tongsuo-project / tongsuo-go-sdk
License: Apache License 2.0
We will soon need to integrate SM (国密, Chinese commercial cryptography) based secure communication. Is there a concrete release plan? If convenient, could you share it? Many thanks!
Add macOS CI
Error output:
could not determine kind of name for C.SSL_CTX_use_enc_PrivateKey
could not determine kind of name for C.SSL_CTX_use_enc_certificate
could not determine kind of name for C.SSL_CTX_use_sign_PrivateKey
could not determine kind of name for C.SSL_CTX_use_sign_certificate
After modifying the code to ignore these functions, the build fails with:
shim.c:501:9: error: implicit declaration of function 'NTLS_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
shim.c:501:9: warning: incompatible integer to pointer conversion returning 'int' from a function with result type 'const SSL_METHOD *' (aka 'const struct ssl_method_st *') [-Wint-conversion]
shim.c:504:9: error: implicit declaration of function 'NTLS_client_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
shim.c:504:9: warning: incompatible integer to pointer conversion returning 'int' from a function with result type 'const SSL_METHOD *' (aka 'const struct ssl_method_st *') [-Wint-conversion]
shim.c:507:9: error: implicit declaration of function 'NTLS_server_method' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
shim.c:507:9: warning: incompatible integer to pointer conversion returning 'int' from a function with result type 'const SSL_METHOD *' (aka 'const struct ssl_method_st *') [-Wint-conversion]
shim.c:515:9: error: implicit declaration of function 'SSL_CTX_enable_ntls' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
shim.c:515:9: note: did you mean 'X_SSL_CTX_enable_ntls'?
shim.c:514:6: note: 'X_SSL_CTX_enable_ntls' declared here
shim.c:515:2: error: void function 'X_SSL_CTX_enable_ntls' should not return a value [-Wreturn-type]
Tongsuo library version in use: 8.3.2
A question: when using Go, is SM-based TLS 1.x currently supported? It looks like the server side can be started, but the client has no way to verify the peer certificate.
I tried starting a TLS 1.3 TCP server:
tsCtx, err := tongsuosdk.NewCtx()
if err != nil {
	panic(errors.Wrap(err, "new ctx"))
}
cert, err := tscrypto.LoadCertificateFromPEM(certPem)
if err != nil {
	panic(errors.Wrap(err, "load cert"))
}
if err = tsCtx.UseCertificate(cert); err != nil {
	panic(errors.Wrap(err, "use cert"))
}
prikey, err := tscrypto.LoadPrivateKeyFromPEM(prikeyPem)
if err != nil {
	panic(errors.Wrap(err, "load prikey"))
}
// UsePrivateKey returns an error (for example on a key/certificate mismatch);
// check it like the other calls instead of discarding it.
if err = tsCtx.UsePrivateKey(prikey); err != nil {
	panic(errors.Wrap(err, "use prikey"))
}
listener, err := tongsuosdk.Listen("tcp", "127.0.0.1:48271", tsCtx)
From the command line the server certificate is visible:
tongsuo s_client -connect 127.0.0.1:48271
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Leaf Cert
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Leaf Cert
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Leaf Cert
verify return:1
---
Certificate chain
0 s:C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Leaf Cert
i:C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Root CA
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: SM2-SM3
v:NotBefore: Dec 20 07:03:25 2023 GMT; NotAfter: Dec 17 07:03:25 2033 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Leaf Cert
issuer=C = CN, ST = Shanghai, L = Shanghai, O = BBT, OU = XSS, CN = Root CA
---
No client certificate CA names sent
Peer signing digest: SM3
Peer signature type: SM2
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 945 bytes and written 385 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 96C7121745F218C11EA8F723F8952088A635B8F5ACD5717CED7C3449F0151FE6
Session-ID-ctx:
Resumption PSK: E6E576FFFD20F88B3DC603D6BF61BBB63280382493ABF09485FF654DC2C6ADA09C3E6195644D93E30B3606B6674760B0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b6 de 28 5a 20 5d 0f e2-b4 71 14 d3 61 1c a5 cf ..(Z ]...q..a...
0010 - fe 3b 04 be 59 d4 c4 ab-cd 0e e4 41 da 29 70 c9 .;..Y......A.)p.
0020 - 86 ea 9c 65 b2 a0 7a 94-1f a7 fc 53 a8 0a 41 75 ...e..z....S..Au
0030 - e2 e6 54 c5 1b 73 5b 5b-72 83 86 39 97 ad e9 08 ..T..s[[r..9....
0040 - 00 50 fa b8 71 30 85 88-98 c0 e0 1a 96 f2 84 9e .P..q0..........
0050 - c4 8d 61 36 0d b8 df 14-37 d4 da 54 62 4c a5 4f ..a6....7..TbL.O
0060 - 40 d1 c8 df 85 ba a2 f4-f6 09 e6 c1 f0 7c 5c 59 @............|\Y
0070 - 1a 96 55 0a db 60 77 91-1c 68 b7 27 77 2c 00 7a ..U..`w..h.'w,.z
0080 - 5f d4 05 0e 7a 23 da cb-cd 83 dc 4a 3b 03 4b 79 _...z#.....J;.Ky
0090 - e7 94 17 94 c6 0e e8 6c-1c e6 de 01 45 25 5d 70 .......l....E%]p
00a0 - be eb c1 13 12 ea bc d3-5f f7 a0 46 29 97 24 57 ........_..F).$W
00b0 - 2c c2 6c 4b ff 3b 22 6b-44 39 1a ed f0 d1 5f 10 ,.lK.;"kD9...._.
00c0 - 5d 0e df 4b 89 f7 ae 26-a2 12 5e 19 94 1c 89 6e ]..K...&..^....n
Start Time: 1704962704
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
QUIC: no
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 4985BB19FC67A27F29C3008615215967227BB30E1DA679D3BDDBD85FB3AD6D77
Session-ID-ctx:
Resumption PSK: 39D6AD6679795830565B3EE5EA2E7B975516EDBC58C580882E90F47CC467153AE661C4CBD6200B14AD929195F0561B1F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b6 de 28 5a 20 5d 0f e2-b4 71 14 d3 61 1c a5 cf ..(Z ]...q..a...
0010 - 76 65 9d 0c e6 6e 27 3a-02 d9 b5 d1 de a4 b6 71 ve...n':.......q
0020 - a5 e2 6e d1 be 52 81 d5-79 4a da 4d 84 91 a7 ae ..n..R..yJ.M....
0030 - 1c 32 ee f0 8a 10 23 f7-e8 72 62 a3 b8 59 67 04 .2....#..rb..Yg.
0040 - be 30 65 93 f0 7e 3d 2a-25 c1 f3 c3 59 06 64 4a .0e..~=*%...Y.dJ
0050 - 19 7d d1 76 8b 25 e1 ac-20 d3 f2 51 cf 00 8a 25 .}.v.%.. ..Q...%
0060 - d7 13 ac f7 d4 63 88 e9-f4 71 a0 79 8e b2 a0 cf .....c...q.y....
0070 - 39 11 a3 05 80 7b 1d a7-c4 b7 56 e3 6c e2 7b 5a 9....{....V.l.{Z
0080 - 1f b0 eb 18 aa 7c ca 4d-d2 cf 79 d7 12 8c 17 63 .....|.M..y....c
0090 - 7e 5c 27 b9 cb 8f 8b a9-15 fc 59 42 9f 79 c5 0b ~\'.......YB.y..
00a0 - be ba 53 f3 1f df cc b4-c0 13 1c 7c 0d a0 ac 2c ..S........|...,
00b0 - 1a 8c b6 2e 60 ca dc 81-8f 01 b8 49 12 a2 06 d5 ....`......I....
00c0 - 82 97 c0 09 9e 89 f5 1a-6b de ef 82 c9 62 9f d3 ........k....b..
Start Time: 1704962704
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
QUIC: no
But one problem now is that I have not found a way to verify the server certificate: the client can connect to the server whether or not a certificate is configured.
tsCtx, err := tongsuosdk.NewCtx()
if err != nil {
	return errors.Wrap(err, "new ctx")
}
// If this line is enabled, the handshake never succeeds:
// tsCtx.SetVerifyMode(tongsuosdk.VerifyPeer)
// With or without this line, the client handshake succeeds:
if err = tsCtx.GetCertificateStore().LoadCertificatesFromPEM(parentPem); err != nil {
	return errors.Wrap(err, "add cert")
}
fmt.Println("try dial...")
conn, err := tongsuosdk.Dial("tcp", "127.0.0.1:48271",
	tsCtx, tongsuosdk.InsecureSkipHostVerification)
if err != nil {
	return errors.Wrap(err, "dial")
}
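The verify errors 20 and 21 in the s_client output above, and a client that connects whether or not the CA file was loaded, both come down to one check: chaining the server's leaf certificate to a trust anchor the client already holds. In OpenSSL-derived stacks the client's default verify mode is SSL_VERIFY_NONE, under which a failed chain check is only recorded (readable through SSL_get_verify_result) and does not abort the handshake. The following is an added example, not code from tongsuo-go-sdk or from the issue author, that isolates that check using Go's standard library: it constructs a private "Root CA" and a "Leaf Cert" (ECDSA P-256 stands in for SM2, which crypto/x509 does not implement; the names mirror the output above) and verifies the leaf once with an empty trust store and once with the root loaded. All keys and certificates in it are constructed on the fly for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert signs a certificate template with the given signer key. When parent
// is nil the certificate is self-signed (our constructed root CA).
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeChain builds a constructed two-level PKI: a self-signed "Root CA" and a
// "Leaf Cert" issued by it. ECDSA P-256 stands in for SM2 (not available in
// crypto/x509); the trust-anchor logic below is the same for either.
func MakeChain() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, err = newCert(rootTmpl, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Leaf Cert"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf, err
}

// VerifyAgainst is the check a client has to perform: chain the server's leaf
// back to a trust anchor it already holds. The pool is built explicitly even
// when empty, because a nil Roots field means "use the system store".
// An empty pool reproduces the s_client failure; a pool holding the root
// succeeds.
func VerifyAgainst(leaf *x509.Certificate, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// IsUnknownAuthority reports whether err is the "no trust anchor" failure,
// the crypto/x509 counterpart of OpenSSL verify errors 20 and 21.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	root, leaf, err := MakeChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("no trust anchor:", VerifyAgainst(leaf))
	fmt.Println("root loaded:    ", VerifyAgainst(leaf, root))
}
```

A client that wants the handshake itself to fail on an unverifiable chain has to ask for that explicitly (SSL_VERIFY_PEER in OpenSSL terms) and also supply the trust anchor the chain needs; loading a CA without enabling peer verification only changes the recorded verify result.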
Add Windows CI