Re: [PATCH v2 0/7] crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm
From: Tianjia Zhang
Date: Thu Apr 16 2020 - 02:38:47 EST
On 2020/4/16 14:01, Herbert Xu wrote:
On Thu, Apr 02, 2020 at 08:34:57PM +0800, Tianjia Zhang wrote:
Hello all,
This new module implement the OSCCA certificate and SM2 public key
algorithm. It was published by State Encryption Management Bureau, China.
List of specifications for OSCCA certificate and SM2 elliptic curve
public key cryptography:
* GM/T 0003.1-2012
* GM/T 0003.2-2012
* GM/T 0003.3-2012
* GM/T 0003.4-2012
* GM/T 0003.5-2012
* GM/T 0015-2012
* GM/T 0009-2012
IETF: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
oscca: http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
scctc: http://www.gmbz.org.cn/main/bzlb.html
These patchs add the OID object identifier defined by OSCCA. The
x509 certificate supports sm2-with-sm3 type certificate parsing
and verification.
I don't have any objections to the crypto API bits, but obviously
this is contingent on the x509 bits getting accepted since that's
the only in-kernel user. So can I see some acks on that please?
Thanks,
Thanks for Herbert's reply. At present, the latest mainline openssl can
generate SM2-with-SM3 certificates. I also provide commands for
generating certificates and a test certificate in PEM format.
``` bash
#!/bin/bash
if [ ! -f openssl.cnf ]; then
cat > openssl.cnf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_req
[ req_distinguished_name ]
O = Test
OU = Test
CN = Test key
emailAddress = test@xxxxxxx
[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
fi
openssl ecparam -genkey -name SM2 -text -out private.pem
openssl req -new \
-key private.pem \
-out csr.pem \
-sm3 -sigopt "distid:1234567812345678" \
-subj
"/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=hello/emailAddress=hello@xxxxxxxxx"
openssl ecparam -genkey -name SM2 -text -out ca.key
openssl req -new \
-x509 -days 3650 \
-sm3 -sigopt "distid:1234567812345678" \
-key ca.key \
-out ca.crt \
-subj "/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=ca/emailAddress=ca@xxxxxxxxx"
openssl x509 -req -days 3650 \
-sm3 \
-sigopt "distid:1234567812345678" \
-vfyopt "distid:1234567812345678" \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile openssl.cnf -extensions v3_req \
-in csr.pem \
-out cert.pem
openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in cert.pem -outform DER -out cert.der
```
The following content is the CA certificate and the signed SM2-with-SM3
certificate generated by the above command, both in PEM format.
-----BEGIN CERTIFICATE-----
MIICLjCCAdWgAwIBAgIUEoozP6LzMYWh4gCpcWlzsUyfgsIwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBt
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzELMAkGA1UEAwwCY2ExGzAZBgkqhkiG9w0BCQEW
DGNhQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMTGRiHezKm5
MiKHlyfa5Bv5jLxge/WRRG0nLNsZx1yf0XQTQBR/tFFjPGePEr7+Fa1CPgYpXExx
i44coYMmQT6jUzBRMB0GA1UdDgQWBBSjd9GWIe98Ll9J0dquxgCktp9DrTAfBgNV
HSMEGDAWgBSjd9GWIe98Ll9J0dquxgCktp9DrTAPBgNVHRMBAf8EBTADAQH/MAoG
CCqBHM9VAYN1A0cAMEQCIAvLWIfGFq85u/vVMLc5H1D/DnrNS0VhSkQA4daRO4tc
AiABbeWENcQZDZLWTuqG9P2KDPOoNqV/QV/+0XjMAVblhg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICPzCCAeWgAwIBAgIUIaawP5HQDi5kTruyhLudFfeQ7uwwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBz
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzEOMAwGA1UEAwwFaGVsbG8xHjAcBgkqhkiG9w0B
CQEWD2hlbGxvQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABI6g
M2mRfj3srY7wRV4TPmhbjKtcxshQ35EA4CRzTTHyLsDVa+7amJPs2Daquc9jgu+n
GgPtFrp0uIv55XA5pHCjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0G
A1UdDgQWBBQ76UB0skz7y4ic5V/PIWFLZ5XoDDAfBgNVHSMEGDAWgBSjd9GWIe98
Ll9J0dquxgCktp9DrTAKBggqgRzPVQGDdQNIADBFAiEA25WAmaN7g7M26lwMad4H
AeO8YNSBOcHKc8AfCdYSS88CIBJji4xRm+wXCR9qkXj4g8HVhaYpvwlMukk9EYxw
09gJ
-----END CERTIFICATE-----
The following is the certificate information of SM2-with-SM3, the
following command output:
`openssl x509 -in cert.pem -noout -text`
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
21:a6:b0:3f:91:d0:0e:2e:64:4e:bb:b2:84:bb:9d:15:f7:90:ee:ec
Signature Algorithm: SM2-with-SM3
Issuer: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN = ca,
emailAddress = ca@xxxxxxxxx
Validity
Not Before: Apr 15 11:54:07 2020 GMT
Not After : Apr 13 11:54:07 2030 GMT
Subject: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN =
hello, emailAddress = hello@xxxxxxxxx
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8e:a0:33:69:91:7e:3d:ec:ad:8e:f0:45:5e:13:
3e:68:5b:8c:ab:5c:c6:c8:50:df:91:00:e0:24:73:
4d:31:f2:2e:c0:d5:6b:ee:da:98:93:ec:d8:36:aa:
b9:cf:63:82:ef:a7:1a:03:ed:16:ba:74:b8:8b:f9:
e5:70:39:a4:70
ASN1 OID: SM2
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
3B:E9:40:74:B2:4C:FB:CB:88:9C:E5:5F:CF:21:61:4B:67:95:E8:0C
X509v3 Authority Key Identifier:
A3:77:D1:96:21:EF:7C:2E:5F:49:D1:DA:AE:C6:00:A4:B6:9F:43:AD
Signature Algorithm: SM2-with-SM3
Signature Value:
30:45:02:21:00:db:95:80:99:a3:7b:83:b3:36:ea:5c:0c:69:
de:07:01:e3:bc:60:d4:81:39:c1:ca:73:c0:1f:09:d6:12:4b:
cf:02:20:12:63:8b:8c:51:9b:ec:17:09:1f:6a:91:78:f8:83:
c1:d5:85:a6:29:bf:09:4c:ba:49:3d:11:8c:70:d3:d8:09
If additional information is needed, I can provide it.
Thanks and best,
Tianjia