
|
||||
branches: [ '*' ]
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
# END OF COMMON SECTION
|
||||
|
||||
jobs:
|
||||
make_check:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
config: [
|
||||
# Core SM TLS cipher suites
|
||||
'--enable-sm2 --enable-sm3 --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
|
||||
# All SM4 modes
|
||||
'--enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
|
||||
# SM + all features integration test
|
||||
'--enable-all --enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm',
|
||||
]
|
||||
name: make check
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
runs-on: ubuntu-24.04
|
||||
timeout-minutes: 10
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
name: Checkout wolfSSL
|
||||
|
||||
- uses: actions/checkout@v4
|
||||
name: Checkout wolfsm
|
||||
with:
|
||||
repository: wolfssl/wolfsm
|
||||
path: wolfsm
|
||||
|
||||
- name: Install wolfsm
|
||||
working-directory: wolfsm
|
||||
run: ./install.sh $GITHUB_WORKSPACE
|
||||
|
||||
- name: Test wolfSSL with wolfSM
|
||||
run: |
|
||||
./autogen.sh
|
||||
./configure ${{ matrix.config }}
|
||||
make
|
||||
make check
|
||||
|
||||
- name: Print errors
|
||||
if: ${{ failure() }}
|
||||
run: |
|
||||
for file in scripts/*.log
|
||||
do
|
||||
if [ -f "$file" ]; then
|
||||
echo "${file}:"
|
||||
cat "$file"
|
||||
echo "========================================================================"
|
||||
fi
|
||||
done
|
||||
@@ -768,6 +768,16 @@ run_renewcerts(){
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
|
||||
############################################################
|
||||
########## generate SM2 certificates #######################
|
||||
############################################################
|
||||
echo "Renewing SM2 certificates"
|
||||
cd sm2
|
||||
./gen-sm2-certs.sh
|
||||
cd ..
|
||||
echo "End of section"
|
||||
echo "---------------------------------------------------------------------"
|
||||
|
||||
############################################################
|
||||
########## update Raw Public Key certificates ##############
|
||||
############################################################
|
||||
|
||||
Binary file not shown.
+13
-13
@@ -3,11 +3,11 @@ Certificate:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -29,16 +29,16 @@ Certificate:
|
||||
Digital Signature, Certificate Sign, CRL Sign
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf:
|
||||
89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd:
|
||||
02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b:
|
||||
11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c
|
||||
30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25:
|
||||
9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f:
|
||||
9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69:
|
||||
bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
|
||||
MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
|
||||
BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
|
||||
U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
|
||||
Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2
|
||||
MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
|
||||
Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3
|
||||
NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
|
||||
b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP
|
||||
MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
|
||||
hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm
|
||||
@@ -46,6 +46,6 @@ U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn
|
||||
/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj
|
||||
YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0
|
||||
HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
|
||||
AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL
|
||||
H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec
|
||||
AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV
|
||||
9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
Binary file not shown.
+17
-17
@@ -2,13 +2,13 @@ Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
60:a0:4a:0b:36:eb:7d:e1:3f:74:29:a9:29:b4:05:6c:17:f7:a6:d4
|
||||
63:dd:75:63:8a:b0:51:4f:9c:4e:ff:6d:55:4e:cd:ee:8f:26:d3:80
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -25,7 +25,7 @@ Certificate:
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:E4:21:B2:C5:E5:D4:9E:82:CA:F8:67:F2:28:99:F6:85:E8:F1:55:EF
|
||||
DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_sm2/OU=Client-sm2/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL
|
||||
serial:60:A0:4A:0B:36:EB:7D:E1:3F:74:29:A9:29:B4:05:6C:17:F7:A6:D4
|
||||
serial:63:DD:75:63:8A:B0:51:4F:9C:4E:FF:6D:55:4E:CD:EE:8F:26:D3:80
|
||||
X509v3 Basic Constraints:
|
||||
CA:TRUE
|
||||
X509v3 Subject Alternative Name:
|
||||
@@ -34,17 +34,17 @@ Certificate:
|
||||
TLS Web Server Authentication, TLS Web Client Authentication
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:46:02:21:00:8f:b2:b5:95:8f:79:f6:5e:75:e5:c5:e9:9a:
|
||||
12:d2:0f:78:9f:c0:1d:8d:1c:be:6b:0c:f1:f5:57:60:db:91:
|
||||
4f:02:21:00:87:5e:7d:e4:d6:3a:bb:7b:98:27:85:de:7a:f0:
|
||||
21:e2:66:a1:9f:26:e0:dd:86:23:b4:c8:c0:46:5a:f2:49:8d
|
||||
30:46:02:21:00:dd:98:90:68:35:95:61:2f:11:90:a5:e9:30:
|
||||
8b:9a:aa:33:cc:73:8a:76:96:8b:97:8c:4c:c3:10:fc:14:56:
|
||||
9b:02:21:00:f8:de:db:67:54:59:ca:98:27:3d:3f:f6:6f:30:
|
||||
0c:65:e1:fb:a0:9f:11:ab:ea:76:30:31:c4:66:11:d7:b9:f2
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDyTCCA26gAwIBAgIUYKBKCzbrfeE/dCmpKbQFbBf3ptQwCgYIKoEcz1UBg3Uw
|
||||
MIIDyTCCA26gAwIBAgIUY911Y4qwUU+cTv9tVU7N7o8m04AwCgYIKoEcz1UBg3Uw
|
||||
gbAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
|
||||
bWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjETMBEGA1UECwwKQ2xpZW50LXNtMjEY
|
||||
MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
|
||||
bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yMzAyMTUwNjIz
|
||||
MDdaFw0yNTExMTEwNjIzMDdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
|
||||
bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNzU2
|
||||
NTdaFw0yODExMTQxNzU2NTdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u
|
||||
dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLd29sZlNTTF9zbTIxEzAR
|
||||
BgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G
|
||||
CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv
|
||||
@@ -55,9 +55,9 @@ BIHoMIHlgBTkIbLF5dSegsr4Z/IomfaF6PFV76GBtqSBszCBsDELMAkGA1UEBhMC
|
||||
VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoM
|
||||
C3dvbGZTU0xfc20yMRMwEQYDVQQLDApDbGllbnQtc20yMRgwFgYDVQQDDA93d3cu
|
||||
d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV
|
||||
BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRgoEoLNut94T90KakptAVsF/em1DAMBgNV
|
||||
BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRj3XVjirBRT5xO/21VTs3ujybTgDAMBgNV
|
||||
HRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQW
|
||||
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEAj7K1lY95
|
||||
9l515cXpmhLSD3ifwB2NHL5rDPH1V2DbkU8CIQCHXn3k1jq7e5gnhd568CHiZqGf
|
||||
JuDdhiO0yMBGWvJJjQ==
|
||||
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEA3ZiQaDWV
|
||||
YS8RkKXpMIuaqjPMc4p2louXjEzDEPwUVpsCIQD43ttnVFnKmCc9P/ZvMAxl4fug
|
||||
nxGr6nYwMcRmEde58g==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
@@ -0,0 +1,179 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Fix SM2 certificate SubjectPublicKeyInfo algorithm OID.
|
||||
|
||||
OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID
|
||||
(1.2.840.10045.2.1) instead of the SM2-specific OID (1.2.156.10197.1.301).
|
||||
This script patches the SPKI algorithm OID back to SM2 and re-signs the
|
||||
certificate.
|
||||
|
||||
Usage: fix_sm2_spki.py <cert.pem> <signing-key.pem> <output.pem>
|
||||
"""
|
||||
|
||||
import base64
|
||||
import subprocess
|
||||
import sys
|
||||
import os
|
||||
import tempfile
|
||||
|
||||
EC_PUBKEY_OID = bytes([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01])
|
||||
SM2_ALGO_OID = bytes([0x06, 0x08, 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x82, 0x2d])
|
||||
SM2_WITH_SM3 = bytes([0x30, 0x0a, 0x06, 0x08,
|
||||
0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x83, 0x75])
|
||||
|
||||
|
||||
def read_der_length(data, offset):
|
||||
b = data[offset]
|
||||
if b < 0x80:
|
||||
return b, 1
|
||||
num_bytes = b & 0x7f
|
||||
length = 0
|
||||
for i in range(num_bytes):
|
||||
length = (length << 8) | data[offset + 1 + i]
|
||||
return length, 1 + num_bytes
|
||||
|
||||
|
||||
def encode_der_length(length):
|
||||
if length < 0x80:
|
||||
return bytes([length])
|
||||
elif length < 0x100:
|
||||
return bytes([0x81, length])
|
||||
elif length < 0x10000:
|
||||
return bytes([0x82, length >> 8, length & 0xff])
|
||||
else:
|
||||
raise ValueError("Length too large: %d" % length)
|
||||
|
||||
|
||||
def find_enclosing_sequences(data, target_pos):
|
||||
"""Find length-field offsets of all SEQUENCEs enclosing target_pos."""
|
||||
results = []
|
||||
|
||||
def scan(offset, end):
|
||||
while offset < end:
|
||||
tag = data[offset]
|
||||
offset += 1
|
||||
length, len_bytes = read_der_length(data, offset)
|
||||
len_offset = offset
|
||||
offset += len_bytes
|
||||
content_start = offset
|
||||
content_end = offset + length
|
||||
|
||||
if tag == 0x30 and content_start <= target_pos < content_end:
|
||||
results.append((len_offset, length, len_bytes))
|
||||
scan(content_start, content_end)
|
||||
return
|
||||
offset = content_end
|
||||
|
||||
scan(0, len(data))
|
||||
return results
|
||||
|
||||
|
||||
def patch_tbs_spki_oid(tbs_der):
|
||||
"""Replace id-ecPublicKey with SM2 OID in TBS SubjectPublicKeyInfo."""
|
||||
oid_pos = tbs_der.find(EC_PUBKEY_OID)
|
||||
if oid_pos == -1:
|
||||
return None # Already has SM2 OID or no EC key
|
||||
|
||||
enclosing = find_enclosing_sequences(tbs_der, oid_pos)
|
||||
size_diff = len(SM2_ALGO_OID) - len(EC_PUBKEY_OID)
|
||||
|
||||
result = bytearray(
|
||||
tbs_der[:oid_pos] + SM2_ALGO_OID + tbs_der[oid_pos + len(EC_PUBKEY_OID):]
|
||||
)
|
||||
|
||||
for len_offset, old_length, old_len_bytes in enclosing:
|
||||
new_length = old_length + size_diff
|
||||
new_len_encoded = encode_der_length(new_length)
|
||||
if len(new_len_encoded) == old_len_bytes:
|
||||
result[len_offset:len_offset + old_len_bytes] = new_len_encoded
|
||||
else:
|
||||
result[len_offset:len_offset + old_len_bytes] = new_len_encoded
|
||||
size_diff += len(new_len_encoded) - old_len_bytes
|
||||
|
||||
return bytes(result)
|
||||
|
||||
|
||||
def pem_to_der(pem_text):
|
||||
b64 = ''.join(
|
||||
line for line in pem_text.split('\n')
|
||||
if not line.startswith('-----') and line.strip()
|
||||
)
|
||||
return base64.b64decode(b64)
|
||||
|
||||
|
||||
def der_to_pem(der_data, label="CERTIFICATE"):
|
||||
b64 = base64.b64encode(der_data).decode()
|
||||
lines = [b64[i:i+64] for i in range(0, len(b64), 64)]
|
||||
return ('-----BEGIN %s-----\n' % label +
|
||||
'\n'.join(lines) +
|
||||
'\n-----END %s-----\n' % label)
|
||||
|
||||
|
||||
def extract_tbs(cert_der):
|
||||
assert cert_der[0] == 0x30
|
||||
outer_len, outer_len_bytes = read_der_length(cert_der, 1)
|
||||
tbs_offset = 1 + outer_len_bytes
|
||||
tbs_len, tbs_len_bytes = read_der_length(cert_der, tbs_offset + 1)
|
||||
tbs_total = 1 + tbs_len_bytes + tbs_len
|
||||
return cert_der[tbs_offset:tbs_offset + tbs_total]
|
||||
|
||||
|
||||
def sign_tbs(tbs_der, key_pem_path):
|
||||
"""Sign TBS with SM2-with-SM3 using openssl dgst."""
|
||||
with tempfile.NamedTemporaryFile(suffix='.der', delete=False) as tbs_f:
|
||||
tbs_f.write(tbs_der)
|
||||
tbs_path = tbs_f.name
|
||||
|
||||
sig_path = tbs_path + '.sig'
|
||||
try:
|
||||
result = subprocess.run(
|
||||
['openssl', 'dgst', '-sm3', '-sign', key_pem_path,
|
||||
'-out', sig_path, tbs_path],
|
||||
capture_output=True, text=True
|
||||
)
|
||||
if result.returncode != 0:
|
||||
raise RuntimeError("openssl dgst failed: " + result.stderr)
|
||||
|
||||
with open(sig_path, 'rb') as f:
|
||||
return f.read()
|
||||
finally:
|
||||
os.unlink(tbs_path)
|
||||
if os.path.exists(sig_path):
|
||||
os.unlink(sig_path)
|
||||
|
||||
|
||||
def build_cert(tbs_der, sig_der):
|
||||
bit_string = bytes([0x03, len(sig_der) + 1, 0x00]) + sig_der
|
||||
cert_body = tbs_der + SM2_WITH_SM3 + bit_string
|
||||
return bytes([0x30]) + encode_der_length(len(cert_body)) + cert_body
|
||||
|
||||
|
||||
def fix_sm2_cert(cert_pem_path, key_pem_path, output_pem_path):
|
||||
with open(cert_pem_path, 'r') as f:
|
||||
cert_pem = f.read()
|
||||
|
||||
cert_der = pem_to_der(cert_pem)
|
||||
tbs = extract_tbs(cert_der)
|
||||
|
||||
new_tbs = patch_tbs_spki_oid(tbs)
|
||||
if new_tbs is None:
|
||||
print(" Already has SM2 OID, no patching needed")
|
||||
if cert_pem_path != output_pem_path:
|
||||
with open(output_pem_path, 'w') as f:
|
||||
f.write(cert_pem)
|
||||
return
|
||||
|
||||
sig = sign_tbs(new_tbs, key_pem_path)
|
||||
new_cert_der = build_cert(new_tbs, sig)
|
||||
|
||||
with open(output_pem_path, 'w') as f:
|
||||
f.write(der_to_pem(new_cert_der))
|
||||
|
||||
print(" Patched SPKI algorithm OID to SM2")
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
if len(sys.argv) != 4:
|
||||
print("Usage: %s <cert.pem> <signing-key.pem> <output.pem>" % sys.argv[0])
|
||||
sys.exit(1)
|
||||
|
||||
fix_sm2_cert(sys.argv[1], sys.argv[2], sys.argv[3])
|
||||
@@ -1,5 +1,7 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||||
|
||||
check_result(){
|
||||
if [ $1 -ne 0 ]; then
|
||||
echo "Failed at \"$2\", Abort"
|
||||
@@ -9,6 +11,15 @@ check_result(){
|
||||
fi
|
||||
}
|
||||
|
||||
# OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID instead of
|
||||
# the SM2-specific OID. fix_sm2_spki.py patches the SubjectPublicKeyInfo
|
||||
# algorithm OID back to SM2 and re-signs the certificate.
|
||||
fix_sm2_oid(){
|
||||
# $1 = cert PEM, $2 = signing key PEM
|
||||
python3 "${SCRIPT_DIR}/fix_sm2_spki.py" "$1" "$2" "$1"
|
||||
check_result $? "Fix SM2 SPKI OID in $1"
|
||||
}
|
||||
|
||||
openssl pkey -in root-sm2-priv.pem -noout >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "OpenSSL does not support SM2"
|
||||
@@ -29,6 +40,7 @@ check_result $? "Generate request"
|
||||
openssl x509 -req -in root-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-sm2-priv.pem -out root-sm2.pem
|
||||
check_result $? "Generate certificate"
|
||||
rm root-sm2.csr
|
||||
fix_sm2_oid root-sm2.pem root-sm2-priv.pem
|
||||
|
||||
openssl x509 -in root-sm2.pem -outform DER > root-sm2.der
|
||||
check_result $? "Convert to DER"
|
||||
@@ -50,6 +62,7 @@ check_result $? "Generate request"
|
||||
openssl x509 -req -in ca-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-sm2.pem -CAkey root-sm2-priv.pem -set_serial 01 -out ca-sm2.pem
|
||||
check_result $? "Generate certificate"
|
||||
rm ca-sm2.csr
|
||||
fix_sm2_oid ca-sm2.pem root-sm2-priv.pem
|
||||
|
||||
openssl x509 -in ca-sm2.pem -outform DER > ca-sm2.der
|
||||
check_result $? "Convert to DER"
|
||||
@@ -71,6 +84,7 @@ check_result $? "Generate request"
|
||||
openssl x509 -req -in self-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey self-sm2-priv.pem -out self-sm2-cert.pem
|
||||
check_result $? "Generate certificate"
|
||||
rm self-sm2.csr
|
||||
fix_sm2_oid self-sm2-cert.pem self-sm2-priv.pem
|
||||
|
||||
openssl x509 -in self-sm2-cert.pem -text > tmp.pem
|
||||
check_result $? "Add text"
|
||||
@@ -90,6 +104,7 @@ check_result $? "Generate request"
|
||||
openssl x509 -req -in server-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-sm2.pem -CAkey ca-sm2-priv.pem -set_serial 01 -out server-sm2-cert.pem
|
||||
check_result $? "Generate certificate"
|
||||
rm server-sm2.csr
|
||||
fix_sm2_oid server-sm2-cert.pem ca-sm2-priv.pem
|
||||
|
||||
openssl x509 -in server-sm2-cert.pem -outform DER > server-sm2-cert.der
|
||||
check_result $? "Convert to DER"
|
||||
@@ -113,6 +128,7 @@ check_result $? "Generate request"
|
||||
openssl x509 -req -in client-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-sm2-priv.pem -out client-sm2.pem
|
||||
check_result $? "Generate certificate"
|
||||
rm client-sm2.csr
|
||||
fix_sm2_oid client-sm2.pem client-sm2-priv.pem
|
||||
|
||||
openssl x509 -in client-sm2.pem -outform DER > client-sm2.der
|
||||
check_result $? "Convert to DER"
|
||||
|
||||
Binary file not shown.
+13
-13
@@ -2,13 +2,13 @@ Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
74:9c:dd:a4:b2:67:26:57:29:fb:e9:13:54:e0:34:08:03:2b:70:a9
|
||||
61:2a:93:12:b3:6e:ff:d6:9a:a7:98:c4:49:4d:c6:2c:3e:ea:5a:f9
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -30,16 +30,16 @@ Certificate:
|
||||
Digital Signature, Certificate Sign, CRL Sign
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:44:02:20:03:27:29:f0:ef:78:26:a1:1a:6a:1e:88:81:e7:
|
||||
83:72:5f:3e:e6:08:e8:14:68:bf:4b:0f:68:52:92:aa:8f:a1:
|
||||
02:20:0b:fe:1b:14:ba:51:82:65:06:bb:22:d8:1a:a7:9f:54:
|
||||
62:eb:8d:b2:d5:13:b3:b8:a2:f3:14:44:b2:a0:21:d0
|
||||
30:46:02:21:00:fe:8d:2f:b9:c9:55:db:2c:d4:89:ff:a1:92:
|
||||
03:ce:4a:09:00:7f:c4:b3:b6:55:ae:a1:f6:7b:3e:ed:c4:dd:
|
||||
7c:02:21:00:d0:be:9b:4a:a9:cf:52:c1:cd:0d:bc:86:29:9e:
|
||||
c4:e2:f1:fa:86:f3:73:01:e2:3b:c5:cc:99:0a:bb:c3:a8:ee
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICkTCCAjigAwIBAgIUdJzdpLJnJlcp++kTVOA0CAMrcKkwCgYIKoEcz1UBg3Uw
|
||||
MIICkzCCAjigAwIBAgIUYSqTErNu/9aap5jESU3GLD7qWvkwCgYIKoEcz1UBg3Uw
|
||||
gZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl
|
||||
bWFuMRQwEgYDVQQKDAt3b2xmU1NMX1NNMjERMA8GA1UECwwIUm9vdC1TTTIxGDAW
|
||||
BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm
|
||||
c3NsLmNvbTAeFw0yMzAyMTUwNjIzMDdaFw0yNTExMTEwNjIzMDdaMIGVMQswCQYD
|
||||
c3NsLmNvbTAeFw0yNjAyMTgxNzU2NTdaFw0yODExMTQxNzU2NTdaMIGVMQswCQYD
|
||||
VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIG
|
||||
A1UECgwLd29sZlNTTF9TTTIxETAPBgNVBAsMCFJvb3QtU00yMRgwFgYDVQQDDA93
|
||||
d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w
|
||||
@@ -47,6 +47,6 @@ WjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAEu5x1jPcX+Eir9/bbDZqNn8LRR5eV
|
||||
C07mV+zF+FdUcTk8eeFAP7ZR6XzH2i3v0uh5gXuro19rKmyXGl6O2dDMBKNjMGEw
|
||||
HQYDVR0OBBYEFDQdeUQVeaGxY5nj7WV8ZImA/7jsMB8GA1UdIwQYMBaAFDQdeUQV
|
||||
eaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG
|
||||
MAoGCCqBHM9VAYN1A0cAMEQCIAMnKfDveCahGmoeiIHng3JfPuYI6BRov0sPaFKS
|
||||
qo+hAiAL/hsUulGCZQa7Itgap59UYuuNstUTs7ii8xREsqAh0A==
|
||||
MAoGCCqBHM9VAYN1A0kAMEYCIQD+jS+5yVXbLNSJ/6GSA85KCQB/xLO2Va6h9ns+
|
||||
7cTdfAIhANC+m0qpz1LBzQ28himexOLx+obzcwHiO8XMmQq7w6ju
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
+19
-19
@@ -2,15 +2,15 @@ Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number:
|
||||
06:7b:3a:5d:cf:22:a9:6d:6d:78:2b:10:01:51:b6:4c:d4:82:a2:a1
|
||||
26:2d:4b:fe:64:7d:97:44:c8:85:22:01:96:b3:a5:db:1c:64:12:1b
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = AU, ST = QLD, O = wolfSSL, OU = Testing, CN = wolfssl-dev-sm2, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Issuer: C=AU, ST=QLD, O=wolfSSL, OU=Testing, CN=wolfssl-dev-sm2, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Validity
|
||||
Not Before: Nov 22 21:28:37 2023 GMT
|
||||
Not After : Aug 18 21:28:37 2026 GMT
|
||||
Subject: C = AU, ST = QLD, O = wolfSSL, OU = Testing, CN = wolfssl-dev-sm2, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=AU, ST=QLD, O=wolfSSL, OU=Testing, CN=wolfssl-dev-sm2, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: id-ecPublicKey
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
pub:
|
||||
04:d8:c4:a1:f1:0b:8b:8d:c4:7d:dc:d4:65:b9:a5:
|
||||
@@ -30,23 +30,23 @@ Certificate:
|
||||
Digital Signature, Certificate Sign, CRL Sign
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:44:02:20:0f:c3:2c:36:e3:9f:1c:e9:68:1c:3b:43:18:5b:
|
||||
c9:8f:e4:fa:dd:33:c1:b8:1c:d3:d4:61:33:f8:37:9d:5a:f4:
|
||||
02:20:3a:b9:a8:43:80:cf:38:25:e9:64:d8:26:47:9d:50:04:
|
||||
0c:8a:e8:a2:42:e8:63:dd:53:94:7d:38:6d:52:70:fd
|
||||
30:45:02:21:00:cb:1a:f6:3d:c5:63:4f:fb:23:c9:22:e5:c6:
|
||||
53:12:e0:90:81:42:ef:61:98:0b:c9:93:ff:27:59:e6:81:57:
|
||||
25:02:20:45:7a:6e:db:0f:15:c7:90:f0:ad:fe:a6:85:42:d3:
|
||||
dc:ed:7b:56:e6:12:6e:73:12:55:69:32:c5:16:22:f0:cd
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICjDCCAjOgAwIBAgIUBns6Xc8iqW1teCsQAVG2TNSCoqEwCgYIKoEcz1UBg3Uw
|
||||
MIICjjCCAjSgAwIBAgIUJi1L/mR9l0TIhSIBlrOl2xxkEhswCgYIKoEcz1UBg3Uw
|
||||
gZMxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxEDAOBgNVBAoMB3dvbGZTU0wx
|
||||
EDAOBgNVBAsMB1Rlc3RpbmcxGDAWBgNVBAMMD3dvbGZzc2wtZGV2LXNtMjEfMB0G
|
||||
CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv
|
||||
bGZTU0wwHhcNMjMxMTIyMjEyODM3WhcNMjYwODE4MjEyODM3WjCBkzELMAkGA1UE
|
||||
bGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBkzELMAkGA1UE
|
||||
BhMCQVUxDDAKBgNVBAgMA1FMRDEQMA4GA1UECgwHd29sZlNTTDEQMA4GA1UECwwH
|
||||
VGVzdGluZzEYMBYGA1UEAwwPd29sZnNzbC1kZXYtc20yMR8wHQYJKoZIhvcNAQkB
|
||||
FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDBZMBMG
|
||||
ByqGSM49AgEGCCqBHM9VAYItA0IABNjEofELi43EfdzUZbmlVU77rDOrm0OUTEhA
|
||||
GzPZG8wxwYJWP7DAa5VAUf2IAgGxsJRsBuun2o7ucLblu7Qe57SjYzBhMB0GA1Ud
|
||||
DgQWBBRul+iYtlu2rocE2xRWZhb0uC2M8jAfBgNVHSMEGDAWgBRul+iYtlu2rocE
|
||||
2xRWZhb0uC2M8jAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggq
|
||||
gRzPVQGDdQNHADBEAiAPwyw2458c6WgcO0MYW8mP5PrdM8G4HNPUYTP4N51a9AIg
|
||||
OrmoQ4DPOCXpZNgmR51QBAyK6KJC6GPdU5R9OG1ScP0=
|
||||
FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDBaMBQG
|
||||
CCqBHM9VAYItBggqgRzPVQGCLQNCAATYxKHxC4uNxH3c1GW5pVVO+6wzq5tDlExI
|
||||
QBsz2RvMMcGCVj+wwGuVQFH9iAIBsbCUbAbrp9qO7nC25bu0Hue0o2MwYTAdBgNV
|
||||
HQ4EFgQUbpfomLZbtq6HBNsUVmYW9LgtjPIwHwYDVR0jBBgwFoAUbpfomLZbtq6H
|
||||
BNsUVmYW9LgtjPIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwCgYI
|
||||
KoEcz1UBg3UDSAAwRQIhAMsa9j3FY0/7I8ki5cZTEuCQgULvYZgLyZP/J1nmgVcl
|
||||
AiBFem7bDxXHkPCt/qaFQtPc7XtW5hJucxJVaTLFFiLwzQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
Binary file not shown.
@@ -3,11 +3,11 @@ Certificate:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Server-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -33,16 +33,16 @@ Certificate:
|
||||
SSL Server
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:45:02:20:1b:ca:94:28:7f:f6:b2:0d:31:43:50:e1:d5:34:
|
||||
17:dd:af:3a:de:81:06:67:9a:b3:06:22:7e:64:ec:fd:0e:b9:
|
||||
02:21:00:a1:48:a8:32:d1:05:09:6b:1c:eb:89:12:66:d8:38:
|
||||
a1:c4:5c:89:09:0f:fd:e9:c0:3b:1d:fb:cd:b5:4c:31:68
|
||||
30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e:
|
||||
ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d:
|
||||
36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0:
|
||||
01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC2DCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO
|
||||
MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO
|
||||
BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
|
||||
U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv
|
||||
bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk
|
||||
AQEMB3dvbGZTU0wwHhcNMjMwMjE1MDYyMzA3WhcNMjUxMTExMDYyMzA3WjCBsDEL
|
||||
AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL
|
||||
MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
|
||||
FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD
|
||||
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
|
||||
@@ -51,7 +51,7 @@ HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd
|
||||
T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+
|
||||
Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu
|
||||
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF
|
||||
BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNIADBFAiAbypQof/ay
|
||||
DTFDUOHVNBfdrzregQZnmrMGIn5k7P0OuQIhAKFIqDLRBQlrHOuJEmbYOKHEXIkJ
|
||||
D/3pwDsd+821TDFo
|
||||
BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/
|
||||
HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH
|
||||
3SjGx0f/1tyw4TbMOw==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
+26
-26
@@ -3,11 +3,11 @@ Certificate:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Server-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -33,16 +33,16 @@ Certificate:
|
||||
SSL Server
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:45:02:20:1b:ca:94:28:7f:f6:b2:0d:31:43:50:e1:d5:34:
|
||||
17:dd:af:3a:de:81:06:67:9a:b3:06:22:7e:64:ec:fd:0e:b9:
|
||||
02:21:00:a1:48:a8:32:d1:05:09:6b:1c:eb:89:12:66:d8:38:
|
||||
a1:c4:5c:89:09:0f:fd:e9:c0:3b:1d:fb:cd:b5:4c:31:68
|
||||
30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e:
|
||||
ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d:
|
||||
36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0:
|
||||
01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIC2DCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO
|
||||
MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO
|
||||
BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
|
||||
U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv
|
||||
bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk
|
||||
AQEMB3dvbGZTU0wwHhcNMjMwMjE1MDYyMzA3WhcNMjUxMTExMDYyMzA3WjCBsDEL
|
||||
AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL
|
||||
MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x
|
||||
FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD
|
||||
VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz
|
||||
@@ -51,20 +51,20 @@ HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd
|
||||
T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+
|
||||
Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu
|
||||
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF
|
||||
BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNIADBFAiAbypQof/ay
|
||||
DTFDUOHVNBfdrzregQZnmrMGIn5k7P0OuQIhAKFIqDLRBQlrHOuJEmbYOKHEXIkJ
|
||||
D/3pwDsd+821TDFo
|
||||
BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/
|
||||
HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH
|
||||
3SjGx0f/1tyw4TbMOw==
|
||||
-----END CERTIFICATE-----
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 1 (0x1)
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com
|
||||
Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com
|
||||
Validity
|
||||
Not Before: Feb 15 06:23:07 2023 GMT
|
||||
Not After : Nov 11 06:23:07 2025 GMT
|
||||
Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL
|
||||
Not Before: Feb 18 17:56:57 2026 GMT
|
||||
Not After : Nov 14 17:56:57 2028 GMT
|
||||
Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: sm2
|
||||
Public-Key: (256 bit)
|
||||
@@ -86,16 +86,16 @@ Certificate:
|
||||
Digital Signature, Certificate Sign, CRL Sign
|
||||
Signature Algorithm: SM2-with-SM3
|
||||
Signature Value:
|
||||
30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf:
|
||||
89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd:
|
||||
02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b:
|
||||
11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c
|
||||
30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25:
|
||||
9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f:
|
||||
9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69:
|
||||
bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
|
||||
MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO
|
||||
BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT
|
||||
U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu
|
||||
Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2
|
||||
MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
|
||||
Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3
|
||||
NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN
|
||||
b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP
|
||||
MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq
|
||||
hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm
|
||||
@@ -103,6 +103,6 @@ U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn
|
||||
/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj
|
||||
YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0
|
||||
HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
|
||||
AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL
|
||||
H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec
|
||||
AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV
|
||||
9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ==
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
+9
-5
@@ -20332,8 +20332,10 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
|
||||
out + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size
|
||||
);
|
||||
if (ret != 0)
|
||||
if (ret != 0) {
|
||||
XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
break;
|
||||
}
|
||||
XMEMCPY(out,
|
||||
ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ);
|
||||
XMEMCPY(out + AESGCM_EXP_IV_SZ,outBuf,sz - AESGCM_EXP_IV_SZ);
|
||||
@@ -20805,8 +20807,10 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
(byte *)input + sz - ssl->specs.aead_mac_size,
|
||||
ssl->specs.aead_mac_size
|
||||
);
|
||||
if (ret != 0)
|
||||
if (ret != 0) {
|
||||
XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||
break;
|
||||
}
|
||||
XMEMCPY(plain + AESGCM_EXP_IV_SZ,
|
||||
outBuf,
|
||||
sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size);
|
||||
@@ -20832,7 +20836,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
case wolfssl_sm4_cbc:
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
/* initialize event */
|
||||
ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
|
||||
ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.sm4->asyncDev,
|
||||
WC_ASYNC_FLAG_CALL_AGAIN);
|
||||
if (ret != 0)
|
||||
break;
|
||||
@@ -20840,7 +20844,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
|
||||
ret = wc_Sm4CbcDecrypt(ssl->decrypt.sm4, plain, input, sz);
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
|
||||
ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
|
||||
ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.sm4->asyncDev);
|
||||
}
|
||||
#endif
|
||||
break;
|
||||
@@ -40111,7 +40115,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
|
||||
}
|
||||
if (ret == 0) {
|
||||
ret = wc_Sm4GcmDecrypt(sm4, in, out, inLen, iv, GCM_NONCE_MID_SZ,
|
||||
tag, SM$_BLOCK_SIZE, aad, aadSz);
|
||||
tag, SM4_BLOCK_SIZE, aad, aadSz);
|
||||
}
|
||||
wc_Sm4Free(sm4);
|
||||
}
|
||||
|
||||
+2
-1
@@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash,
|
||||
SIGNER_DIGEST_SIZE) == 0;
|
||||
}
|
||||
else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) {
|
||||
return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
|
||||
return XMEMCMP(keyHash, resp->responderId.keyHash,
|
||||
OCSP_RESPONDER_ID_KEY_SZ) == 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
+3
-2
@@ -184,13 +184,14 @@ static word32 add_rec_header(byte* output, word32 length, byte type)
|
||||
|
||||
static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz)
|
||||
{
|
||||
word32 len = qr->end - qr->start;
|
||||
word32 len;
|
||||
word32 offset = 0;
|
||||
word32 rlen;
|
||||
|
||||
if (len <= 0) {
|
||||
if (qr->end <= qr->start) {
|
||||
return 0;
|
||||
}
|
||||
len = qr->end - qr->start;
|
||||
|
||||
/* We check if the buf is at least RECORD_HEADER_SZ */
|
||||
if (sz < RECORD_HEADER_SZ) {
|
||||
|
||||
+14
-5
@@ -48,6 +48,10 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName,
|
||||
if (ctx == NULL || publicName == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
/* ECH spec limits public_name to 255 bytes (1-byte length prefix) */
|
||||
if (XSTRLEN(publicName) > 255)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
WC_ALLOC_VAR_EX(rng, WC_RNG, 1, ctx->heap, DYNAMIC_TYPE_RNG,
|
||||
return MEMORY_E);
|
||||
ret = wc_InitRng(rng);
|
||||
@@ -313,10 +317,16 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
|
||||
{
|
||||
int i;
|
||||
word16 totalLen = 0;
|
||||
word16 publicNameLen;
|
||||
|
||||
if (config == NULL || (output == NULL && outputLen == NULL))
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
/* ECH spec limits public_name to 255 bytes (1-byte length prefix) */
|
||||
if (config->publicName == NULL || XSTRLEN(config->publicName) > 255)
|
||||
return BAD_FUNC_ARG;
|
||||
publicNameLen = (word16)XSTRLEN(config->publicName);
|
||||
|
||||
/* 2 for version */
|
||||
totalLen += 2;
|
||||
/* 2 for length */
|
||||
@@ -355,7 +365,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
|
||||
totalLen += 2;
|
||||
|
||||
/* public name */
|
||||
totalLen += XSTRLEN(config->publicName);
|
||||
totalLen += publicNameLen;
|
||||
/* trailing zeros */
|
||||
totalLen += 2;
|
||||
|
||||
@@ -435,13 +445,12 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen)
|
||||
output++;
|
||||
|
||||
/* publicName len */
|
||||
*output = XSTRLEN(config->publicName);
|
||||
*output = (byte)publicNameLen;
|
||||
output++;
|
||||
|
||||
/* publicName */
|
||||
XMEMCPY(output, config->publicName,
|
||||
XSTRLEN(config->publicName));
|
||||
output += XSTRLEN(config->publicName);
|
||||
XMEMCPY(output, config->publicName, publicNameLen);
|
||||
output += publicNameLen;
|
||||
|
||||
/* terminating zeros */
|
||||
c16toa(0, output);
|
||||
|
||||
+2
-2
@@ -3116,7 +3116,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
|
||||
case wolfssl_sm4_gcm:
|
||||
nonceSz = SM4_GCM_NONCE_SZ;
|
||||
ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input,
|
||||
dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz,
|
||||
dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
|
||||
macSz, aad, aadSz);
|
||||
break;
|
||||
#endif
|
||||
@@ -3125,7 +3125,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
|
||||
case wolfssl_sm4_ccm:
|
||||
nonceSz = SM4_CCM_NONCE_SZ;
|
||||
ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input,
|
||||
dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz,
|
||||
dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
|
||||
macSz, aad, aadSz);
|
||||
break;
|
||||
#endif
|
||||
|
||||
+2
-2
@@ -384,8 +384,8 @@ int SslBioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
|
||||
}
|
||||
|
||||
/* If retry and write flags are set, return WANT_WRITE */
|
||||
if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_WRITE) &&
|
||||
(ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
|
||||
if ((ssl->biowr->flags & WOLFSSL_BIO_FLAG_WRITE) &&
|
||||
(ssl->biowr->flags & WOLFSSL_BIO_FLAG_RETRY)) {
|
||||
return WOLFSSL_CBIO_ERR_WANT_WRITE;
|
||||
}
|
||||
|
||||
|
||||
+19
-7
@@ -18967,8 +18967,9 @@ int ConfirmSignature(SignatureCtx* sigCtx,
|
||||
{
|
||||
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
|
||||
if (sigOID == CTC_SM3wSM2) {
|
||||
/* OpenSSL creates signature without CERT_SIG_ID. */
|
||||
ret = wc_ecc_sm2_create_digest(CERT_SIG_ID,
|
||||
CERT_SIG_ID_SZ, buf, bufSz, WC_HASH_TYPE_SM3,
|
||||
0, buf, bufSz, WC_HASH_TYPE_SM3,
|
||||
sigCtx->digest, WC_SM3_DIGEST_SIZE,
|
||||
sigCtx->key.ecc);
|
||||
if (ret == 0) {
|
||||
@@ -39572,8 +39573,9 @@ static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash,
|
||||
return XMEMCMP(NameHash, resp->responderId.nameHash,
|
||||
SIGNER_DIGEST_SIZE) == 0;
|
||||
/* OCSP_RESPONDER_ID_KEY */
|
||||
return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) &&
|
||||
XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
|
||||
return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) &&
|
||||
XMEMCMP(keyHash, resp->responderId.keyHash,
|
||||
OCSP_RESPONDER_ID_KEY_SZ) == 0;
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
|
||||
@@ -39612,8 +39614,15 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
|
||||
if (s)
|
||||
return s;
|
||||
}
|
||||
else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) {
|
||||
s = GetCAByKeyHash(cm, resp->responderId.keyHash);
|
||||
else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
|
||||
/* Responder key hash is OCSP_RESPONDER_ID_KEY_SZ bytes (SHA-1 per
|
||||
* RFC 6960) but lookup functions compare KEYID_SIZE bytes. Zero-pad
|
||||
* to avoid buffer over-read when KEYID_SIZE > OCSP_RESPONDER_ID_KEY_SZ
|
||||
* (e.g. when SM2/SM3 is enabled). */
|
||||
byte keyHash[KEYID_SIZE];
|
||||
XMEMSET(keyHash, 0, KEYID_SIZE);
|
||||
XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
|
||||
s = GetCAByKeyHash(cm, keyHash);
|
||||
if (s)
|
||||
return s;
|
||||
}
|
||||
@@ -39626,8 +39635,11 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
|
||||
if (s)
|
||||
return s;
|
||||
}
|
||||
else {
|
||||
s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash);
|
||||
else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) {
|
||||
byte keyHash[KEYID_SIZE];
|
||||
XMEMSET(keyHash, 0, KEYID_SIZE);
|
||||
XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ);
|
||||
s = findSignerByKeyHash(resp->pendingCAs, keyHash);
|
||||
if (s)
|
||||
return s;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user