Using SM2 GM (国密) certificates with Spring Boot and the Tencent Kona SM Suite: generating truststore.p12 and keystore.p12; configuring SM2 GM certificates in Angie (nginx)

Overview

This article describes how the truststore.p12 and keystore.p12 files referenced by a Spring Boot SM2 GM certificate configuration are generated.
It is aimed at readers who want Spring Boot itself to support GM HTTPS. Strictly speaking, it is not necessary to configure this in Spring Boot at all: Angie, a Russian nginx-like load balancer, can be configured with the GM dual certificates and achieves the same result, so readers who are comfortable with nginx may want to try that. As for the Kona suite, I only need it for parsing certificates and assembling the P12 files; SM2, SM3 and SM4 themselves are performed by cryptographic products such as a USB key or a server HSM, so I have little need for Kona's other functions.

Note: the Kona demo is a Spring Boot 2 project on JDK 1.8, so you need Kona's JDK 8, which is available on GitHub and can be downloaded and configured yourself.
This is my JDK environment on Windows 10:

C:\Users\test>java -version
openjdk version "1.8.0_422"
OpenJDK Runtime Environment (Tencent Kona 8.0.19) (build 1.8.0_422-b1)
OpenJDK 64-Bit Server VM (Tencent Kona 8.0.19) (build 25.422-b1, mixed mode)

Project URL: https://github.com/Tencent/TencentKonaSMSuite

I am still learning this myself; comments and corrections are welcome.

The content of this article actually comes from the issues on the Kona SM Suite GitHub repository; I collected and organised material going back several years.

File: TencentKonaSMSuite/kona-demo/src/main/resources/application.yml, contents as follows. Note that the store passwords are literal values here; in a real deployment they would normally be supplied through a property placeholder or environment variable rather than committed in the file.

server:  
  port: 8443

  ssl:
    enabled: true

    provider: Kona

    trust-store-provider: Kona
    trust-store-type: PKCS12
    trust-store: classpath:ssl/truststore.p12
    trust-store-password: truststorepass

    key-store-provider: Kona
    key-store-type: PKCS12
    key-store: classpath:ssl/keystore.p12
    key-store-password: keystorepass

    # This context protocol supports TLCPv1.1, TLSv1.3 and TLSv1.2,
    # and will take the providers from TencentKonaSMSuite to work.
    protocol: TLCP

    client-auth-enabled: false

  http2:
    enabled: true

Step 1: build OpenSSL 3.0.3 and Ant Group's Tongsuo

Ant Group's Tongsuo has to be built; at the time I needed OpenSSL 3.0.3 for this.

wget https://www.openssl.org/source/openssl-3.0.3.tar.gz
tar -xzvf openssl-3.0.3.tar.gz
cd openssl-3.0.3
# Remove the old OpenSSL 1.1.1. Caution: purging the distribution's openssl
# package can break system tools that depend on it; the source build below
# into its own prefix does not actually require this step.
sudo apt remove --purge openssl libssl-dev
# Build the new 3.0.3
sudo ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
sudo make -j8
sudo make install

# Put the new OpenSSL on the PATH and library search path
sudo vim /etc/profile

export PATH=/usr/local/openssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH=/usr/local/openssl/lib64:$LD_LIBRARY_PATH
source /etc/profile
# Build Tongsuo (run inside the Tongsuo source tree, cloned from
# https://github.com/Tongsuo-Project/Tongsuo). enable-ntls turns on the
# TLCP (NTLS) support needed for GM dual-certificate TLS. Using the same
# --prefix as above installs Tongsuo's files over the OpenSSL 3.0.3 tree;
# pick a separate prefix (and adjust PATH/LD_LIBRARY_PATH) if you need both.
./config --prefix=/usr/local/openssl -Wl,-rpath,/usr/local/openssl/lib enable-ec_elgamal enable-paillier enable-ntls
make -j8
sudo make install


Remember to run source /etc/profile before using it.

FAQ: the Tongsuo build may fail with

crypto/ec/ec_elgamal_crypt.c: In function ‘EC_ELGAMAL_CTX_new’:
crypto/ec/ec_elgamal_crypt.c:96:9: error: label ‘err’ used but not defined
96 | goto err;
| ^~~~

The goto err is unconditional, but the err: label is defined inside an #ifndef OPENSSL_NO_TWISTED_EC_ELGAMAL block, so when twisted EC-ElGamal is compiled out the label does not exist. Move the label outside the #ifndef in crypto/ec/ec_elgamal_crypt.c:

/* old code around line 96, commented out */
/*#ifndef OPENSSL_NO_TWISTED_EC_ELGAMAL
err:
    OPENSSL_free(buf);
    BN_CTX_free(bn_ctx);
    EC_ELGAMAL_CTX_free(ctx);
    return NULL;
#endif
*/
/* replacement: the label is always defined, the cleanup stays conditional */
err:
#ifndef OPENSSL_NO_TWISTED_EC_ELGAMAL
    if (ctx != NULL) {
        OPENSSL_free(buf);
        BN_CTX_free(bn_ctx);
        EC_ELGAMAL_CTX_free(ctx);
    }
#endif
    return NULL;

Step 2: generate the TLCP GM dual certificates

Use this file from the Kona repository: TencentKonaSMSuite/kona-pkix/src/test/resources/gen_tlcp_certs.sh. It drives Tongsuo (OPENSSL=tongsuo) to create an SM2 root CA, an intermediate CA, and server and client end-entity certificates, signing everything with SM3. The extension files it writes first are what matter for TLCP: ee-sign.ext gives the signing certificate digitalSignature only, ee-enc.ext gives the encryption certificate keyEncipherment/dataEncipherment/keyAgreement, and ee.ext produces a combined sign+enc certificate.

#!/usr/bin/env bash
#
# Copyright (C) 2022, 2024, THL A29 Limited, a Tencent company. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

TLCP_DIR="tlcp"
if [ ! -d ${TLCP_DIR} ]; then
  echo "mkdir tlcp_certs"
  mkdir ${TLCP_DIR}
fi
cd ${TLCP_DIR}

echo "Generate X.509 version 3 extensions for CA"
cat > ca.ext << EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:TRUE
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
EOF

echo "Generate X.509 version 3 extensions for sign + enc EE"
cat > ee.ext << EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement
EOF

echo "Generate X.509 version 3 extensions for sign EE"
cat > ee-sign.ext << EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
EOF

echo "Generate X.509 version 3 extensions for enc EE"
cat > ee-enc.ext << EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
keyUsage=critical,keyEncipherment,dataEncipherment,keyAgreement
EOF

OPENSSL=tongsuo

##### CA
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-ca.key
$OPENSSL req -new -key tlcp-ca.key -subj "/CN=tlcp-ca" -sm3 -out tlcp-ca.csr
$OPENSSL x509 -extfile ca.ext -req -CAcreateserial -days 3650 -in tlcp-ca.csr -sm3 \
    -signkey tlcp-ca.key -out tlcp-ca.crt.tmp
$OPENSSL x509 -text -in tlcp-ca.crt.tmp > tlcp-ca.crt

##### Intermediate CA
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-intca.key
$OPENSSL req -new -key tlcp-intca.key -subj "/CN=tlcp-intca" -sm3 -out tlcp-intca.csr
$OPENSSL x509 -extfile ca.ext -req -CAcreateserial -days 3650 -in tlcp-intca.csr -sm3 \
    -CA tlcp-ca.crt -CAkey tlcp-ca.key -out tlcp-intca.crt.tmp
$OPENSSL x509 -text -in tlcp-intca.crt.tmp > tlcp-intca.crt

##### Sign + Enc EE (Server)
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-server.key
$OPENSSL req -new -key tlcp-server.key -subj "/CN=tlcp-server" -sm3 -out tlcp-server.csr
$OPENSSL x509 -extfile ee.ext -req -CAcreateserial -days 3650 -in tlcp-server.csr -sm3 \
    -CA tlcp-intca.crt -CAkey tlcp-intca.key -out tlcp-server.crt.tmp
$OPENSSL x509 -text -in tlcp-server.crt.tmp > tlcp-server.crt

##### Sign + Enc EE (Client)
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-client.key
$OPENSSL req -new -key tlcp-client.key -subj "/CN=tlcp-client" -sm3 -out tlcp-client.csr
$OPENSSL x509 -extfile ee.ext -req -CAcreateserial -days 3650 -in tlcp-client.csr -sm3 \
    -CA tlcp-intca.crt -CAkey tlcp-intca.key -out tlcp-client.crt.tmp
$OPENSSL x509 -text -in tlcp-client.crt.tmp > tlcp-client.crt

##### Sign EE (Server)
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-server-sign.key
$OPENSSL req -new -key tlcp-server-sign.key -subj "/CN=tlcp-server-sign" -sm3 -out tlcp-server-sign.csr
$OPENSSL x509 -extfile ee-sign.ext -req -CAcreateserial -days 3650 -in tlcp-server-sign.csr -sm3 \
    -CA tlcp-intca.crt -CAkey tlcp-intca.key -out tlcp-server-sign.crt.tmp
$OPENSSL x509 -text -in tlcp-server-sign.crt.tmp > tlcp-server-sign.crt

##### Sign EE (Client)
$OPENSSL genpkey -algorithm ec -pkeyopt ec_paramgen_curve:SM2 -pkeyopt ec_param_enc:named_curve -out tlcp-client-sign.key
$OPENSSL req -new -key tlcp-client-sign.key -subj "/CN=tlcp-client-sign" -sm3 -out tlcp-client-sign.csr
$OPENSSL x509 -extfile ee-sign.ext -req -CAcreateserial -days 3650 -in tlcp-client-sign.csr -sm3 \
    -CA tlcp-intca.crt -CAkey tlcp-intca.key -out tlcp-client-sign.crt.tmp
$OPENSSL x509 -text -in tlcp-clien
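The .crt files the script produces contain the output of tongsuo x509 -text, so the key usage each certificate ended up with can be checked before the files are packed into keystore.p12. The following Python script is an added example, not code from the Kona project or from this post: it parses that text and verifies that a sign/enc pair is on the SM2 curve, is end-entity (CA:FALSE), has digitalSignature on the signing certificate and keyEncipherment/keyAgreement on the encryption certificate, and shares an issuer. The embedded certificate texts are constructed stand-ins with placeholder values, and the subject name tlcp-server-enc is an assumption, since the copy of the script above is cut off before its enc section.

```python
"""Check a TLCP sign/enc certificate pair from `tongsuo x509 -text` output.

Added example, not code from the Kona project or from this post. The .crt files
written by gen_tlcp_certs.sh start with exactly this text (the PEM block that
follows is ignored). Certificate texts embedded below are constructed stand-ins
with placeholder values, not real certificates.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Key usage names exactly as OpenSSL/Tongsuo print them in -text output.
SIGN_USAGES = frozenset({"Digital Signature"})
ENC_USAGES = frozenset({"Key Encipherment", "Data Encipherment", "Key Agreement"})


@dataclass(frozen=True)
class CertInfo:
    subject: str
    issuer: str
    curve: Optional[str]      # "SM2" for a GM certificate, None if not EC
    is_ca: Optional[bool]     # None when basicConstraints is absent
    key_usage: FrozenSet[str]


def _line_after(text: str, marker: str) -> Optional[str]:
    """Stripped line following the first line that contains marker."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if marker in line:
            return lines[i + 1].strip()
    return None


def parse_x509_text(text: str) -> CertInfo:
    """Pull subject, issuer, curve, basicConstraints and keyUsage out of -text output."""
    def field(name: str) -> str:
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(name), text, re.M)
        if m is None:
            raise ValueError("no %s line in certificate text" % name)
        return m.group(1)

    curve = re.search(r"^\s*ASN1 OID:\s*(\S+)", text, re.M)
    bc = _line_after(text, "X509v3 Basic Constraints")
    ku = _line_after(text, "X509v3 Key Usage")
    return CertInfo(
        subject=field("Subject"),
        issuer=field("Issuer"),
        curve=curve.group(1) if curve else None,
        is_ca=None if bc is None else bc.startswith("CA:TRUE"),
        key_usage=frozenset(u.strip() for u in ku.split(",")) if ku else frozenset(),
    )


def role(info: CertInfo) -> str:
    """TLCP role implied by key usage: ca, sign, enc, sign+enc or none."""
    if info.is_ca:
        return "ca"
    has_sign = bool(info.key_usage & SIGN_USAGES)
    has_enc = bool(info.key_usage & ENC_USAGES)
    if has_sign and has_enc:
        return "sign+enc"
    return "sign" if has_sign else "enc" if has_enc else "none"


def check_tlcp_pair(sign_text: str, enc_text: str) -> List[str]:
    """Problems found in a sign/enc pair; an empty list means the pair is usable."""
    sign, enc = parse_x509_text(sign_text), parse_x509_text(enc_text)
    problems = []
    for label, info in (("sign", sign), ("enc", enc)):
        if info.curve != "SM2":
            problems.append("%s cert is not on the SM2 curve (got %r)" % (label, info.curve))
        if info.is_ca is not False:
            problems.append("%s cert must carry basicConstraints CA:FALSE" % label)
    if role(sign) not in ("sign", "sign+enc"):
        problems.append("sign cert lacks digitalSignature (role %s)" % role(sign))
    if role(enc) not in ("enc", "sign+enc"):
        problems.append("enc cert lacks keyEncipherment/keyAgreement (role %s)" % role(enc))
    if sign.issuer != enc.issuer:
        problems.append("sign and enc certs come from different issuers")
    return problems


def _sample(subject: str, issuer: str, ca: bool, usages: str, curve: str = "SM2") -> str:
    """Constructed stand-in for tongsuo x509 -text output (placeholder values)."""
    return (
        "Certificate:\n"
        "    Data:\n"
        "        Signature Algorithm: SM2-with-SM3\n"
        "        Issuer: CN = %s\n"
        "        Subject: CN = %s\n"
        "        Subject Public Key Info:\n"
        "            Public Key Algorithm: id-ecPublicKey\n"
        "                ASN1 OID: %s\n"
        "        X509v3 extensions:\n"
        "            X509v3 Basic Constraints: critical\n"
        "                CA:%s\n"
        "            X509v3 Key Usage: critical\n"
        "                %s\n"
        "-----BEGIN CERTIFICATE-----\nMIIB(placeholder)\n-----END CERTIFICATE-----\n"
    ) % (issuer, subject, curve, "TRUE" if ca else "FALSE", usages)


# What ca.ext, ee-sign.ext, ee-enc.ext and ee.ext produce; the *-enc subject
# name is assumed, the script on the page is cut off before its enc section.
INTCA_TEXT = _sample("tlcp-intca", "tlcp-ca", True, "Digital Signature, Certificate Sign, CRL Sign")
SERVER_SIGN_TEXT = _sample("tlcp-server-sign", "tlcp-intca", False, "Digital Signature")
SERVER_ENC_TEXT = _sample("tlcp-server-enc", "tlcp-intca", False,
                          "Key Encipherment, Data Encipherment, Key Agreement")
SERVER_BOTH_TEXT = _sample("tlcp-server", "tlcp-intca", False,
                           "Digital Signature, Key Encipherment, Data Encipherment, Key Agreement")
# An enc certificate mistakenly issued with ee-sign.ext instead of ee-enc.ext.
SERVER_ENC_WRONG_TEXT = _sample("tlcp-server-enc", "tlcp-intca", False, "Digital Signature")

if __name__ == "__main__":
    print("good pair:", check_tlcp_pair(SERVER_SIGN_TEXT, SERVER_ENC_TEXT))
    print("bad pair:", check_tlcp_pair(SERVER_SIGN_TEXT, SERVER_ENC_WRONG_TEXT))
```

Feed check_tlcp_pair() the contents of a signing .crt and its matching encryption .crt; a non-empty list means the pair should not be packed into keystore.p12 as is. The check only reads what the CLI printed and does not verify signatures or the chain; tongsuo verify with the CA files is the tool for that.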