与gmsm保持同步

客户端若提供了支持传输加密证书，无论是否为双向身份认证都会发送客户端加密证书
Trisia · Jul 13, 2023 · 5733160 · 5733160
1 parent 2d612bc
commit 5733160
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 20 deletions.
diff --git a/go.mod b/go.mod
@@ -3,6 +3,6 @@ module gitee.com/Trisia/gotlcp
 go 1.16
 
 require (
-	github.com/emmansun/gmsm v0.17.4
-	golang.org/x/crypto v0.9.0
+	github.com/emmansun/gmsm v0.19.1
+	golang.org/x/crypto v0.11.0
 )
diff --git a/go.sum b/go.sum
@@ -1,10 +1,10 @@
-github.com/emmansun/gmsm v0.17.4 h1:2CnGMnabiR/7n5qSBSAJMdIquY6SnkcqGtnne6x9JtA=
-github.com/emmansun/gmsm v0.17.4/go.mod h1:rGSVCbcfnJbRxTQdrdX94eKzKUw8GCPu225iUkoQeoQ=
+github.com/emmansun/gmsm v0.19.1 h1:/+3S2vd6t7yh+HkssSpRYm8RB7wqrZ7o8Ht3HQAUYZ0=
+github.com/emmansun/gmsm v0.19.1/go.mod h1:3MyXR2HCj9U3RN9AM5Q0+jvpveyoO+9ZpF/SnHLg9JE=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -22,17 +22,19 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

diff --git a/tlcp/handshake_client.go b/tlcp/handshake_client.go
@@ -345,12 +345,15 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 			_ = c.sendAlert(alertInternalError)
 			return err
 		}
-		if c.cipherSuite == ECDHE_SM4_CBC_SM3 || c.cipherSuite == ECDHE_SM4_GCM_SM3 {
-			if clientEncCert, err = c.getClientKECertificate(cri); err != nil {
+		// 尝试尝试获取客户端加密证书，如果存在
+		if clientEncCert, err = c.getClientKECertificate(cri); err != nil {
+			// 特殊的 ECDHE 仅支持双向身份认证若没有加密证书则认为无法协商。
+			if c.cipherSuite == ECDHE_SM4_CBC_SM3 || c.cipherSuite == ECDHE_SM4_GCM_SM3 {
 				_ = c.sendAlert(alertInternalError)
 				return err
 			}
 		}
+
 		hs.authCert = clientAuthCert
 		hs.encCert = clientEncCert
 
@@ -370,14 +373,17 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 	// 即便客户端没有证书，也需要发一条空证书的证书消息到服务端。
 	if certRequested {
 		certMsg = new(certificateMsg)
-		if len(clientAuthCert.Certificate) > 0 {
+		if clientAuthCert != nil && len(clientAuthCert.Certificate) > 0 {
 			certMsg.certificates = append(certMsg.certificates, clientAuthCert.Certificate[0])
 		}
-		if c.cipherSuite == ECDHE_SM4_CBC_SM3 || c.cipherSuite == ECDHE_SM4_GCM_SM3 {
-			// ECDHE系列套件出签名证书外，还需要客户端额外发送加密证书
-			// 加密证书将用于SM2密钥交换协商密钥。
+		// 若存在客户端加密证书则一同发送该证书。
+		//
+		// 特别的：ECDHE系列套件出签名证书外，还需要客户端额外发送加密证书
+		// 加密证书将用于SM2密钥交换协商密钥。
+		if clientEncCert != nil && len(clientEncCert.Certificate) > 0 {
 			certMsg.certificates = append(certMsg.certificates, clientEncCert.Certificate[0])
 		}
+
 		if _, err = c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
 			return err
 		}

diff --git a/tlcp/handshake_client_test.go b/tlcp/handshake_client_test.go
@@ -83,7 +83,7 @@ func Test_clientHandshake_no_auth(t *testing.T) {
 	time.Sleep(time.Millisecond * 300)
 
 	config := &Config{InsecureSkipVerify: true}
-	testClientHandshak(t, config, "127.0.0.1:8444")
+	testClientHandshake(t, config, "127.0.0.1:8444")
 }
 
 // 测试服务端身份认证
@@ -100,7 +100,7 @@ func Test_clientHandshake_auth_server(t *testing.T) {
 
 	time.Sleep(time.Millisecond * 300)
 	config := &Config{RootCAs: pool}
-	testClientHandshak(t, config, "127.0.0.1:8445")
+	testClientHandshake(t, config, "127.0.0.1:8445")
 }
 
 // 测试双向身份认证
@@ -116,7 +116,7 @@ func Test_clientHandshake_client_auth(t *testing.T) {
 	time.Sleep(time.Millisecond * 300)
 
 	config := &Config{RootCAs: pool, Certificates: []Certificate{authCert}}
-	testClientHandshak(t, config, "127.0.0.1:8446")
+	testClientHandshake(t, config, "127.0.0.1:8446")
 }
 
 // 测试客户端无证书，服务端要求证书
@@ -216,13 +216,13 @@ func Test_clientHandshake_ECDHE(t *testing.T) {
 		Certificates: []Certificate{authCert, authCert},
 		CipherSuites: []uint16{ECDHE_SM4_GCM_SM3, ECDHE_SM4_CBC_SM3},
 	}
-	testClientHandshak(t, config, "127.0.0.1:8451")
+	testClientHandshake(t, config, "127.0.0.1:8451")
 
 	config.ClientECDHEParamsAsVector = true
-	testClientHandshak(t, config, "127.0.0.1:8451")
+	testClientHandshake(t, config, "127.0.0.1:8451")
 }
 
-func testClientHandshak(t *testing.T, config *Config, addr string) {
+func testClientHandshake(t *testing.T, config *Config, addr string) {
 	conn, err := Dial("tcp", addr, config)
 	if err != nil {
 		t.Fatal(err)
@@ -290,3 +290,22 @@ func Test_NotResumedSession(t *testing.T) {
 		_ = conn.Close()
 	}
 }
+
+// ECC 套件下客户端传输双证书
+func Test_clientHandshake_ECCWithEncCert(t *testing.T) {
+	go func() {
+		if err := serverNeedAuth(8452); err != nil {
+			panic(err)
+		}
+	}()
+	time.Sleep(time.Millisecond * 300)
+	pool := smx509.NewCertPool()
+	pool.AddCert(root1)
+
+	config := &Config{
+		RootCAs:      pool,
+		Certificates: []Certificate{authCert, authCert},
+		CipherSuites: []uint16{ECC_SM4_GCM_SM3, ECC_SM4_CBC_SM3},
+	}
+	testClientHandshake(t, config, "127.0.0.1:8452")
+}