? ? ? ? 1、首先使用gmssl命令生成根證書、客戶端公私鑰,然后使用根證書簽發客戶端證書;
? ? ? ? 2、然后編寫代碼完成認證功能,使用根證書驗證客戶端證書是否由自己簽發,然后使用客戶端證書驗證客戶端私鑰對隨機數的簽名是否正確。
? ? ? ? 第一部分生成根證書和客戶端證書的命令:
# 生成私鑰,用于生成根證書
# gmssl 3.1.1要求必須使用密碼加密私鑰
gmssl sm2keygen -pass 123456 -out root.key# 生成自簽名根證書
gmssl certgen \-C CN \-ST Beijing \-L Beijing \-O MyCA \-OU RootCA \-CN RootCA \-days 3650 \-key root.key \-pass 123456 \-key_usage keyCertSign \-out root.crt# 生成客戶端公私鑰
gmssl sm2keygen -pass 123456 -out client.key# 生成客戶端證書請求(CSR)
gmssl reqgen \-C CN \-ST Beijing \-L Beijing \-O MyClient \-OU Client \-CN client.example.com \-key client.key \-pass 123456 \-out client.csr# 簽發客戶端證書
gmssl reqsign \-in client.csr \-days 3650 \-key_usage digitalSignature \-cacert root.crt \-key root.key \-pass 123456 \-out client.crt? ? ? ? 第二部分進行客戶端證書認證和簽名驗簽的代碼:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gmssl/x509.h>
#include <gmssl/sm2.h>
#include <gmssl/sm3.h>
#include <gmssl/pem.h>
#include <gmssl/error.h>
#include <gmssl/base64.h>#define ROOT_CERT_FILE "root.crt"
#define CLIENT_CERT_FILE "client.crt"
#define CLIENT_KEY_FILE "client.key"
#define ROOT_KEY_FILE "root.key"
#define DATA_TO_SIGN "This is the data to sign."// 讀取加密的SM2私鑰(PKCS#8 PEM),解密并導入SM2_KEY
int load_encrypted_sm2_private_key(const char *filename, const char *password, SM2_KEY *key) {FILE *fp = fopen(filename, "r");if (!fp) {perror(filename);return -1;}if (sm2_private_key_info_decrypt_from_pem(key, password, fp) != 1) {fprintf(stderr, "Failed to decrypt/load private key: %s\n", filename);fclose(fp);return -1;}fclose(fp);return 0;
}int main(void) {uint8_t root_cert[4096], client_cert[4096];size_t root_cert_len = 0, client_cert_len = 0;SM2_KEY client_key, client_pubkey;uint8_t dgst[32];uint8_t sig[SM2_MAX_SIGNATURE_SIZE];size_t siglen = 0;int ret = 1;// 1. 讀取根證書FILE *fp = fopen(ROOT_CERT_FILE, "r");if (!fp) {perror("open root.crt");return 1;}if (x509_cert_from_pem(root_cert, &root_cert_len, sizeof(root_cert), fp) != 1) {fprintf(stderr, "Failed to load root certificate\n");fclose(fp);return 1;}fclose(fp);// 2. 讀取客戶端證書fp = fopen(CLIENT_CERT_FILE, "r");if (!fp) {perror("open client.crt");return 1;}if (x509_cert_from_pem(client_cert, &client_cert_len, sizeof(client_cert), fp) != 1) {fprintf(stderr, "Failed to load client certificate\n");fclose(fp);return 1;}fclose(fp);// 3. 驗證客戶端證書if (x509_cert_verify_by_ca_cert(client_cert, client_cert_len, root_cert,root_cert_len, SM2_DEFAULT_ID, SM2_DEFAULT_ID_LENGTH) != 1) {fprintf(stderr, "Client certificate verify failed\n");goto end;}printf("Client certificate verified successfully.\n");// 4. 讀取加密的客戶端私鑰(需要口令)char client_pass[7] = {0x31,0x32,0x33,0x34,0x35,0x36,0x00};if (load_encrypted_sm2_private_key(CLIENT_KEY_FILE, client_pass, &client_key) != 0) {fprintf(stderr, "Failed to load client private key\n");goto end;}// 5. 計算數據摘要const uint8_t *data = (const uint8_t *)DATA_TO_SIGN;size_t data_len = strlen(DATA_TO_SIGN);sm3_digest(data, data_len, dgst);// 6. 簽名if (sm2_sign(&client_key, dgst, sig, &siglen) != 1) {fprintf(stderr, "SM2 sign failed\n");goto end;}printf("Data signed successfully.\nSignature: ");for (size_t i = 0; i < siglen; i++) printf("%02x", sig[i]);printf("\n");// 7. 從證書中提取公鑰if (x509_cert_get_subject_public_key(client_cert, client_cert_len, &client_pubkey) != 1) {fprintf(stderr, "Failed to extract public key from client certificate\n");goto end;}// 8. 驗簽if (sm2_verify(&client_pubkey, dgst, sig, siglen) != 1) {fprintf(stderr, "Signature verification failed\n");goto end;}printf("Signature verified successfully.\n");ret = 0;end://sm2_key_cleanup(&client_key);//sm2_key_cleanup(&client_pubkey);return ret;
}? ? ? ? 在centos7平臺使用GmSSL V3.1.1親測可行。
)
)
:頻域中的拉普拉斯算子)
![題解:P12207 [藍橋杯 2023 國 Python B] 劃分](http://pic.xiahunao.cn/題解:P12207 [藍橋杯 2023 國 Python B] 劃分)