linux-crypto.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: davem@davemloft.net, ebiggers@kernel.org, ebiggers@google.com,
	pvanleeuwen@rambus.com, zohar@linux.ibm.com, gilad@benyossef.com,
	jarkko.sakkinen@linux.intel.com, dmitry.kasatkin@intel.com,
	nicstange@gmail.com, tadeusz.struk@intel.com, jmorris@namei.org,
	serge@hallyn.com, zhang.jia@linux.alibaba.com,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 0/7] crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm
Date: Thu, 16 Apr 2020 14:37:25 +0800	[thread overview]
Message-ID: <f0122a77-714d-7fc3-4272-2bf9bd36da5c@linux.alibaba.com> (raw)
In-Reply-To: <20200416060136.GA19149@gondor.apana.org.au>



On 2020/4/16 14:01, Herbert Xu wrote:
> On Thu, Apr 02, 2020 at 08:34:57PM +0800, Tianjia Zhang wrote:
>> Hello all,
>>
>> This new module implement the OSCCA certificate and SM2 public key
>> algorithm. It was published by State Encryption Management Bureau, China.
>> List of specifications for OSCCA certificate and SM2 elliptic curve
>> public key cryptography:
>>
>> * GM/T 0003.1-2012
>> * GM/T 0003.2-2012
>> * GM/T 0003.3-2012
>> * GM/T 0003.4-2012
>> * GM/T 0003.5-2012
>> * GM/T 0015-2012
>> * GM/T 0009-2012
>>
>> IETF: https://tools.ietf.org/html/draft-shen-sm2-ecdsa-02
>> oscca: http://www.oscca.gov.cn/sca/xxgk/2010-12/17/content_1002386.shtml
>> scctc: http://www.gmbz.org.cn/main/bzlb.html
>>
>> These patchs add the OID object identifier defined by OSCCA. The
>> x509 certificate supports sm2-with-sm3 type certificate parsing
>> and verification.
> 
> I don't have any objections to the crypto API bits, but obviously
> this is contingent on the x509 bits getting accepted since that's
> the only in-kernel user.  So can I see some acks on that please?
> 
> Thanks,
> 

Thanks for Herbert's reply. At present, the latest mainline openssl can 
generate SM2-with-SM3 certificates. I also provide commands for 
generating certificates and a test certificate in PEM format.

``` bash
#!/bin/bash

if [ ! -f openssl.cnf ]; then
	cat > openssl.cnf << EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_req

[ req_distinguished_name ]
O = Test
OU = Test
CN = Test key
emailAddress = test@foo.com

[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
fi

openssl ecparam -genkey -name SM2 -text -out private.pem

openssl req -new \
	-key private.pem \
	-out csr.pem \
	-sm3 -sigopt "distid:1234567812345678" \
     -subj 
"/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=hello/emailAddress=hello@world.com"

openssl ecparam -genkey -name SM2 -text -out ca.key

openssl req -new \
     -x509 -days 3650 \
     -sm3 -sigopt "distid:1234567812345678" \
     -key ca.key \
     -out ca.crt \
     -subj "/C=CN/ST=GS/L=Gt/O=baba/OU=OS/CN=ca/emailAddress=ca@world.com"

openssl x509 -req -days 3650 \
     -sm3 \
     -sigopt "distid:1234567812345678" \
	-vfyopt "distid:1234567812345678" \
     -CA ca.crt -CAkey ca.key -CAcreateserial \
     -extfile openssl.cnf -extensions v3_req \
     -in csr.pem \
     -out cert.pem

openssl x509 -in ca.crt -outform DER -out ca.der
openssl x509 -in cert.pem -outform DER -out cert.der
```

The following content is the CA certificate and the signed SM2-with-SM3 
certificate generated by the above command, both in PEM format.

-----BEGIN CERTIFICATE-----
MIICLjCCAdWgAwIBAgIUEoozP6LzMYWh4gCpcWlzsUyfgsIwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBt
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzELMAkGA1UEAwwCY2ExGzAZBgkqhkiG9w0BCQEW
DGNhQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABMTGRiHezKm5
MiKHlyfa5Bv5jLxge/WRRG0nLNsZx1yf0XQTQBR/tFFjPGePEr7+Fa1CPgYpXExx
i44coYMmQT6jUzBRMB0GA1UdDgQWBBSjd9GWIe98Ll9J0dquxgCktp9DrTAfBgNV
HSMEGDAWgBSjd9GWIe98Ll9J0dquxgCktp9DrTAPBgNVHRMBAf8EBTADAQH/MAoG
CCqBHM9VAYN1A0cAMEQCIAvLWIfGFq85u/vVMLc5H1D/DnrNS0VhSkQA4daRO4tc
AiABbeWENcQZDZLWTuqG9P2KDPOoNqV/QV/+0XjMAVblhg==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIICPzCCAeWgAwIBAgIUIaawP5HQDi5kTruyhLudFfeQ7uwwCgYIKoEcz1UBg3Uw
bTELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdTMQswCQYDVQQHDAJHdDENMAsGA1UE
CgwEYmFiYTELMAkGA1UECwwCT1MxCzAJBgNVBAMMAmNhMRswGQYJKoZIhvcNAQkB
FgxjYUB3b3JsZC5jb20wHhcNMjAwNDE1MTE1NDA3WhcNMzAwNDEzMTE1NDA3WjBz
MQswCQYDVQQGEwJDTjELMAkGA1UECAwCR1MxCzAJBgNVBAcMAkd0MQ0wCwYDVQQK
DARiYWJhMQswCQYDVQQLDAJPUzEOMAwGA1UEAwwFaGVsbG8xHjAcBgkqhkiG9w0B
CQEWD2hlbGxvQHdvcmxkLmNvbTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABI6g
M2mRfj3srY7wRV4TPmhbjKtcxshQ35EA4CRzTTHyLsDVa+7amJPs2Daquc9jgu+n
GgPtFrp0uIv55XA5pHCjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0G
A1UdDgQWBBQ76UB0skz7y4ic5V/PIWFLZ5XoDDAfBgNVHSMEGDAWgBSjd9GWIe98
Ll9J0dquxgCktp9DrTAKBggqgRzPVQGDdQNIADBFAiEA25WAmaN7g7M26lwMad4H
AeO8YNSBOcHKc8AfCdYSS88CIBJji4xRm+wXCR9qkXj4g8HVhaYpvwlMukk9EYxw
09gJ
-----END CERTIFICATE-----


The following is the certificate information of SM2-with-SM3, the 
following command output:
`openssl x509 -in cert.pem -noout -text`

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             21:a6:b0:3f:91:d0:0e:2e:64:4e:bb:b2:84:bb:9d:15:f7:90:ee:ec
         Signature Algorithm: SM2-with-SM3
         Issuer: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN = ca, 
emailAddress = ca@world.com
         Validity
             Not Before: Apr 15 11:54:07 2020 GMT
             Not After : Apr 13 11:54:07 2030 GMT
         Subject: C = CN, ST = GS, L = Gt, O = baba, OU = OS, CN = 
hello, emailAddress = hello@world.com
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
                     04:8e:a0:33:69:91:7e:3d:ec:ad:8e:f0:45:5e:13:
                     3e:68:5b:8c:ab:5c:c6:c8:50:df:91:00:e0:24:73:
                     4d:31:f2:2e:c0:d5:6b:ee:da:98:93:ec:d8:36:aa:
                     b9:cf:63:82:ef:a7:1a:03:ed:16:ba:74:b8:8b:f9:
                     e5:70:39:a4:70
                 ASN1 OID: SM2
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Key Usage:
                 Digital Signature
             X509v3 Subject Key Identifier:
                 3B:E9:40:74:B2:4C:FB:CB:88:9C:E5:5F:CF:21:61:4B:67:95:E8:0C
             X509v3 Authority Key Identifier:
                 A3:77:D1:96:21:EF:7C:2E:5F:49:D1:DA:AE:C6:00:A4:B6:9F:43:AD
     Signature Algorithm: SM2-with-SM3
     Signature Value:
         30:45:02:21:00:db:95:80:99:a3:7b:83:b3:36:ea:5c:0c:69:
         de:07:01:e3:bc:60:d4:81:39:c1:ca:73:c0:1f:09:d6:12:4b:
         cf:02:20:12:63:8b:8c:51:9b:ec:17:09:1f:6a:91:78:f8:83:
         c1:d5:85:a6:29:bf:09:4c:ba:49:3d:11:8c:70:d3:d8:09



If additional information is needed, I can provide it.

Thanks and best,
Tianjia

  reply	other threads:[~2020-04-16  6:38 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-02 12:34 [PATCH v2 0/7] crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm Tianjia Zhang
2020-04-02 12:34 ` [PATCH v2 1/7] crypto: sm3 - export crypto_sm3_final function Tianjia Zhang
2020-04-02 12:34 ` [PATCH v2 2/7] lib/mpi: Extend the MPI library Tianjia Zhang
2020-04-02 12:35 ` [PATCH v2 3/7] lib/mpi: Introduce ec implementation to " Tianjia Zhang
2020-04-02 12:35 ` [PATCH v2 4/7] crypto: sm2 - introduce OSCCA SM2 asymmetric cipher algorithm Tianjia Zhang
2020-04-02 12:35 ` [PATCH v2 5/7] crypto: testmgr - support test with different ciphertext per encryption Tianjia Zhang
2020-04-02 12:35 ` [PATCH v2 6/7] X.509: support OSCCA certificate parse Tianjia Zhang
2020-04-02 12:35 ` [PATCH v2 7/7] X.509: support OSCCA sm2-with-sm3 certificate verification Tianjia Zhang
2020-04-16  6:01 ` [PATCH v2 0/7] crpyto: introduce OSCCA certificate and SM2 asymmetric algorithm Herbert Xu
2020-04-16  6:37   ` Tianjia Zhang [this message]
2020-05-29 11:04   ` Tianjia Zhang
2020-05-29 11:52     ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f0122a77-714d-7fc3-4272-2bf9bd36da5c@linux.alibaba.com \
    --to=tianjia.zhang@linux.alibaba.com \
    --cc=davem@davemloft.net \
    --cc=dmitry.kasatkin@intel.com \
    --cc=ebiggers@google.com \
    --cc=ebiggers@kernel.org \
    --cc=gilad@benyossef.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=jmorris@namei.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nicstange@gmail.com \
    --cc=pvanleeuwen@rambus.com \
    --cc=serge@hallyn.com \
    --cc=tadeusz.struk@intel.com \
    --cc=zhang.jia@linux.alibaba.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).