gost2

Author: Anton-Dodonov

common/crypto/sm2/sm2.go

@@ -64,10 +64,15 @@ func GenerateCertificate(privKey *sm2.PrivateKey, domain string, isCA bool, expi
 		Bytes: certDER,
 	})
 
-	// Encode private key
+	// Encode private key in PKCS8 format for better compatibility
+	privKeyBytes, err := sm2x509.MarshalSm2UnecryptedPrivateKey(privKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to marshal SM2 private key: %w", err)
+	}
+
 	privKeyPEM := pem.EncodeToMemory(&pem.Block{
 		Type:  "PRIVATE KEY",
-		Bytes: privKey.D.Bytes(),
+		Bytes: privKeyBytes,
 	})
 
 	return certPEM, privKeyPEM, nil

common/crypto/x509/x509.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/pedroalbanese/gogost/gost3410"
+	"github.com/pedroalbanese/gogost/gost34112012256"
 )
 
 // SignatureAlgorithm represents the algorithm used to sign the certificate
@@ -319,7 +320,7 @@ func createTBSCertificate(template *Certificate, sigAlg SignatureAlgorithm) ([]b
 		publicKeyOID = asn1.ObjectIdentifier{1, 2, 643, 7, 1, 1, 1, 1}
 	}
 
-	// Create the basic certificate structure
+	// Create the basic certificate structure with proper ASN.1 tags
 	tbs := struct {
 		Version            int `asn1:"optional,explicit,default:0,tag:0"`
 		SerialNumber       *big.Int
@@ -334,7 +335,9 @@ func createTBSCertificate(template *Certificate, sigAlg SignatureAlgorithm) ([]b
 			Algorithm pkix.AlgorithmIdentifier
 			PublicKey asn1.BitString
 		}
-		Extensions []pkix.Extension `asn1:"optional,tag:3"`
+		IssuerUniqueID  asn1.BitString `asn1:"optional,tag:1"`
+		SubjectUniqueID asn1.BitString `asn1:"optional,tag:2"`
+		Extensions      []pkix.Extension `asn1:"optional,tag:3"`
 	}{
 		Version:      template.Version,
 		SerialNumber: template.SerialNumber,
@@ -358,11 +361,13 @@ func createTBSCertificate(template *Certificate, sigAlg SignatureAlgorithm) ([]b
 				Algorithm: publicKeyOID,
 			},
 			PublicKey: asn1.BitString{
-				Bytes:     []byte{}, // Placeholder - will be filled by actual public key
-				BitLength: 0,
+				Bytes:     []byte{0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}, // Placeholder GOST public key
+				BitLength: 256,
 			},
 		},
-		Extensions: template.Extensions,
+		IssuerUniqueID:  asn1.BitString{},
+		SubjectUniqueID: asn1.BitString{},
+		Extensions:      template.Extensions,
 	}
 
 	// Encode to ASN.1 DER
@@ -400,7 +405,18 @@ func signWithGOST(data []byte, priv *gost3410.PrivateKey, sigAlg SignatureAlgori
 
 func signWithGOSTReverseDigest(data []byte, priv *gost3410.PrivateKeyReverseDigest, sigAlg SignatureAlgorithm) ([]byte, error) {
 	// Use GOST signing with reverse digest
-	return priv.Sign(rand.Reader, data, nil)
+	// First, we need to hash the data with GOST hash function
+	hash := gost34112012256.New()
+	hash.Write(data)
+	hashed := hash.Sum(nil)
+	
+	// Sign the hash
+	signature, err := priv.Sign(rand.Reader, hashed, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign with GOST: %w", err)
+	}
+	
+	return signature, nil
 }
 
 func getPublicKeyAlgorithm(pub interface{}) PublicKeyAlgorithm {

common/protocol/tls/cert/cert.go

@@ -274,7 +274,7 @@ func GenerateSM2(parent *Certificate, opts ...SM2Option) (*Certificate, error) {
 			CommonName:   "",
 		},
 		NotBefore:             time.Now().Add(time.Hour * -1),
-		NotAfter:              time.Now().Add(time.Hour),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365), // 1 year default
 		KeyUsage:              sm2x509.KeyUsageKeyEncipherment | sm2x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []sm2x509.ExtKeyUsage{sm2x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,

run_vless_sm2.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+echo "=== VLESS Server with SM2 Certificate ==="
+echo
+
+# Check if certificate exists, if not create it
+if [ ! -f "test_cert_sm2.crt" ] || [ ! -f "test_cert_sm2.key" ]; then
+    echo "📝 Creating SM2 certificate..."
+    ./make_cert_sm2.sh > /dev/null 2>&1
+    if [ $? -eq 0 ]; then
+        echo "✅ Certificate created successfully"
+    else
+        echo "❌ Failed to create certificate"
+        exit 1
+    fi
+else
+    echo "✅ Certificate already exists"
+fi
+
+echo
+echo "🔧 Creating VLESS server configuration..."
+
+# Create VLESS server configuration
+cat > vless_sm2.json << 'EOF'
+{
+  "log": {
+    "loglevel": "info"
+  },
+  "inbounds": [
+    {
+      "port": 443,
+      "protocol": "vless",
+      "settings": {
+        "clients": [
+          {
+            "id": "b831381d-6324-4d53-ad4f-8cda48b30811"
+          }
+        ],
+        "decryption": "none"
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "tls",
+        "tlsSettings": {
+          "certificates": [
+            {
+              "certificateFile": "test_cert_sm2.crt",
+              "keyFile": "test_cert_sm2.key",
+              "certificateType": "sm2"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "protocol": "freedom"
+    }
+  ]
+}
+EOF
+
+echo "✅ Configuration file created: vless_sm2.json"
+echo
+echo "🚀 Starting VLESS server with SM2 certificate..."
+echo "📋 Server details:"
+echo "   - Port: 443"
+echo "   - Protocol: VLESS"
+echo "   - Security: TLS with SM2 certificate"
+echo "   - Client ID: b831381d-6324-4d53-ad4f-8cda48b30811"
+echo
+echo "Press Ctrl+C to stop the server"
+echo
+
+# Start the server
+./xray -c vless_sm2.json 

run_vless_sm2_fixed.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+echo "=== VLESS Server with SM2 Certificate ==="
+echo
+
+# Check if certificate exists, if not create it
+if [ ! -f "test_cert_sm2.crt" ] || [ ! -f "test_cert_sm2.key" ]; then
+    echo "📝 Creating SM2 certificate..."
+    ./make_cert_sm2.sh > /dev/null 2>&1
+    if [ $? -eq 0 ]; then
+        echo "✅ Certificate created successfully"
+    else
+        echo "❌ Failed to create certificate"
+        exit 1
+    fi
+else
+    echo "✅ Certificate already exists"
+fi
+
+echo
+echo "🔧 Creating VLESS server configuration..."
+
+# Create VLESS server configuration
+cat > vless_sm2_fixed.json << 'EOF'
+{
+  "log": {
+    "loglevel": "info"
+  },
+  "inbounds": [
+    {
+      "port": 443,
+      "protocol": "vless",
+      "settings": {
+        "clients": [
+          {
+            "id": "b831381d-6324-4d53-ad4f-8cda48b30811"
+          }
+        ],
+        "decryption": "none"
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "tls",
+        "tlsSettings": {
+          "certificates": [
+            {
+              "certificateFile": "test_cert_sm2.crt",
+              "keyFile": "test_cert_sm2.key"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "protocol": "freedom"
+    }
+  ]
+}
+EOF
+
+echo "✅ Configuration file created: vless_sm2_fixed.json"
+echo
+echo "🚀 Starting VLESS server with SM2 certificate..."
+echo "📋 Server details:"
+echo "   - Port: 443"
+echo "   - Protocol: VLESS"
+echo "   - Security: TLS with SM2 certificate"
+echo "   - Client ID: b831381d-6324-4d53-ad4f-8cda48b30811"
+echo
+echo "Press Ctrl+C to stop the server"
+echo
+
+# Start the server
+./xray -c vless_sm2_fixed.json 

run_vmess_ecdsa.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+echo "=== VMess Server with ECDSA Certificate ==="
+echo
+
+# Check if certificate exists, if not create it
+if [ ! -f "test_cert_ecdsa.crt" ] || [ ! -f "test_cert_ecdsa.key" ]; then
+    echo "📝 Creating ECDSA certificate..."
+    ./xray tls cert --algorithm=ecdsa --domain=example.com --name="Test Server ECDSA" --org="Test Organization" --file=test_cert_ecdsa > /dev/null 2>&1
+    if [ $? -eq 0 ]; then
+        echo "✅ Certificate created successfully"
+    else
+        echo "❌ Failed to create certificate"
+        exit 1
+    fi
+else
+    echo "✅ Certificate already exists"
+fi
+
+echo
+echo "🔧 Creating VMess server configuration..."
+
+# Create VMess server configuration
+cat > vmess_ecdsa.json << 'EOF'
+{
+  "log": {
+    "loglevel": "info"
+  },
+  "inbounds": [
+    {
+      "port": 443,
+      "protocol": "vmess",
+      "settings": {
+        "clients": [
+          {
+            "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
+            "alterId": 0
+          }
+        ]
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "tls",
+        "tlsSettings": {
+          "certificates": [
+            {
+              "certificateFile": "test_cert_ecdsa.crt",
+              "keyFile": "test_cert_ecdsa.key"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "protocol": "freedom"
+    }
+  ]
+}
+EOF
+
+echo "✅ Configuration file created: vmess_ecdsa.json"
+echo
+echo "🚀 Starting VMess server with ECDSA certificate..."
+echo "📋 Server details:"
+echo "   - Port: 443"
+echo "   - Protocol: VMess"
+echo "   - Security: TLS with ECDSA certificate"
+echo "   - Client ID: b831381d-6324-4d53-ad4f-8cda48b30811"
+echo
+echo "Press Ctrl+C to stop the server"
+echo
+
+# Start the server
+./xray -c vmess_ecdsa.json