From b7c3bbf1013f5facb56363f472afa2830cfdb0bc Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 13:45:45 +0000 Subject: [PATCH 1/9] Fixes to size checking In `quic_record_transfer()`, the unsigned subtraction `qr->end - qr->start` could wrap around if `end < start`, and the subsequent `len <= 0` check was ineffective on a `word32`. Move the comparison before the subtraction so the function returns `0` safely. In `GetEchConfig()`, `XSTRLEN(config->publicName)` was assigned to a single byte, silently truncating names longer than 255 characters while `XMEMCPY` still copied the full string. Add a 255-byte length validation in both `wolfSSL_CTX_GenerateEchConfig()` and `GetEchConfig()`, and cache the length in a local variable to avoid redundant `XSTRLEN` calls. --- src/quic.c | 5 +++-- src/ssl_ech.c | 19 ++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/quic.c b/src/quic.c index 2d6e4a6c87..4860adbc68 100644 --- a/src/quic.c +++ b/src/quic.c @@ -184,13 +184,14 @@ static word32 add_rec_header(byte* output, word32 length, byte type) static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz) { - word32 len = qr->end - qr->start; + word32 len; word32 offset = 0; word32 rlen; - if (len <= 0) { + if (qr->end <= qr->start) { return 0; } + len = qr->end - qr->start; /* We check if the buf is at least RECORD_HEADER_SZ */ if (sz < RECORD_HEADER_SZ) { diff --git a/src/ssl_ech.c b/src/ssl_ech.c index 81419d8c10..c7ea7e0e61 100644 --- a/src/ssl_ech.c +++ b/src/ssl_ech.c @@ -48,6 +48,10 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName, if (ctx == NULL || publicName == NULL) return BAD_FUNC_ARG; + /* ECH spec limits public_name to 255 bytes (1-byte length prefix) */ + if (XSTRLEN(publicName) > 255) + return BAD_FUNC_ARG; + WC_ALLOC_VAR_EX(rng, WC_RNG, 1, ctx->heap, DYNAMIC_TYPE_RNG, return MEMORY_E); ret = wc_InitRng(rng); @@ -313,10 +317,16 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) { int i; word16 totalLen = 0; + word16 publicNameLen; if (config == NULL || (output == NULL && outputLen == NULL)) return BAD_FUNC_ARG; + /* ECH spec limits public_name to 255 bytes (1-byte length prefix) */ + if (config->publicName == NULL || XSTRLEN(config->publicName) > 255) + return BAD_FUNC_ARG; + publicNameLen = (word16)XSTRLEN(config->publicName); + /* 2 for version */ totalLen += 2; /* 2 for length */ @@ -355,7 +365,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) totalLen += 2; /* public name */ - totalLen += XSTRLEN(config->publicName); + totalLen += publicNameLen; /* trailing zeros */ totalLen += 2; @@ -435,13 +445,12 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) output++; /* publicName len */ - *output = XSTRLEN(config->publicName); + *output = (byte)publicNameLen; output++; /* publicName */ - XMEMCPY(output, config->publicName, - XSTRLEN(config->publicName)); - output += XSTRLEN(config->publicName); + XMEMCPY(output, config->publicName, publicNameLen); + output += publicNameLen; /* terminating zeros */ c16toa(0, output); From 43aad1e4d74677b52795862b49762eaa8acc0f38 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 14:42:53 +0000 Subject: [PATCH 2/9] Fix SM4 TLS 1.3 decrypt auth tag and SM2 cert verification - Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer instead of output buffer, consistent with all other AEAD ciphers (src/tls13.c) - Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM decrypt path (src/internal.c) - Fix SM2 certificate signature verification for certs using id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm. OpenSSL creates SM2 cert signatures without the standard distinguishing identifier in the ZA hash. The SM2k code path already handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E (-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c) - Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh They had expired. --- certs/sm2/ca-sm2.der | Bin 666 -> 666 bytes certs/sm2/ca-sm2.pem | 36 ++++++++--------- certs/sm2/client-sm2.der | Bin 973 -> 970 bytes certs/sm2/client-sm2.pem | 52 ++++++++++++------------ certs/sm2/root-sm2.der | Bin 661 -> 662 bytes certs/sm2/root-sm2.pem | 36 ++++++++--------- certs/sm2/self-sm2-cert.pem | 26 ++++++------ certs/sm2/server-sm2-cert.der | Bin 732 -> 731 bytes certs/sm2/server-sm2-cert.pem | 38 ++++++++--------- certs/sm2/server-sm2.pem | 74 +++++++++++++++++----------------- src/internal.c | 2 +- src/tls13.c | 4 +- wolfcrypt/src/asn.c | 3 +- 13 files changed, 136 insertions(+), 135 deletions(-) diff --git a/certs/sm2/ca-sm2.der b/certs/sm2/ca-sm2.der index 050c1b1ae7470b555ab33f4394679cb7a80fb6af..38fea750d7f4e1b02f153ad5ba10bb7c0e382df5 100644 GIT binary patch delta 146 zcmbQmI*XOVpowXkK@*epM2?MeW(G!v7KSE9=0;{w;=D!{hK7bFP_9Aanu+o*lcgCm zc_Iyj+1Rz(JkHrNF;1Syc)-h(!N844kzrT1$cFbE`+ba(lk^_OvfOlKsXV!V*5vuD wE?=J+r);TXQe=26{;%EC;FI-gG2J+WGAF+?thD}59AfVe05Cx>@&Et; delta 146 zcmbQmI*XOVpowXkK@*eBM2?Me#s)@)rUqt4#s=n5;=D$thK7cQP_9Aanu+o*lcgCm zd7}(O*f_KrWzL5(Ht9~Dz<9vZgTcU+Nx|KZfqAvb!u64s{Rw9KJ3E{l)eqhcKUsNN wJ}gFTtHxd?MTTxY)z^x%S86ZIioU)4xVGT^V$rovjvhYrdCQjc_16Ps02S&o@&Et; diff --git a/certs/sm2/ca-sm2.pem b/certs/sm2/ca-sm2.pem index 2451a522f7..5ced06b59d 100644 --- a/certs/sm2/ca-sm2.pem +++ b/certs/sm2/ca-sm2.pem @@ -3,13 +3,13 @@ Certificate: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 14:27:26 2026 GMT + Not After : Nov 14 14:27:26 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: sm2 + Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:21:92:f7:cb:24:df:64:4d:ba:ab:66:7b:83:75: @@ -29,23 +29,23 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf: - 89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd: - 02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b: - 11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c + 30:46:02:21:00:ba:6b:14:b0:ef:08:bf:4c:32:63:62:2e:e1: + 5d:04:d9:45:04:79:c9:bf:9a:93:9f:05:44:f5:e6:33:64:b4: + 7e:02:21:00:e3:17:fe:87:35:30:f2:3b:ab:16:2d:5e:30:76: + 42:4e:cc:85:96:b9:2f:af:55:00:a5:4f:43:7c:13:54:3f:4f -----BEGIN CERTIFICATE----- -MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO +MIICljCCAjugAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu -Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2 -MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE0 +MjcyNloXDTI4MTExNDE0MjcyNlowgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm -U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn -/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj -YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0 -HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL -H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec +U1NMMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEIZL3yyTfZE26q2Z7g3WpKef/ +ZGO21UKAIL3i4gISO460AJUJgMtW7UvKjVfmrgXTdidjcTmJt2nmSICu0alIEqNj +MGEwHQYDVR0OBBYEFEcKSH67AqhaJlcrGal7YYt/XZluMB8GA1UdIwQYMBaAFDQd +eUQVeaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMAoGCCqBHM9VAYN1A0kAMEYCIQC6axSw7wi/TDJjYi7hXQTZRQR5yb+ak58F +RPXmM2S0fgIhAOMX/oc1MPI7qxYtXjB2Qk7MhZa5L69VAKVPQ3wTVD9P -----END CERTIFICATE----- diff --git a/certs/sm2/client-sm2.der b/certs/sm2/client-sm2.der index 195cdb14460b0edfb26ff7fbd79c7bfa4d0ade99..e65e62b8d6db1076c051ff536f7b629243693105 100644 GIT binary patch delta 190 zcmX@heu`b$po#gIK@)TC0%j&gCMFT3bJLacXMXvts#?cbc5Yom*fz(D6P1rhnHd-v zS{RxbnH!l!iSrs+7#bRyK)90`8MpF88VIwoYqfctvt?r3e3&tW5vxIywV5M4+!+j9 zm=x3tRh2T|HoUgCQm2qdz&9jX#Aq=`Mo6%01MAZ$^ZZW delta 211 zcmX@bewJO|po#gUK@)S{0%j&gCMJ=D1zy}{uWKLLmuRlk+`^h8{(adM11>fWtwx#i zp^VL?lM|UX%Nxjv^BNf&7#W%xm>C%xm`9288krgz8X7{llNlMe@Yk0!#iT+HA n4DE5XPp(<*uAZUZdavq(;-j>M^VJ^QZByQI;(%M!C(m90N32e* diff --git a/certs/sm2/client-sm2.pem b/certs/sm2/client-sm2.pem index 2f3f49ef89..fb2887ad73 100644 --- a/certs/sm2/client-sm2.pem +++ b/certs/sm2/client-sm2.pem @@ -2,15 +2,15 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 60:a0:4a:0b:36:eb:7d:e1:3f:74:29:a9:29:b4:05:6c:17:f7:a6:d4 + 22:ce:97:23:6f:99:f4:f3:25:25:7e:01:76:ce:ae:80:56:b6:41:d1 Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 14:27:26 2026 GMT + Not After : Nov 14 14:27:26 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: sm2 + Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:3a:1d:e8:cb:4b:d3:2e:3f:4b:07:3f:b0:21:fe: @@ -25,7 +25,7 @@ Certificate: X509v3 Authority Key Identifier: keyid:E4:21:B2:C5:E5:D4:9E:82:CA:F8:67:F2:28:99:F6:85:E8:F1:55:EF DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_sm2/OU=Client-sm2/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL - serial:60:A0:4A:0B:36:EB:7D:E1:3F:74:29:A9:29:B4:05:6C:17:F7:A6:D4 + serial:22:CE:97:23:6F:99:F4:F3:25:25:7E:01:76:CE:AE:80:56:B6:41:D1 X509v3 Basic Constraints: CA:TRUE X509v3 Subject Alternative Name: @@ -34,30 +34,30 @@ Certificate: TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: SM2-with-SM3 Signature Value: - 30:46:02:21:00:8f:b2:b5:95:8f:79:f6:5e:75:e5:c5:e9:9a: - 12:d2:0f:78:9f:c0:1d:8d:1c:be:6b:0c:f1:f5:57:60:db:91: - 4f:02:21:00:87:5e:7d:e4:d6:3a:bb:7b:98:27:85:de:7a:f0: - 21:e2:66:a1:9f:26:e0:dd:86:23:b4:c8:c0:46:5a:f2:49:8d + 30:44:02:20:27:71:25:22:69:ed:80:eb:3f:39:0e:7a:9b:a7: + 22:66:76:ef:d4:b4:5e:e8:8f:47:06:c7:2f:a4:f5:0f:09:6e: + 02:20:18:f9:bb:4c:4a:a0:a0:c9:ff:42:24:a1:9a:63:6b:ec: + d1:25:e5:49:de:bd:83:e0:90:81:f4:23:49:f7:84:6e -----BEGIN CERTIFICATE----- -MIIDyTCCA26gAwIBAgIUYKBKCzbrfeE/dCmpKbQFbBf3ptQwCgYIKoEcz1UBg3Uw +MIIDxjCCA22gAwIBAgIUIs6XI2+Z9PMlJX4Bds6ugFa2QdEwCgYIKoEcz1UBg3Uw gbAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl bWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjETMBEGA1UECwwKQ2xpZW50LXNtMjEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv -bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yMzAyMTUwNjIz -MDdaFw0yNTExMTEwNjIzMDdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u +bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNDI3 +MjZaFw0yODExMTQxNDI3MjZaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLd29sZlNTTF9zbTIxEzAR BgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv -bGZTU0wwWjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAEOh3oy0vTLj9LBz+wIf7F -ntnKOpOTlXYdMNkL9VbtGWDtAUz2Zx3xrKh0DbJ3yEk45P9M741th/ZOx/g5dHBw -taOCAWEwggFdMB0GA1UdDgQWBBTkIbLF5dSegsr4Z/IomfaF6PFV7zCB8AYDVR0j -BIHoMIHlgBTkIbLF5dSegsr4Z/IomfaF6PFV76GBtqSBszCBsDELMAkGA1UEBhMC -VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoM -C3dvbGZTU0xfc20yMRMwEQYDVQQLDApDbGllbnQtc20yMRgwFgYDVQQDDA93d3cu -d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV -BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRgoEoLNut94T90KakptAVsF/em1DAMBgNV -HRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQW -MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEAj7K1lY95 -9l515cXpmhLSD3ifwB2NHL5rDPH1V2DbkU8CIQCHXn3k1jq7e5gnhd568CHiZqGf -JuDdhiO0yMBGWvJJjQ== +bGZTU0wwWTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAQ6HejLS9MuP0sHP7Ah/sWe +2co6k5OVdh0w2Qv1Vu0ZYO0BTPZnHfGsqHQNsnfISTjk/0zvjW2H9k7H+Dl0cHC1 +o4IBYTCCAV0wHQYDVR0OBBYEFOQhssXl1J6Cyvhn8iiZ9oXo8VXvMIHwBgNVHSME +gegwgeWAFOQhssXl1J6Cyvhn8iiZ9oXo8VXvoYG2pIGzMIGwMQswCQYDVQQGEwJV +UzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwL +d29sZlNTTF9zbTIxEzARBgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53 +b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUG +CgmSJomT8ixkAQEMB3dvbGZTU0yCFCLOlyNvmfTzJSV+AXbOroBWtkHRMAwGA1Ud +EwQFMAMBAf8wHAYDVR0RBBUwE4ILZXhhbXBsZS5jb22HBH8AAAEwHQYDVR0lBBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMAoGCCqBHM9VAYN1A0cAMEQCICdxJSJp7YDr +PzkOepunImZ279S0XuiPRwbHL6T1DwluAiAY+btMSqCgyf9CJKGaY2vs0SXlSd69 +g+CQgfQjSfeEbg== -----END CERTIFICATE----- diff --git a/certs/sm2/root-sm2.der b/certs/sm2/root-sm2.der index 63c0407713d05b25e21a6a0d22b3382492362c39..d94887dbc1313e2469cd338680f4c9c3683a4eb6 100644 GIT binary patch delta 166 zcmbQrI*nD?powXcK@*et0%j&gCMFS=lYfj^vu(cr5oKcf7Tz}LRNW!NiOMUb%?ykT zEeuVJ%#F;V#CeS@3=IuUpxlZ2GkGEngxT1&+C0wLGBHl>Wjx^J$zb5dq{z_zk$J(^ z%J4+Bx?))Y{X4H8sd_DDQ!nSe@a1i9a8h#~lOn^m7u*$VzEwVS3V7(2k#Fy9_>Zl{QXim?qNLO;m%;-!lb~guKD48 zh1x=?EV+)x=gmd&cF#Coh-B>d=FbS4w5oq0lLGfYX^~xlO{r|Vm2OBapC6L+x_8r6 Q;mtc1eHL-qv_SC!0FXmD!Tdecrypt.sm4, output, input, - dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz, + dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, macSz, aad, aadSz); break; #endif @@ -3125,7 +3125,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, case wolfssl_sm4_ccm: nonceSz = SM4_CCM_NONCE_SZ; ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input, - dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz, + dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, macSz, aad, aadSz); break; #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 78d2c75d59..636a877d97 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -18967,8 +18967,9 @@ int ConfirmSignature(SignatureCtx* sigCtx, { #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) if (sigOID == CTC_SM3wSM2) { + /* OpenSSL creates signature without CERT_SIG_ID. */ ret = wc_ecc_sm2_create_digest(CERT_SIG_ID, - CERT_SIG_ID_SZ, buf, bufSz, WC_HASH_TYPE_SM3, + 0, buf, bufSz, WC_HASH_TYPE_SM3, sigCtx->digest, WC_SM3_DIGEST_SIZE, sigCtx->key.ecc); if (ret == 0) { From 5bb447dee6a23596808a84ce0e89fa923b3a1c95 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 15:03:57 +0000 Subject: [PATCH 3/9] Fix copy/paste error in SM4 CBC Decrypt Async --- src/internal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index c12b6a6fe1..2c534a678d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -20832,7 +20832,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, case wolfssl_sm4_cbc: #ifdef WOLFSSL_ASYNC_CRYPT /* initialize event */ - ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, + ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.sm4->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); if (ret != 0) break; @@ -20840,7 +20840,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, ret = wc_Sm4CbcDecrypt(ssl->decrypt.sm4, plain, input, sz); #ifdef WOLFSSL_ASYNC_CRYPT if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev); + ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.sm4->asyncDev); } #endif break; From 2d2efccf710b0469010f01dd56812c476ff022aa Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 15:05:08 +0000 Subject: [PATCH 4/9] Add CI test for wolfSM + wolfSSL --- .github/workflows/wolfsm.yml | 63 ++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/wolfsm.yml diff --git a/.github/workflows/wolfsm.yml b/.github/workflows/wolfsm.yml new file mode 100644 index 0000000000..f67485793e --- /dev/null +++ b/.github/workflows/wolfsm.yml @@ -0,0 +1,63 @@ +name: wolfSM Tests + +# START OF COMMON SECTION +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + make_check: + strategy: + fail-fast: false + matrix: + config: [ + # Core SM TLS cipher suites + '--enable-sm2 --enable-sm3 --enable-sm4-gcm --enable-sm4-ccm --enable-sha3', + # All SM4 modes + '--enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sha3', + # SM + all features integration test + '--enable-all --enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm', + ] + name: make check + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-24.04 + timeout-minutes: 10 + steps: + - uses: actions/checkout@v4 + name: Checkout wolfSSL + + - uses: actions/checkout@v4 + name: Checkout wolfsm + with: + repository: wolfssl/wolfsm + path: wolfsm + + - name: Install wolfsm + working-directory: wolfsm + run: ./install.sh $GITHUB_WORKSPACE + + - name: Test wolfSSL with wolfSM + run: | + ./autogen.sh + ./configure ${{ matrix.config }} + make + make check + + - name: Print errors + if: ${{ failure() }} + run: | + for file in scripts/*.log + do + if [ -f "$file" ]; then + echo "${file}:" + cat "$file" + echo "========================================================================" + fi + done From 3ffa625fd4e2fda69d4574562ce49d20801ce501 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 15:06:36 +0000 Subject: [PATCH 5/9] Fix leak in Aria upon error --- src/internal.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 2c534a678d..86e16cfdb0 100644 --- a/src/internal.c +++ b/src/internal.c @@ -20332,8 +20332,10 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, out + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size ); - if (ret != 0) + if (ret != 0) { + XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); break; + } XMEMCPY(out, ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ); XMEMCPY(out + AESGCM_EXP_IV_SZ,outBuf,sz - AESGCM_EXP_IV_SZ); @@ -20805,8 +20807,10 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, (byte *)input + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size ); - if (ret != 0) + if (ret != 0) { + XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); break; + } XMEMCPY(plain + AESGCM_EXP_IV_SZ, outBuf, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size); From 730519211d9d225c6cc00e786cf500220b49de44 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 15:08:06 +0000 Subject: [PATCH 6/9] Fix wrong flags read on BIO write --- src/wolfio.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/wolfio.c b/src/wolfio.c index 80d3b65610..095f55fa81 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -384,8 +384,8 @@ int SslBioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) } /* If retry and write flags are set, return WANT_WRITE */ - if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_WRITE) && - (ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) { + if ((ssl->biowr->flags & WOLFSSL_BIO_FLAG_WRITE) && + (ssl->biowr->flags & WOLFSSL_BIO_FLAG_RETRY)) { return WOLFSSL_CBIO_ERR_WANT_WRITE; } From 4e37d99d0736e4f1e999f200c7afd5232a1c050c Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 15:59:37 +0000 Subject: [PATCH 7/9] Fix OCSP key-based responder ID lookup when SM2/SM3 is enabled. When WOLFSSL_SM2 and WOLFSSL_SM3 are both defined, KEYID_SIZE becomes 32 (WC_SM3_DIGEST_SIZE) but OCSP_RESPONDER_ID_KEY_SZ remains 20 (SHA-1 per RFC 6960). The guard (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ in OcspFindSigner() and OcspRespIdMatch() evaluated to false (32 != 20), completely disabling key-based OCSP responder ID matching. This caused OCSP stapling to fail with BAD_CERTIFICATE_STATUS_ERROR (-406) against any server using a key-based responder ID (e.g. login.live.com). Fix by comparing only OCSP_RESPONDER_ID_KEY_SZ bytes for the responder ID match, and zero-padding the 20-byte key hash to KEYID_SIZE before passing to CA lookup functions that compare the full KEYID_SIZE. --- src/ocsp.c | 3 ++- wolfcrypt/src/asn.c | 23 +++++++++++++++++------ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index 40c255f37d..7a44f6c978 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, SIGNER_DIGEST_SIZE) == 0; } else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) { - return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + return XMEMCMP(keyHash, resp->responderId.keyHash, + OCSP_RESPONDER_ID_KEY_SZ) == 0; } return 0; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 636a877d97..3672d27b48 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -39573,8 +39573,9 @@ static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash, return XMEMCMP(NameHash, resp->responderId.nameHash, SIGNER_DIGEST_SIZE) == 0; /* OCSP_RESPONDER_ID_KEY */ - return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) && - XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) && + XMEMCMP(keyHash, resp->responderId.keyHash, + OCSP_RESPONDER_ID_KEY_SZ) == 0; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK @@ -39613,8 +39614,15 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm) if (s) return s; } - else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) { - s = GetCAByKeyHash(cm, resp->responderId.keyHash); + else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) { + /* Responder key hash is OCSP_RESPONDER_ID_KEY_SZ bytes (SHA-1 per + * RFC 6960) but lookup functions compare KEYID_SIZE bytes. Zero-pad + * to avoid buffer over-read when KEYID_SIZE > OCSP_RESPONDER_ID_KEY_SZ + * (e.g. when SM2/SM3 is enabled). */ + byte keyHash[KEYID_SIZE]; + XMEMSET(keyHash, 0, KEYID_SIZE); + XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ); + s = GetCAByKeyHash(cm, keyHash); if (s) return s; } @@ -39627,8 +39635,11 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm) if (s) return s; } - else { - s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash); + else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) { + byte keyHash[KEYID_SIZE]; + XMEMSET(keyHash, 0, KEYID_SIZE); + XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ); + s = findSignerByKeyHash(resp->pendingCAs, keyHash); if (s) return s; } From 2e8f9fe5950b7fcee84023e4a6f367f72e0b3530 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 17:58:28 +0000 Subject: [PATCH 8/9] Fix SM2 certs to have the correct public key OID OpenSSL 3.5+ handles the OIDs differently. --- certs/sm2/ca-sm2.der | Bin 666 -> 667 bytes certs/sm2/ca-sm2.pem | 32 +++--- certs/sm2/client-sm2.der | Bin 970 -> 973 bytes certs/sm2/client-sm2.pem | 48 ++++----- certs/sm2/fix_sm2_spki.py | 179 ++++++++++++++++++++++++++++++++++ certs/sm2/gen-sm2-certs.sh | 16 +++ certs/sm2/root-sm2.der | Bin 662 -> 663 bytes certs/sm2/root-sm2.pem | 32 +++--- certs/sm2/self-sm2-cert.pem | 34 +++---- certs/sm2/server-sm2-cert.der | Bin 731 -> 733 bytes certs/sm2/server-sm2-cert.pem | 34 +++---- certs/sm2/server-sm2.pem | 66 ++++++------- 12 files changed, 318 insertions(+), 123 deletions(-) create mode 100644 certs/sm2/fix_sm2_spki.py diff --git a/certs/sm2/ca-sm2.der b/certs/sm2/ca-sm2.der index 38fea750d7f4e1b02f153ad5ba10bb7c0e382df5..2b416438642e03c6c37682390f1f2779ab32d144 100644 GIT binary patch delta 134 zcmbQmI-8ZlpowX^K@*eBM2_te=B8$*=27CjMiz#Kh9-s(u0i9PiSjO!r5Q7MqYOmY zIJ6pN&WAEK=}w-&c-(o@&S<8!6+eP@rJp~oI(yg6u&>MiuUA#O`t9@QWnX9M&t_6& m*fZ_3rEu9DCR0nkJ6xIjnIyI`?)%SrUGGzM`fIV5eMbTC3pGao delta 133 zcmbQuI*XOVpowXkK@*epM2_teCPwB)W>Mn2Miz#Kh9-s(u0i9PiSjO!r5Q7MA`OJu z*tOa`&e<|CPM*kk+<8~F$cFbE`+ba(lk^_OvfOlKsXV!V*5vuDE?=J+r);TXQe=26 k{;%EC;FI-gG2J+WGAF+?thD}59AfVe0Ky?H-v9sr diff --git a/certs/sm2/ca-sm2.pem b/certs/sm2/ca-sm2.pem index 5ced06b59d..097a24dad3 100644 --- a/certs/sm2/ca-sm2.pem +++ b/certs/sm2/ca-sm2.pem @@ -5,11 +5,11 @@ Certificate: Signature Algorithm: SM2-with-SM3 Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 18 14:27:26 2026 GMT - Not After : Nov 14 14:27:26 2028 GMT + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey + Public Key Algorithm: sm2 Public-Key: (256 bit) pub: 04:21:92:f7:cb:24:df:64:4d:ba:ab:66:7b:83:75: @@ -29,23 +29,23 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:46:02:21:00:ba:6b:14:b0:ef:08:bf:4c:32:63:62:2e:e1: - 5d:04:d9:45:04:79:c9:bf:9a:93:9f:05:44:f5:e6:33:64:b4: - 7e:02:21:00:e3:17:fe:87:35:30:f2:3b:ab:16:2d:5e:30:76: - 42:4e:cc:85:96:b9:2f:af:55:00:a5:4f:43:7c:13:54:3f:4f + 30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25: + 9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f: + 9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69: + bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5 -----BEGIN CERTIFICATE----- -MIICljCCAjugAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO +MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu -Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE0 -MjcyNloXDTI4MTExNDE0MjcyNlowgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3 +NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm -U1NMMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEIZL3yyTfZE26q2Z7g3WpKef/ -ZGO21UKAIL3i4gISO460AJUJgMtW7UvKjVfmrgXTdidjcTmJt2nmSICu0alIEqNj -MGEwHQYDVR0OBBYEFEcKSH67AqhaJlcrGal7YYt/XZluMB8GA1UdIwQYMBaAFDQd -eUQVeaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgGGMAoGCCqBHM9VAYN1A0kAMEYCIQC6axSw7wi/TDJjYi7hXQTZRQR5yb+ak58F -RPXmM2S0fgIhAOMX/oc1MPI7qxYtXjB2Qk7MhZa5L69VAKVPQ3wTVD9P +U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn +/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj +YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0 +HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV +9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ== -----END CERTIFICATE----- diff --git a/certs/sm2/client-sm2.der b/certs/sm2/client-sm2.der index e65e62b8d6db1076c051ff536f7b629243693105..be1bbf4f16a0aa0c3e13bb42341b4cd1a5044b50 100644 GIT binary patch delta 211 zcmX@bewJO|po#gUK@)S{0%j&gCMJ>OyQRrp8v_03`2Eif^*j5nU+r>(0T&yGR-?@M zP{!uc$%#yxgQ zVZ>_oWG&_hFHZ&oHzq}fyE7(am`+X97o4#4r9t8KG znMH~78d(?`8k!h_xsw?gxAH_92(z(kwRxPgWn$cXm@$MAs}Ym6nIk;h84O&Q6x0h< zl``KpytcRGtD3!BDXr}Nl`U~E`rX-%>o57r&zZ-hAn|jzkJo|)C;vOCES!~`{pO +""" + +import base64 +import subprocess +import sys +import os +import tempfile + +EC_PUBKEY_OID = bytes([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]) +SM2_ALGO_OID = bytes([0x06, 0x08, 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x82, 0x2d]) +SM2_WITH_SM3 = bytes([0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x83, 0x75]) + + +def read_der_length(data, offset): + b = data[offset] + if b < 0x80: + return b, 1 + num_bytes = b & 0x7f + length = 0 + for i in range(num_bytes): + length = (length << 8) | data[offset + 1 + i] + return length, 1 + num_bytes + + +def encode_der_length(length): + if length < 0x80: + return bytes([length]) + elif length < 0x100: + return bytes([0x81, length]) + elif length < 0x10000: + return bytes([0x82, length >> 8, length & 0xff]) + else: + raise ValueError("Length too large: %d" % length) + + +def find_enclosing_sequences(data, target_pos): + """Find length-field offsets of all SEQUENCEs enclosing target_pos.""" + results = [] + + def scan(offset, end): + while offset < end: + tag = data[offset] + offset += 1 + length, len_bytes = read_der_length(data, offset) + len_offset = offset + offset += len_bytes + content_start = offset + content_end = offset + length + + if tag == 0x30 and content_start <= target_pos < content_end: + results.append((len_offset, length, len_bytes)) + scan(content_start, content_end) + return + offset = content_end + + scan(0, len(data)) + return results + + +def patch_tbs_spki_oid(tbs_der): + """Replace id-ecPublicKey with SM2 OID in TBS SubjectPublicKeyInfo.""" + oid_pos = tbs_der.find(EC_PUBKEY_OID) + if oid_pos == -1: + return None # Already has SM2 OID or no EC key + + enclosing = find_enclosing_sequences(tbs_der, oid_pos) + size_diff = len(SM2_ALGO_OID) - len(EC_PUBKEY_OID) + + result = bytearray( + tbs_der[:oid_pos] + SM2_ALGO_OID + tbs_der[oid_pos + len(EC_PUBKEY_OID):] + ) + + for len_offset, old_length, old_len_bytes in enclosing: + new_length = old_length + size_diff + new_len_encoded = encode_der_length(new_length) + if len(new_len_encoded) == old_len_bytes: + result[len_offset:len_offset + old_len_bytes] = new_len_encoded + else: + result[len_offset:len_offset + old_len_bytes] = new_len_encoded + size_diff += len(new_len_encoded) - old_len_bytes + + return bytes(result) + + +def pem_to_der(pem_text): + b64 = ''.join( + line for line in pem_text.split('\n') + if not line.startswith('-----') and line.strip() + ) + return base64.b64decode(b64) + + +def der_to_pem(der_data, label="CERTIFICATE"): + b64 = base64.b64encode(der_data).decode() + lines = [b64[i:i+64] for i in range(0, len(b64), 64)] + return ('-----BEGIN %s-----\n' % label + + '\n'.join(lines) + + '\n-----END %s-----\n' % label) + + +def extract_tbs(cert_der): + assert cert_der[0] == 0x30 + outer_len, outer_len_bytes = read_der_length(cert_der, 1) + tbs_offset = 1 + outer_len_bytes + tbs_len, tbs_len_bytes = read_der_length(cert_der, tbs_offset + 1) + tbs_total = 1 + tbs_len_bytes + tbs_len + return cert_der[tbs_offset:tbs_offset + tbs_total] + + +def sign_tbs(tbs_der, key_pem_path): + """Sign TBS with SM2-with-SM3 using openssl dgst.""" + with tempfile.NamedTemporaryFile(suffix='.der', delete=False) as tbs_f: + tbs_f.write(tbs_der) + tbs_path = tbs_f.name + + sig_path = tbs_path + '.sig' + try: + result = subprocess.run( + ['openssl', 'dgst', '-sm3', '-sign', key_pem_path, + '-out', sig_path, tbs_path], + capture_output=True, text=True + ) + if result.returncode != 0: + raise RuntimeError("openssl dgst failed: " + result.stderr) + + with open(sig_path, 'rb') as f: + return f.read() + finally: + os.unlink(tbs_path) + if os.path.exists(sig_path): + os.unlink(sig_path) + + +def build_cert(tbs_der, sig_der): + bit_string = bytes([0x03, len(sig_der) + 1, 0x00]) + sig_der + cert_body = tbs_der + SM2_WITH_SM3 + bit_string + return bytes([0x30]) + encode_der_length(len(cert_body)) + cert_body + + +def fix_sm2_cert(cert_pem_path, key_pem_path, output_pem_path): + with open(cert_pem_path, 'r') as f: + cert_pem = f.read() + + cert_der = pem_to_der(cert_pem) + tbs = extract_tbs(cert_der) + + new_tbs = patch_tbs_spki_oid(tbs) + if new_tbs is None: + print(" Already has SM2 OID, no patching needed") + if cert_pem_path != output_pem_path: + with open(output_pem_path, 'w') as f: + f.write(cert_pem) + return + + sig = sign_tbs(new_tbs, key_pem_path) + new_cert_der = build_cert(new_tbs, sig) + + with open(output_pem_path, 'w') as f: + f.write(der_to_pem(new_cert_der)) + + print(" Patched SPKI algorithm OID to SM2") + + +if __name__ == '__main__': + if len(sys.argv) != 4: + print("Usage: %s " % sys.argv[0]) + sys.exit(1) + + fix_sm2_cert(sys.argv[1], sys.argv[2], sys.argv[3]) diff --git a/certs/sm2/gen-sm2-certs.sh b/certs/sm2/gen-sm2-certs.sh index 46f2a8cd50..33c459f370 100755 --- a/certs/sm2/gen-sm2-certs.sh +++ b/certs/sm2/gen-sm2-certs.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" + check_result(){ if [ $1 -ne 0 ]; then echo "Failed at \"$2\", Abort" @@ -9,6 +11,15 @@ check_result(){ fi } +# OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID instead of +# the SM2-specific OID. fix_sm2_spki.py patches the SubjectPublicKeyInfo +# algorithm OID back to SM2 and re-signs the certificate. +fix_sm2_oid(){ + # $1 = cert PEM, $2 = signing key PEM + python3 "${SCRIPT_DIR}/fix_sm2_spki.py" "$1" "$2" "$1" + check_result $? "Fix SM2 SPKI OID in $1" +} + openssl pkey -in root-sm2-priv.pem -noout >/dev/null 2>&1 if [ $? -ne 0 ]; then echo "OpenSSL does not support SM2" @@ -29,6 +40,7 @@ check_result $? "Generate request" openssl x509 -req -in root-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-sm2-priv.pem -out root-sm2.pem check_result $? "Generate certificate" rm root-sm2.csr +fix_sm2_oid root-sm2.pem root-sm2-priv.pem openssl x509 -in root-sm2.pem -outform DER > root-sm2.der check_result $? "Convert to DER" @@ -50,6 +62,7 @@ check_result $? "Generate request" openssl x509 -req -in ca-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-sm2.pem -CAkey root-sm2-priv.pem -set_serial 01 -out ca-sm2.pem check_result $? "Generate certificate" rm ca-sm2.csr +fix_sm2_oid ca-sm2.pem root-sm2-priv.pem openssl x509 -in ca-sm2.pem -outform DER > ca-sm2.der check_result $? "Convert to DER" @@ -71,6 +84,7 @@ check_result $? "Generate request" openssl x509 -req -in self-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey self-sm2-priv.pem -out self-sm2-cert.pem check_result $? "Generate certificate" rm self-sm2.csr +fix_sm2_oid self-sm2-cert.pem self-sm2-priv.pem openssl x509 -in self-sm2-cert.pem -text > tmp.pem check_result $? "Add text" @@ -90,6 +104,7 @@ check_result $? "Generate request" openssl x509 -req -in server-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-sm2.pem -CAkey ca-sm2-priv.pem -set_serial 01 -out server-sm2-cert.pem check_result $? "Generate certificate" rm server-sm2.csr +fix_sm2_oid server-sm2-cert.pem ca-sm2-priv.pem openssl x509 -in server-sm2-cert.pem -outform DER > server-sm2-cert.der check_result $? "Convert to DER" @@ -113,6 +128,7 @@ check_result $? "Generate request" openssl x509 -req -in client-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-sm2-priv.pem -out client-sm2.pem check_result $? "Generate certificate" rm client-sm2.csr +fix_sm2_oid client-sm2.pem client-sm2-priv.pem openssl x509 -in client-sm2.pem -outform DER > client-sm2.der check_result $? "Convert to DER" diff --git a/certs/sm2/root-sm2.der b/certs/sm2/root-sm2.der index d94887dbc1313e2469cd338680f4c9c3683a4eb6..47550ba91435644f320d02ae4924620b93bcd0e8 100644 GIT binary patch delta 154 zcmbQnI-OP7powX+K@*e30%j&gCMJcN@UAORCwcXnzcWamw87}Ob?X~iJ(8063d)hST9eMQeSKH@e#z)pi&&=f7 IeR#z?01O;K@&Et; delta 153 zcmbQvI*nD?powXcK@*et0%j&gCMFS=lYfj^vu(cr5oKcf7Tz}LRNW!NiOTCmO^nQq z%%a43jVufe4NVLo+===#c_Iyj+1Rz(JkHrNF;4DfJnr27k$J(^%J4+Bx?))Y{X4H8 zsd_DDQ!nSe@a1i9a8h#~lOn^m7u*$VzEwVS3V7(2k#Fy9_S3=B8$*=27CjMiz#Kh9-s(u0i95iSizk%@{LzqYOmY zIJ6pN&WAEK=}unF_}t5r!N844kzrauyq*1ixqzHmv3`B;)ff8y+F80Rg74ey1S5qf shO%Z%iVV+B$INf7_1PLy^2GJX2gcw)WA?im$Bw)IzjkNCL$fp10F7)kkpKVy delta 139 zcmcc1dYhHQpo!_aK@(H$M2>S3CPwB)W>Mn2Miz#Kh9-s(u0i95iSizk%@{LzA`OJu z*tOa`&e<|CPF}z?DgXUGPbYQ!QWKfYPF r-Z3dM{Qg?B?M%+3YZe)dM^~Soef`dv-T4-N(yg`E=PY@Die diff --git a/certs/sm2/server-sm2-cert.pem b/certs/sm2/server-sm2-cert.pem index bee875ded9..f21400f20b 100644 --- a/certs/sm2/server-sm2-cert.pem +++ b/certs/sm2/server-sm2-cert.pem @@ -5,11 +5,11 @@ Certificate: Signature Algorithm: SM2-with-SM3 Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 18 14:27:26 2026 GMT - Not After : Nov 14 14:27:26 2028 GMT + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey + Public Key Algorithm: sm2 Public-Key: (256 bit) pub: 04:94:70:2b:46:e4:5e:0f:41:fb:8f:2d:34:0a:41: @@ -33,25 +33,25 @@ Certificate: SSL Server Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:07:11:e4:64:42:5a:2b:74:1d:7d:bb:81:33:7f: - fd:5c:bd:93:f5:73:09:fc:23:5a:c4:f6:94:fc:4d:6a:da:ee: - 02:21:00:fb:f5:72:b6:cc:6c:92:d6:38:68:01:c5:ab:cb:9b: - d7:dc:cc:bb:6f:38:4e:1b:85:7d:d7:9c:a4:ed:b8:29:c8 + 30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e: + ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d: + 36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0: + 01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b -----BEGIN CERTIFICATE----- -MIIC1zCCAn2gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO +MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk -AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTQyNzI2WhcNMjgxMTE0MTQyNzI2WjCBsDEL +AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz -bC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMFkwEwYHKoZIzj0CAQYIKoEc -z1UBgi0DQgAElHArRuReD0H7jy00CkFAGV771B0RrPr1kzfG+ocI9xYfLM4wQJ1P -pioKodaVM8OmA5jmjQU0sJcM3qTHz1OP0aOBiTCBhjAdBgNVHQ4EFgQUZ65g/34b -D5WuH4JZ8mxWLZPvFzIwHwYDVR0jBBgwFoAURwpIfrsCqFomVysZqXthi39dmW4w -DAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUH -AwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqBHM9VAYN1A0gAMEUCIAcR5GRCWit0 -HX27gTN//Vy9k/VzCfwjWsT2lPxNatruAiEA+/VytsxsktY4aAHFq8ub19zMu284 -ThuFfdecpO24Kcg= +bC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMFowFAYIKoEcz1UBgi0GCCqB +HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd +T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+ +Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu +MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF +BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/ +HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH +3SjGx0f/1tyw4TbMOw== -----END CERTIFICATE----- diff --git a/certs/sm2/server-sm2.pem b/certs/sm2/server-sm2.pem index eb8d804829..ecb96ac2ee 100644 --- a/certs/sm2/server-sm2.pem +++ b/certs/sm2/server-sm2.pem @@ -5,11 +5,11 @@ Certificate: Signature Algorithm: SM2-with-SM3 Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 18 14:27:26 2026 GMT - Not After : Nov 14 14:27:26 2028 GMT + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey + Public Key Algorithm: sm2 Public-Key: (256 bit) pub: 04:94:70:2b:46:e4:5e:0f:41:fb:8f:2d:34:0a:41: @@ -33,27 +33,27 @@ Certificate: SSL Server Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:07:11:e4:64:42:5a:2b:74:1d:7d:bb:81:33:7f: - fd:5c:bd:93:f5:73:09:fc:23:5a:c4:f6:94:fc:4d:6a:da:ee: - 02:21:00:fb:f5:72:b6:cc:6c:92:d6:38:68:01:c5:ab:cb:9b: - d7:dc:cc:bb:6f:38:4e:1b:85:7d:d7:9c:a4:ed:b8:29:c8 + 30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e: + ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d: + 36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0: + 01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b -----BEGIN CERTIFICATE----- -MIIC1zCCAn2gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO +MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk -AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTQyNzI2WhcNMjgxMTE0MTQyNzI2WjCBsDEL +AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz -bC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMFkwEwYHKoZIzj0CAQYIKoEc -z1UBgi0DQgAElHArRuReD0H7jy00CkFAGV771B0RrPr1kzfG+ocI9xYfLM4wQJ1P -pioKodaVM8OmA5jmjQU0sJcM3qTHz1OP0aOBiTCBhjAdBgNVHQ4EFgQUZ65g/34b -D5WuH4JZ8mxWLZPvFzIwHwYDVR0jBBgwFoAURwpIfrsCqFomVysZqXthi39dmW4w -DAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwEwYDVR0lBAwwCgYIKwYBBQUH -AwEwEQYJYIZIAYb4QgEBBAQDAgZAMAoGCCqBHM9VAYN1A0gAMEUCIAcR5GRCWit0 -HX27gTN//Vy9k/VzCfwjWsT2lPxNatruAiEA+/VytsxsktY4aAHFq8ub19zMu284 -ThuFfdecpO24Kcg= +bC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xmU1NMMFowFAYIKoEcz1UBgi0GCCqB +HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd +T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+ +Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu +MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF +BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/ +HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH +3SjGx0f/1tyw4TbMOw== -----END CERTIFICATE----- Certificate: Data: @@ -62,11 +62,11 @@ Certificate: Signature Algorithm: SM2-with-SM3 Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 18 14:27:26 2026 GMT - Not After : Nov 14 14:27:26 2028 GMT + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey + Public Key Algorithm: sm2 Public-Key: (256 bit) pub: 04:21:92:f7:cb:24:df:64:4d:ba:ab:66:7b:83:75: @@ -86,23 +86,23 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:46:02:21:00:ba:6b:14:b0:ef:08:bf:4c:32:63:62:2e:e1: - 5d:04:d9:45:04:79:c9:bf:9a:93:9f:05:44:f5:e6:33:64:b4: - 7e:02:21:00:e3:17:fe:87:35:30:f2:3b:ab:16:2d:5e:30:76: - 42:4e:cc:85:96:b9:2f:af:55:00:a5:4f:43:7c:13:54:3f:4f + 30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25: + 9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f: + 9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69: + bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5 -----BEGIN CERTIFICATE----- -MIICljCCAjugAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO +MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu -Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE0 -MjcyNloXDTI4MTExNDE0MjcyNlowgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3 +NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm -U1NMMFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEIZL3yyTfZE26q2Z7g3WpKef/ -ZGO21UKAIL3i4gISO460AJUJgMtW7UvKjVfmrgXTdidjcTmJt2nmSICu0alIEqNj -MGEwHQYDVR0OBBYEFEcKSH67AqhaJlcrGal7YYt/XZluMB8GA1UdIwQYMBaAFDQd -eUQVeaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgGGMAoGCCqBHM9VAYN1A0kAMEYCIQC6axSw7wi/TDJjYi7hXQTZRQR5yb+ak58F -RPXmM2S0fgIhAOMX/oc1MPI7qxYtXjB2Qk7MhZa5L69VAKVPQ3wTVD9P +U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn +/2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj +YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0 +HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV +9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ== -----END CERTIFICATE----- From 7248ca359260a093d94d45ffc03dfe2f27e220c9 Mon Sep 17 00:00:00 2001 From: Andrew Hutchings Date: Wed, 18 Feb 2026 18:01:15 +0000 Subject: [PATCH 9/9] Add SM2 to renewcerts.sh --- certs/renewcerts.sh | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index ddce238992..8745770ab9 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -768,6 +768,16 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate SM2 certificates ####################### + ############################################################ + echo "Renewing SM2 certificates" + cd sm2 + ./gen-sm2-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ########## update Raw Public Key certificates ############## ############################################################