
[Question] How to support GM/T SSL (or GMSSL)? #5652

Open
janusdo opened this issue Sep 4, 2024 · 1 comment
Labels
type: question Further information is requested

Comments


janusdo commented Sep 4, 2024

Question

I expect to implement GM SSL by integrating the BGMProvider cryptographic suite from OpenEuler.

Maven

<dependency>
 <groupId>org.openeuler</groupId>
 <artifactId>bgmprovider</artifactId>
 <version>1.1.3</version>
</dependency>

application.yml

server:
  port: 9195
  address: 0.0.0.0
  servlet:
    context-path: /
  ssl:
    enabled: true
    key-alias: server-sm2-enc
    key-store: classpath:server.keystore
    key-store-password: 12345678
    key-store-type: PKCS12
    protocol: GMTLS
    enabled-protocols: GMTLS

Modify the NettyReactiveWebServerFactory configuration in the ShenyuNettyWebServerConfiguration class by adding the following code.

try {
    // Load the PKCS12 keystore referenced by server.ssl.* and derive the server KeyManager from it
    File keyStoreFile = FileUtil.file(sslProperties.getKeyStore());
    KeyStore keyStore = KeyUtil.readKeyStore(sslProperties.getKeyStoreType(), keyStoreFile, sslProperties.getKeyStorePassword().toCharArray());

    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, sslProperties.getKeyStorePassword().toCharArray());
    System.out.println(keyManagerFactory); // debug output
    KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

    // GM cipher suites (ECC/ECDHE key exchange, SM4 cipher, SM3 MAC); server.ssl.ciphers overrides this default list
    List<String> ciphers = Arrays.asList("ECC_SM4_CBC_SM3", "ECDHE_SM4_CBC_SM3", "ECC_SM4_GCM_SM3", "ECDHE_SM4_GCM_SM3");
    if (sslProperties.getCiphers() != null) {
        ciphers = Arrays.asList(sslProperties.getCiphers());
    }

    // TLS_PROTOCOL_GM is a constant defined elsewhere in the class (assumed to hold the GM protocol name, i.e. "GMTLS" as in application.yml)
    SslContext sslContext = SslContextBuilder.forServer(keyManagers[0])
        .protocols(TLS_PROTOCOL_GM)
        .ciphers(ciphers, IdentityCipherSuiteFilter.INSTANCE_DEFAULTING_TO_SUPPORTED_CIPHERS)
        .build();

    httpServer = httpServer.secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));

    /* Alternative that leaves SslContext creation to Reactor Netty and the BGM JCE provider (BGM_PROVIDER is a Provider instance defined elsewhere in the class):
    AbstractProtocolSslContextSpec<?> sslContextSpec = Http11SslContextSpec.forServer(keyManagerFactory);
    sslContextSpec.configure((builder) -> {
        builder.sslProvider(SslProvider.JDK)
            .sslContextProvider(BGM_PROVIDER)
            .keyStoreType(sslProperties.getKeyStoreType());

        if (sslProperties.getEnabledProtocols() != null) {
            System.out.println(sslProperties.getEnabledProtocols()); // debug output
            builder.protocols(sslProperties.getEnabledProtocols());
        }

        if (sslProperties.getCiphers() != null) {
            builder.ciphers(Arrays.asList(sslProperties.getCiphers()));
        }
    });

    httpServer = httpServer.secure((spec) -> spec.sslContext(sslContextSpec), true);
    */
} catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | SSLException e) {
    // Note: the underlying exception is not attached as the cause, so the failure reason is lost
    throw new LoongException("Create GM SSL Context fail");
}

The service started successfully, but accessing https://127.0.0.1:9195/ using a GM browser failed with the error message: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

Modify code

httpServer = HttpServer.create().secure(sslContextSpec -> {
    sslContextSpec.sslContext(sslContext);
});

Access to HTTPS is successful, but the port is set randomly and needs to be specified through .port(9443).

How to support GM/T SSL (or GMSSL)?


janusdo commented Sep 4, 2024

The code modification succeeded in accessing HTTPS, but the port cannot be the one specified by server.port.

try {
    // Load the PKCS12 keystore referenced by server.ssl.* and initialise the KeyManagerFactory from it
    File keyStoreFile = FileUtil.file(sslProperties.getKeyStore());
    KeyStore keyStore = KeyUtil.readKeyStore(sslProperties.getKeyStoreType(), keyStoreFile, sslProperties.getKeyStorePassword().toCharArray());

    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, sslProperties.getKeyStorePassword().toCharArray());

    // Let Reactor Netty build the SslContext through the JDK provider, backed by the BGM JCE provider
    // (BGM_PROVIDER is a Provider instance defined elsewhere in the class)
    AbstractProtocolSslContextSpec<?> sslContextSpec = Http11SslContextSpec.forServer(keyManagerFactory);
    sslContextSpec.configure((builder) -> {
        builder.sslProvider(SslProvider.JDK)
            .keyStoreType(sslProperties.getKeyStoreType())
            .sslContextProvider(BGM_PROVIDER);

        // server.ssl.enabled-protocols (GMTLS) and server.ssl.ciphers from application.yml
        if (sslProperties.getEnabledProtocols() != null) {
            builder.protocols(sslProperties.getEnabledProtocols());
        }

        if (sslProperties.getCiphers() != null) {
            builder.ciphers(Arrays.asList(sslProperties.getCiphers()));
        }
    });

    // .port(...) is set explicitly here; without it the server binds to a random port
    httpServer = httpServer.port(sslProperties.getPort()).secure((spec) -> spec.sslContext(sslContextSpec), true);
} catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
    throw new LoongException("Create GM SSL Context fail");
}
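As an added example (not code from this issue, from ShenYu or from the BGMProvider project), the following stand-alone Reactor Netty server ties together the two observations in this thread: it binds the GM TLS listener to the configured port explicitly, and before binding it inspects the SSLEngine the context will actually hand out, failing at startup if GMTLS or any of the SM cipher suites was not enabled, since a server that silently ends up with no protocol or suite in common with the client is what a browser reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Assumptions: the BGMProvider JSSE provider class is org.openeuler.BGMProvider, the keystore path is a placeholder, and the port, password, keystore type, protocol name and cipher list are the values from the application.yml in the first post.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import reactor.core.publisher.Mono;
import reactor.netty.DisposableServer;
import reactor.netty.http.Http11SslContextSpec;
import reactor.netty.http.server.HttpServer;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class GmTlsStartupCheck {

    // Values taken from the application.yml in the issue; the keystore path is a placeholder.
    static final int PORT = 9195;
    static final String KEY_STORE_PATH = "server.keystore";
    static final char[] KEY_STORE_PASSWORD = "12345678".toCharArray();
    static final String KEY_STORE_TYPE = "PKCS12";
    static final String GM_PROTOCOL = "GMTLS";
    // Cipher suites listed in the issue.
    static final List<String> GM_CIPHERS = Arrays.asList(
            "ECC_SM4_CBC_SM3", "ECDHE_SM4_CBC_SM3", "ECC_SM4_GCM_SM3", "ECDHE_SM4_GCM_SM3");

    // Assumption: the BGMProvider provider class is org.openeuler.BGMProvider.
    static Provider loadBgmProvider() throws Exception {
        Provider p = (Provider) Class.forName("org.openeuler.BGMProvider")
                .getDeclaredConstructor().newInstance();
        Security.insertProviderAt(p, 1);
        return p;
    }

    static KeyManagerFactory loadKeyManagers() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE);
        try (InputStream in = new FileInputStream(KEY_STORE_PATH)) {
            ks.load(in, KEY_STORE_PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEY_STORE_PASSWORD);
        return kmf;
    }

    // Same construction as in the issue: JDK SslProvider so the BGM JCE provider supplies the engine.
    static Http11SslContextSpec gmSslSpec(KeyManagerFactory kmf, Provider bgm) {
        Http11SslContextSpec spec = Http11SslContextSpec.forServer(kmf);
        spec.configure(b -> b.sslProvider(SslProvider.JDK)
                .sslContextProvider(bgm)
                .keyStoreType(KEY_STORE_TYPE)
                .protocols(GM_PROTOCOL)
                .ciphers(GM_CIPHERS));
        return spec;
    }

    // Returns what is wrong with the context; empty means GMTLS and every SM suite are really enabled
    // on the engines this context produces, which is what the client negotiates against.
    static List<String> verifyEnabled(SslContext ctx) {
        List<String> problems = new ArrayList<>();
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT);
        List<String> protocols = Arrays.asList(engine.getEnabledProtocols());
        if (!protocols.contains(GM_PROTOCOL)) {
            problems.add("protocol " + GM_PROTOCOL + " not enabled, engine has " + protocols);
        }
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        for (String c : GM_CIPHERS) {
            if (!enabled.contains(c)) {
                problems.add("cipher suite " + c + " not enabled");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        Provider bgm = loadBgmProvider();
        Http11SslContextSpec spec = gmSslSpec(loadKeyManagers(), bgm);

        List<String> problems = verifyEnabled(spec.sslContext());
        if (!problems.isEmpty()) {
            throw new IllegalStateException("GM TLS not usable: " + problems);
        }

        // .port(PORT) keeps the listener on 9195; HttpServer.create().secure(...) without it
        // binds an ephemeral port, which is the behaviour reported in the issue.
        DisposableServer server = HttpServer.create()
                .port(PORT)
                .secure(s -> s.sslContext(spec))
                .handle((req, res) -> res.sendString(Mono.just("GM TLS ok\n")))
                .bindNow();
        if (server.port() != PORT) {
            throw new IllegalStateException("bound " + server.port() + " instead of " + PORT);
        }
        System.out.println("listening on https://127.0.0.1:" + server.port());
        server.onDispose().block();
    }
}
```

The verifyEnabled step is the part worth keeping in a real deployment: the context builds without error even when the provider only partially supports the requested configuration, and the enabled protocol and suite lists on a freshly created engine are the only ground truth for what the handshake can negotiate.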
