diff --git a/.github/workflows/wolfsm.yml b/.github/workflows/wolfsm.yml
new file mode 100644
index 00000000000..f67485793e1
--- /dev/null
+++ b/.github/workflows/wolfsm.yml
@@ -0,0 +1,63 @@
+name: wolfSM Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ make_check:
+ strategy:
+ fail-fast: false
+ matrix:
+ config: [
+ # Core SM TLS cipher suites
+ '--enable-sm2 --enable-sm3 --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
+ # All SM4 modes
+ '--enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm --enable-sha3',
+ # SM + all features integration test
+ '--enable-all --enable-sm2 --enable-sm3 --enable-sm4-ecb --enable-sm4-cbc --enable-sm4-ctr --enable-sm4-gcm --enable-sm4-ccm',
+ ]
+ name: make check
+ if: github.repository_owner == 'wolfssl'
+ runs-on: ubuntu-24.04
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ name: Checkout wolfSSL
+
+ - uses: actions/checkout@v4
+ name: Checkout wolfsm
+ with:
+ repository: wolfssl/wolfsm
+ path: wolfsm
+
+ - name: Install wolfsm
+ working-directory: wolfsm
+ run: ./install.sh $GITHUB_WORKSPACE
+
+ - name: Test wolfSSL with wolfSM
+ run: |
+ ./autogen.sh
+ ./configure ${{ matrix.config }}
+ make
+ make check
+
+ - name: Print errors
+ if: ${{ failure() }}
+ run: |
+ for file in scripts/*.log
+ do
+ if [ -f "$file" ]; then
+ echo "${file}:"
+ cat "$file"
+ echo "========================================================================"
+ fi
+ done
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index ddce2389928..8745770ab90 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
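Review bot: The "Checkout wolfsm" step in the new wolfsm.yml workflow pulls `wolfssl/wolfsm` with no `ref:`, so every run, including `pull_request` runs, executes whatever `install.sh` sits at that repository's default-branch head. Results are not reproducible and any change there flows straight into this job; pin it with `ref: <wolfsm-commit-sha>` (placeholder) and bump it deliberately. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope. Since it only builds and tests, add a top-level `permissions:` with `contents: read`, and consider `persist-credentials: false` on both checkout steps.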
@@ -768,6 +768,16 @@ run_renewcerts(){ echo "End of section" echo "---------------------------------------------------------------------" + ############################################################ + ########## generate SM2 certificates ####################### + ############################################################ + echo "Renewing SM2 certificates" + cd sm2 + ./gen-sm2-certs.sh + cd .. + echo "End of section" + echo "---------------------------------------------------------------------" + ############################################################ ########## update Raw Public Key certificates ############## ############################################################ diff --git a/certs/sm2/ca-sm2.der b/certs/sm2/ca-sm2.der index 050c1b1ae74..2b416438642 100644 Binary files a/certs/sm2/ca-sm2.der and b/certs/sm2/ca-sm2.der differ diff --git a/certs/sm2/ca-sm2.pem b/certs/sm2/ca-sm2.pem index 2451a522f73..097a24dad30 100644 --- a/certs/sm2/ca-sm2.pem +++ b/certs/sm2/ca-sm2.pem @@ -3,11 +3,11 @@ Certificate: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) 
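Review bot: Neither `cd sm2` nor `./gen-sm2-certs.sh` has its exit status checked in the block added to run_renewcerts, so a failed SM2 regeneration still prints "End of section" and the run continues with the old certificates in place. If `cd sm2` itself fails, the following `cd ..` leaves the script one level above the certs directory for every later section. Running the pair in a subshell avoids both, e.g. `(cd sm2 && ./gen-sm2-certs.sh) || echo "SM2 certificate renewal failed"`, or return non-zero if that matches how the rest of run_renewcerts reports errors, which is not visible in this hunk.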
@@ -29,16 +29,16 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf: - 89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd: - 02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b: - 11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c + 30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25: + 9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f: + 9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69: + bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5 -----BEGIN CERTIFICATE----- -MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO +MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu -Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2 -MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3 +NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm @@ -46,6 +46,6 @@ U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn /2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0 HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL -H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec +AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV +9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ== -----END CERTIFICATE----- 
diff --git a/certs/sm2/client-sm2.der b/certs/sm2/client-sm2.der index 195cdb14460..be1bbf4f16a 100644 Binary files a/certs/sm2/client-sm2.der and b/certs/sm2/client-sm2.der differ diff --git a/certs/sm2/client-sm2.pem b/certs/sm2/client-sm2.pem index 2f3f49ef89d..05114a72356 100644 --- a/certs/sm2/client-sm2.pem +++ b/certs/sm2/client-sm2.pem @@ -2,13 +2,13 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 60:a0:4a:0b:36:eb:7d:e1:3f:74:29:a9:29:b4:05:6c:17:f7:a6:d4 + 63:dd:75:63:8a:b0:51:4f:9c:4e:ff:6d:55:4e:cd:ee:8f:26:d3:80 Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Client-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Client-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) @@ -25,7 +25,7 @@ Certificate: X509v3 Authority Key Identifier: keyid:E4:21:B2:C5:E5:D4:9E:82:CA:F8:67:F2:28:99:F6:85:E8:F1:55:EF DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_sm2/OU=Client-sm2/CN=www.wolfssl.com/emailAddress=info@wolfssl.com/UID=wolfSSL - serial:60:A0:4A:0B:36:EB:7D:E1:3F:74:29:A9:29:B4:05:6C:17:F7:A6:D4 + serial:63:DD:75:63:8A:B0:51:4F:9C:4E:FF:6D:55:4E:CD:EE:8F:26:D3:80 X509v3 Basic Constraints: CA:TRUE X509v3 Subject Alternative Name: 
@@ -34,17 +34,17 @@ Certificate: TLS Web Server Authentication, TLS Web Client Authentication Signature Algorithm: SM2-with-SM3 Signature Value: - 30:46:02:21:00:8f:b2:b5:95:8f:79:f6:5e:75:e5:c5:e9:9a: - 12:d2:0f:78:9f:c0:1d:8d:1c:be:6b:0c:f1:f5:57:60:db:91: - 4f:02:21:00:87:5e:7d:e4:d6:3a:bb:7b:98:27:85:de:7a:f0: - 21:e2:66:a1:9f:26:e0:dd:86:23:b4:c8:c0:46:5a:f2:49:8d + 30:46:02:21:00:dd:98:90:68:35:95:61:2f:11:90:a5:e9:30: + 8b:9a:aa:33:cc:73:8a:76:96:8b:97:8c:4c:c3:10:fc:14:56: + 9b:02:21:00:f8:de:db:67:54:59:ca:98:27:3d:3f:f6:6f:30: + 0c:65:e1:fb:a0:9f:11:ab:ea:76:30:31:c4:66:11:d7:b9:f2 -----BEGIN CERTIFICATE----- -MIIDyTCCA26gAwIBAgIUYKBKCzbrfeE/dCmpKbQFbBf3ptQwCgYIKoEcz1UBg3Uw +MIIDyTCCA26gAwIBAgIUY911Y4qwUU+cTv9tVU7N7o8m04AwCgYIKoEcz1UBg3Uw gbAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl bWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjETMBEGA1UECwwKQ2xpZW50LXNtMjEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv -bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yMzAyMTUwNjIz -MDdaFw0yNTExMTEwNjIzMDdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u +bGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDAeFw0yNjAyMTgxNzU2 +NTdaFw0yODExMTQxNzU2NTdaMIGwMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9u dGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLd29sZlNTTF9zbTIxEzAR BgNVBAsMCkNsaWVudC1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0G CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv 
@@ -55,9 +55,9 @@ BIHoMIHlgBTkIbLF5dSegsr4Z/IomfaF6PFV76GBtqSBszCBsDELMAkGA1UEBhMC VVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoM C3dvbGZTU0xfc20yMRMwEQYDVQQLDApDbGllbnQtc20yMRgwFgYDVQQDDA93d3cu d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAV -BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRgoEoLNut94T90KakptAVsF/em1DAMBgNV +BgoJkiaJk/IsZAEBDAd3b2xmU1NMghRj3XVjirBRT5xO/21VTs3ujybTgDAMBgNV HRMEBTADAQH/MBwGA1UdEQQVMBOCC2V4YW1wbGUuY29thwR/AAABMB0GA1UdJQQW -MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEAj7K1lY95 -9l515cXpmhLSD3ifwB2NHL5rDPH1V2DbkU8CIQCHXn3k1jq7e5gnhd568CHiZqGf -JuDdhiO0yMBGWvJJjQ== +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAKBggqgRzPVQGDdQNJADBGAiEA3ZiQaDWV +YS8RkKXpMIuaqjPMc4p2louXjEzDEPwUVpsCIQD43ttnVFnKmCc9P/ZvMAxl4fug +nxGr6nYwMcRmEde58g== -----END CERTIFICATE----- diff --git a/certs/sm2/fix_sm2_spki.py b/certs/sm2/fix_sm2_spki.py new file mode 100644 index 00000000000..dd05a23efce --- /dev/null +++ b/certs/sm2/fix_sm2_spki.py 
@@ -0,0 +1,179 @@ +#!/usr/bin/env python3 +"""Fix SM2 certificate SubjectPublicKeyInfo algorithm OID. + +OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID +(1.2.840.10045.2.1) instead of the SM2-specific OID (1.2.156.10197.1.301). +This script patches the SPKI algorithm OID back to SM2 and re-signs the +certificate. + +Usage: fix_sm2_spki.py +""" + +import base64 +import subprocess +import sys +import os +import tempfile + +EC_PUBKEY_OID = bytes([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]) +SM2_ALGO_OID = bytes([0x06, 0x08, 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x82, 0x2d]) +SM2_WITH_SM3 = bytes([0x30, 0x0a, 0x06, 0x08, + 0x2a, 0x81, 0x1c, 0xcf, 0x55, 0x01, 0x83, 0x75]) + + +def read_der_length(data, offset): + b = data[offset] + if b < 0x80: + return b, 1 + num_bytes = b & 0x7f + length = 0 + for i in range(num_bytes): + length = (length << 8) | data[offset + 1 + i] + return length, 1 + num_bytes + + +def encode_der_length(length): + if length < 0x80: + return bytes([length]) + elif length < 0x100: + return bytes([0x81, length]) + elif length < 0x10000: + return bytes([0x82, length >> 8, length & 0xff]) + else: + raise ValueError("Length too large: %d" % length) + + +def find_enclosing_sequences(data, target_pos): + """Find length-field offsets of all SEQUENCEs enclosing target_pos.""" + results = [] + + def scan(offset, end): + while offset < end: + tag = data[offset] + offset += 1 + length, len_bytes = read_der_length(data, offset) + len_offset = offset + offset += len_bytes + content_start = offset + content_end = offset + length + + if tag == 0x30 and content_start <= target_pos < content_end: + results.append((len_offset, length, len_bytes)) + scan(content_start, content_end) + return + offset = content_end + + scan(0, len(data)) + return results + + +def patch_tbs_spki_oid(tbs_der): + """Replace id-ecPublicKey with SM2 OID in TBS SubjectPublicKeyInfo.""" + oid_pos = tbs_der.find(EC_PUBKEY_OID) + if oid_pos == -1: + return None # 
Already has SM2 OID or no EC key + + enclosing = find_enclosing_sequences(tbs_der, oid_pos) + size_diff = len(SM2_ALGO_OID) - len(EC_PUBKEY_OID) + + result = bytearray( + tbs_der[:oid_pos] + SM2_ALGO_OID + tbs_der[oid_pos + len(EC_PUBKEY_OID):] + ) + + for len_offset, old_length, old_len_bytes in enclosing: + new_length = old_length + size_diff + new_len_encoded = encode_der_length(new_length) + if len(new_len_encoded) == old_len_bytes: + result[len_offset:len_offset + old_len_bytes] = new_len_encoded + else: + result[len_offset:len_offset + old_len_bytes] = new_len_encoded + size_diff += len(new_len_encoded) - old_len_bytes + + return bytes(result) + + +def pem_to_der(pem_text): + b64 = ''.join( + line for line in pem_text.split('\n') + if not line.startswith('-----') and line.strip() + ) + return base64.b64decode(b64) + + +def der_to_pem(der_data, label="CERTIFICATE"): + b64 = base64.b64encode(der_data).decode() + lines = [b64[i:i+64] for i in range(0, len(b64), 64)] + return ('-----BEGIN %s-----\n' % label + + '\n'.join(lines) + + '\n-----END %s-----\n' % label) + + +def extract_tbs(cert_der): + assert cert_der[0] == 0x30 + outer_len, outer_len_bytes = read_der_length(cert_der, 1) + tbs_offset = 1 + outer_len_bytes + tbs_len, tbs_len_bytes = read_der_length(cert_der, tbs_offset + 1) + tbs_total = 1 + tbs_len_bytes + tbs_len + return cert_der[tbs_offset:tbs_offset + tbs_total] + + +def sign_tbs(tbs_der, key_pem_path): + """Sign TBS with SM2-with-SM3 using openssl dgst.""" + with tempfile.NamedTemporaryFile(suffix='.der', delete=False) as tbs_f: + tbs_f.write(tbs_der) + tbs_path = tbs_f.name + + sig_path = tbs_path + '.sig' + try: + result = subprocess.run( + ['openssl', 'dgst', '-sm3', '-sign', key_pem_path, + '-out', sig_path, tbs_path], + capture_output=True, text=True + ) + if result.returncode != 0: + raise RuntimeError("openssl dgst failed: " + result.stderr) + + with open(sig_path, 'rb') as f: + return f.read() + finally: + os.unlink(tbs_path) + if 
os.path.exists(sig_path): + os.unlink(sig_path) + + +def build_cert(tbs_der, sig_der): + bit_string = bytes([0x03, len(sig_der) + 1, 0x00]) + sig_der + cert_body = tbs_der + SM2_WITH_SM3 + bit_string + return bytes([0x30]) + encode_der_length(len(cert_body)) + cert_body + + +def fix_sm2_cert(cert_pem_path, key_pem_path, output_pem_path): + with open(cert_pem_path, 'r') as f: + cert_pem = f.read() + + cert_der = pem_to_der(cert_pem) + tbs = extract_tbs(cert_der) + + new_tbs = patch_tbs_spki_oid(tbs) + if new_tbs is None: + print(" Already has SM2 OID, no patching needed") + if cert_pem_path != output_pem_path: + with open(output_pem_path, 'w') as f: + f.write(cert_pem) + return + + sig = sign_tbs(new_tbs, key_pem_path) + new_cert_der = build_cert(new_tbs, sig) + + with open(output_pem_path, 'w') as f: + f.write(der_to_pem(new_cert_der)) + + print(" Patched SPKI algorithm OID to SM2") + + +if __name__ == '__main__': + if len(sys.argv) != 4: + print("Usage: %s " % sys.argv[0]) + sys.exit(1) + + fix_sm2_cert(sys.argv[1], sys.argv[2], sys.argv[3]) diff --git a/certs/sm2/gen-sm2-certs.sh b/certs/sm2/gen-sm2-certs.sh index 46f2a8cd501..33c459f370d 100755 --- a/certs/sm2/gen-sm2-certs.sh +++ b/certs/sm2/gen-sm2-certs.sh @@ -1,5 +1,7 @@ #!/usr/bin/env bash +SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" + check_result(){ if [ $1 -ne 0 ]; then echo "Failed at \"$2\", Abort" @@ -9,6 +11,15 @@ check_result(){ fi } +# OpenSSL 3.x encodes SM2 keys using the generic id-ecPublicKey OID instead of +# the SM2-specific OID. fix_sm2_spki.py patches the SubjectPublicKeyInfo +# algorithm OID back to SM2 and re-signs the certificate. +fix_sm2_oid(){ + # $1 = cert PEM, $2 = signing key PEM + python3 "${SCRIPT_DIR}/fix_sm2_spki.py" "$1" "$2" "$1" + check_result $? "Fix SM2 SPKI OID in $1" +} + openssl pkey -in root-sm2-priv.pem -noout >/dev/null 2>&1 if [ $? -ne 0 ]; then echo "OpenSSL does not support SM2" 
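Review bot: The length fix-up loop in `patch_tbs_spki_oid` walks `enclosing` outermost-first, which is only correct while no length field changes size. If the extra OID byte pushes a SEQUENCE length across 0x7f or 0xff, the splice shifts every inner `len_offset` by one byte and the `size_diff` bump is applied to the inner sequences instead of the outer ones, so malformed DER gets signed. Iterating `for len_offset, old_length, old_len_bytes in reversed(enclosing):` makes the growth propagate inner-to-outer and keeps the remaining offsets valid. Separately, `build_cert` hard-codes a one-byte BIT STRING length where `encode_der_length(len(sig_der) + 1)` would match the rest of the file. `tbs_der.find(EC_PUBKEY_OID)` also matches the first occurrence of those bytes anywhere in the TBS rather than the SPKI field specifically, which deserves a comment.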
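Review bot: `fix_sm2_oid` in gen-sm2-certs.sh overwrites the certificate in place (`"$1"` is both input and output) and checks only the Python exit code, so nothing confirms the re-signed file still parses before the DER conversion and later steps consume it. A cheap guard is to follow the call with `openssl x509 -in "$1" -noout` and `check_result $? "Parse patched $1"`; verifying the signature against the issuer would be stronger if the installed OpenSSL supports that for SM2. The script also now depends on `python3`, which is not probed the way OpenSSL's SM2 support is at the top of the file.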
@@ -29,6 +40,7 @@ check_result $? "Generate request" openssl x509 -req -in root-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey root-sm2-priv.pem -out root-sm2.pem check_result $? "Generate certificate" rm root-sm2.csr +fix_sm2_oid root-sm2.pem root-sm2-priv.pem openssl x509 -in root-sm2.pem -outform DER > root-sm2.der check_result $? "Convert to DER" @@ -50,6 +62,7 @@ check_result $? "Generate request" openssl x509 -req -in ca-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -CA root-sm2.pem -CAkey root-sm2-priv.pem -set_serial 01 -out ca-sm2.pem check_result $? "Generate certificate" rm ca-sm2.csr +fix_sm2_oid ca-sm2.pem root-sm2-priv.pem openssl x509 -in ca-sm2.pem -outform DER > ca-sm2.der check_result $? "Convert to DER" @@ -71,6 +84,7 @@ check_result $? "Generate request" openssl x509 -req -in self-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions ca_ecc_cert -signkey self-sm2-priv.pem -out self-sm2-cert.pem check_result $? "Generate certificate" rm self-sm2.csr +fix_sm2_oid self-sm2-cert.pem self-sm2-priv.pem openssl x509 -in self-sm2-cert.pem -text > tmp.pem check_result $? "Add text" @@ -90,6 +104,7 @@ check_result $? "Generate request" openssl x509 -req -in server-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions server_ecc -CA ca-sm2.pem -CAkey ca-sm2-priv.pem -set_serial 01 -out server-sm2-cert.pem check_result $? "Generate certificate" rm server-sm2.csr +fix_sm2_oid server-sm2-cert.pem ca-sm2-priv.pem openssl x509 -in server-sm2-cert.pem -outform DER > server-sm2-cert.der check_result $? "Convert to DER" 
@@ -113,6 +128,7 @@ check_result $? "Generate request" openssl x509 -req -in client-sm2.csr -days 1000 -extfile ../renewcerts/wolfssl.cnf -extensions wolfssl_opts -signkey client-sm2-priv.pem -out client-sm2.pem check_result $? "Generate certificate" rm client-sm2.csr +fix_sm2_oid client-sm2.pem client-sm2-priv.pem openssl x509 -in client-sm2.pem -outform DER > client-sm2.der check_result $? "Convert to DER" diff --git a/certs/sm2/root-sm2.der b/certs/sm2/root-sm2.der index 63c0407713d..47550ba9143 100644 Binary files a/certs/sm2/root-sm2.der and b/certs/sm2/root-sm2.der differ diff --git a/certs/sm2/root-sm2.pem b/certs/sm2/root-sm2.pem index 91b149af565..4dd07761b9d 100644 --- a/certs/sm2/root-sm2.pem +++ b/certs/sm2/root-sm2.pem @@ -2,13 +2,13 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 74:9c:dd:a4:b2:67:26:57:29:fb:e9:13:54:e0:34:08:03:2b:70:a9 + 61:2a:93:12:b3:6e:ff:d6:9a:a7:98:c4:49:4d:c6:2c:3e:ea:5a:f9 Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) 
@@ -30,16 +30,16 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:44:02:20:03:27:29:f0:ef:78:26:a1:1a:6a:1e:88:81:e7: - 83:72:5f:3e:e6:08:e8:14:68:bf:4b:0f:68:52:92:aa:8f:a1: - 02:20:0b:fe:1b:14:ba:51:82:65:06:bb:22:d8:1a:a7:9f:54: - 62:eb:8d:b2:d5:13:b3:b8:a2:f3:14:44:b2:a0:21:d0 + 30:46:02:21:00:fe:8d:2f:b9:c9:55:db:2c:d4:89:ff:a1:92: + 03:ce:4a:09:00:7f:c4:b3:b6:55:ae:a1:f6:7b:3e:ed:c4:dd: + 7c:02:21:00:d0:be:9b:4a:a9:cf:52:c1:cd:0d:bc:86:29:9e: + c4:e2:f1:fa:86:f3:73:01:e2:3b:c5:cc:99:0a:bb:c3:a8:ee -----BEGIN CERTIFICATE----- -MIICkTCCAjigAwIBAgIUdJzdpLJnJlcp++kTVOA0CAMrcKkwCgYIKoEcz1UBg3Uw +MIICkzCCAjigAwIBAgIUYSqTErNu/9aap5jESU3GLD7qWvkwCgYIKoEcz1UBg3Uw gZUxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3pl bWFuMRQwEgYDVQQKDAt3b2xmU1NMX1NNMjERMA8GA1UECwwIUm9vdC1TTTIxGDAW BgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xm -c3NsLmNvbTAeFw0yMzAyMTUwNjIzMDdaFw0yNTExMTEwNjIzMDdaMIGVMQswCQYD +c3NsLmNvbTAeFw0yNjAyMTgxNzU2NTdaFw0yODExMTQxNzU2NTdaMIGVMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIG A1UECgwLd29sZlNTTF9TTTIxETAPBgNVBAsMCFJvb3QtU00yMRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w @@ -47,6 +47,6 @@ WjAUBggqgRzPVQGCLQYIKoEcz1UBgi0DQgAEu5x1jPcX+Eir9/bbDZqNn8LRR5eV C07mV+zF+FdUcTk8eeFAP7ZR6XzH2i3v0uh5gXuro19rKmyXGl6O2dDMBKNjMGEw HQYDVR0OBBYEFDQdeUQVeaGxY5nj7WV8ZImA/7jsMB8GA1UdIwQYMBaAFDQdeUQV eaGxY5nj7WV8ZImA/7jsMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGG -MAoGCCqBHM9VAYN1A0cAMEQCIAMnKfDveCahGmoeiIHng3JfPuYI6BRov0sPaFKS -qo+hAiAL/hsUulGCZQa7Itgap59UYuuNstUTs7ii8xREsqAh0A== +MAoGCCqBHM9VAYN1A0kAMEYCIQD+jS+5yVXbLNSJ/6GSA85KCQB/xLO2Va6h9ns+ +7cTdfAIhANC+m0qpz1LBzQ28himexOLx+obzcwHiO8XMmQq7w6ju -----END CERTIFICATE----- diff --git a/certs/sm2/self-sm2-cert.pem b/certs/sm2/self-sm2-cert.pem index b8d484d9a34..e80f996d5e4 100644 --- a/certs/sm2/self-sm2-cert.pem +++ b/certs/sm2/self-sm2-cert.pem 
@@ -2,15 +2,15 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 06:7b:3a:5d:cf:22:a9:6d:6d:78:2b:10:01:51:b6:4c:d4:82:a2:a1 + 26:2d:4b:fe:64:7d:97:44:c8:85:22:01:96:b3:a5:db:1c:64:12:1b Signature Algorithm: SM2-with-SM3 - Issuer: C = AU, ST = QLD, O = wolfSSL, OU = Testing, CN = wolfssl-dev-sm2, emailAddress = info@wolfssl.com, UID = wolfSSL + Issuer: C=AU, ST=QLD, O=wolfSSL, OU=Testing, CN=wolfssl-dev-sm2, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Nov 22 21:28:37 2023 GMT - Not After : Aug 18 21:28:37 2026 GMT - Subject: C = AU, ST = QLD, O = wolfSSL, OU = Testing, CN = wolfssl-dev-sm2, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=AU, ST=QLD, O=wolfSSL, OU=Testing, CN=wolfssl-dev-sm2, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey + Public Key Algorithm: sm2 Public-Key: (256 bit) pub: 04:d8:c4:a1:f1:0b:8b:8d:c4:7d:dc:d4:65:b9:a5: 
@@ -30,23 +30,23 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:44:02:20:0f:c3:2c:36:e3:9f:1c:e9:68:1c:3b:43:18:5b: - c9:8f:e4:fa:dd:33:c1:b8:1c:d3:d4:61:33:f8:37:9d:5a:f4: - 02:20:3a:b9:a8:43:80:cf:38:25:e9:64:d8:26:47:9d:50:04: - 0c:8a:e8:a2:42:e8:63:dd:53:94:7d:38:6d:52:70:fd + 30:45:02:21:00:cb:1a:f6:3d:c5:63:4f:fb:23:c9:22:e5:c6: + 53:12:e0:90:81:42:ef:61:98:0b:c9:93:ff:27:59:e6:81:57: + 25:02:20:45:7a:6e:db:0f:15:c7:90:f0:ad:fe:a6:85:42:d3: + dc:ed:7b:56:e6:12:6e:73:12:55:69:32:c5:16:22:f0:cd -----BEGIN CERTIFICATE----- -MIICjDCCAjOgAwIBAgIUBns6Xc8iqW1teCsQAVG2TNSCoqEwCgYIKoEcz1UBg3Uw +MIICjjCCAjSgAwIBAgIUJi1L/mR9l0TIhSIBlrOl2xxkEhswCgYIKoEcz1UBg3Uw gZMxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANRTEQxEDAOBgNVBAoMB3dvbGZTU0wx EDAOBgNVBAsMB1Rlc3RpbmcxGDAWBgNVBAMMD3dvbGZzc2wtZGV2LXNtMjEfMB0G CSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixkAQEMB3dv -bGZTU0wwHhcNMjMxMTIyMjEyODM3WhcNMjYwODE4MjEyODM3WjCBkzELMAkGA1UE +bGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBkzELMAkGA1UE BhMCQVUxDDAKBgNVBAgMA1FMRDEQMA4GA1UECgwHd29sZlNTTDEQMA4GA1UECwwH VGVzdGluZzEYMBYGA1UEAwwPd29sZnNzbC1kZXYtc20yMR8wHQYJKoZIhvcNAQkB -FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDBZMBMG -ByqGSM49AgEGCCqBHM9VAYItA0IABNjEofELi43EfdzUZbmlVU77rDOrm0OUTEhA -GzPZG8wxwYJWP7DAa5VAUf2IAgGxsJRsBuun2o7ucLblu7Qe57SjYzBhMB0GA1Ud -DgQWBBRul+iYtlu2rocE2xRWZhb0uC2M8jAfBgNVHSMEGDAWgBRul+iYtlu2rocE -2xRWZhb0uC2M8jAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAKBggq -gRzPVQGDdQNHADBEAiAPwyw2458c6WgcO0MYW8mP5PrdM8G4HNPUYTP4N51a9AIg -OrmoQ4DPOCXpZNgmR51QBAyK6KJC6GPdU5R9OG1ScP0= +FhBpbmZvQHdvbGZzc2wuY29tMRcwFQYKCZImiZPyLGQBAQwHd29sZlNTTDBaMBQG +CCqBHM9VAYItBggqgRzPVQGCLQNCAATYxKHxC4uNxH3c1GW5pVVO+6wzq5tDlExI +QBsz2RvMMcGCVj+wwGuVQFH9iAIBsbCUbAbrp9qO7nC25bu0Hue0o2MwYTAdBgNV +HQ4EFgQUbpfomLZbtq6HBNsUVmYW9LgtjPIwHwYDVR0jBBgwFoAUbpfomLZbtq6H +BNsUVmYW9LgtjPIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwCgYI 
+KoEcz1UBg3UDSAAwRQIhAMsa9j3FY0/7I8ki5cZTEuCQgULvYZgLyZP/J1nmgVcl +AiBFem7bDxXHkPCt/qaFQtPc7XtW5hJucxJVaTLFFiLwzQ== -----END CERTIFICATE----- diff --git a/certs/sm2/server-sm2-cert.der b/certs/sm2/server-sm2-cert.der index 878296d9467..bd9ea8ee406 100644 Binary files a/certs/sm2/server-sm2-cert.der and b/certs/sm2/server-sm2-cert.der differ diff --git a/certs/sm2/server-sm2-cert.pem b/certs/sm2/server-sm2-cert.pem index 23c49c9113d..f21400f20b5 100644 --- a/certs/sm2/server-sm2-cert.pem +++ b/certs/sm2/server-sm2-cert.pem @@ -3,11 +3,11 @@ Certificate: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Server-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) 
@@ -33,16 +33,16 @@ Certificate: SSL Server Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:1b:ca:94:28:7f:f6:b2:0d:31:43:50:e1:d5:34: - 17:dd:af:3a:de:81:06:67:9a:b3:06:22:7e:64:ec:fd:0e:b9: - 02:21:00:a1:48:a8:32:d1:05:09:6b:1c:eb:89:12:66:d8:38: - a1:c4:5c:89:09:0f:fd:e9:c0:3b:1d:fb:cd:b5:4c:31:68 + 30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e: + ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d: + 36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0: + 01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b -----BEGIN CERTIFICATE----- -MIIC2DCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO +MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk -AQEMB3dvbGZTU0wwHhcNMjMwMjE1MDYyMzA3WhcNMjUxMTExMDYyMzA3WjCBsDEL +AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz @@ -51,7 +51,7 @@ HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+ Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF -BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNIADBFAiAbypQof/ay -DTFDUOHVNBfdrzregQZnmrMGIn5k7P0OuQIhAKFIqDLRBQlrHOuJEmbYOKHEXIkJ -D/3pwDsd+821TDFo +BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/ +HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH +3SjGx0f/1tyw4TbMOw== -----END CERTIFICATE----- diff --git a/certs/sm2/server-sm2.pem b/certs/sm2/server-sm2.pem index 95877f0d4ca..ecb96ac2ee0 100644 --- a/certs/sm2/server-sm2.pem 
+++ b/certs/sm2/server-sm2.pem @@ -3,11 +3,11 @@ Certificate: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = Server-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=Server-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) 
@@ -33,16 +33,16 @@ Certificate: SSL Server Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:1b:ca:94:28:7f:f6:b2:0d:31:43:50:e1:d5:34: - 17:dd:af:3a:de:81:06:67:9a:b3:06:22:7e:64:ec:fd:0e:b9: - 02:21:00:a1:48:a8:32:d1:05:09:6b:1c:eb:89:12:66:d8:38: - a1:c4:5c:89:09:0f:fd:e9:c0:3b:1d:fb:cd:b5:4c:31:68 + 30:46:02:21:00:96:50:5f:3e:3f:bf:1e:50:6c:9a:5d:4e:8e: + ef:27:a1:4d:fa:b9:75:a6:58:0e:f6:db:60:32:20:e4:31:1d: + 36:02:21:00:e7:cb:5c:9f:85:7d:4c:b5:54:74:e4:45:c4:f0: + 01:53:51:33:07:dd:28:c6:c7:47:ff:d6:dc:b0:e1:36:cc:3b -----BEGIN CERTIFICATE----- -MIIC2DCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO +MIIC2TCCAn6gAwIBAgIBATAKBggqgRzPVQGDdTCBrDELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfc20yMQ8wDQYDVQQLDAZDQS1zbTIxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNv bTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTEXMBUGCgmSJomT8ixk -AQEMB3dvbGZTU0wwHhcNMjMwMjE1MDYyMzA3WhcNMjUxMTExMDYyMzA3WjCBsDEL +AQEMB3dvbGZTU0wwHhcNMjYwMjE4MTc1NjU3WhcNMjgxMTE0MTc1NjU3WjCBsDEL MAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4x FDASBgNVBAoMC3dvbGZTU0xfc20yMRMwEQYDVQQLDApTZXJ2ZXItc20yMRgwFgYD VQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNz 
@@ -51,20 +51,20 @@ HM9VAYItA0IABJRwK0bkXg9B+48tNApBQBle+9QdEaz69ZM3xvqHCPcWHyzOMECd T6YqCqHWlTPDpgOY5o0FNLCXDN6kx89Tj9GjgYkwgYYwHQYDVR0OBBYEFGeuYP9+ Gw+Vrh+CWfJsVi2T7xcyMB8GA1UdIwQYMBaAFEcKSH67AqhaJlcrGal7YYt/XZlu MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF -BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNIADBFAiAbypQof/ay -DTFDUOHVNBfdrzregQZnmrMGIn5k7P0OuQIhAKFIqDLRBQlrHOuJEmbYOKHEXIkJ -D/3pwDsd+821TDFo +BwMBMBEGCWCGSAGG+EIBAQQEAwIGQDAKBggqgRzPVQGDdQNJADBGAiEAllBfPj+/ +HlBsml1Oju8noU36uXWmWA7222AyIOQxHTYCIQDny1yfhX1MtVR05EXE8AFTUTMH +3SjGx0f/1tyw4TbMOw== -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: SM2-with-SM3 - Issuer: C = US, ST = Montana, L = Bozeman, O = wolfSSL_SM2, OU = Root-SM2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com + Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_SM2, OU=Root-SM2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com Validity - Not Before: Feb 15 06:23:07 2023 GMT - Not After : Nov 11 06:23:07 2025 GMT - Subject: C = US, ST = Montana, L = Bozeman, O = wolfSSL_sm2, OU = CA-sm2, CN = www.wolfssl.com, emailAddress = info@wolfssl.com, UID = wolfSSL + Not Before: Feb 18 17:56:57 2026 GMT + Not After : Nov 14 17:56:57 2028 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_sm2, OU=CA-sm2, CN=www.wolfssl.com, emailAddress=info@wolfssl.com, UID=wolfSSL Subject Public Key Info: Public Key Algorithm: sm2 Public-Key: (256 bit) 
@@ -86,16 +86,16 @@ Certificate: Digital Signature, Certificate Sign, CRL Sign Signature Algorithm: SM2-with-SM3 Signature Value: - 30:45:02:20:47:4e:00:03:ab:34:a1:af:59:39:8f:60:36:bf: - 89:88:42:41:27:c1:dd:57:c9:79:cb:1f:56:5c:16:b5:28:bd: - 02:21:00:8b:2e:25:eb:21:9b:a9:2b:a6:6a:5b:db:a7:c7:2b: - 11:df:73:15:ad:e4:c5:c3:c2:f3:b4:b4:67:af:d7:51:1c + 30:46:02:21:00:b2:b9:5b:02:ad:78:f8:52:ba:67:cf:cb:25: + 9b:ba:d9:56:f5:a7:ff:af:25:26:d5:f6:f3:f3:a6:f5:9a:2f: + 9b:02:21:00:bc:96:f3:39:13:76:dc:02:35:39:0e:dc:0a:69: + bf:02:18:b6:01:be:ff:05:d7:2e:f2:7b:67:eb:16:e9:8e:c5 -----BEGIN CERTIFICATE----- -MIICljCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO +MIIClzCCAjygAwIBAgIBATAKBggqgRzPVQGDdTCBlTELMAkGA1UEBhMCVVMxEDAO BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC3dvbGZT U0xfU00yMREwDwYDVQQLDAhSb290LVNNMjEYMBYGA1UEAwwPd3d3LndvbGZzc2wu -Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTIzMDIxNTA2 -MjMwN1oXDTI1MTExMTA2MjMwN1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN +Y29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2MDIxODE3 +NTY1N1oXDTI4MTExNDE3NTY1N1owgawxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdN b250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYDVQQKDAt3b2xmU1NMX3NtMjEP MA0GA1UECwwGQ0Etc20yMRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkq hkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20xFzAVBgoJkiaJk/IsZAEBDAd3b2xm @@ -103,6 +103,6 @@ U1NMMFowFAYIKoEcz1UBgi0GCCqBHM9VAYItA0IABCGS98sk32RNuqtme4N1qSnn /2RjttVCgCC94uICEjuOtACVCYDLVu1Lyo1X5q4F03YnY3E5ibdp5kiArtGpSBKj YzBhMB0GA1UdDgQWBBRHCkh+uwKoWiZXKxmpe2GLf12ZbjAfBgNVHSMEGDAWgBQ0 HXlEFXmhsWOZ4+1lfGSJgP+47DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBhjAKBggqgRzPVQGDdQNIADBFAiBHTgADqzShr1k5j2A2v4mIQkEnwd1XyXnL -H1ZcFrUovQIhAIsuJeshm6krpmpb26fHKxHfcxWt5MXDwvO0tGev11Ec +AwIBhjAKBggqgRzPVQGDdQNJADBGAiEAsrlbAq14+FK6Z8/LJZu62Vb1p/+vJSbV +9vPzpvWaL5sCIQC8lvM5E3bcAjU5DtwKab8CGLYBvv8F1y7ye2frFumOxQ== -----END CERTIFICATE----- diff --git a/src/internal.c b/src/internal.c index 9b8736cac1f..86e16cfdb07 100644 --- a/src/internal.c 
+++ b/src/internal.c @@ -20332,8 +20332,10 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input, out + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size ); - if (ret != 0) + if (ret != 0) { + XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); break; + } XMEMCPY(out, ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ); XMEMCPY(out + AESGCM_EXP_IV_SZ,outBuf,sz - AESGCM_EXP_IV_SZ); @@ -20805,8 +20807,10 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, (byte *)input + sz - ssl->specs.aead_mac_size, ssl->specs.aead_mac_size ); - if (ret != 0) + if (ret != 0) { + XFREE(outBuf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); break; + } XMEMCPY(plain + AESGCM_EXP_IV_SZ, outBuf, sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size); @@ -20832,7 +20836,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, case wolfssl_sm4_cbc: #ifdef WOLFSSL_ASYNC_CRYPT /* initialize event */ - ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, + ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.sm4->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); if (ret != 0) break; @@ -20840,7 +20844,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input, ret = wc_Sm4CbcDecrypt(ssl->decrypt.sm4, plain, input, sz); #ifdef WOLFSSL_ASYNC_CRYPT if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { - ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev); + ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.sm4->asyncDev); } #endif break; @@ -40111,7 +40115,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz, } if (ret == 0) { ret = wc_Sm4GcmDecrypt(sm4, in, out, inLen, iv, GCM_NONCE_MID_SZ, - tag, SM$_BLOCK_SIZE, aad, aadSz); + tag, SM4_BLOCK_SIZE, aad, aadSz); } wc_Sm4Free(sm4); } diff --git a/src/ocsp.c b/src/ocsp.c index 40c255f37d7..7a44f6c978d 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
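Review bot: In the DecryptDo hunk at -20805 the new error path frees `outBuf` without clearing it, although the line right after the check copies `outBuf` into `plain`, so the buffer receives decryption output. When the call fails, that output may be unauthenticated plaintext left behind in freed heap memory; clear it first with `ForceZero(outBuf, <allocation size>);` ahead of the `XFREE`, using the size passed to the allocation, which is outside the hunk. The EncryptDo hunk at -20332 adds the same free on a ciphertext buffer, where zeroing matters less. In both functions the success-path free is presumably a few lines below, so a single cleanup point after the copy would avoid keeping two frees in step.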
@@ -950,7 +950,8 @@ static int OcspRespIdMatches(OcspResponse* resp, const byte* NameHash, SIGNER_DIGEST_SIZE) == 0; } else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY) { - return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + return XMEMCMP(keyHash, resp->responderId.keyHash, + OCSP_RESPONDER_ID_KEY_SZ) == 0; } return 0; diff --git a/src/quic.c b/src/quic.c index 2d6e4a6c878..4860adbc680 100644 --- a/src/quic.c +++ b/src/quic.c @@ -184,13 +184,14 @@ static word32 add_rec_header(byte* output, word32 length, byte type) static sword32 quic_record_transfer(QuicRecord* qr, byte* buf, word32 sz) { - word32 len = qr->end - qr->start; + word32 len; word32 offset = 0; word32 rlen; - if (len <= 0) { + if (qr->end <= qr->start) { return 0; } + len = qr->end - qr->start; /* We check if the buf is at least RECORD_HEADER_SZ */ if (sz < RECORD_HEADER_SZ) { diff --git a/src/ssl_ech.c b/src/ssl_ech.c index 81419d8c105..c7ea7e0e612 100644 --- a/src/ssl_ech.c +++ b/src/ssl_ech.c @@ -48,6 +48,10 @@ int wolfSSL_CTX_GenerateEchConfig(WOLFSSL_CTX* ctx, const char* publicName, if (ctx == NULL || publicName == NULL) return BAD_FUNC_ARG; + /* ECH spec limits public_name to 255 bytes (1-byte length prefix) */ + if (XSTRLEN(publicName) > 255) + return BAD_FUNC_ARG; + WC_ALLOC_VAR_EX(rng, WC_RNG, 1, ctx->heap, DYNAMIC_TYPE_RNG, return MEMORY_E); ret = wc_InitRng(rng); @@ -313,10 +317,16 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) { int i; word16 totalLen = 0; + word16 publicNameLen; if (config == NULL || (output == NULL && outputLen == NULL)) return BAD_FUNC_ARG; + /* ECH spec limits public_name to 255 bytes (1-byte length prefix) */ + if (config->publicName == NULL || XSTRLEN(config->publicName) > 255) + return BAD_FUNC_ARG; + publicNameLen = (word16)XSTRLEN(config->publicName); + /* 2 for version */ totalLen += 2; /* 2 for length */ 
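Review bot: The comparison in OcspRespIdMatches now reads `OCSP_RESPONDER_ID_KEY_SZ` bytes from `keyHash` with nothing in the hunk tying that length to the size of the caller's buffer. The asn.c counterpart OcspRespIdMatch, changed in this same commit, guards the identical compare with `KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ`. If `keyHash` here is also a KEYID_SIZE-wide buffer (its origin is outside the hunk), a build with a smaller KEYID_SIZE would read past it. Mirror the guard: `return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) && XMEMCMP(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ) == 0;`. The function begins and ends outside the hunk.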
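Review bot: The new length check in wolfSSL_CTX_GenerateEchConfig rejects names over 255 bytes but still accepts an empty `publicName`, which would be serialized with a length byte of 0. The ECH config format declares public_name with a minimum length of 1 as far as I recall (confirm against the draft), so the lower bound belongs in the same test: `if (publicName[0] == '\0' || XSTRLEN(publicName) > 255)`. The GetEchConfig hunk at -313 has the same gap. The literal `255` now appears in both functions with the same comment, so a single named constant would keep them from drifting apart.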
@@ -355,7 +365,7 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) totalLen += 2; /* public name */ - totalLen += XSTRLEN(config->publicName); + totalLen += publicNameLen; /* trailing zeros */ totalLen += 2; @@ -435,13 +445,12 @@ int GetEchConfig(WOLFSSL_EchConfig* config, byte* output, word32* outputLen) output++; /* publicName len */ - *output = XSTRLEN(config->publicName); + *output = (byte)publicNameLen; output++; /* publicName */ - XMEMCPY(output, config->publicName, - XSTRLEN(config->publicName)); - output += XSTRLEN(config->publicName); + XMEMCPY(output, config->publicName, publicNameLen); + output += publicNameLen; /* terminating zeros */ c16toa(0, output); diff --git a/src/tls13.c b/src/tls13.c index 50cae9e577d..ca1792a96db 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -3116,7 +3116,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, case wolfssl_sm4_gcm: nonceSz = SM4_GCM_NONCE_SZ; ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input, - dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz, + dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, macSz, aad, aadSz); break; #endif @@ -3125,7 +3125,7 @@ int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, case wolfssl_sm4_ccm: nonceSz = SM4_CCM_NONCE_SZ; ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input, - dataSz, ssl->decrypt.nonce, nonceSz, output + dataSz, + dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, macSz, aad, aadSz); break; #endif diff --git a/src/wolfio.c b/src/wolfio.c index 80d3b65610d..095f55fa812 100644 --- a/src/wolfio.c +++ b/src/wolfio.c 
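Review bot: Neither SM4 case in DecryptTls13 says why the tag argument is `input + dataSz`, and the bug fixed here (taking the tag from `output + dataSz`) is easy to reintroduce by copying a neighbouring case. Add a comment above the call in the `wolfssl_sm4_gcm` case at -3116 and the `wolfssl_sm4_ccm` case at -3125, such as `/* auth tag follows the ciphertext in the received record: read it from input, never from output */`. The old form would only have verified the right bytes when decrypting in place, so a test that decrypts with distinct input and output buffers would pin the fix. The function continues outside both hunks.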
@@ -384,8 +384,8 @@ int SslBioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) } /* If retry and write flags are set, return WANT_WRITE */ - if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_WRITE) && - (ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) { + if ((ssl->biowr->flags & WOLFSSL_BIO_FLAG_WRITE) && + (ssl->biowr->flags & WOLFSSL_BIO_FLAG_RETRY)) { return WOLFSSL_CBIO_ERR_WANT_WRITE; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 78d2c75d59b..3672d27b486 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -18967,8 +18967,9 @@ int ConfirmSignature(SignatureCtx* sigCtx, { #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) if (sigOID == CTC_SM3wSM2) { + /* OpenSSL creates signature without CERT_SIG_ID. */ ret = wc_ecc_sm2_create_digest(CERT_SIG_ID, - CERT_SIG_ID_SZ, buf, bufSz, WC_HASH_TYPE_SM3, + 0, buf, bufSz, WC_HASH_TYPE_SM3, sigCtx->digest, WC_SM3_DIGEST_SIZE, sigCtx->key.ecc); if (ret == 0) { @@ -39572,8 +39573,9 @@ static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash, return XMEMCMP(NameHash, resp->responderId.nameHash, SIGNER_DIGEST_SIZE) == 0; /* OCSP_RESPONDER_ID_KEY */ - return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) && - XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0; + return (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) && + XMEMCMP(keyHash, resp->responderId.keyHash, + OCSP_RESPONDER_ID_KEY_SZ) == 0; } #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK 
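Review bot: The call in ConfirmSignature (asn.c hunk at -18967) still passes `CERT_SIG_ID` but with a length of `0`, which reads like a mistake. It also changes which SM2 certificates verify: a certificate whose signature digest included the ID, which is what this code accepted before the change, will now be rejected. If that is the intent, the one-line comment should say so, for example `/* SM2 ID length is 0 to match OpenSSL-issued certs; certs signed over CERT_SIG_ID no longer verify */`. The signing path is not visible in this hunk; it needs the same ID length, or certificates produced by this library would fail its own verification.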
@@ -39612,8 +39614,15 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm) if (s) return s; } - else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) { - s = GetCAByKeyHash(cm, resp->responderId.keyHash); + else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) { + /* Responder key hash is OCSP_RESPONDER_ID_KEY_SZ bytes (SHA-1 per + * RFC 6960) but lookup functions compare KEYID_SIZE bytes. Zero-pad + * to avoid buffer over-read when KEYID_SIZE > OCSP_RESPONDER_ID_KEY_SZ + * (e.g. when SM2/SM3 is enabled). */ + byte keyHash[KEYID_SIZE]; + XMEMSET(keyHash, 0, KEYID_SIZE); + XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ); + s = GetCAByKeyHash(cm, keyHash); if (s) return s; } @@ -39626,8 +39635,11 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm) if (s) return s; } - else { - s = findSignerByKeyHash(resp->pendingCAs, resp->responderId.keyHash); + else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ) { + byte keyHash[KEYID_SIZE]; + XMEMSET(keyHash, 0, KEYID_SIZE); + XMEMCPY(keyHash, resp->responderId.keyHash, OCSP_RESPONDER_ID_KEY_SZ); + s = findSignerByKeyHash(resp->pendingCAs, keyHash); if (s) return s; }
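Review bot: The zero-pad-and-copy of `resp->responderId.keyHash` into a `KEYID_SIZE` stack buffer is written out twice in OcspFindSigner, and only the first copy (the `GetCAByKeyHash` branch at -39612) carries the comment explaining the over-read it prevents. Moving the declaration, `XMEMSET` and `XMEMCPY` into one small static helper that fills a caller-supplied `byte[KEYID_SIZE]` would keep the two lookups identical and give the explanation a single home. The `pendingCAs` branch at -39626 also changed from a plain `else` to `else if (KEYID_SIZE >= OCSP_RESPONDER_ID_KEY_SZ)`, so a build where that is false now skips the lookup silently, which deserves a one-line comment. The padded lookup can only match if the stored key hashes are zero-padded the same way, which these hunks do not show.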