2020-04-16 06:40:10

by Tianjia Zhang

[permalink] [raw]
Subject: Re: [PATCH v2 0/7] crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm



On 2020/4/16 14:01, Herbert Xu wrote:
> On Thu, Apr 02, 2020 at 08:34:57PM +0800, Tianjia Zhang wrote:
>> Hello all,
>>
>> This new module implement the OSCCA certificate and SM2 public key
>> algorithm. It was published by State Encryption Management Bureau, China.
>> List of specifications for OSCCA certificate and SM2 elliptic curve
>> public key cryptography:
>>
>> * GM/T 0003.1-2012
>> * GM/T 0003.2-2012
>> * GM/T 0003.3-2012
>> * GM/T 0003.4-2012
>> * GM/T 0003.5-2012
>> * GM/T 0015-2012
>> * GM/T 0009-2012
>>
>> IETF: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
>> oscca: http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
>> scctc: http://www.gmbz.org.cn/main/bzlb.html
>>
>> These patchs add the OID object identifier defined by OSCCA. The
>> x509 certificate supports sm2-with-sm3 type certificate parsing
>> and verification.
>
> I don't have any objections to the crypto API bits, but obviously
> this is contingent on the x509 bits getting accepted since that's
> the only in-kernel user. So can I see some acks on that please?
>
> Thanks,
>

Thanks for Herbert's reply. At present, the latest mainline openssl can
generate SM2-with-SM3 certificates. I also provide commands for
generating certificates and a test certificate in PEM format.

``` bash
#!/bin/bash

if [ ! -f openssl.cnf ]; then
cat > openssl.cnf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_req

[ req_distinguished_name ]
O = Test
OU = Test
CN = Test key
emailAddress = [email protected]

[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
fi

openssl ecparam -genkey -name SM2 -text -out private.pem

openssl req -new \
-key private.pem \
-out csr.pem \
-sm3 -sigopt "distid:1234567812345678" \
-subj
"/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=hello/[email protected]"

openssl ecparam -genkey -name SM2 -text -out ca.key

openssl req -new \
-x509 -days 3650 \
-sm3 -sigopt "distid:1234567812345678" \
-key ca.key \
-out ca.crt \
-subj "/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=ca/[email protected]"

openssl x509 -req -days 3650 \
-sm3 \
-sigopt "distid:1234567812345678" \
-vfyopt "distid:1234567812345678" \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile openssl.cnf -extensions v3_req \
-in csr.pem \
-out cert.pem

openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in cert.pem -outform DER -out cert.der
```

The following content is the CA certificate and the signed SM2-with-SM3
certificate generated by the above command, both in PEM format.

-----BEGIN CERTIFICATE-----
MIICLjCCAdWgAwIBAgIUEoozP6LzMYWh4gCpcWlzsUyfgsIwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBt
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzELMAkGA1UEAwwCY2ExGzAZBgkqhkiG9w0BCQEW
DGNhQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMTGRiHezKm5
MiKHlyfa5Bv5jLxge/WRRG0nLNsZx1yf0XQTQBR/tFFjPGePEr7+Fa1CPgYpXExx
i44coYMmQT6jUzBRMB0GA1UdDgQWBBSjd9GWIe98Ll9J0dquxgCktp9DrTAfBgNV
HSMEGDAWgBSjd9GWIe98Ll9J0dquxgCktp9DrTAPBgNVHRMBAf8EBTADAQH/MAoG
CCqBHM9VAYN1A0cAMEQCIAvLWIfGFq85u/vVMLc5H1D/DnrNS0VhSkQA4daRO4tc
AiABbeWENcQZDZLWTuqG9P2KDPOoNqV/QV/+0XjMAVblhg==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIICPzCCAeWgAwIBAgIUIaawP5HQDi5kTruyhLudFfeQ7uwwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBz
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzEOMAwGA1UEAwwFaGVsbG8xHjAcBgkqhkiG9w0B
CQEWD2hlbGxvQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABI6g
M2mRfj3srY7wRV4TPmhbjKtcxshQ35EA4CRzTTHyLsDVa+7amJPs2Daquc9jgu+n
GgPtFrp0uIv55XA5pHCjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0G
A1UdDgQWBBQ76UB0skz7y4ic5V/PIWFLZ5XoDDAfBgNVHSMEGDAWgBSjd9GWIe98
Ll9J0dquxgCktp9DrTAKBggqgRzPVQGDdQNIADBFAiEA25WAmaN7g7M26lwMad4H
AeO8YNSBOcHKc8AfCdYSS88CIBJji4xRm+wXCR9qkXj4g8HVhaYpvwlMukk9EYxw
09gJ
-----END CERTIFICATE-----


The following is the certificate information of SM2-with-SM3, the
following command output:
`openssl x509 -in cert.pem -noout -text`

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
21:a6:b0:3f:91:d0:0e:2e:64:4e:bb:b2:84:bb:9d:15:f7:90:ee:ec
Signature Algorithm: SM2-with-SM3
Issuer: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN = ca,
emailAddress = [email protected]
Validity
Not Before: Apr 15 11:54:07 2020 GMT
Not After : Apr 13 11:54:07 2030 GMT
Subject: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN =
hello, emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8e:a0:33:69:91:7e:3d:ec:ad:8e:f0:45:5e:13:
3e:68:5b:8c:ab:5c:c6:c8:50:df:91:00:e0:24:73:
4d:31:f2:2e:c0:d5:6b:ee:da:98:93:ec:d8:36:aa:
b9:cf:63:82:ef:a7:1a:03:ed:16:ba:74:b8:8b:f9:
e5:70:39:a4:70
ASN1 OID: SM2
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
3B:E9:40:74:B2:4C:FB:CB:88:9C:E5:5F:CF:21:61:4B:67:95:E8:0C
X509v3 Authority Key Identifier:
A3:77:D1:96:21:EF:7C:2E:5F:49:D1:DA:AE:C6:00:A4:B6:9F:43:AD
Signature Algorithm: SM2-with-SM3
Signature Value:
30:45:02:21:00:db:95:80:99:a3:7b:83:b3:36:ea:5c:0c:69:
de:07:01:e3:bc:60:d4:81:39:c1:ca:73:c0:1f:09:d6:12:4b:
cf:02:20:12:63:8b:8c:51:9b:ec:17:09:1f:6a:91:78:f8:83:
c1:d5:85:a6:29:bf:09:4c:ba:49:3d:11:8c:70:d3:d8:09



If additional information is needed, I can provide it.

Thanks and best,
Tianjia