Add GMSSL support #908
addAlgorithmImplementation to provide
The client can successfully establish a GMSSL connection
sync with upstream
Simplified the conversion of SM2 between ASN1 and C1C3C2 formats. add test needed certificates and keys
…n refuse connection. finish server side gmssl debug, gm browser access test.
…master # Conflicts: # tls/src/main/java/org/bouncycastle/tls/SignatureAlgorithm.java # tls/src/main/java/org/bouncycastle/tls/SignatureAndHashAlgorithm.java
and attach apache HttpClient HTTP Client example.
Apache HTTPClient GMSSL Example:

```java
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.bouncycastle.jsse.provider.gm.GMSimpleSSLSocketFactory;

import java.security.Security;

/**
 * GMSSL Http Client test
 *
 * @author Cliven
 * @since 2021-02-05 13:25:06
 */
public class GMHttpClient {
    public static void main(String[] args) throws Exception {
        // Register the Bouncy Castle provider so the SM2/SM3/SM4 algorithms are available.
        Security.addProvider(new BouncyCastleProvider());
        // Socket factory added by this PR; it performs the GMSSL handshake.
        GMSimpleSSLSocketFactory factory = new GMSimpleSSLSocketFactory();
        // NoopHostnameVerifier turns off hostname verification; this test targets a local endpoint.
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(factory, new NoopHostnameVerifier());
        HttpClient client = HttpClientBuilder.create()
                .setSSLSocketFactory(sf)
                .build();
        // Fetch from the local GMSSL test server and print the response body.
        final HttpResponse response = client.execute(new HttpGet("https://127.0.0.1:5557"));
        response.getEntity().writeTo(System.out);
    }
}
```
|
Just one thing, we do not allow author tags (which I'll admit can be annoying as most IDEs now insist on inserting one when you create a file, here we take the attitude that if anything's broken, it's all our problem). I think we can accept this otherwise. I just wanted to check that was understood. |
I have removed all |
Thanks. Just one other thing, is this meant to be compliant with RFC 8998? I just noticed there was a comment concerning TLS 1.1. at the top. Okay, I've done a bit more reading. This is different from RFC 8998 isn't it? In some ways it's not really TLS is it, it's more a TLS like protocol. Would that be correct? |
Correct.
Although it is called SSL, it is closer to TLS because it is modified from TLS RFC4346. Most of the content is the same as TLS1.1, except that ShangMi (SM) Cipher is used. I personally think that it may be more appropriate to call it GMTLS, but it is called GMSSL in GMT0024-2012, which is just a difference in name. The latest version of Chinese cipher algorithm has been added in TLS1.3, I remember the protocol number is RFC8998 ShangMi (SM) Cipher Suites for TLS 1.3, they are not the same thing. RFC8998 describes the addition of ShangMi (SM) algorithm suite to TLS1.3, while GMT0024-2012 is an independent revision branch based on TLS1.1. |
One question that has come up is how does the Certificate message work in the SM2 key exchange algorithm. There appear to be 2 end-entity certificates in the message, are there going to be others in the chain and do the two certificates have a common issuer? |
We've finished analysing the patches. It's been quite a valuable exercise in the sense that it has shown up some shortcomings in our approach. We feel that treating GM SSL as a branch of TLS 1.1 may be the best way to go also. You'll notice more and more conflicts with your patch as we do the merge. We'll let you know when we are done, hopefully at that point we'll have something you can simply start using. There is no need to make any changes at the moment. |
ok, thanks |
When will this branch be merged? |
We're still working through it. You should see bits of it showing up now though. |
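May I ask how the client certificate should be set up in the example? When the client connects, shouldn't it be enough to pass the CA certificate, the signing certificate/key, and the encryption certificate/key? But the GMSSKeyParameters constructor is very unclear. |
I have not yet had time to handle the client's verification of the server certificate, or mutual authentication; this branch currently implements only one-way GMSSL. |
Accessing https://demo.gmssl.cn works without problems, but some URLs that use GM certificates throw a handshake-failure exception like this, causing the connection to fail:
UPDATE: Found the cause. The TlsClientProtocol class sends a renegotiation request; if the server side does not support renegotiation, the result is Alert 40. For now, commenting out this line is enough.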
|
Hi @dghgit, do you have a plan to merge this PR, or is there another official solution to support GMSSL?
GMSSL follows the specification 《GMT 0024-2014 SSL VPN Technical Specification》
GMSSL is a variant of TLS1.1 (RFC4346)
Uses an independent protocol version number, 0x0101
Cipher suite uses the GM algorithms SM2_SM4_SM3
The certificate message contains two certificates: the first for signing, the second for encryption.
For more differences, see https://blog.csdn.net/q1009020096/article/details/114321986?spm=1001.2014.3001.5501
For testing and use, see:
more:
reference:
[1]. IETF. RFC4346. 2006
[2]. Cryptography Industry Standardization Technical Committee. GMT 0024-2014 SSL VPN Technical Specification. 2014
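
The description above gives GMSSL its own version number (0x0101) and a Certificate message whose first entry is the signing certificate and whose second is the encryption certificate. The following is an added example, not code from this PR or from Bouncy Castle: a strict parser for that layout, assuming the message body keeps the TLS 1.1 `certificate_list` encoding (24-bit lengths). The class name, method names and sample bytes are hypothetical.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class, not part of the PR.
public class GmCertificateList {
    static final int GMSSL_VERSION = 0x0101; // value given in the PR description
    static final int TLS11_VERSION = 0x0302; // TLS 1.1 (RFC 4346)

    // Reads a 24-bit big-endian length (assumed: same vector encoding as TLS 1.1).
    static int readUint24(ByteBuffer in) {
        if (in.remaining() < 3) throw new IllegalArgumentException("truncated length");
        return ((in.get() & 0xff) << 16) | ((in.get() & 0xff) << 8) | (in.get() & 0xff);
    }

    // Splits a Certificate message body into entries, rejecting inconsistent lengths.
    static List<byte[]> parse(byte[] body) {
        ByteBuffer in = ByteBuffer.wrap(body);
        if (readUint24(in) != in.remaining()) throw new IllegalArgumentException("list length mismatch");
        List<byte[]> certs = new ArrayList<>();
        while (in.hasRemaining()) {
            int len = readUint24(in);
            if (len == 0 || len > in.remaining()) throw new IllegalArgumentException("bad entry length");
            byte[] der = new byte[len];
            in.get(der);
            certs.add(der);
        }
        // Per the description: entry 0 signs, entry 1 encrypts; fewer than two is invalid.
        if (certs.size() < 2) throw new IllegalArgumentException("expected sign + encrypt certificates");
        return certs;
    }

    static String versionName(int version) {
        if (version == GMSSL_VERSION) return "GMSSL";
        return version == TLS11_VERSION ? "TLS 1.1" : "other";
    }

    public static void main(String[] args) {
        // Constructed sample: two placeholder entries, not real DER certificates.
        byte[] body = {0, 0, 9, 0, 0, 2, 0x30, 0x00, 0, 0, 1, 0x30};
        List<byte[]> certs = parse(body);
        System.out.println("version 0x0101 -> " + versionName(0x0101));
        System.out.println("signing cert bytes: " + certs.get(0).length);
        System.out.println("encryption cert bytes: " + certs.get(1).length);
        System.out.println("entries with no stated role: " + (certs.size() - 2));
    }
}
```

Entries beyond the second are returned but given no role, since the thread leaves open whether further chain certificates follow the two end-entity certificates.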