go 语言生成自签证书文件(SM2)
package main
import (
"crypto/rand"
"crypto/x509/pkix"
"encoding/pem"
"github.com/tjfoc/gmsm/sm2"
"github.com/tjfoc/gmsm/x509"
"math/big"
"net"
"os"
"time"
)
func GenerateCertKeySM2(host, commonName string, alternateIPs []net.IP, alternateDNS []string){priv, err := sm2.GenerateKey(rand.Reader)
if err != nil {panic(err)
}
max := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, max)
template := x509.Certificate{
SerialNumber: serialNumber,
Issuer: pkix.Name{},
Subject: pkix.Name{
CommonName: commonName,
Organization: []string{"Test"},
Country: []string{"CN"},
ExtraNames: []pkix.AttributeTypeAndValue{
{Type: []int{2, 5, 4, 42},
Value: "Gopher",
},
{Type: []int{2, 5, 4, 6},
Value: "NL",
},
},
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 365),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
SignatureAlgorithm: x509.SM2WithSM3,
}
if ip := net.ParseIP(host); ip != nil {template.IPAddresses = append(template.IPAddresses, ip)
}else {template.DNSNames = append(template.DNSNames, host)
}
template.IPAddresses = append(template.IPAddresses, alternateIPs...)
template.DNSNames = append(template.DNSNames, alternateDNS...)
publicKey := priv.Public().(*sm2.PublicKey)
certificateToPem, err := x509.CreateCertificateToPem(&template, &template, publicKey, priv)
if err != nil {panic(err)
}
file, err := os.Create("caSM2.crt")
if err != nil {panic(err)
}
defer file.Close()
file.Write(certificateToPem)
privateKey, err := x509.MarshalSm2PrivateKey(priv, []byte("jjjjjj"))
if err != nil {panic(err)
}
block := pem.Block{
Type: "SM2 PRIVATE KEY",
Headers: nil,
Bytes: privateKey,
}
file, err = os.Create("caSM2.key")
if err != nil {panic(err)
}
defer file.Close()
err = pem.Encode(file, &block)
if err != nil {panic(err)
}
}
func main(){ip := []byte("127.0.0.1")
alternateDNS := []string{"localhost"}
GenerateCertKeySM2("192.168.0.1", "www.example.com", []net.IP{net.ParseIP(string(ip))}, alternateDNS)
}
查看证书信息,用该库生成的证书 Signature Algorithm 字段解析进去的值与 template 中设置的不统一,已在 GitHub 提交了 issue
$ openssl x509 -in caSM2.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:e3:0a:34:c5:8f:49:09:13:e4:7b:77:ec:45:87:c8
Signature Algorithm: 1.2.156.10197.1.501
Issuer: O = Test, CN = www.example.com, GN = Gopher, C = NL
Validity
Not Before: May 28 13:20:58 2021 GMT
Not After : May 28 13:20:58 2022 GMT
Subject: O = Test, CN = www.example.com, GN = Gopher, C = NL
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:85:a3:bf:57:67:23:40:fb:81:c4:3f:14:c9:96:
31:a7:76:68:2b:c7:2b:56:b4:9d:3e:f8:9b:69:ff:
97:60:97:97:5d:09:ad:fe:95:28:d1:75:59:bf:00:
f8:cb:8f:27:d9:af:4d:4d:57:07:d8:dd:20:a7:eb:
d0:6e:2d:25:8f
ASN1 OID: SM2
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:192.168.0.1, IP Address:127.0.0.1
Signature Algorithm: 1.2.156.10197.1.501
30:45:02:20:7f:27:cf:23:2e:53:15:e7:0c:23:3a:6d:3b:23:
f8:6a:8e:6d:cb:ed:6a:af:e5:a3:46:d3:2a:2d:f0:21:1e:d6:
02:21:00:bf:81:4e:74:19:e2:fe:bc:25:86:1b:39:12:8f:b5:
f5:15:76:14:29:f1:5f:9b:32:da:13:b1:1c:bb:3a:f4:8f