How to test sm2 certificate base on this project? #3

Open
ruimya opened this issue Feb 23, 2024 · 13 comments

Comments

@ruimya

ruimya commented Feb 23, 2024

How should Envoy be configured to support SM2 certificates? Can you provide an example configuration file?

@StarryVae

I have the same question, did you solve it? Thanks.

@InfoHunter
Member

This might be answered by MOSN people: @taoyuanyuan

@StarryVae

Oh, thanks, friendly ping @taoyuanyuan

@taoyuanyuan

cc @wangfakang

@wangfakang

@ruimya @StarryVae

Currently Tongsuo proxy only supports the TLS 1.3 suite; the key configuration points are as below:

```yaml
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      tls_params:
        tls_maximum_protocol_version: TLSv1_3
        tls_minimum_protocol_version: TLSv1_3
        cipher_suites:
          - TLS_SM4_GCM_SM3
          - TLS_SM4_CCM_SM3
      tls_certificates:
        - certificate_chain:
            filename: certs/servercert.pem
          private_key:
            filename: certs/serverkey.pem
```

@InfoHunter
Member

Additionally, in that configuration, certs/servercert.pem and certs/serverkey.pem should effectively be an SM2 certificate with a valid SM2 private key.

@StarryVae

Awesome, thanks a lot! And according to envoyproxy/envoy#10762 (comment), it seems that TLS 1.3 cipher suites are not configurable, as shown below, so I removed the cipher_suites config and it works.

image

Finally, I used curl based on Tongsuo ( https://github.com/Tongsuo-Project/curl ) to test; does the result below mean it works? cc @InfoHunter @wangfakang, thanks!

image

@InfoHunter
Member

Seems it's working

@ruimya
Author

ruimya commented Jun 18, 2024

@StarryVae @InfoHunter @wangfakang
Could you please provide a complete Envoy example configuration file? I've tried to generate certificates with the commands below:

```shell
$ export LD_LIBRARY_PATH=/opt/tongsuo/lib:$LD_LIBRARY_PATH
$ bin/openssl ecparam -genkey -name SM2 -out sm2.key
$ bin/openssl req -new -key sm2.key -out sm2.csr -sm3 -sigopt "sm2_id:1234567812345678"
$ bin/openssl x509 -req -in sm2.csr -signkey sm2.key -out sm2.crt -sm3 -sm2-id 1234567812345678 -sigopt "sm2_id:1234567812345678"
```

However, I'm encountering an error "Failed to load certificate chain" when attempting to use these certificates. How should the certificates be generated?

@StarryVae

StarryVae commented Jun 18, 2024

@InfoHunter
Member

If something is wrong with the SM2 certificate you generated, then you can use the SM2 testing certificate and key provided in the Tongsuo code repo: in the directory test/certs/ there are several usable certificates prefixed with sm2.

@ruimya
Author

ruimya commented Jul 10, 2024

Thank you very much. I used your configuration file @StarryVae, and now I'm getting an error:

```
[2024-06-20 03:14:53.459][42205][critical][main] [external/envoy/source/server/server.cc:102] error initializing configuration 'config.yaml': Failed to load certificate chain from <inline>, only P-256 ECDSA certificates are supported
[2024-06-20 03:14:53.459][42205][info][main] [external/envoy/source/server/server.cc:715] exiting
Failed to load certificate chain from <inline>, only P-256 ECDSA certificates are supported
```

I guess this issue is due to my build method or incorrect use of the Tongsuo version. I use tongsuo-8.2.1; the Dockerfile is like this below:

```dockerfile
FROM envoyproxy/envoy-build-ubuntu

RUN cp /etc/apt/sources.list /etc/apt/sources.list.bak \
    && sed -i "s/archive.ubuntu.com/mirrors.aliyun.com/g" /etc/apt/sources.list
    # && apt update

RUN wget https://github.com/BabaSSL/BabaSSL/archive/refs/tags/8.3.1.tar.gz \
    && tar -zxvf 8.3.1.tar.gz \
    && cd Tongsuo-8.3.1 \
    && ./config --prefix=/opt/tongsuo \
    && make -j \
    && make install

RUN git clone https://github.com/Tongsuo-Project/proxy-tongsuo.git /opt/proxy-tongsuo \
    && cd /opt/proxy-tongsuo \
    && git submodule update --init --recursive

WORKDIR /opt/proxy-tongsuo

RUN sed -i 's/babassl/tongsuo/' WORKSPACE \
    && sed -i 's/"524960ac99d086cdb6988d2a92fc163436fd3c6ec0a84c475c6382fbf989be05"/"65271a83fa81783d1272553f4564965ac2e32535a58b0b8141e9f4003afb0e3a"/' envoy/bazel/repository_locations.bzl

RUN echo "build --copt=-Wno-unused-variable" >> .bazelrc \
    && echo "build --copt=-Wno-deprecated-declarations" >> .bazelrc

CMD ["bash"]
```

Is there any problem with my Dockerfile? Which Tongsuo version should I use, or how should I build this? @InfoHunter

@StarryVae

You can try to comment out the P-256 ECDSA limit here and it may work.

https://github.com/StarryVae/envoy-openssl/blob/5cfbde98d910335b8f93c7d89b490225b8aa9950/source/extensions/transport_sockets/tls/context_impl.cc#L220

But I am also not familiar with OpenSSL; for an SM2 certificate, its NID is not NID_X9_62_prime256v1? cc @InfoHunter for help, thanks!
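To check which side of that P-256 limit a certificate falls on, here is an added diagnostic (not code from this thread, proxy-tongsuo or Envoy) that walks a DER certificate and reports the named-curve OID of its public key; the OID constants are standard values, and the inputs used to exercise it are constructed.

```python
# Added diagnostic (not proxy-tongsuo/Envoy code): report the named curve of a DER certificate's key.
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"          # id-ecPublicKey (standard OID)
CURVES = {"1.2.840.10045.3.1.7": "prime256v1",   # P-256, the curve stock Envoy accepts
          "1.2.156.10197.1.301": "SM2"}          # GM/T SM2 curve OID

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return the (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def curve_of_spki(spki_value):
    """spki_value: content of a SubjectPublicKeyInfo SEQUENCE -> curve name."""
    alg = children(children(spki_value)[0][1])    # AlgorithmIdentifier fields
    if decode_oid(alg[0][1]) != OID_EC_PUBLIC_KEY:
        return "not an EC key"
    if len(alg) < 2 or alg[1][0] != 0x06:         # explicit params, no namedCurve
        return "EC key without a namedCurve OID"
    oid = decode_oid(alg[1][1])
    return CURVES.get(oid, "unknown curve " + oid)

def curve_of_cert(cert_der):
    """Certificate -> TBSCertificate -> subjectPublicKeyInfo -> curve name."""
    tbs = children(children(children(cert_der)[0][1])[0][1])
    if tbs[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        tbs = tbs[1:]
    return curve_of_spki(tbs[5][1])        # serial, sigalg, issuer, validity, subject, spki

def der(tag, body):  # short-form DER encoder (body < 128 bytes) for building test inputs
    return bytes([tag, len(body)]) + body
```

Convert a PEM file first with `openssl x509 -in sm2.crt -outform DER -out sm2.der` and pass the file bytes to `curve_of_cert`.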
