gost

Author: Anton-Dodonov

common/crypto/gost/gost_x509.go

@@ -12,14 +12,8 @@ import (
 	"github.com/pedroalbanese/gogost/gost3410"
 )
 
-// GOST signature algorithm constants
-const (
-	GOST256 = 0x0601 // GOST R 34.10-2012 256-bit
-	GOST512 = 0x0602 // GOST R 34.10-2012 512-bit
-)
-
 // GenerateGOSTSelfSignedCert создает самоподписанный X.509 сертификат GOST2012 (256 или 512)
-func GenerateGOSTSelfSignedCert(curve *gost3410.Curve, sigAlg x509.SignatureAlgorithm, cn string, expireDays int) ([]byte, []byte, error) {
+func GenerateGOSTSelfSignedCert(curve *gost3410.Curve, cn string, expireDays int) ([]byte, []byte, error) {
 	fmt.Printf("DEBUG: Starting GenerateGOSTSelfSignedCert\n")
 
 	prvRaw := make([]byte, curve.PointSize())
@@ -42,18 +36,27 @@ func GenerateGOSTSelfSignedCert(curve *gost3410.Curve, sigAlg x509.SignatureAlgo
 	notBefore := time.Now()
 	notAfter := notBefore.Add(time.Duration(expireDays) * 24 * time.Hour)
 	serial := big.NewInt(time.Now().UnixNano())
+	
+	// Determine the correct signature algorithm based on curve size
+	var signatureAlgorithm x509.SignatureAlgorithm
+	if curve.PointSize() == 32 {
+		signatureAlgorithm = x509.GOST256
+	} else {
+		signatureAlgorithm = x509.GOST512
+	}
+	
 	template := x509.Certificate{
 		SerialNumber:       serial,
 		NotBefore:          notBefore,
 		NotAfter:           notAfter,
-		SignatureAlgorithm: sigAlg,
+		SignatureAlgorithm: signatureAlgorithm,
 		Subject:            pkix.Name{CommonName: cn},
 		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 		BasicConstraintsValid: true,
 		IsCA: false,
 	}
 
-	fmt.Printf("DEBUG: About to call CreateCertificate\n")
+	fmt.Printf("DEBUG: About to call CreateCertificate with signature algorithm: %d\n", signatureAlgorithm)
 	certDER, err := x509.CreateCertificate(
 		rand.Reader,
 		&template, &template, pub,
@@ -94,11 +97,20 @@ func GenerateGOSTCAChildCert(curve *gost3410.Curve, sigAlg x509.SignatureAlgorit
 	notBefore := time.Now()
 	notAfter := notBefore.Add(time.Duration(expireDays) * 24 * time.Hour)
 	serial := big.NewInt(time.Now().UnixNano())
+	
+	// Determine the correct signature algorithm based on curve size
+	var signatureAlgorithm x509.SignatureAlgorithm
+	if curve.PointSize() == 32 {
+		signatureAlgorithm = x509.GOST256
+	} else {
+		signatureAlgorithm = x509.GOST512
+	}
+	
 	template := x509.Certificate{
 		SerialNumber:       serial,
 		NotBefore:          notBefore,
 		NotAfter:           notAfter,
-		SignatureAlgorithm: sigAlg,
+		SignatureAlgorithm: signatureAlgorithm,
 		Subject:            pkix.Name{CommonName: cn},
 		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 		BasicConstraintsValid: true,

common/crypto/x509/x509.go

@@ -318,6 +318,8 @@ func createTBSCertificate(template *Certificate, pub interface{}, sigAlg Signatu
 	// Create a basic ASN.1 DER encoding of the To-Be-Signed certificate
 	// This is a simplified implementation for testing purposes
 
+	fmt.Printf("DEBUG: createTBSCertificate called with signature algorithm: %d\n", sigAlg)
+	
 	// Determine OIDs based on signature algorithm
 	var signatureOID asn1.ObjectIdentifier
 	var publicKeyOID asn1.ObjectIdentifier
@@ -368,6 +370,71 @@ func createTBSCertificate(template *Certificate, pub interface{}, sigAlg Signatu
 		return nil, fmt.Errorf("unsupported public key type: %T", pub)
 	}
 
+	// For GOST certificates, we need to use a different approach
+	// GOST certificates have a specific ASN.1 structure that's different from standard X.509
+	if sigAlg == GOST256 || sigAlg == GOST512 {
+		fmt.Printf("DEBUG: Using GOST-specific certificate structure\n")
+		// Create GOST-specific certificate structure
+		gostCert := struct {
+			Version            int `asn1:"optional,explicit,default:0,tag:0"`
+			SerialNumber       *big.Int
+			SignatureAlgorithm pkix.AlgorithmIdentifier
+			Issuer            pkix.Name
+			Validity          struct {
+				NotBefore time.Time
+				NotAfter  time.Time
+			}
+			Subject            pkix.Name
+			SubjectPublicKeyInfo struct {
+				Algorithm pkix.AlgorithmIdentifier
+				PublicKey asn1.BitString
+			}
+			IssuerUniqueID  asn1.BitString `asn1:"optional,tag:1"`
+			SubjectUniqueID asn1.BitString `asn1:"optional,tag:2"`
+			Extensions      []pkix.Extension `asn1:"optional,tag:3"`
+		}{
+			Version:      template.Version,
+			SerialNumber: template.SerialNumber,
+			SignatureAlgorithm: pkix.AlgorithmIdentifier{
+				Algorithm: signatureOID,
+			},
+			Issuer: template.Issuer,
+			Validity: struct {
+				NotBefore time.Time
+				NotAfter  time.Time
+			}{
+				NotBefore: template.NotBefore,
+				NotAfter:  template.NotAfter,
+			},
+			Subject: template.Subject,
+			SubjectPublicKeyInfo: struct {
+				Algorithm pkix.AlgorithmIdentifier
+				PublicKey asn1.BitString
+			}{
+				Algorithm: pkix.AlgorithmIdentifier{
+					Algorithm: publicKeyOID,
+				},
+				PublicKey: asn1.BitString{
+					Bytes:     publicKeyBytes,
+					BitLength: bitLength,
+				},
+			},
+			IssuerUniqueID:  asn1.BitString{},
+			SubjectUniqueID: asn1.BitString{},
+			Extensions:      template.Extensions,
+		}
+
+		// Encode to ASN.1 DER
+		der, err := asn1.Marshal(gostCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal GOST TBS certificate: %w", err)
+		}
+
+		fmt.Printf("DEBUG: GOST TBS certificate marshaled successfully, length: %d\n", len(der))
+		return der, nil
+	}
+	
+	fmt.Printf("DEBUG: Using standard X.509 certificate structure\n")
 	// Create the basic certificate structure with proper ASN.1 tags
 	tbs := struct {
 		Version            int `asn1:"optional,explicit,default:0,tag:0"`

common/protocol/tls/cert/cert.go

@@ -207,7 +207,6 @@ func GenerateGOST2012_256(parent *Certificate, opts ...SM2Option) (*Certificate,
 
 	certPEM, keyPEM, err := gost.GenerateGOSTSelfSignedCert(
 		gost3410.CurveIdtc26gost34102012256paramSetA(),
-		gost.GOST256,
 		commonName,
 		expireDays,
 	)
@@ -243,7 +242,6 @@ func GenerateGOST2012_512(parent *Certificate, opts ...SM2Option) (*Certificate,
 
 	certPEM, keyPEM, err := gost.GenerateGOSTSelfSignedCert(
 		gost3410.CurveIdtc26gost34102012512paramSetA(),
-		gost.GOST512,
 		commonName,
 		expireDays,
 	)

connect_local.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 
-echo "openssl s_client -connect 127.0.0.1:443 -servername 127.0.0.1 "
-openssl s_client -connect 127.0.0.1:443 -servername 127.0.0.1 
+echo "openssl s_client -connect 127.0.0.1:443 -servername example.com "
+openssl s_client -connect 127.0.0.1:443 -servername example.com

run_vmess_rsa.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+
+set -e
+
+CERT_FILE="test_cert_rsa.crt"
+KEY_FILE="test_cert_rsa.key"
+CONFIG_FILE="vmess_rsa.json"
+DOMAIN="localhost"
+ORG="Test Organization"
+CLIENT_ID="b831381d-6324-4d53-ad4f-8cda48b30811"
+
+# 1. Генерация RSA сертификата, если его нет
+if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
+    echo "📝 Generating RSA certificate..."
+    openssl req -x509 -newkey rsa:2048 -keyout "$KEY_FILE" -out "$CERT_FILE" -days 365 -nodes \
+        -subj "/CN=$DOMAIN/O=$ORG"
+    echo "✅ RSA certificate generated."
+else
+    echo "✅ RSA certificate already exists."
+fi
+
+echo
+# 2. Создание VMess server config
+cat > "$CONFIG_FILE" << EOF
+{
+  "log": {
+    "loglevel": "debug"
+  },
+  "inbounds": [
+    {
+      "port": 443,
+      "protocol": "vmess",
+      "settings": {
+        "clients": [
+          {
+            "id": "$CLIENT_ID",
+            "alterId": 0
+          }
+        ]
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "tls",
+        "tlsSettings": {
+          "certificates": [
+            {
+              "certificateFile": "$CERT_FILE",
+              "keyFile": "$KEY_FILE"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "protocol": "freedom"
+    }
+  ]
+}
+EOF
+
+echo "✅ Configuration file created: $CONFIG_FILE"
+echo
+# 3. Запуск Xray
+
+echo "🚀 Starting VMess server with RSA certificate..."
+echo "📋 Server details:"
+echo "   - Port: 443"
+echo "   - Protocol: VMess"
+echo "   - Security: TLS with RSA certificate"
+echo "   - Client ID: $CLIENT_ID"
+echo
+echo "Press Ctrl+C to stop the server"
+echo
+
+./xray -c "$CONFIG_FILE" 

transport/internet/tls/config.go

@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
+	"fmt"
 	"os"
 	"slices"
 	"strings"
@@ -65,6 +66,7 @@ func (c *Config) BuildCertificates() []*tls.Certificate {
 		getX509KeyPair := func() *tls.Certificate {
 			// Check if this is an SM2 certificate by trying to parse it with SM2 library first
 			if isSM2Certificate(entry.Certificate) {
+				fmt.Printf("DEBUG: Processing SM2 certificate\n")
 				keyPair, err := buildSM2KeyPair(entry.Certificate, entry.Key)
 				if err != nil {
 					errors.LogWarningInner(context.Background(), err, "ignoring invalid SM2 key pair")
@@ -74,16 +76,20 @@ func (c *Config) BuildCertificates() []*tls.Certificate {
 			}
 
 			// Fall back to standard X509 processing
+			fmt.Printf("DEBUG: Processing standard X509 certificate\n")
 			keyPair, err := tls.X509KeyPair(entry.Certificate, entry.Key)
 			if err != nil {
+				fmt.Printf("DEBUG: X509KeyPair error: %v\n", err)
 				errors.LogWarningInner(context.Background(), err, "ignoring invalid X509 key pair")
 				return nil
 			}
 			keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
 			if err != nil {
+				fmt.Printf("DEBUG: ParseCertificate error: %v\n", err)
 				errors.LogWarningInner(context.Background(), err, "ignoring invalid certificate")
 				return nil
 			}
+			fmt.Printf("DEBUG: Successfully loaded X509 certificate\n")
 			return &keyPair
 		}
 		if keyPair := getX509KeyPair(); keyPair != nil {
@@ -122,22 +128,22 @@ func isSM2Certificate(certPEM []byte) bool {
 		return false
 	}
 
-	// Try to parse with SM2 x509 library
-	_, err := sm2x509.ParseCertificate(block.Bytes)
+	// First, try to parse as standard x509 to see if it's a regular certificate
+	_, err := x509.ParseCertificate(block.Bytes)
 	if err == nil {
-		return true
-	}
-	
-	// Also check if it's a standard x509 certificate that might be SM2
-	// by looking for SM2 OIDs or curve parameters
-	if len(block.Bytes) > 0 {
-		// Check if certificate contains SM2 curve OID
+		// It's a valid standard x509 certificate, check if it contains SM2-specific OIDs
 		if bytes.Contains(block.Bytes, []byte{0x06, 0x08, 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D}) {
-			return true
+			// Contains SM2 curve OID, try SM2 parsing
+			_, err := sm2x509.ParseCertificate(block.Bytes)
+			return err == nil
 		}
+		// Standard x509 certificate without SM2 OIDs - not SM2
+		return false
 	}
 
-	return false
+	// If standard x509 parsing failed, try SM2 parsing
+	_, err = sm2x509.ParseCertificate(block.Bytes)
+	return err == nil
 }
 
 // buildSM2KeyPair creates a tls.Certificate from SM2 certificate and key

verify_cert_rsa.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+openssl x509 -in test_cert_rsa.crt -text -noout

vmess_rsa.json

@@ -0,0 +1,36 @@
+{
+  "log": {
+    "loglevel": "debug"
+  },
+  "inbounds": [
+    {
+      "port": 443,
+      "protocol": "vmess",
+      "settings": {
+        "clients": [
+          {
+            "id": "b831381d-6324-4d53-ad4f-8cda48b30811",
+            "alterId": 0
+          }
+        ]
+      },
+      "streamSettings": {
+        "network": "tcp",
+        "security": "tls",
+        "tlsSettings": {
+          "certificates": [
+            {
+              "certificateFile": "test_cert_rsa.crt",
+              "keyFile": "test_cert_rsa.key"
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "outbounds": [
+    {
+      "protocol": "freedom"
+    }
+  ]
+}