From 7db806754976daa32cea3a113ccc23a24a1dcd44 Mon Sep 17 00:00:00 2001 From: Sun Yimin Date: Tue, 9 Jan 2024 08:29:18 +0800 Subject: [PATCH] smx509: can parse openssl v3.1.3 p8 sm2 private key #197 --- smx509/pkcs8.go | 2 +- smx509/pkcs8_test.go | 28 +++++++++++++++++++++------- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/smx509/pkcs8.go b/smx509/pkcs8.go index 76af088..ba236fd 100644 --- a/smx509/pkcs8.go +++ b/smx509/pkcs8.go @@ -49,7 +49,7 @@ func ParsePKCS8PrivateKey(der []byte) (key any, err error) { if privKey.Algo.Algorithm.Equal(oidSM9) || privKey.Algo.Algorithm.Equal(oidSM9Sign) || privKey.Algo.Algorithm.Equal(oidSM9Enc) { return parseSM9PrivateKey(privKey) } - if !privKey.Algo.Algorithm.Equal(oidPublicKeyECDSA) { + if !privKey.Algo.Algorithm.Equal(oidPublicKeyECDSA) && !privKey.Algo.Algorithm.Equal(oidNamedCurveP256SM2) { return x509.ParsePKCS8PrivateKey(der) } bytes := privKey.Algo.Parameters.FullBytes diff --git a/smx509/pkcs8_test.go b/smx509/pkcs8_test.go index 84da81b..37e9611 100644 --- a/smx509/pkcs8_test.go +++ b/smx509/pkcs8_test.go @@ -18,25 +18,33 @@ import ( ) // Generated using: -// openssl genrsa 1024 | openssl pkcs8 -topk8 -nocrypt +// +// openssl genrsa 1024 | openssl pkcs8 -topk8 -nocrypt var pkcs8RSAPrivateKeyHex = `30820278020100300d06092a864886f70d0101010500048202623082025e02010002818100cfb1b5bf9685ffa97b4f99df4ff122b70e59ac9b992f3bc2b3dde17d53c1a34928719b02e8fd17839499bfbd515bd6ef99c7a1c47a239718fe36bfd824c0d96060084b5f67f0273443007a24dfaf5634f7772c9346e10eb294c2306671a5a5e719ae24b4de467291bc571014b0e02dec04534d66a9bb171d644b66b091780e8d020301000102818100b595778383c4afdbab95d2bfed12b3f93bb0a73a7ad952f44d7185fd9ec6c34de8f03a48770f2009c8580bcd275e9632714e9a5e3f32f29dc55474b2329ff0ebc08b3ffcb35bc96e6516b483df80a4a59cceb71918cbabf91564e64a39d7e35dce21cb3031824fdbc845dba6458852ec16af5dddf51a8397a8797ae0337b1439024100ea0eb1b914158c70db39031dd8904d6f18f408c85fbbc592d7d20dee7986969efbda081fdf8bc40e1b1336d6b638110c836bfdc3f314560d2e49cd4fbde1e20b024100e32a4e793b574c9c4a94c8803db5152141e72d03de64e54ef2c8ed104988ca780cd11397bc359630d01b97ebd87067c5451ba777cf045ca23f5912f1031308c702406dfcdbbd5a57c9f85abc4edf9e9e29153507b07ce0a7ef6f52e60dcfebe1b8341babd8b789a837485da6c8d55b29bbb142ace3c24a1f5b54b454d01b51e2ad03024100bd6a2b60dee01e1b3bfcef6a2f09ed027c273cdbbaf6ba55a80f6dcc64e4509ee560f84b4f3e076bd03b11e42fe71a3fdd2dffe7e0902c8584f8cad877cdc945024100aa512fa4ada69881f1d8bb8ad6614f192b83200aef5edf4811313d5ef30a86cbd0a90f7b025c71ea06ec6b34db6306c86b1040670fd8654ad7291d066d06d031` // Generated using: -// openssl ecparam -genkey -name secp224r1 | openssl pkcs8 -topk8 -nocrypt +// +// openssl ecparam -genkey -name secp224r1 | openssl pkcs8 -topk8 -nocrypt var pkcs8P224PrivateKeyHex = `3078020100301006072a8648ce3d020106052b810400210461305f020101041cca3d72b3e88fed2684576dad9b80a9180363a5424986900e3abcab3fa13c033a0004f8f2a6372872a4e61263ed893afb919576a4cacfecd6c081a2cbc76873cf4ba8530703c6042b3a00e2205087e87d2435d2e339e25702fae1` // Generated using: -// openssl ecparam -genkey -name secp256r1 | openssl pkcs8 -topk8 -nocrypt +// +// openssl ecparam -genkey -name secp256r1 | openssl pkcs8 -topk8 -nocrypt var pkcs8P256PrivateKeyHex = `308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b0201010420dad6b2f49ca774c36d8ae9517e935226f667c929498f0343d2424d0b9b591b43a14403420004b9c9b90095476afe7b860d8bd43568cab7bcb2eed7b8bf2fa0ce1762dd20b04193f859d2d782b1e4cbfd48492f1f533113a6804903f292258513837f07fda735` var pkcs8SM2P256PrivateKeyHex = `308187020100301306072a8648ce3d020106082a811ccf5501822d046d306b0201010420b26da57ba53004ddcd387ad46a361b51b308481f2327d47fb10c5fb3a8c86b92a144034200040d5365bfdbdc564c5b0eda0a85ddbd753821a709de90efe0666ba2544766acf1100ac0484d166842011da5cd6139e53dedb99ce37cea9edf4941628066e861bf` +// Generated with OpenSSL v3.1.3 +var pkcs8SM2PrivateKeyHex = "308188020100301406082a811ccf5501822d06082a811ccf5501822d046d306b020101042087d86c005f449379641916b5e5f1cd5d21ccdad60613741669f470946acb9d17a144034200046f233f11f15549701dc5e677a2f5d202d1b7183d6f6affb16a76558afab3cca537e482c56d779ff589311d03a94114627c88fdf67252ed21fe7051f94b48ca2f" + // Generated using: -// openssl ecparam -genkey -name secp384r1 | openssl pkcs8 -topk8 -nocrypt +// +// openssl ecparam -genkey -name secp384r1 | openssl pkcs8 -topk8 -nocrypt var pkcs8P384PrivateKeyHex = `3081b6020100301006072a8648ce3d020106052b8104002204819e30819b02010104309bf832f6aaaeacb78ce47ffb15e6fd0fd48683ae79df6eca39bfb8e33829ac94aa29d08911568684c2264a08a4ceb679a164036200049070ad4ed993c7770d700e9f6dc2baa83f63dd165b5507f98e8ff29b5d2e78ccbe05c8ddc955dbf0f7497e8222cfa49314fe4e269459f8e880147f70d785e530f2939e4bf9f838325bb1a80ad4cf59272ae0e5efe9a9dc33d874492596304bd3` // Generated using: -// openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt +// +// openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt // // Note that OpenSSL will truncate the private key if it can (i.e. it emits it // like an integer, even though it's an OCTET STRING field). Thus if you @@ -77,6 +85,12 @@ func TestPKCS8(t *testing.T) { keyType: reflect.TypeOf(&sm2.PrivateKey{}), curve: sm2.P256(), }, + { + name: "SM2 private key with ALG=SM2", + keyHex: pkcs8SM2PrivateKeyHex, + keyType: reflect.TypeOf(&sm2.PrivateKey{}), + curve: sm2.P256(), + }, { name: "P-384 private key", keyHex: pkcs8P384PrivateKeyHex, @@ -120,7 +134,7 @@ func TestPKCS8(t *testing.T) { t.Errorf("%s: failed to marshal into PKCS#8: %s", test.name, err) continue } - if !bytes.Equal(derBytes, reserialised) { + if test.name != "SM2 private key with ALG=SM2" && !bytes.Equal(derBytes, reserialised) { t.Errorf("%s: marshaled PKCS#8 didn't match original: got %x, want %x", test.name, reserialised, derBytes) continue } @@ -135,7 +149,7 @@ func TestPKCS8(t *testing.T) { t.Errorf("%s: failed to marshal into PKCS#8: %s", test.name, err) continue } - if !bytes.Equal(derBytes, reserialised) { + if test.name != "SM2 private key with ALG=SM2" && !bytes.Equal(derBytes, reserialised) { t.Errorf("%s: marshaled PKCS#8 didn't match original: got %x, want %x", test.name, reserialised, derBytes) continue }