PEM PFX
#PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
编译GmSSL
OPENSSL=gmssl2
PATH=/app/$OPENSSL/bin/:$PATH
./config shared --prefix=/app/$OPENSSL --openssldir=/app/$OPENSSL -Wl,-rpath,/app/$OPENSSL/lib -Wl,-rpath,/app/$OPENSSL/lib64 && make clean && make -j8 && sudo make install
/app/$OPENSSL/bin/openssl ciphers -V 'ALL:COMPLEMENTOFALL'
# 安装 openssl 3.0.0
OPENSSL=openssl-3.0
PATH=/app/$OPENSSL/bin/:$PATH
chmod 755 config Configure
./config shared --prefix=/app/$OPENSSL --openssldir=/app/$OPENSSL -Wl,-rpath,/app/$OPENSSL/lib -Wl,-rpath,/app/$OPENSSL/lib64
make clean && make -j8 && sudo make install
/app/$OPENSSL/bin/openssl ciphers -V 'ALL:COMPLEMENTOFALL'
# 安装 gmssl 3.0-dev
OPENSSL=gmssl-3.0
mkdir -p build
cd build
make clean
cmake .. -DCMAKE_INSTALL_PREFIX:PATH=/app/$OPENSSL
make clean && make -j8 && sudo make all install
./config shared --prefix=/app/$OPENSSL --openssldir=/app/$OPENSSL -Wl,-rpath,/app/$OPENSSL/lib -Wl,-rpath,/app/$OPENSSL/lib64
make clean && make -j8 && sudo make install
/app/$OPENSSL/bin/openssl ciphers -V 'ALL:COMPLEMENTOFALL'
制作自签名证书
# DEV CA ECC
openssl ecparam -list_curves
/app/openssl-3.0/bin/openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 36600 -out Rootecc.crt -keyout Rootecc.key -subj "/CN=DEV CA ECC R1/ST=CA/L=CA/O=CA/OU=CA/C=CA"
/app/openssl-3.0/bin/openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 36600 -out OCAecc.crt -keyout OCAecc.key -subj "/CN=DEV CA ECC OCA R1/ST=CA/L=CA/O=CA/OU=CA/C=CA" -CA Rootecc.crt -CAkey Rootecc.key
/app/openssl-3.0/bin/openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -x509 -nodes -days 36600 -out Serverecc.crt -keyout Serverecc.key -subj "/CN=DEV ECC /ST=CA/L=CA/O=CA/OU=CA/C=CA" -CA OCAecc.crt -CAkey OCAecc.key -addext "subjectAltName = DNS:localhost,IP:127.0.0.1,IP:169.254.16.1,IP:1.2.3.4"
cat OCAecc.crt >> Serverecc.crt
# 查看 证书
/app/openssl-3.0/bin/openssl x509 -in Serverecc.crt -text
gmssl ecparam -genkey -name sm2p256v1 -text -out SM2CA.key
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
openssl x509 -req -days 36600 -in dev-ecc.csr -signkey dev-ecc.key -out dev-ecc.crt
export PATH=/app/gmssl2/bin:$PATH
gmssl version
gmssl ecparam -genkey -name sm2p256v1 -out SM2Root.key
# gmssl 2.5.4 with 1.1.0, not support -addext basicConstraints=critical,CA:TRUE,pathlen:1
## 直接根据私钥生成根证书 SM2Root.crt
gmssl req -x509 -sm3 -days 9650 -key SM2Root.key -out SM2Root.crt -subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=CA"
## 先生成CSR,再生成根证书 SM2Root2.crt
gmssl req -new -key SM2Root.key -out SM2Root.csr -subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=CA"
gmssl x509 -req -days 9651 -in SM2Root.csr -signkey SM2Root.key -out SM2Root2.crt
# 查看 证书
gmssl x509 -in SM2Root.crt -text
# 生成二级CA
gmssl ecparam -genkey -name sm2p256v1 -text -out SM2CA.key
gmssl req -new -key SM2CA.key -out SM2CA.csr -subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=CA"
gmssl x509 -req -days 9999 -in SM2CA.csr -CA SM2Root.crt -CAkey SM2Root.key -CAcreateserial -out SM2CA.crt
# 生成服务器证书
gmssl ecparam -genkey -name sm2p256v1 -text -out sm2server.key
# gmssl not support -addext "subjectAltName = DNS:localhost,IP:192.168.0.1"
gmssl req -x509 -sm3 -days 9650 -key sm2server.key -out sm2server.crt -subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=SM2"
# 查看 证书
gmssl x509 -in sm2server.crt -text
# 没有生成 GM/T 0010 国密P7,生成的是 RFC RSA P7, OID 为 1 2 840 113549 1 7 2
echo 1234 > msg.txt
gmssl smime -sign -signer sm2server.crt -inkey sm2server.key -in msg.txt -outform PEM -out msg.txt.p7 -nodetach
# 查看 p7 结构、格式 内容
gmssl pkcs7 -text -print -in msg.txt.p7
openssl pkcs7 -print -in ~/sm2/sm2.p7
# CentOS 导入根证书
cp ROOT.crt /etc/pki/ca-trust/source/anchors/ && /bin/update-ca-trust
# 查看linux 根证书清单
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-bundle.crt # centos
awk -v cmd='openssl x509 -noout -subject' ' /BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
# 把 PEM 导出到 pfx
openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
https://certlogik.com/decoder/ 验证, OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 还是 RSA 类型的 P7 格式, GM/T 0010 国密P7的 OID 应该为 1.2.156.10197.6.1.4.2.2
# 验签 RSA P7
openssl smime -verify -inform pem -in p2.txt
# 验签 RSA P7
/app/gmssl-2.5/bin/gmssl smime -verify -CAfile /etc/ssl/certs/ca-bundle.crt -inform pem -in p7.txt
openssl 3.0 gmssl 2.5 验签 国密 p7 报错:
/app/openssl-3.0/bin/openssl smime -CAfile /etc/ssl/certs/ca-bundle.crt -no_check_time -verify -inform pem -in /root/sm2ca/sm2.p7
Verification failure
4037671CB27F0000:error:10800071:PKCS7 routines:(unknown function):wrong content type:crypto/pkcs7/pk7_smime.c:232:
/app/gmssl-2.5/bin/gmssl smime -CAfile /etc/ssl/certs/ca-bundle.crt -no_check_time -verify -inform pem -in /root/sm2ca/sm2.p7
Verification failure
139755985131328:error:21075071:PKCS7 routines:PKCS7_verify:wrong content type:crypto/pkcs7/pk7_smime.c:274:
/app/BabaSSL-8.2.0/bin/openssl smime -CAfile /etc/ssl/certs/ca-bundle.crt -no_check_time -verify -inform pem -in /root/sm2ca/sm2.p7
Verification failure
140550913554240:error:21075071:PKCS7 routines:PKCS7_verify:wrong content type:crypto/pkcs7/pk7_smime.c:223:
/app/TASSL/bin/openssl smime -CAfile /etc/ssl/certs/ca-bundle.crt -no_check_time -verify -inform pem -in /root/sm2ca/sm2.p7
amtg(]i
Verification failure
140572523964224:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1373:
140572523964224:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353:
实现
BabaSSL
# 安装
OPENSSL=BabaSSL-8.2.1
OPENSSL=openssl
PATH=/app/$OPENSSL/bin/:$PATH
./config shared --prefix=/app/$OPENSSL --openssldir=/app/$OPENSSL -Wl,-rpath,/app/$OPENSSL/lib
make -j8 && sudo make install
/app/$OPENSSL/bin/openssl ciphers -V 'ALL:COMPLEMENTOFALL'
# 查看版本
openssl version
BabaSSL 8.2.0-dev
OpenSSL 1.1.1h-dev xx XXX xxxx
# 生成 私钥
openssl ecparam -genkey -name SM2 -out sm2.key
# 生成 公钥
openssl ec -in sm2.key -pubout -out sm2.pubkey
# 交互式生成 CSR
openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "sm2_id:1234567812345678"
# 非交互式生成 CSR
openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "sm2_id:1234567812345678" \
-subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=CA"
# OpenSSL 使用 SM2 结合 sha256签名
openssl dgst -sha256 -sign sm2.key -out sm2-sha256.sig sign.data
# OpenSSL 使用 SM2 结合 SM3 签名
openssl dgst -sm3 -sign sm2.key -out sm2-sm3.sig sign.data
# OpenSSL 使用 SM2 结合 sha256 验签
openssl dgst -sha256 -verify sm2.pubkey -signature sm2-sha256.sig sign.data
Verified OK
# OpenSSL 使用 SM2 结合 SM3 验签
openssl dgst -SM3 -verify sm2.pubkey -signature sm2-sm3.sig sign.data
Verified OK
# pfx to pem bundle
pfx=filename.pfx
# openssl pkcs12 -in $pfx -nodes -out cert.crt
# We can extract the private key form a PFX to a PEM file with this command:
# openssl pkcs12 -in $pfx -nocerts -out key.pem
#Exporting the certificate only:
# openssl pkcs12 -in $pfx -clcerts -nokeys -out cert.pem
# Removing the password from the extracted private key:
# openssl rsa -in key.pem -out cert.key
# print crt info
openssl x509 -in cert.crt -text -noout
tar zxfv BabaSSL-8.2.1.tar.gz -C /usr/local/
# install BaBaSSL
# openresty with BabaSSL
cd openresty-1.19.9.1
./configure --with-openssl=/usr/local/BabaSSL-8.2.1
make -j8 && sudo make install
# lua-openssl with openresty
# openssl.pc source dir
make clean
export PKG_CONFIG_PATH=/usr/local/BabaSSL-8.2.1
make LUA_CFLAGS=-I/usr/local/openresty/luajit/include/luajit-2.1
cp openssl.so /usr/local/openresty/lualib/
make clean && make LUA_CFLAGS=-I/app/nginx/luajit/include/luajit-2.1 OPENSSL_CFLAGS=-I/app/openssl-3.0.0/include
cp openssl.so /app/nginx/luajit/lib/lua/5.1/
现状: babassl 8.2.1 可以使用 sm2 证书生成RFC规范的pkcs7 签名,但是不属于国标。不能通过验签。
理论上可以参考下面的连接进行构造 asn.1 的结构,达到国标。
https://blog.csdn.net/lt4959/article/details/112317252
https://blog.csdn.net/lt4959/article/details/112531889
RFC8998
国密 SM2 曲线的标准号:curveSM2(41)
基于 SM2 及 SM3 的签名算法标准号:sm2sig_sm3(0x0708)
TLS_SM4_GCM_SM3(0x00,0xC6)
TLS_SM4_CCM_SM3(0x00,0xC7)
## OID
结构讲解 https://blog.csdn.net/lt4959/article/details/112317252
RFC定义的oid如下:
数据类型data 1 2 840 113549 1 7 1
签名数据类型signedData 1 2 840 113549 1 7 2
数字信封数据类型envelopedData 1 2 840 113549 1 7 3
签名及数字信封数据类型signedAndEnvelopedData 1 2 840 113549 1 7 4
摘要数据类型digestData 1 2 840 113549 1 7 5
加密数据类型encryptedData 1 2 840 113549 1 7 6
国密标准GM/T 0010定义的oid如下:
数据类型data 1.2.156.10197.6.1.4.2.1
签名数据类型signedData 1.2.156.10197.6.1.4.2.2
数字信封数据类型envelopedData 1.2.156.10197.6.1.4.2.3
签名及数字信封数据类型signedAndEnvelopedData 1.2.156.10197.6.1.4.2.4
加密数据类型encryptedData 1.2.156.10197.6.1.4.2.5
密钥协商类型keyAgreementInfo 1.2.156.10197.6.1.4.2.6
对象标识符OID 对象标识符定义 GmSSL/OpenSSL中NID
1.2.840.113549.1.7.1 数据类型data NID_pkcs7_data
1.2.840.113549.1.7.2 签名数据类型signedData NID_pkcs7_signed
1.2.840.113549.1.7.3 数字信封数据类型envelopedData NID_pkcs7_enveloped
1.2.840.113549.1.7.4 签名及数字信封数据类型signedAndEnvelopedData NID_pkcs7_signedAndEnveloped
1.2.840.113549.1.7.5 摘要数据类型digestData NID_pkcs7_digest
1.2.840.113549.1.7.6 加密数据类型encryptedData NID_pkcs7_encrypted
对象标识符OID 对象标识符定义 GmSSL/OpenSSL中NID
1.2.156.10197.6.1.4.2 SM2密码算法加密签名消息语法规范 无
1.2.156.10197.6.1.4.2.1 数据类型data 无
1.2.156.10197.6.1.4.2.2 签名数据类型signedData 无
1.2.156.10197.6.1.4.2.3 数字信封数据类型envelopedData 无
1.2.156.10197.6.1.4.2.4 签名及数据信封数据类型signedAndEnvelopedData 无
1.2.156.10197.6.1.4.2.5 加密数据类型encrypedData 无
1.2.156.10197.6.1.4.2.6 密钥协商类型keyAgreementInfo
无
摘要算法 1.2.156.10197.1.401对应SM3 Hash Algorithm
签署算法 1.2.156.10197.1.301.1对应SM2-1 Digital Siganture Algorithm
https://certlogik.com/decoder/
这个网站可以解码RFC的PKCS7证书,无法解码国密pkcs7证书。可以分析RFC和国密的asn.1 结构。
https://blog.csdn.net/weixin_42683223/article/details/114283152
增加 oid 的方法
https://blog.csdn.net/wojiushiwoba/article/details/79480737
方法2:
1. 直接在crypto/objects/objects.txt文件中增加自己要增加的对象标识符OID,具体如何添加参考此文件内容;
2. 回到openssl的根目录,重新配置openssl,即运行./config命令,此命令根据自己的实际情况添加参数;
3. make update
4. 查看修改前后是否都添加好。
https://github.com/guanzhi/gmssl-v3-dev/blob/main/tests/cmstest.c#L314
https://github.com/guanzhi/gmssl-v3-dev/blob/d5258bc761fad28c03e0fa90cb8ccdfc5b56d649/src/cms.c#L1101
# openssl 3.0.0
yum install perl-IPC-Cmd
OPENSSL=openssl-3.0.0
PATH=/app/$OPENSSL/bin/:$PATH
./config shared --prefix=/app/$OPENSSL --openssldir=/app/$OPENSSL -Wl,-rpath,/app/$OPENSSL/lib
make clean && make -j8 && sudo make install
/app/$OPENSSL/bin/openssl ciphers -V 'ALL:COMPLEMENTOFALL'
# openssl sign rsa p7
openssl smime -sign -signer rsa2.crt -inkey rsa2.key -in msg.txt -outform PEM -out msg.txt.p7 -nodetach
-----BEGIN PKCS7-----
MIIG6wYJKoZIhvcNAQcCoIIG3DCCBtgCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggQ0MIIEMDCCAxigAwIBAgIIMwAAAAgQMQQwDQYJKoZIhvcNAQEL
BQAwXTELMAkGA1UEBhMCQ04xMDAuBgNVBAoMJ0NoaW5hIEZpbmFuY2lhbCBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTEcMBoGA1UEAwwTQ0ZDQSBBQ1MgVEVTVCBPQ0Ez
MzAeFw0yMTA3MjgxMzE3MzJaFw0yMTA3MjgxNTU5NTlaMIGPMQswCQYDVQQGEwJD
TjEYMBYGA1UECgwPQ0ZDQSBURVNUIE9DQTMzMQwwCgYDVQQLDANDU0cxGTAXBgNV
BAsMEE9yZ2FuaXphdGlvbmFsLTExPTA7BgNVBAMMNDA1MUDljZfmlrnnlLXnvZHo
tKLliqHmnInpmZDlhazlj7hA6LSi5LyB5YmN572u5py6QDEwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDMuXOFHMQdHpwMgU4wbsWLCwyR+KxCWhzODMao
6ei57P8FO3yuPQMeFWYTn4AReESWJJGnOcfXtyYOF4/C1jrSvs74kzSLtixU8EWb
FM2IjNPPkzV/SRBwU+TOKnZ0vApBZjF+h1CmZE4zrpzs4vYHHupmFsGc1M1YhrcI
tDPpZ4q39iyJpAt0ofdFRUlCJq3bFT6tsq9bvsnLV5eKGtlynNQNgIgiVViLPc3Q
z4vhqWx+7PqHthVKW4gCcH+NqfQIQ5pC5/D3t/upPigov8sNrXaCdy/mxtWiAhn0
F08a35L+aQVX/dS8hBSwWe3iG/1OiGeVWO9Ul4k/sOaQm5p9AgMBAAGjgcAwgb0w
HwYDVR0jBBgwFoAUnu5dMsxzrpI2zBQRz//XDjA+b9EwDAYDVR0TAQH/BAIwADA+
BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vdWNybC5jZmNhLmNvbS5jbi9PQ0EzMy9S
U0EvY3JsMTYxMC5jcmwwDgYDVR0PAQH/BAQDAgbAMB0GA1UdDgQWBBRhuTZDeLtY
P/o2TrJlmRzbX8s7rDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJ
KoZIhvcNAQELBQADggEBAA7Oe7M8ok/xdHDrMC3ZwTgpVxOGlbqUCKoZ5k+BGoqA
DQ6XEhNJewtHhtzspQzof2zqsI8XH43CtRxAhGZU1VPGwsNtnAymEFIdzovB7pio
I9684TZuPRt6sJ+iXVI1lkpszG0/f4Oasq/t/9cfeCKC1gTpWR3J7i0c3+KD+Gsc
rhW1pYFj5cgJM9v7tqTZYN5jTXO2EHIhid8K5mgnPJdKkDmwEDhdEHpr/Y2gG4c9
8Ztdw1QxgkBlo94AgxkOUs3eRe/O8UfXQWf+YQ9gEnKxygk8z5g1tIBffRu2s7bV
Rx1ebQFXMXys8+SFNfzQzlgRB4YnB3TFxBfptMn4jcgxggJ7MIICdwIBATBpMF0x
CzAJBgNVBAYTAkNOMTAwLgYDVQQKDCdDaGluYSBGaW5hbmNpYWwgQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkxHDAaBgNVBAMME0NGQ0EgQUNTIFRFU1QgT0NBMzMCCDMA
AAAIEDEEMA0GCWCGSAFlAwQCAQUAoIHkMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
BwEwHAYJKoZIhvcNAQkFMQ8XDTIxMTAwNDE1NTYyNVowLwYJKoZIhvcNAQkEMSIE
INA2ADdLafY7w7a7R7o3l/VQat/fNKAUzCSQeh82MRpbMHkGCSqGSIb3DQEJDzFs
MGowCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYIKoZI
hvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0G
CCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACuMgT4cm5hirw8FSifxDlIK
rzJudzBScpTpmveIbtO3itdPjb70KXnhHZDRf+YVBCw+puIlfbCsVsZBJnj60xjx
M6IiX7Gu7T4iR7NOjyTQhQp+ozK8M1ffRLStvs6S63uiBr6qU+bW2dYit/GprIrl
S3QtzWskahcC7xC2Qz4pPwHDTh+P1M1M+U9Y4VSE4DGOjnhhZl0K0PcvuYZd5ygW
kxcg1OqV+FiOUrML6DFWaCMGrm5KTQXQPXWciLtrtsbFb+RV6RYKMTbOSZPk4QQO
Ps11mzh34KF9ix5iUY8AIAgaMTbCnrbJhz9uVWpitHqjyzl5KaMkAzY5pzy6FO0=
-----END PKCS7-----
加密生成p7文件(base64)
gmssl smime -encrypt -in outside_enc.pri -sms4-ecb -out output.enc outside_sign.pem
将p7文件格式转换为pem
openssl smime -in output.enc -pk7out -out output.pem
打印p7文件
openssl pkcs7 -in output.pem -text -print
解密p7文件
openssl smime -decrypt -in output.enc -out outside_enc.ori -inkey outside_sign.pri
国密 P7 签名
https://blog.csdn.net/lt4959/article/details/112317252
https://blog.csdn.net/weixin_42683223/article/details/114283152
[1.2.156.10197.6.1.4.2.2, [0][3, [[1.2.156.10197.1.401, NULL]], [1.2.156.10197.6.1.4.2.1, [0]#64656339653838306264386264373631373637336232396536343933396165613638646263636164323532626137613962383538303133393634663062356462], [0][[[0]2, 3855128974485415805, [1.2.156.10197.1.501, NULL], [[[2.5.4.6, CN]], [[2.5.4.10, ZHCA]], [[2.5.4.3, ZHCA]]], [210224080254Z, 220224080254Z], [[[2.5.4.6, CN]], [[2.5.4.10, 中环CA电子签约平台-契约锁]], [[2.5.4.3, 维森集团有限公司]]], [[1.2.840.10045.2.1, 1.2.156.10197.1.301], #034200042B9DE080E2B96FF60FF0E33D3584D627385579ABB9285BAD417C559F5761F293E4DFA167E5A3DF53BF5DCB58DB6D62DD759749EE70CD14DCA7885578051C6A65], [3][[2.5.29.15, TRUE, #030206c0], [2.5.29.35, #30168014b42f42823b8e390ccd36f358b6af7475d176c717], [2.5.29.31, #30283026a024a0228620687474703a2f2f7777772e746a7a6863612e636f6d2f63726c3430332e63726c], [2.5.29.14, #04149757d21eb9d103dd1422dd4110f27a5654260f34], [2.5.29.19, TRUE, #3003010100], [1.2.156.10260.4.1.4, TRUE, #131231323647464b583531434d50545448444642]]], [1.2.156.10197.1.501, NULL], #03480030450221009FAC6120B46709962DE00263244EF53EEFB53644B4A0E7C720C87A9263AD530C022047B9AD1FF04E3831609A7AA9F066A35CD9B2D7EA05BCFF13C0747C4566BCDDF0], [[1, [[[[2.5.4.6, CN]], [[2.5.4.10, ZHCA]], [[2.5.4.3, ZHCA]]], 3855128974485415805], [1.2.156.10197.1.401, NULL], [1.2.156.10197.1.301.1, NULL], #30450220244aef4ccbc97f991648a7c5e4ad768ddecb066f97f847b76e31336b371c491c022100b0b31efcb430210842597582a6c230f24a5db9390342807473063546e9869582]]]]
1.2.156.10197.6.1.4.2 SM2密码算法加密签名消息语法规范
1.2.156.10197.6.1.4.2.1 数据类型data
1.2.156.10197.6.1.4.2.2 签名数据类型signedData
1.2.156.10197.6.1.4.2.3 数字信封数据类型envelopedData
1.2.156.10197.6.1.4.2.4 签名及数字信封数据类型signedAndEnvelopedData
1.2.156.10197.6.1.4.2.5 加密数据类型encryptedData
1.2.156.10197.6.1.4.2.6 密钥协商类型keyAgreementInfo
1.2.156.10197.6.1.4.2.2 => 签名数据类型signedData
1.2.156.10197.1.401 => SM3 Hash Algorithm
1.2.156.10197.1.301.1 => SM2-1 Digital Siganture Algorithm
1.2.156.10197.6.1.4.2.1 => 数据类型data
1.2.156.10197.1.501 => SM2 Signing with SM3
1.2.840.10045.2.1 => id-ecPublicKey
1.2.156.10197.1.301 => SM2 Elliptic Curve Cryptography
1.2.156.10260.4.1.4 => 企业组织机构代码 Organization Code
1.2.156.10197.1.501 => SM2Sign-with-SM3
1.2.156.10197.1.401 SM3 Hash Algorithm
1.2.156.10197.1.301.1 sm2sign
1.2.156.10197.1.401 SM3 Hash Algorithm
1.2.156.10197.1.401.1 SM3 Hash Without Key
1.2.156.10197.1.401.2 SM3 Hash With Key
1.2.156.10260.4.1.2 个人社会保险号 Insurance Number
1.2.156.10260.4.1.3 企业工商注册号 IC Registration Number
1.2.156.10260.4.1.4 企业组织机构代码 Organization Code
1.2.156.10260.4.1.5 企业税号 Taxation Number
1.2.156.10197.1.501 SM2Sign-with-SM3
1.2.156.10197.1.502 SM2Sign-with-SHA1
1.2.156.10197.1.503 SM2Sign-with-SHA256
1.2.156.10197.1.504 SM2Sign-with-SHA511
1.2.156.10197.1.505 SM2Sign-with-SHA224
1.2.156.10197.1.506 SM2Sign-with-SHA384
1.2.156.10197.1.507 SM2Sign-with-RMD160
参考汇总: 《政府采购数字证书格式规范》 http://zfcg.ggzyjy.nmg.gov.cn/u/cms/www/202012/%E9%99%84%E4%BB%B62-2%EF%BC%9A%E6%94%BF%E5%BA%9C%E9%87%87%E8%B4%AD%E6%95%B0%E5%AD%97%E8%AF%81%E4%B9%A6%E6%A0%BC%E5%BC%8F%E6%A0%87%E5%87%86%E8%A7%84%E8%8C%83.docx
http://gmssl.org/docs/oid.html
https://github.com/jntass/TASSL-1.1.1k/blob/00f6c528d5f4ef7c655e582216f06fde9aef6ceb/crypto/objects/obj_dat.h#L2293
https://github.com/jntass/TASSL-1.1.1k/blob/master/include/openssl/obj_mac.h#L1196
{"SM2-SM3", "sm3WithSM2Sign", NID_sm3WithSM2Sign, 8, &so[7761]},
{"sm-pkcs", "sm-pkcs", NID_sm_pkcs, 6, &so[7769]},
{"sm-pkcs7", "china pkcs7 series", NID_sm_pkcs7, 9, &so[7775]},
{"pkcs7_sm2_data", "pkcs7_sm2_data", NID_pkcs7_sm2_data, 10, &so[7784]},
{"pkcs7_sm2_signed", "pkcs7_sm2_signed", NID_pkcs7_sm2_signed, 10, &so[7794]},
{"pkcs7_sm2_enveloped", "pkcs7_sm2_enveloped", NID_pkcs7_sm2_enveloped, 10, &so[7804]},
{ NULL, NULL, NID_undef },
{ NULL, NULL, NID_undef },
{ NULL, NULL, NID_undef },
{"pkcs7_sm2_signedAndEnveloped", "pkcs7_sm2_signedAndEnveloped", NID_pkcs7_sm2_signedAndEnveloped, 10, &so[7814]},
{"pkcs7_sm2_encryptedData", "pkcs7_sm2_encryptedData", NID_pkcs7_sm2_encryptedData, 10, &so[7824]},
{"pkcs7_sm2_keyAgreementInfo", "pkcs7_sm2_keyAgreementInfo", NID_pkcs7_sm2_keyAgreementInfo, 10, &so[7834]},
{"frp256v1", "frp256v1", NID_frp256v1, 10, &so[7844]},
{"sm2signature", "sm2signature", NID_sm2signature, 9, &so[7854]},
{"sm2keyagreement", "sm2keyagreement", NID_sm2keyagreement, 9, &so[7863]},
{"sm2encrypt", "sm2encrypt", NID_sm2encrypt, 9, &so[7872]},
{"SM4-GCM", "sm4-gcm", NID_sm4_gcm, 8, &so[7881]},
{"SM4-CCM", "sm4-ccm", NID_sm4_ccm, 8, &so[7889]},
NID_sm_pkcs
NID_sm_pkcs7
NID_pkcs7_sm2_data
NID_pkcs7_sm2_signed
NID_pkcs7_sm2_enveloped
网友评论