Quick Start
This quick start guide covers building and installing GmSSL and the basic commands of the gmssl command-line tool.
- Download the source code (zip) and unzip it into the current working directory
$ unzip GmSSL-master.zip
- Build and install
Linux
$ mkdir build
$ cd build
$ cmake ..
$ make
$ make test
$ sudo make install
After installation, run the gmssl command-line tool to check that it succeeded:
$ gmssl version
GmSSL 3.1.0 Dev
- SM4 encryption and decryption
$ KEY=11223344556677881122334455667788
$ IV=11223344556677881122334455667788
$ echo hello | gmssl sm4 -cbc -encrypt -key $KEY -iv $IV -out sm4.cbc
$ gmssl sm4 -cbc -decrypt -key $KEY -iv $IV -in sm4.cbc
$ echo hello | gmssl sm4 -ctr -encrypt -key $KEY -iv $IV -out sm4.ctr
$ gmssl sm4 -ctr -decrypt -key $KEY -iv $IV -in sm4.ctr
- SM3 digest
$ echo -n abc | gmssl sm3
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo -n abc | gmssl sm3 -pubkey sm2pub.pem -id 1234567812345678
$ echo -n abc | gmssl sm3hmac -key 11223344556677881122334455667788
- SM2 signing and verification
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2sign -key sm2.pem -pass 1234 -out sm2.sig #-id 1234567812345678
$ echo hello | gmssl sm2verify -pubkey sm2pub.pem -sig sm2.sig -id 1234567812345678
$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
- SM2 encryption and decryption
$ gmssl sm2keygen -pass 1234 -out sm2.pem -pubout sm2pub.pem
$ echo hello | gmssl sm2encrypt -pubkey sm2pub.pem -out sm2.der
$ gmssl sm2decrypt -key sm2.pem -pass 1234 -in sm2.der
- Generate the SM2 root certificate (key rootcakey.pem) and the CA certificate (key cakey.pem)
$ gmssl sm2keygen -pass 1234 -out rootcakey.pem
$ gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key rootcakey.pem -pass 1234 -out rootcacert.pem -key_usage keyCertSign -key_usage cRLSign
$ gmssl certparse -in rootcacert.pem
$ gmssl sm2keygen -pass 1234 -out cakey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN "Sub CA" -days 3650 -key cakey.pem -pass 1234 -out careq.pem
$ gmssl reqsign -in careq.pem -days 365 -key_usage keyCertSign -path_len_constraint 0 -cacert rootcacert.pem -key rootcakey.pem -pass 1234 -out cacert.pem
- Use the CA certificate to issue a signing certificate and an encryption certificate
$ gmssl sm2keygen -pass 1234 -out signkey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key signkey.pem -pass 1234 -out signreq.pem
$ gmssl reqsign -in signreq.pem -days 365 -key_usage digitalSignature -cacert cacert.pem -key cakey.pem -pass 1234 -out signcert.pem
$ gmssl sm2keygen -pass 1234 -out enckey.pem
$ gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -days 365 -key enckey.pem -pass 1234 -out encreq.pem
$ gmssl reqsign -in encreq.pem -days 365 -key_usage keyEncipherment -cacert cacert.pem -key cakey.pem -pass 1234 -out enccert.pem
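- Merge the signing certificate and the CA certificate into the server certificate file certs.pem, and verify it
$ cat signcert.pem > certs.pem
$ cat cacert.pem >> certs.pem
$ gmssl certverify -in certs.pem -cacert rootcacert.pem
View the certificate contents:
$ gmssl certparse -in cacert.pem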